VMSan, Firecracker microVMs from the command line. Install to shell in two commands.

I built a CLI that wraps Firecracker to make hardware-isolated VMs as easy to use as containers.

The entire workflow:

    $ curl -fsSL https://vmsan.dev/install | bash
    $ vmsan create --runtime node22 --connect
    root@vm-f91c4e0:~#

That's it. You're inside an isolated microVM with its own kernel. ~125ms boot, ~5MB memory overhead.

No YAML. No JSON configs. No daemon. No SSH keys. State is just files in ~/.vmsan/.

What it does:

    $ vmsan create --from-image python:3.13-slim   # any Docker image as a VM
    $ vmsan list                                   # list running VMs
    $ vmsan exec cat /etc/os-release               # run a command
    $ vmsan exec -i bash                           # interactive PTY shell
    $ vmsan upload ./script.py /tmp/script.py      # push files in
    $ vmsan download /tmp/out.csv ./               # pull files out
    $ vmsan network --policy deny-all              # cut network access
    $ vmsan stop                                   # stop
    $ vmsan rm                                     # clean up

Every command supports --json for piping into jq or scripting:

    $ vmsan list --json | jq '.[].id'
    "vm-f91c4e0"
    "vm-a3d8b12"

    $ VM=$(vmsan create --from-image node:22-alpine --json | jq -r '.id')
    $ vmsan exec $VM node -e "console.log(process.version)"
    v22.14.0
    $ vmsan rm $VM

You can also publish a port and get a public URL instantly:

    $ vmsan create --publish-port=8080
    ✔️ https://vm-29bdc529.vmsan.app

Under the hood: Firecracker VMM (same tech behind AWS Lambda), jailer with seccomp-bpf, each VM gets its own TAP device on a /30 subnet. A tiny Go agent (~2MB) inside the VM handles exec/files/shell over HTTP. The CLI is TypeScript/Bun.

I built this because raw Firecracker is powerful but unusable without writing JSON configs, creating TAP devices by hand, and building rootfs images manually. vmsan does all of that in the background.

Requires Linux with KVM. Works on bare metal, Proxmox, or any VPS with KVM access.

GitHub: https://github.com/angelorc/vmsan
Docs: https://vmsan.dev

submitted by /u/bitangel84
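Added example, not from the post or the vmsan project: the post's --json scripting pattern extended into a fail-closed wrapper that uploads a script, applies the deny-all network policy, runs the script and removes the VM on every path. It assumes that upload, network, exec and rm take the VM id as their first argument (the post shows this only for exec and rm) and that exec and upload still work after deny-all; the function name run_isolated and the guest path /tmp/job are hypothetical.

```shell
#!/usr/bin/env bash
# Added example (not vmsan's own code): run one script in a throwaway microVM
# with networking cut before execution, and always remove the VM afterwards.
# ASSUMPTION: upload/network/exec/rm take the VM id as their first argument,
# mirroring `vmsan exec $VM ...` and `vmsan rm $VM` from the post.
# ASSUMPTION: /tmp/job is an arbitrary guest path chosen for this example.

run_isolated() {
  local image="$1" script="$2" interp="$3" vm rc=0

  # Create the VM and read its id from the --json output, as the post does.
  vm=$(vmsan create --from-image "$image" --json | jq -r '.id')
  case $vm in
    vm-*) ;;  # ids in the post look like vm-f91c4e0
    *) echo "create failed (id: '$vm')" >&2; return 2 ;;
  esac

  if ! vmsan upload "$vm" "$script" /tmp/job; then
    rc=3
  elif ! vmsan network "$vm" --policy deny-all; then
    # Fail closed: if the policy was not applied, the script never runs.
    rc=4
  else
    # Propagate the job's own exit status to the caller.
    vmsan exec "$vm" "$interp" /tmp/job || rc=$?
  fi

  # Cleanup happens on every path so a failed job never leaves a VM behind.
  vmsan rm "$vm" >/dev/null || echo "warning: $vm was not removed" >&2
  return "$rc"
}

# Usage: run_isolated node:22-alpine ./job.js node
```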