The best OS isolation solution

I am looking for the best isolation solution in Linux for ARM like Solaris containers or BSD jails. Any suggestions?

I think the most popular would be Docker

However, LXC could be more like what you are looking for.

Have you ever tried podman, which is able to run as a normal user without requiring a setuid binary?
If yes, I wondered if it is as easy to use as docker… anyone?

Podman is great and, unless you had some incredibly obscure or specific service configs under docker, it's a simple rename in its use (alias docker='podman').

I’ve abandoned docker personally on servers and my personal computer for quite some time now in favour of podman since it has full cgroupv2 support and it can handle images with systemd init. On Linux I’d recommend people to switch to podman , I think Fedora even made it impossible to actually use docker anymore by default (or it was just forcing cgroupv2).

If one feels comfortable with it, they may even use user namespaces directly. But tools like firejail or bubblewrap make it much easier.

I've heard about this alias in an article I read, BUT as you seem a bit of an expert on it, I was wondering about cgroups2 and manjaroarm:

Are all "sys/fs/cgroup" mounts supposed to be in cgroup2 mode? From what I see it's only the /sys/fs/cgroup/unified one. Is it enough?

$ mount | grep "sys/fs/cgroup"
tmpfs on /sys/fs/cgroup type tmpfs (ro,nosuid,nodev,noexec,size=4096k,nr_inodes=1024,mode=755)
cgroup2 on /sys/fs/cgroup/unified type cgroup2 (rw,nosuid,nodev,noexec,relatime,nsdelegate)
cgroup on /sys/fs/cgroup/systemd type cgroup (rw,nosuid,nodev,noexec,relatime,xattr,name=systemd)
cgroup on /sys/fs/cgroup/freezer type cgroup (rw,nosuid,nodev,noexec,relatime,freezer)
cgroup on /sys/fs/cgroup/blkio type cgroup (rw,nosuid,nodev,noexec,relatime,blkio)
cgroup on /sys/fs/cgroup/devices type cgroup (rw,nosuid,nodev,noexec,relatime,devices)
cgroup on /sys/fs/cgroup/perf_event type cgroup (rw,nosuid,nodev,noexec,relatime,perf_event)
cgroup on /sys/fs/cgroup/cpu,cpuacct type cgroup (rw,nosuid,nodev,noexec,relatime,cpu,cpuacct)
cgroup on /sys/fs/cgroup/net_cls,net_prio type cgroup (rw,nosuid,nodev,noexec,relatime,net_cls,net_prio)
cgroup on /sys/fs/cgroup/pids type cgroup (rw,nosuid,nodev,noexec,relatime,pids)
cgroup on /sys/fs/cgroup/cpuset type cgroup (rw,nosuid,nodev,noexec,relatime,cpuset)
cgroup on /sys/fs/cgroup/rdma type cgroup (rw,nosuid,nodev,noexec,relatime,rdma)

To force cgroupsv2, I boot the kernel with these parameters:
cgroup_no_v1=all systemd.unified_cgroup_hierarchy=1

$ mount | grep cgroup
cgroup2 on /sys/fs/cgroup type cgroup2 (rw,nosuid,nodev,noexec,relatime,nsdelegate,memory_recursiveprot)
$ ls -1 /sys/fs/cgroup
dev-mqueue.mount
init.scope
sys-fs-fuse-connections.mount
sys-kernel-config.mount
sys-kernel-debug.mount
sys-kernel-tracing.mount
system.slice
user.slice
cgroup.controllers
cgroup.max.depth
cgroup.max.descendants
cgroup.procs
cgroup.stat
cgroup.subtree_control
cgroup.threads
cpu.stat
cpuset.cpus.effective
cpuset.mems.effective
io.stat

Make sure to install crun and use it as runtime for podman by editing /etc/containers/containers.conf:

runtime = "crun"

Some extra tidbits: I always use btrfs as the filesystem; docker already worked extra nicely with it and that continues to be true with podman.
Edit /etc/containers/storage.conf:

driver = "btrfs"
#mountopt = "nodev"

Comment out mountopt, since nodev was not one of the allowed mount flags with btrfs for some reason. Maybe this has been fixed by now.
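As an added example (not code posted by anyone in this thread), here is a small POSIX sh script that answers the question asked earlier, "is a single cgroup2 mount under /sys/fs/cgroup/unified enough?", by classifying a mount listing as hybrid (v1 controllers plus an empty v2 tree, which is what the first listing shows), unified (only cgroup2, as after booting with cgroup_no_v1=all) or legacy, and that reads the runtime and storage settings from containers.conf/storage.conf-style files, treating commented lines as unset. The file names under SAMPLE_DIR and the sample contents are constructed for the example; on a real host you would call cgroup_mode /proc/self/mounts and point conf_value at /etc/containers/containers.conf and /etc/containers/storage.conf.

```shell
#!/bin/sh
# Added example, not from the thread. Classifies the cgroup layout from
# `mount` output (or /proc/self/mounts) and reads the podman settings the
# thread mentions from containers.conf / storage.conf. Sample inputs are
# constructed below to mirror the listings posted above.

# cgroup_mode FILE: print unified | hybrid | legacy | none
cgroup_mode() {
    v1=0; v2=0
    while read -r f1 f2 f3 f4 f5 _rest; do
        # `mount` prints "dev on MNT type FSTYPE (opts)"; /proc/self/mounts
        # prints "dev MNT FSTYPE opts 0 0": pick the matching fields.
        if [ "$f2" = "on" ]; then mnt=$f3; fstype=$f5; else mnt=$f2; fstype=$f3; fi
        case "$mnt" in
            /sys/fs/cgroup|/sys/fs/cgroup/*) ;;
            *) continue ;;
        esac
        case "$fstype" in
            cgroup2) v2=$((v2 + 1)) ;;   # v2 unified hierarchy
            cgroup)  v1=$((v1 + 1)) ;;   # one v1 controller hierarchy
        esac
    done < "$1"
    if [ "$v2" -gt 0 ] && [ "$v1" -eq 0 ]; then echo unified
    elif [ "$v2" -gt 0 ]; then echo hybrid
    elif [ "$v1" -gt 0 ]; then echo legacy
    else echo none
    fi
}

# has_controller FILE NAME: succeed if NAME is listed in a cgroup.controllers
# (or cgroup.subtree_control) file, i.e. the controller is usable there.
has_controller() {
    for c in $(cat "$1"); do
        [ "$c" = "$2" ] && return 0
    done
    return 1
}

# conf_value FILE KEY: print the value of the first uncommented `KEY = "..."`
# line of a containers.conf-style TOML file; prints nothing if only commented.
conf_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$1" | head -n 1
}

SAMPLE_DIR=$(mktemp -d)

# Constructed: hybrid layout in `mount` format, like the first listing above.
cat > "$SAMPLE_DIR/hybrid.mounts" <<'EOF'
tmpfs on /sys/fs/cgroup type tmpfs (ro,nosuid,nodev,noexec,size=4096k,nr_inodes=1024,mode=755)
cgroup2 on /sys/fs/cgroup/unified type cgroup2 (rw,nosuid,nodev,noexec,relatime,nsdelegate)
cgroup on /sys/fs/cgroup/systemd type cgroup (rw,nosuid,nodev,noexec,relatime,xattr,name=systemd)
cgroup on /sys/fs/cgroup/memory type cgroup (rw,nosuid,nodev,noexec,relatime,memory)
EOF

# Constructed: pure v2 after cgroup_no_v1=all, in /proc/self/mounts format.
cat > "$SAMPLE_DIR/unified.mounts" <<'EOF'
cgroup2 /sys/fs/cgroup cgroup2 rw,nosuid,nodev,noexec,relatime,nsdelegate,memory_recursiveprot 0 0
EOF

# Constructed: typical contents of a v2 cgroup.controllers file.
printf 'cpuset cpu io memory pids\n' > "$SAMPLE_DIR/cgroup.controllers"

# Constructed: the containers.conf / storage.conf fragments from the thread,
# with a commented-out line to show it is ignored.
cat > "$SAMPLE_DIR/containers.conf" <<'EOF'
#runtime = "runc"
runtime = "crun"
EOF
cat > "$SAMPLE_DIR/storage.conf" <<'EOF'
driver = "btrfs"
#mountopt = "nodev"
EOF

echo "hybrid listing:  $(cgroup_mode "$SAMPLE_DIR/hybrid.mounts")"
echo "unified listing: $(cgroup_mode "$SAMPLE_DIR/unified.mounts")"
has_controller "$SAMPLE_DIR/cgroup.controllers" memory && echo "memory controller available"
echo "podman runtime:  $(conf_value "$SAMPLE_DIR/containers.conf" runtime)"
echo "storage driver:  $(conf_value "$SAMPLE_DIR/storage.conf" driver)"
echo "mountopt:        '$(conf_value "$SAMPLE_DIR/storage.conf" mountopt)'"
```

A hybrid result means the v1 controllers are still the ones in charge and the cgroup2 tree under /sys/fs/cgroup/unified carries no controllers, so it is not "enough" for a tool that wants v2 features; "unified" is the layout the reply above obtains with cgroup_no_v1=all. For rootless podman, also check cgroup.controllers under your own user slice (systemd delegates only a subset of controllers to user sessions), which is what has_controller is for.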