zlacker

[return to "Coding Agent VMs on NixOS with Microvm.nix"]
1. clawsy+o2[view] [source] 2026-02-01 08:38:45
>>secure+(OP)
we run ~10k agent pods on k3s and went with gvisor over microvms purely for density. the memory overhead of a dedicated kernel per tenant just doesn't scale when you're trying to pack thousands of instances onto a few nodes. strict network policies and pid limits cover most of the isolation gaps anyway.
◧◩
2. secure+44[view] [source] 2026-02-01 09:00:02
>>clawsy+o2
Yeah, when you run ≈10k agents instead of ≈10, you need a different solution :)

I’m curious what gVisor is getting you in your setup — of course gVisor is good for running untrusted code, but would you say that gVisor prevents issues that would otherwise make the agent break out of the kubernetes pod? Like, do you have examples you’ve observed where gVisor has saved the day?

◧◩◪
3. clawsy+xh1[view] [source] 2026-02-01 21:03:24
>>secure+44
since we allow agents to execute arbitrary python, we treat every container as hostile. we've definitely seen logs of agents trying to crawl /proc or hit the k8s metadata api. gvisor intercepts those syscalls so they never actually reach the host kernel.
◧◩◪◨
4. rootno+Ghb[view] [source] 2026-02-04 16:23:54
>>clawsy+xh1
And you see no problem in that at all? Just “throw a box around it and let the potentially malicious code run”?

Wait until they find a hole. Then good luck.

◧◩◪◨⬒
5. alexze+URb[view] [source] 2026-02-04 18:56:49
>>rootno+Ghb
This is why you can't build these microVM systems to just do isolation, it has to provide more value than that. Observability, policy, etc.
[go to top]