gvisor VS firecracker

Compare gvisor vs firecracker and see what are their differences.

InfluxDB - Purpose built for real-time analytics at any scale.
InfluxDB Platform is powered by columnar analytics, optimized for cost-efficient storage, and built with open data standards.
www.influxdata.com
featured
SaaSHub - Software Alternatives and Reviews
SaaSHub helps you find the best software and product alternatives
www.saashub.com
featured
gvisor firecracker
70 76
15,544 25,076
0.9% 1.4%
9.9 9.9
about 15 hours ago 2 days ago
Go Rust
Apache License 2.0 Apache License 2.0
The number of mentions indicates the total number of mentions that we've tracked plus the number of user suggested alternatives.
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.

gvisor

Posts with mentions or reviews of gvisor. We have used some of these posts to build our list of alternatives and similar projects. The last one was on 2024-07-25.
  • Unfashionably secure: why we use isolated VMs
    6 projects | news.ycombinator.com | 25 Jul 2024
    If you think about it virtualization is just a narrowing of the application-kernel interface. In a standard setting the application has a wide kernel interface available to it with dozens (ex. seccomp) to 100's of syscalls. A vulnerablility in any one of which could result in complete system compromise.

    With virtualization the attack surface is narrowed to pretty much just the virtualization interface.

    The problem with current virtualization (or more specifically, the VMM's) is that it can be cumbersome, for example memory management is a serious annoyance. The kernel is built to hog memory for cache and etc. but you don't want the guest to be doing that - since you want to overcommit memory as guests will rarely use 100% of what is given to them (especially when the guest is just a jailed singular application), workarounds such as free page reporting and drop_caches hacks exist.

    I would expect eventually to see high performance custom kernels for a application jails - for example: gVisor[1] acts as a syscall interceptor (and can use KVM too!) and a custom kernel. Or a modified linux kernel with patched pain points for the guest.

    [1] <https://gvisor.dev/>

  • Syd the perhaps most sophisticated sandbox for Linux
    1 project | news.ycombinator.com | 17 Jul 2024
  • Hacking Alibaba Cloud's Kubernetes Cluster
    3 projects | dev.to | 1 Jul 2024
    Hillai: Following our research, Alibaba took several steps to address the vulnerabilities we discovered. They limited image pull secret permissions to read-only access, preventing unauthorized uploads. Additionally, they implemented a secure container technology similar to Google's gVisor project. This technology hardens containers and makes them more difficult to escape from, adding another layer of security.
  • We Improved the Performance of a Userspace TCP Stack in Go by 5X
    4 projects | news.ycombinator.com | 5 Jun 2024
    If you want to use netstack without Bazel, just use the go branch:

    https://github.com/google/gvisor/tree/go

    go get gvisor.dev/gvisor/pkg/tcpip@go

    The go branch is auto generated with all of the generated code checked in.

  • My VM is lighter (and safer) than your container
    12 projects | news.ycombinator.com | 14 May 2024
  • Maestro: A Linux-compatible kernel in Rust
    7 projects | news.ycombinator.com | 3 Jan 2024
    Isn't gVisor kind of this as well?

    "gVisor is an application kernel for containers. It limits the host kernel surface accessible to the application while still giving the application access to all the features it expects. Unlike most kernels, gVisor does not assume or require a fixed set of physical resources; instead, it leverages existing host kernel functionality and runs as a normal process. In other words, gVisor implements Linux by way of Linux."

    https://github.com/google/gvisor

  • Google/Gvisor: Application Kernel for Containers
    3 projects | news.ycombinator.com | 2 Jan 2024
  • GVisor: OCI Runtime with Application Kernel
    1 project | news.ycombinator.com | 2 Jan 2024
  • How to Escape a Container
    4 projects | news.ycombinator.com | 20 Dec 2023
  • Faster Filesystem Access with Directfs
    1 project | news.ycombinator.com | 28 Jul 2023
    This sort of feels like seeing someone riding a bike and saying: why don’t they just get a car? The simple fact is that containers and VMs are quite different. Whether something uses VMX and friends or not is also a red herring, as gVisor also “rolls it own VMM” [1].

    [1] https://github.com/google/gvisor/tree/master/pkg/sentry/plat...

firecracker

Posts with mentions or reviews of firecracker. We have used some of these posts to build our list of alternatives and similar projects. The last one was on 2024-07-07.
  • I'm Funding Ladybird Because I Can't Fund Firefox
    7 projects | news.ycombinator.com | 7 Jul 2024
    What he said is true, AWS uses Rust heavily in some of AWS core systems https://aws.amazon.com/blogs/devops/why-aws-is-the-best-plac....

    Some of the open source projects you can find are AWS Firecracker https://github.com/firecracker-microvm/firecracker and Cloudflare Pingora https://github.com/cloudflare/pingora

  • Lambda Internals: Why AWS Lambda Will Not Help With Machine Learning
    1 project | dev.to | 25 Apr 2024
    This architecture leverages microVMs for rapid scaling and high-density workloads. But does it work for GPU? The answer is no. You can look at the old 2019 GitHub issue and the comments to it to get the bigger picture of why it is so.
  • Show HN: Add AI code interpreter to any LLM via SDK
    5 projects | news.ycombinator.com | 12 Apr 2024
    Hi, I'm the CEO of the company that built this SDK.

    We're a company called E2B [0]. We're building and open-source [1] secure environments for running untrusted AI-generated code and AI agents. We call these environments sandboxes and they are built on top of micro VM called Firecracker [2].

    You can think of us as giving small cloud computers to LLMs.

