30 open-source projects similar to cloud-hypervisor/cloud-hypervisor, ranked by how many features they have in common. Compare stars, activity and what each one does to find the best Cloud Hypervisor alternative.
seL4 is a formally verified microkernel whose C implementation is backed by machine-checked mathematical proofs of correctness, confidentiality, integrity, and availability. It enforces strict isolation between processes through hardware-enforced address space separation and a capability-based access control system, where each process holds explicit rights only to the resources it has been granted. The kernel exposes hardware resources through a minimal API of system calls that manage threads, address spaces, and inter-process communication, with synchronous IPC supporting sender-identifying b
microvm.nix is a declarative virtual machine manager and orchestrator for defining, building, and managing isolated guest environments using Nix. It functions as a virtual machine image builder that transforms system specifications into bootable disk images and runner scripts. The project provides a hypervisor abstraction layer, enabling the deployment of guest images across multiple virtualization backends through a unified configuration. It includes specialized tools for PCI hardware passthrough, granting virtual machines direct access to physical host USB and PCI devices. The framework co
Waydroid is a containerized mobile runtime that executes a full Android operating system directly on Linux desktop environments. By utilizing Linux kernel namespaces, it isolates the mobile environment while sharing the host kernel to provide native-like performance and hardware access for mobile applications. The project distinguishes itself through deep integration with the host system, bridging mobile display buffers to native desktop windows and translating host input events into mobile gestures. It enables multi-window management, allowing mobile applications to run alongside native desk
Lima is a virtualization engine designed to provision and manage lightweight Linux, macOS, and FreeBSD virtual machines. It functions as a comprehensive virtual machine manager that leverages native hypervisors and system emulation to provide isolated environments for container development, cross-architecture testing, and secure sandboxing. The project distinguishes itself through its template-driven provisioning system, which allows users to define and automate environment configurations via local files or remote URL schemes. It integrates deeply with host systems by providing automated file
Harvester is a hyperconverged infrastructure software platform that combines compute, storage, and networking into a single system for managing virtualized environments on bare metal servers. It functions as a virtualization management platform and KVM hypervisor manager, providing a centralized interface to orchestrate the full lifecycle of virtual machines. The project distinguishes itself by integrating Longhorn distributed block storage to provide redundant, software-defined storage and a bare metal provisioning tool for automated deployment. This allows for the orchestration of infrastru
KubeVirt is a Kubernetes virtualization platform and cloud-native hypervisor manager. It provides a runtime environment that allows virtual machines to be defined, launched, and managed as declarative resources within a Kubernetes cluster, enabling them to run alongside containers on the same nodes. The system enables the hybridization of cloud infrastructure by combining traditional virtual machines with containerized workloads on a single shared platform. It supports the live migration of running virtual machines between physical hosts to facilitate cluster maintenance and load balancing.
VirtualBuddy is a graphical user interface and manager for creating and running macOS virtual machines on Apple Silicon. It serves as an interface for the native Apple Virtualization Framework, allowing users to provision and boot guest operating systems on ARM-based hardware. The tool provides a dedicated environment for managing virtual machine administration and software compatibility testing across different macOS versions. It enables the execution of guests via local files, remote URLs, or image catalogs, and supports booting into recovery mode for system repairs. The system covers hard
Vagrant is a virtual machine environment manager and infrastructure as code tool used to create and configure consistent development environments. It acts as a virtual machine provisioner and hypervisor abstraction layer, allowing users to define machine specifications and automate software installation on guest systems via declarative configuration files. The project enables cross-hypervisor orchestration by decoupling the command interface from specific virtualization backends. It ensures environment consistency through the distribution of pre-configured machine images and the orchestration
Firecracker is a virtual machine monitor that leverages hardware-assisted virtualization to create and manage isolated execution environments. It functions as a lightweight runtime designed to launch virtual machines with minimal memory overhead and near-instantaneous startup times, providing the security of traditional hardware virtualization with the efficiency of containerized workloads. The project distinguishes itself through a security-focused architecture that enforces strict process boundaries using system-level barriers and restricted user privileges. It minimizes the attack surface
