upvote

points

by ilaksh3 hours ago |
comments
upvoteby nyrikki2 hours ago|
next
[-]
Are you looking for highly ephemeral nodes, where you are writing automation that will use the API to orchestrate it? Or do you just want small microVMs that you launch and kill?

Firecracker just has a ReSTful unix socket with a defined API and launches KVM vms with limited options.

For custom SMB I still think libvirt is a lower entry cost and may have transferable use cases to longer lived VMs, so you can just launch a qemu microvm[0] and use virsh and/or libvirt xml to set up the networking.

The ~400ms boot time of a qemu microvm vs ~120ms for firecracker may not be an issue for some loads, but qemu will also allow you a bit more density of placement than firecracker. qemu microvms will use a bit more memory individually, but they will also tend to use less real system memory with a larger number of microVMs.

It is all tradeoffs, and kata containers are yet another option that may apply depending on your use case.

You can run your own firecracker or qemu/kvm microvms on most instances that allow nested hypervisors, or on a local host. If cost containment is critical to you this is one possible way forward.

Really it just depends on if you want/need ReSTful control, or need to support short lived serverless functions, or if CLIs fit better and you many want to support full VMs.

They both are just Virtual Machine Monitors that targeted different use cases and decided on different tradeoffs.

Just be careful about hosting traditional containers and microVMs on the same system, that config is going to be problematic do to fundamental reasons that are too complex to properly address here.

[0] https://www.qemu.org/docs/master/system/i386/microvm.html

reply
upvoteby ilaksh2 hours ago|
parent|
[-]
Thanks. I just looked into qemu microvms. Might be an option but I already have gvisor set up.
reply
upvoteby dbmikus3 hours ago|
prev|
next
[-]
Why do you want to self-host vs. using one of the many providers out there?

Daytona, E2B, OpenComputer, Freestyle, Blaxel, Vercel, Modal, Cloudflare, Tensorlake, Superserve, etc. etc.

Some of them work by pre-purchasing credits, so you can control the blast radius of spend.

Also, if you want a more embedded sandbox runtime as a library instead of a daemon + REST API, you can check out libkrun (and friendly layers on top of it like https://microsandbox.dev/ and https://smolmachines.com/)

reply
upvoteby khurs3 hours ago|
parent|
next
[-]
self host = better spec machine for same price.
reply
upvoteby rvz2 hours ago|
parent|
prev|
[-]
Even with the Hetzner price increase, it is still far cheaper than all of them with self-hosting.
reply
upvoteby coppsilgold2 hours ago|
prev|
next
[-]
The simplest worthwhile DIY sandbox you can have is to layer two tools: bwrap and gvisor.

    bwrap args -- gvisor args do args -- /path/sandboxee args
bwrap will set up the environment and then gvisor elevates it into a true sandbox.

Standalone gvisor (not the 'do' subcommand) used to be a mess with the OCI json requirement, but recently they began work on presenting their own bwrap interface (likely to pursue AI agent uses) though I wouldn't use it myself yet.

People often look down on gvisor because they think it's some kind of syscall filter, it is not. It can use one of ptrace, seccomp or even KVM to intercept ALL syscalls and service them with it's own logic (which is in Go). Basically it's a VMM and kernel in one.

reply
upvoteby vidarh3 hours ago|
prev|
next
[-]
Hetzner is still cheap compared to AWS.
reply
upvoteby magnio3 hours ago|
parent|
next
[-]
Yeah, the big 3 cloud markup is so high that most VPS providers can hike price 10x and they are still cheaper.
reply
upvoteby vmg122 hours ago|
parent|
prev|
[-]
You can't run firecracker on AWS.
reply
upvoteby tmzt1 hours ago|
parent|
next
[-]
You can with the newer instances that suport nested VM. There was a recent story about this here https://news.ycombinator.com/item?id=48556561.
reply
upvoteby otterley1 hours ago|
parent|
prev|
[-]
Yes you can.
reply
upvoteby alexellisuk3 hours ago|
prev|
next
[-]
For self-hosting, have a look at what we're building with SlicerVM.com (disclosure: I'm the founder). Also runs just as well on Apple Silicon.

We run quite a few Slicer instances on mini PCs and Ryzen builds - also on Hetzner (and yes ouch 120 EUR / mo up to ~ 550 EUR / mo for 16core / 128GB RAM feels almost unfair)

reply
upvoteby ilaksh1 hours ago|
parent|
[-]
Interesting. How does this compare to Firecracker? Also PhoenixNap looks really interesting. Do you happen to know if Linux software compatibility holds up on Ampere? 80 cores for $400 a month seems pretty good.
reply
upvoteby Multicomp3 hours ago|
prev|
next
[-]
This reminds me of Fly.io's model off the top of my head, though its not a self-hosted firecracker as such.
reply
upvoteby ilaksh1 hours ago|
parent|
[-]
I specifically complained to a fly.io staff on here about their "gotcha, b*tch" usage based pricing which they basically copied from AWS, and they stood by it and other people here backed them up. No one is giving me a pile of free money, so I can't risk that kind of thing.
reply
upvoteby CuriouslyC3 hours ago|
prev|
[-]
Cloudflare is cost effective for certain types of workloads, I've heard of businesses getting surprisingly far on the $5/mo worker plan.
reply
upvoteby Multicomp3 hours ago|
parent|
[-]
At my day job, workers and sqlite-backed durable objects that quickly hibernate and quickly resume are quite nice, I prefer that to standard lambda.
reply