undefined | Better HN

story

0 pointscloseparen5y ago0 comments

Hm. Systemd already runs all your services in cgroups, so the same resource limit handles are available. It doesn't do filesystem isolation by default, but when we're talking about Go / Java / Python / Ruby software does that even matter? You statically link or package all your dependencies anyway.

0 comments

notyourday5y ago

Not only systemd runs your code it also does file system isolation built-in, runs containers, both privileged and non-privileged and sets up virtual networking for free.

systemd-nspawn / machined makes the other systems look like very complicated solutions in search of a problem

mekster5y ago

systemd-nspawn seems overlooked by many.

Name may not be pretty but it's an official feature of systemd which is used to debug the systemd development and it is far easier to take backups incrementally because the container files are just plain files in /var/lib/machines/ and apparently you already have it if systemd is on your system. (May need an additional package to be installed from OS package repo.)

I run nspawn instances as development environments for developers and I can also run docker inside it.

j / k navigate · click thread line to collapse