by eptcyka 824 days ago
With WASM, you get better isolation than a regular virtual machine, you can be more granular with scheduling and the attack surface is far smaller than a regular VM. When compared to namespace containers, you don’t need to rely on the kernel attack surface being tight for security. And you get to intercept all syscalls a la gVisor with less complexity. The downside is interaction with specialty hardware and performance.
3 comments

Why WASM and not gVisor, which runs any program compiled to your architecture with similar isolation from the host kernel?
> With WASM, you get better isolation than a regular virtual machine, you can be more granular with scheduling

Why is this so?

This doesn’t answer my question. A container is not a VM.
A container can be a VM; this provides a container with similar isolation characteristics to a VM with less complexity on the orchestrator/runc side of things.