Most active commenters
  • ruben_varnish(5)
  • CoolCold(3)
  • codethief(3)

Deno Under TinyKVM in Varnish

(info.varnish-software.com)
99 points perbu | 29 comments | 11 Apr 25 05:37 UTC | HN request time: 1.435s | source | bottom
1. perbu ◴[11 Apr 25 05:37 UTC] No.43650793[source]
TinyKVM is now integrated into Varnish Cache Deno has been ported to run inside it.
2. ksimukka ◴[11 Apr 25 08:47 UTC] No.43651725[source]
“inline CSS wizardry by my friend Kyle”

Thank you for the kind words my friend. I enjoyed contributing to TinyKVM during my time at Varnish Software. It is nice to see that you are able to present and share it with the community.

3. Imustaskforhelp ◴[11 Apr 25 10:21 UTC] No.43652327[source]
Great post as usual!

Tinykvm is going to be the future

4. d0100 ◴[11 Apr 25 10:30 UTC] No.43652367[source]
I am looking for a Deno sandbox and this seems like a good idea.

Is there code available anywhere of this implementation?

replies(1): >>43652381 #
5. fwsgonzo ◴[11 Apr 25 10:34 UTC] No.43652381[source]
https://github.com/lrowe/deno_varnish

It's very much still a work-in-progress. But it works!

The main plugin repo is here: https://github.com/varnish/libvmod-tinykvm

replies(1): >>43655589 #
6. CoolCold ◴[11 Apr 25 11:16 UTC] No.43652606[source]
Nowadays I almost have zero intersection with Varnish - my own impression it was much more popular like 10 years ago or even more.

I know couple of frameworks/systems support it, especially in php world.

Looks like that it's lost in layers - dev guys don't care much, sysadmins are sort of extincted, noone to bother to add Varnish into request processing queue. Needless to say, people ok HN even complain on Nginx configs,while for base caching it's much simpler, from my perspective.

replies(4): >>43652810 #>>43653387 #>>43654493 #>>43654609 #
7. jesterson ◴[11 Apr 25 11:55 UTC] No.43652810[source]
Varnish is amazing. Nowadays people blow up projects with kubernetes, JS frameworks, million other tools, while the same can be achieved with varnish+nginx with much less efforts.
replies(2): >>43653957 #>>43656258 #
8. atonse ◴[11 Apr 25 13:13 UTC] No.43653387[source]
I had to scale a high profile Wordpress site during the pandemic. It got huge spikes daily during a press conference. It got 150k hits per second.

Apart from moving it from windows to Linux, I put it in front of varnish and spent a few hours tweaking the config to make sure everything still worked. It was my first time using varnish so it took longer.

It performed flawlessly for years.

Varnish was a real workhorse.

replies(1): >>43663641 #
9. mmastrac ◴[11 Apr 25 13:21 UTC] No.43653460[source]
These posts from Varnish initially confused me because the only Varnish project I had heard of was a cache/accelerator like nginx.

TinyKVM is an impressive marvel and I wonder if it would help to separate the branding from the older name.

replies(1): >>43656162 #
10. johnbellone ◴[11 Apr 25 13:45 UTC] No.43653725[source]
This is pretty damn sweet.
11. Twirrim ◴[11 Apr 25 14:07 UTC] No.43653957{3}[source]
Don't forget all those interconnected microservices, so that every request has to be handled by dozens of machines with lots of json flying everywhere eating up CPU time that could have been spent actually carrying out the business logic instead.
12. codethief ◴[11 Apr 25 14:47 UTC] No.43654409[source]
In case anyone from Varnish is around, possibly even the author himself: Last time we discussed TinyKVM here, I wanted to know[0] whether it could possibly be used as an OCI container runtime and what capabilities it would need? Background: I would like to use it as a runtime in order to allow for nesting containers in my CI pipelines, which is difficult with standard OCI runtimes like runc/crun without granting them privileges or at least additional capabilities that AppArmor is not happy about. Anyway, I'd still be very much interested in an answer! :)

[0]: https://news.ycombinator.com/item?id=43364218

replies(3): >>43655552 #>>43655776 #>>43656132 #
13. klooney ◴[11 Apr 25 14:55 UTC] No.43654493[source]
It competes with CDNs, is the problem- once you use one, they take care of the caching, and you don't need to run your own. People with global customers need a CDN, and they're to cheap to build your own.
14. pbowyer ◴[11 Apr 25 15:04 UTC] No.43654609[source]
I borderline love Varnish cache, but the way the open source and commercial versions have diverged and all the nice features only go into the $10k/yr+ commercial version sucks.

Features like the memory governer [0], because trying to predict how much memory (open-source) Varnish will use is an absolute PITA and a sure-fire way to run out of memory if you're not careful.

My clients can't justify the commercial license costs (as a sibling comment says, CDNs eat Varnish's lunch in that market) and yet what I can do with Varnish and the power it gives me makes it real magic.

It would be nice to see a modern reimplementation of Varnish, open-sourced, but I doubt that would ever happen.

0. https://info.varnish-software.com/blog/two-minute-tech-tuesd...

replies(2): >>43656222 #>>43663661 #
15. antoniomika ◴[11 Apr 25 16:20 UTC] No.43655552[source]
Check out sysbox[0], it's a runc based runtime that allows you to run "system" containers without privilege.

