Mdthbs

How is it possible for user's password to be changed after storage was encrypted? (on OS X, Android)

Is it possible to do 50 km distance without any previous training?

N.B. ligature in Latex

Can you lasso down a wizard who is using the Levitate spell?

How to make payment on the internet without leaving a money trail?

How to use Pandas to get the count of every combination inclusive

A Journey Through Space and Time

What do you call something that goes against the spirit of the law, but is legal when interpreting the law to the letter?

Can town administrative "code" overule state laws like those forbidding trespassing?

How to determine if window is maximised or minimised from bash script

Can an x86 CPU running in real mode be considered to be basically an 8086 CPU?

How can bays and straits be determined in a procedurally generated map?

Is it possible to make sharp wind that can cut stuff from afar?

What would happen to a modern skyscraper if it rains micro blackholes?

Closed subgroups of abelian groups

What Brexit solution does the DUP want?

Why does apt-get install python3 with a trailing hyphen remove a lot of packages?

Are tax years 2016 & 2017 back taxes deductible for tax year 2018?

cryptic clue: mammal sounds like relative consumer (8)

Motorized valve interfering with button?

Chess with symmetric move-square

Accidentally leaked the solution to an assignment, what to do now? (I'm the prof)

What is the white spray-pattern residue inside these Falcon Heavy nozzles?

What are these boxed doors outside store fronts in New York?

What is “a light-weight namespace container” created by systemd-spawn?

LXC container to use “virtual” interface from host (namespace semantics)How to start a program in a container as a service using systemd-nspawn, systemd-run?Access usb device from systemd-nspawn containersystemd-nspawn OS container is unusable because I can't set the root passwordsystemd-nspawn container with separate IP address (network namespace) not workingFirst process in a new Linux user namespace needs to call setuid()?systemd-nspawn vs chroot and bind mount?Can /sys be sanitized for use with linux namespaces (i.e. via systemd-nspawn)?Why does `systemd-nspawn -n` network namespace not show in `ip netns list`What is a docker container from Linux's point of view?

.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty{ margin-bottom:0;
}

-5

0

man systemd-nspawn says

systemd-nspawn may be used to run a command or OS in a light-weight namespace container.
In many ways it is similar to chroot(1), but more powerful since it fully virtualizes the file system
hierarchy, as well as the process tree, the various IPC subsystems and the host and domain
name.

Is a namespace container a concept only of systemd-nspawn, or of Linux kernel?

What is the relation and difference between a namespace container and a namespace?
Is a namespace container to systemd-nspawn as a namespace to Linux kernel? In other words,
Is a namespace container systemd-nspawn's version of namespace?

Is a docker container based on a namespace container?

Thanks.

linux-kernel docker namespace container systemd-nspawn

share|improve this question

edited yesterday

Jeff Schaller♦

44.7k1163145

asked yesterday

TimTim

28.5k79269491

• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  I have tried...
  
  – Tim
  yesterday
  

  
  
  
  


• 
  
  
  

  
  1
  

  
  
  
  
  
  

  
  
  A possible duplicate of the last n questions asked by Tim. As you know docker containers uses name-spaces, so NO. Both docker and by the look of it systemd-nspawn use the same mechanisms.
  
  – ctrl-alt-delor
  yesterday
  
  
  

  
  
  
  

add a comment | 

-5

0

man systemd-nspawn says

systemd-nspawn may be used to run a command or OS in a light-weight namespace container.
In many ways it is similar to chroot(1), but more powerful since it fully virtualizes the file system
hierarchy, as well as the process tree, the various IPC subsystems and the host and domain
name.

Is a namespace container a concept only of systemd-nspawn, or of Linux kernel?

What is the relation and difference between a namespace container and a namespace?
Is a namespace container to systemd-nspawn as a namespace to Linux kernel? In other words,
Is a namespace container systemd-nspawn's version of namespace?

Is a docker container based on a namespace container?

Thanks.

linux-kernel docker namespace container systemd-nspawn

share|improve this question

edited yesterday

Jeff Schaller♦

44.7k1163145

asked yesterday

TimTim

28.5k79269491

• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  I have tried...
  
  – Tim
  yesterday
  

  
  
  
  


• 
  
  
  

  
  1
  

  
  
  
  
  
  

  
  
  A possible duplicate of the last n questions asked by Tim. As you know docker containers uses name-spaces, so NO. Both docker and by the look of it systemd-nspawn use the same mechanisms.
  
