This project is a secure container runtime that provides strong isolation for application workloads by implementing a userspace kernel. By intercepting system calls and executing them within a memory-safe, restricted environment, it minimizes the attack surface exposed to the host kernel. It functions as a drop-in engine for standard container orchestration platforms, ensuring compatibility with industry-standard runtime specifications while maintaining a hardened execution boundary.
The runtime distinguishes itself through its ability to virtualize core system resources, including an independent userspace network stack and proxy-based filesystem access. These mechanisms ensure that containerized applications remain isolated from the host, even when requiring access to specialized hardware like GPUs, which are handled through secure passthrough proxies. Additionally, the runtime supports state serialization, allowing for the checkpointing and restoration of running container states to facilitate migration and persistence across different host environments.
Beyond its core isolation capabilities, the project provides a comprehensive suite of tools for managing container lifecycles, resource accounting, and observability. It includes features for filesystem virtualization, such as writable overlays and read-only image support, alongside telemetry interfaces for monitoring performance and security events. The runtime is designed to operate across diverse Linux environments, including bare-metal and virtual machines, without requiring specialized virtualization hardware.
The project is distributed as an open-source runtime that integrates directly into existing container management workflows.
