ZeroVM – Hyperscale Cloud Infrastructure (zerovm.org)
92 points by schwuk on July 30, 2014 | 20 comments


I wrote about a ZeroVM-on-Docker thing I was working on[1] in another thread just before this story showed up.

Note that ZeroVM isn't a conventional VM at all. All your software needs recompiling for it, and it is entirely deterministic (with all the positive and negative aspects of that).

For one set of use-cases this is very useful. I was looking at using it to run untrusted, user-submitted and potentially hostile code when a Docker container isn't sufficient on its own.

[1] https://news.ycombinator.com/item?id=8107151

The SELinux talk looks interesting. I spent a while trying to get SELinux and Docker working together[1]. I'll need to watch that.

[1] https://groups.google.com/forum/#!searchin/docker-user/SELin...

Does anyone use AppArmor in production? It isn't very visible.

Future hardware isolation: http://css.csail.mit.edu/6.858/2013/readings/intel-sgx.pdf

You may find MBox interesting:

Mbox is a lightweight sandboxing mechanism that any user can use without special privileges in commodity operating systems.


I had trouble running it in Ubuntu because of AppArmor.

Thanks. Looks like one of those voluntary rootkits that installs defensive code in a role that malware has been known to occupy. It's a good sign for AppArmor that it prevented it from running :)

I wouldn't have said it was much like a rootkit. It's more akin to a container or a chroot, except run without special permissions.

What am I missing? (Or is it just that some rootkits use ptrace/Seccomp?)

LSM, LXC, chroot, seccomp have well defined APIs for separation. My comment was referring to ptrace.

Interposing (i.e. violating API contracts) with ptrace is great for debugging or research prototypes, but the knowledge gained from that research needs to be made interoperable with existing APIs that have been battle tested. The paper said that ptrace/debug overhead is 100%; seccomp (an existing, non-debug API) reduces the need to use ptrace, halving runtime overhead.

Separately, a kernel exploit could break the "sandboxing" of ptrace or docker, hence the need for AppArmor and SELinux. Here is a year-old Windows article about breaking out of Adobe and Chromium; the principles are similar for Linux:
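The seccomp point in this comment is worth seeing concretely. The C program below is an added example, not code from the thread, ZeroVM or the Mbox paper: it builds a classic-BPF seccomp allowlist (read, write, exit, exit_group, rt_sigreturn; everything else fails with EPERM, and a syscall made under a foreign architecture ABI kills the process), includes a small user-space evaluator that walks the same instruction array to predict the kernel's verdict for a given syscall number, and installs the filter on the running process. The allowlist, the choice of EPERM over a kill for the default, and the names `build_filter`, `evaluate` and `decide` are this example's own; it assumes Linux with glibc headers on x86-64 or aarch64.

```c
#include <errno.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>

#ifndef SECCOMP_RET_KILL_PROCESS          /* older UAPI headers only have SECCOMP_RET_KILL */
#define SECCOMP_RET_KILL_PROCESS SECCOMP_RET_KILL
#endif

/* The filter must pin the ABI: syscall numbers differ between architectures
 * and between 32-bit compat and native entry on the same machine. */
#if defined(__x86_64__)
#define SANDBOX_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define SANDBOX_ARCH AUDIT_ARCH_AARCH64
#else
#error "add the AUDIT_ARCH_* value for this architecture"
#endif

/* Constructed allowlist for this example: enough for a program that only
 * reads stdin, writes stdout and exits. Anything else gets EPERM, which is
 * visible to the caller, rather than a tracer quietly rewriting the call. */
static const int allowed_syscalls[] = {
    __NR_read, __NR_write, __NR_exit, __NR_exit_group, __NR_rt_sigreturn,
};
#define NUM_ALLOWED (sizeof allowed_syscalls / sizeof allowed_syscalls[0])
#define FILTER_LEN (4 + NUM_ALLOWED + 2)   /* 4 fixed + one jeq per entry + ERRNO + ALLOW */

/* Emit the program: ld arch; jeq ARCH -> skip kill; ret KILL; ld nr;
 * jeq nr_i -> ALLOW for each allowed i; ret ERRNO(EPERM); ret ALLOW. */
static size_t build_filter(struct sock_filter *out) {
    size_t n = 0;
    out[n++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS,
                                            offsetof(struct seccomp_data, arch));
    out[n++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SANDBOX_ARCH, 1, 0);
    out[n++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS);
    out[n++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS,
                                            offsetof(struct seccomp_data, nr));
    for (size_t i = 0; i < NUM_ALLOWED; i++)   /* jt = distance to the final ALLOW */
        out[n++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K,
                                                (uint32_t)allowed_syscalls[i],
                                                (uint8_t)(NUM_ALLOWED - i), 0);
    out[n++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | EPERM);
    out[n++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW);
    return n;
}

/* Minimal interpreter for the three opcodes the filter uses, so the policy
 * can be unit-tested without installing it. Unknown opcodes are treated as fatal. */
static uint32_t evaluate(const struct sock_filter *prog, size_t len,
                         const struct seccomp_data *d) {
    uint32_t acc = 0;
    for (size_t pc = 0; pc < len; pc++) {
        const struct sock_filter *in = &prog[pc];
        switch (in->code) {
        case BPF_LD | BPF_W | BPF_ABS:
            memcpy(&acc, (const char *)d + in->k, sizeof acc);
            break;
        case BPF_JMP | BPF_JEQ | BPF_K:
            pc += (acc == in->k) ? in->jt : in->jf;
            break;
        case BPF_RET | BPF_K:
            return in->k;
        default:
            return SECCOMP_RET_KILL_PROCESS;
        }
    }
    return SECCOMP_RET_KILL_PROCESS;
}

/* Verdict for syscall `nr` made under `arch`, as the kernel would compute it. */
static uint32_t decide_on_arch(int nr, uint32_t arch) {
    struct sock_filter prog[FILTER_LEN];
    size_t len = build_filter(prog);
    struct seccomp_data d = { .nr = nr, .arch = arch };
    return evaluate(prog, len, &d);
}
static uint32_t decide(int nr) { return decide_on_arch(nr, SANDBOX_ARCH); }

/* Install on the calling thread. NO_NEW_PRIVS is mandatory for unprivileged
 * callers and stops the filter being used to confuse a later setuid exec. */
static int install_filter(void) {
    struct sock_filter prog[FILTER_LEN];
    struct sock_fprog fprog = { .len = (unsigned short)build_filter(prog), .filter = prog };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fprog);
}

int main(void) {
    if (install_filter() != 0) { perror("seccomp"); return 1; }
    errno = 0;
    long pid = syscall(SYS_getpid);            /* not on the allowlist */
    const char *msg = (pid == -1 && errno == EPERM)
        ? "getpid blocked with EPERM, as intended\n"
        : "unexpected: getpid was not blocked\n";
    write(STDOUT_FILENO, msg, strlen(msg));   /* write() only: stdio may need mmap/fstat */
    return 0;
}
```

Returning EPERM instead of killing makes a too-tight allowlist show up as an errno in the sandboxed program's logs rather than as an unexplained SIGSYS, which is the usual way to grow a policy during development; the architecture check stays a kill because a syscall through an unexpected ABI is never legitimate. After `main` returns, glibc only needs `write` and `exit_group`, which is why those are on the list.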


Can anyone more familiar with ZeroVM point out what's new?

Previous submissions/discussions:

Two years ago: https://news.ycombinator.com/item?id=3746222

About a year ago, acquisition by Rackspace: https://news.ycombinator.com/item?id=6588566

The similarities with Joyent's Manta are quite interesting:

(From January 2014): http://www.rackspace.com/blog/zerovm-design-summit-day-1-dig...

While I haven't played with Manta, the architecture really appeals to me -- it's nice to see more implementations along similar lines (but sadly, presumably, without zfs or equivalent ...).

I'm glad this exists. I wanted to do something similar, when I first heard about Native Client.

The link to the docs for zvsh and zvapp is broken: http://docs.zerovm.org/clitools.html#zvsh-and-zvapp

That's a big constant performance hit to take, even at scale. However, this would be great for a) untrusted code and b) another level of portability for writing C programs.

Ah! This was a TechStars Cloud^H^H^H Rackspace company that got bought by Rackspace.

I disagree on the ^H's. In practice, AWS and SoftLayer spent as much or more time with the 2013 class than the Rackspace people did. I don't know about 2012 though...

San Antonio was never an accidental or incidental choice of venue. It's also not a place where either AWS or SoftLayer has a major presence.

It's also hard not to think of it as TechStars Rackspace when you're in a space sponsored by Rackspace, run by a former Rackspace exec, in a building named for the Rackspace chairman, and in a program administered by a former Rackspace exec. With Rackspace sponsoring, of course.

I work for a company that was in the same class as ZeroVM. I'm not a founder but I was around for the second half of the 2013 program.

Of course Rackspace was involved but Cloud isn't a "powered-by" program like those with Sprint or Nike. Other than ZeroVM, I don't think Rackspace was seriously involved with any of the other companies in the class.

In my experience, Rackspace was pretty hands-off, both with Techstars and Geekdom in general. I think you're trying to insinuate something negative about their involvement when it was only (IMO) positive.

I was in the first class.

I'm not trying to insinuate anything negative. I just think TechStars Cloud might as well have been a "powered-by" program by another name.

I work on the team at Rackspace that partners with accelerators, i.e. TechStars. I can tell you there is solid competition from both Amazon and SoftLayer at Techstars and we have no extra/special influence in their accelerator.

Aside from being a pervasive presence, sure.
