Per-function containers

Container runtime for serverless functions

Node.js, Python, and Go each ship with dependencies per function inside their own container—a POSIX-friendly filesystem layout without hand-rolling a VM farm for every service.

Last updated: 2026-06-28

Direct answer

Container runtime for serverless functions. Package each function with its own dependencies and let the platform schedule a container per function—no shared interpreter to babysit.

When it fits

  • Conflicting libraries across functions
  • Security-sensitive isolation requirements

Tradeoffs

  • Dedicating a VM to every function is heavy for a small team to operate; containers hit a practical middle ground between density and isolation.
  • A pure PaaS without isolation guarantees pushes all of that risk onto application-level discipline alone.

Shared runtimes leak complexity

When everything runs in one shared interpreter, dependency conflicts and accidental global state eventually become production incidents.

Security reviews also ask harder questions when unrelated tenants or features share a process and its memory.

Why not raw VMs only

Dedicating a VM to every function is heavy for a small team to operate; containers hit a practical middle ground between density and isolation.

A pure PaaS without isolation guarantees pushes all of that risk onto application-level discipline alone.

What the container runtime gives you

Package each function with its own dependencies and let the platform schedule a container per function—no shared interpreter to babysit.

The same container boundary serves gateway HTTP invokes, pipeline lambda steps, and async jobs, so one isolation model covers every entry point.

Engineering benefits

Reproducibility

Deploy artifacts match production more closely than ad hoc hosts, so “works on my machine” gaps shrink.

Blast radius

Failures and leaks stay contained to a single function instance instead of spreading through a shared process.

Polyglot

Mix Node.js, Python, and Go in one workspace and use each language where it excels.

How to ship functions with Inquir’s container runtime

Same per-function containers for gateway invokes, pipeline steps, and async jobs.

1

Author

Declare entrypoints and dependencies per function.

2

Deploy

Ship bundles through the browser or API workflows.

3

Run

Let the scheduler place containers on available capacity.

The container is the dependency boundary

Treat the container as the unit of dependency closure: everything the handler needs ships inside it.

deploy-model.js
// Platform bundles deploy artifacts; you focus on handler + package manifests.

When containers help

When this works

  • Conflicting libraries across functions
  • Security-sensitive isolation requirements

When to skip it

  • Extremely tiny scripts where overhead dominates

FAQ

Can functions read and write local disk?

Treat filesystems inside containers as ephemeral unless your deployment explicitly documents durable volumes; persist user data to external stores.

How does container isolation help security reviews?

Separate processes and file systems per function reduce blast radius compared to one shared interpreter serving unrelated routes.

Does every function need its own container image?

Each function carries its own dependency closure; that trades a bit of overhead for reproducible deploys and fewer “works on the server” surprises.