Hacker News new | past | comments | ask | show | jobs | submit login

gVisor is also pretty neat, they say KVM support is experiemental though: https://github.com/google/gvisor

gVisor is used behind Go 1.11 on App Engine so Google must be fairly confident that it's a sufficient security boundary though I'm fairly sure they don't use the public KVM isolation so YMMV.

gVisor is a kernel implemented in userspace. The one downside of gVisor is that not all syscalls are implemented and they're relying on the community to implement them. This is what was holding me back from adopting it for a project.

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact