HN Reader

This seems like real black magic.

Is there any way that TinyKVM + KVM Server could ever be made to work with a GUI program? The sandboxing performance seems free and possibly safer than other solutions.

Instead of firejail or bubblewrap would it ever be possible for me to wrap say Firefox (or a much less complicated GUI program) inside of TinyKVM and restrict it to just network access and reading/writing to ~/Downloads? Likely a way more ambitious target than you had ever imagined, but I can dream.

I am wondering if I could default wrap every command on my terminal to run inside a TinyKVM, no network access, and only permissions to the current directory or below.

I was so confused by this article.

I was confusing it with TinyPilot, a hardware KVM made by an indie hacker Michael Lynch, that I think has since been acquired.

First I'd heard of this project; here's an introduction from the author: https://fwsgonzo.medium.com/tinykvm-the-fastest-sandbox-564a...

Could someone give a high-level overview of what this is and why you'd use it?

I'm pretty hopeful that the combination of per-request isolation and the new snapshot functionality we're currently working on will be a big step forward for those running server-side JS at scale.

Having each request start from the exact same program state should make reproducing and fixing production issues easier. In a way it combines the predictability of the CGI programming model with the speed of a warmed modern JIT runtime.

This is amazing! I am also a little bit obsessed with fast-booting kvm for per-request isolation, and have managed to get Linux to pid1 in 3.6ms, I am starting to go a little insane because I don't know how to measure the rest of the CPU time (would love a flamegraph somehow) -- the ftrace data just... confuses me

How does this compare to Amazon's Firecracker VM?

I spent a while mixing this up with PiKVM and was having trouble understanding how any of it would fit in with that project. Made a lot more sense once I got over that.

I got a question: in what scenarios is it vulnerable to use containers as a sandbox?

Does the "KVM" part have any connection to a KVM switch, or is it a different acronym?

This is great in how simple it seems. Cool.