3

Does systemd-nspawn do special inside to a chroot or does it just provide a different method of running chroot + the appropriate ro --bind mounts for proc, sys. The docs say,

similar to chroot(1), but more powerful since it fully virtualizes the file system hierarchy, as well as the process tree, the various IPC subsystems and the host and domain name

I'm not sure of how any of those are defined,

  • virtualizes the file system hierarchy

    Isn't this what chroot does changing the root?

  • as well as the process tree

    I'm not sure what this means.

  • various IPC subsystems

    What subsystems? Can someone tell me exactly what that means?

  • host and domain name

    I'm not sure what this means either? Isn't this just /proc/sys/kernel/domainname, and /proc/sys/kernel/hostname

I've used chroot and mount --bind scripts. It seems like this is more convince but I'm blurry on any additional functionality. What new things does this provide to me?

Improve this question
1
  • 1
    systemd-nspawn can do almost the equivalent of a full boot (the init system is started, services are started according to the init config, etc.). They're pretty much containers. chroot + bind mounts are not anywhere close to being fully functional containers. Commented Jul 23, 2018 at 1:49

2 Answers 2

Reset to default
5
  • virtualizes the file system hierarchy

It uses mount namespaces. It's more powerful than chroot because you can mount and umount filesystems under your namespace and those will be hidden from the outside, or from other mount namespaces.

Take a look at this article on Linux namespaces (and, in particular, mount namespaces) to have an overview of what they do.

  • as well as the process tree

That means you get new PID numbers inside the namespace. PID 1 inside the namespace could be PID 12001 outside it, PID 40 inside it might be PID 13987 outside it, and so on. In particular, not all PIDs are mapped inside the namespace, so if you use a command such as ps -ef inside it, you'll only see processes that are in that namespace, and not ones from the outside, or from other pid namespaces.

The article mentioned above also gives a nice overview on PID namespaces.

  • various IPC subsystems

Shared memory, semaphores... The stuff shown by the ipcs command. Again, that article I pointed out has a bit more on that. (If you haven't heard of SysV IPC or the ipcs command, you can probably ignore this one.)

  • host and domain name

This is actually the UTS namespace, and once again, that article has more details.

It virtualizes what the uname command returns (you can take a look at uname -a inside the container.) Also, hostname and domainname commands. Yes, the two /proc files you mentioned too.

So, in short, this is telling you that systemd-nspawn is using Linux namespaces to give you container isolation. That's also what other container technologies (such as Docker) employ.

Improve this answer
-1

There is also an important limitation of systemd-nspawn: you can only have one instance at any one time, while chroot allows you to chroot multiple times into the same directory.

That means that if you use systemd-nspawn to "chroot" into a directory, you cannot run it again from e.g. another shell until the first instance exits.

Improve this answer

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.