x11docker is an OCI container GUI orchestrator and hardware bridge designed to execute graphical applications and full desktop environments inside containers. It functions as a Linux GUI sandbox, linking containerized processes to host X11 or Wayland display servers and audio systems. The project differentiates itself by providing deep system integration for hardware acceleration, including NVIDIA driver automation and GPU passthrough. It supports cross-architecture GUI emulation and provides remote access capabilities through VNC, SSH forwarding, and browser-based HTML5 rendering. The tool
Kata Containers is an OCI container runtime that launches containers inside lightweight virtual machines to combine hardware-level isolation with container operational speed. It functions as a hardware-isolated container engine and lightweight VM hypervisor, providing a virtual machine monitor interface that abstracts multiple hypervisors to optimize for performance or specific hardware emulation. The project distinguishes itself through a confidential computing runtime that leverages hardware-backed trusted execution environments, such as Intel TDX and AMD SEV-SNP, to protect data in use. It
xhyve is a macOS virtual machine manager and virtualization tool that leverages the native hypervisor framework to run guest operating systems in userspace. It provides a virtualization layer for executing guest systems with hardware acceleration. The project features a hardware pass-through hypervisor that maps physical host devices directly to guest virtual machines to increase performance. It includes a remote framebuffer server and VNC access to enable interaction with the guest display and input devices from external devices. The tool covers virtual hardware emulation for storage, netwo
Tart is an Apple Silicon virtualization manager used to build and run macOS and Linux virtual machines using native hardware virtualization frameworks. It functions as a virtual machine cluster orchestrator and an ephemeral runner for executing continuous integration pipeline steps within isolated, short-lived environments. The system utilizes an OCI-compatible virtual machine registry to push and pull images via standardized container registries. It features a controller-worker architecture that schedules virtual machine lifecycles across remote worker nodes, incorporating a secure SSH jump
LXD is a unified platform for managing both system containers and virtual machines through a single REST API and command-line interface. It provides a programmatic HTTP interface for controlling the full lifecycle of instances, enabling automation and integration with external tools. The system runs unprivileged containers with per-instance UID/GID mappings, seccomp filters, and AppArmor profiles for kernel-level isolation, while supporting multiple storage backends including directory, Btrfs, LVM, ZFS, Ceph, LINSTOR, and TrueNAS through a unified driver interface. The platform distinguishes
Foreman is a lifecycle infrastructure management platform used for automating the provisioning, configuration, and monitoring of physical, virtual, and cloud servers. It serves as a central hub for managing the entire lifespan of a server, from initial deployment and operating system upgrades to decommissioning and auditing. The platform functions as a hybrid cloud manager and bare-metal provisioning tool, providing a unified interface to control virtual machine lifecycles across diverse hypervisors and public cloud providers. It automates hardware discovery and operating system deployment us
Quickemu is a command-line utility designed to automate the deployment and management of virtual machine instances. It functions as an automated provisioner that handles the acquisition of operating system images and the generation of optimized configuration files, allowing users to launch virtualized environments with minimal manual setup. The tool leverages hardware-accelerated emulation to execute virtual machines, mapping host-native resources directly to the guest environment to maintain performance. It utilizes shell-scripted orchestration to manage the lifecycle of these instances, sto
Cuckoo is an open-source automated malware analysis system that executes suspicious files inside isolated virtual machines and produces structured behavioral reports. The platform captures system calls, file operations, and network activity during execution, compiling them into comprehensive analysis documents for programmatic consumption. The system operates through a modular analysis pipeline that processes behavioral data, applying YARA signature patterns against captured artifacts to identify known malware families. Each analysis run starts from a clean virtual machine snapshot to ensure
Talos is a minimal, immutable Linux distribution designed specifically for deploying and managing Kubernetes clusters. It functions as an API-driven infrastructure manager that replaces traditional shell access with a declarative gRPC interface to control operating system state and configuration. The system is distinguished by its use of a read-only root filesystem and a security-hardened kernel, which removes standard GNU utilities to reduce the attack surface. It ensures environment consistency by distributing the operating system as versioned, signed images and utilizes TPM-backed verified
WinApps is a utility designed to run Windows applications within a virtualized environment while integrating them directly into a Linux desktop. By utilizing remote desktop protocols to stream graphical interfaces, the software allows virtualized programs to appear and behave as if they were installed natively on the host operating system. The project distinguishes itself by automating the discovery and configuration of these applications. It scans the guest registry to identify installed software and automatically generates desktop entries and shortcuts, enabling users to launch Windows prog
