Thanks! Performance-wise, we've not noticed any reduction in performance compared to a regular container, mainly because Sysbox sits on some control-path operations (e.g., accesses to /proc/sys, the mount syscall, etc.) but is really not intercepting anything on the datapath. For example, deploying K8s inside a system container takes < 40 seconds on my laptop, the same as it takes with K8s.io KinD, which uses the OCI runc (with privileged containers). Having said this, we've not done a thorough perf analysis yet.
As far as using this in production, the software is well tested but has not been used in production to the best of our knowledge. It has room to mature still, both in terms of functionality and security, but it's in pretty good shape already. We hope open-sourcing it allows it to mature faster.
We are out of the critical path, meaning we only emulate interactions with procfs / sysfs, and we only intercept mount syscalls at the moment, so we don't see any tangible performance hit. Having said that, we haven't done large scaling & perf tests yet.
And as far as limitations go, there are a few; here is a list: https://github.com/nestybox/sysbox/blob/master/docs/user-gui... . We hope to remove some of these as the product matures too.