Comment by antonvs

7 days ago

Why a VM as opposed to just a container?

Containers are more flexible, especially in cloud environments. You can run containers on a cloud VM, or in a managed cloud cluster. Micro VMs can’t typically be used that way.

(I work at a SaaS that relies heavily on this model.)

We thought about using a container too. Easier to set up and everything. But it seems like microVMs give better isolation, and companies like Manus are also using VMs instead of containers.

Any chance we can talk about this in detail?

  • Sure, happy to discuss in detail, here or in email (where we can arrange anything else.) Base64 decode the value in my profile a couple of times (sorry for the inconvenience.)

    Re isolation, my question would be, what's the threat model? Despite the theoretical risks, for example, cloud providers run user containers on their managed clusters and other services. Of course, those services and the containers they run are locked down in various ways, but that can be replicated if you're running on bare metal.

    Especially if you're going to be running in the cloud, microVMs will hurt you in terms of performance, because you'll be running your own VMs within the cloud provider VMs. Similarly, using microVMs makes it harder if not impractical to take advantage of orchestrators like Kubernetes.

    If you're running on bare metal, then it's probably not the best idea to run containers directly on e.g. an un-hardened Linux. You'd be better off running something like k8s for container management, and run that on a container-specific OS like Flatcar.

    In that scenario, I suppose the advantage of a microVM is mainly that it could help protect you from threats you may not have considered - after all, you and I aren't AWS or Google. But pragmatically, I think the disadvantages of micro VMs outweigh the largely theoretical risks.
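The reply above says the lockdown that cloud providers apply to user containers "can be replicated" when you run k8s yourself, but does not say what that lockdown looks like. As an added example that is not part of the thread, the script below audits a Kubernetes Pod spec for the securityContext controls such lockdown usually relies on (non-root, seccomp, no privilege escalation, dropped capabilities, read-only root filesystem, no host namespaces, no auto-mounted service account token). Both pod specs are constructed for illustration and the image reference is a placeholder; the check list itself is this example's own, not a published benchmark.

```python
"""Audit a Kubernetes Pod spec for common container hardening controls.
Added example, not code from the thread. Pod specs below are constructed."""

# Constructed sample: a pod that relies on the permissive Kubernetes defaults.
PERMISSIVE_POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "sandbox-default"},
    "spec": {
        "containers": [
            {"name": "app", "image": "example.invalid/sandbox:1"}  # placeholder image
        ]
    },
}

# Constructed sample: the same pod with a restrictive security context.
HARDENED_POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "sandbox-hardened"},
    "spec": {
        "automountServiceAccountToken": False,
        "hostNetwork": False,
        "hostPID": False,
        "securityContext": {
            "runAsNonRoot": True,
            "seccompProfile": {"type": "RuntimeDefault"},
        },
        "containers": [
            {
                "name": "app",
                "image": "example.invalid/sandbox:1",  # placeholder image
                "securityContext": {
                    "allowPrivilegeEscalation": False,
                    "privileged": False,
                    "readOnlyRootFilesystem": True,
                    "capabilities": {"drop": ["ALL"]},
                },
            }
        ],
    },
}


def container_findings(pod_sc, container):
    """Return hardening gaps for one container, honouring pod-level defaults."""
    sc = container.get("securityContext", {})
    findings = []
    # runAsNonRoot and seccompProfile may be set at pod or container level;
    # a container-level value overrides the pod-level one.
    if not sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot", False)):
        findings.append("runAsNonRoot not set")
    seccomp = sc.get("seccompProfile", pod_sc.get("seccompProfile", {}))
    if seccomp.get("type") not in ("RuntimeDefault", "Localhost"):
        findings.append("seccompProfile not RuntimeDefault/Localhost")
    if sc.get("privileged", False):
        findings.append("privileged container")
    # allowPrivilegeEscalation defaults to true unless explicitly set to false.
    if sc.get("allowPrivilegeEscalation", True):
        findings.append("allowPrivilegeEscalation not disabled")
    if not sc.get("readOnlyRootFilesystem", False):
        findings.append("root filesystem writable")
    drops = sc.get("capabilities", {}).get("drop", [])
    if "ALL" not in drops:
        findings.append("capabilities not dropped (drop: [ALL])")
    return [f"{container['name']}: {f}" for f in findings]


def audit_pod(pod):
    """Return a list of findings; an empty list means every check passed."""
    spec = pod["spec"]
    findings = []
    # Shared host namespaces and an auto-mounted service account token widen
    # the blast radius of a compromised container toward node and control plane.
    for key in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(key, False):
            findings.append(f"pod: {key} enabled")
    if spec.get("automountServiceAccountToken", True):
        findings.append("pod: service account token auto-mounted")
    pod_sc = spec.get("securityContext", {})
    for c in spec.get("containers", []):
        findings.extend(container_findings(pod_sc, c))
    return findings


if __name__ == "__main__":
    for pod in (PERMISSIVE_POD, HARDENED_POD):
        result = audit_pod(pod)
        print(f"{pod['metadata']['name']}: {'OK' if not result else ''}")
        for finding in result:
            print("  -", finding)
```

Running it lists six gaps for the default pod and none for the hardened one. The same checks can be enforced at admission time rather than audited after the fact, which is the "locked down" posture the reply refers to; the microVM question then becomes whether the residual kernel attack surface left after these controls fits your threat model.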