My VM is lighter (and safer) than your container (2017)

MicroVMs, Unikernels, and Performance

  • Discussion centers on micro‑VMs (LightVM, Firecracker) and unikernels as lighter, safer alternatives to containers with very fast cold starts (single‑digit to tens of milliseconds in some reports).
  • Boot time comparisons are tricky: some figures measure VM creation only, while others measure from creation until userland or the application is ready to serve.
  • Unikernels are described as highly specialized VMs where the app and minimal OS kernel are compiled into one image, reducing overhead and attack surface.

Security and Isolation: Containers vs VMs

  • Many argue containers provide weaker isolation: a single kernel vulnerability can let a process escape a container, whereas VMs isolate at the hardware/hypervisor level and are what clouds prefer for multi‑tenant security.
  • Some claim containers are “not a security boundary” or only an incidental one; others say they are a “pretty good” boundary for many use cases.
  • Running containers inside VMs is common for stronger isolation, though some see “VM + single container” as needless layering if you could just run the app directly in a VM/unikernel.

Rootless Containers and User Namespaces

  • Rootless containers rely on Linux user namespaces; these arrived around 2013 but were not widely used initially due to security concerns and rough edges.
  • Podman and rootless Docker are cited as ways to avoid needing a privileged daemon, though some feel Docker has been slow to make rootless the default.
  • Skeptics note rootless mode doesn’t remove the fundamental issue: all containers still share one kernel.
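A defender-side check for the point above, added here as an example and not code from the discussion: the kernel publishes each user namespace's id mapping in /proc/<pid>/uid_map, so an audit script can tell whether a container's root is really host root. The sample maps below are constructed, and `audit_pid` is a helper name chosen for this example.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class IdRange:
    """One line of /proc/<pid>/uid_map: ids inside the namespace -> ids outside it."""
    inside_start: int
    outside_start: int
    count: int

def parse_id_map(text: str) -> List[IdRange]:
    """Parse uid_map/gid_map text ("inside_start outside_start count" per line)."""
    ranges = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        if len(fields) != 3:
            raise ValueError(f"malformed id_map line: {line!r}")
        inside, outside, count = (int(f) for f in fields)
        if count <= 0:
            raise ValueError(f"non-positive range length in: {line!r}")
        ranges.append(IdRange(inside, outside, count))
    return ranges

def to_host_id(ranges: List[IdRange], inside_id: int) -> Optional[int]:
    """Translate an id as seen inside the namespace to the host's view; None if unmapped."""
    for r in ranges:
        if r.inside_start <= inside_id < r.inside_start + r.count:
            return r.outside_start + (inside_id - r.inside_start)
    return None

def is_rootless(ranges: List[IdRange]) -> bool:
    """True when uid 0 in the namespace is an unprivileged uid on the host."""
    host_root = to_host_id(ranges, 0)
    return host_root is not None and host_root != 0

def audit_pid(pid: int) -> bool:
    """Read a live process's map (Linux only) and classify it (hypothetical helper)."""
    with open(f"/proc/{pid}/uid_map") as f:
        return is_rootless(parse_id_map(f.read()))

# Constructed samples, not captured from a real host.
# Identity map: what the init namespace, and a rootful container without
# user namespaces, shows. Root inside is root on the host.
INIT_NS_MAP = "         0          0 4294967295\n"
# Typical rootless layout: uid 0 -> the user's own uid, uids 1..65536 -> a subuid range.
ROOTLESS_MAP = "         0       1000          1\n         1     100000      65536\n"
```

A rootless mapping limits what a compromised container root can touch on the host, but the process still makes syscalls to the same shared kernel, which is exactly the skeptics' point.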

Containers as Packaging and Developer UX

  • Strong consensus that containers’ main value is packaging, reproducible environments, and deployment UX, not security.
  • They solve dependency hell, enable consistent CI/CD, and are easy for developers to adopt; this ecosystem momentum is seen as a major moat.
  • VMs/unikernels could, in principle, provide the same reproducibility, but tooling for building, updating, and monitoring large fleets of lightweight VMs is less mature.

Tools, Ecosystem, and Practical Concerns

  • Mentioned projects: Firecracker, Kata Containers, gVisor, libkrun, kuasar, Firecracker‑containerd, KraftCloud/Unikraft, Fly.io.
  • Some platforms take Docker images and convert them to micro‑VMs or unikernels at deploy time, trying to combine container workflows with VM‑level isolation and performance.
  • Concerns raised about operational complexity (networking, OS updates, debugging), the difficulty of running micro‑VMs on cloud instances that are themselves VMs rather than bare metal, and rough edges in the macOS tooling.