I’ve recently discovered NixOS containers and was wondering if there were any pros/cons of running them vs. Docker containers. Like if one needs to run a containerised service, would it be better to run it as a NixOS container or a Docker container in terms of resource consumption? And are there any limitations of each approach?
NixOS containers use systemd-nspawn / systemd containers. Both use Linux namespaces and cgroups.
A disadvantage of NixOS containers is that they only support rootful containers, i.e. root inside the container has the same privileges as root outside the container. This is also true for Docker unless configured otherwise.
OCI containers (Docker, Podman) are often created by upstream themselves, which you might prefer.
I configure containers by using the podman backend (default) and virtualisation.oci-containers.containers, which supports rootless podman [1]. Imo rootless is the best and most secure way to run containers on NixOS.

Edit: I prefer NixOS packages if available and only use OCI (Docker) containers if not. The main reason is the simplified declarative configuration through NixOS options, which can also be used inside NixOS containers.

[1] virtualisation.oci-containers.containers.<name>.podman.user
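As an added illustration (not the poster's own configuration), the two approaches the post contrasts side by side: a rootless OCI container via the podman backend and the option cited in [1], next to a declaratively configured NixOS container. It assumes a hypothetical host user "svc" and a placeholder image name; the linger/subuid settings are what rootless podman needs in my experience and are marked as assumptions in the comments.

```nix
# Added example, not from the thread. Assumes a hypothetical host user "svc"
# and a placeholder image; adjust names, addresses and stateVersion to taste.
{ config, pkgs, ... }:
{
  # --- A: rootless OCI container (podman backend, default) ------------------
  virtualisation.podman.enable = true;
  virtualisation.oci-containers.backend = "podman";

  # Host account the container runs as. Rootless podman maps container uids
  # onto a subordinate uid/gid range of this user, so "root" inside the
  # container is only this unprivileged user on the host.
  users.users.svc = {
    isNormalUser = true;
    autoSubUidGidRange = true;   # assumption: needed for the uid/gid mapping
    linger = true;               # assumption: keeps the user's systemd
                                 # instance (and its services) up without a login
  };

  virtualisation.oci-containers.containers.web = {
    image = "example.invalid/web:1.0";   # placeholder, not a real image
    podman.user = "svc";                 # the option referenced in [1]
    ports = [ "127.0.0.1:8080:8080" ];   # unprivileged port, loopback only
    autoStart = true;
  };

  # --- B: NixOS container (systemd-nspawn), configured with NixOS options ---
  # Rootful by construction: uid 0 inside is uid 0 on the host, so review the
  # container's config with the same care as host config and keep it small.
  containers.web-nix = {
    autoStart = true;
    privateNetwork = true;               # own network namespace
    hostAddress = "10.233.1.1";
    localAddress = "10.233.1.2";
    config = { ... }: {
      services.nginx.enable = true;
      networking.firewall.allowedTCPPorts = [ 80 ];
      system.stateVersion = "24.05";
    };
  };
}
```

With both in configuration.nix, `nixos-rebuild switch` creates a user-level podman service for A and an nspawn machine (visible with `machinectl list`) for B.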
Damn, didn’t know it was rootful only. Work is going nuts atm about non-zero userId in containers.
There goes my idea about solving some of our packaging and distribution problems with nix build.
Just to make sure, it’s the rootless daemon?
Also, another option for OP: a NixOS base image Docker container.