[HN Gopher] An Update on TinyKVM
___________________________________________________________________
An Update on TinyKVM
Author : ingve
Score : 31 points
Date : 2025-10-25 20:51 UTC (2 hours ago)
(HTM) web link (fwsgonzo.medium.com)
(TXT) w3m dump (fwsgonzo.medium.com)
| 3eb7988a1663 wrote:
| This seems like real black magic.
|
| Is there any way that TinyKVM + KVM Server could ever be made to
| work with a GUI program? The sandboxing performance seems free
| and possibly safer than other solutions.
|
| Instead of firejail or bubblewrap would it ever be possible for
| me to wrap say Firefox (or a much less complicated GUI program)
| inside of TinyKVM and restrict it to just network access and
| reading/writing to ~/Downloads? Likely a way more ambitious
| target than you had ever imagined, but I can dream.
|
| I am wondering if I could default wrap every command on my
| terminal to run inside a TinyKVM, no network access, and only
| permissions to the current directory or below.
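The "no network, current directory only" wrapper this comment asks for is what bubblewrap (one of the tools the comment mentions) already does for a process tree, so here is that baseline as an added example. This is not code from the thread, from TinyKVM or from the bubblewrap project; it assumes `bwrap` is installed and that unprivileged user namespaces are enabled. The `sandbox_run` name and the `SANDBOX_DRY_RUN` variable are this example's own.

```shell
#!/bin/sh
# Added example: a "cwd only, no network" command wrapper built on bubblewrap.
# Not from the thread or from TinyKVM; assumes bwrap is installed and
# unprivileged user namespaces are enabled.
#
# sandbox_run CMD [ARGS...] runs CMD with:
#   - /usr and /etc mounted read-only, plus the usual /lib, /lib64, /bin symlinks
#   - only the current directory writable (bound at the same absolute path)
#   - a private /tmp, /proc and /dev
#   - no network and fresh PID/IPC/UTS/user namespaces (--unshare-all)
#   - --new-session, so the child cannot push keystrokes into our tty (TIOCSTI)
#   - --die-with-parent, so nothing outlives the shell that launched it
# With SANDBOX_DRY_RUN=1 it prints the assembled argv (one argument per line)
# instead of executing it, which is how to audit exactly what gets exposed.
sandbox_run() {
    dir=$(pwd -P)
    # "the current directory" must not silently become the whole filesystem or
    # the whole home directory; refuse rather than bind those.
    case "$dir" in
        /|"$HOME") echo "sandbox_run: refusing to expose $dir" >&2; return 2 ;;
    esac
    set -- bwrap \
        --ro-bind /usr /usr \
        --ro-bind /etc /etc \
        --symlink usr/lib /lib \
        --symlink usr/lib64 /lib64 \
        --symlink usr/bin /bin \
        --proc /proc \
        --dev /dev \
        --tmpfs /tmp \
        --bind "$dir" "$dir" \
        --chdir "$dir" \
        --unshare-all \
        --new-session \
        --die-with-parent \
        -- "$@"
    if [ "${SANDBOX_DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$@"
        return 0
    fi
    "$@"
}

# Usage: sandbox_run make, or SANDBOX_DRY_RUN=1 sandbox_run make to inspect first.
```

Two caveats a practitioner should keep in mind when comparing this with the TinyKVM idea: the sandboxed process still talks to the host kernel directly, so the attack surface is the full Linux syscall interface rather than an emulated subset, and `--ro-bind /etc /etc` exposes whatever world-readable configuration lives there, which is usually acceptable for build tools but not for everything.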
| wmf wrote:
| It sounds like you're talking about Qubes.
| jchw wrote:
| That really isn't unreasonable at all IMO, it's just that it
| might be hard to do with userspace syscall emulation, since
| graphical programs will likely need a lot more of the syscall
| surface. For X11 and Wayland, you'll need some way of handling
| UNIX domain sockets. Wayland applications will require shared
| memory too, though you could get away with something like
| Waypipe instead to serialize everything. You'd probably want
| some sort of intermediary between any X11/Wayland
| communications anyways, just to add additional isolation.
|
| It might be easier to adapt gVisor to handle this sort of
| workload. Adjacent comment mentions Qubes which does the same
| thing but uses an entire guest kernel.
|
| (If you are creative enough, you can probably come up with some
| solutions. Qt apps could be made to work with a custom QPA that
| can somehow funnel information in and out of the sandbox. You
| could definitely run something like Waypipe or Xpra in the
| sandbox too, but again I imagine those would wind up requiring
| a much greater degree of emulation. It's not like I've actually
| _tried_ this, though, so I could be off.)
| rolandog wrote:
| You can do this with Guix [0], with the added benefit of
| package reproducibility.
|
| [0]: https://www.futurile.net/2023/04/29/guix-shell-virtual-
| envir...
| laurencerowe wrote:
| I'm pretty hopeful that the combination of per-request isolation
| and the new snapshot functionality we're currently working on
| will be a big step forward for those running server-side JS at
| scale.
|
| Having each request start from the exact same program state
| should make reproducing and fixing production issues easier. In a
| way it combines the predictability of the CGI programming model
| with the speed of a warmed modern JIT runtime.
___________________________________________________________________
(page generated 2025-10-25 23:00 UTC)