What is “a light-weight namespace container” created by systemd-nspawn?
man systemd-nspawn says:
systemd-nspawn may be used to run a command or OS in a light-weight namespace container.
In many ways it is similar to chroot(1), but more powerful since it fully virtualizes the file system
hierarchy, as well as the process tree, the various IPC subsystems and the host and domain
name.
Is a namespace container a concept only of systemd-nspawn, or of the Linux kernel?
What is the relation and difference between a namespace container and a namespace?
Is a namespace container to systemd-nspawn as a namespace is to the Linux kernel? In other words, is a namespace container systemd-nspawn's version of a namespace?
Is a docker container based on a namespace container?
Thanks.
linux-kernel docker namespace container systemd-nspawn
edited Apr 6 at 14:13 by Jeff Schaller♦
asked Apr 6 at 13:56 by Tim
I have tried...
– Tim
Apr 6 at 14:38
1
A possible duplicate of the last n questions asked by Tim. As you know, docker containers use name-spaces, so NO. Both docker and, by the look of it, systemd-nspawn use the same mechanisms.
– ctrl-alt-delor
Apr 6 at 15:13
1 Answer
Containers aren’t a first-class concept, directly provided by the kernel; they are assembled using various features provided by the underlying operating system, including, on Linux, namespaces. Different container runtimes use different features, and in some cases the feature set can vary from one container to another in the same runtime.
A “namespace container” is a container constructed using namespaces. Based on your quote, one can imagine that systemd-nspawn uses at least mount namespaces, PID namespaces, IPC namespaces, and UTS namespaces; its manpage indicates that it also uses system call filters and some form of resource limitation.
Docker containers also use namespaces, along with many other features.
edited 2 days ago
answered Apr 6 at 17:13 by Stephen Kitt
Thanks. (1) Is a “namespace container” created by systemd-nspawn constructed using also cgroups or something else besides namespaces? (2) Is a “namespace container” not a concept provided by the kernel? (3) Is a “namespace container” simply a number of namespaces, so is a concept provided by the kernel, and can be created using API of the kernel, without using systemd-nspawn? (trying to compare a “namespace container” to a docker container)
– Tim
Apr 7 at 0:47
The reason I asked these questions is that I would like to know if systemd-nspawn (containers) and docker (containers) work at different or the same level (subject to your understanding, I don't have a clear understanding yet).
– Tim
2 days ago
Is it correct that both a systemd-nspawn container and a docker container are above the Linux kernel level, i.e. the kernel isn't aware of both, and the two are just two different implementations of the same (or maybe different) "container" concept?
– Tim
2 days ago
What’s so hard to understand about the fact that containers aren’t a concept the kernel knows about?
– Stephen Kitt
2 days ago
Am I correct that to users, systemd-cgls seems to deal directly with cgroups provided by the kernel, while systemd-nspawn indirectly with namespaces provided by the kernel? "It is hard", because I just want to make sure.
– Tim
2 days ago
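An added illustration, not part of the original answer or comments: the kernel exposes each process's namespace memberships as symlinks under /proc/<pid>/ns, so comparing a host process with a process inside a container shows exactly which namespaces that "container" was assembled from. The helper names are hypothetical and the sample namespace IDs are constructed to match the four namespace types the answer lists.

```python
import os

# Namespace types exposed under /proc/<pid>/ns (see namespaces(7)).
NS_TYPES = ("cgroup", "ipc", "mnt", "net", "pid", "time", "user", "uts")


def parse_ns_link(target):
    """Split a link target such as 'pid:[4026531836]' into ('pid', 4026531836)."""
    ns_type, _, rest = target.partition(":")
    if not (rest.startswith("[") and rest.endswith("]") and rest[1:-1].isdigit()):
        raise ValueError(f"not a namespace link target: {target!r}")
    return ns_type, int(rest[1:-1])


def read_namespaces(ns_dir):
    """Read namespace IDs from a /proc/<pid>/ns-style directory of symlinks.

    Reading another user's process raises PermissionError unless run as root.
    """
    found = {}
    for name in sorted(os.listdir(ns_dir)):
        if name not in NS_TYPES:
            continue  # skip pid_for_children, time_for_children
        ns_type, inode = parse_ns_link(os.readlink(os.path.join(ns_dir, name)))
        found[ns_type] = inode
    return found


def isolation_report(host, container):
    """Classify each namespace type as 'private', 'shared' or 'unknown'."""
    report = {}
    for ns_type in NS_TYPES:
        if ns_type not in host or ns_type not in container:
            report[ns_type] = "unknown"  # e.g. kernel without that namespace type
        elif host[ns_type] == container[ns_type]:
            report[ns_type] = "shared"
        else:
            report[ns_type] = "private"
    return report


def private_namespaces(host, container):
    """Namespace types in which the container process is separated from the host."""
    report = isolation_report(host, container)
    return sorted(t for t, state in report.items() if state == "private")


# Constructed sample link targets (not captured from a real system): a host
# process, and a container process with its own mount, PID, IPC and UTS
# namespaces that still shares the rest with the host.
SAMPLE_HOST = {
    "cgroup": "cgroup:[4026531835]",
    "ipc": "ipc:[4026531839]",
    "mnt": "mnt:[4026531840]",
    "net": "net:[4026531992]",
    "pid": "pid:[4026531836]",
    "user": "user:[4026531837]",
    "uts": "uts:[4026531838]",
}
SAMPLE_CONTAINER = dict(
    SAMPLE_HOST,
    ipc="ipc:[4026532501]",
    mnt="mnt:[4026532499]",
    pid="pid:[4026532502]",
    uts="uts:[4026532500]",
)


def from_targets(targets):
    """Turn a {name: link target} mapping into {type: namespace ID}."""
    return dict(parse_ns_link(t) for t in targets.values())


if __name__ == "__main__":
    host, ctr = from_targets(SAMPLE_HOST), from_targets(SAMPLE_CONTAINER)
    for ns_type, state in isolation_report(host, ctr).items():
        print(f"{ns_type:7} {state}")
```

On a live system, pass `read_namespaces("/proc/1/ns")` and `read_namespaces("/proc/<pid>/ns")` for a process inside the container; any type reported as shared is a resource the container still has in common with the host.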