I’ve recently discovered NixOS containers and was wondering if there were any pros/cons of running them vs. Docker containers. Like if one needs to run a containerised service, would it be better to run it as a NixOS container or a Docker container in terms of resource consumption? And are there any limitations of each approach?
The main advantage of NixOS containers, to my limited understanding, is that since they are built by Nix, all dependencies are updated with nixpkgs (no woefully out of date stuff in one of the layers of the container image) and you can pin these if you need to.
I’d like to understand the differences and similarities between the two better too though.
NixOS containers use systemd-nspawn (systemd containers). Both are using Linux namespaces and cgroups.
A disadvantage of NixOS containers is that they only support rootful containers, i.e. root inside the container has the same privileges as root outside the container. This is also true for Docker unless configured otherwise.
OCI containers (Docker, Podman) are often created by upstream themselves, which you might prefer.
I configure containers by using the podman backend (default) and virtualisation.oci-containers.containers, which supports rootless podman [1]. Imo rootless is the best and most secure way to run containers on NixOS.

Edit: I prefer NixOS packages if available and only use OCI (Docker) containers if not. The main reason being the simplified declarative configuration through NixOS options, which can also be used inside NixOS containers.
[1] virtualisation.oci-containers.containers.<name>.podman.user
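To make the comparison in the two replies above concrete, here is an added example (not from the thread, and not NixOS project code) of a single NixOS module that declares the same nginx service both ways: once as a systemd-nspawn NixOS container (rootful, shares the host's nixpkgs pin) and once as an OCI container run by rootless podman through the option cited in [1]. The names web-nspawn, web-oci and webctr, the 10.233.1.x addresses, the image tag and the stateVersion are all assumptions chosen for the example.

```nix
# Added example, not from the thread. Assumed names: NixOS container
# "web-nspawn", OCI container "web-oci", service user "webctr".
{ config, pkgs, ... }:

{
  ###########################################################################
  # 1. NixOS container (systemd-nspawn). Built from the same nixpkgs as the
  #    host, so a host update updates everything inside it. Root inside the
  #    container is root on the host, so the boundary isolates filesystem
  #    and network, not privilege.
  ###########################################################################
  containers.web-nspawn = {
    autoStart = true;
    ephemeral = true;            # fresh root filesystem on every start, no drift
    privateNetwork = true;       # own network namespace, veth pair to the host
    hostAddress = "10.233.1.1";  # assumed addresses
    localAddress = "10.233.1.2";

    # The full NixOS module system is available inside the container.
    config = { ... }: {
      system.stateVersion = "24.11";   # assumption: match your release
      services.nginx = {
        enable = true;
        virtualHosts."localhost".root = "/var/www";
      };
      networking.firewall.allowedTCPPorts = [ 80 ];
    };
  };

  ###########################################################################
  # 2. OCI container via podman, started as an unprivileged user (rootless):
  #    root inside the container maps to an unprivileged UID on the host.
  ###########################################################################
  virtualisation.podman.enable = true;
  virtualisation.oci-containers.backend = "podman";  # podman is the default

  users.users.webctr = {
    isNormalUser = true;
    autoSubUidGidRange = true;   # allocate /etc/subuid and /etc/subgid ranges
  };

  virtualisation.oci-containers.containers.web-oci = {
    image = "docker.io/library/nginx:1.27";  # placeholder tag; pin a digest
    podman.user = "webctr";                  # option from [1]: run rootless
    ports = [ "8080:80" ];                   # unprivileged host port
    volumes = [ "/var/www:/usr/share/nginx/html:ro" ];
  };
}
```

After nixos-rebuild, machinectl status web-nspawn shows the nspawn container's processes owned by host root, while running podman info --format '{{.Host.Security.Rootless}}' as webctr should print true for the OCI side. That difference is the rootful/rootless point made above; the resource cost of the two is similar because both are namespaces plus cgroups, the OCI path just carries its own image layers instead of host store paths.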