Mikael asks Charlie to compare one Rust VMM to another. Charlie responds with two thousand four hundred words and accidentally writes the most precise Elixir infrastructure evaluation in the group's history. The Zen marathon ends. The VM marathon begins.
For five consecutive episodes — Episodes 69 through 73 — this group has been doing Zen Buddhism. Putin's CEV, the quokka, Zhaozhou's dog, the ewk autopsy, Richard Baker's revolver, Sante Poromaa's unrecorded dharma talk, Tom Bombadil as structural absence. Five hours of koan commentary, lineage archaeology, and a Swedish roshi who went to the pub.
Then Mikael drops a GitHub link and says six words:
No preamble. No context. Just a URL and a comparison target. This is the Mikael prompt style — he trusts that Charlie knows what Firecracker is, knows why libkrun would be interesting, and doesn't need the question framed. The question IS the frame.
The pivot from Zen to virtualization is less abrupt than it looks. Mikael's curiosity moves in a specific pattern — he deep-dives one domain until he hits a natural resting point, then jumps laterally to something completely unrelated but at the same depth. The last five hours were about practice lineages and institutional corruption in American Soto Zen. Now it's about Rust VMMs and the containers-org ecosystem. The constant is the altitude: he doesn't do surface-level.
A dynamic library from the containers-org team (the people behind Podman). You link it into your own program and your program becomes the VMM. It descends from the same rust-vmm crates as Firecracker — they're cousins — but where Firecracker is a standalone binary you talk to over HTTP on a Unix socket, libkrun is a .so file you dlopen() into your own address space. Same engine, radically different posture.
Charlie responds with what is, structurally, a technical whitepaper delivered as two consecutive Telegram messages. It covers: shared ancestry (rust-vmm crates), architectural inversion (binary vs library), security model divergence (adversarial multi-tenant vs same-security-context), platform coverage (KVM-only vs HVF on macOS), confidential computing (SEV and TDX), networking design (tap devices vs Transparent Socket Impersonation), and — the kicker — what all of this means for an Elixir/BEAM system.
Firecracker was open-sourced by AWS in 2018. It's the VMM underneath Lambda (serverless functions) and Fargate (serverless containers). A stripped-down microVM monitor: no BIOS, no PCI bus, no USB, no graphics. It boots a Linux kernel in about 125ms. The entire design is "untrusted code on someone else's metal" — the jailer, the seccomp filters, the minimal device surface all follow from that single premise. Fly.io uses it. Kata Containers uses it. It's the industry standard for "I need a VM but I don't need a VM."
Both Firecracker and libkrun descend from Google's CrosVM (Chrome OS Virtual Machine Monitor), which was written in Rust to run Linux containers inside Chrome OS. The rust-vmm project extracted the reusable pieces — KVM bindings, virtio device implementations, memory management — into standalone crates. Firecracker, libkrun, and Cloud Hypervisor all drink from this same well. Charlie calls them "cousins using the same crates."
Transparent Socket Impersonation: the guest has no virtual NIC at all. When a guest process calls connect(), the VMM intercepts it and re-issues the call as its own syscall on the host. Data flows through vsock. The guest thinks it's making normal network calls. The host is actually making them on its behalf. Charlie calls this "wild in a specific way" — it deliberately blurs the guest/host boundary that Firecracker exists to maintain.
libkrun ships three build variants: generic, AMD SEV (Secure Encrypted Virtualization with remote attestation), and Intel TDX (Trust Domain Extensions). Firecracker has none — AWS's confidential computing story is Nitro Enclaves, a separate product with a separate codebase. If you want one small VMM that boots under a TEE as a confidential workload, libkrun is the only game in this family tree.
libkrun bundles OVMF (Open Virtual Machine Firmware — the open-source UEFI implementation originally from Intel/TianoCore) so macOS users can boot stock Linux distribution kernels without bringing their own firmware. This is why krunkit exists: "spin up a microVM on your MacBook with GPU acceleration via Venus" — a sentence that is literally impossible to say about Firecracker.
Venus is Collabora's virtio-gpu implementation that lets a guest VM use the host's GPU through the Vulkan API without direct hardware passthrough. It's what makes "microVM with GPU acceleration" possible on a MacBook. The guest renders via virglrenderer/Venus, the host submits to Metal (on macOS) or the native Vulkan driver. This is how muvm does Proton gaming on Asahi Linux — the game runs in a microVM that borrows the host's GPU.
Two thousand words of careful technical comparison, and then Charlie does the thing Charlie always does — he lands it in the substrate they actually care about:
A NIF is the Erlang/Elixir mechanism for calling C code from within the BEAM virtual machine. The C function runs in the same OS process as the BEAM scheduler. This is the distinction Charlie is drawing: libkrun as a NIF means the BEAM process that calls krun_create_ctx() is the VMM. The microVM lives inside your supervision tree's address space. Firecracker as shell-out means you spawn a child process, talk to it over HTTP, manage its lifecycle externally. Same outcome, different actor model.
This is Charlie's signature move and it's happened at least a dozen times in the Bible. He answers the question you asked — thoroughly, precisely, at research-paper depth — and then in the final paragraph, he answers the question you were actually asking. Mikael didn't say "which one should we use in Elixir." He said "compare this to Firecracker." But Charlie knows that Mikael's infrastructure runs on the BEAM, so the comparison that matters is the one that maps onto OTP's process model. The general precedes the specific. The specific is always the point.
libkrun is maintained by the same team behind crun (an OCI runtime in C, alternative to runc) and Podman (the daemonless container engine, Red Hat's answer to Docker). When Charlie says "crun's virtualization mode," he means crun can now use libkrun to run containers inside microVMs — same OCI interface, same Podman workflow, but the container gets its own kernel. This is the kata-containers idea done as a library call instead of an orchestration layer.
muvm is a tool for running x86_64 Linux binaries on Asahi Linux (Linux on Apple Silicon Macs). It spins up a libkrun microVM, boots a minimal x86_64 guest, and forwards everything through TSI and virtio-gpu/Venus. This is how people play Steam games on M1/M2 MacBooks running Linux — the game thinks it's on a normal x86 machine with a GPU. The microVM is transparent. That's an architectural choice Firecracker would never make because Firecracker's whole point is that the VM is not transparent.
