30 open-source projects similar to nestybox/sysbox, ranked by how many features they have in common. Compare stars, activity and what each one does to find the best Sysbox alternative.
LXC is an OS-level virtualization framework and Linux container manager used to run multiple isolated Linux systems on a single host. It functions as a kernel namespace orchestrator and unprivileged container runtime, allowing for the creation and management of system containers without the overhead of a hypervisor. The project provides unprivileged container execution by mapping container root users to unprivileged host users to prevent host system access. It ensures security through system call filtering and root user isolation, enabling containers to run without requiring host root privile
runc is a command-line utility for spawning and running containers on Linux systems according to the Open Container Initiative specification. It serves as a low-level container execution engine that interfaces directly with the host operating system to manage the lifecycle of isolated processes. The tool functions as a Linux process containerizer, utilizing kernel features such as namespaces for process isolation and control groups for resource governance. It enforces security by restricting processes to specific directory trees and dropping unnecessary kernel privileges to minimize the attac
Bubblewrap is a Linux sandbox runner that creates lightweight, isolated execution environments for running untrusted applications. It combines Linux user, mount, network, PID, and UTS namespaces with seccomp-BPF system call filtering to restrict filesystem, network, process, and inter-process communication access. The project provides comprehensive process isolation by giving each sandbox its own private tmpfs root with selective bind-mounts, a separate network stack containing only a loopback interface, an independent process ID space, and remapped user and group identifiers. It applies secc
crun is a low-level container runtime that implements the Open Container Initiative specification for managing the lifecycle of isolated processes. It provides the core mechanisms for container creation, execution, and deletion, ensuring compatibility across platforms through standardized lifecycle management. The project distinguishes itself by offering a shared C library that allows container runtime operations to be embedded directly into other compiled applications. It further extends execution capabilities through specialized handlers that enable the deployment of containers within isola
Youki is a low-level container runtime written in Rust that creates and manages isolated containers according to Open Container Initiative specifications. It serves as an execution engine that can function as a rootless container manager or a pluggable Kubernetes CRI runtime to manage pods and containers within a cluster. The project distinguishes itself by providing a Wasm container runtime capable of executing WebAssembly modules as isolated workloads compatible with standard orchestration tools. It further supports a rootless execution model, allowing isolated environments to start as non-
Kubernetes controller for GitHub Actions self-hosted runners
CRI-O is an open-source container runtime that implements the Kubernetes Container Runtime Interface (CRI) to manage container images, pods, and containers on cluster nodes using OCI-compatible runtimes. It serves as a node-level container manager that handles image pulling, container lifecycle, and resource monitoring for Kubernetes clusters, running containers according to the Open Container Initiative specifications. The runtime distinguishes itself through live configuration reloading that applies changes to runtime definitions, registry mirrors, and TLS certificates without restarting th
Incus is a unified orchestration platform for managing system containers, OCI application containers, and virtual machines through a single control plane. It brings together cluster infrastructure management, secure multi-tenancy, software-defined networking, and pluggable storage backend orchestration into one cohesive system exposed via a full REST API and command-line interface. What distinguishes Incus is its ability to run multiple instance types side by side—full Linux system containers, OCI application containers, and QEMU virtual machines—all managed with consistent tooling. Networkin
LXD is a unified platform for managing both system containers and virtual machines through a single REST API and command-line interface. It provides a programmatic HTTP interface for controlling the full lifecycle of instances, enabling automation and integration with external tools. The system runs unprivileged containers with per-instance UID/GID mappings, seccomp filters, and AppArmor profiles for kernel-level isolation, while supporting multiple storage backends including directory, Btrfs, LVM, ZFS, Ceph, LINSTOR, and TrueNAS through a unified driver interface. The platform distinguishes
Firejail is a Linux application sandbox and kernel security wrapper that isolates untrusted applications from the host system. It uses kernel namespaces and seccomp filters to restrict filesystem access, drop kernel capabilities, and limit the system attack surface. The project is distinguished by its use of predefined security profiles to automatically apply filesystem restrictions and syscall limits based on the executable being launched. It provides specialized isolation for portable packages such as AppImages and implements X11 display isolation via proxy servers to prevent keyboard loggi
Open Multi-Agent is a TypeScript framework for multi-agent orchestration that decomposes natural language goals into a runtime-generated directed acyclic graph of tasks. It functions as a task orchestrator and workflow state manager, coordinating multiple AI models to execute parallel and sequential operations. The framework is distinguished by a proposer-judge consensus protocol used to validate agent outputs through a quorum of agreement. It employs provider-agnostic model routing to assign specific models to tasks based on roles or execution phases and utilizes state-based workflow checkpo
Rancher OS is a cloud-native, container-optimized Linux distribution designed to host and manage containerized workloads with a small host footprint. It functions as a Docker-based operating system that runs core system services and user applications as containers. The system implements an immutable infrastructure workflow by deploying the entire operating system as a set of read-only images. To prevent configuration drift and ensure a consistent boot state, the primary system partition is mounted as read-only, while persistent settings and user data are stored on a separate writable configur