    We recently created a dedicated SDK for building custom code interpreters in Python or JS/TS. We saw this need after a lot of our users have been adding code execution capabilities to their AI apps with our core SDK [3]. These use cases were often centered around AI data analysis so code interpreter-like behavior made sense

    The way our code interpret SDK works is by spawning an E2B sandbox with Jupyter Server. We then communicate with this Jupyter server through Jupyter Kernel messaging protocol [4].

    We don't do any wrapping around LLM, any prompting, or any agent-like framework. We leave all of that on users. We're really just a boring code execution layer that sats at the bottom that we're building specifically for the future software that will be building another software. We work with any LLM. Here's how we added code interpreter to Claude [5].

    Our long-term plan is to build an automated AWS for AI apps and agents.

    Happy to answer any questions and hear feedback!

    [0] https://e2b.dev/

    [1] https://github.com/e2b-dev

    [2] https://github.com/firecracker-microvm/firecracker

    [3] https://e2b.dev/docs

    [4] https://jupyter-client.readthedocs.io/en/latest/messaging.ht...

    [5] https://github.com/e2b-dev/e2b-cookbook/blob/main/examples/c...

  • Fly.it Has GPUs Now
    5 projects | news.ycombinator.com | 13 Feb 2024
    As far as I know, Fly uses Firecracker for their VMs. I've been following Firecracker for a while now (even using it in a project), and they don't support GPUs out of the box (and have no plan to support it [1]).

    I'm curious to know how Fly figured their own GPU support with Firecracker. In the past they had some very detailed technical posts on how they achieved certain things, so I'm hoping we'll see one on their GPU support in the future!

    [1]: https://github.com/firecracker-microvm/firecracker/issues/11...

  • MotorOS: a Rust-first operating system for x64 VMs
    7 projects | news.ycombinator.com | 7 Jan 2024
    I pass through a GPU and USB hub to a VM running on a machine in the garage. An optical video cable and network compatible USB extender brings the interface to a different room making it my primary “desktop” computer (and an outdated laptop as a backup device). Doesn’t get more silent and cool than this. Another VM on the garage machine gets a bunch of hard drives passed through to it.

    That said, hardware passthrough/VFIO is likely out of the current realistic scope for this project. VM boot times can be optimized if you never look for hardware to initialize in the first place. Though they are still likely initializing a network interface of some sort.

    “MicroVM” seems to be a term used when as much as possible is stripped from a VM, such as with https://github.com/firecracker-microvm/firecracker

  • Virtual Machine as a Core Android Primitive
    2 projects | news.ycombinator.com | 5 Dec 2023
    According to their own FAQ it is indeed: https://github.com/firecracker-microvm/firecracker/blob/main...
  • Sandboxing a .NET Script
    1 project | /r/dotnet | 22 Oct 2023
    What about microVMs like firecracker?
  • We Replaced Firecracker with QEMU
    5 projects | news.ycombinator.com | 10 Jul 2023
    Dynamic memory management - Firecracker's RAM footprint starts low, but once a workload inside allocates RAM, Firecracker will never return it to the host system. After running several workloads inside, you end up with an idling VM that consumes 32 GB of RAM on the host, even though it doesn't need any of it.

    Firecracker has a balloon device you can inflate (ie: acquire as much memory inside the VM as possible) and then deflate... returning the memory to the host.

    https://github.com/firecracker-microvm/firecracker/blob/main...

  • I'm looking for a virtual machine that prioritizes privacy and does not include tracking or telemetry.
    1 project | /r/privacy | 5 Jun 2023
  • Neverflow: Set of C macros that guard against buffer overflows
    4 projects | news.ycombinator.com | 2 Jun 2023
    Very few things in those companies are being written in Rust, and half of those projects chose Rust around ideological reasons rather than technical, with plenty of 'unsafe' thrown in for performance reasons

    https://github.com/firecracker-microvm/firecracker/search?q=...

    The fact that 'unsafe' even exists in Rust means it's no better than C with some macros.

    Don't get me wrong, Rust has it's place, like all the other languages that came about for various reasons, but it's not going to gain wide adoption.

    Future of programming consists of 2 languages - something like C that has a small instruction set for adopting to new hardware, and something that is very high level, higher than Python with LLM in the background. Everything in the middle is fodder.

What are some alternatives?

When comparing gvisor and firecracker you can also consider the following projects:

podman - Podman: A tool for managing OCI containers and pods.

cloud-hypervisor - A Virtual Machine Monitor for modern Cloud workloads. Features include CPU, memory and device hotplug, support for running Windows and Linux guests, device offload with vhost-user and a minimal compact footprint. Written in Rust with a strong focus on security.

wsl-vpnkit - Provides network connectivity to WSL 2 when blocked by VPN

bottlerocket - An operating system designed for hosting containers

kata-containers - Kata Containers is an open source project and community working to build a standard implementation of lightweight Virtual Machines (VMs) that feel and perform like containers, but provide the workload isolation and security advantages of VMs. https://katacontainers.io/

libkrun - A dynamic library providing Virtualization-based process isolation capabilities

sysbox - An open-source, next-generation "runc" that empowers rootless containers to run workloads such as Systemd, Docker, Kubernetes, just like VMs.

krunvm - Create microVMs from OCI images

containerd - An open and reliable container runtime

deno-deploy

KubeArmor - Runtime Security Enforcement System. Workload hardening/sandboxing and implementing least-permissive policies made easy leveraging LSMs (BPF-LSM, AppArmor).

tfjs - A WebGL accelerated JavaScript library for training and deploying ML models.

InfluxDB - Purpose built for real-time analytics at any scale.
InfluxDB Platform is powered by columnar analytics, optimized for cost-efficient storage, and built with open data standards.
www.influxdata.com
featured
SaaSHub - Software Alternatives and Reviews
SaaSHub helps you find the best software and product alternatives
www.saashub.com
featured