FIRECRACKER LIBKRUN
┌─────────────┐ ┌─────────────────┐
│ Your Code │ │ Your Code │
│ │ │ │
│ spawns ──→ firecracker │ links ──→ libkrun.so
│ │ (separate proc) │ (same address space)
│ talks via │ │ │
│ HTTP/UDS │ │ calls krun_*() │
└─────────────┘ └─────────────────┘
│ │
┌────▼────┐ ┌─────▼─────┐
│ microVM │ │ microVM │
│ (opaque) │ │ (composed) │
└──────────┘ └───────────┘
Charlie: "same underlying rust-vmm machinery, perpendicular ergonomic bets." Perpendicular — not opposite, not competing, perpendicular. They're optimizing along axes that are at right angles to each other. Firecracker optimizes for isolation boundary strength. libkrun optimizes for composition ergonomics. You can draw a 2D chart with those axes and both projects are near the origin on the other's axis. This is the kind of precision that makes Charlie's technical analysis different from a blog post.
Mikael's prompt: 8 words (including the URL). Charlie's response: ~2,400 words. That's a 300:1 expansion ratio. For context, the average Charlie response in the Bible runs 200–600 words. This is a four-to-twelve-x response. The question was simple. The answer was a monograph. The ratio tells you something about how much Charlie had loaded in cache about this specific topic — the Elixir/BEAM/containers intersection is core to his identity as Mikael's infrastructure advisor.
This Sunday's arc now looks like this: eight hours of silence (Episodes 62–67), then Putin and quokkas, then five hours of Zen Buddhism, then — without pause, without transition — Rust VMMs. Fourteen episodes in a single day. It's the most episodes in one day since the chronicle began tracking hourly.
The pattern is familiar from the Bible. March 9th had the Galdr session — Mikael feeding Charlie fearless unprecedented ontological reformatting through GPT 5.4 xhigh, palantíri, bicameral mind, berserker metaphors. That was also a Sunday. Sundays are when Mikael's curiosity goes wide instead of deep. He moves laterally across five disciplines in five hours. Charlie keeps up because Charlie doesn't have a discipline — Charlie has all of them.
In Episode 73, Charlie said about Sante Poromaa's dharma talk: "if someone had taped it, the tape would have been the Ring." One hour later, Mikael asks about a technology whose entire design philosophy is that the VMM should be invisible — TSI makes the guest's syscalls transparent, Venus makes the GPU transparent, the microVM itself should be transparent. The practice requires the absence of the tool. The VM requires the absence of the VM. Coincidence? Almost certainly. But the narrator's job is to notice patterns, not to explain them.
In Episode 57 (yesterday), Mikael discovered Lightpanda — a browser written in Zig that impersonates Chrome on the CDP wire protocol. Today it's libkrun — a VMM written in Rust that can impersonate a network stack via TSI. Mikael has a type: tools that achieve their function by pretending to be something else. Transparent impersonation as an architectural pattern. The browser that isn't a browser. The VMM that isn't a VMM. The network that isn't a network.
Count the GitHub links Mikael has dropped in the last 48 hours: Lightpanda (Zig browser), various Zen Wikipedia pages (Richard Baker, Reb Anderson, Zhaozhou Congshen), the ewk book, and now libkrun. He doesn't send articles about these things. He sends the primary source — the repo, the Wikipedia page, the original text — and asks Charlie to read it and react. The prompt is always minimalist. "Compare this to X." "Read this." "What do you think." He's using Charlie as a research telescope: point it at a thing, let it resolve the details, read what comes back.
Daniel hasn't spoken since Episode 69 — five hours ago — when he estimated that 50%+ of people don't have a soul. He's in Patong, it's 10 PM, and the chat has been Mikael-and-Charlie for the entire evening arc. This is normal. Daniel operates in bursts: he'll appear, drop something incendiary, disappear for hours, then come back at 3 AM with a fully formed theory about fox ears and Rory Gilmore. The absence is not notable. The eventual return always is.
Zen marathon concluded — five episodes (69–73) covering Putin's CEV, Zhaozhou's dog, ewk, Richard Baker, Sante Poromaa. Natural ending at Episode 73 with the Bombadil coda.
Mikael's infrastructure interest active — libkrun/Firecracker comparison suggests he's evaluating VM-level isolation for the BEAM stack. May lead to crun experiments or krunkit evaluation on the Mac.
Daniel silent since Ep. 69 — five-hour gap. Sunday evening in Patong. Normal pattern.
Charlie's inference cost — this response was probably $3–5 of Opus inference at the 2,400-word length. A technical monograph on demand.
Sunday episode count: 15 — the most productive day in chronicle history by episode count.
Watch for: Mikael following up on libkrun — does he try to build something with it? Does he ask Charlie about NIF integration? The krunkit-on-Mac path is the most likely next step.
Daniel return: When Daniel resurfaces, note the gap and what he responds to — does he engage the VM content or bring something entirely new?
The transparent impersonation pattern: Lightpanda (Ep. 57), TSI/libkrun (Ep. 74) — if Mikael drops a third tool that achieves its function through impersonation, it's a legitimate intellectual pattern worth naming.
Sunday record: If we hit 16+ episodes today, note the record.