I’ve recently discovered NixOS containers and was wondering if there were any pros/cons of running them vs. Docker containers. Like if one needs to run a containerised service, would it be better to run it as a NixOS container or a Docker container in terms of resource consumption? And are there any limitations of each approach?

  • Chewy · 12 hours ago (edited)

    NixOS containers use systemd-nspawn/systemd containers. Both are using Linux namespaces and cgroups.

    A disadvantage of NixOS containers is that they only support rootful containers, i.e. root inside the container has the same privileges as root outside the container. This is also true for Docker unless configured otherwise.

    OCI containers (Docker, Podman) are often created by upstream themselves, which you might prefer.

    I configure containers by using the podman backend (default) and virtualisation.oci-containers.containers, which supports rootless podman [1]. Imo rootless is the best and most secure way to run containers on NixOS.

    Edit: I prefer NixOS packages if available and only use OCI (Docker) containers if not. The main reason being the simplified declarative configuration through NixOS options, which can also be used inside NixOS containers.

    [1] virtualisation.oci-containers.containers.<name>.podman.user
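The two approaches Chewy describes, written out as one NixOS module. This is an added example, not Chewy's own configuration: the option names are the real NixOS ones (including the podman.user option from footnote [1]), while the container names, the svc user, the addresses, the host path and the image tag are placeholders.

```nix
# Added example (not from the thread): a rootful systemd-nspawn NixOS container
# beside a rootless podman OCI container, both declared in configuration.nix.
{ config, pkgs, ... }:
{
  # 1. Declarative NixOS container (systemd-nspawn). Root inside is root outside,
  #    so treat it as an administrative boundary rather than a security boundary.
  containers.web = {
    autoStart = true;
    privateNetwork = true;          # own network namespace
    hostAddress = "10.233.1.1";     # constructed example addresses
    localAddress = "10.233.1.2";
    ephemeral = true;               # root filesystem is discarded on every restart
    config = { ... }: {
      services.nginx.enable = true;  # same NixOS options as on the host
      networking.firewall.allowedTCPPorts = [ 80 ];
      system.stateVersion = "24.11";
    };
  };

  # 2. OCI container via the podman backend, run rootless as a dedicated user.
  virtualisation.podman.enable = true;
  virtualisation.oci-containers.backend = "podman";

  users.users.svc = {                # placeholder service account
    isNormalUser = true;
    autoSubUidGidRange = true;       # subuid/subgid ranges for the user namespace
    linger = true;                   # keep the user's systemd instance up without a login
  };

  virtualisation.oci-containers.containers.app = {
    image = "docker.io/library/nginx:1.27";           # upstream-built image (placeholder tag)
    podman.user = "svc";                              # the option from footnote [1]
    ports = [ "8080:80" ];                            # unprivileged host port: rootless cannot bind <1024 by default
    volumes = [ "/var/lib/app:/usr/share/nginx/html:ro" ];  # placeholder host path, mounted read-only
  };
}
```

After `nixos-rebuild switch`, `systemctl status container@web` shows the nspawn container and `systemctl status podman-app` the OCI one; the latter's process should appear under the svc user in `ps`, not as root.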