Afero is a Go library that provides a unified filesystem abstraction, allowing applications to interact with local disk, in-memory storage, cloud services, archives, and remote systems through a single, consistent interface. At its core, it defines a standard interface that all filesystem backends implement, enabling developers to swap storage implementations without changing application code. The library distinguishes itself through its composable architecture, which includes layered filesystem composition for creating cached, sandboxed, or restricted storage views. It offers a copy-on-write
OpenHuman is an AI application framework for building private intelligence systems and personal AI layers. It provides a system for deploying private AI assistants that execute technical tasks and manage personal knowledge bases. The project features a model-agnostic request proxy that routes AI workloads to different large language models based on requirements for reasoning, speed, or vision. It integrates an OAuth-driven data integrator to synchronize personal information from external services into a local knowledge base composed of hierarchical Markdown summaries. The framework also inclu
Automaxprocs is a Go runtime configuration tool and CPU quota manager designed to automatically align the maximum number of operating system threads with the CPU resources available to a Linux container. It functions as a resource optimizer that ensures the Go runtime respects the constraints of containerized environments. The project specifically manages the alignment of process counts with Completely Fair Scheduler quotas. It enables Go applications to maintain stable performance across various container sizes by dynamically adjusting the runtime processor count to match allocated resources
Dify-sandbox is a secure runtime environment designed for the execution of untrusted code snippets. It functions as a containerized sandbox that isolates processes from the host operating system, ensuring that arbitrary scripts can be run without granting them unauthorized access to sensitive data or critical system resources. The project distinguishes itself through a multi-layered security approach that combines kernel-level isolation with strict resource management. By utilizing Linux namespaces and container-based process isolation, it partitions system resources to maintain visibility bo
This project provides containerized distribution templates and images for deploying a media server. It enables the operation of a media server within Docker or Kubernetes environments, utilizing package management charts to streamline installation and management of home cinema libraries. The project focuses on high-performance video processing through hardware accelerated transcoding, which is achieved by passing through graphics processing unit devices to the container. It ensures data persistence by mapping host directories for configuration databases and large-scale media libraries. The s
Bubblewrap is an unprivileged sandbox execution utility for Linux that isolates processes from the host system. It creates secure environments by leveraging Linux namespaces to separate system resources, including network, PID, and IPC stacks. The project distinguishes itself by enabling the execution of untrusted software without requiring root privileges on the host machine. It prevents privilege escalation by disabling the execution of setuid binaries and uses user identity mapping to isolate process permissions from the host operating system. The tool manages a comprehensive security sur
Isolate is a low-level sandbox designed to execute untrusted programs within a strictly controlled environment. It functions as a process isolation engine that prevents potentially harmful code from interacting with or damaging the host operating system. The tool leverages Linux kernel primitives, including namespaces and control groups, to partition system resources and enforce hardware usage boundaries. By applying filesystem virtualization and system call filtering, it restricts the visibility and interaction of a process with the host, ensuring that untrusted applications operate only wit
Vagga is a containerization tool without daemons
Youki is an OCI container runtime written in Rust. It implements the Open Container Initiative runtime specification to manage the lifecycle of containerized processes and ensure compatibility with standard container images and engines. The runtime is designed for memory safety and supports rootless container execution, allowing containers to run as non-root users to reduce security risks and limit privilege escalation. It provides core container management capabilities, including spawning and managing OCI containers. This is achieved through Linux namespace isolation, cgroup-based resource
.. image:: https://travis-ci.org/01org/cc-oci-runtime.svg?branch=master :target: https://travis-ci.org/01org/cc-oci-runtime
Libpod is a container management library for running and controlling the lifecycle of Open Container Initiative compliant containers and images across different storage backends. It provides a programmatic interface for the remote control and automation of container environments. The project enables the coordination of multiple containers into pods that share network namespaces and other shared resources. It supports rootless container execution by using user namespaces to launch containers without administrative privileges. The library covers a broad range of system operations, including im
Bocker is a minimal container management tool written in Bash that implements core container functionality using Linux namespaces and control groups. It serves as a Linux container manager capable of starting and managing isolated processes and images through low-level kernel features. The project includes an OCI image tool for pulling, saving, and building container images compatible with industry standards. It further integrates a cgroup resource controller to restrict CPU and memory consumption for isolated processes. The tool covers the full container lifecycle, including process isolati
A basic user tool to execute simple docker containers in batch or interactive systems without root privileges.
rkt is a secure Linux container engine and pod-native container manager. It provides a composable execution environment for launching and managing isolated application containers on Linux, serving as a runtime designed around open industry standards for image formats and networking interfaces. The system is distinguished by a pod-native execution model that groups multiple containers and shared resources into single, self-contained units. It utilizes pluggable execution engines to provide secure isolation, including the use of hardware-based virtualization to create security boundaries betwee