24 comments

[ 4.6 ms ] story [ 42.4 ms ] thread
This seems like real black magic.

Is there any way that TinyKVM + KVM Server could ever be made to work with a GUI program? The sandboxing performance seems free and possibly safer than other solutions.

Instead of firejail or bubblewrap would it ever be possible for me to wrap say Firefox (or a much less complicated GUI program) inside of TinyKVM and restrict it to just network access and reading/writing to ~/Downloads? Likely a way more ambitious target than you had ever imagined, but I can dream.

I am wondering if I could default wrap every command on my terminal to run inside a TinyKVM, no network access, and only permissions to the current directory or below.

I'm pretty hopeful that the combination of per-request isolation and the new snapshot functionality we're currently working on will be a big step forward for those running server-side JS at scale.

Having each request start from the exact same program state should make reproducing and fixing production issues easier. In a way it combines the predictability of the CGI programming model with the speed of a warmed modern JIT runtime.

Does the "KVM" part have any connection to a KVM switch, or is it a different acronym?
I spent a while mixing this up with PiKVM and was having trouble understanding how any of it would fit in with that project. Made a lot more sense once I got over that.
I was so confused by this article.

I was confusing it with TinyPilot, a hardware KVM made by an indie hacker Michael Lynch, that I think has since been acquired.

This is great in how simple it seems. Cool.
How does this compare to Amazon's Firecracker VM?
Firecracker runs a full Linux guest within KVM while TinyKVM runs just a single process within KVM and handles syscalls on the host by validating permissions then calling the host kernel syscall.

This minimises memory usage and lets us track file descriptors which lets us very quickly reset the guest process (under 100us for deno.)

Could someone give a high-level overview of what this is and why you'd use it?
This is amazing! I am also a little bit obsessed with fast-booting kvm for per-request isolation, and have managed to get Linux to pid1 in 3.6ms, I am starting to go a little insane because I don't know how to measure the rest of the CPU time (would love a flamegraph somehow) -- the ftrace data just... confuses me
I got a question: in what scenarios is it vulnerable to use containers as a sandbox?
Assuming your containers are secure to begin with (which can be tricky to set up), when a new container escape kernel bug is inevitably released you're in a race to patch it before someone exploits your system.
Every time I click on one of these posts, I'm expecting it to be a tiny KVM switch. When did this whole KVM nomenclature catch on for virtual machines?