TinyKVM is very cool. I'm enjoying reading about it, and eager to play with it for various workload secure isolation use cases.
With its minimal overhead, it reminds me very much of bubblewrap from a usage perspective (minimal overhead to launch a binary). I'm sure you're familiar with it, so I'm wondering how you think about TinyKVM and bubblewrap?
To me, they seem to accomplish similar goals, albeit TinyKVM can more easily be used in code rather than just calling bubblewrap as an executable. I'm sure there are some feature differences as well.
I'm surely not as familiar with virtualization as you, but it seems bubblewrap goes for a more "entire container limited in permissions", whereas TinyKVM is more "just the binary"?
> I'm surely not as familiar with virtualization as you, but it seems bubblewrap goes for a more "entire container limited in permissions", whereas TinyKVM is more "just the binary"?
That's correct! TinyKVM is intentionally just the CPU processing part with memory sharing, a few fancy features on top and stuff to make it run fast. There is of course nothing stopping anyone from implementing enough system call emulation to embed Chromium, or whatever they desire. It all comes down to how fast you can type!
Thanks for the quick reply! If something like Varnish is using this to handle every request, what interface do you use to pass request handler input and output? I’m guessing not stdout?
> what interface do you use to pass request handler input and output?
Something that looks (and quacks) like a regular function call, a VM call. You can pass inputs, get return value(s), push to the stack, and if you allocate using mmap, you can pass larger data in and out.