A few years ago I invested in a small startup called `hyper.sh`. It open sourced a container runtime called `runV` which provided exactly this: the security of virtual machines plus the convenience of containers.<p>The project later merged with Intel Clear Containers to become what's now called Kata Containers (<a href="https://katacontainers.io/" rel="nofollow">https://katacontainers.io/</a>) and is now widely used by several Internet giants like Alibaba and Baidu.<p>The startup was acquired by Ant Financial a couple of years ago.<p>(I recorded a podcast with one of hyper.sh's engineers if you can listen to Mandarin: <a href="https://pan.icu/25" rel="nofollow">https://pan.icu/25</a>)
There are a few existing projects out there like this (running Docker images as virtual machines, specifically) if folks are interested. Slim [0] is the one I can remember off the top of my head. I think there are a couple more.<p>Still, neat to have the walkthrough here in this post.<p>[0] <a href="https://github.com/ottomatica/slim" rel="nofollow">https://github.com/ottomatica/slim</a>
As I understand the landscape here, the big enabling win of microVMs is faster boot time; there's a cool qemu-lite slide deck that goes into detail about how they cut down boot time:<p><a href="https://www.linux-kvm.org/images/d/d2/03x05B-Chao_Peng-Light_Weight_Virtualization_with_QEMU_KVM.pdf" rel="nofollow">https://www.linux-kvm.org/images/d/d2/03x05B-Chao_Peng-Light...</a><p>The big win was slashing away the BIOS stuff.<p>We use AWS's Firecracker to turn our customers' Docker containers into Firecracker microVMs (Firecracker is Amazon's Rust VMM, the engine for Fargate and Lambda). Anecdotally: in my dev environment, the difference between Firecracker boot times and native Docker container startup is imperceptible; the logging we do swamps the VM boot stuff. It's <i>very</i> fast.
> Can we somehow combine the advantages of the docker ecosystem with VMs?<p>Shameless plug: this is exactly what our goal is with <a href="https://kwarantine.xyz" rel="nofollow">https://kwarantine.xyz</a>. We are creating a new hypervisor (from scratch) that can run strongly isolated Docker/LXC containers.
For an even more lightweight approach to running containers in VMs see: <a href="https://github.com/containers/krunvm" rel="nofollow">https://github.com/containers/krunvm</a><p>It's powered by <a href="https://github.com/containers/libkrun" rel="nofollow">https://github.com/containers/libkrun</a>.
I had fun exploring Docker->VM conversion a while back [1], though the larger goal in my case was to be able to make the build path to custom GCP VM Images a bit simpler. Exciting to see other cases where folks are finding this sort of flow useful!<p>1: <a href="https://thekev.in/blog/2019-08-05-dockerfile-bootable-vm/index.html" rel="nofollow">https://thekev.in/blog/2019-08-05-dockerfile-bootable-vm/ind...</a>
I understand it's cool to do content marketing, but folks, proof-read your articles. Firecracker was created by AWS and the page rightly states so.
I think a lot of folks are going out of their way to misunderstand what happened. Yes, there are other similar projects and containers. No, none come from a long-established <i>COMMUNITY RUN PROJECT</i>. This is something akin to the difference between VirtualBox and OpenBSD's vmd. One's a product with a "free" tier, the other is a community project.
Why not run containers in VMs in containers in VMs? :)<p>Seriously, VMs are hardly as secure as many people want to believe unless you're utilizing enclaves, and even those have vulnerabilities. I think a better approach is seccomp and whatever other filtering makes sense.