Hacker News: sys_call

NUMA: Cores, memory, and the distance between them

sys_call — Wed, 24 Jun 2026 16:10:08 +0000

Article URL: https://edera.dev/stories/numa-part-1-cores-memory-and-the-distance-between-them

Comments URL: https://news.ycombinator.com/item?id=48662018

Points: 117

# Comments: 25

Rendering OCI Images in Rust: Introducing Ocirender

sys_call — Wed, 25 Mar 2026 18:50:31 +0000

Article URL: https://edera.dev/stories/rendering-oci-images-the-right-way-introducing-ocirender

Comments URL: https://news.ycombinator.com/item?id=47521569

Points: 5

# Comments: 0

New comment by sys_call in "Building a Linux Container Runtime from Scratch"

sys_call — Thu, 27 Mar 2025 20:19:31 +0000

We run unmodified containers in a VM guest environment, so you get the developer ergonomics of containers with the security and hardware controls of a VMM.

New comment by sys_call in "Building a Linux Container Runtime from Scratch"

sys_call — Thu, 27 Mar 2025 20:18:28 +0000

Yes, precisely. This also provides container operators with the benefits of a hypervisor, like memory ballooning, and dynamically allocating CPU and memory to workloads, improving resource utilization and the current node overprovisioning patterns.

New comment by sys_call in "Building a Linux Container Runtime from Scratch"

sys_call — Thu, 27 Mar 2025 14:43:33 +0000

A zone is jargon for a virtual machine guest environment (an homage to Solaris Zones). Styrolite and Edera runs containers inside virtual machine guests for improved isolation and resource management.

New comment by sys_call in "Building a Linux Container Runtime from Scratch"

sys_call — Thu, 27 Mar 2025 14:40:21 +0000

gVisor runs a userspace kernel that proxies syscalls to a shared host kernel. Running an "application kernel" in userspace impacts performance because it goes through two schedulers. Virtual machine isolation is more restrictive because it doesn't share any kernel state with other containers. We have a whitepaper that compares the performance of gVisor and Stylorite/Edera if you want to see the differences http://arxiv.org/abs/2501.04580

New comment by sys_call in "Building a Linux Container Runtime from Scratch"

sys_call — Thu, 27 Mar 2025 14:34:39 +0000

gVisor emulates a kernel in userspace, providing some isolation but still relying on a shared host kernel. The recent Nvidia GPU container toolkit vulnerability was able to privilege escalate and container escape to the host because of a shared inode.

Styrolite runs containers in a fully isolated virtual machine guest with its own, non-shared kernel, isolated from the host kernel. Styrolite doesn't run a userspace kernel that traps syscalls; it runs a type 1 hypervisor for better performance and security. You can read more in our whitepaper: http://arxiv.org/abs/2501.04580

New comment by sys_call in "Building a Linux Container Runtime from Scratch"

sys_call — Thu, 27 Mar 2025 14:30:12 +0000

Non-root containers still operate under a shared kernel. Non-root containers that run under a vulnerable kernel can lead to privilege escalation and container escapes.

Styrolite is a container runtime engine that runs containers in a virtual machine guest environment with no shared kernel state. It uses a type 1 hypervisor to fully isolate a running container from the node and other containers. It's similar to Firecracker or Kata containers, but doesn't require bare metal instances (runs on standard EC2, etc) and utilizes paravirtualization.

New comment by sys_call in "New Relic to open-source Pixie’s eBPF observability platform"

sys_call — Thu, 10 Dec 2020 19:01:01 +0000

Also https://ebpf.io/