  – ctrl-alt-delor
  yesterday
  
  
  

  
  
  
  

add a comment | 

man systemd-nspawn says

systemd-nspawn may be used to run a command or OS in a light-weight namespace container.
In many ways it is similar to chroot(1), but more powerful since it fully virtualizes the file system
hierarchy, as well as the process tree, the various IPC subsystems and the host and domain
name.

Is a namespace container a concept only of systemd-nspawn, or of Linux kernel?

What is the relation and difference between a namespace container and a namespace?
Is a namespace container to systemd-nspawn as a namespace to Linux kernel? In other words,
Is a namespace container systemd-nspawn's version of namespace?

Is a docker container based on a namespace container?

Thanks.

linux-kernel docker namespace container systemd-nspawn

share|improve this question

edited yesterday

Jeff Schaller♦

44.7k1163145

asked yesterday

TimTim

28.5k79269491

share|improve this question

edited yesterday

Jeff Schaller♦

44.7k1163145

asked yesterday

TimTim

28.5k79269491

share|improve this question

edited yesterday

Jeff Schaller♦

44.7k1163145

asked yesterday

TimTim

28.5k79269491

edited yesterday

Jeff Schaller♦

44.7k1163145

edited yesterday

Jeff Schaller♦

44.7k1163145

asked yesterday

TimTim

28.5k79269491

asked yesterday

TimTim

28.5k79269491

1 Answer
1

active

oldest

votes

1

Containers aren’t a first-class concept, directly provided by the kernel; they are assembled using various features provided by the underlying operating system, including, on Linux, namespaces. Different container runtimes use different features, and in some cases the feature set can vary from one container to another in the same runtime.

A “namespace container” is a container constructed using namespaces. Based on your quote, one can imagine that systemd-nspawn uses at least mount namespaces, PID namespaces, IPC namespaces, and UTS namespaces; its manpage indicates that it also uses system call filters and some form of resource limitation.

Docker containers also use namespaces, along with many other features.

share|improve this answer

edited 17 hours ago

answered yesterday

Stephen KittStephen Kitt

180k25409488

• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  Thanks. (1) Is a “namespace container” created by systemd-nspaw constructed using also cgroups or somthing else besides namespaces? (2) Is a “namespace container” not a concept provided by the kernel? (3) Is a “namespace container” simply a number of namspaces, so is a concept provided by the kernel, and can be created using API of the kernel, without using systemd-nspawn? (trying to compare a “namespace container” to a docker container)
  
  – Tim
  yesterday
  
  
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  The reason I asked these questions is that I would like to know if systemd-nspawn (containers) and docker (containers) work at different or the same level (subject to your understanding, I don't have a clear understanding yet).
  
  – Tim
  18 hours ago
  
  
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  Is it correct that both a systemd-nspawn container and a docker container are above the Linux kernel level, i.e. the kernel isn't aware of both, and the two are just two different implementations of the same (or maybe different) "container" concept?
  
  – Tim
  13 hours ago
  
  
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  What’s so hard to understand about the fact that containers aren’t a concept the kernel knows about?
  
  – Stephen Kitt
  13 hours ago
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  Am I correct that to users, systemd-cgls seems to deal directly with cgroups provided by kernel, while systemd-nspawn indirectly with namespaces provided by kernel. "It is hard", because I just want to make sure.
  
  – Tim
  13 hours ago
  

  
  
  
  

 | 
show 1 more comment

Your Answer

StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "106"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});

function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});


}
});

draft saved

draft discarded

Sign up or log in

StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});

Sign up using Google

Sign up using Facebook

Sign up using Email and Password

Post as a guest

Name

Email

Required, but never shown

StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f510906%2fwhat-is-a-light-weight-namespace-container-created-by-systemd-spawn%23new-answer', 'question_page');
}
);

Post as a guest

Name

Email

Required, but never shown

1

Containers aren’t a first-class concept, directly provided by the kernel; they are assembled using various features provided by the underlying operating system, including, on Linux, namespaces. Different container runtimes use different features, and in some cases the feature set can vary from one container to another in the same runtime.

A “namespace container” is a container constructed using namespaces. Based on your quote, one can imagine that systemd-nspawn uses at least mount namespaces, PID namespaces, IPC namespaces, and UTS namespaces; its manpage indicates that it also uses system call filters and some form of resource limitation.

