Pack a Linux app into one signed archive. Push it to a registry. Pull it on any server and it comes up as a sandboxed systemd service — no image to build, no operating system to bundle, no daemon left running.
Why niso
Every part of niso uses the primitives Linux already ships. No background runtime to upgrade, no orchestrator to babysit, no opaque image layers to rebuild. Just packages, registries, and systemd.
Manifest-first
Entrypoint, runtime, ports, mounts, health probe, isolation preset — packed into one signed artifact. No Dockerfile, no compose drift, no hidden state.
[package]
name = "my-api"
version = "2.4.0"
[runtime]
use = "nodejs:20"
[healthcheck]
http = "http://127.0.0.1:8080/health"
[isolation]
preset = "server"
[isolation.resources]
memory_max = "512M"
Isolation
Each service runs in its own namespace with capability drops, syscall filters and resource caps generated from a single preset.
Footprint
Compressed, deduplicated, content-addressed. Pull a service in under a second on a cold cache.
Fleet
Canary → wave → confirm. Automatic rollback on health-check failure. State stored as plain files; rollback is a symlink swap.
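What "rollback is a symlink swap" can look like in practice, as an added example that is not niso's own code. The `releases/`, `current` and `previous` layout and the function names are assumptions made for illustration.

```shell
#!/bin/sh
# Illustrative layout (assumed, not niso's):
#   $root/releases/<version>/   unpacked package
#   $root/current -> releases/<version>
#   $root/previous              target that current had before the last swap

# Atomically repoint $root/current at a release and remember the old target.
activate() {
    root=$1 version=$2
    [ -d "$root/releases/$version" ] || return 1
    if [ -L "$root/current" ]; then
        readlink "$root/current" > "$root/previous.tmp" &&
            mv -f "$root/previous.tmp" "$root/previous"
    fi
    # ln -sfn unlinks and recreates, leaving a moment with no link at all.
    # Creating the link under a temporary name and renaming it over the old
    # one is a single rename(2), so readers see either the old or new target.
    ln -s "releases/$version" "$root/current.new.$$" &&
        mv -Tf "$root/current.new.$$" "$root/current"
}

# Point $root/current back at the recorded previous release.
rollback() {
    root=$1
    [ -s "$root/previous" ] || return 1
    prev=$(cat "$root/previous")
    [ -d "$root/$prev" ] || return 1
    ln -s "$prev" "$root/current.new.$$" &&
        mv -Tf "$root/current.new.$$" "$root/current"
}

# Activate a release, run the caller-supplied health probe, and roll back
# if the probe fails. Returns 0 healthy, 1 not activated, 2 rolled back.
deploy() {
    root=$1 version=$2; shift 2
    activate "$root" "$version" || return 1
    if "$@"; then return 0; fi
    rollback "$root"
    return 2
}

# Constructed demo: two empty releases, the second fails its probe.
demo=$(mktemp -d)
mkdir -p "$demo/releases/2.3.9" "$demo/releases/2.4.0"
activate "$demo" 2.3.9
deploy "$demo" 2.4.0 false || echo "probe failed, current -> $(readlink "$demo/current")"
rm -rf "$demo"
```

`mv -T` is the GNU coreutils flag that stops `mv` from descending into the directory the old link points to; the probe passed to `deploy` can be any command, such as an HTTP check against the manifest's health URL.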
Signed by default
Every package is signed by its publisher. Servers refuse to activate anything that doesn’t verify against a trusted key — no opt-in needed.
ed25519:8f3a4c9b1e2d5a07…b9f4e1
grundlabs · trusted on 1,247 hosts
Operational profile
Numbers measured on a 4 vCPU / 8 GB Debian 12 host running the official niso packages for postgres, redis and node — see methodology.
Average package size
vs. 240 MB Docker slim · 28× smaller
Activation overhead
systemd unit start to TCP listening
Background daemons
no service mesh, no shim, no broker
Stock kernel features
namespaces · cgroups v2 · seccomp · LSM
niso vs. Docker
niso doesn’t replace containers — it replaces the runtime around them. Linux already supplies the isolation primitives; niso just packages, signs and supervises.
Docker numbers measured against postgres:16-alpine on the same host. Docker and the Docker logo are trademarks of Docker, Inc. niso is not affiliated with or endorsed by Docker, Inc.
Architecture
A package is a signed archive. A registry stores them. A CLI fetches and activates them. systemd runs them. There is no orchestrator-of-orchestrators — every step is a file or a unit you can read, copy and audit.
/run/niso/services.json.
journalctl -u 'niso-*'.
Release notes
One short email when a milestone version ships. No marketing, no drip sequence — you can unsubscribe with a single click.
Ready when you are
Install the CLI on a single host, browse the package catalog, or run the quickstart and have a sandboxed service answering on a port before your next coffee.
Talk to engineering
Air-gapped registries, private signing keys, fleet-wide RBAC, SLA support. We’ll help you migrate one service at a time.
enterprise@grundlabs.com
Catalog
The packages engineering teams pull most often. Every entry is signed, versioned, and scanned before publication.
Node.js 24.15.0 (Krypton LTS)