Container Plumbing Days 2025

Traditional container runtimes rely on OS-level isolation using namespaces and cgroups. While efficient, this approach can fall short in multi-tenant environments where stronger workload isolation is essential. To mitigate these risks, containers execute within sandboxes, often in the form of VMs. However, this approach typically involves extra components to manage the container lifecycle within the VM, adding complexity and increasing resource usage.

What if we could have the best of both worlds, strong isolation and low overhead? The key lies in specialization! Unikernels and
stripped-down Linux VMs, tailored for a single application, offer VM-grade isolation with small resource usage and fast boot times.

This talk introduces urunc, a novel container runtime that makes this approach practical. Urunc reverses the traditional model: instead of running containers inside VMs, it runs lightweight VMs, as containers. CRI-compatible, urunc integrates seamlessly with Kubernetes, enabling the orchestration of such VMs just like regular containers. The talk covers the design and architecture of urunc, its key differences with other sandboxing technologies and includes a live demo.