Show HN: Docker Alternative for Secure Microvms
4 points by sankalpnarula 9 hours ago | 2 comments

https://github.com/herd-core/herd

Lately, I have been trying to understand the security aspect of Docker containers, and what I have realized is that all Docker containers share the host's kernel. Any zero-day vulnerability in the kernel can be used to gain access to the host OS.

In order to deal with this, I did some research, and it turns out Amazon has open-sourced the core technology behind their serverless technology, Lambda. But in its current state it's very hard to set up, let alone run anything securely. This technology is called Firecracker microVMs.

It started off as a Go library for creating process pools to just do a simple Firecracker spawn, and turned into a full-fledged host-side daemon.

Deploying a microVM from an image is now as simple as running

`herd deploy --image postgres:latest -p 5432:5432 -e POSTGRES_PASSWORD=postgres`

with boot times of ~500ms.

That brings us to today. I am looking for people to test this out and provide some feedback; I have been warned/cautioned by a lot of friends that building in isolation is a recipe for disaster.

PS: it only works on Linux; macOS doesn't have the required isolation, and I stopped caring about winslop.

traeficc 2 hours ago | parent | next [-]

Did you look at Docker sbx https://docs.docker.com/reference/cli/sbx/ ?

Docker Sandboxes run AI coding agents in isolated microVM sandboxes. Each sandbox gets its own Docker daemon, filesystem, and network; the agent can build containers, install packages, and modify files without touching your host system.

unsnap_biceps 5 hours ago | parent | prev [-]

It might be good to describe why existing solutions (like Kata Containers) weren't a good solution for you.