Difference between LXC and systemd-nspawn?

Hello,

can anyone here please describe what differences there are between LXC and systemd-nspawn?

I could only find that systemd-nspawn is simpler, easier to configure and has fewer features. But otherwise I couldn't find any in-depth explanation.

I know that Proxmox uses LXC while TrueNAS Scale has community script for systemd-nspawn.

What are the advantages/disadvantages? Is one more secure than the other? Is there any reason to choose one rather than the other?

I searched really hard but can't find much of anything. And reading source code is beyond my abilities. So I hope maybe someone here has worked with both and can better explain how they differ.

Thanks.

Welcome!

Starting around 20 years ago, there was interest in adding container support to the Linux kernel. That is, just like you can have virtual machines (assisted by hardware features of the CPU), you could have containers that are assisted by Linux kernel features.

The Linux kernel developers, though, did not want to implement specific container features; they wanted to implement primitives that can be used in Linux Containers but also have other uses. It's a smart decision, because it allows for more diverse implementations and it's more future-proof.

The two most important Linux kernel features for use in Linux Containers are namespaces and cgroups. A container is a process tree (a collection of processes in which an initial process starts other auxiliary processes). The host (your main operating system) will launch this process tree and separate it from the rest of the system using those namespaces and cgroups.

Having said that, it is quite easy to develop your own implementation of Linux Containers. And many have implemented their own Linux Containers from scratch.

The differentiating factor of LXC (the implementation that is supported by this project, and not another implementation that shares the lxc name) is that you get the whole infrastructure to easily start launching containers. That is, there are available images that you can select; they are downloaded, and in a few seconds you get a running container.

Personally, I am using Incus, which has an even bigger infrastructure behind it and makes it very easy to launch not only system containers but virtual machines and even application containers (Docker). That is, in most cases you would want something like Incus so that you can get your job done and not struggle to set up images, etc.

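As an added illustration of the "process tree separated by namespaces" that the reply above describes (example code written for this page, not from the original post or from the LXC project): a minimal C program that moves a helper process into new user, PID and UTS namespaces with unshare(2) and forks the tree's first process inside them, where it sees itself as PID 1 and owns a private hostname. It assumes Linux with unprivileged user namespaces permitted; where the kernel configuration or a sandbox policy refuses, it reports that instead of failing. The hostname "demo-container" and the NS_* names are constructed for the example.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/syscall.h>
#include <sys/wait.h>

#define NS_UTS  0x04000000   /* Linux ABI value of CLONE_NEWUTS  */
#define NS_USER 0x10000000   /* Linux ABI value of CLONE_NEWUSER */
#define NS_PID  0x20000000   /* Linux ABI value of CLONE_NEWPID  */
long syscall(long number, ...);                 /* spelled out so no feature macro is needed */
int sethostname(const char *name, size_t len);

enum { NS_ISOLATED = 0, NS_UNSUPPORTED = 1, NS_NOT_ISOLATED = 2, NS_ERROR = 3 };
static const char *demo_host = "demo-container";   /* constructed name for the demo */

/* Runs as the first process of the new tree: must be PID 1 with its own hostname. */
static int tree_init(void) {
    char name[64] = {0};
    if (getpid() != 1) return NS_NOT_ISOLATED;
    if (sethostname(demo_host, strlen(demo_host)) != 0) return NS_NOT_ISOLATED;
    if (gethostname(name, sizeof name - 1) != 0) return NS_ERROR;
    return strcmp(name, demo_host) == 0 ? NS_ISOLATED : NS_NOT_ISOLATED;
}

/* Forks a helper, moves it into new user, PID and UTS namespaces via unshare(2), then forks
 * the tree's init inside them. An unprivileged user only holds capabilities inside the new
 * user namespace, so the host's own hostname and PID view stay untouched. Returns NS_*. */
int run_isolated_tree(void) {
    int status = 0;
    pid_t helper = fork();
    if (helper < 0) return NS_ERROR;
    if (helper == 0) {
        if (syscall(SYS_unshare, NS_USER | NS_PID | NS_UTS) != 0)
            _exit(NS_UNSUPPORTED);  /* refused by kernel config or sandbox policy */
        pid_t init = fork();        /* first child after unshare becomes PID 1 */
        if (init < 0) _exit(NS_ERROR);
        if (init == 0) _exit(tree_init());
        if (waitpid(init, &status, 0) < 0 || !WIFEXITED(status)) _exit(NS_ERROR);
        _exit(WEXITSTATUS(status));
    }
    if (waitpid(helper, &status, 0) < 0 || !WIFEXITED(status)) return NS_ERROR;
    return WEXITSTATUS(status);
}
/* The check a host admin cares about: our own hostname is unchanged afterwards. */
int host_unaffected(void) {
    char before[64] = {0}, after[64] = {0};
    if (gethostname(before, sizeof before - 1) != 0) return 0;
    int r = run_isolated_tree();
    if (gethostname(after, sizeof after - 1) != 0) return 0;
    return (r == NS_ISOLATED || r == NS_UNSUPPORTED) && strcmp(before, after) == 0;
}
```

This covers only the namespace half of the reply's explanation; cgroup limits on the tree are a separate step it does not show.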