
systemd-nspawn does the same things as docker, but with much smaller attack surface and can be sandboxed very effectively by the unit files.

The isolation provided by unit files is orthogonal to running containers.

nspawn is not even running a dedicated daemon. Plus, it's no secret that docker was not designed with security in mind and its isolation is bolted on. [1]

Furthermore, systemd is already installed and running on most systems (like it or not).

[1] https://www.cvedetails.com/vendor/13534/Docker.html
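As an added illustration of the per-container sandboxing the comment refers to (this is not part of the original comment and not a systemd project file): a constructed `.nspawn` settings file for a hypothetical container named `web`. The file is read by the corresponding `systemd-nspawn@web.service` unit, and every key below is documented in `systemd.nspawn(5)`; the specific capabilities dropped, syscall groups denied, paths and port numbers are example choices, not recommendations from the page.

```ini
# /etc/systemd/nspawn/web.nspawn   (constructed example; "web" is a hypothetical container name)
# Read by systemd-nspawn@web.service when the container is started, so the
# hardening travels with the container rather than with the command line.

[Exec]
Boot=yes
# Map the container's UID/GID range onto an unprivileged range on the host,
# so root inside the container is an ordinary user outside it.
PrivateUsers=pick
# Remove capabilities from nspawn's default retained set that this
# service container has no use for (example choice).
DropCapability=CAP_SYS_PTRACE CAP_NET_RAW CAP_MKNOD CAP_SYS_BOOT
NoNewPrivileges=yes
# Deny listed syscall groups on top of nspawn's built-in filter
# (leading "~" makes this a deny list).
SystemCallFilter=~@clock @module @raw-io @reboot @swap

[Files]
# Root filesystem is read-only; the only writable state is the bind mount.
ReadOnly=yes
# Host path on the left, container path on the right (constructed paths).
Bind=/srv/web-data:/var/lib/web

[Network]
# Own network namespace; the host network is not reachable directly.
Private=yes
VirtualEthernet=yes
# Forward host port 8080 to port 80 inside the container (example ports).
Port=tcp:8080:80
```

With the file in place, `systemctl enable --now systemd-nspawn@web.service` starts the container under these settings, and `machinectl status web` shows the resulting unit and its namespaces. The point is that each of these restrictions is declared in a plain config file next to the unit rather than negotiated with a long-running privileged daemon; if a setting is too tight for a given image (a read-only root, for example), the failure is visible in the unit's journal when the container boots.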
