I do owe you an email reply on that. I haven't forgotten that, just so you know.
But yes, Varnish Cache is not exactly what you would call Cloud Native.
Varnish Software have launched Pro currently on AWS only at a much lower price point, but it is still somewhat limited. I think that a Free-tier providing some of the goodies you mention would also cover much of what's needed for today's workloads including better memory management, in-core TLS and a better developer experience by having much better K8s support. Much of this could and should go into Varnish Cache, but that is a longer road as the project as such has a different focus than we do.
TinyKVM is certainly technology that in itself is rather groundbreaking, but it is obviously even more powerful in the context of request handling at lightning speed. But you are right, it could be used for other things.
Would you have read this if neither Deno, Varnish nor TinyKVM had been in the title? ;)
But we hear you. Will put a page on our website and should probably consider setting up a community site as well, as it is indeed grabbing some attention.
Sorry for not replying. But good to see you got your answer in the end.
Tip: although not entirely what you asked, but related: what about using more caching in your CI/CD pipeline? Customers see incredible time savings when using Varnish in that context (mostly with Enterprise w/MSE4, as you will need a massive cache, but it can be useful even with Varnish Cache grounding on your pipeline and workflow). If you are interested, read more here: https://www.varnish-software.com/solutions/data-ai-accelerat...
Well, almost. Even outside the above use case I'd still be interested in the capabilities TinyKVM needs and its overall security model & properties! There are far too many GitHub projects out there these days that claim to do sandboxing, and for an outsider it's very difficult to compare them security-wise.
> what about using more caching in your CI/CD pipeline.
The caching itself is not the issue. We already heavily cache image layers when building container images. The issue (one of them) is that on our platform AppArmor prevents containers from mounting anything, including overlayfs file systems. The latter, however, are needed for Docker/Podman to do proper image layering. The only non-mount alternative I'm aware of, Kaniko, avoids overlayfs but at the cost of a severe I/O and performance impact.
AFAIU this is because it manually detects changes in a given image layer by walking the directory tree. See also https://github.com/GoogleContainerTools/kaniko/issues/875
> I suspect what you are actually asking to implement an OCI runtime with TinyKVM
Yes, that's what I meant! :) Apologies for the confusion!
On a related note, since you know the author ;), what capabilities[0] do I need to run TinyKVM?
The reason I'm asking is that I'm interested in nesting containers. E.g., I have a CI pipeline whose jobs run in containers and these jobs are in turn supposed to build container images. Today, this is very difficult to do securely (i.e. using rootless containers and no privileges, possibly with AppArmor & seccomp enabled) because the average OCI runtime requires capabilities that the parent OCI runtime doesn't grant by default (or that AppArmor disables by default).
Now, I only know very little about virtualization, but I have been curious whether a virtualization-based sandbox might provide a way out here, since IIUC the capabilities of the guest process running inside the sandbox/VM get emulated to some degree and don't necessarily need to be backed by capabilities available to the VM process on the host.
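For the question above of which capabilities a nested runtime actually has to work with, here is an added example (not code from this thread, from Varnish Software or from TinyKVM) that decodes the Cap* bitmasks a process sees in /proc/self/status. The sample status text is constructed to match the default capability set Docker grants to an unprivileged container. mount(2), and therefore overlayfs, requires CAP_SYS_ADMIN in the user namespace that owns the mount namespace; that default set lacks it, and a capability missing from the bounding set (CapBnd) cannot be regained by any child runtime, which is the check a CI job can run before it even tries to build images.

```python
"""Decode Linux capability sets from /proc/<pid>/status.

Added example, not code from the thread or from any project named in it.
It parses the CapInh/CapPrm/CapEff/CapBnd/CapAmb lines, turns the hex
masks into capability names, and answers the practical question for a
nested-container CI job: is CAP_SYS_ADMIN (needed by mount(2)/overlayfs)
in the effective set, and could a child runtime ever regain it?
"""
import os
import re

# Capability numbers from include/uapi/linux/capability.h; the index in
# this list is the bit position in the mask (CAP_CHOWN = 0 ... CAP_CHECKPOINT_RESTORE = 40).
CAP_NAMES = [
    "chown", "dac_override", "dac_read_search", "fowner", "fsetid", "kill",
    "setgid", "setuid", "setpcap", "linux_immutable", "net_bind_service",
    "net_broadcast", "net_admin", "net_raw", "ipc_lock", "ipc_owner",
    "sys_module", "sys_rawio", "sys_chroot", "sys_ptrace", "sys_pacct",
    "sys_admin", "sys_boot", "sys_nice", "sys_resource", "sys_time",
    "sys_tty_config", "mknod", "lease", "audit_write", "audit_control",
    "setfcap", "mac_override", "mac_admin", "syslog", "wake_alarm",
    "block_suspend", "audit_read", "perfmon", "bpf", "checkpoint_restore",
]

# Constructed sample: the relevant lines of /proc/self/status as seen by a
# process in a Docker container started with default flags (no --privileged,
# no --cap-add). 0xa80425fb is Docker's default capability set.
SAMPLE_STATUS = """\
Name:\tsh
Umask:\t0022
State:\tS (sleeping)
CapInh:\t0000000000000000
CapPrm:\t00000000a80425fb
CapEff:\t00000000a80425fb
CapBnd:\t00000000a80425fb
CapAmb:\t0000000000000000
NoNewPrivs:\t0
Seccomp:\t2
"""

_CAP_LINE = re.compile(r"^(Cap(?:Inh|Prm|Eff|Bnd|Amb)):\s*([0-9a-fA-F]+)\s*$", re.M)


def parse_cap_sets(status_text: str) -> dict:
    """Return {set_name: int_mask} for every Cap* line found in the status text."""
    return {m.group(1): int(m.group(2), 16) for m in _CAP_LINE.finditer(status_text)}


def decode_mask(mask: int) -> list:
    """Turn a capability bitmask into capability names, lowest bit first.

    Bits beyond the known list (a newer kernel) are reported as cap_<number>
    instead of being silently dropped.
    """
    names = []
    bit = 0
    while (mask >> bit) != 0:
        if (mask >> bit) & 1:
            names.append("cap_" + CAP_NAMES[bit] if bit < len(CAP_NAMES) else f"cap_{bit}")
        bit += 1
    return names


def has_cap(mask: int, name: str) -> bool:
    """True if capability `name` (e.g. "sys_admin") is set in `mask`."""
    return bool((mask >> CAP_NAMES.index(name)) & 1)


def audit(status_text: str) -> dict:
    """Summarise what a nested OCI runtime could do with these capability sets."""
    sets = parse_cap_sets(status_text)
    eff = sets.get("CapEff", 0)
    bnd = sets.get("CapBnd", 0)
    return {
        "effective": decode_mask(eff),
        "bounding": decode_mask(bnd),
        # mount(2) needs CAP_SYS_ADMIN in the effective set right now...
        "can_mount": has_cap(eff, "sys_admin"),
        # ...and if it is not even in the bounding set, no exec or child
        # runtime can ever get it back without a new user namespace.
        "sys_admin_regainable": has_cap(bnd, "sys_admin"),
    }


def audit_self() -> dict:
    """Audit the calling process (Linux only; reads /proc/self/status)."""
    with open("/proc/self/status", encoding="ascii") as fh:
        return audit(fh.read())


if __name__ == "__main__":
    report = audit(SAMPLE_STATUS)
    print("effective:", ", ".join(report["effective"]))
    print("can mount overlayfs:", report["can_mount"])
    print("CAP_SYS_ADMIN still in bounding set:", report["sys_admin_regainable"])
    if os.path.exists("/proc/self/status"):
        print("this process can mount:", audit_self()["can_mount"])
```

Run it inside a CI job container; if `can_mount` is False and `sys_admin_regainable` is False, no amount of capability juggling by the nested runtime will make overlayfs available, and the only options left are a user-namespace-based or non-mount (Kaniko-style) approach, or a VM-backed sandbox as discussed above.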
I still believe the nexus needs to be described more clearly and more strongly in the story in order to support the title here on HN that it runs on top of Varnish. Even the blog title itself does not make such a claim.
Leaning towards making the modules/examples permissive, indeed.