Show HN: Nucleus – A security-hardened, Nix-native container runtime (github.com)

🤖 AI Summary
Nucleus is a new minimalist container runtime for Linux, presented as a lightweight, security-hardened solution for isolated execution environments. Unlike traditional container runtimes, Nucleus builds directly on Linux kernel primitives to minimize overhead while offering a fully declarative model powered by Nix. The runtime supports three modes: agent mode for fast, ephemeral workloads; strict agent mode for stronger isolation; and production mode, which enforces strict operational security and reproducibility. For production services, configurations are predefined in NixOS, which improves service stability, reproducibility, and auditability. The significance of Nucleus lies in its security features and efficiency: with a startup time of about 12 ms, compared with roughly 500 ms for Docker, it offers near bare-metal performance for database workloads. Nucleus isolates workloads using cgroups, namespaces, and seccomp syscall filtering, making it well suited to running untrusted or ephemeral workloads. Its decision to forgo traditional container images in favor of Nix store closures yields stronger reproducibility and policy enforcement. Taken together, this positions Nucleus as a compelling alternative for developers who prioritize security and streamlined operations in their AI and production environments.