Hey everyone, I've been following the discussions here about isolating agents and finally decided to try something myself. I'm pretty new to this whole microVM/gVisor concept, so go easy on me 😅
I made a simple wrapper script to launch Claw agents inside gVisor's `runsc` sandbox. The idea was to get that extra isolation layer without having to manage full VMs. I basically just intercept the normal docker run command and pass it through to gVisor's OCI runtime. It seems to work for my basic test agents!
I have a few questions though, for the more experienced folks:
* How much of a real security bump is this over just a regular container? I've read the gVisor docs, but I'm curious about practical experiences.
* I'm noticing a small but noticeable startup delay. Is that normal, and are there big performance hits for I/O or network-heavy agents?
* My wrapper feels a bit... clunky. Is there a more standard way to integrate this? Should I be looking at Kubernetes with a runtime class instead?
I'm running this on a basic home server (Ubuntu 22.04). Really excited to hear what you all think and if this is even a useful direction.
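An added example of the kind of wrapper described above, written here for illustration (it is not the poster's script): it forces `docker run` onto the runsc runtime, fails closed if runsc is not registered with dockerd, and includes a check that a container really booted under gVisor. It assumes runsc is registered with the daemon under the name `runsc` and that the file is saved as `runsc-run`.

```shell
#!/bin/sh
# Added example, not the poster's wrapper. Assumes runsc is installed and
# registered with dockerd as the runtime named "runsc" (daemon.json).
set -eu

# has_runtime_flag ARGS...: returns 0 if the caller already passed --runtime
# (as "--runtime=X" or "--runtime X"), so the wrapper does not override it.
has_runtime_flag() {
  for arg in "$@"; do
    case "$arg" in
      --runtime|--runtime=*) return 0 ;;
    esac
  done
  return 1
}

# runsc_flag_for ARGS...: prints the flag to inject after "docker run",
# or an empty line when the caller chose a runtime explicitly.
runsc_flag_for() {
  if has_runtime_flag "$@"; then
    printf '%s\n' ''
  else
    printf '%s\n' '--runtime=runsc'
  fi
}

# runsc_registered: succeeds only if dockerd advertises a "runsc" runtime.
# Without this the wrapper would silently fall back to a plain runc container.
runsc_registered() {
  docker info --format '{{json .Runtimes}}' 2>/dev/null | grep -q '"runsc"'
}

# sandbox_check IMAGE: gVisor's Sentry emits its own boot messages to dmesg
# inside the sandbox, so a missing "gVisor" line means runsc was not used.
sandbox_check() {
  docker run --rm --runtime=runsc "$1" dmesg 2>/dev/null | grep -q 'gVisor'
}

main() {
  [ "${1:-}" = "run" ] || { echo "usage: $0 run [OPTIONS] IMAGE [CMD...]" >&2; exit 2; }
  shift
  runsc_registered || { echo "runsc is not registered with dockerd" >&2; exit 1; }
  # shellcheck disable=SC2046  # the injected flag contains no whitespace
  exec docker run $(runsc_flag_for "$@") "$@"
}

# Only act as a wrapper when invoked under the assumed script name.
case "${0##*/}" in
  runsc-run|runsc-run.sh) main "$@" ;;
esac
```

Running `sandbox_check alpine` after installing the wrapper is a quick way to confirm the isolation layer is actually in place rather than assumed.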