
Deno Under TinyKVM in Varnish

(info.varnish-software.com)
99 points by perbu | 6 comments
1. codethief No.43654409
In case anyone from Varnish is around, possibly even the author himself: Last time we discussed TinyKVM here, I wanted to know[0] whether it could possibly be used as an OCI container runtime and what capabilities it would need. Background: I would like to use it as a runtime in order to allow for nesting containers in my CI pipelines, which is difficult with standard OCI runtimes like runc/crun without granting them privileges or at least additional capabilities that AppArmor is not happy about. Anyway, I'd still be very much interested in an answer! :)

[0]: https://news.ycombinator.com/item?id=43364218

replies(3): >>43655552 >>43655776 >>43656132
2. antoniomika No.43655552
Check out sysbox[0], it's a runc based runtime that allows you to run "system" containers without privilege.

[0]: https://github.com/nestybox/sysbox

replies(1): >>43663401
3. laurencerowe No.43655776
As I understand it TinyKVM is so fast because it does not run a full Linux guest but rather a thin layer with just enough syscall compatibility to run single threaded Linux static binaries.

I've been running varnish/tinykvm using podman by passing /dev/kvm into the container and adding myself to the kvm group. https://github.com/lrowe/deno_varnish?tab=readme-ov-file#run...

Maybe you would be better off with something like krun which is built to run OCI containers in a full Linux kvm guest. https://josecastillolema.github.io/podman-wasm-libkrun/

4. ruben_varnish No.43656132
Sorry for not replying. But good to see you got your answer in the end.

Tip: although not entirely what you asked, but related: what about using more caching in your CI/CD pipeline? Customers see incredible time savings when using Varnish in that context (mostly with Enterprise w/MSE4 as you will need a massive cache, but it can be useful even with Varnish Cache grounding on your pipeline and workflow). If you are interested, read more here: https://www.varnish-software.com/solutions/data-ai-accelerat...

replies(1): >>43663341
5. codethief No.43663341
> Sorry for not replying.

No worries, I know how it is! :)

> But good to see you got your answer in the end.

Well, almost. Even outside that above use case I'd still be interested in the capabilities TinyKVM needs and its overall security model & properties! There are far too many GitHub projects out there these days that claim to do sandboxing, and for an outsider it's very difficult to compare them security-wise.

> what about using more caching in your CI/CD pipeline?

The caching itself is not the issue. We already heavily cache image layers when building container images. The issue (one of them) is that on our platform AppArmor prevents containers from mounting anything, including overlayfs file systems. The latter, however, are needed for Docker/Podman to do proper image layering. The only non-mount alternative I'm aware of, Kaniko, avoids overlayfs but at the cost of severe I/O and performance impact. AFAIU this is because it manually detects changes in a given image layer by walking the directory tree. See also https://github.com/GoogleContainerTools/kaniko/issues/875

6. codethief No.43663401
Thanks, I've come across sysbox before. But it seems it's become relatively quiet since it got acquired by Docker? Moreover, I've yet to hear of anyone who has been using it in production.