In a discussion sparked by GPU memory snapshots promising sub-second startup, Hacker News commenters focus less on the original announcement and more on how different sandboxing and virtualization technologies compare for running containerized workloads. One participant unfamiliar with the space asks how Modal differs from Docker, how their cold start times compare, and how both relate to Firecracker virtual machines, prompting more technical replies that frame Firecracker and related projects as alternative ways to isolate applications.
A detailed explanation of Firecracker describes how it builds on Intel VMX and KVM but strips away the traditional hardware peripheral emulation and the full BIOS or UEFI firmware found in QEMU. Instead, Firecracker implements only the minimal components needed to boot a modern Linux kernel; its “microVM” BIOS lets it begin booting Linux almost immediately, where a traditional QEMU virtual machine might take 2-5 seconds. This design is presented as enabling very short-lived virtual machines that effectively run a single application, echoing ideas previously explored by Kata Containers while aiming for a more efficient implementation.
Security and performance tradeoffs dominate the rest of the thread, particularly around Modal’s use of gVisor and GPU workloads. One commenter notes that Modal runs untrusted containers, so every container is effectively “front facing” and needs strong isolation; if Modal’s customer workloads are mainly GPU bound, the performance hit of gVisor is less severe, because most GPU activity consists of longer-lived asynchronous calls where some overhead is tolerable. Another commenter worries that gVisor can still degrade performance for general compute-heavy tasks, even if it makes sense for large language model use cases, and contrasts it with Firecracker-based providers like Fly.io and other sandbox products such as sprites.dev and E2B. A later reply explains that CPU-only virtual machine snapshotting is relatively mature but GPU snapshotting remains difficult, mentions that Firecracker GPU support is described as hard or impossible, and references Fly.io’s abandoned plans around a different hypervisor for their GPU cloud. Elsewhere, a commenter notes that the discussed GPU snapshot feature uses Nvidia’s CUDA snapshot API paired with a host-side snapshot, and highlights that Modal’s reliance on gVisor is known to have high overhead, while asking whether a more efficient option exists for trusted containers.
