30 open-source projects similar to firecracker-microvm/firecracker, ranked by how many features they have in common. Compare stars, activity and what each one does to find the best Firecracker alternative.
UTM is a comprehensive virtualization suite that provides a unified interface for running guest operating systems on host hardware. It functions as a cross-platform system emulator and hypervisor, coordinating both hardware-accelerated virtualization and software-based instruction emulation to execute diverse operating systems. By leveraging native kernel-level virtualization frameworks, the software achieves near-native performance while maintaining strict security through sandboxed process isolation. The project distinguishes itself by enabling full-featured desktop operating systems to run
Kata Containers is an OCI container runtime that launches containers inside lightweight virtual machines to combine hardware-level isolation with container operational speed. It functions as a hardware-isolated container engine and lightweight VM hypervisor, providing a virtual machine monitor interface that abstracts multiple hypervisors to optimize for performance or specific hardware emulation. The project distinguishes itself through a confidential computing runtime that leverages hardware-backed trusted execution environments, such as Intel TDX and AMD SEV-SNP, to protect data in use. It
OSV is a unikernel operating system and cloud-native execution environment designed to run as a secure microVM on hypervisors such as KVM, Firecracker, Xen, and VMware. It functions as a Linux binary compatible runtime, allowing unmodified Linux binaries to be executed as secure microVMs without requiring recompilation. The project distinguishes itself through its ability to package applications into minimal bootable images and its provision of a virtual machine management API. This REST interface enables remote monitoring of system health, management of execution traces, and control over guest
Cloud Hypervisor is a Rust-based hypervisor and KVM virtual machine monitor designed to execute 64-bit guest operating systems. It functions as a user-space virtual machine manager that employs a minimal emulation layer to reduce memory overhead and latency for cloud workloads. The project distinguishes itself through the use of a memory-safe language to implement a virtio device emulator and a user-space device model. It provides a standardized web API for managing virtual machine lifecycles and resource configurations. The platform covers broad virtualization capabilities, including the em
Vagga is a containerization tool without daemons
WSL is a compatibility layer and virtualization platform that enables the execution of native Linux binaries directly on a host operating system. By utilizing a lightweight virtual machine and direct kernel system call mapping, it provides a high-performance environment that bridges Linux-based command line utilities with host-native tools. This architecture allows for full system call compatibility while maintaining minimal resource overhead. The platform distinguishes itself through deep integration with the host environment, allowing users to run isolated Linux distributions alongside stan
This project provides a containerized virtualization engine that runs full Windows operating system instances within isolated containers. By acting as a cross-platform virtualization runtime, it enables the deployment of desktop environments on any host that supports standard container runtimes, ensuring consistent execution across diverse infrastructure. The system distinguishes itself by utilizing kernel-level virtualization primitives and hardware emulation to execute guest operating systems. It leverages accelerated kernel execution to offload CPU instructions to the host processor for pe
Streisand is an orchestration system for deploying multi-protocol tunneling services and traffic obfuscation tools designed to circumvent regional network restrictions. It functions as a deployment utility and manager for various VPN and proxy services on remote cloud servers. The system distinguishes itself through a network obfuscation toolkit that wraps traffic in layers to evade deep packet inspection and bandwidth throttling. It automates the setup of multiple protocols, including WireGuard, OpenVPN, Shadowsocks, OpenConnect, OpenSSH, and Tor bridges. The project also includes utilities
This project is a secure container runtime that provides strong isolation for application workloads by implementing a userspace kernel. By intercepting system calls and executing them within a memory-safe, restricted environment, it minimizes the attack surface exposed to the host kernel. It functions as a drop-in engine for standard container orchestration platforms, ensuring compatibility with industry-standard runtime specifications while maintaining a hardened execution boundary. The runtime distinguishes itself through its ability to virtualize core system resources, including an indepen
Organizr is a self-hosted service dashboard that aggregates links to all of your self-hosted applications into a single landing page for quick access. It functions as a unified tab manager, loading multiple services as individual tabs within one webpage to consolidate browser tabs and reduce clutter. The project provides role-based access control, restricting dashboard visibility and service links based on user authentication and permissions. It includes an external authentication gateway that validates credentials through Plex, Emby, LDAP, or sFTP, and a user management backend for creating,
Pi-hole is a self-hosted network utility that functions as a DNS sinkhole server to provide network-wide ad blocking. By acting as a dedicated network gateway, it intercepts and discards requests for known advertising, tracking, and malicious domains across an entire local network, preventing unwanted content from loading on any connected device. The software operates through a lightweight background daemon that handles high volumes of concurrent DNS queries with minimal resource overhead. It utilizes a host-file injection mechanism to redirect traffic toward its local filtering engine and ap
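A lightweight, cross-platform Mini Kubernetes AI Dashboard that supports large language models, agents, and MCP (with configurable operation permissions). It integrates multi-cluster management, intelligent analysis, real-time anomaly detection, and other features, supports multiple architectures, and can be deployed as a single file, helping with efficient cluster management and operations optimization.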
Microsandbox is a runtime for creating and managing lightweight, hardware-isolated virtual machines — called sandboxes — that boot directly from standard OCI container images. Each sandbox runs as its own host process with a separate kernel, filesystem, and network stack, providing process-per-sandbox isolation. The project includes a command-line tool and multi-language SDKs (Rust, TypeScript, Python, Go) for programmatic lifecycle control, and it communicates with sandbox agents over Unix sockets using a CBOR-encoded protocol. What distinguishes Microsandbox is its combination of host-manag
Youki is a low-level container runtime written in Rust that creates and manages isolated containers according to Open Container Initiative specifications. It serves as an execution engine that can function as a rootless container manager or a pluggable Kubernetes CRI runtime to manage pods and containers within a cluster. The project distinguishes itself by providing a Wasm container runtime capable of executing WebAssembly modules as isolated workloads compatible with standard orchestration tools. It further supports a rootless execution model, allowing isolated environments to start as non-
Security Monkey is a cloud security posture management tool and configuration auditor. It functions as a monitoring platform that tracks cloud assets and records state changes to identify when security policies are altered or insecure configurations are introduced. The system maintains a multi-cloud asset inventory, tracking resources across AWS, GCP, OpenStack, and GitHub organizations. It provides a centralized interface for searching and browsing assets across multiple cloud providers and regions. The platform covers cloud security auditing and infrastructure change tracking by comparing
SerenityOS is a complete, self-hosted desktop operating system built from the kernel up. It features a monolithic kernel architecture that manages system services, hardware drivers, and networking within a single address space. The system provides a full computing environment, including a proprietary windowing system and a suite of native desktop applications, all while maintaining a POSIX-compliant interface for standard system programming. The project is distinguished by its integrated development workflow, which relies on a cross-compilation build pipeline to generate system images from ho
Airflow is a platform for programmatically authoring, scheduling, and monitoring complex data pipelines. It functions as a workflow automation engine that manages the lifecycle of recurring business processes by executing code-defined task dependencies. By representing workflows as directed acyclic graphs, the system ensures that task execution order and data flow are explicitly defined and reliably maintained across distributed computing environments. The platform distinguishes itself through a highly modular, provider-based architecture that decouples core orchestration logic from external
This project is a Linux kernel designed for Windows Linux integration, providing the underlying operating system kernel required to execute binary files and applications within the Windows Subsystem for Linux. It utilizes hypervisor-based virtualization to run a full kernel within a lightweight utility virtual machine managed by a Windows host. The repository enables the customization and compilation of the kernel from source. This allows for the modification of system behavior, the addition of specific drivers, and the tailoring of hardware compatibility for virtualized environments. The sy
OpenSandbox is a secure execution environment and runtime designed for running untrusted code and scripts generated by AI agents. It utilizes a containerized code execution engine and microVM-based isolation to protect host systems from malicious actions while providing isolated virtual environments. The project features a sandbox server based on the Model Context Protocol to automate the creation and control of virtual workspaces. It supports the deployment of secure remote desktop hosts, including headless web browsers and editor instances, for automated interaction. The system includes an
Colima is a command-line utility that provides lightweight container runtimes and local Kubernetes orchestration by managing isolated virtual machine environments. It functions as a virtualization manager that abstracts the underlying container engine, allowing users to run containerized applications and system workloads on non-native operating systems without the overhead of heavy desktop software. The project distinguishes itself through its support for hardware-accelerated workloads, enabling direct GPU passthrough to virtual machines for high-performance machine learning tasks. It offers
WSABuilds is a management framework designed to deploy and customize virtualized mobile runtime environments on desktop operating systems. It provides a comprehensive suite of tools for building, installing, and maintaining these environments, enabling the native execution of mobile applications alongside standard desktop software. The project distinguishes itself through its focus on deep system integration and lifecycle management. It allows users to generate tailored virtual environment packages by injecting administrative tools, service components, and specific configurations prior to dep
virt-manager is a graphical management interface for configuring hypervisors, virtual machine instances, and containers via the libvirt API. It provides a desktop environment for managing KVM-based virtualization on Linux hosts, acting as a centralized controller for both local and remote hypervisors. The project distinguishes itself through integrated management of the surrounding virtualization infrastructure. It includes dedicated interfaces for virtual network administration to connect guests to physical hardware and virtual storage management for organizing disk volumes into logical pool
Remotely is a remote desktop management suite and multi-tenant device orchestrator designed for organizing users and machines into isolated organizations. It serves as a centralized system for controlling remote screens, executing scripts on distant machines, and managing remote support ticketing. The platform distinguishes itself through a dedicated remote session archiver that records and saves desktop control sessions to a central server for auditing and security reviews. It also includes a public-facing support portal where end users submit requests that trigger notifications on an admini
Storm is a distributed stream processing framework designed to execute unbounded computations across a cluster to process real-time data streams. It functions as a data pipeline orchestrator that allows users to define and deploy declarative data flow graphs connecting streaming sources to processing components. The system operates as a multi-tenant distributed compute engine that isolates workloads and limits resource usage across shared clusters using dedicated pools and access control. It is also a secure distributed processing engine that employs encrypted node communication and SSL-secur
HAMi is a hardware orchestration and virtualization system designed to manage accelerators within Kubernetes. It functions as a device plugin that partitions physical hardware into isolated virtual slices, enabling multiple containers to share a single device through enforced memory limits and compute quotas. The project provides a virtualization manager and a heterogeneous compute scheduler that distributes tasks across diverse accelerator types. It uses packing and topology policies to optimize workload placement and allows for specific hardware targeting using unique device identifiers. T
vcluster is a Kubernetes virtual cluster platform that creates fully isolated Kubernetes environments with dedicated control planes, API servers, and RBAC on shared physical infrastructure. It virtualizes Kubernetes control planes by running them as pods inside a host cluster, as standalone binaries on bare metal or virtual machines, or within Docker containers, providing each tenant their own isolated Kubernetes environment without the overhead of managing separate physical clusters. The platform enables multi-tenant Kubernetes isolation through multiple tenancy models, from shared node pool
ClearML is a comprehensive MLOps platform designed to manage the entire machine learning lifecycle. It functions as an experiment tracking tool, a data versioning system, and a pipeline orchestrator, while providing infrastructure for GPU cluster management and model serving. The platform is distinguished by its ability to handle hybrid-cloud compute scheduling and fractional GPU allocation, allowing multiple workloads to share a single hardware accelerator. It employs a metadata-based approach to data versioning, using virtual views to track large datasets and artifacts without duplicating r
Meshery is a service mesh management plane and cloud native infrastructure orchestrator. It provides a visual design-as-code environment for modeling microservices and infrastructure components through declarative blueprints, functioning as a centralized platform for designing, deploying, and managing service mesh infrastructure. The platform is distinguished by its ability to translate visual designs into active deployments and its use of gRPC-based adapters to integrate with diverse infrastructure providers. It features a multi-tenant architecture that manages shared workspaces and role-bas