
I read a good chunk of that wiki link, but didn't really come away with an understanding of how it differs from just using Docker for sandboxing an app.

Did you have any insight there you might share?

It differs by not being insane. Trivial functionality that actually works. It's what's good about systemd.

It doesn't require forwarding sockets or giving free access to root just for building images. It doesn't explode just because you touch your nftables rules. It doesn't suddenly expose a process to the Internet because of some undocumented option. You can use all the normal tools such as auditd and SELinux without having your configuration overwritten by a madman.


How is it different from podman then?


It's not a docker replacement. Use podman to replace docker. Use systemd to start stuff (in a namespace or otherwise).


  > how it differs from just using Docker 
It uses the system.

You’re missing the trees for the forest. At a high level they are the same, just as with LXC or podman or others. But it’s the details which are really important. Because you’re leveraging the system you can really shrink down the size, as another user mentioned. But there’s also a convenience in just being able to use systemd when it’s already built into your system.

I suggest also reading

  man systemd-nspawn

Just type it into your terminal, you don’t need to install anything
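As an added example (not part of the thread, and not from any commenter): what "using the system" looks like in practice. Instead of a Dockerfile and a daemon, the container is described by an /etc/systemd/nspawn/NAME.nspawn file (systemd.nspawn(5)) and started through the systemd-nspawn@.service template that ships with systemd, so journald, auditd, SELinux and the host's firewall apply to it like any other unit. The machine name "web", the rootfs under /var/lib/machines, the bind-mounted data directory and the dropped-capability list are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example: a locked-down systemd-nspawn machine configured the systemd way.
# Assumptions (not from the thread): machine name "web", a bootable rootfs at
# /var/lib/machines/web, app state on the host at /srv/web/data.

# Write NAME.nspawn into CONF_DIR (normally /etc/systemd/nspawn) and print its path.
# Every key used here is documented in systemd.nspawn(5).
write_nspawn_config() {
    conf_dir="$1"; name="$2"
    mkdir -p "$conf_dir"
    cat > "$conf_dir/$name.nspawn" <<'EOF'
[Exec]
Boot=yes
# Map container UIDs onto an unprivileged host range: root inside is not root outside.
PrivateUsers=pick
# Capabilities the workload does not need (illustrative list).
DropCapability=CAP_SYS_ADMIN CAP_NET_ADMIN CAP_SYS_MODULE CAP_SYS_RAWIO
NoNewPrivileges=yes
# Seccomp: only the syscalls of systemd's @system-service group.
SystemCallFilter=@system-service
# Container journal is readable from the host with: journalctl -M web
LinkJournal=try-guest

[Files]
# Immutable rootfs; writable state comes in via an explicit bind mount.
ReadOnly=yes
# Chown the tree to the picked UID range (key is PrivateUsersChown= on systemd < 249).
PrivateUsersOwnership=auto
Bind=/srv/web/data:/var/lib/app

[Network]
# Own network namespace, veth pair to the host. Nothing reaches the container
# unless you forward it explicitly, so nftables rules on the host keep working.
VirtualEthernet=yes
Port=tcp:8080:80
EOF
    printf '%s\n' "$conf_dir/$name.nspawn"
}

# The same sandbox as a one-shot command line for interactive testing.
# Only prints the command; run it yourself as root.
nspawn_cmd() {
    root="$1"
    printf '%s\n' "systemd-nspawn -D $root -b \
--private-users=pick --private-users-ownership=auto \
--drop-capability=CAP_SYS_ADMIN,CAP_NET_ADMIN,CAP_SYS_MODULE,CAP_SYS_RAWIO \
--no-new-privileges=yes --system-call-filter=@system-service \
--read-only --bind=/srv/web/data:/var/lib/app \
--network-veth --port=tcp:8080:80"
}

# Persistent use: machinectl drives the stock template unit, so the container is
# an ordinary service (systemctl status systemd-nspawn@web.service works).
start_machine() {
    machinectl start "$1"   # same as: systemctl start "systemd-nspawn@$1.service"
}

# Usage (as root):
#   write_nspawn_config /etc/systemd/nspawn web
#   start_machine web
#   machinectl shell web
```

Everything the unit does is visible to the host's normal tooling: `machinectl list` shows the machine, `journalctl -M web` reads its log, `systemctl set-property systemd-nspawn@web.service MemoryMax=512M` applies a cgroup limit, and there is no separate daemon holding a root socket.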


It's basically the same as docker but it doesn't use proprietary cloud stuff such as dockerhub.

Also occupies like 100kb instead of 40mb because it's C and not go.

