Most active commenters
  • gbxk(10)

←back to thread

Show HN: Katakate – Dozens of VMs per node for safe code exec

(github.com)
120 points gbxk | 21 comments | 21 Oct 25 15:22 UTC | HN request time: 0.628s | source | bottom

I've built this to make it easy to host your own infra for lightweight VMs at large scale.

Intended for exec of AI-generated code, for CICD runners, or for off-chain AI DApps. Mainly to avoid Docker-in-Docker dangers and mess.

Super easy to use with CLI / Python SDK, friendly to AI engs who usually don't like to mess with VM orchestration and networking too much.

Defense-in-depth philosophy.

Would love to get feedback (and contributors: clear & exciting roadmap!), thx

1. mentalgear ◴[21 Oct 25 16:22 UTC] No.45657697[source]
I would really like to see a good local sandboxing solution in this space, something that is truly local-first. This is especially important since many coding models / agentic builders will eventually become lightweight enough to run them on-device instead of having to buy tokens and share user data with big LLM cloud providers.
replies(7): >>45658204 #>>45658498 #>>45659517 #>>45661176 #>>45662480 #>>45662484 #>>45666374 #
2. dloss ◴[21 Oct 25 17:00 UTC] No.45658204[source]
Anthropic recently released a sandboxing tool based on bubblewrap (Linux, quite lightweight) and sandbox-exec (macOS). https://github.com/anthropic-experimental/sandbox-runtime

I wonder if nsjails or gVisor may be useful as well. Here's a more comprehensive list of sandboxing solutions: https://github.com/restyler/awesome-sandbox

replies(1): >>45658509 #
3. gbxk ◴[21 Oct 25 17:19 UTC] No.45658498[source]
(sorry I didn't reply in-thread, I'm new to HN, re-posting response here:)

Exactly! The main local requirement is to have hardware virtualization available (e.g. /dev/kvm) but that should be fine on your local linux machine. Won't work in cloud machines or on Mac ARM in current form but maybe if I extend

replies(1): >>45658539 #
4. gbxk ◴[21 Oct 25 17:20 UTC] No.45658509[source]
wow that's super new! Thanks for that, will look deeply into it and compare
5. ofrzeta ◴[21 Oct 25 17:21 UTC] No.45658539[source]
There are some providers that offer KVM nested virtualization, I think Google Cloud, Digital Ocean ... any others?
replies(1): >>45658639 #
6. gbxk ◴[21 Oct 25 17:27 UTC] No.45658639{3}[source]
True! GCP does. I haven't tested it yet. I didn't know D.O does. If anyone knows others, I'm interested too!
replies(1): >>45661910 #
7. elric ◴[21 Oct 25 18:19 UTC] No.45659517[source]
Are there any such solutions that can adequately protect against side-channel attacks (à la rowhammer, meltdown, spectre, ...)? I mean protecting local file access and network access is pretty easy, but side-channels and VM escaping attacks seem like a bigger concern.
replies(2): >>45659610 #>>45659728 #
8. gbxk ◴[21 Oct 25 18:25 UTC] No.45659610[source]
That's an interesting direction! TEE support would be relatively straightforward with current stack (and it's on my roadmap), so that could be a first step forward.
9. ATechGuy ◴[21 Oct 25 18:34 UTC] No.45659728[source]
Side-channel attacks apply to multi-tenant cloud environments, not local.
replies(1): >>45660139 #
10. elric ◴[21 Oct 25 19:03 UTC] No.45660139{3}[source]
That seems like a naive take. If any of your local VMs are internet connected and are compromised, side channel attacks could be used to exfiltrate data from other VMs or the host.
replies(1): >>45660552 #
11. ATechGuy ◴[21 Oct 25 19:32 UTC] No.45660552{4}[source]
Then why only apply to VMs, why not apps?
12. mkagenius ◴[21 Oct 25 20:21 UTC] No.45661176[source]
> something that is truly local-first

Hey, we built coderunner[1] exactly for this purpose. It's completely local. We use apple containers for this (which are 1:1 mapped to a lightweight VM).

1. Coderunner - https://github.com/instavm/coderunner

replies(1): >>45666715 #
13. eyberg ◴[21 Oct 25 21:23 UTC] No.45661910{4}[source]
We (NanoVMs) can run (both unikernel and normal linux) virtualized workloads on plain old ec2 instances (eg: t2.small).
replies(1): >>45666616 #
14. _false ◴[21 Oct 25 22:23 UTC] No.45662480[source]
What about this: https://github.com/apple/container
replies(1): >>45666610 #
15. sshine ◴[21 Oct 25 22:23 UTC] No.45662484[source]
https://rstrict.cloud/ is a CLI built in Rust on top of the Landlock API for the Linux kernel.

It lets you narrow the permission scope of an executable using simple command line wrappers.

replies(1): >>45666618 #
16. kernc ◴[22 Oct 25 08:45 UTC] No.45666374[source]
Local-first (on Lunix), POSIX shell: https://github.com/sandbox-utils/sandbox-run
replies(1): >>45666721 #
17. gbxk ◴[22 Oct 25 09:19 UTC] No.45666610[source]
Very cool one. That's dedicated to Apple ARM which I don't currently support so the two are complimentary. Apple containers shares some primitives with Kata. I'll investigate if it's possible to use Apple containers as a VMM inside Kata, or creating an Apple Containers runtime class in Kubernetes. If either is possible, we could then potentially use Apple containers as a backend in Katakate. I need more time to study that.
18. gbxk ◴[22 Oct 25 09:20 UTC] No.45666616{5}[source]
Interesting, thanks for sharing!
19. gbxk ◴[22 Oct 25 09:20 UTC] No.45666618[source]
Thanks, will study that one too!
20. gbxk ◴[22 Oct 25 09:35 UTC] No.45666715[source]
Very cool! Apple containers run on Apple ARM so it's complimentary to my stack which doesn't support ARM yet (but soon will when extending to Qemu which supports ARM). Thanks for sharing!
21. gbxk ◴[22 Oct 25 09:36 UTC] No.45666721[source]
Thanks for sharing, adding it to my list.