The first time I got a Firecracker VM to boot and respond to a vsock ping from the host, I sat there grinning like an idiot. Typed a command on my machine, it reached through a kernel-level socket into a completely separate Linux system with its own kernel, and got a reply. Under a second. That was about 30 hours into the project. The previous 29 were mostly fighting with rootfs images and iptables rules.

Part 1 covered why I built this — Firecracker MicroVMs for running Claude Code in full-permission isolation. This post is the actual build: rootfs, networking, the guest agent, and the streaming pipeline.

Building the rootfs

A Firecracker VM needs two things: an uncompressed Linux kernel (vmlinux, not bzImage — there's no bootloader) and an ext4 filesystem image to use as the root disk. The kernel is straightforward — grab a prebuilt 6.1 LTS vmlinux. The rootfs took more work. It's a standard ext4 image with Debian Bookworm, and it needs everything Claude Code might want: Node.js 24,…
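To make the two requirements above concrete, here is an added example (my own script, not the author's build tooling) that stages a Debian Bookworm ext4 root disk with debootstrap, checks that the kernel file really is an uncompressed ELF vmlinux rather than a bzImage, and writes the JSON config Firecracker takes via --config-file. Image size, paths, CPU and memory counts, the guest CID and the package list are placeholders I chose; the rootfs build step needs root, debootstrap and network access, so it only runs when the script is invoked with the argument "build".

```shell
#!/bin/sh
# Added example: stage a Firecracker rootfs and machine config.
# Assumptions (not from the original post): debootstrap, mkfs.ext4 and root
# privileges are available for build_rootfs; all paths/sizes are placeholders.
set -eu

# Firecracker loads an uncompressed ELF vmlinux directly (no bootloader).
# A bzImage begins with a real-mode boot sector, not an ELF header, so
# checking the first four bytes catches the wrong artifact before boot.
is_elf_kernel() {
  magic=$(head -c 4 "$1" | od -An -tx1 | tr -d ' \n')
  [ "$magic" = "7f454c46" ]   # 0x7f 'E' 'L' 'F'
}

# Create a sparse ext4 image and populate it with Debian Bookworm.
# Further guest tooling (Node.js 24 etc.) is installed afterwards via chroot;
# that part is left to the reader because it depends on the tooling chosen.
build_rootfs() {
  img=$1
  size_mib=$2
  mnt=$(mktemp -d)
  truncate -s "${size_mib}M" "$img"        # sparse file, grows as written
  mkfs.ext4 -q -F "$img"
  mount -o loop "$img" "$mnt"
  debootstrap --include=openssh-server,curl,ca-certificates \
    bookworm "$mnt" http://deb.debian.org/debian
  umount "$mnt"
  rmdir "$mnt"
}

# Emit the Firecracker JSON config: kernel, root drive, sizing and the
# vsock device the host-to-guest ping in the post travels over.
# guest_cid 3 and the uds_path are placeholder values.
write_vm_config() {
  kernel=$1
  rootfs=$2
  out=$3
  cat > "$out" <<EOF
{
  "boot-source": {
    "kernel_image_path": "$kernel",
    "boot_args": "console=ttyS0 reboot=k panic=1 pci=off root=/dev/vda rw"
  },
  "drives": [
    {
      "drive_id": "rootfs",
      "path_on_host": "$rootfs",
      "is_root_device": true,
      "is_read_only": false
    }
  ],
  "machine-config": { "vcpu_count": 2, "mem_size_mib": 2048 },
  "vsock": { "guest_cid": 3, "uds_path": "/tmp/firecracker.vsock" }
}
EOF
}

# Only perform the privileged, network-dependent build when asked to.
if [ "${1:-}" = "build" ]; then
  is_elf_kernel ./vmlinux || { echo "vmlinux is not an ELF image" >&2; exit 1; }
  build_rootfs ./rootfs.ext4 4096
  write_vm_config "$(pwd)/vmlinux" "$(pwd)/rootfs.ext4" ./vm-config.json
  echo "run: firecracker --api-sock /tmp/firecracker.sock --config-file ./vm-config.json"
fi
```

The vsock entry is what lets the host reach the guest later: Firecracker exposes it on the host as the Unix socket named in uds_path, and the guest sees CID 3, so the kernel-level socket the post mentions needs nothing more than this stanza and a listener inside the guest.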