[0]: https://github.com/nestybox/sysbox

replies(1): >>43663401 #
16. mdaniel ◴[11 Apr 25 16:24 UTC] No.43655589{3}[source]
It would be awesome if that deno_varnish repo had a license to know who can use it under what circumstances
replies(1): >>43657836 #
17. laurencerowe ◴[11 Apr 25 16:39 UTC] No.43655776[source]
As I understand it TinyKVM is so fast because it does not run a full Linux guest but rather a thin layer with just enough syscall compatibility to run single threaded Linux static binaries.

I’ve been running varnish/tinykvm using podman by using passing /dev/kvm into the container and adding myself to the kvm group. https://github.com/lrowe/deno_varnish?tab=readme-ov-file#run...

Maybe you would be better off with something like krun which is built to run OCI containers in a full Linux kvm guest. https://josecastillolema.github.io/podman-wasm-libkrun/

18. ruben_varnish ◴[11 Apr 25 17:12 UTC] No.43656132[source]
Sorry for not replying. But good to see you got your answer in the end.

Tip, Although not entirely what you asked, but related: what about using more caving in your CI/CD Pipeline. Customers see incredible time savings when using Varnish on that context (mostly with Enterprise w/MSE4 as you will need a massive cache, but it can be useful even with Varnish Cache grounding on your pipeline and workflow). If you are interested, read more here: https://www.varnish-software.com/solutions/data-ai-accelerat...

replies(1): >>43663341 #
19. ruben_varnish ◴[11 Apr 25 17:15 UTC] No.43656162[source]
TinyKVM is certainly technology that in itself is rather groundbreaking, but it is obviously even more powerful in the context of request handling at lightning speed. But you are right it could be used for other things.

Would you have read this if neither Deno, Varnish or TinyKVM would have been in the title? ;)

But we hear you. Will put a page on our website and should probably consider seeing up a community site as well as it is indeed, grabbing some attention.

replies(1): >>43669827 #
20. ruben_varnish ◴[11 Apr 25 17:22 UTC] No.43656222{3}[source]
I do owe you an email reply on that. I haven't forgotten that, just so you know.

But yes, Varnish Cache is not exactly what you would call Cloud Native.

Varnish Software have launched Pro currently on AWS only at a much lower price point, but it is still somewhat limited. I think that a Free-tier providing some of the goodies you mention would also cover much of what's needed for today's workloads including better memory management, in-core TLS and a better developer experience by having much better K8s support. Much of this could and should go into Varnish Cache, but that is a longer road as the project as such has a different focus than we do.

Expect more on that front this year @pbower :)

21. ruben_varnish ◴[11 Apr 25 17:26 UTC] No.43656258{3}[source]
Imagine having all that being run by Varnish as the data plane?

Do you think the whole MACH stack users would then move their workload to such a controller/ingress/gateway?

I think they wouldn't, because they don't necessarily understand (or need?) the advantages of caching at scale and flexibility that Varnish provides.

But if you say that you will accelerate everything in their K8s cluster... Then maybe ;)

We'll see. I have a wish for Kubecon in Q4

22. laurencerowe ◴[11 Apr 25 19:54 UTC] No.43657836{4}[source]
It's not really usable yet beyond benchmarking as I've been focussed on understanding the performance characteristics.

I will add a license (hopefully MIT like Deno) once there is clarity around the licensing of the TinyKVM guest API files.

replies(1): >>43659256 #
23. ruben_varnish ◴[11 Apr 25 22:14 UTC] No.43659256{5}[source]
Let us get back to you on that.

Leaning towards making the modules/examples permissive, indeed.

24. codethief ◴[12 Apr 25 11:03 UTC] No.43663341{3}[source]
> Sorry for not replying.

No worries, I know how it is! :)

> But good to see you got your answer in the end.

Well, almost. Even outside that above usecase I'd still be interested in the capabilities TinyKVM needs and its overall security model & properties! There are far too many Github projects out there these days that claim to do sandboxing and for an outsider it's very difficult to compare them security-wise.

> what about using more caving in your CI/CD Pipeline.

The caching itself is not the issue. We already heavily cache image layers when building container images. The issue (one of them) is that on our platform AppArmor prevents containers from mounting anything, including overlayfs file systems. The latter, however, are needed for Docker/Podman to do proper image layering. The only non-mount alternative I'm aware of, Kaniko, avoids overlayfs but at the cost of severe I/O and performance impact AFAIU this is because it manually detects changes in a given image layer by walking the directory tree. See also https://github.com/GoogleContainerTools/kaniko/issues/875

25. codethief ◴[12 Apr 25 11:13 UTC] No.43663401{3}[source]
Thanks, I've come across sysbox before. But it seems it's become relatively quiet since it's gotten acquired by Docker? Moreover, I've yet to hear of anyone who has been using it in production.
26. CoolCold ◴[12 Apr 25 11:57 UTC] No.43663641{3}[source]
Indeed, that's one of the most popular cases and I even used it myself couple of times.

Though when frontend devs cannot explain which CORS headers and for which origins they do need (again, I'm sysasmin, not even daily reader of Mozilla Developer Network), chances for server/infra level like Varnish to be mentioned is close to 0. With higher chances k8s cluster introduction to be mentioned.

27. CoolCold ◴[12 Apr 25 12:01 UTC] No.43663661{3}[source]
Afair Varnish can store cache in files too? I may be messing things here, as I use Nginx like 500 times more often.

If yes, you can store that data with fixed size tmpfs - while on servers with modern NVMe handling 5 Gbyte/sec I would not bother.

28. mmastrac ◴[13 Apr 25 03:21 UTC] No.43669827{3}[source]
I would definitely consider growing the TinyKVM brand!