Your Container Is Not a Sandbox
SMRTR summary
Containers share the host kernel, which makes them a resource-control tool rather than a true security boundary, a point proven by eight container-escape CVEs in just 18 months. MicroVMs, booting in ~125 ms with under 5 MiB of overhead, solve this with hardware-level isolation. The rust-vmm ecosystem of shared Rust crates quietly matured across AWS, Intel, Google, and Microsoft, and agentic AI's demand for safe code execution is now pulling it all into the spotlight.
SMRTR provides this summary for quick context. The original article belongs to lobste.rs.