This project provides a containerized environment for running a full macOS desktop operating system. It utilizes a hardware-accelerated virtualization engine to execute the guest environment, allowing for the deployment and management of virtual machines through standard container orchestration tools. The platform distinguishes itself by enabling direct hardware passthrough, which maps physical host disks, partitions, and USB controllers directly into the virtual machine for native driver access. It also supports advanced network integration, allowing the guest system to obtain its own unique
This project is an OCI-compatible container runtime that executes workloads within lightweight virtual machines. By leveraging hardware-based virtualization, it provides strong security isolation between containerized processes and the host operating system, serving as a drop-in replacement for traditional container execution environments. The runtime distinguishes itself through a hypervisor-agnostic architecture that abstracts underlying virtualization operations, allowing for consistent container lifecycle management across different backends. It integrates directly with standard container
Microsandbox is a runtime for creating and managing lightweight, hardware-isolated virtual machines — called sandboxes — that boot directly from standard OCI container images. Each sandbox runs as its own host process with a separate kernel, filesystem, and network stack, providing process-per-sandbox isolation. The project includes a command-line tool and multi-language SDKs (Rust, TypeScript, Python, Go) for programmatic lifecycle control, and it communicates with sandbox agents over Unix sockets using a CBOR-encoded protocol. What distinguishes Microsandbox is its combination of host-manag
microsandbox is a platform that runs untrusted code inside hardware-isolated microVMs, each with its own kernel, filesystem, and network stack. It boots directly from standard OCI container images, supports copy-on-write filesystem layers, and integrates with AI agents to execute tool calls and generated code in isolated environments with secret protection. What sets microsandbox apart is its host-side network proxy that enforces firewall rules, intercepts DNS, inspects TLS traffic, and injects secrets at the network boundary without exposing them inside the VM. It provides SSH access to micr
Docker-OSX is a containerized virtualization platform that enables the execution of full operating systems within isolated environments. By leveraging hardware-accelerated hypervisors and machine emulation, the project allows guest operating systems to run with near-native performance, effectively mimicking dedicated physical hardware within a container. The platform distinguishes itself by providing a complete infrastructure for remote desktop and headless management, allowing users to interact with virtualized graphical environments over network protocols. It supports advanced hardware inte
PureDarwin is a macOS application that serves as a unified virtual machine manager for running Darwin-based operating systems. It wraps QEMU system emulator processes with a native macOS interface built using Apple's SwiftUI framework, allowing users to launch and manage multiple virtual machines from a single application window. The application is configuration-driven, starting virtual machines from user-defined JSON or plist files that specify disk images and hardware parameters. Each virtual machine runs as a separate QEMU child process with independent memory and CPU allocation, and multi
Incus is a unified orchestration platform for managing system containers, OCI application containers, and virtual machines through a single control plane. It brings together cluster infrastructure management, secure multi-tenancy, software-defined networking, and pluggable storage backend orchestration into one cohesive system exposed via a full REST API and command-line interface. What distinguishes Incus is its ability to run multiple instance types side by side—full Linux system containers, OCI application containers, and QEMU virtual machines—all managed with consistent tooling. Networkin
Hyperlight is an embedded virtual machine manager designed to execute guest binaries within hardware-isolated code sandboxes. It utilizes a KVM micro-VM manager to run untrusted third-party code, enforcing strict memory boundaries to prevent unauthorized host access. The project features a guest-host function bridge that facilitates bidirectional communication and a state snapshot tool for saving and restoring the memory state of a sandbox to reduce startup latency. The system includes a toolchain for guest binary cross-compilation and mechanisms for managing resource constraints, such as fi
Tools to set up a quick macOS VM in QEMU, accelerated by KVM.
rkt is a pod-native container engine and runtime for Linux that executes containerized applications as isolated pods. It serves as an OCI container runtime and a Linux container manager, supporting the execution of images based on Open Container Initiative, appc, and Docker specifications. The project distinguishes itself by offering hardware-level container isolation, allowing pods to run within virtual machines using KVM or QEMU for a dedicated kernel. It further separates itself through secure container deployment practices, utilizing SELinux mandatory access control and TPM-backed integri