HeadlinesBriefing.com

Nucleus delivers 12 ms containers with Nix‑native reproducibility

Hacker News

Nucleus is a minimalist container runtime for Linux that replaces a heavyweight Docker‑style engine with direct use of kernel primitives. Each sandbox is isolated with namespaces, cgroups v2, a seccomp syscall filter and Landlock filesystem rules, while a fully declarative Nix model builds the root filesystem and declares the services that run in it. The project ships three modes: a default Agent mode for fast‑starting AI workloads, a Strict Agent mode whose isolation fails closed, and a Production mode for long‑running NixOS services.
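To make the "fails closed" distinction concrete, here is an added example of one of the primitives named above, a seccomp allowlist. It is not Nucleus code and assumes nothing about the project's actual policies: it builds the classic‑BPF program the kernel expects, once with a fail‑closed terminal action (kill the process on any syscall not on the list) and once with a softer one (return EPERM), and includes a small interpreter so the program can be checked offline before it is ever installed. The allowlist, syscall numbers and the x86‑64 architecture check are constructed for the example; the BPF, seccomp and prctl constants are the stable Linux UAPI values, copied in so the file compiles without kernel headers.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <errno.h>

/* Classic-BPF and seccomp constants from the Linux UAPI (stable ABI values). */
#define BPF_LD   0x00
#define BPF_JMP  0x05
#define BPF_RET  0x06
#define BPF_W    0x00
#define BPF_ABS  0x20
#define BPF_JEQ  0x10
#define BPF_K    0x00
#define AUDIT_ARCH_X86_64        0xc000003eU
#define SECCOMP_RET_KILL_PROCESS 0x80000000U
#define SECCOMP_RET_ERRNO        0x00050000U
#define SECCOMP_RET_ALLOW        0x7fff0000U

struct sock_filter { uint16_t code; uint8_t jt; uint8_t jf; uint32_t k; };
/* Layout of the data the kernel hands to the filter on every syscall. */
struct seccomp_data { int32_t nr; uint32_t arch; uint64_t ip; uint64_t args[6]; };

#define MAX_FILTER 64
typedef struct { struct sock_filter insn[MAX_FILTER]; unsigned short len; } filter_t;

static int emit(filter_t *f, uint16_t code, uint8_t jt, uint8_t jf, uint32_t k) {
    if (f->len >= MAX_FILTER) return -1;
    f->insn[f->len++] = (struct sock_filter){ code, jt, jf, k };
    return 0;
}

/* Build an allowlist filter: syscalls in `allowed` get SECCOMP_RET_ALLOW, every
 * other syscall gets `deny`. A fail-closed sandbox passes SECCOMP_RET_KILL_PROCESS;
 * a softer one passes SECCOMP_RET_ERRNO | EPERM. Returns -1 if the list is too long. */
int build_allowlist(filter_t *f, const int *allowed, size_t n, uint32_t deny) {
    f->len = 0;
    emit(f, BPF_LD | BPF_W | BPF_ABS, 0, 0, offsetof(struct seccomp_data, arch));
    emit(f, BPF_JMP | BPF_JEQ | BPF_K, 1, 0, AUDIT_ARCH_X86_64); /* other ABI: kill */
    emit(f, BPF_RET | BPF_K, 0, 0, SECCOMP_RET_KILL_PROCESS);
    emit(f, BPF_LD | BPF_W | BPF_ABS, 0, 0, offsetof(struct seccomp_data, nr));
    for (size_t i = 0; i < n; i++) {
        emit(f, BPF_JMP | BPF_JEQ | BPF_K, 0, 1, (uint32_t)allowed[i]);
        emit(f, BPF_RET | BPF_K, 0, 0, SECCOMP_RET_ALLOW);
    }
    return emit(f, BPF_RET | BPF_K, 0, 0, deny);
}

/* Evaluate a filter the way the kernel would, for offline testing. Only the three
 * opcodes build_allowlist() emits are implemented; anything else fails closed. */
uint32_t run_filter(const filter_t *f, const struct seccomp_data *d) {
    uint32_t A = 0;
    for (unsigned pc = 0; pc < f->len; pc++) {
        const struct sock_filter *i = &f->insn[pc];
        switch (i->code) {
        case BPF_LD | BPF_W | BPF_ABS:
            if (i->k == offsetof(struct seccomp_data, nr)) A = (uint32_t)d->nr;
            else if (i->k == offsetof(struct seccomp_data, arch)) A = d->arch;
            else return SECCOMP_RET_KILL_PROCESS;
            break;
        case BPF_JMP | BPF_JEQ | BPF_K:
            pc += (A == i->k) ? i->jt : i->jf; /* offsets are relative to next insn */
            break;
        case BPF_RET | BPF_K:
            return i->k;
        default:
            return SECCOMP_RET_KILL_PROCESS;
        }
    }
    return SECCOMP_RET_KILL_PROCESS; /* ran off the end: fail closed */
}

#ifdef __linux__
#include <sys/prctl.h>
/* Install the filter in the calling thread. PR_SET_NO_NEW_PRIVS is required for an
 * unprivileged process and also stops setuid binaries from escaping the filter. */
int install_filter(filter_t *f) {
    struct { unsigned short len; struct sock_filter *filter; } prog = { f->len, f->insn };
    if (prctl(38 /* PR_SET_NO_NEW_PRIVS */, 1, 0, 0, 0) != 0) return -1;
    return prctl(22 /* PR_SET_SECCOMP */, 2 /* SECCOMP_MODE_FILTER */, &prog, 0, 0);
}
#endif

int main(void) {
    /* Constructed allowlist for a worker that may only read, write and exit (x86-64 numbers). */
    const int allowed[] = { 0 /* read */, 1 /* write */, 60 /* exit */, 231 /* exit_group */ };
    filter_t strict, soft;
    build_allowlist(&strict, allowed, 4, SECCOMP_RET_KILL_PROCESS);
    build_allowlist(&soft, allowed, 4, SECCOMP_RET_ERRNO | EPERM);
    struct seccomp_data call_openat = { .nr = 257 /* openat */, .arch = AUDIT_ARCH_X86_64 };
    printf("openat, fail-closed filter: %#x\n", run_filter(&strict, &call_openat));
    printf("openat, errno filter:       %#x\n", run_filter(&soft, &call_openat));
    return 0;
}
```

The architecture check at the top of the program is the part people forget: without it a process can switch ABI (for example via the 32‑bit entry point) and reach syscall numbers the allowlist never meant to permit, which is why the example kills rather than returns an error on a mismatch. The interpreter is only there to unit‑test policies; the real enforcement is `install_filter()`, after which every thread that inherits the filter is subject to it.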

Cold‑start measurements show a 12 ms launch time, against roughly 500 ms for Docker on the same host. In a PostgreSQL pgbench run, Nucleus kept throughput within a few percent of bare metal and occasionally edged past it in read‑heavy scenarios, with transaction latency under 0.1 ms in both the worker and io_uring configurations. The benchmarks, run on Linux 6.18, measure the steady‑state cost of the kernel isolation primitives themselves, not the overhead of a VM or of gVisor's emulated kernel.

Nucleus's deep Nix integration means each root filesystem is built as a pinned Nix store closure, so builds are reproducible and auditable; per‑service security policies are written separately in TOML or JSON. Optional gVisor support adds an application kernel as a further hardening layer, and the runtime can emit OCI bundles for runsc. It is not a Docker drop‑in but a hardened sandbox and single‑host orchestrator.