On 2024-05-22 16:47:51 +0100, Fabio Natali wrote:
> Hi,
>
> I'd like to run a small number of VMs on a single physical machine. The
> reason for using VMs is security, i.e. to get a strong level of
> isolation when deploying some services.
>
> Among the options I've been considering:
>
> + libvirt, which I understand would imply some manual (potentially non
>   declarative?) setup, beyond defining and bringing up the libvirt Guix
>   service.
> + Ganeti, which might be a bit of an overkill for this particular use
>   case.
> + Guix's 'least-authority-wrapper', which of course would give me
>   containerisation rather than virtualisation, so not really what I'm
>   looking for.
>
> I think libvirt is my favourite option so far but I was wondering if
> there's any further alternative that I haven't been considering.
>
> I think the ideal solution would be some wrapper similar to the
> least-authority one, but that spins up a VM rather than a container. I
> see there's 'virtual-build-machine-service-type' which of course
> wouldn't fit the bill, but it might be close to the idea of a VM-based
> wrapper?
>
> Any ideas or pointers to existing solutions are welcome.
If your main goal is strong isolation and security, you probably might want to take a look at firecracker[0]. Downside is non-existent support in Guix, not even a package.

The wrapper along the lines of least-authority is quite an interesting idea and I will likely explore it a bit, thank you.

0: https://github.com/firecracker-microvm/firecracker

> Thanks, best, Fabio.
>
> (I'd be grateful if you could CC me in if replying as otherwise I might
> miss your email.)
>
> --
> Fabio Natali
> https://fabionatali.com

Have a nice day,
Tomas Volf

--
There are only two hard things in Computer Science: cache invalidation, naming things and off-by-one errors.