Run Docker-in-Docker in CI pipelines without granting containers privileged host access.
Replace lightweight VMs with Sysbox containers for development and testing environments.
Run a full Kubernetes cluster inside an isolated, unprivileged container.
Pack more isolated workloads onto a single server than traditional VMs allow.
| nestybox/sysbox | tobi/try | apple/tensorflow_macos | |
|---|---|---|---|
| Stars | 3,656 | 3,657 | 3,653 |
| Language | Shell | Shell | Shell |
| Setup difficulty | hard | easy | moderate |
| Complexity | 4/5 | 1/5 | 3/5 |
| Audience | ops devops | developer | developer |
Figures from each repo's GitHub metadata at analysis time.
Requires installing a custom container runtime on the Linux host and advanced OS isolation setup.
Sysbox is an open-source container runtime that makes Linux containers behave much more like virtual machines, without actually using virtual machines. In standard container setups, running software like Docker or Kubernetes inside another container requires giving that inner container full, unrestricted access to the host machine, which is a significant security risk. Sysbox removes that requirement by using advanced operating system isolation techniques so that containers can run the same kinds of workloads you would normally run in a VM, while the container itself remains safely isolated from the host. The practical result is that you can run a container with Sysbox and inside it start a complete Linux init system (systemd), run another Docker daemon, spin up a Kubernetes cluster, build multi-architecture container images, or run legacy applications, all without giving the container privileged access to the host. The root user inside a Sysbox container has no real privileges on the host machine, so if something goes wrong inside the container it cannot damage the underlying system. Common use cases include securing continuous integration pipelines that need to build or test Docker images, replacing virtual machines with lighter and faster containers for development and testing environments, and fitting more isolated workloads onto a single physical or cloud server compared to what is possible with traditional VMs. Sysbox works alongside the standard container runtime already on your system and is selected on a per-container basis using a single flag when you start a container. You install it once on the Linux host, then point Docker, Kubernetes, or another compatible container manager at it. It was originally created by Nestybox, which was acquired by Docker in 2022. The project is open-source under the Apache 2.0 license, though it is community-supported rather than officially supported through Docker subscriptions.
An open-source container runtime that lets Linux containers safely run Docker, Kubernetes, or a full init system without privileged host access.
Mainly Shell. The stack also includes Shell, Linux, Docker.
Open source under the Apache 2.0 license, though it is community-supported rather than officially supported.
Setup difficulty is rated hard, with roughly 1h+ to a first successful run.
Mainly ops devops.
This repo across BitVibe Labs
Verify against the repo before relying on details.