Skip to content

feat(guest): add sysbox container runtime v0.6.7#35

Merged
kvinwang merged 6 commits intomainfrom
feat/sysbox-runtime
Feb 9, 2026
Merged

feat(guest): add sysbox container runtime v0.6.7#35
kvinwang merged 6 commits intomainfrom
feat/sysbox-runtime

Conversation

@kvinwang
Copy link
Collaborator

@kvinwang kvinwang commented Feb 7, 2026

Summary

  • Add Nestybox Sysbox v0.6.7 as an alternative container runtime (sysbox-runc, sysbox-fs, sysbox-mgr)
  • Builds from source with verified reproducible builds (identical binaries across clean builds)
  • Register sysbox-runc in Docker daemon config for both standard and NVIDIA images

Details

  • Recipe: dstack-sysbox_0.6.7.bb fetches 7 git repos (sysbox, sysbox-runc, sysbox-fs, sysbox-mgr, sysbox-ipc, sysbox-libs, fuse)
  • Offline compile: do_configure[network]=1 vendors Go deps; do_compile uses -mod=vendor (no network)
  • Protobuf: Pre-generated .pb.go files avoid build-time protoc dependency
  • Fuse fork: Orphaned bazil/fuse commit forked to Dstack-TEE/fuse with named branch sysbox-v0.6.7
  • Kernel: CONFIG_USER_NS=y, CONFIG_CONFIGFS_FS=m added via kernel config fragments
  • Systemd: Three services (sysbox.service, sysbox-fs.service, sysbox-mgr.service) enabled by default

Test plan

  • Recipe builds successfully with bitbake dstack-sysbox
  • Reproducibility verified: two clean builds (with cleansstate) produce identical md5 hashes for all 3 binaries

@kvinwang kvinwang mentioned this pull request Feb 7, 2026
Open
2 tasks
@kvinwang
feat(guest): add sysbox container runtime v0.6.7
71d9054 
Add Nestybox Sysbox as an alternative container runtime, enabling
rootless containers to run workloads like Systemd, Docker, and
Kubernetes inside containers.

Recipe builds sysbox-runc, sysbox-fs, and sysbox-mgr from source with
reproducible builds verified (identical binaries across clean builds).

Key design decisions:
- Network access only in do_configure (go mod vendor); do_compile is
  fully offline with -mod=vendor
- Pre-generated protobuf .pb.go files to avoid protoc build dependency
- Orphaned bazil/fuse commit forked to Dstack-TEE/fuse with named branch
- Kernel configs: CONFIG_USER_NS=y, CONFIG_CONFIGFS_FS=m
- Docker daemon configured with sysbox-runc runtime
@kvinwang kvinwang force-pushed the feat/sysbox-runtime branch from 7bdd26a to 71d9054 Compare February 8, 2026 00:12
@kvinwang
chore: trigger CI review
500a531
@kvinwang
fix(sysbox): adapt services for dm-verity read-only rootfs
9a4f0f6 
- Remove --log file paths (rootfs is read-only), output to journal+console
- Add rsync and fuse to RDEPENDS (required by sysbox-mgr and sysbox-fs)
- Pre-create /etc/subuid and /etc/subgid entries via pkg_postinst
- Add After=dstack-prepare.service so sysbox starts after /etc overlay
- Bind-mount sysbox data dir to persistent storage (overlayfs not allowed)
kvinwang
kvinwang commented Feb 8, 2026
View reviewed changes
@kvinwang
docs(sysbox): add comments explaining sysctl values
4057785
@kvinwang
refactor: move sysbox bind-mount from service into dstack-prepare
4790f5e 
Move the sysbox persistent storage bind-mount from sysbox-mgr.service
ExecStartPre into dstack-prepare.sh, alongside docker and containerd
mounts. This keeps all container runtime storage mounts in one place.
@kvinwang
Update dstack/ submodule
af0eb9d
@kvinwang kvinwang merged commit 87ec15e into main Feb 9, 2026
2 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@kvinwang