Show HN: Sub-millisecond VM sandboxes using CoW memory forking

 (github.com)

94 points | by adammiribyan 15 hours ago

13 comments

  • cperciva 3 hours ago
    Don't forget about entropy! You've just created two identical copies of all of your random number generators, which could be very very bad for security.

    The firecracker team wrote a very good paper about addressing this when they added snapshot support.

    [-]
    • Retr0id 54 minutes ago
      I suppose it'd be easy enough to re-seed RNGs, but re-relocating ASLR sounds like a pain. (Although I suppose for Python that doesn't matter)
      [-]
      • hinkley 27 minutes ago
        Off the cuff, the first step to ASLR is don’t publish your images and to rotate your snapshots regularly.

        The old fastCGI trick is to buffer the forking by idling a half a dozen or ten copies of the process and initialize new instances in the background while the existing pool is servicing new requests. By my count we are reinventing fastCGI for at least the fourth time.

        Long running tasks are less sensitive to the startup delays because we care a lot about a 4 second task taking an extra five seconds and we care much less about a 1 minute task taking 1:05. It amortizes out even in Little’s Law.

  • crawshaw 3 hours ago
    Nice to see this work! I experimented with this for exe.dev before we launched. The VM itself worked really well, but there was a lot of setup to get the networking functioning. And in the end, our target are use cases that don't mind a ~1-second startup time, which meant doing a clean systemd start each time was easier.

    That said, I have seen several use cases where people want a VM for something minimal, like a python interpreter, and this is absolutely the sort of approach they should be using. Lot of promise here, excited to see how far you can push it!

    [-]
    • indigodaddy 3 hours ago
      simonw seems like he's always wanting what you describe, maybe more for wasm though
  • indigodaddy 3 hours ago
    Does this need passthrough or might we be able to leverage PVM with it on a passthrough-less cloud VM/VPS?
  • vmg12 4 hours ago
    Does it only work with that specific version of firecracker and only with vms with 1 vcpu?

    More than the sub ms startup time the 258kb of ram per VM is huge.

  • indigodaddy 3 hours ago
    Your write-up made me think of:

    https://codesandbox.io/blog/how-we-clone-a-running-vm-in-2-s...

    Are there parallels?

  • diptanu 3 hours ago
    The tricky part of doing this in production is cloning sandboxes across nodes. You would have to snapshot the resident memory, file system (or a CoW layer on top of the rootfs), move the data across nodes, etc.
    [-]
  • latortuga 2 hours ago
    Similar to sprites.dev?
  • jauntywundrkind 4 hours ago
    Mods: can we merge with https://news.ycombinator.com/item?id=47412812?
  • buckle8017 3 hours ago
    This is how android processes work, but it's a security problem breaking some ASLR type things.
  • handfuloflight 4 hours ago
    Can you run this in another sandbox? Not sure why you'd want to... but can you?
    [-]
    • wmf 4 hours ago
      It's pretty common to run VMs within containers so an attacker has to escape twice. You can probably disable 99% of system calls.
    • Teknoman117 4 hours ago
      Nested page tables / nested virtualization made it to consumer CPUs about a decade ago, so yes :)
  • justboy1987 38 minutes ago
    [dead]
  • codance 3 hours ago
    [dead]