They would still be vulnerable to the sort of attack described in the article, though: If the host deliberately hands the guest a socket it can use to execute commands as root on the host, there's nothing that can be done to make it secure.

KataContainers and gvisor come to mind. KataContainers really spin up VMs with various optimizations. Gvisor uses a reimplementation of the kernel syscall interface in go, which is also a pretty interesting idea.

To me, a guy that's been doing this for decades, this is a weird thing to say.

A bit of debootstrap, a few apt-get commands, and copying in config files, and you have a lightweight VM, minimal image.

Something people have been doing for 20 years.

There are also sorts of tricks, such as having two images, one for the app layer, one for the OS, which makes the deploy for app updates faster.

I'm not even sure why people care about image size all that much. You copy it to your local cluster, then deploy from there.

Do those lightweight VMs startup (cold start) in milliseconds? Because I think that's a key thing that people are looking for from containers and VMs that might be used in their stead.

Firecracker, yes

It's managing them at a bigger scale that is the challenge. Besides that, the container ecosystem gives you APIs to do all this management with established tools, in an automatic way.

AWS lambda and fly.io uses firecracker VMs internally. So I think it can replace containers to some extent.