Virtualisation alternatives for deploying a small number of services

unofficial mirror of help-guix@gnu.org 
 help / color / mirror / Atom feed

* Virtualisation alternatives for deploying a small number of services
@ 2024-05-22 15:47 Fabio Natali
  2024-05-22 17:16 ` Tomas Volf
  0 siblings, 1 reply; 3+ messages in thread
From: Fabio Natali @ 2024-05-22 15:47 UTC (permalink / raw)
  To: help-guix

Hi,

I'd like to run a small number of VMs on a single physical machine. The
reason for using VMs is security, i.e. to get a strong level of
isolation when deploying some services.

Among the options I've been considering:

+ libvirt, which I understand would imply some manual (potentially non
  declarative?) setup, beyond defining and bringing up the libvirt Guix
  service.
+ Ganeti, which might be a bit of an overkill for this particular use
  case.
+ Guix's 'least-authority-wrapper', which of course would give me
  containerisation rather than virtualisation, so not really what I'm
  looking for.

I think libvirt is my favourite option so far but I was wondering if
there's any further alternative that I haven't been considering.

I think the ideal solution would be some wrapper similar to the
least-authority one, but that spins up a VM rather than a container. I
see there's 'virtual-build-machine-service-type' which of course
wouldn't fit the bill, but it might be close to the idea of a VM-based
wrapper?

Any ideas or pointers to existing solution are welcome.

Thanks, best, Fabio.

(I'd be grateful if you could CC me in if replying as otherwise I might
miss your email.)

-- 
Fabio Natali
https://fabionatali.com

^ permalink raw reply	[flat|nested] 3+ messages in thread

* Re: Virtualisation alternatives for deploying a small number of services
  2024-05-22 15:47 Virtualisation alternatives for deploying a small number of services Fabio Natali
@ 2024-05-22 17:16 ` Tomas Volf
  2024-05-23 15:52   ` Fabio Natali
  0 siblings, 1 reply; 3+ messages in thread
From: Tomas Volf @ 2024-05-22 17:16 UTC (permalink / raw)
  To: Fabio Natali; +Cc: help-guix

[-- Attachment #1: Type: text/plain, Size: 1847 bytes --]

On 2024-05-22 16:47:51 +0100, Fabio Natali wrote:
> Hi,
>
> I'd like to run a small number of VMs on a single physical machine. The
> reason for using VMs is security, i.e. to get a strong level of
> isolation when deploying some services.
>
> Among the options I've been considering:
>
> + libvirt, which I understand would imply some manual (potentially non
>   declarative?) setup, beyond defining and bringing up the libvirt Guix
>   service.
> + Ganeti, which might be a bit of an overkill for this particular use
>   case.
> + Guix's 'least-authority-wrapper', which of course would give me
>   containerisation rather than virtualisation, so not really what I'm
>   looking for.
>
> I think libvirt is my favourite option so far but I was wondering if
> there's any further alternative that I haven't been considering.
>
> I think the ideal solution would be some wrapper similar to the
> least-authority one, but that spins up a VM rather than a container. I
> see there's 'virtual-build-machine-service-type' which of course
> wouldn't fit the bill, but it might be close to the idea of a VM-based
> wrapper?
>
> Any ideas or pointers to existing solution are welcome.

If your main goal is strong isolation and security, you probably might want to
take a look at firecracker[0].  Downside is non-existent support in Guix, not
even a package.

The wrapper along the lines of least-authority is quite an interesting idea and
I will likely explore it a bit, thank you.

0: https://github.com/firecracker-microvm/firecracker

>
> Thanks, best, Fabio.
>
> (I'd be grateful if you could CC me in if replying as otherwise I might
> miss your email.)
>
>
> --
> Fabio Natali
> https://fabionatali.com
>

Have a nice day,
Tomas Volf

--
There are only two hard things in Computer Science:
cache invalidation, naming things and off-by-one errors.

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

^ permalink raw reply	[flat|nested] 3+ messages in thread

* Re: Virtualisation alternatives for deploying a small number of services
  2024-05-22 17:16 ` Tomas Volf
@ 2024-05-23 15:52   ` Fabio Natali
  0 siblings, 0 replies; 3+ messages in thread
From: Fabio Natali @ 2024-05-23 15:52 UTC (permalink / raw)
  To: Tomas Volf; +Cc: help-guix

On 2024-05-22, 19:16 +0200, Tomas Volf <~@wolfsden.cz> wrote:
> If your main goal is strong isolation and security, you probably might
> want to take a look at firecracker[0].  Downside is non-existent
> support in Guix, not even a package.

Hey Tomas,

Thanks for getting back to me!

You're right, Firecracker seems to perfectly address my objectives - but
yeah, the fact that there's no Guix support makes it a bit less
appealing. I guess I'm willing to accept some performance overhead in
exchange for QEMU's good level of integration. But thanks for suggesting
this as an option.

Looking at Firecracker brought another project to my attention,
MicroVM.nix⁰. If I'm not mistaken, it would look like the NixOS
equivalent of what I was looking for.

It'd be nice to create a 'least-authority-wrapper' variant that's
VM-based. If you like, keep me posted on your findings and feel free to
DM me if you want to brainstorm the idea together.

Cheers, Fabio.

⁰ https://github.com/astro/microvm.nix

^ permalink raw reply	[flat|nested] 3+ messages in thread

end of thread, other threads:[~2024-05-23 15:52 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2024-05-22 15:47 Virtualisation alternatives for deploying a small number of services Fabio Natali
2024-05-22 17:16 ` Tomas Volf
2024-05-23 15:52   ` Fabio Natali

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).