<hannes>
and yes, you've to write your own tooling, but then you don't depend on qemu anymore (and reduce the attack surface even further) :)
<Ulrar>
Well you depend on ukvm instead, but I guess that's as small as you can get
<Ulrar>
Do you have any way to handle high availability ? You seem to mention there is no respawn of virtual machines, what happens if they crash, or if the server reboots for some reason ?
<Ulrar>
We have a bunch of proxmox clusters at work so HA is easy, just wondering how that would translate for ukvm
<hannes>
in albatross I'm working on a "persist" feature to have persistent (i.e. if host reboots or albatross dies) virtual machines
<Ulrar>
Ah, great
<hannes>
the "respawn on exit" is imho a very bad idea - can lead to easily starve the host resources, and if you've a system which fails every now and then, you better debug and fix it than use a very ad-hoc respawn mechanism
<Ulrar>
Sure, but at the same time for pro use you'd rather have it restart (and be notified) than having the service down, even if it's your fault
<hannes>
there's as well (not yet in code) the plan for having scaling up and down (some sort of expert system watching load of unikernels, and physical hosts, etc) -- also the multi-physical-machine thingy is not up yet
<hannes>
certainly the scale-up/scale-down thingy will do redeployments! :)
<Ulrar>
That's cool, I'll keep an eye on that
<Ulrar>
Not sure I'm going to convince people here to go for mirageos, but if I do we very well might try albatross
<hannes>
it's a very early prototype (which I use personally for my 11 mirageos unikernels)
<Ulrar>
My problem now is to convince people to learn ocaml
<hannes>
since I use it on FreeBSD, the monitoring part is FreeBSD only atm
<hannes>
:|
<hannes>
where's "here"?
<Ulrar>
And myself, I've been doing Haskell for so long I'm having trouble getting back into ocaml
<hannes>
haha, I usually take the intersection of OCaml and Haskell (i.e. explicit errors, monads for errors, immutable state, ...)
<Ulrar>
oh I work for a small french company, we do a bunch of stuff (websites, IT outsourcing ..) and I'm currently planning new projects. If I'm going to develop tools, might as well be with something cool like mirageos
<hannes>
yes! :D
<Ulrar>
I wanted to use HalVM at first, but I just can't stand Xen
<Ulrar>
so I've been playing a bit with mirageos, I like it
<Ulrar>
Just have to forget my Haskell habits. I keep using , for lists for example
<hannes>
I've just been working today on finally getting the automation with let's encrypt and MirageOS done... using dns challenge and an isolated unikernel (still needs some lines of code)
<Ulrar>
Every time the error mystifies me, before I realise it's just ; instead
<Ulrar>
What do you mean, what does that do ?
<Kensan>
Ulrar: I think there were plans to port HalVM to Solo5 but I am not sure if there has been progress...
<Ulrar>
Kensan: Yeah, I've been told that's on pause
<Ulrar>
They are focusing on their commercial applications for now
<Kensan>
Ulrar: afaiu HalVM is basically the spare-time project of Adam Wick
<hannes>
just sitting there, waiting for certificate signing requests to drop in (via dynamic dns updates), and once the csr is there, it communicates with let's encrypt endpoints to retrieve a certificate and puts it back into the dns... so the other unikernel which just wants to have a let's encrypt certificate does not need a http stack or acme implementation
<Ulrar>
Kensan: Yes, I suppose. Unfortunate that it's not getting more attention, but oh well
<Ulrar>
hannes: ah, interested
<Ulrar>
We don't use the dns update system at all currently
<Ulrar>
I mean, validation
<hannes>
Ulrar: took me only a year to reimplement DNS in a way i'm sufficiently happy with
<Ulrar>
Probably should, the http validation is always failing ..
<hannes>
the http validation also requires you to have a http server in the virtual machine... which i do not appreciate
<Ulrar>
I don't know, I've been using cohttp, seems simple enough
<Ulrar>
why don't you like it ?
<hannes>
(plus only dns validation is allowing for wildcard certificates, not that the ocaml-letsencrypt supports the acmev2 yet)
<Ulrar>
Yeah there is that
<hannes>
Ulrar: because I like to run (a) smtp servers, (b) dns servers using let's encrypt certificates, and do not like to depend on too many libraries (and cohttp feels big)
<Ulrar>
My biggest problem with the http validation is the client's .htaccess always messes it up
<hannes>
that as well
<hannes>
in the end i want the unikernel to send their certificate signing request in the dhcp request and the dhcp server sending a full certificate back :)
<Ulrar>
Ah, that's an interesting idea
<Ulrar>
I've been thinking about making an app that would do dhcp and tftp server, and would feed virtual machines their unikernel that way at boot
<Ulrar>
and then just start new VMs with a defined mac address from the hypervisor's api
<Ulrar>
That way I could handle X hypervisors dynamically
<hannes>
interesting thought, i had a similar one: have albatross run y virtual machines by default, and only provision them to their specific service once requested (in the same vein as jitsu etc.) -- this would minimise boot times even further
<Ulrar>
Ah, yeah, I loved the idea of spawning them on demand too
<Ulrar>
Don't know how realistic that is for real world use
<hannes>
but that would require some sort of execve (or at least memory mapped writable and executable) -- both which i don't want
<hannes>
so atm albatross deploys by a tls connection where the virtual machine image is embedded in the x.509 client certificate :)
<Ulrar>
Yeah, I read your blog post, but I'm not sure I understand everything I have to admit
<Ulrar>
I'll need to play with it a bit myself
<hannes>
pls go ahead and let me know if you have issues (either with code or docs) :)
<hannes>
I might be a bit too deep in asn.1 land ;)