This repository was archived by the owner on Aug 7, 2025. It is now read-only.

Commit ef88793

ctalledo authored and rodnymolina committed
Updated quickstart guide to highlight sysbox-ee features.
1 parent 952d79b commit ef88793


6 files changed

+457
-610
lines changed


README.md

Lines changed: 105 additions & 46 deletions
Original file line number | Diff line number | Diff line change
@@ -28,63 +28,118 @@ TODO: modify banner image, add Nestybox logo, call it "sysbox enterprise"
2828
open-source [Sysbox container runtime](https://github.com/nestybox/sysbox),
2929
developed by [Nestybox](https://www.nestybox.com).
3030

31-
Sysbox is a container runtime that enables Docker containers to act as virtual
32-
servers with full root access and capable of running software such as Systemd,
33-
Docker, and Kubernetes in them, **seamlessly and securely**.
31+
Sysbox-EE enables Docker containers to act as virtual servers capable of running
32+
software such as Systemd, Docker, and Kubernetes in them, **seamlessly and
33+
securely**. This implies the ability for these containers to run inner
34+
containers (nested) while providing strong isolation from the underlying host.
3435

35-
Sysbox-EE uses Sysbox at its core, but adds proprietary enterprise-level
36-
features around lifecycle, security, efficiency, scalability, and robustness
37-
to the Sysbox core. In addition, Sysbox-EE comes with professional support from
38-
Nestybox.
36+
Sysbox-EE uses Sysbox at its core, but adds enterprise-level features around
37+
lifecycle, security, efficiency, scalability, and robustness. More on this
38+
in the [features](#key-features) section.
3939

40-
## Free for Individual Developers, Paid for Enterprise
40+
## Videos
41+
42+
We have some sample videos showing Sysbox-EE in action:
43+
44+
- [Docker Sandboxing](https://asciinema.org/a/kkTmOxl8DhEZiM2fLZNFlYzbo?speed=2)
45+
46+
- [Kubernetes-in-Docker](https://asciinema.org/a/V1UFSxz6JHb3rdHpGrnjefFIt?speed=1.75)
47+
48+
## Audience
49+
50+
Sysbox-EE is meant for engineers looking to use Sysbox as part of their
51+
company's IT operations.
52+
53+
Sysbox-EE is also meant for engineers looking to try Sysbox using an easy to
54+
install (i.e., packaged) version of the software.
4155

4256
Sysbox-EE is **free for individual developers**, but licensed for enterprise
4357
use.
4458

4559
That is, if you are an engineer that wants to try Sysbox (at home or at your
4660
work), it's free. However, if you want to use it as part of the IT
47-
infrastructure of your company, it's licensed (non-free), so please [contact us](#contact).
61+
infrastructure of your company, it's non-free, so please [contact us](#contact).
62+
63+
## System Containers
64+
65+
We call the containers deployed by Sysbox **system containers**, to highlight the
66+
fact that they can run not just micro-services (as regular containers do), but
67+
also system software such as Docker, Kubernetes, Systemd, inner containers, etc.
68+
69+
More on system containers [here](docs/user-guide/concepts.md#system-container).
4870

4971
## Key Features
5072

51-
Sysbox-EE includes all of [Sysbox's features](https://github.com/nestybox/sysbox/README.md#sysbox-features),
52-
and in addition includes the following:
73+
Sysbox-EE includes all features of the open-source Sysbox runtime (aka core
74+
features), plus enterprise-level features. These are described below.
5375

54-
### Lifecycle
76+
### Core Features
5577

56-
* Package installer that checks host requirements and eases installation and
57-
configuration.
78+
#### Systemd-in-Docker
5879

59-
### Security
80+
- Run Systemd inside a Docker container easily, without complex container configurations.
6081

61-
* Stronger cross-container isolation (Sysbox-EE assigns exclusive user-ID and
62-
group-ID ranges to each container).
82+
- Enables you to containerize apps that rely on Systemd (e.g., legacy apps).
6383

64-
### Efficiency
84+
#### Docker-in-Docker
6585

66-
* Important optimizations for running containers in containers. This speeds
67-
up container deployment and significantly reduces storage overhead.
86+
- Run Docker inside a container easily and without unsecure privileged containers.
6887

69-
* For example, with Sysbox (open-source version), a 10-node Kubernetes-in-Docker
70-
cluster starts in < 3 minutes and consumes up 10GB; with Sysbox-EE starts in
71-
< 2 minutes and consumes < 1GB of storage overhead.
88+
- Full isolation between the Docker inside the container and the Docker on the host.
7289

73-
### Scalability
90+
#### Kubernetes-in-Docker
7491

75-
* Higher efficiency means you can launch more containers per host.
92+
- Deploy Kubernetes (K8s) inside containers with proper isolation (no
93+
privileged containers), using simple Docker images and Docker run commands
94+
(no need for custom Docker images with tricky entrypoints).
7695

77-
### Robustness
96+
- Deploy directly with `docker run` commands for full flexibility, or using a
97+
higher level tool (e.g., such as [kindbox](https://github.com/nestybox/kindbox)).
7898

79-
* Sysbox-EE is tested and hardened for operation in production environments.
99+
#### Strong container isolation
80100

81-
## Videos
101+
- Root user in the system container maps to a fully unprivileged user on the host.
82102

83-
We have some sample videos showing Sysbox in action:
103+
- The procfs and sysfs exposed in the container are fully namespaced.
84104

85-
- [Docker Sandboxing](https://asciinema.org/a/kkTmOxl8DhEZiM2fLZNFlYzbo?speed=2)
105+
- Programs running inside the system container (e.g., Docker, Kubernetes, etc)
106+
are limited to using the resources given to the system container itself.
86107

87-
- [Kubernetes-in-Docker](https://asciinema.org/a/V1UFSxz6JHb3rdHpGrnjefFIt?speed=1.75)
108+
- Avoid the need for unsecure privileged containers.
109+
110+
#### Inner Container Image Preloading
111+
112+
- You can create a system container image that includes inner container
113+
images, with a simple Dockerfile or Docker commit.
114+
115+
### Enterprise-level Features
116+
117+
#### Lifecycle
118+
119+
* Sysbox-EE package installer and systemd services.
120+
121+
#### Security
122+
123+
* Stronger cross-container isolation (Sysbox-EE assigns exclusive
124+
user-namespaces user-ID and group-ID mappings to each container).
125+
126+
#### Efficiency
127+
128+
* Important optimizations for running containers in containers. This speeds
129+
up container deployment and significantly reduces storage overhead.
130+
131+
* For example, with Sysbox-EE, a 10-node Kubernetes-in-Docker cluster
132+
starts in ~2 minutes and consumes only 1GB of overhead. In contrast,
133+
the Sysbox open-source version takes ~3 minutes and consumes up 10GB
134+
for this same cluster.
135+
136+
#### Scalability
137+
138+
* Higher efficiency means you can launch more system containers per host.
139+
140+
#### Robustness
141+
142+
* Sysbox-EE is tested and hardened for operation in production environments.
88143

89144
## Download
90145

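Review bot: the enterprise Security bullet at 123+/124+ ("assigns exclusive user-namespaces user-ID and group-ID mappings to each container") reads awkwardly and never says what it is stronger than; the core bullet at 101+ already states that the container root maps to an unprivileged host user, so a reader cannot tell the two apart. Suggest "assigns each container its own exclusive user-namespace UID/GID mapping, so no two system containers share host IDs", if that is the intended contrast. Smaller points in the same hunk: "consumes up 10GB" at 133+ (and in the removed 70-) is missing "to"; "unsecure" at 86+ and 108+ should be "insecure"; the core feature lists use "-" bullets while the enterprise lists switch to "*"; and the hunk's context line still carries the "TODO: modify banner image, add Nestybox logo" note, which should not ship in a README that now presents the product as Sysbox-EE.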
@@ -150,17 +205,23 @@ If you run into problems during install, see the [troubleshooting doc](docs/user
150205

151206
## Using Sysbox
152207

153-
Once Sysbox-EE is installed, you launch a system container with Docker as follows:
208+
Once Sysbox-EE is installed, you use it as follows:
154209

155210
```console
156211
$ docker run --runtime=sysbox-runc --rm -it --hostname my_cont debian:latest
157212
root@my_cont:/#
158213
```
159214

160-
This launches a system container. Looks very much like a regular container,
161-
except that within it you can now run system software such as Docker,
162-
Kubernetes, etc. seamlessly, without complicated Docker run commands or complex
163-
images, and securely (no privileged containers!).
215+
This launches a system container. It looks very much like a regular container,
216+
but it's different under the hood.
217+
218+
In this container, you can now run system software such as Systemd, Docker,
219+
Kubernetes, etc., seamlessly and securely, just as you would on a physical host
220+
or virtual machine.
221+
222+
You can launch inner containers (and even inner privileged containers), with
223+
strong isolation from the underlying host. No more complex docker images or
224+
docker run commands, and no need for unsecure privileged containers.
164225

165226
The [Sysbox Quickstart Guide](docs/quickstart/README.md) and the [Nestybox Blog Site](https://blog.nestybox.com) have
166227
many usage examples.
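Review bot: lines 222+ to 224+ say you can launch "inner privileged containers" and two lines later say there is "no need for unsecure privileged containers"; as written this reads as a contradiction. Make explicit that the privileged flag applies only to containers launched inside the system container, while the system container itself is started without --privileged (as the docker run example at line 156 shows), since that is the property that keeps the host isolated. Also "unsecure" should be "insecure", and "docker images" / "docker run commands" at 223+/224+ should use "Docker" as the rest of the file does.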
@@ -173,37 +234,35 @@ regular Docker containers; they won't conflict and can co-exist side-by-side.
173234
## Documentation
174235

175236
We have several documents to help you get started and get the best out of
176-
system containers.
237+
Sysbox-EE:
177238

178239
- [Sysbox Quick Start Guide](docs/quickstart/README.md)
179240

180241
- Provides many examples for using system containers. New users
181242
should start here.
182243

183-
- [Sysbox Distro Compatibility Doc](docs/distro-compat.md)
184-
185-
- Distro compatibility requirements.
186-
187244
- [Sysbox User Guide](docs/user-guide/README.md)
188245

189246
- Provides more detailed information on Sysbox features.
190247

248+
- [Sysbox Distro Compatibility Doc](docs/distro-compat.md)
249+
250+
- Distro compatibility requirements.
251+
191252
- [Issue Guidelines](docs/issue-guidelines.md)
192253

193254
- Guidelines for filing issues in the Sysbox-EE GitHub project site.
194255

195256
In addition, the [Nestybox blog site](https://blog.nestybox.com) has articles
196257
on how to use system containers.
197258

198-
## Integration with Container Managers
259+
## Integration with Container Managers & Orchestrators
199260

200261
Though Sysbox is OCI-based (and thus compatible with OCI container managers),
201262
it's currently only tested with Docker / containerd.
202263

203-
We don't yet support using other container managers to deploy system containers
204-
with Sysbox.
205-
206-
We don't yet support using Kubernetes to deploy system containers with Sysbox.
264+
In particular, we don't yet support using Kubernetes to deploy system containers
265+
with Sysbox (though we [plan to](#roadmap)).
207266

208267
## Troubleshooting
209268

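Review bot: line 265+ links to #roadmap, but no Roadmap section appears anywhere in this diff; confirm the anchor exists in the README or the link will be dead. Dropping the 203-/204- sentence ("We don't yet support using other container managers to deploy system containers with Sysbox") also changes the claim: the remaining text at 261/262 says only that Sysbox is "only tested with Docker / containerd", which is weaker than "not supported". If other managers are still unsupported, keep a sentence saying so. Minor: "Sysbox Quick Start Guide" at 239 versus "Sysbox Quickstart Guide" at line 226 of the previous hunk; pick one spelling.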
docs/quickstart/README.md

Lines changed: 1 addition & 2 deletions
@@ -27,9 +27,8 @@ how to use system containers.
2727
### Kubernetes-in-Docker
2828

2929
- [Why Sysbox for K8s-in-Docker?](kind.md#why-sysbox-for-k8s-in-docker)
30-
- [Using K8s.io KinD + Sysbox](kind.md#using-k8sio-kind--sysbox-kind-sysbox)
31-
- [Using Kindbox](kind.md#using-kindbox)
3230
- [Using Docker to Deploy a K8s Cluster](kind.md#using-docker-to-deploy-a-k8s-cluster)
31+
- [Using Kindbox](kind.md#using-kindbox)
3332
- [Preloading Inner Pod Images into the K8s Node Image](kind.md#preloading-inner-pod-images-into-the-k8s-node-image)
3433

3534
### Preloading Inner Container Images into System Containers
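Review bot: line 30- removes the "[Using K8s.io KinD + Sysbox](kind.md#using-k8sio-kind--sysbox-kind-sysbox)" entry from the index; if that section still exists in kind.md it is now unreachable from the quickstart, and if it was removed, any links into it should be checked as well. The commit message says "highlight sysbox-ee features" but does not say why the KinD entry goes away, so a short explanation in the message or the doc would help readers who relied on it.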

docs/quickstart/dind.md

Lines changed: 1 addition & 1 deletion
@@ -521,7 +521,7 @@ There are a couple of caveats to keep in mind here:
521521

522522
- A host directory bind-mounted into the system container's `/var/lib/docker` must
523523
only be mounted on a **single system container at any given time**. This is
524-
a restriction imposed by the Docker daemon, which does not allow its image
524+
a restriction imposed by the inner Docker daemon, which does not allow its image
525525
cache to be shared concurrently among multiple daemon instances. Sysbox will
526526
check for violations of this rule and report an appropriate error during
527527
system container creation.
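Review bot: line 524+ correctly attributes the restriction to the inner Docker daemon, but the caveat still gives the reader nothing to recognize the failure by: "report an appropriate error during system container creation" (526/527) should quote, or at least paraphrase, the actual error text so an operator hitting it can tie it back to this rule. Consider also naming the product consistently: the README changes in this same commit say "Sysbox-EE", while this paragraph says "Sysbox".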

0 commit comments
