
106 points cl3misch | 3 comments
1. Simran-B No.44385872
Flatpak is considering moving from OSTree to containers, citing the well-maintained tooling as a major plus point. How would that differ from Apptainers?
replies(1): >>44386927
2. Imustaskforhelp No.44386927
Maybe the idea is that flatpak can have better sandbox control over applications running in flatpak using xdg-dbus, i.e. you can select the permissions that you want to give to a flatpak application, and so sometimes it can act near native and not be completely isolated like containers.

Also I am not sure if apptainers are completely isolated.

Though I suppose through tools like https://containertoolbx.org/ such a point also becomes moot, and then I guess if they move to containers, doesn't it sort of become like toolbx?

To be honest, I think a lot of tools can have a huge overlap between them, and I guess that's okay too.

replies(1): >>44390768
3. lotharcable No.44390768
Containers in Linux are more a conceptual collection of different isolation techniques, mostly just based on Linux namespaces. But things like cgroups, Linux capabilities, occasionally MAC (SELinux, etc.) and a few other items often get thrown in the mix.

https://www.redhat.com/en/blog/7-linux-namespaces

After a quick view of the apptainer documentation it looks like it minimally takes advantage of user and mount namespaces. So each apptainer gets its own idea of what the users/groups are and what the file system looks like.

Flatpak is more about desktop application sandboxing. So while it does use user and mount namespaces like apptainer, it takes advantage of more Linux features than that to help enhance the isolation.

Which appears to be the opposite of the point of apptainer. Apptainer wants to use containers that integrate tightly with the rest of the system with very little isolation, whereas Flatpak wants to be maximally isolated with only the permissions necessary for the application.

That isn't to say that apptainer can't use more Linux features to increase isolation. It supports the use of cgroups for resource quotas and can take advantage of different types of namespaces for network isolation among other things.

Now, as far as the "OSTree vs containers" statement you are replying to goes... this is kinda misleading.

OSTree is designed to manage binary files in a way similar to git with text files. It isn't a type of container technology in itself. It's just used for managing how objects on the file system are arranged and managed.

It is used by some flatpak applications, but it is used for things besides flatpak.

The 'containers' he mentioned is really a reference to the OCI container image format.

OCI container images are, again, a way to manage the file system contents typically used in containers. It isn't a container technology itself.

It is like a tarball, but for file system images.

OCI containers are a standardized version of Docker images.

Due to the popularity and ubiquity of OCI image related tools and hosting software, it makes sense for Flatpak to support it.

OCI images, when combined with bootc, can also be used to deploy Linux container images to "bare hardware", which is gaining popularity in helping to create and deploy "immutable" or "atomic" Linux distributions. Fedora Atomic-based OSes seem to be moving to use bootc with OCI over a pure OSTree approach... although they still use OSTree in some capacity.

Incidentally, Apptainer supports the use of OCI images (in addition to its native SIF) as well as other commonly used container technologies like CNI. CNI is the Container Network Interface and is used with Kubernetes among other things.
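The comment above describes user and mount namespaces as the minimum that gives a container "its own idea of what the users/groups are and what the file system looks like". The program below is an added example (not code from the thread, Apptainer or Flatpak) that demonstrates exactly those two namespaces from an unprivileged process: a forked child calls unshare(CLONE_NEWUSER | CLONE_NEWNS), maps its host uid to uid 0 inside the new user namespace, mounts a private tmpfs over /tmp, and writes a marker file there; the parent then checks that the marker is invisible from the host's view. The marker path, the status codes and the result struct are names chosen for this example. Kernels and sandboxes that forbid unprivileged user namespaces make unshare() fail, which the example reports as "unsupported" rather than as an error.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>
#ifdef __linux__
#include <sched.h>
#include <sys/mount.h>
#endif

/* Status codes for this example (names chosen here, not a kernel API). */
enum { NS_DEMO_OK = 0, NS_DEMO_UNSUPPORTED = 1, NS_DEMO_ERROR = 2 };

struct ns_demo_result {
    int status;                 /* one of the NS_DEMO_* codes */
    int uid_inside;             /* getuid() as seen inside the new user namespace */
    int marker_visible_outside; /* 1 if the host view can see the child's marker file */
};

/* Write a short string to a /proc file in a single write(), as uid_map/gid_map require. */
static int write_file(const char *path, const char *text) {
    int fd = open(path, O_WRONLY);
    if (fd < 0) return -1;
    ssize_t n = write(fd, text, strlen(text));
    close(fd);
    return n == (ssize_t)strlen(text) ? 0 : -1;
}

/* Child body: new user + mount namespace, self-mapped to uid/gid 0, private tmpfs on /tmp. */
static int child_body(const char *marker, int *uid_inside) {
#ifdef __linux__
    char map[64];
    uid_t host_uid = getuid();
    gid_t host_gid = getgid();
    /* Any failure here means this kernel/sandbox does not allow unprivileged user namespaces. */
    if (unshare(CLONE_NEWUSER | CLONE_NEWNS) != 0) return NS_DEMO_UNSUPPORTED;
    snprintf(map, sizeof map, "0 %u 1", (unsigned)host_uid);
    if (write_file("/proc/self/uid_map", map) != 0) return NS_DEMO_ERROR;
    /* setgroups must be denied before an unprivileged process may write gid_map (kernel >= 3.19). */
    if (write_file("/proc/self/setgroups", "deny") != 0 && errno != ENOENT) return NS_DEMO_ERROR;
    snprintf(map, sizeof map, "0 %u 1", (unsigned)host_gid);
    if (write_file("/proc/self/gid_map", map) != 0) return NS_DEMO_ERROR;
    *uid_inside = (int)getuid(); /* now 0: this namespace's own idea of who root is */
    /* Stop mount events propagating back to the host, then hide /tmp behind a fresh tmpfs. */
    if (mount(NULL, "/", NULL, MS_REC | MS_PRIVATE, NULL) != 0) return NS_DEMO_ERROR;
    if (mount("tmpfs", "/tmp", "tmpfs", 0, "size=1m") != 0) return NS_DEMO_UNSUPPORTED;
    FILE *f = fopen(marker, "w");
    if (!f) return NS_DEMO_ERROR;
    fputs("created inside the mount namespace\n", f);
    fclose(f);
    return NS_DEMO_OK;
#else
    (void)marker; (void)uid_inside;
    return NS_DEMO_UNSUPPORTED; /* namespaces are Linux-specific */
#endif
}

/* Run the demonstration in a child and report what both sides observed. */
struct ns_demo_result demo_user_mount_ns(void) {
    struct ns_demo_result r = { NS_DEMO_ERROR, -1, -1 };
    char marker[64];
    int fds[2], result[2] = { NS_DEMO_ERROR, -1 };
    snprintf(marker, sizeof marker, "/tmp/ns_demo_marker_%ld", (long)getpid());
    if (pipe(fds) != 0) return r;
    pid_t pid = fork();
    if (pid < 0) return r;
    if (pid == 0) {
        close(fds[0]);
        result[0] = child_body(marker, &result[1]);
        if (write(fds[1], result, sizeof result) != (ssize_t)sizeof result) _exit(1);
        _exit(0);
    }
    close(fds[1]);
    ssize_t n = read(fds[0], result, sizeof result);
    close(fds[0]);
    waitpid(pid, NULL, 0);
    if (n != (ssize_t)sizeof result) return r;
    r.status = result[0];
    r.uid_inside = result[1];
    /* The marker sits on the child's private tmpfs, so the host's /tmp should not show it. */
    r.marker_visible_outside = (access(marker, F_OK) == 0) ? 1 : 0;
    return r;
}

int main(void) {
    struct ns_demo_result r = demo_user_mount_ns();
    if (r.status == NS_DEMO_OK)
        printf("inside: uid=%d; marker visible from host: %s\n",
               r.uid_inside, r.marker_visible_outside ? "yes" : "no");
    else
        printf("user/mount namespace demo %s\n",
               r.status == NS_DEMO_UNSUPPORTED ? "not permitted here" : "failed");
    return 0;
}
```

Build with `cc -o ns_demo ns_demo.c` and run as a normal user. On a kernel that allows unprivileged user namespaces the output shows uid 0 inside and the marker invisible from the host; that is the whole mechanism Apptainer relies on at minimum, and the reason tools such as Flatpak layer cgroups, seccomp and D-Bus filtering on top when stronger isolation is the goal.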