Build / use sysbox with alpine linux? about sysbox HOT 11 CLOSED

Hi @pwFoo, as you probably noticed, Sysbox doesn't yet support Alpine as a development/testing platform (please see this link for details).

Now, can you please explain the use-case that you have in mind? I understand that you want to build static Sysbox binaries making use of musl-libs, what it's not clear to me is your idea of running these within an Alpine container ...

Do you mind accessing our Sysbox slack-channel to discuss your use-case? Just click on this link.

Thanks.

from sysbox.

Hi @rodnymolina
I tried to build within a container as compile environment but failed. I don't need to build it with alpine, but searching for a musl compatible or static binary of sysbox to use in my alpine based host environment.

from sysbox.

@pwFoo, as of now we haven't prioritized Alpine support, but we would be glad to discuss with you the use-case that you have in mind so that we can schedule this request accordingly. Please contact me at [email protected] or our Slack channel.

In the meantime, have you checked our 'sysbox-static' Makefile target? Was that the target that failed during your build attempt?

Also, in case you haven't noticed it yet, see that Sysbox has some requirements in terms of kernel releases and operational modes (userns vs shiftfs). For Alpine to work you would need recent kernels and configure docker in userns-remap mode.

from sysbox.

I tried the sysbox-static target, but it failed to build with two fedora versions and alpine build base. I think it's dependent on my environment... Would be nice to have static binary for download at release page? That would simplify first tests?

Alpine is just the package base. Kernel is a up to date fedora kernel.

from sysbox.

I tried the sysbox-static target, but it failed to build with two fedora versions and alpine build base. I think it's dependent on my environment...

Thanks @pwFoo . Curious on what error you got when building the sysbox-static target. Coincidentally, I noticed we have a dependency bug on the Make target for sysbox-static, meaning that you have to build using this sequence:

$ make sysbox-libs/libseccomp/src/.libs/libseccomp.a 
$ make sysbox-static

I'll fix this so that the sysbox-static target takes care of everything.

I've attached the sysbox-static binaries which I built on my ubuntu-focal dev machine. You can use these for your initial tests. Copy them to the /usr/local/sbin/ directory and then start sysbox with the scr/sysbox script from the sysbox repo.

Would be nice to have static binary for download at release page? That would simplify first tests?

That's a good suggestion, let us think about it.

sysbox-static.tar.gz

from sysbox.

I'll fix this so that the sysbox-static target takes care of everything.

This is fixed now (i.e., make sysbox-static will build libseccomp first).

from sysbox.

Hi,
thanks for the static binaries. Seems to work, but my host is manjaro linux.

docker: Error response from daemon: OCI runtime create failed: distro support check: manjaro is not supported when using uid shifting; supported distros are [ubuntu]: unknown.

So my kernels (manjaro, fedora) not support shiftfs and I need another environment to test sysbox.

from sysbox.

@pwFoo, we don't support Manjaro yet, but we do support Fedora. As you know, currently shiftfs module is only carried by the Ubuntu distro, so you need to configure docker in userns-remap mode if you are running Fedora.

In short, you need to have a docker configuration like this one ...

$ cat /etc/docker/daemon.json
{
   "userns-remap": "sysbox",
   "runtimes": {
       "sysbox-runc": {
          "path": "/usr/local/sbin/sysbox-runc"
       }
   }
}

The 'sysbox' user above will be automatically created by Sysbox launcher script if it's not already present in your system, so I would suggest that you use this script to initialize Sysbox if you are building from sources.

Please see here for more details.

from sysbox.

so you need to configure docker in userns-remap mode if you are running Fedora.

To give a bit more context on this: Sysbox always uses the Linux user-namespace in the containers it creates. This has the benefit of removing restrictions on the root user inside the container (such that it can do things that regular Docker containers don't allow) yet securing the container (root in the container is mapped to an unprivileged user on the host).

Shiftfs allows Sysbox to user the Linux user-namespace without any change in Docker's config. However shiftfs is only supported on Ubuntu currently. In distros without shiftfs, you can still use Sysbox, but you need to place Docker in "userns-remap" mode (as Rodny mentioned above).

By the way, when you configure the Docker in userns-remap mode (via the /etc/docker/daemon.json file), you must restart or send a SIGHUP to Docker (e.g., sudo systemctl restart docker).

Hope this helps.

from sysbox.

Works fine with the daemon.json, but need to change back with normal docker containers (runc).

I think I could change to ubuntu kernel with my custom linuxkit build. At the moment I have some issues with that, so I'll back to sysbox later. And need to read some more information about sysbox featues / security. Also compare sysbox container to kvm vm and use cases.

It's a personal use case, but if sysbox would be an alternative to production ready virtual machines it could be interesting for some more topics too!

Thanks!

from sysbox.

Thanks @pwFoo, glad you got Sysbox to work on your machine.

Also compare sysbox container to kvm vm and use cases.

For a performance/efficiency comparison between Sysbox and VMs (with kvm), check out this blog post we wrote a few months ago:

https://blog.nestybox.com/2020/09/23/perf-comparison.html

Thanks again for giving Sysbox a shot. Let me close this issue as we don't have plans right now to support Sysbox on Alpine Linux.

from sysbox.