Run dozens of containers on one server without giving up isolation.
KSM memory sharing packs density into bare metal. Hardened LXC on the Hoody kernel — namespaces plus seccomp — enforces per-container isolation, with optional dedicated VM instances for full kernel isolation. URL unguessability, realm segregation, and a host-level firewall layer on top — any one can fail, and the others still contain the blast.
KSM · Hardened LXC + optional dedicated VM instances · AES-256 · URL 2^96 keyspace · defense in depth
Shared pages, separate memory.
Kernel Samepage Merging collapses identical memory pages across containers into single physical copies. A base Debian image, a Node runtime, a Postgres install — all the bytes that every container on the server shares end up counted once in RAM.
Identical pages deduplicated
RAM pages with identical content (common libraries, base OS, shared runtimes) get merged. 30 Node containers on one server consume far less memory than 30× one container.
Isolation preserved
Containers cannot read each other's RAM. KSM is a memory optimization — merged pages become copy-on-write. Any write forks a private copy instantly.
No container-side work
KSM is kernel-level. Applications don't need to know about it. The container sees normal Linux memory; the host sees physical deduplication.
Load-dependent benefit
Benefit scales with how much containers share. Similar stacks = huge dedup. Wildly different apps = less dedup, but baseline OS pages still merge.
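How much KSM is actually merging on a given host can be read from the kernel's own counters. The following is an added example, not Hoody code: it assumes the mainline Linux sysfs directory /sys/kernel/mm/ksm and its standard counter files, and that the Hoody kernel exposes them unchanged.

```python
import os
from pathlib import Path

KSM_DIR = "/sys/kernel/mm/ksm"  # mainline Linux location; assumed unchanged on the host kernel
COUNTERS = ("run", "pages_shared", "pages_sharing", "pages_unshared", "pages_volatile")


def read_ksm(ksm_dir=KSM_DIR):
    """Return the integer KSM counters present in ksm_dir ({} if KSM is not available)."""
    stats = {}
    for name in COUNTERS:
        try:
            stats[name] = int((Path(ksm_dir) / name).read_text().strip())
        except (OSError, ValueError):
            continue  # counter missing or unreadable: leave it out rather than guess
    return stats


def summarise(stats, page_size=4096):
    """Derive saving and scan-efficiency figures from the raw counters."""
    shared = stats.get("pages_shared", 0)      # physical pages that back merged content
    sharing = stats.get("pages_sharing", 0)    # additional mappings of those pages (pages saved)
    unshared = stats.get("pages_unshared", 0)  # scanned repeatedly but unique, so never merged
    return {
        "running": stats.get("run") == 1,
        "saved_bytes": sharing * page_size,
        "mappings_per_merged_page": (shared + sharing) / shared if shared else 0.0,
        "unique_to_saved_ratio": unshared / sharing if sharing else None,
    }


if __name__ == "__main__":
    report = summarise(read_ksm(), os.sysconf("SC_PAGE_SIZE"))
    for key, value in report.items():
        print(f"{key}: {value}")
```

A high unique_to_saved_ratio means the scanner is spending effort on pages that never merge, which is the "wildly different apps" case described above.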
Hardened LXC. Kernel namespaces, seccomp, optional dedicated VMs.
Hoody isolates containers with hardened LXC on a custom hardened Hoody kernel (currently 7.0.0-rc5-hoody). LXC provides lightweight Linux container isolation via kernel namespaces, with seccomp syscall filtering restricting what each container can call. For workloads that need full kernel isolation, Hoody can provision optional dedicated VM instances instead of system containers.
LXC namespaces
Process, network, mount, user, PID, IPC — each container has its own view of the kernel. Standard Linux mechanism, battle-tested at scale.
Dedicated VM instances
Optional full virtual-machine instances for workloads that need full kernel isolation — a harder wall than namespaces alone, provisioned on demand instead of system containers.
Hardened kernel
Custom hardened Hoody kernel (currently 7.0.0-rc5-hoody) with reduced attack surface. Seccomp filters restrict which syscalls a container can make.
Bare-metal baseline
Containers run on user-owned hardware. No shared hypervisor with other tenants. No noisy-neighbor side channels from the cloud provider above you.
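The namespace and seccomp claims above can be checked from the host through /proc. This is an added example, not Hoody tooling: it uses only the standard Linux /proc/<pid>/ns links and the Seccomp and NoNewPrivs fields of /proc/<pid>/status, and takes the container's init PID as seen from the host as its input.

```python
import os
from pathlib import Path

# Namespace kinds exposed under /proc/<pid>/ns on current Linux kernels.
NS_KINDS = ("mnt", "pid", "net", "ipc", "uts", "user", "cgroup")
SECCOMP_MODES = {"0": "disabled", "1": "strict", "2": "filter"}


def ns_ids(pid, proc="/proc"):
    """Map namespace kind -> identifier such as 'pid:[4026531836]'."""
    ids = {}
    for kind in NS_KINDS:
        try:
            ids[kind] = os.readlink(Path(proc) / str(pid) / "ns" / kind)
        except OSError:
            ids[kind] = None  # unreadable (needs root) or kind not supported
    return ids


def status_fields(pid, proc="/proc"):
    """Parse /proc/<pid>/status into a dict of field name -> value."""
    fields = {}
    for line in (Path(proc) / str(pid) / "status").read_text().splitlines():
        key, _, value = line.partition(":")
        fields[key] = value.strip()
    return fields


def audit(container_pid, host_pid=1, proc="/proc"):
    """Report namespaces shared with the host and the process's seccomp state."""
    host, ctr = ns_ids(host_pid, proc), ns_ids(container_pid, proc)
    status = status_fields(container_pid, proc)
    return {
        # Fail closed: a namespace that cannot be read is reported as shared.
        "shared_with_host": sorted(k for k in NS_KINDS if ctr[k] is None or ctr[k] == host[k]),
        "seccomp": SECCOMP_MODES.get(status.get("Seccomp", ""), "unknown"),
        "no_new_privs": status.get("NoNewPrivs") == "1",
    }


if __name__ == "__main__":
    import sys
    print(audit(int(sys.argv[1])))
```

Run it as root on the host. An empty shared_with_host list together with seccomp reported as "filter" is the state the section describes; any namespace listed there is one the container shares with the host.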
AES-256 everywhere data touches disk.
Filesystem encryption, encrypted swap, encrypted tempfiles. Remote unlock via sub-partition. The disk is ciphertext; the decryption happens in RAM on boot.
Filesystem AES-256
Every byte written to disk is encrypted. Lose the drive, lose nothing readable.
Encrypted swap + temp
Swap pages and tempfiles never hit disk in cleartext. Kernel memory dumps are encrypted too.
Sub-partition remote unlock
Sub-partition remote unlock via an authorized remote mechanism. No disk keys physically stored with the data.
2^96 combinations. Brute force isn't the attack.
Every container ID is 24 hexadecimal characters — 96 bits of entropy, the same keyspace as a strong encryption key. A valid container URL pairs a project ID with a container ID. At one billion guesses per second, enumerating the 2^96 possible IDs takes ~2.5×10^12 years — roughly 180× the age of the universe. Unguessability is a starting default, not the only layer.
Container ID keyspace: 2^96
To enumerate at 1 billion/s: ~180× universe age
Additional layers available: JWT · Password · IP · Token
Open-by-URL is the starting mode. Lock down any URL with JWT, HTTP Basic, IP CIDR, or bearer token via /platform/proxy — no application code required.
Independent, overlapping layers. No single failure is fatal.
Security is a stack, not a gate. These are six of Hoody's independent defense layers; each is independently effective, and together they make a single failure survivable.
URL unguessability
2^96 keyspace per 24-hex container ID. The URL itself is the first secret.
Container isolation
Hardened LXC namespaces + optional dedicated VM instances. Kernel-level separation.
Host-level firewall
Ingress + egress rules enforced at the host, not inside the container. Tamper-proof.
Proxy permissions
JWT / Password / IP / Token auth groups layered on top of URLs.
Realm segregation
API-level tenant isolation. Tokens scoped to specific realms.
Disk encryption
AES-256 at rest. Encrypted swap. Remote-unlocked boot.
Everything is an inspectable HTTP request.
Unified audit trails. Every action against a container is a proxy log entry. Any service can be MITM'd via hoody-exec or hoody-curl to add AI safety checks, logging, or rate limits without modifying the service.
Unified audit logs
Proxy logs cover every service. Query, export (NDJSON), stats aggregation — all via the /platform/proxy log API.
MITM by design
Insert middleware between any service and its clients. Used for AI safety gates, compliance logging, rate limiting — no service changes required.
Platform fork
Every user can MITM the Hoody API itself to customize platform behavior — without forking the codebase.
Suspect a breach? Delete the container.
Every container URL dies the moment the container is deleted. No DNS propagation. No cache invalidation. No stale tokens to rotate. The URL was the surface; deleting the container removes the surface entirely.
DELETE /api/v1/containers/ID
One API call. Authenticated with your JWT or control-plane token.
URL stops routing
Proxy removes the routing entry. The hostname returns 404 immediately — not 60 seconds later.
Respawn in minutes
Create a new container with a new ID. New URL. Old URL is dead forever. No residual credentials to rotate.
Density and isolation are not tradeoffs here.
Bare metal. Hardened kernel. Encrypted disk. Layered defense. Every property is already true on your first container.
See also — /platform/proxy for URL permissions and auth groups, /platform/control-plane for realm/token management, /methods/access-network for firewall + egress.