Stories with Tag KVM

• TinyKVM: Fast sandbox that runs on top of Varnish

  permalink

  Posted: 2025-03-14 02:12:11

  Verbose tl;dr

  TinyKVM leverages KVM virtualization to create an incredibly fast and lightweight sandbox environment specifically designed for Varnish Cache. It allows developers and operators to safely test Varnish Configuration Language (VCL) changes without impacting production systems. By booting a minimal Linux instance with a dedicated Varnish setup within a virtual machine, TinyKVM isolates experiments and ensures that faulty configurations or malicious code can't disrupt the live caching service. This provides a significantly faster and more efficient alternative to traditional testing methods, allowing for rapid iteration and confident deployments.

  The blog post "TinyKVM: Fast sandbox that runs on top of Varnish" introduces a novel sandboxing mechanism called TinyKVM, designed for exceptional speed and efficiency. It leverages the performance characteristics of Varnish, a widely-used high-performance HTTP accelerator, to create a secure and isolated environment for executing untrusted code, specifically Varnish Modules (VMODs).

  Traditional sandboxing methods often rely on techniques like seccomp-bpf and Linux namespaces, which while effective, introduce performance overhead. TinyKVM takes a different approach, utilizing Kernel-based Virtual Machine (KVM) technology, typically associated with full-blown virtual machines, in a highly optimized and minimal fashion. This allows for a much lighter footprint and reduced performance impact compared to traditional methods.

  The post details the meticulous engineering behind TinyKVM, highlighting several key aspects. First, it explains how TinyKVM boots a specifically crafted, minimal Linux kernel within the KVM environment. This kernel is stripped down to the bare essentials needed for running a VMOD, thereby minimizing resource consumption and boot time.

  Second, it describes the careful management of resources within the TinyKVM instance. Memory is tightly controlled, and the virtual disk is kept incredibly small, further contributing to the overall efficiency. The blog post emphasizes the quick startup time of TinyKVM, often measured in milliseconds, making it suitable for dynamic and on-demand sandboxing scenarios.

  Furthermore, the post touches upon the security benefits provided by TinyKVM. By leveraging hardware virtualization, it isolates the executing VMOD within its own virtual machine, effectively preventing any malicious code from impacting the host system or other VMODs. This strong isolation is critical for maintaining the integrity and stability of the Varnish deployment.

  Finally, the post emphasizes the practical applications of TinyKVM in real-world Varnish deployments. It enables developers to create and deploy powerful VMODs with enhanced security guarantees, without sacrificing the performance advantages offered by Varnish. This opens up possibilities for complex and potentially risky VMOD functionalities, while mitigating the associated security concerns. In essence, TinyKVM bridges the gap between performance and security in the context of Varnish modules, providing a fast and robust sandbox for executing untrusted code.

  • TinyKVM
  • Varnish
  • Sandbox
  • Virtualization
  • KVM
  • Security
  • performance
  • Web Application Firewall (WAF)
  • Caching
  • Edge Computing
  • Containerization

  Summary of Comments ( 40 )
  https://news.ycombinator.com/item?id=43358980

  Verbose tl;dr

  HN commenters discuss TinyKVM's speed and simplicity, praising its clever use of Varnish's infrastructure for sandboxing. Some question its practicality and security compared to existing solutions like Firecracker, expressing concerns about potential vulnerabilities stemming from running untrusted code within the Varnish process. Others are interested in its potential applications, particularly for edge computing and serverless functions. The tight integration with Varnish is seen as both a strength and a limitation, raising questions about its general applicability outside of the Varnish ecosystem. Several commenters request benchmarks comparing TinyKVM's performance to other sandboxing technologies.

  The Hacker News post discussing TinyKVM, a fast sandbox running on top of Varnish, has generated a moderate amount of discussion with several interesting points raised.

  One commenter questions the practicality of using TinyKVM for untrusted code execution, emphasizing that full virtualization, while offering stronger isolation, often comes with performance overhead. They suggest exploring alternative sandboxing techniques like seccomp-bpf and Landlock for better performance, albeit with potentially reduced security. Another commenter echoes this sentiment, highlighting the security concerns with nested virtualization and the potential for vulnerabilities within the hypervisor itself to be exploited.

