🌐 Now in v2.7.1 — Open Source · Apache 2.0

Run VMs like containers.
Pervasive as the sky.

Vyoma is a MicroVM manager powered by cloud-hypervisor. Use OCI images you already have, get hardware-level isolation in under 250ms. One binary. No YAML gymnastics.

$ sudo dpkg -i vyoma_2.7.0_amd64.deb
~250ms Cold boot (from pull)
~5 MB VM overhead
100% Kernel isolation
0 Config files needed
terminal — vyoma
# Boot an Ubuntu MicroVM via cloud-hypervisor
$ vyoma run ubuntu:latest --vcpu 2 --memory 512M -p 8080:80
⚡ VM booted in ~250ms — 172.16.0.2

# Check running VMs
$ vyoma ps
VM ID IP ADDRESS HOSTNAME
3f2a... 172.16.0.5 -

# View logs
$ vyoma logs 3f2a... -f
[stdout] Alpine Linux 3.21

# Snapshot the entire machine state
$ vyoma snapshot my-vm --name before-deploy
📸 Snapshot saved: CPU + RAM + disk (11.8 MB delta)

# Roll back instantly — full fidelity
$ vyoma restore my-vm --from before-deploy
✓ VM restored (snapshot loaded) — every byte exactly as it was

The Problem

Containers share a kernel.
That's the problem.

Every container on a host shares the same Linux kernel. One kernel exploit, one container escape — and the attacker owns everything. Namespaces are policies. VMs are physics.

Containers
App A
App B
App C
Shared Kernel ⚠️
Host OS

One escape = full access

Vyoma MicroVMs
App A
Kernel
App B
Kernel
App C
Kernel
cloud-hypervisor + KVM 🔒
Host OS

Isolated by hardware

How It Works

If you know Docker,
you already know Vyoma.

Same workflow. Same images. Completely different isolation level.

📦
01

Use OCI images you already have

Pull any image from Docker Hub or your private registry. No conversion step. No new image format to learn. Vyoma speaks OCI natively.

$ vyoma pull nginx:latest
⚡
02

Vyoma boots a real VM in ~250ms

cloud-hypervisor creates a MicroVM with its own kernel, memory, and network stack. Hardware isolation via KVM — not namespaces. Not policy — physics.

$ vyoma run nginx:latest --vcpu 2 --memory 256M -p 80:80
🛠
03

Manage it like Docker

Same CLI patterns you already know. ps, logs, exec, stop, rm β€” they all work. Your muscle memory transfers 1:1. Learn nothing new.

$ vyoma ps
$ vyoma logs my-vm -f
🚀
04

Do what containers can't

Snapshot entire machine state. Time-travel to any point. Live-migrate between hosts. Hibernate to zero cost. Branch like git.

$ vyoma snapshot my-vm --name v1
$ vyoma time-travel my-vm --to v1
$ vyoma teleport my-vm --to eu-west-1

Features

Everything you need.
Nothing you don't.

One binary gives you VM isolation, OCI compatibility, clustering, snapshots, and a dashboard.

⚡

Fast Boot (~250ms)

cloud-hypervisor's lean VMM boots a real kernel in about 250ms — comparable to a container start. Measured, not marketed.

📦

OCI Image Compatible

Use any OCI image from Docker Hub or your private registry. No conversion, no new tooling, no new image format.

🔒

Hardware Isolation

Each VM gets its own kernel via KVM. CPU-enforced memory isolation. Not a namespace — a hardware guarantee.

📸

Machine-State Snapshots

Capture CPU registers, all RAM, disk state. Restore to the exact microsecond. Structurally impossible with containers.

🌐

Built-in Clustering

Vyoma Swarm: VXLAN mesh networking, deterministic subnets. One command to init, one to join.

Compose Support

Multi-VM stacks from a single YAML file. Works with Docker Compose v3 syntax. Zero migration cost.

~30MB

Tiny Overhead

Each MicroVM adds about 30MB of overhead (kernel + virtio). Run dozens on a single host.

📊

Built-in Dashboard

Web dashboard served by the daemon at localhost:8080. Live VM status, metrics, and management. No install needed.

🔧

20+ CLI Commands

run, ps, stop, exec, logs, stats, inspect, snapshot, restore, teleport and more. Complete VM lifecycle from your terminal.

Beyond Docker

Things containers
can never do.

Real VMs enable capabilities that are structurally impossible with containers. This is Vyoma's permanent moat.

🚀 In Progress

Teleport — Live Migration

<1 second downtime. Any host.

Move a running VM between physical hosts with near-zero downtime. Pre-copy memory via KVM dirty page tracking. TCP connections survive. The service moves, not restarts.

$ vyoma teleport api-server --to node-eu-west-1
⚡ Migration complete in ~480ms. TCP connections intact.
⏪ v2.0

TimeMachine — Git for Runtime

Keep snapshot, history, time‑travelling superpowers.

Take snapshots, inspect history, and roll back to any snapshot. CoW delta layers store only what changed. Impossible with containers because they can't capture CPU state or in-memory data. Perfect for safe experimentation and debugging.

$ vyoma history my-db
$ vyoma branch my-db --from snap:6 experiment
$ vyoma time-travel my-db --to snap:3
💤 v2.0

Hibernation — Zero Idle Cost

Scale to zero with full state.

Write complete VM state to disk. Release vCPUs, memory, everything. Resume in <200ms with the exact state preserved. Run 100 dev VMs at zero cost when idle.

$ vyoma hibernate staging-env
💤 0 vCPUs, 0 MB — state saved
$ vyoma start staging-env
⚡ Resumed in 180ms
🔗 Alpha

vk8s — Kubernetes CRI

Pods as MicroVMs (experimental)

Kubernetes can use Vyoma for pod isolation via the CRI shim. Pod = MicroVM. Under active development. Not production ready yet, but early adopters can apply to test it out.

containerRuntimeEndpoint: unix:///var/run/vyoma-cri.sock
runtimeClassName: vyoma-microvm

Security

7 layers of defense.
Each independent.

An attacker must break every single layer to compromise a host. Three are enforced by hardware. The rest are defense-in-depth.

🔒

~50k lines of Rust VMM
vs millions in QEMU

1

KVM Hardware Isolation

Active

CPU-enforced memory boundaries. Not policy — physics.

2

cloud-hypervisor Isolation

Active

Rust VMM with minimal attack surface. ~50k lines vs millions in QEMU.

3

Minimal Device Model

Active

Only virtio-net/blk/vsock + serial. No USB, BIOS, or legacy PCI attack surface.

4

Least-Privilege Daemon

Shipped

Dedicated vyoma user. Only CAP_SYS_ADMIN, CAP_NET_ADMIN, CAP_NET_RAW, and others. No root runtime.

5

WireGuard Mesh Encryption

v1.5

All cluster traffic inside WireGuard tunnels. Zero config. Always-on.

6

Image Signing (Ed25519)

Shipped

Cryptographic verification before boot. Only signed OCI images can run.

7

Capability-Based API Auth

v2.0

Token‑based auth today; scoped tokens planned.
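
A check an operator could run against the least-privilege claim in layer 4, shown as an added example (not Vyoma's own code): it decodes the CapEff bitmask from /proc/<pid>/status and compares it with the three capabilities the page names. The daemon name vyomad, UID 996 and the sample status text are constructed assumptions; bit numbers are those of linux/capability.h.

```python
# Added example: audit a daemon's effective capabilities from /proc/<pid>/status.
import re

# Bit positions 0..40 as defined in linux/capability.h.
CAP_NAMES = ["CAP_" + n for n in """
CHOWN DAC_OVERRIDE DAC_READ_SEARCH FOWNER FSETID KILL SETGID SETUID SETPCAP
LINUX_IMMUTABLE NET_BIND_SERVICE NET_BROADCAST NET_ADMIN NET_RAW IPC_LOCK
IPC_OWNER SYS_MODULE SYS_RAWIO SYS_CHROOT SYS_PTRACE SYS_PACCT SYS_ADMIN
SYS_BOOT SYS_NICE SYS_RESOURCE SYS_TIME SYS_TTY_CONFIG MKNOD LEASE
AUDIT_WRITE AUDIT_CONTROL SETFCAP MAC_OVERRIDE MAC_ADMIN SYSLOG WAKE_ALARM
BLOCK_SUSPEND AUDIT_READ PERFMON BPF CHECKPOINT_RESTORE
""".split()]

# The three capabilities the page names. Its "and others" is unspecified, so
# extras are reported for review rather than treated as a failure.
NAMED_ON_PAGE = {"CAP_SYS_ADMIN", "CAP_NET_ADMIN", "CAP_NET_RAW"}

def decode_caps(mask_hex):
    """Turn a CapEff/CapPrm/CapBnd hex mask into a set of capability names."""
    mask = int(mask_hex, 16)
    names = set()
    for bit in range(64):
        if mask >> bit & 1:
            names.add(CAP_NAMES[bit] if bit < len(CAP_NAMES) else f"CAP_{bit}")
    return names

def audit_status(status_text):
    """Summarise effective UID and capabilities from /proc/<pid>/status text."""
    fields = dict(re.findall(r"^(\w+):[ \t]*(.*)$", status_text, re.M))
    euid = int(fields["Uid"].split()[1])   # order: real, effective, saved, fs
    eff = decode_caps(fields["CapEff"])
    return {
        "runs_as_root": euid == 0,
        "named_missing": sorted(NAMED_ON_PAGE - eff),
        "beyond_named": sorted(eff - NAMED_ON_PAGE),
        # A full effective set is root-equivalent whatever the UID is.
        "full_cap_set": eff >= set(CAP_NAMES),
    }

# Constructed sample; "vyomad" and UID 996 are hypothetical.
SAMPLE_STATUS = (
    "Name:\tvyomad\nUid:\t996\t996\t996\t996\n"
    "CapPrm:\t0000000000203400\nCapEff:\t0000000000203400\n"
    "CapBnd:\t000001ffffffffff\n"
)

if __name__ == "__main__":
    print(audit_status(SAMPLE_STATUS))
```

On a live host, pass the contents of /proc/<pid>/status for the daemon's PID. CAP_SYS_ADMIN on its own already permits a wide range of privileged operations, so its presence deserves as much review as anything listed under beyond_named.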

Comparison

Docker vs Vyoma.
Honest comparison.

Vyoma isn't replacing containers for everything. It's for when isolation actually matters.

Feature | Docker | Vyoma
Isolation model | Namespaces (kernel shared) | KVM (own kernel per VM)
Cold start | ~100ms | ~250ms
Memory overhead | ~2MB | ~30MB
Image format | OCI | OCI (same images)
CLI familiarity | docker run/ps/stop | vyoma run/ps/stop (superset)
VMM backend | runc / containerd | cloud-hypervisor (Rust)
Hardware snapshots | ❌ Not possible | ✅ CPU + RAM + disk
Live migration | ❌ Not possible | ✅ <1 second downtime
Machine-state snapshots | ❌ Not possible | ✅ Restore any snapshot
Hibernate to zero | ❌ Loses state | ✅ Full state preserved
Kernel customization | ❌ Host kernel | ✅ Per-VM kernel
Security layers | 2–3 | 7 independent layers
Compose support | docker-compose.yml | Same file, vm: extensions

Get Started

From zero to MicroVM
in 60 seconds.

1

Install

Installs with a single .deb/.rpm. Requires KVM, cgroups v2, and a Linux kernel 5.10+.

# One-line install
sudo dpkg -i vyoma_2.7.0_amd64.deb

# Verify everything works
vyoma doctor
  ✓ KVM Device Access (/dev/kvm)
  ✓ Cgroups v2 (/sys/fs/cgroup)
  ✓ Cloud Hypervisor Binary
  ✓ Virtiofsd Binary
  ⚠ Vyoma Bridge (vyoma0)
  ✓ debugfs (e2fsprogs)
2

Run your first VM

Pull any OCI image. Boot it as an isolated MicroVM in milliseconds.

# Boot Ubuntu with 2 vCPUs, 512MB RAM
vyoma run ubuntu:latest --vcpu 2 --memory 512M

# List running VMs
vyoma ps

# Follow VM logs
vyoma logs my-vm -f
3

Deploy a full stack

Use your existing docker-compose.yml. Add VM superpowers.

# docker-compose.yml works unchanged
vyoma up -d

# Add VM-specific config (optional)
services:
  api:
    image: myapp:latest
    deploy:
      resources:
        limits:
          cpus: "4"
          memory: "1G"

Ecosystem

Not just a runtime.
A complete platform.

CLI, dashboard, compose, clustering, SDK, registry — all built-in or coming soon.

💻 Shipped

CLI

Web UI at localhost:8080. Real-time status. UI overhaul planned.

🎨 Active

Dashboard

Web UI at localhost:8080. Live metrics, VM management.

📦 Shipped

Compose

Multi-VM stacks. Docker Compose v3 compatible. Zero migration.

⚡ Shipped

Swarm

VXLAN mesh clustering. Deterministic subnets. One command setup.

🔧 Alpha

SDK

Go, Rust, Python. Programmatic VM management APIs.

Planned

VS Code

Extension for managing VMs from VS Code. On roadmap.

🌐 Planned

Vyoma Hub

OCI registry + Docker Hub bridge. Curated base images.

🖥 Planned

Studio

Visual compose editor + network topology visualizer.

Open Source

Built in public.
By developers, for developers.

Vyoma is Apache 2.0 licensed. The entire codebase is Rust + Go + TypeScript, powered by cloud-hypervisor. Contributions welcome — from bug fixes to building the features Docker can never have.

Rust
Go
TypeScript
cloud-hypervisor
KVM
Apache 2.0
VyomaVM/Vyoma/
├── crates/   # Rust workspace (14+ crates)
├── ui/       # TypeScript dashboard
├── tests/    # Integration + chaos + compat
├── packaging/ # .deb/.rpm + systemd
└── vk8s/ # Go Kubernetes integration

Ready to run VMs
pervasive as the sky?

One binary. Under 1 second boot. Your OCI images. Your muscle memory.
But with real isolation, real snapshots, and real migration.

Free & open source · Apache 2.0 · cloud-hypervisor + KVM · Works on any Linux