Praise for systemd-nspawn

systemd-nspawn is an awesome API (albeit with a somewhat arcane name) for the OS-level virtualization (speak: ‘containerization’) features of the Linux kernel. It appears way less complex than other toolsets, while is is well integrated into the host’s system, which gives it an amazing convenience. It also has features lacking from other containerization tools, which opens up very interesting application possibilities.

Below I’ll just briefly mention the most striking and useful characteristics I’ve got to know about it in recent months.

I can already say that after having worked with all the best known containerization technologies over the last years, systemd-nspawn has been a real eye-opener and game changer for me. That is why I’m taking the time to write this blog post — and no, I’m not in any way affiliated with the project.

Simplicity

systemd-nspawn has no container image format; a regular directory tree on the host’s file system is the template for a container (although it does have support for OCI images). This eliminates the enormous complexity (and steep learning curves) of describing container images (Dockerfile), build tools (docker build, podman build, buildah etc.), and image handling (docker image, podman image). It also eliminates the complexities of transferring, storing and re-using images (repositories, public hubs, etc.).

Please read the last paragraph again; the time advantage of the elimination of all that complexity cannot be overstated.

For example, a full container file system can be created using debootstrap, and then handled and transferred using rsync; that’s it; at max, two tools in total, which are universal at that.

Convenience

Because systemd-nspawn (Debian package systemd-container) comes along Systemd, it is very well integrated — well — into Systemd!

For example, via the recommended package libnss-mymachines, the container name is made available to the local name resolution, which, for example, allows you to directly point your browser to the container. This works even when the container runs in an isolated network where the container has a dedicated private IP address.

It is also possible to start systemd-nspawn using systemd-run, which allows the container to run in the background, being managed as a regular Systemd unit.

Useful features

The root file system may optionally be mounted as persistent or as ephemeral (changes are discarded together with the container).

For me, the ‘killer feature’ certainly is the ability to boot full, containerized Linux-based systems; in other words, it is possible to run Systemd inside a container! This makes systemd-nspawn a replacement for Virtual Machines (at least for certain applications), and allows many interesting new applications.

Flexibility

Unlike other containerization projects, systemd-nspawn doesn’t impose architectural constraints like “only one process per container” (e.g. in a Dockerfile, there “can only be one” CMD and ENTRYPOINT instruction) that are designed to enforce the possibility scale horizontally. In contrast, systemd-nspawn doesn’t constrict this; you can run one process, any number of them, or even boot into a full system with hundreds of services.

End notes

Despite its comparatively arcane name, systemd-nspawn it has the potential to replace a lot of other containerzation techniques, especially where toolset or ecosystem complexity cannot be tolerated. It does not impose constraints

Seriously, give systemd-nspawn a try. To get started, use the excellent Arch Linux documentation https://wiki.archlinux.org/title/systemd-nspawn which works well for Debian too (but use Debian Bookworm or more recent, I found that systemd-nspawn is quite mature there and has no rough edges).

If you think you found a mistake in this blog post, or would like to suggest an improvement to this blog post, you can write me an e-mail to the address public dot michael at franzl dot name; as subject please use the prefix "Comment to blog post" and append the post title.
 
Copyright © 2023 Michael Franzl