  The discussion delves into the specific use case of TinyKVM within Varnish, with some commenters expressing confusion about its intended purpose. One user questions the benefit of running untrusted code within a caching layer like Varnish, suggesting it might introduce unnecessary complexity and security risks. Another user speculates about potential applications, such as running plugins or extensions within Varnish, but acknowledges the lack of clarity in the blog post regarding the specific motivations and use cases.

  Several commenters express interest in the performance claims made about TinyKVM, with one highlighting the impressive boot times mentioned in the article. However, they also emphasize the importance of further benchmarking and real-world testing to validate these claims.

  The conversation also touches upon the choice of Firecracker as the underlying virtualization technology, with one commenter mentioning its origins within AWS Lambda and its suitability for lightweight virtualization tasks. Another commenter raises the question of alternative sandbox solutions and wonders if there are any compelling reasons to choose TinyKVM over existing options.

  Finally, there are some comments focused on the technical details of TinyKVM, with one commenter inquiring about the feasibility of running graphical applications within the sandbox and another discussing the implications of running the sandbox within a multi-tenant environment.

• Cloud Virtualization: Red Hat, AWS Firecracker, and Ubicloud internals

  permalink

  Posted: 2025-01-24 15:59:23

  Verbose tl;dr

  The blog post explores different virtualization approaches, contrasting Red Hat's traditional KVM-based virtualization with AWS Firecracker's microVM approach and Ubicloud's NanoVMs. KVM, while robust, is deemed resource-intensive. Firecracker, designed for serverless workloads, offers lightweight and secure isolation but lacks features like live migration and GPU access. Ubicloud positions its NanoVMs as a middle ground, leveraging a custom hypervisor and unikernel technology to provide a balance of performance, security, and features, aiming for faster boot times and lower overhead than KVM while supporting a broader range of workloads than Firecracker. The post highlights the trade-offs inherent in each approach and suggests that the "best" solution depends on the specific use case.

  This Ubicloud blog post delves into the intricacies of cloud virtualization, comparing and contrasting different approaches with a focus on Red Hat's KVM-based solution, AWS's Firecracker microVM, and Ubicloud's own container-based virtualization technology. It begins by establishing the fundamental concept of virtualization as abstracting hardware resources to create isolated environments for running applications. The post then emphasizes the evolving landscape of cloud virtualization, moving from traditional, fully virtualized machines to lighter-weight solutions optimized for specific use cases.

  The discussion around Red Hat's virtualization centers on its utilization of Kernel-based Virtual Machine (KVM), a mature and widely adopted hypervisor within the Linux kernel. KVM leverages hardware virtualization extensions, providing near-native performance for guest operating systems. The blog post highlights the robustness and comprehensive feature set of KVM, making it suitable for a broad range of workloads. However, it also acknowledges the overhead associated with managing full virtual machines, particularly regarding boot times and resource consumption.

  Next, the post explores AWS Firecracker, a specialized microVM designed for serverless computing and containerized workloads. Firecracker’s minimalist approach prioritizes speed and security by implementing a highly optimized and stripped-down virtual machine monitor (VMM). This lean design results in significantly faster startup times and reduced resource usage compared to traditional VMs, making it ideal for rapidly scaling serverless functions. The blog post points out that Firecracker leverages KVM for its underlying virtualization capabilities, building upon its proven foundation. It also notes the specific focus of Firecracker on running single applications, aligning it closely with container-based deployments.

  Finally, the post introduces Ubicloud's container-based virtualization technology. This approach leverages Linux containers, specifically LXD, as the core virtualization mechanism. By utilizing containers, Ubicloud aims to achieve even greater efficiency and density compared to microVMs. The blog post emphasizes the near-instantaneous startup times and minimal resource footprint of containers, allowing for highly dynamic and scalable cloud environments. Furthermore, it highlights the integration of LXD with systemd, providing a robust and familiar management framework. The post contrasts this approach with traditional VMs and microVMs, highlighting the trade-offs between performance, isolation, and compatibility. Specifically, it acknowledges that containers, while offering exceptional performance and density, may not provide the same level of isolation as full VMs or even microVMs, depending on the specific configuration and security requirements.

  In conclusion, the blog post provides a comprehensive overview of different virtualization techniques in the cloud, showcasing the evolution from traditional VMs towards more specialized and efficient solutions like microVMs and container-based virtualization. It underscores the importance of choosing the right virtualization technology based on specific workload requirements, balancing performance, security, and manageability. Ubicloud positions its container-based approach as a compelling option for use cases prioritizing speed, density, and simplified management.

