Hacker News

So... if you're at the point where you're using a single VM, I have to ask why bother with docker at all? You're paying a context switch overhead, memory overhead, and disk overhead that you do not need to. Just make an image of the VM in case you need to drop it behind an LB.


If you've ever had the displeasure of seeing the sorry state of VM tooling you would have known that building custom VM images is a very complicated endeavour compared to podman build or docker build.

I once tried to build a simple setup using VM images and the complexity exploded to the point where I'm not sure why anyone should bother.

When building a container you can just throw everything into it and keep the mess isolated from other containers. If you use a VM, you can't use the OCI format, you need to build custom packages for the OS in question. The easiest way to build a custom package is to use docker. After that you need to build the VM images which requires a convoluted QEMU and libvirt setup and a distro specific script and a way to integrate your custom packages. Then after all of this is done you still need to test it, which means you need to have a VM and you need to make it set itself up upon booting, meaning you need to learn how to use cloud-init.

Just because something is "mature" doesn't mean it is usable.

The overhead of docker is basically insignificant and imperceptible (especially if you use host networking) compared to the day to day annoyances you've invited into your life by using VM images. Starting a VM for testing purposes is much slower than starting a container.


This comment chain is probably talking about like AWS images, AMIs, which is just an API call and it snapshots the VM for you. Or use Packer.


There's one extra process that takes up a tiny bit of CPU and memory. For that, you get an immutable host, simple configuration, a minimal SBOM, a distributable set of your dependencies, x-platform for dev, etc.


Yes but NixOS does all of these things already, without the process overhead


Even the minimal SBOM part? It's hard to be more minimal than a busybox binary.


That’s fair, NixOS avoids the direct stuff from Docker itself but if you’re basing on an Alpine image or something that would probably be more minimal / smaller


Nix wraps your process in namespaces and seccomp?


Not by default, but tools like agent-sandbox.nix (bwrap, seccomp) or others such as nixpak (just bwrap, but more popular) can provide those capabilities if you want, in a fairly simple interface.


How is docker a context switch overhead? It's the same processes running on the same kernel.


You're adding all of the other supporting processes within the container that needn't be replicated.
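
An added example (not from either commenter) that makes the two points above concrete: on Linux a container is ordinary host processes on the host kernel inside separate namespaces, so you can read /proc to confirm the kernel is shared, see which namespaces differ from pid 1, and list every process sharing a container's pid namespace (the "supporting processes" the reply refers to). Only standard procfs paths are used; the /proc/<pid>/cgroup samples are constructed, not captured from a real host.

```python
# Added example, not code from the thread.  Linux procfs only; the live
# helpers return None elsewhere so the pure function still runs.
import os
import re

NS_KINDS = ("pid", "mnt", "net", "uts", "ipc", "user", "cgroup")
_RUNTIME_RE = re.compile(r"(docker|containerd|podman|libpod|cri-o|kubepods)")


def kernel_release():
    """Kernel version string.  It is identical inside and outside any
    container, because they share the kernel; a VM reports its own."""
    return os.uname().release


def namespace_ids(pid):
    """Map namespace kind -> 'kind:[inode]' for one process, or None when
    procfs namespaces are unavailable (non-Linux).  Kinds that cannot be
    read (old kernel, or another user's process) are left out."""
    base = f"/proc/{pid}/ns"
    if not os.path.isdir(base):
        return None
    ids = {}
    for kind in NS_KINDS:
        try:
            ids[kind] = os.readlink(os.path.join(base, kind))
        except OSError:
            pass
    return ids


def namespace_diff(pid_a, pid_b):
    """Namespace kinds in which two processes differ.  Processes in one
    container agree on all of them; a container process and the host's
    pid 1 normally differ in pid/mnt/net/uts/ipc yet share one kernel."""
    a, b = namespace_ids(pid_a), namespace_ids(pid_b)
    if a is None or b is None:
        return None
    return [k for k in NS_KINDS if k in a and k in b and a[k] != b[k]]


def processes_in_pid_ns(pid):
    """All host-visible pids in the same pid namespace as `pid`, i.e. the
    container's whole process tree as the host sees it."""
    target = namespace_ids(pid)
    if target is None or "pid" not in target:
        return None
    members = []
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        try:
            if os.readlink(f"/proc/{entry}/ns/pid") == target["pid"]:
                members.append(int(entry))
        except OSError:
            continue  # process exited, or not ours to inspect
    return sorted(members)


def cgroup_runtime_hint(cgroup_text):
    """Container runtime suggested by /proc/<pid>/cgroup text, or None.
    Heuristic only: the path is whatever name the runtime gave its cgroup."""
    for line in cgroup_text.splitlines():
        parts = line.split(":", 2)  # hierarchy-id:controllers:path
        if len(parts) != 3:
            continue
        m = _RUNTIME_RE.search(parts[2])
        if m:
            return m.group(1)
    return None


# Constructed samples: a cgroup v2 line for a docker-started process and
# one for a plain login session on the host.
SAMPLE_CGROUP_DOCKER = "0::/system.slice/docker-0123456789abcdef.scope\n"
SAMPLE_CGROUP_HOST = "0::/user.slice/user-1000.slice/session-2.scope\n"


def self_report():
    """Summary for the calling process; safe to run anywhere."""
    me = os.getpid()
    return {
        "kernel": kernel_release(),
        "ns_diff_vs_pid1": namespace_diff(me, 1),
        "pid_ns_members": processes_in_pid_ns(me),
    }


if __name__ == "__main__":
    # From the host, pass a container's init pid instead of os.getpid()
    # (docker inspect -f '{{.State.Pid}}' <name>) to see its process tree.
    for key, value in self_report().items():
        print(f"{key}: {value}")
```

Run it on the host against a container's pid and `ns_diff_vs_pid1` lists the namespaces Docker unshared, `kernel` matches the host's, and `pid_ns_members` is exactly the set of extra processes the image carries; a single-process image yields a list of length one.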


It depends, you could have an application with something like

  # Empty base image: no shell, no libc, nothing but what you copy in
  FROM scratch

  COPY my-static-binary /my-static-binary

  # Exec form: scratch has no /bin/sh, so the shell form would fail to start
  ENTRYPOINT ["/my-static-binary"]

Having multiple processes inside one container is a bit of an anti-pattern imo
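
As an added example (not the commenter's code, and not tied to any real project), here is the multi-stage build that usually sits in front of a `FROM scratch` image like the one above, and that gives the "minimal SBOM" mentioned earlier in the thread: the final image holds one static binary plus CA roots, and nothing else. The module path `./cmd/my-static-binary` and the Go base image tag are assumptions.

```dockerfile
# Added example, not from the thread.  Stage 1 compiles a fully static Go
# binary; stage 2 copies only that binary into an empty image.
FROM golang:1.22-alpine AS build
RUN apk add --no-cache ca-certificates
WORKDIR /src
COPY go.mod go.sum ./
RUN go mod download
COPY . .
# CGO_ENABLED=0 removes the libc dependency so the binary runs in scratch;
# -s -w strips symbol tables, -trimpath drops build-host paths.
RUN CGO_ENABLED=0 GOOS=linux go build -trimpath -ldflags="-s -w" \
        -o /out/my-static-binary ./cmd/my-static-binary

FROM scratch
# CA roots are only needed if the program makes TLS connections.
COPY --from=build /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
COPY --from=build /out/my-static-binary /my-static-binary
# scratch has no /etc/passwd, so the user must be numeric, not a name.
USER 65534:65534
ENTRYPOINT ["/my-static-binary"]
```

`docker build -t my-static-binary .` produces an image whose size is essentially the binary's; `docker exec <ctr> sh` fails because there is no shell to exec, which is the point, and an SBOM scanner will list your Go module's dependencies and nothing from an OS distribution.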


Sidecars? Not in a simple app.



