Flocks names what it actually enforces. There are three isolation classes; each has a precise threat model.
| Class | OS support | Useful for | Hostile-multi-tenant? |
|---|---|---|---|
| Process | Everywhere | Dev, single-tenant private mesh | No |
| Jail | Linux (cgroups + namespaces) | Trusted-team private mesh | Partial |
| MicroVM | Linux (Firecracker) | Platform mode, paying tenants | Yes |

The roost picks the strongest class the host supports and refuses to run if the requested floor isn’t met. There is no fallback that silently lowers the trust posture.

What each class actually does

Process

The agent runs as a child process with its own PID, with nice / ulimit applied. The kernel + filesystem are shared. Adequate for dev, lightweight private meshes, and any deployment where every workload is run by the same operator.

Jail

cgroups v2 limit CPU + memory; PID, net, mount, and IPC namespaces isolate the agent from other workloads on the same roost. Suitable for trusted teams; not an answer to hostile multi-tenancy.

MicroVM

A Firecracker microVM per workload. Hardware-virtualised KVM boundary; ephemeral rootfs; no shared kernel. This is the threshold for paying tenants on shared roosts.
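
The selection rule stated at the top of this page (pick the strongest class the host supports, refuse to run below the requested floor) can be sketched as follows. This is an added example, not Flocks code: the names `Isolation`, `FloorNotMet`, `probe_host` and `select_class` are hypothetical, and the probes (cgroup v2 unified hierarchy, PID namespace entry, a usable `/dev/kvm`) are assumptions about how a host could be checked.

```python
import enum
import os
import sys


class Isolation(enum.IntEnum):
    """Ordered weakest to strongest, following the table on this page."""
    PROCESS = 1
    JAIL = 2
    MICROVM = 3


class FloorNotMet(RuntimeError):
    """Raised instead of downgrading when the host cannot meet the floor."""


def probe_host(platform=sys.platform, exists=os.path.exists, access=os.access):
    """Return the set of classes this host can enforce (assumed probes)."""
    supported = {Isolation.PROCESS}  # Process: supported everywhere
    if not platform.startswith("linux"):
        return supported
    # Jail: cgroups v2 (unified hierarchy exposes cgroup.controllers) + namespaces.
    if exists("/sys/fs/cgroup/cgroup.controllers") and exists("/proc/self/ns/pid"):
        supported.add(Isolation.JAIL)
    # MicroVM: Firecracker needs read/write access to /dev/kvm.
    if exists("/dev/kvm") and access("/dev/kvm", os.R_OK | os.W_OK):
        supported.add(Isolation.MICROVM)
    return supported


def select_class(floor, supported):
    """Pick the strongest supported class; fail closed below the floor."""
    best = max(supported)
    if best < floor:
        # No silent fallback: refusing to start is the only safe outcome.
        raise FloorNotMet(
            f"floor {floor.name} requested, host offers at most {best.name}")
    return best


if __name__ == "__main__":
    host = probe_host()
    print("host supports:", sorted(c.name for c in host))
    print("selected:", select_class(Isolation.PROCESS, host).name)
```
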