[riyakhanna1983]

Thanks! gVisor intercepts app syscalls and serve them in user space (inside separate VMs, one for each container), which reduces runtime performance significantly. Both Firecracker and gVisor use VMs to sandbox container code.

Kwarantine, on the other hand, directly runs container code on the hardware (no VMs). It uses MMU/page tables to provide a different kernel to each container.

[bem]

Makes sense. Why do you think Google and Amazon didn't pursue that approach for services like Cloud Functions and Lambda? Is there a trade-off or is it a matter of complexity?

[ashishbijlani]

I believe they are constantly working on optimizing their infrastructure, and we will see improved versions of gVisor and Firecracker soon.