from Hacker News

Show HN: Ephemeral VMs in 1 Microsecond

by fwsgonzo on 12/20/24, 10:43 AM with 47 comments

  • by jumploops on 12/23/24, 4:17 AM

    What do VMs mean in this context?

    I did a pass of the codebase and it seems they’re just forking processes?

    It’s unclear to me where the safety guarantees come from (compared to using e.g. KVM).

    Edit: it appears the safety guarantees come from libriscv[0]. As far as I can tell, these sandboxes are essentially RISC-V programs running in an isolated context (“machine”) where all the Linux syscalls are emulated and thus “safe.” Still curious what potential attack vectors may exist?

    [0] https://github.com/libriscv/libriscv/tree/dfb7c85d01f01cb38f...

  • by EgoIncarnate on 12/23/24, 6:58 AM

    The use of the term VM without further qualification in the title is unfortunate. Emulated VM would have been nicer to avoid confusion with hypervisor style virtual machines.

    Staring emphermial hypervisor VMs quickly is more noteworthy (since they are often slow to start) than an emulator VM where it's expected to be fast since it's usually not much more than setting up a datastructure and executing a call to an interpreter. I clicked hoping for the former, only to find out the project is the latter.

  • by ilaksh on 12/23/24, 7:20 AM

    Is this better than Firecracker? I was thinking about using that but it needs nested virtualization and the servers that support that aren't as good of a value. Anyone know a good option for nested virtualization that is inexpensive?

    Hetzner is really cheap but not sure about the cost effectiveness for the dedicated servers. Actually I think what I saw was that I couldn't get the one I wanted in a US datacenter.

  • by mdaniel on 12/23/24, 2:21 AM

    This GitHub org was cited several times in the recent "source available" annoucement for MoonBit, if one wishes to see more "in the wild" usage https://news.ycombinator.com/item?id=42450274

  • by rollcat on 12/23/24, 9:03 AM

    Tangential, but let's say I want to build a multiplayer game, where players (untrusted users) are allowed to run arbitrary code in some kind of a VM. I've so far established that:

    - The VM has to be built in a safe and performant language (like Rust, Go, or - if careful - modern C++), and available as a library to integrate with the rest of the game. However I don't trust myself to write safe C/C++ (the game is being prototyped in LÖVE/Lua).

    - Each VM instance needs a tight execution/instruction budget, to avoid stalling the server's main update loop; e.g. a timer/virtual "hardware interrupt", or simply counting cycles, or even something modelled after eBPF. The total number of VM instances running in a single game would also need to be limited somehow (e.g. making a key component scarce and/or non-renewable, or dividing the total instruction budget across all VMs, or requiring a player to be present in a nearby world chunk).

    Use cases are something like redstone in Minecraft: curious and technically-inclined players could build contraptions, like auto-farming crops, pranks/traps, defences, fancy gates/moats, etc. Not the core of the gameplay, but rather one aspect of it, for the curious to explore, learn, have fun with.

    There are many off-the-shelf VMs that do RISC-V or similar ISAs, and I'm considering picking one of those, but wondering if a RISC instruction set isn't too low-level for such a thing. On the other hand, it would be nice if the knowledge would be directly transferrable to the real world.

    Anyone tried to build something similar and can share their experience?

  • by elmigranto on 12/23/24, 2:39 PM

    > This project […] contains only the necessary parts for realistic benchmarking

    > The test program is a simple […] return string

    I understand how this is required to measure the effects of sandboxing in isolation. And the result is impressive.

    In what ways would you expect performance to be affected when workloads are more realistic as well?

  • by childintime on 12/23/24, 3:57 PM

    This competes with WASM Serverless, therefore something like Fermyon Spin, which is built on top of it (https://www.fermyon.com/serverless-guide/speed-and-execution...). Wake up a RISC-V emulator on a http request in 1µs, do your thing and exit. Then gone is the RISC-V VM. WASM takes a millisecond or more to spin up, as it is bytecode.

    Is there any cloud that provides RISC-V VM's, coupled with SQLite access for persistence?

  • by thornewolf on 12/23/24, 2:23 AM

    to check my understanding on what this is offering, I could build something on top of this that offers remote code execution for people without needing to worry about my system being compromised? or other people's processes interacting with one another, but the VM will still be able to make web requests itself?

  • by mattclarkdotnet on 12/23/24, 6:38 AM

    Having scanned the codebase, I think this is about quickly and safely launching and managing risc-v binaries as sandboxed processes? Which is useful, but has nothing to do with virtual machines in the usual sense of there being a hypervisor with hardware support for isolation.

  • by owenthejumper on 12/23/24, 1:02 PM

    Reminds me a bit of Cloudflare's isolates, but the title is super confusing

  • by kjok on 12/23/24, 1:07 AM

    What are the use cases?

  • by pyaamb on 12/23/24, 1:10 AM

    Whatever happened to Unikernels?