Run VMs like containers.
Isolated like nothing else.
Ignite is a MicroVM manager powered by Firecracker. Use Docker images you already have, get hardware-level isolation in under 150ms. One binary. No YAML gymnastics.
$ ign run ubuntu:latest --vcpu 2 --memory 512M -p 8080:80
⚡ VM booted in 127ms → 172.19.0.2
# It's a real VM with its own kernel
# (the commands below address the VM as my-vm; give it that name when you start it)
$ ign exec my-vm uname -a
Linux ignite-vm 5.10.0-ignite #1 SMP x86_64 GNU/Linux
# Snapshot the entire machine state
$ ign snapshot my-vm --name before-deploy
📸 Snapshot saved: CPU + RAM + disk (12.4 MB delta)
# Everything goes wrong? Roll back instantly
$ ign restore my-vm --from before-deploy
✓ Restored in 48ms → every byte exactly as it was
The Problem
Containers share a kernel.
That's the problem.
Every container on a host shares the same Linux kernel. One kernel exploit, one container escape, and the attacker owns everything on that host. Namespaces are policies. VMs are physics.
Containers: one escape = full access
Ignite: isolated by hardware
How It Works
If you know Docker,
you already know Ignite.
Same workflow. Same images. Completely different isolation level.
Use Docker images you already have
Pull any image from Docker Hub or your private registry. No conversion step. No new image format to learn.
Ignite boots a real VM in <150ms
Firecracker creates a MicroVM with its own kernel, memory, and network stack. Hardware isolation via KVM, not namespaces.
Manage it like Docker
Same CLI patterns you already know. ps, logs, exec, stop, rm: they all work. Your muscle memory transfers 1:1.
$ ign logs my-vm -f
$ ign exec my-vm bash
Do what containers can't
Snapshot entire machine state. Time-travel to any point. Live-migrate between hosts. Hibernate to zero cost. Branch like git.
$ ign time-travel my-vm --to v1
$ ign teleport my-vm --to eu-west-1
Features
Everything you need.
Nothing you don't.
One binary gives you VM isolation, Docker compatibility, clustering, snapshots, and a dashboard.
Sub-150ms Boot
Firecracker's minimal device model (no BIOS, no legacy PCI to enumerate) lets a MicroVM cold-boot in under 150ms, faster than many containers warm-start.
Docker Image Compatible
Use any OCI image from Docker Hub or your private registry. No conversion, no new tooling.
Hardware Isolation
Each VM gets its own kernel via KVM. CPU-enforced memory isolation. Not a namespace: a hardware guarantee.
Machine-State Snapshots
Capture CPU registers, all RAM, and disk state, and restore the machine exactly as it was. Containers have no equivalent: userspace checkpointing (CRIU) captures processes, not a kernel.
Built-in Clustering
Ignite Swarm: VXLAN mesh networking, deterministic subnets. One command to init, one to join.
Compose Support
Multi-VM stacks from a single YAML file. Works with Docker Compose v3 syntax. Zero migration cost.
Tiny Overhead
Each MicroVM adds only ~5MB of overhead. Run hundreds on a single host without breaking a sweat.
Built-in Dashboard
Web dashboard served by the daemon at localhost:3000. Live VM status, metrics, and management. No install needed.
20+ CLI Commands
run, ps, stop, exec, logs, stats, inspect, snapshot, restore, and more. Complete VM lifecycle from your terminal.
Beyond Docker
Things containers
can never do.
Real VMs enable capabilities that are structurally impossible with containers. This is Ignite's permanent moat.
Teleport โ Live Migration
20-80ms downtime. Any host.
Move a running VM between physical hosts with near-zero downtime. Pre-copy memory via KVM dirty page tracking. TCP connections survive as long as the VM keeps its network address on the destination host. The service moves, not restarts.
⚡ Migrated in 47ms. TCP connections intact.
TimeMachine โ Git for Runtime
Branch, diff, time-travel your VMs.
Every snapshot is a commit. CoW delta layers store only what changed. Fork your prod database, test a migration, throw it away. Production debugging nobody else can offer.
$ ign branch my-db --from snap:6 experiment
$ ign time-travel my-db --to snap:3
Hibernation โ Zero Idle Cost
Scale to zero with full state.
Write complete VM state to disk. Release vCPUs, memory, everything. Resume in <200ms with the exact state preserved. Run 100 dev VMs at zero cost when idle.
💤 0 vCPUs, 0 MB → state saved
$ ign start staging-env
⚡ Resumed in 180ms
vk8s โ Kubernetes CRI
Pods as real MicroVMs.
Kubernetes can use Ignite as its pod runtime through the CRI. Each pod = one MicroVM, so pods are isolated from each other at the VM level. Node drains are Teleport-backed: workloads migrate instead of being killed.
unix:///var/run/ignite-cri.sock
runtimeClassName: ignite-microvm
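How a cluster is wired to that socket, as an added example (these are not the project's own manifests; the handler name and the pod are assumptions). The kubelet is pointed at the CRI socket, a RuntimeClass names the handler, and only pods that opt in via runtimeClassName land in MicroVMs:

```yaml
# kubelet flag (per node):  --container-runtime-endpoint=unix:///var/run/ignite-cri.sock
#
# RuntimeClass: tells the kubelet which CRI handler to dispatch matching pods to.
# The handler value "ignite-microvm" is an assumption; use whatever the Ignite
# CRI shim actually registers on your nodes.
apiVersion: node.k8s.io/v1
kind: RuntimeClass
metadata:
  name: ignite-microvm
handler: ignite-microvm
---
# A pod that opts in. Pods without runtimeClassName keep using the default runtime,
# so the isolation boundary is only as good as the policy that requires this field.
apiVersion: v1
kind: Pod
metadata:
  name: isolated-api
spec:
  runtimeClassName: ignite-microvm
  containers:
  - name: api
    image: myapp:latest
```

If VM-level isolation is the point, enforce the field with an admission policy rather than relying on each manifest author to remember it.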
Security
7 layers of defense.
Each independent.
A guest escape has to get through the VMM and the Jailer before it reaches the host; the remaining layers protect the daemon, the cluster network, the image supply chain and the API. One layer (KVM) is enforced by the CPU; the rest are software defense-in-depth.
50,000 lines of Rust VMM
vs millions in QEMU
KVM Hardware Isolation [Active]
CPU-enforced memory boundaries. Not policy, physics.
Firecracker Jailer [Active]
seccomp-bpf allowlist of ~50 syscalls, plus chroot and namespaces around the VMM process.
Minimal Device Model [Active]
Only virtio-net/blk/vsock plus a serial console. No USB, BIOS, or legacy PCI to emulate.
Least-Privilege Daemon [v1.2]
Dedicated system user. Only CAP_NET_ADMIN + CAP_SYS_ADMIN. (CAP_SYS_ADMIN is a broad capability, so the daemon itself remains a trust boundary.)
WireGuard Mesh Encryption [v1.5]
All cluster traffic inside WireGuard tunnels. Zero config.
Image Signing (Ed25519) [v1.5]
Cryptographic verification of image signatures. Only signed images can run.
Capability-Based API Auth [v2.0]
Scoped tokens per VM, per operation, per time window.
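What a check for a scoped, time-windowed token has to enforce, as an added illustration. This is not Ignite's code and does not reflect its real token format: the HMAC-SHA256-over-JSON claim set, the secret key, the VM name and the operation names are assumptions made for the example.

```python
"""Scoped API tokens (per VM, per operation, per time window): illustrative only.

Assumed design (not from the page): a token is an HMAC-SHA256 tag over a small
JSON claim set {vm, ops, nbf, exp}; the daemon holds the secret key. The
verifier must reject on ANY failure, and it checks the tag before it parses.
"""
from __future__ import annotations

import base64
import hashlib
import hmac
import json
import time


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue(key: bytes, vm: str, ops: set[str], ttl_s: int, now: float | None = None) -> str:
    """Mint a token valid for exactly one VM, a fixed set of ops and a time window."""
    now = time.time() if now is None else now
    claims = {"vm": vm, "ops": sorted(ops), "nbf": int(now), "exp": int(now) + ttl_s}
    body = json.dumps(claims, separators=(",", ":"), sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return f"{_b64(body)}.{_b64(tag)}"


def authorize(key: bytes, token: str, vm: str, op: str, now: float | None = None) -> bool:
    """True only if the token is authentic AND covers this vm, op and instant."""
    now = time.time() if now is None else now
    try:
        body_s, tag_s = token.split(".", 1)
        body, tag = _unb64(body_s), _unb64(tag_s)
    except (ValueError, TypeError):
        return False
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time compare, before parsing
        return False
    claims = json.loads(body)
    if claims.get("vm") != vm:  # scoped to one VM
        return False
    if op not in claims.get("ops", []):  # scoped to named operations
        return False
    if not (claims["nbf"] <= now < claims["exp"]):  # time window
        return False
    return True


# Constructed demo values (assumptions, not real keys or names from the page).
KEY = b"demo-secret-key-replace-in-real-deployments"
T0 = 1_700_000_000.0


def demo() -> dict[str, bool]:
    """Exercise the accept path and every reject path once."""
    tok = issue(KEY, "my-vm", {"exec", "logs"}, ttl_s=300, now=T0)
    tampered = "f" + tok[1:]  # flips the first byte of the claim set; tag no longer matches
    return {
        "right_vm_right_op": authorize(KEY, tok, "my-vm", "exec", now=T0 + 10),
        "wrong_vm": authorize(KEY, tok, "other-vm", "exec", now=T0 + 10),
        "unscoped_op": authorize(KEY, tok, "my-vm", "rm", now=T0 + 10),
        "expired": authorize(KEY, tok, "my-vm", "exec", now=T0 + 301),
        "tampered": authorize(KEY, tampered, "my-vm", "exec", now=T0 + 10),
        "wrong_key": authorize(b"other-key", tok, "my-vm", "exec", now=T0 + 10),
    }


if __name__ == "__main__":
    print(demo())
```

The order of checks matters: the tag is verified before the claims are parsed, so a forged token never reaches the JSON parser, and every branch that is not an explicit allow returns False.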
Comparison
Docker vs Ignite.
Honest comparison.
Ignite isn't replacing containers for everything. It's for when isolation actually matters.
| Feature | Docker | Ignite 🔥 |
|---|---|---|
| Isolation model | Namespaces (kernel shared) | KVM (own kernel per VM) |
| Cold start | ~500ms | <150ms |
| Memory overhead | ~2MB | ~5MB |
| Image format | OCI | OCI (same images) |
| CLI familiarity | docker run/ps/stop | ign run/ps/stop (superset) |
| Hardware snapshots | ✗ Not possible | ✓ CPU + RAM + disk |
| Live migration | ✗ Not possible | ✓ 20-80ms downtime |
| Time travel / branching | ✗ Not possible | ✓ Git-like history |
| Hibernate to zero | ✗ Loses state | ✓ Full state preserved |
| Kernel customization | ✗ Host kernel | ✓ Per-VM kernel |
| Security layers | 2-3 | 7 independent layers |
| Compose support | docker-compose.yml | Same file, vm: extensions |
Get Started
From zero to MicroVM
in 60 seconds.
Install
Single binary. No dependencies. Works on any Linux with KVM.
# Download and run the installer (or save the script to a file and read it first)
curl -sfL https://get.ignite.dev | sh
# Verify everything works
ign doctor
✓ KVM available
✓ Firecracker bundled
✓ ignited running
✓ Network configured
Run your first VM
Pull any Docker image. Boot it as an isolated MicroVM.
ign run ubuntu:latest --vcpu 2 --memory 512M
# It's a real VM (the commands below assume the VM is named my-vm)
ign exec my-vm cat /proc/cpuinfo
# Full docker-like management
ign ps
ign logs my-vm -f
ign stats my-vm
Deploy a full stack
Use your existing docker-compose.yml. Add VM superpowers.
# Bring the stack up from your existing compose file
ign up -d
# Add VM-specific config (optional): the vm: block is an Ignite extension
services:
  api:
    image: myapp:latest
    vm:
      vcpus: 4
      memory: 1G
      kernel: 6.1-ignite-slim
Ecosystem
Not just a runtime.
A complete platform.
CLI, dashboard, compose, clustering, SDK, registry: all built-in or coming soon.
CLI
20+ commands. Superset of Docker CLI.
Dashboard
Web UI at localhost:3000. Always available.
Compose
Multi-VM stacks. Docker Compose v3 compatible.
Swarm
VXLAN mesh clustering. One command setup.
SDK
Go, Rust, Python. Programmatic VM management.
VS Code
Extension for managing VMs from your editor.
Ignite Hub
Image registry + Docker Hub bridge.
Studio
Visual compose editor + network topology.
Open Source
Built in public.
By developers, for developers.
Ignite is Apache 2.0 licensed. The entire codebase is Rust + TypeScript. Contributions welcome, from bug fixes to building the features Docker can never have.
├── crates/     # Rust workspace (4 crates, 11 in v2)
├── ui/         # TypeScript dashboard
├── tests/      # Integration + chaos + compat
└── packaging/  # .deb/.rpm + systemd
Ready to run VMs
like it's 2027?
One binary. Under 150ms boot. Your Docker images. Your muscle memory.
But with real isolation, real snapshots, and real migration.
Free & open source · Apache 2.0 · Works on any Linux with KVM