  • Cloud Computing
  • Virtualization
  • Cloud Virtualization
  • Red Hat
  • AWS
  • Firecracker
  • Ubicloud
  • MicroVMs
  • Containerization
  • KVM
  • Linux
  • Open Source
  • Cloud Infrastructure
  • IaaS
  • Serverless
  • Cloud Native
  • Private Cloud

  Summary of Comments ( 6 )
  https://news.ycombinator.com/item?id=42814373

  Verbose tl;dr

  HN commenters discuss Ubicloud's blog post about their virtualization technology, comparing it to Firecracker. Some express skepticism about Ubicloud's performance claims, particularly regarding the overhead of their "shim" layer. Others question the need for yet another virtualization technology given existing solutions, wondering about the specific niche Ubicloud fills. There's also discussion of the trade-offs between security and performance in microVMs, and whether the added complexity of Ubicloud's approach is justified. A few commenters express interest in learning more about Ubicloud's internal workings and the technical details of their implementation. The lack of open-sourcing is noted as a barrier to wider adoption and scrutiny.

  The Hacker News post titled "Cloud Virtualization: Red Hat, AWS Firecracker, and Ubicloud internals" has generated a modest number of comments, primarily focusing on the technical aspects of virtualization and containerization. Several commenters engage with the technical details presented in the Ubicloud blog post.

  One commenter points out the benefits of using KVM for virtualization, highlighting its maturity and wide adoption as key advantages. This commenter also mentions that Firecracker leverages KVM, emphasizing that Firecracker isn't a completely new hypervisor but rather builds upon existing, well-established technology. They also draw a comparison between Firecracker and Kata Containers, another virtualization technology focused on lightweight VMs, suggesting that Kata might be a more suitable alternative in some scenarios.

  Another comment thread delves into the differences between containerization and virtualization, with one user questioning the performance implications of virtualization over containerization when used specifically for microservices. This leads to a discussion about the security benefits of virtualization, arguing that the isolation provided by virtual machines offers a stronger security posture compared to containers, especially in multi-tenant environments. This thread further explores the trade-offs between performance and security, suggesting that the choice between containers and virtualization depends heavily on the specific use case and the prioritization of security vs. performance.

  One commenter mentions gVisor as another isolation technology worth considering, positioning it as a more secure alternative to running containers directly on the host kernel. They also touch upon the concept of Unikernels and their potential for enhanced security and performance in cloud environments.

  Finally, a commenter raises the point about the complexity of container runtimes like containerd and CRI-O, highlighting that these tools are not as straightforward as they might initially seem. This comment underscores the challenges involved in managing containerized environments at scale.

  While the discussion doesn't represent a large volume of comments, it offers valuable insights into various aspects of cloud virtualization and containerization, highlighting the trade-offs between different technologies and approaches, and focusing on the practical considerations for implementing these technologies in real-world scenarios.

• Euro-cloud provider Anexia moves 12,000 VMs off VMware to homebrew KVM platform

  permalink

  Posted: 2025-01-13 12:19:15

  Verbose tl;dr

  Austrian cloud provider Anexia has migrated 12,000 virtual machines from VMware to its own internally developed KVM-based platform, saving millions of euros annually in licensing costs. Driven by the desire for greater control, flexibility, and cost savings, Anexia spent three years developing its own orchestration, storage, and networking solutions to underpin the new platform. While acknowledging the complexity and effort involved, the company claims the migration has resulted in improved performance and stability, along with the substantial financial benefits.

  Austrian cloud provider Anexia, in a significant undertaking spanning two years, has migrated 12,000 virtual machines (VMs) from VMware vSphere, a widely-used commercial virtualization platform, to its own internally developed platform based on Kernel-based Virtual Machine (KVM), an open-source virtualization technology integrated within the Linux kernel. This migration, affecting a substantial portion of Anexia's infrastructure, represents a strategic move away from proprietary software and towards a more open and potentially cost-effective solution.

  The driving forces behind this transition were primarily financial. Anexia's CEO, Alexander Windbichler, cited escalating licensing costs associated with VMware as the primary motivator. Maintaining and upgrading VMware's software suite had become a substantial financial burden, impacting Anexia's operational expenses. By switching to KVM, Anexia anticipates significant savings in licensing fees, offering them more control over their budget and potentially allowing for more competitive pricing for their cloud services.

