by dilyevsky 1052 days ago
Firecracker is hardware-based virtualization. gVisor is not virtualization at all but more like advanced sandboxing - it intercepts syscalls and proxies them on the processes' behalf. That means gVisor is slower on I/O (which this new feature is trying to solve) but it also means it’s easier to implement and operate and you can run it in more environments (for example in VMs where nested virtualization is not supported).

What are the reasons these days to not enable nested virtualization? I know AWS doesn’t.
Afaik their hardware just didn't support it, not sure why it’s still not supported in this day and age.

Performance used to be a problem with nested virt, but afaik both hw and software have caught up.
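A practical follow-up to the question above about where nested virtualization is available: the check below is an added example written for this thread, not something any commenter posted. On a Linux KVM host, nested virtualization is a module parameter (`/sys/module/kvm_intel/parameters/nested` or `/sys/module/kvm_amd/parameters/nested`, printed as `Y`/`N` or `1`/`0` depending on kernel version); inside a guest, the hypervisor exposing nested virt shows up as the `vmx` or `svm` flag in `/proc/cpuinfo`. Both functions take a file path as a parameter so they can be pointed at a constructed file for testing; the file paths and function names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the discussion above.
# Two checks for whether nested virtualization is available, usable on a
# KVM host (module parameter) or inside a guest (CPU flags).

# nested_status PATH
#   Reads a kvm_intel/kvm_amd "nested" parameter file and prints
#   "enabled", "disabled" or "unknown". Newer kernels print Y/N for
#   kvm_intel, older ones and kvm_amd print 1/0, so both are handled.
nested_status() {
    path="$1"
    if [ ! -r "$path" ]; then
        echo unknown
        return 0
    fi
    val=$(cat "$path")
    case "$val" in
        1|Y|y) echo enabled ;;
        0|N|n) echo disabled ;;
        *)     echo unknown ;;
    esac
}

# cpu_has_virt_flag CPUINFO_PATH
#   Prints "vmx", "svm" or "none" depending on which hardware-virtualization
#   flag appears in a /proc/cpuinfo-style file. Inside a VM, seeing neither
#   flag means the hypervisor is not exposing nested virtualization, which is
#   exactly the environment where a ptrace/KVM-free sandbox such as gVisor
#   still runs but a hardware-virtualized microVM such as Firecracker cannot.
cpu_has_virt_flag() {
    path="$1"
    if [ ! -r "$path" ]; then
        echo none
        return 0
    fi
    if grep -qE '^flags.*(^| )vmx( |$)' "$path"; then
        echo vmx
    elif grep -qE '^flags.*(^| )svm( |$)' "$path"; then
        echo svm
    else
        echo none
    fi
}

# detect_host_nested
#   Convenience wrapper for the local machine: tries the Intel and AMD
#   parameter files in turn and reports the first one that exists.
detect_host_nested() {
    for p in /sys/module/kvm_intel/parameters/nested \
             /sys/module/kvm_amd/parameters/nested; do
        s=$(nested_status "$p")
        if [ "$s" != unknown ]; then
            echo "$p: $s"
            return 0
        fi
    done
    echo "no kvm_intel/kvm_amd nested parameter found: unknown"
}

# Usage on a real machine (output depends on the host):
#   detect_host_nested
#   cpu_has_virt_flag /proc/cpuinfo
```

Run `detect_host_nested` on a bare-metal KVM host to see whether guests will be able to load KVM themselves, and `cpu_has_virt_flag /proc/cpuinfo` inside a cloud VM to see whether the provider exposes VMX/SVM at all; a result of `none` in the guest is the situation the comment above describes, where gVisor-style syscall interception works but a Firecracker microVM has nothing to run on.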