It's very heavyweight, and there's no good shared filesystem option.
We did use virtualization for a bunch of stuff before the move to Apple Silicon, back when Hypervisor.framework and xhyve actually existed and were plausibly useful.
Those also fell by the wayside in the architecture migration and now virtualization has a massive performance cost.
Apparently the M4 chips are on ARMv9 which is apparently much better at virtualization, but it remains to be seen whether apple provides anything lightweight again.
Filesystem perf is definitely an issue, but cpu wise virtualization perf is basically free on Apple Silicon. I don’t know why you think Hypervisor.framework went away or became useless in the architecture migration. Obviously x86 VMs are slow, but we’ve been using arm64 VMs for years now with great results.
I guess your dainty, utopian senses are irrationally offended by something that works. Some types of virtualization offer hard isolation guarantees while cgroups, chroot, jails and the like provide pretend isolation lacking hard guarantees about either security or resource limits. KVM is tiny and so is Virtualization.framework. If you want perfect "containers", you're not going to find them anywhere because they try solve a problem (convenience, speed, and isolation) at the wrong level, in the wrong way. Type 1 Xen and VMware are the gold standards supporting all sorts of deduplication, replication, and migration options that containers can't touch. Type 2 Kata Containers is another option out there with stronger guarantees with the same interface as CRI. If these don't work for you, write a better solution that can divvy disk IOPS and latency, process manipulation, memory shares and bandwidth, network bandwidth and priority, and VFS fairly while sandboxing misbehaving processes from taking down other containers on the same host. I submit that these are essentially impossible goals with the architecture of Linux, which is why variants of virtualization providing paravirtualized guests is generally superior in providing service guarantees because there is out-of-band management exterior to fallible, DoSable containers.
burke|1 year ago
We did use virtualization for a bunch of stuff before the move to Apple Silicon, back when Hypervisor.framework and xhyve actually existed and were plausibly useful.
Those also fell by the wayside in the architecture migration and now virtualization has a massive performance cost.
Apparently the M4 chips are on ARMv9 which is apparently much better at virtualization, but it remains to be seen whether apple provides anything lightweight again.
plorkyeran|1 year ago
darklion|1 year ago
hi-v-rocknroll|1 year ago
I guess your dainty, utopian senses are irrationally offended by something that works. Some types of virtualization offer hard isolation guarantees while cgroups, chroot, jails and the like provide pretend isolation lacking hard guarantees about either security or resource limits. KVM is tiny and so is Virtualization.framework. If you want perfect "containers", you're not going to find them anywhere because they try solve a problem (convenience, speed, and isolation) at the wrong level, in the wrong way. Type 1 Xen and VMware are the gold standards supporting all sorts of deduplication, replication, and migration options that containers can't touch. Type 2 Kata Containers is another option out there with stronger guarantees with the same interface as CRI. If these don't work for you, write a better solution that can divvy disk IOPS and latency, process manipulation, memory shares and bandwidth, network bandwidth and priority, and VFS fairly while sandboxing misbehaving processes from taking down other containers on the same host. I submit that these are essentially impossible goals with the architecture of Linux, which is why variants of virtualization providing paravirtualized guests is generally superior in providing service guarantees because there is out-of-band management exterior to fallible, DoSable containers.