GitHub Repository

microVM orchestrators to boot from docker images, packed with L7 reverse proxy

31 stars · Go

Docker Alternative for Secure Microvms

by sankalpnarula·Apr 3, 2026·4 points·2 comments

AI Analysis

●● Solid · Ship It · Solve My Problem

Firecracker microVMs with Docker CLI UX, though Kata Containers already solves container isolation.

Strengths
  • OCI image translation removes manual disk image creation for Firecracker instances.
  • Automated IPAM and NAT routing simplifies microVM networking compared to raw TAP.
  • Host daemon manages jailer isolation automatically without per-VM configuration files.
Weaknesses
  • Requires root access and KVM, limiting local development on restricted corporate machines.
  • Wake-on-request proxy is marked WIP, reducing immediate value for serverless-like workflows.
Target Audience

DevOps engineers, security-conscious developers, backend infrastructure teams

Similar To

Kata Containers · gVisor · KubeVirt

Post Description

https://github.com/herd-core/herd

Lately, I have been trying to understand the security aspect of Docker containers, and what I have realized is that all Docker containers share the host's kernel. Any zero-day vulnerability in the kernel can be used to gain access to the host OS.

In order to deal with this, I did some research; it turns out Amazon has open-sourced the core technology behind their serverless technology, Lambda. But in its current state it's very hard to set up, let alone run anything securely. This technology is called Firecracker microVMs.

It started off as a Go library for creating process pools to just do a simple Firecracker spawn, and turned into a full-fledged host-side daemon.

Deploying a microVM through an image is now as simple as running

`herd deploy --image postgres:latest -p 5432:5432 -e POSTGRES_PASSWORD=postgres`

with boot times of ~500ms.

That brings us to today. I am looking for people to test this out and provide some feedback; I have been warned/cautioned by a lot of friends that building in isolation is a recipe for disaster.

PS: it only works on Linux; macOS doesn't have the required isolation, and I stopped caring about winslop.

Similar Projects

Security · ●●● Banger

BunkerVM – Secure runtime for AI agents using microVM sandboxes

Firecracker microVM sandbox for agents in 5 seconds, Claude Desktop ready.

Solve My Problem · Wizardry · Ship It
ashishch111 · 21 points · 2mo ago
AI/ML · ●●● Banger

NervOS – Sandbox for AI Agents Using Firecracker MicroVMs

Hardware-isolated VM sandbox for Claude, 2-second boot, no Docker complexity.

Zero to One · Wizardry · Solve My Problem
ashishch111 · 10 points · 2mo ago
Infrastructure · ●● Solid

Secure-by-default Ollama Docker image with built-in auth, only ~70MB

Auto-generates API keys to block the 175k exposed Ollama instances.

Solve My Problem · Cozy
hwdsl2 · 20 points · 1mo ago
Infrastructure · ●● Solid

Secure-by-default Ollama Docker image with built-in auth, only 70MB

Auto-generated tokens block the 175k exposed Ollama servers found online.

Solve My Problem · Ship It
hwdsl2 · 10 points · 1mo ago