Run untrusted code in hardened VMs.
Hotcell runs code inside tiny virtual machines. Each execution gets its own kernel, its own memory, its own process tree. The code cannot see or touch the host because it is running on separate virtual hardware.
```rust
// `rootfs` (the prepared root filesystem) and `worker_bin` (the worker binary)
// are assumed to have been set up earlier; the page does not show that code.
let config = VmConfig {
    rootfs_path: rootfs.path().to_path_buf(),
    command: vec!["/bin/echo".into(), "hello from a VM".into()],
    backend: "libkrun".into(), // or "firecracker"
    ..Default::default()
};
let result = hotcell::worker::run_vm(&config, worker_bin).await?;
```
VM Isolation
Each execution gets its own kernel, memory space, and process tree. Two pluggable VMM backends — libkrun (macOS + Linux) and Firecracker (Linux only) — provide hardware-level virtualization. The code cannot see or touch the host because it is running on separate virtual hardware.
OCI Image Support
Pull and run standard Docker/OCI images. No special image format needed — just hardened security for your existing containers.
Real-Time Streaming
Stream console output in real-time via SSE or WebSocket. No waiting for the VM to exit — see output as it happens.
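Consuming a streamed console feed correctly means handling chunks that split an SSE line or event in the middle. The following is an added example, not Hotcell's client code: a dependency-free incremental SSE parser in Rust, fed constructed chunks. The event names (`stdout`, `exit`) and the sample payloads are assumptions for illustration, not Hotcell's wire format.

```rust
// Added example: incremental Server-Sent Events (SSE) parser for a streamed
// console-output feed. Illustrative only; event names and sample chunks are
// constructed, not taken from Hotcell's HTTP API.

#[derive(Debug, Clone, PartialEq, Eq)]
pub struct SseEvent {
    pub event: String,
    pub data: String,
    pub id: Option<String>,
}

#[derive(Default)]
pub struct SseParser {
    buf: String,        // bytes received but not yet forming a complete line
    event: String,      // pending "event:" field
    data: Vec<String>,  // pending "data:" lines (joined with '\n' on dispatch)
    id: Option<String>, // last event id; per the SSE spec it persists across events
}

impl SseParser {
    pub fn new() -> Self {
        Self::default()
    }

    /// Feed a chunk as it arrives from the network; returns every event
    /// completed by this chunk. Partial trailing lines stay buffered.
    pub fn feed(&mut self, chunk: &str) -> Vec<SseEvent> {
        self.buf.push_str(chunk);
        let mut out = Vec::new();
        while let Some(pos) = self.buf.find('\n') {
            let line = self.buf[..pos].trim_end_matches('\r').to_string();
            self.buf.replace_range(..=pos, "");
            if let Some(ev) = self.handle_line(&line) {
                out.push(ev);
            }
        }
        out
    }

    fn handle_line(&mut self, line: &str) -> Option<SseEvent> {
        if line.is_empty() {
            // A blank line dispatches the buffered event, if it carries data.
            if self.data.is_empty() {
                self.event.clear();
                return None;
            }
            let ev = SseEvent {
                event: if self.event.is_empty() { "message".to_string() } else { self.event.clone() },
                data: self.data.join("\n"),
                id: self.id.clone(),
            };
            self.event.clear();
            self.data.clear();
            return Some(ev);
        }
        if line.starts_with(':') {
            return None; // comment line, commonly used as a keep-alive
        }
        // Split "field: value"; a single leading space after the colon is dropped.
        let (field, value) = match line.find(':') {
            Some(i) => (&line[..i], line[i + 1..].strip_prefix(' ').unwrap_or(&line[i + 1..])),
            None => (line, ""),
        };
        match field {
            "event" => self.event = value.to_string(),
            "data" => self.data.push(value.to_string()),
            "id" => self.id = Some(value.to_string()),
            _ => {} // "retry" and unknown fields are ignored in this example
        }
        None
    }
}

/// Constructed sample: console output arriving in chunks that split a line,
/// split an event, and include a keep-alive comment and a multi-line payload.
pub fn demo() -> Vec<SseEvent> {
    let chunks = [
        ": keep-alive\n",
        "event: stdout\ndata: hello from",
        " a VM\n\nevent: stdout\nid: 2\ndata: line one\ndata: line two\n\n",
        "event: exit\ndata: 0\n",
        "\n",
    ];
    let mut parser = SseParser::new();
    let mut events = Vec::new();
    for chunk in chunks {
        events.extend(parser.feed(chunk));
    }
    events
}

fn main() {
    for ev in demo() {
        println!("{:?}", ev);
    }
}
```

The parser only acts on complete lines and only dispatches on a blank line, so a chunk boundary can land anywhere in the stream without corrupting output; the `demo` feed yields three events, the second of which carries two joined `data` lines.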
Pluggable Backends
Choose your VMM per-request. libkrun for macOS + Linux with virtiofs and TSI networking. Firecracker for stronger Linux isolation with ext4 block devices.
Dual-Platform
macOS (Apple Silicon via Hypervisor.framework) and Linux (x86_64/aarch64 via KVM). Native hypervisors for zero-overhead performance.
Ready to try Hotcell?
Hotcell is a Rust library and HTTP server for running code in hardware-isolated VMs. Two pluggable VMM backends, real-time streaming, and a defense-in-depth security model with 127+ tests.