libkrun + krunvm
Github randomly recommended me libkrun which is a library backing krunvm. It’s something similar to firecracker, but even simpler.
The most interesting feature there is:
“virtio-vsock (specialized for TSI, Transparent Socket Impersonation)”
AF_VSOCK
Linux/KVM AF_VSOCK is a way to avoid bridging and ethernet emulation for both performance and reduced attack surface. As far as I can tell only code mere mortals can use in a general way is to route over it is to use socat vsock support.
Seems that libkrun implements a slirp-style network forwarded on kvm host side and I have no clue what they do inside kvm. If you figure that out, ping me on my socials.
Update: More info in twitter discussion.
Embedding JITTED WASM in libkrun
HN completely ignored the story on how to marry above with WASM.
Why?
But there’s an scenario where Virtualization is not optional, and that’s when you want to protect the workload with Confidential Computing technologies such as SEV or TDX, as both of them are built on top of the existing Virtualization capabilities provided by the hardware.
Metallize
I once wrote a tool to make it easy to generate machine images using docker. I posted a re-implementation of that here: https://github.com/tarasglek/metallize
I need to make a really high performance networking setup to drive multiple 100G nics at max perf which required network namespaces, carefully setup subnets, cpu pinning, a custom fio, etc. Docker was the quickest way to iterate on those.
Apparently there is a way to do something similar using podman/buildah.
Conclusion
This set of technologies clicked together in my head from that random github recommendation. Writing these in a blog post in unlikely case this ever comes in handy.