Create secure simple containers with the systemd tools Nspawnd and Portabled

Isolation Ward

Conclusions

Very few admins are aware of the systemd components Nspawnd and Portabled discussed in this article, and that lack of awareness is a mistake, regardless of your opinion of systemd. If you use one of today's major distributions, chances are your setup already runs systemd. If it is already in place, why not just use it?

Both tools presented here offer genuine added value. Chroot is now considered insecure, and for good reason: several scenarios have been documented for breaking out of a chroot environment. Namespaces in the Linux kernel are not only more modern, but also far more focused on security, and they offer considerable benefits in that respect. If you want to isolate applications, either from each other or from the rest of the system, without having to deal with the complexity of Docker or Podman, it is a very good idea to take a closer look at the systemd add-on Nspawnd.

The same goes for Portabled. Strictly speaking, the idea behind it is nothing other than what the major vendors are currently pursuing with their container strategies: instead of the dependency hell of the usual package managers, cleanly defined container images contain just the bare necessities and otherwise have no external dependencies. Portabled can be forgiven for not following the container mantra "a microarchitecture application in a container," especially considering that Portabled is more likely to be used in classic environments in most cases anyway. In return, you can look forward to more convenience, enhanced security, and better administrability.

Anyone who is concerned about isolating services and securing their systems should definitely have these two standard systemd functions on their radar.

The Author

Freelance journalist Martin Gerhard Loschwitz focuses primarily on topics such as OpenStack, Kubernetes, and Ceph.
