You’re comparing apples to oranges. One is a declarative Linux system environment creation solution and the other a daemon that starts sub-system environments using Linux namespaces.
You could in theory use NixOS to define a system environment that you’d run inside of a docker container. It’s a bit harder to get systemd running inside of Docker which NixOS heavily relies on but that’s beside the point. Easier integrations exist for LXD and systemd-nspawn which actually fulfil an equivalent purpose to Docker. The single component that is most comparable to Docker in a typical NixOS deployment would arguably be its init process (systemd), though its use extends far beyond setting up the namespace (the root namespace in this case).
As I understand it, the problem that both Nix and Docker try to solve is “How do I bundle and run this application in such a way that its dependencies are explicitly specified and don’t interfere with anything installed on the host system”.
They have different approaches, but I think that goal is the same?
I also wouldn’t be too sure on that “explicit” part for Docker. It’s somewhat isolated, sure, but everything but explicit: you can download arbitrary data from wherever you like.
You’re comparing apples to oranges. One is a declarative Linux system environment creation solution and the other a daemon that starts sub-system environments using Linux namespaces.
You could in theory use NixOS to define a system environment that you’d run inside of a docker container. It’s a bit harder to get systemd running inside of Docker which NixOS heavily relies on but that’s beside the point. Easier integrations exist for LXD and systemd-nspawn which actually fulfil an equivalent purpose to Docker. The single component that is most comparable to Docker in a typical NixOS deployment would arguably be its init process (systemd), though its use extends far beyond setting up the namespace (the root namespace in this case).
As I understand it, the problem that both Nix and Docker try to solve is “How do I bundle and run this application in such a way that its dependencies are explicitly specified and don’t interfere with anything installed on the host system”.
They have different approaches, but I think that goal is the same?
That’s Nix, not NixOS.
I also wouldn’t be too sure on that “explicit” part for Docker. It’s somewhat isolated, sure, but everything but explicit: you can download arbitrary data from wherever you like.
No, containers further isolate the network and hardware interaction of the process etc
Unless it has changed recently, Docker is not intended to be a security layer as far as I know.