Show HN: Smol machines – subsecond coldstart, portable virtual machines
Smol machines introduces lightweight, portable virtual machines with sub-second cold starts, aiming to provide hardware isolation with container-like ergonomics. HN is abuzz, weighing its potential to streamline development and deployment against established container solutions like Docker and Firecracker. The project stands out for its unique blend of performance, portability, and strong isolation guarantees for untrusted code.
The Lowdown
Smol machines is a command-line interface (CLI) tool designed to manage and run custom Linux virtual machines, emphasizing speed, portability, and isolation. It offers sub-second cold start times, cross-platform compatibility on macOS and Linux, and elastic memory usage.
- Core Functionality: Enables users to create and manage custom Linux virtual machines locally, featuring rapid cold starts and efficient resource utilization.
- Portability: Allows packing a complete, stateful virtual machine into a single `.smolmachine` file, which can be rehydrated and run on any supported host architecture.
- Key Use Cases:
- Sandboxing Untrusted Code: Provides hardware-isolated environments for running potentially malicious software, with granular control over network access.
- Portable Executables: Transforms complex workloads into self-contained binaries, bundling all dependencies to eliminate installation steps and ensure consistent execution.
- Persistent Development Environments: Supports creating persistent VMs where installed packages and configurations survive restarts, simplifying development workflows.
- Secure Authentication: Facilitates secure use of Git and SSH by forwarding the host's SSH agent into the VM without exposing private keys.
- Declarative Configuration: Utilizes a `Smolfile` (TOML-based) for reproducible and version-controlled VM environment definitions.
- Technical Underpinnings: Leverages native hypervisor frameworks (Apple's Hypervisor.framework on macOS, KVM on Linux) coupled with `libkrun` and a custom `libkrunfw` kernel. It employs virtio balloon for elastic memory and intelligent vCPU management for near-zero idle cost.
- Competitive Landscape: Positioned as an alternative to traditional containers, QEMU, Colima, and Firecracker, offering distinct advantages in isolation, boot time, and artifact portability.
In essence, Smol machines presents a novel approach to software packaging and execution, blending the lightweight nature and developer experience of containers with the robust isolation and portability of full virtual machines.
The Gossip
Contender Comparisons
Discussion revolves around how Smol machines compares to existing technologies like Docker, Firecracker, and other micro-VM projects. The author clarifies their motivation to improve upon Firecracker's design for broader use cases, sparking debate on whether it's truly a "replacement" or a complementary tool, particularly concerning Docker's widespread adoption.
Performance Prowess
Users expressed significant interest in the claimed sub-second cold start times, inquiring about the underlying technical methods. The author explained the approach involves brute-force trimming unnecessary Linux kernel modules. Other contributors shared their experiences achieving similar rapid boot times in related projects.
Feature Focus & Future Frontiers
The community actively explored potential use cases for Smol machines, from packaging JVM apps to sandboxing AI models. Users also inquired about planned features, specifically GPU passthrough (which is actively being worked on), Windows support (via WSL), and the capability for inter-machine piping, which the author confirmed is already functional.
Security Scrutiny & Isolation Intricacies
A critical theme emerged concerning the security model of `libkrun`, which Smol machines utilizes. Commenters highlighted that `libkrun`'s default security model assumes the guest and VMM share the same security context, necessitating host-level security features like namespaces for true isolation, prompting questions about the project's overall security guarantees.
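As an added illustration of the `libkrun` concern above (not code from the Smol machines project): a POSIX shell check, assumed to run on a Linux host, that reports which namespaces a given VMM process still shares with the host shell, so a defender can verify the process really is confined before trusting it with untrusted guests.

```shell
#!/bin/sh
# Compare the namespace identities of a process (e.g. a libkrun-based VMM)
# with those of this shell. If the VMM shares them all, it lives in the
# host's security context and only the hypervisor boundary separates the
# guest from the host.

# Print the namespace types that PID shares with the current shell.
# Reading /proc/PID/ns/* of another user's process may be denied; such
# namespaces are skipped rather than reported.
shared_namespaces() {
    pid="$1"
    shared=""
    for ns in user mnt net pid ipc uts cgroup; do
        [ -e "/proc/$pid/ns/$ns" ] || continue
        mine=$(readlink "/proc/$$/ns/$ns" 2>/dev/null) || continue
        theirs=$(readlink "/proc/$pid/ns/$ns" 2>/dev/null) || continue
        [ "$mine" = "$theirs" ] && shared="$shared $ns"
    done
    printf '%s\n' "${shared# }"
}

# Exit 0 when PID is separated from this shell in the namespaces that matter
# most for confining a VMM (user, mnt, net, pid); exit 1 otherwise.
is_namespace_isolated() {
    shared=$(shared_namespaces "$1")
    for ns in user mnt net pid; do
        case " $shared " in
            *" $ns "*) return 1 ;;
        esac
    done
    return 0
}

# Usage: ./nscheck.sh <pid-of-vmm>
if [ -n "$1" ]; then
    printf 'PID %s shares with this shell: %s\n' "$1" "$(shared_namespaces "$1")"
    if is_namespace_isolated "$1"; then
        echo "isolated in user/mnt/net/pid namespaces"
    else
        echo "NOT isolated: VMM shares the host security context"
    fi
fi
```

A VMM started plainly from the shell reports every namespace as shared; one launched under `unshare` or a container runtime should report none of user, mnt, net or pid.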