A Docker-based installer for Sysbox on read-only dstack systems.
cd installer
chmod +x build.sh
./build.sh sysbox-installer latest

Single command installation in a CVM:
docker run --rm --privileged --pid=host --net=host -v /:/host \
sysbox-installer:latest

That's it! The installer will:
- Check for existing installations
- Build and install Sysbox from source
- Handle /etc volatile overlay mount preserving configs
- Configure Docker runtime using Sysbox's official script
- Create transient systemd services and start daemons
docker run -it --rm --privileged --pid=host --net=host -v /:/host \
sysbox-installer:latest bash

Then run: /usr/local/bin/install-sysbox-complete.sh
docker run --rm sysbox-installer:latest cat /usr/local/share/BUILD_INFO

# Basic system container
docker run --runtime=sysbox-runc -it ubuntu bash
# Docker-in-Docker
docker run --runtime=sysbox-runc -d --name docker-container docker:dind
# Kubernetes-in-Docker
docker run --runtime=sysbox-runc -d --name k8s-node kindest/node:latest

# Check status
systemctl status sysbox-mgr sysbox-fs
# Restart services
systemctl restart sysbox-mgr sysbox-fs
# View logs
journalctl -u sysbox-mgr -u sysbox-fs

installer/
├── build.sh                          # Build script
├── README.md                         # This file
├── docker/
│   └── Dockerfile                    # Multi-stage build with source compilation
└── scripts/
    ├── install-sysbox-complete.sh    # Main installation script
    ├── verify-downloads.sh           # SHA256 verification for downloads
    ├── sysbox-mgr.service            # systemd service for sysbox-mgr
    └── sysbox-fs.service             # systemd service for sysbox-fs

- Checks existing installation - Detects and reports existing Sysbox installations
- Copies binaries - Places Sysbox binaries in /usr/bin (writable location)
- Sets up /etc overlay - Creates volatile overlay preserving existing configs (WireGuard, Docker)
- Creates symlinks - Links fusermount, modprobe, iptables for Sysbox requirements
- Configures Docker - Uses Sysbox's official docker-cfg script to properly merge runtime configuration
- Creates systemd services - Installs transient service files in /run/systemd/system
- Starts services - Starts Sysbox manager and filesystem daemons

- Sysbox data: /dstack/persistent/sysbox-data
- Binaries: /usr/bin

- All downloads verified with SHA256 checksums
- Sysbox built from official Git repository (recursive clone)
- Uses specific version tags (v0.6.7)
- Proper systemd service isolation
systemctl status sysbox-mgr sysbox-fs
journalctl -u sysbox-mgr -u sysbox-fs

docker info | grep -A5 Runtimes

docker run --runtime=sysbox-runc --rm alpine echo "Test successful"

systemctl stop sysbox-mgr sysbox-fs
systemctl disable sysbox-mgr sysbox-fs
rm -f /run/systemd/system/sysbox-*.service
systemctl daemon-reload
umount /etc # If volatile overlay mounted
rm -rf /dstack/persistent/sysbox-*

- Docker installed and running
- Privileged container execution
- dstack system with ZFS persistent storage
- systemd for service management
Releases are automated via GitHub Actions with sigstore attestation:
- Tag a new version:
  git tag v1.0.0
  git push origin v1.0.0
- The workflow will automatically:
  - Build the Docker image
  - Push to Docker Hub
  - Generate sigstore attestation
  - Create a GitHub release
All released images are signed with sigstore for supply chain security:
# Install cosign
curl -O -L "https://github.com/sigstore/cosign/releases/latest/download/cosign-linux-amd64"
sudo mv cosign-linux-amd64 /usr/local/bin/cosign
sudo chmod +x /usr/local/bin/cosign
# Verify the image (replace YOUR_ORG, VERSION and DIGEST)
# The regexp is single-quoted and its dots are escaped so that "." matches only a literal dot
cosign verify-attestation \
--type https://slsa.dev/provenance/v1 \
--certificate-identity-regexp '^https://github\.com/YOUR_ORG/dstack-sysbox-installer/\.github/workflows/release\.yml@refs/tags/vVERSION$' \
--certificate-oidc-issuer https://token.actions.githubusercontent.com \
docker.io/YOUR_ORG/dstack-sysbox-installer@sha256:DIGEST

You can also verify on Sigstore Search.
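
A wrapper that ties the verification step above to the privileged run, as an added example (not the project's code): it accepts only a digest-pinned reference, builds the identity regexp with escaped dots, and starts the installer only if `cosign verify-attestation` succeeds. The function names and the ORG, VERSION and DIGEST arguments are assumptions; the image path follows the page's `YOUR_ORG` placeholder form.

```sh
#!/bin/sh
# Added example, not the project's code. org, version and digest are supplied
# by the caller; the image name follows the page's YOUR_ORG placeholder form.

# Succeeds only for repo@sha256:<64 hex>; a mutable tag such as :latest fails.
is_digest_pinned() {
  case "$1" in *[!a-z0-9./_@:-]*) return 1 ;; esac
  printf '%s\n' "$1" | grep -Eq '^[a-z0-9./_-]+@sha256:[0-9a-f]{64}$'
}

# Prints an anchored certificate-identity regexp for one org and one version.
# Inputs are validated first, then dots are escaped so "." matches only a dot.
identity_regexp() {
  case "$1" in '' | *[!A-Za-z0-9-]*) return 1 ;; esac
  case "$2" in *[!0-9.]*) return 1 ;; esac
  printf '%s\n' "$2" | grep -Eq '^[0-9]+\.[0-9]+\.[0-9]+$' || return 1
  ver=$(printf '%s\n' "$2" | sed 's/\./\\./g')
  printf '^https://github\\.com/%s/dstack-sysbox-installer' "$1"
  printf '/\\.github/workflows/release\\.yml@refs/tags/v%s$\n' "$ver"
}

# Verifies provenance, then runs that exact digest with the page's flags.
verified_install() {
  image="docker.io/$1/dstack-sysbox-installer@sha256:$3"
  is_digest_pinned "$image" || { echo "not a digest-pinned reference" >&2; return 2; }
  id_re=$(identity_regexp "$1" "$2") || { echo "bad org or version" >&2; return 2; }
  cosign verify-attestation \
    --type https://slsa.dev/provenance/v1 \
    --certificate-identity-regexp "$id_re" \
    --certificate-oidc-issuer https://token.actions.githubusercontent.com \
    "$image" >/dev/null || { echo "attestation check failed" >&2; return 3; }
  docker run --rm --privileged --pid=host --net=host -v /:/host "$image"
}

# Usage: sh verified-install.sh ORG VERSION DIGEST
if [ "$#" -eq 3 ]; then verified_install "$@"; fi
```

Because the container gets `--privileged`, `--pid=host` and the host root mounted at `/host`, running the verified digest rather than a tag ensures the image that was checked is the image that executes.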
For issues with the installer, check:
- Docker daemon is running
- Container has privileged access
- /dstack/persistent/ is available and writable
- systemd is available on the host
For Sysbox issues, see: https://github.com/nestybox/sysbox