Hacker News

> Modal has an isolated container runtime that lets us share each host’s CPU and memory between workloads.

Looks like Modal hosts workloads in Containers, not VMs. How do you enforce secure isolation with this design? A single kernel vulnerability could lead to remote execution on the host, impacting all workloads. Am I missing anything?




I mentioned this in another comment thread, but we use gVisor to enforce isolation. https://gvisor.dev/users/

It's also used by Google Kubernetes Engine, OpenAI, and Cloudflare among others to run untrusted code.


And Google's own serverless offerings (App Engine, Cloud Run, Cloud Functions) :-)

Disclaimer: I'm an SRE on the GCP Serverless products.


Neat, thanks for sharing! Glad to know we're in good company here.



