TinyKVM: Fast sandbox that runs on top of Varnish

by perbuon 3/14/2025, 2:12:11 AM with 20 comments
  • by chatmastaon 3/14/2025, 4:22:05 AM

    I love this. Please never stop doing what you’re doing.

    edit: Of course you’re the top contributor to IncludeOS. That was the first project I thought of while reading this blog post. I’ve been obsessed with the idea of Network Function Virtualization for a long time. It’s the most natural boundary for separating units of work in a distributed system and produces such clean abstractions and efficient scaling mechanisms.

    (I’m also a very happy user of Varnish in production btw. It’s by far the most reliable part of the stack, even more than nginx. Usually I forget it’s even there. It’s never been the cause of a bug, once I got it configured properly.)

  • by nine_kon 3/14/2025, 4:54:50 AM

    Oh. It's like Firecracker, only much faster 8-)

    What I like most is the ability to instantly reset the state of the VM to a known predefined state. It's like restarting the VM without any actual restart. It looks like an ideal course of action for network-facing services that are constantly under attack: even if an attack succeeds, the result is erased on the next request.

    Easy COW page sharing for programs that are not written with that in mind, like ML model runners, is also pretty nice.

  • by ruben_varnishon 3/14/2025, 5:15:40 AM

    Original post: https://fwsgonzo.medium.com/tinykvm-the-fastest-sandbox-564a...

    You can find a bunch of posts related to this topic there as well.

  • by laurenceroweon 3/14/2025, 9:24:36 AM

    This is really exciting. The 2.5us snapshot restore performance is on a par with Wasmtime but with the huge advantage of being able to run native code, albeit with the disadvantage of much slower but still microsecond interop.

    I see there is a QuickJS demo in the tinykvm_examples repo already but it'd be great to see if it's possible to get a JIT capable JavaScript runtime working as that will be an order of magnitude faster. From my experiments with server rendering a React app native QuickJS was about 12-20ms while v8 was 2-4ms after jit warmup.

    I need to study this some more but I'd love to get to the point where there was a single Deno like executable that ran inside the sandbox and made all http requests through Varnish itself. A snapshot would be taken after importing the specified JS URl and then each request would run in an isolated snapshot.

    Probably needs a mechanism to reset the random seed per request.

  • by rwmjon 3/14/2025, 12:39:53 PM

    Isn't this basically libkrun? https://github.com/containers/libkrun

  • by wmfon 3/14/2025, 4:02:43 AM

    Fascinating but I'm having trouble understanding the big picture. This runs a user process in a VM with no kernel? Does every system call become a VM exit and get proxied to the host? Or are there no system calls?

  • by oulipoon 3/14/2025, 9:26:23 AM

    I'm new to this area, can someone ELI5 this? What's the difference/advantages/disadvantages compared to other process isolation like containers?

    Would I use this to run a distributed infra on a server a bit like docker-compose? or it's not related?

  • by tuananhon 3/14/2025, 7:44:17 AM

    this is really cool if it works for your use cases.

    Some notes from the post

    > I found that TinyKVM ran at 99.7% native speed

    > As long as they are static and don’t need file or network access, they might just run out-of-the box.

    > The TinyKVM guest has a tiny kernel which cannot be modified

  • by notpushkinon 3/14/2025, 6:54:40 AM

    This is so cool.

    I’m exploring micro-VMs for my self-hosted PaaS, https://lunni.dev/ – and something with such little overhead seems like a really interesting option!

  • by Tepixon 3/14/2025, 9:06:10 AM

    Interesting to see the performance gain. But without file i/o and network access, what are the use cases?

  • by otterleyon 3/14/2025, 8:27:19 PM

    There's nothing in the article that suggests that it runs on top of Varnish; in fact, the author even says it's not intended to run Varnish in it.

  • by winternewton 3/14/2025, 7:36:47 AM

    I'm curious: would it be a good idea to switch my desktop Linux pc to using huge pages across the board?

  • by conradevon 3/14/2025, 8:39:42 AM

    Could this be used to migrate execution of a single program between two different machines?

  • by dangoodmanUTon 3/14/2025, 4:25:09 AM

    quick someone make rust bindings

  • by jensneuseon 3/14/2025, 6:43:28 AM

    Is this a modern version of CGI with process isolation?

  • by incanus77on 3/14/2025, 8:09:41 PM

    Not entirely what this is intended for, but does anyone have experience running an X server (or Wayland, I don't care)?

    I'm doing some dev (on Mac) against RDP server and occasionally have other needs like that for a client. Currently I use UTM (nice QEMU Mac frontend) along with a DietPi (super stripped-down Debian) VM for these sorts of things.

    I'm pretty familiar with Docker, but have a good idea of what sorts of hoop-jumping might be needed to get a graphics server to run there. Wondering if there's a simpler path.

  • by codethiefon 3/14/2025, 4:29:25 PM

    In case the author is around: Are there any plans to wrap this in an OCI-compliant runtime?

  • by jedisct1on 3/14/2025, 11:18:07 AM

    Quicky someone make Zig bindings.

  • by gunianon 3/14/2025, 6:16:55 AM

    man see virtualization man happy man see it no crossplatform man sad

  • by curtisszmaniaon 3/14/2025, 1:18:27 PM

    [dead]