Re: Virtualisation alternatives for deploying a small number of services

[Tomas Volf]

On 2024-05-22 16:47:51 +0100, Fabio Natali wrote:
> Hi,
>
> I'd like to run a small number of VMs on a single physical machine. The
> reason for using VMs is security, i.e. to get a strong level of
> isolation when deploying some services.
>
> Among the options I've been considering:
>
> + libvirt, which I understand would imply some manual (potentially non
>   declarative?) setup, beyond defining and bringing up the libvirt Guix
>   service.
> + Ganeti, which might be a bit of an overkill for this particular use
>   case.
> + Guix's 'least-authority-wrapper', which of course would give me
>   containerisation rather than virtualisation, so not really what I'm
>   looking for.
>
> I think libvirt is my favourite option so far but I was wondering if
> there's any further alternative that I haven't been considering.
>
> I think the ideal solution would be some wrapper similar to the
> least-authority one, but that spins up a VM rather than a container. I
> see there's 'virtual-build-machine-service-type' which of course
> wouldn't fit the bill, but it might be close to the idea of a VM-based
> wrapper?
>
> Any ideas or pointers to existing solution are welcome.

If your main goal is strong isolation and security, you probably might want to
take a look at firecracker[0].  Downside is non-existent support in Guix, not
even a package.

The wrapper along the lines of least-authority is quite an interesting idea and
I will likely explore it a bit, thank you.

0: https://github.com/firecracker-microvm/firecracker

>
> Thanks, best, Fabio.
>
> (I'd be grateful if you could CC me in if replying as otherwise I might
> miss your email.)
>
>
> --
> Fabio Natali
> https://fabionatali.com
>

Have a nice day,
Tomas Volf

--
There are only two hard things in Computer Science:
cache invalidation, naming things and off-by-one errors.

signature.asc
Description: PGP signature