  The migration process itself was a complex and phased operation. Anexia developed its own custom tooling and automation scripts to facilitate the transfer of the 12,000 VMs, which involved not just the VMs themselves but also the associated data and configurations. This custom approach was necessary due to the lack of existing tools capable of handling such a large-scale migration between these two specific platforms. The entire endeavor was planned meticulously, executed incrementally, and closely monitored to minimize disruption to Anexia's existing clientele.

  While Anexia acknowledges that there were initial challenges in replicating specific features of the VMware ecosystem, they emphasize that their KVM-based platform now offers comparable functionality and performance. Furthermore, they highlight the increased flexibility and control afforded by using open-source technology, enabling them to tailor the platform precisely to their specific requirements and integrate it more seamlessly with their other systems. This increased control also extends to security aspects, as Anexia now has complete visibility and control over the entire virtualization stack. The company considers the successful completion of this migration a significant achievement, demonstrating their technical expertise and commitment to providing a robust and cost-effective cloud infrastructure.

  • Cloud Computing
  • Virtualization
  • KVM
  • VMware
  • Anexia
  • Migration
  • Data Center
  • infrastructure
  • Open Source
  • Proprietary Software
  • Cost Savings
  • Europe
  • Homebrew
  • Custom Platform
  • Server Management
  • Virtual Machines
  • Data Centers
  • Cost Reduction
  • Cloud Infrastructure
  • Private Cloud
  • Hybrid Cloud
  • Server Virtualization
  • Virtual Machines (VMs)

  Summary of Comments ( 21 )
  https://news.ycombinator.com/item?id=42682671

  Verbose tl;dr

  Hacker News commenters generally praised Anexia's move away from VMware, citing cost savings and increased flexibility as primary motivators. Some expressed skepticism about the "homebrew" aspect of the new KVM platform, questioning its long-term maintainability and the potential for unforeseen issues. Others pointed out the complexities and potential downsides of such a large migration, including the risk of downtime and the significant engineering effort required. A few commenters shared their own experiences with similar migrations, offering both warnings and encouragement. The discussion also touched on the broader trend of moving away from proprietary virtualization solutions towards open-source alternatives like KVM. Several users questioned the wisdom of relying on a single vendor for such a critical part of their infrastructure, regardless of whether it's VMware or a custom solution.

  The Hacker News comments section for the article "Euro-cloud provider Anexia moves 12,000 VMs off VMware to homebrew KVM platform" contains a variety of perspectives on the motivations and implications of Anexia's migration.

  Several commenters focus on the cost savings as the primary driver. They point out that VMware's licensing fees can be substantial, and moving to an open-source solution like KVM can significantly reduce these expenses. Some express skepticism about the claimed 70% cost reduction, suggesting that the figure might not account for all associated costs like increased engineering effort. However, others argue that even with these additional costs, the long-term savings are likely substantial.

  Another key discussion revolves around the complexity and risks of such a large-scale migration. Commenters acknowledge the significant technical undertaking involved in moving 12,000 VMs, and some question whether Anexia's "homebrew" approach is wise, suggesting potential issues with maintainability and support compared to using an established KVM distribution. Concerns are raised about the potential for downtime and data loss during the migration process. Conversely, others praise Anexia for their ambition and technical expertise, viewing the move as a bold and innovative decision.

  A few comments highlight the potential benefits beyond cost savings. Some suggest that migrating to KVM gives Anexia more control and flexibility over their infrastructure, allowing them to tailor it to their specific needs and avoid vendor lock-in. This increased control is seen as particularly valuable for a cloud provider.

  The topic of feature parity also emerges. Commenters discuss the potential challenges of replicating all of VMware's features on a KVM platform, especially advanced features used in enterprise environments. However, some argue that KVM has matured significantly and offers comparable functionality for many use cases.

  Finally, some commenters express interest in the technical details of Anexia's migration process, asking about the specific tools and strategies used. They also inquire about the performance and stability of Anexia's KVM platform after the migration. While the original article doesn't provide these specifics, the discussion reflects a desire for more information about the practical aspects of such a complex undertaking. The lack of technical details provided by Anexia is also noted, with some speculation about why they chose not to disclose more.