From: Fabio Natali
To: Tomas Volf <~@wolfsden.cz>
Cc: help-guix@gnu.org
Subject: Re: Virtualisation alternatives for deploying a small number of services
Date: Thu, 23 May 2024 16:52:01 +0100
Message-ID: <87zfsgttjy.fsf@fabionatali.com>
References: <875xv5voew.fsf@fabionatali.com>

On 2024-05-22, 19:16 +0200, Tomas Volf <~@wolfsden.cz> wrote:

> If your main goal is strong isolation and security, you probably might
> want to take a look at firecracker[0]. Downside is non-existent
> support in Guix, not even a package.

Hey Tomas,

Thanks for getting back to me!

You're right, Firecracker seems to perfectly address my objectives - but yeah, the fact that there's no Guix support makes it a bit less appealing. I guess I'm willing to accept some performance overhead in exchange for QEMU's good level of integration. But thanks for suggesting this as an option.

Looking at Firecracker brought another project to my attention, MicroVM.nix⁰. If I'm not mistaken, it would look like the NixOS equivalent of what I was looking for.

It'd be nice to create a 'least-authority-wrapper' variant that's VM-based. If you like, keep me posted on your findings and feel free to DM me if you want to brainstorm the idea together.

Cheers,
Fabio.

⁰ https://github.com/astro/microvm.nix