zlacker

[return to "We replaced Firecracker with QEMU"]
1. gwd+j3 2023-07-10 14:29:35
>>hugodu+(OP)
Listen people, Firecracker is NOT A HYPERVISOR. A hypervisor runs right on the hardware. KVM is a hypervisor. Firecracker is a process that controls KVM. If you want to call firecracker (and QEMU, when used in conjunction with KVM) a VMM ("virtual machine monitor") I won't complain. But please please please, we need a word for what KVM and Xen are, and "hypervisor" is the best fit. Stop using that word for a user-level process like Firecracker.
2. Muffin+Qc 2023-07-10 15:10:45
>>gwd+j3
> virtual machine monitor

Is it good to think of libvirt as a virtual machine monitor, or is that more "virtual machine management"?

3. zbroze+Yf 2023-07-10 15:24:01
>>Muffin+Qc
I'd love to get a clear explanation of what libvirt actually does. As far as I can tell it's a qemu argument assembler and launcher. For my own use-case, I just launch qemu from systemd unit files:

https://wiki.archlinux.org/title/QEMU#With_systemd_service

4. bonzin+dp 2023-07-10 16:06:54
>>zbroze+Yf
The main important point is that Libvirt takes care of privilege separation.

It makes sure that if your VM and/or QEMU are broken out of, there are extra layers to prevent getting access to the whole physical machine. For example it runs QEMU as a very limited user and, if you're using SELinux, the QEMU process can hardly read any file other than the vm image file.

By contrast the method in the arch wiki runs QEMU as root. QEMU is exposed to all sorts of untrusted input, so you really don't want it to run as root.

Libvirt also handles cross machine operations such as live migration, and makes it easier to query a bunch of things from QEMU.

For more info see https://www.redhat.com/en/blog/all-you-need-know-about-kvm-u...
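A quick way to check a host for the two properties this comment describes (QEMU not running as root, and confined by SELinux when libvirt manages it). This is an added example, not code from the thread or from libvirt; it assumes the `ps -eo pid,user,label,args` column layout and that libvirt's sVirt policy gives guest processes the SELinux type `svirt_t`. The listing embedded below is constructed, not captured from a real machine.

```python
"""Audit a `ps -eo pid,user,label,args` listing for QEMU processes that lack
privilege separation: running as root, or not confined by an sVirt label."""
import re
import subprocess

# Constructed sample listing (not from a real host). On a non-SELinux host the
# LABEL column prints "-", which the audit treats as "not confined".
SAMPLE_PS = """\
  PID USER     LABEL                                     COMMAND
  811 root     system_u:system_r:init_t:s0               /usr/lib/systemd/systemd
 1402 root     unconfined_u:unconfined_r:unconfined_t:s0 /usr/bin/qemu-system-x86_64 -m 2048 -drive file=/vms/arch.qcow2
 1577 qemu     system_u:system_r:svirt_t:s0:c118,c507    /usr/bin/qemu-system-x86_64 -name guest=web01 -m 4096
 1630 libvirt+ system_u:system_r:svirt_t:s0:c311,c842    /usr/libexec/qemu-kvm -name guest=db01
 2001 alice    unconfined_u:unconfined_r:unconfined_t:s0 /usr/bin/qemu-system-x86_64 -m 1024 -cdrom test.iso
"""

PS_LINE = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\S+)\s+(.*)$")
# Assumption about the host policy: libvirt labels each guest's QEMU process
# with type svirt_t plus a per-VM pair of MCS categories.
CONFINED_TYPES = {"svirt_t"}


def audit_qemu(ps_output):
    """Return [(pid, user, finding), ...] for every QEMU process that runs as
    root or is not SELinux-confined. An empty list means nothing was flagged."""
    findings = []
    for line in ps_output.splitlines():
        m = PS_LINE.match(line)
        if not m:
            continue  # header row or unparseable line
        pid, user, label, args = m.groups()
        exe = args.split()[0] if args else ""
        if not re.search(r"qemu(-system-\S+|-kvm)?$", exe):
            continue
        problems = []
        if user == "root":
            problems.append("runs as root")
        # SELinux label layout is user:role:type:level[:categories]; take the type.
        parts = label.split(":")
        seltype = parts[2] if len(parts) >= 3 else None
        if seltype not in CONFINED_TYPES:
            problems.append(f"not confined (type={seltype or 'none'})")
        if problems:
            findings.append((int(pid), user, "; ".join(problems)))
    return findings


if __name__ == "__main__":
    live = subprocess.run(["ps", "-eo", "pid,user,label,args"],
                          capture_output=True, text=True, check=True).stdout
    for pid, user, why in audit_qemu(live):
        print(f"pid {pid} ({user}): {why}")
```

Run with no arguments to audit the current host; the two libvirt-style entries in the sample pass, while the root-owned and unconfined user-launched instances are flagged.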