Docker containers also use namespaces, along with many other features.

share|improve this answer

edited 17 hours ago

answered yesterday

Stephen KittStephen Kitt

180k25409488

• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  Thanks. (1) Is a “namespace container” created by systemd-nspaw constructed using also cgroups or somthing else besides namespaces? (2) Is a “namespace container” not a concept provided by the kernel? (3) Is a “namespace container” simply a number of namspaces, so is a concept provided by the kernel, and can be created using API of the kernel, without using systemd-nspawn? (trying to compare a “namespace container” to a docker container)
  
  – Tim
  yesterday
  
  
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  The reason I asked these questions is that I would like to know if systemd-nspawn (containers) and docker (containers) work at different or the same level (subject to your understanding, I don't have a clear understanding yet).
  
  – Tim
  18 hours ago
  
  
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  Is it correct that both a systemd-nspawn container and a docker container are above the Linux kernel level, i.e. the kernel isn't aware of both, and the two are just two different implementations of the same (or maybe different) "container" concept?
  
  – Tim
  13 hours ago
  
  
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  What’s so hard to understand about the fact that containers aren’t a concept the kernel knows about?
  
  – Stephen Kitt
  13 hours ago
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  Am I correct that to users, systemd-cgls seems to deal directly with cgroups provided by kernel, while systemd-nspawn indirectly with namespaces provided by kernel. "It is hard", because I just want to make sure.
  
  – Tim
  13 hours ago
  

  
  
  
  

 | 
show 1 more comment

1

Containers aren’t a first-class concept, directly provided by the kernel; they are assembled using various features provided by the underlying operating system, including, on Linux, namespaces. Different container runtimes use different features, and in some cases the feature set can vary from one container to another in the same runtime.

A “namespace container” is a container constructed using namespaces. Based on your quote, one can imagine that systemd-nspawn uses at least mount namespaces, PID namespaces, IPC namespaces, and UTS namespaces; its manpage indicates that it also uses system call filters and some form of resource limitation.

Docker containers also use namespaces, along with many other features.

share|improve this answer

edited 17 hours ago

answered yesterday

Stephen KittStephen Kitt

180k25409488

• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  Thanks. (1) Is a “namespace container” created by systemd-nspaw constructed using also cgroups or somthing else besides namespaces? (2) Is a “namespace container” not a concept provided by the kernel? (3) Is a “namespace container” simply a number of namspaces, so is a concept provided by the kernel, and can be created using API of the kernel, without using systemd-nspawn? (trying to compare a “namespace container” to a docker container)
  
  – Tim
  yesterday
  
  
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  The reason I asked these questions is that I would like to know if systemd-nspawn (containers) and docker (containers) work at different or the same level (subject to your understanding, I don't have a clear understanding yet).
  
  – Tim
  18 hours ago
  
  
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  Is it correct that both a systemd-nspawn container and a docker container are above the Linux kernel level, i.e. the kernel isn't aware of both, and the two are just two different implementations of the same (or maybe different) "container" concept?
  
  – Tim
  13 hours ago
  
  
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  What’s so hard to understand about the fact that containers aren’t a concept the kernel knows about?
  
  – Stephen Kitt
  13 hours ago
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  Am I correct that to users, systemd-cgls seems to deal directly with cgroups provided by kernel, while systemd-nspawn indirectly with namespaces provided by kernel. "It is hard", because I just want to make sure.
  
  – Tim
  13 hours ago
  

  
  
  
  

 | 
show 1 more comment

Containers aren’t a first-class concept, directly provided by the kernel; they are assembled using various features provided by the underlying operating system, including, on Linux, namespaces. Different container runtimes use different features, and in some cases the feature set can vary from one container to another in the same runtime.

A “namespace container” is a container constructed using namespaces. Based on your quote, one can imagine that systemd-nspawn uses at least mount namespaces, PID namespaces, IPC namespaces, and UTS namespaces; its manpage indicates that it also uses system call filters and some form of resource limitation.

Docker containers also use namespaces, along with many other features.

share|improve this answer

edited 17 hours ago

answered yesterday

Stephen KittStephen Kitt

180k25409488

share|improve this answer

edited 17 hours ago

answered yesterday

Stephen KittStephen Kitt

180k25409488

answered yesterday

Stephen KittStephen Kitt

180k25409488

answered yesterday

Stephen KittStephen Kitt

180k25409488