Thank you for your response!
Looking at Capsicum, I think it has an even lower safety profile than
NaCl - my usecase might just run any beastly binary code, so the sandbox
wall needs to be the toughest you got, so using BHyVe here makes sense.
Also there's a "generality problem" - running x86 from scratch is a very
general problem, the instruction set doesn't change so there's no
version conflicts, the host program could be ported to other
environments maintaining guest binary compatibility and so on, so a safe
x86 sandbox makes a lot of sense.
Great news to hear that all of this can be done and is satisfactorily
much so within the scope BHyVe's intended use!
Right, so a VT-x takes time - if we're talking 2500 cycles per
roundtrip, then you get approx one million of them per second - fair
Though, as you point out this is a hardcore usecase indeed:
As you point out the VM is launched absolutely bare.
So then, strategies would need to be devised for how to run the code.
I guess this would range all the way from running a barebones memory
management and pthreads implemenation (both those exist at least for
amd64, if I got it right, not sure how up to date they are though),
..to running a minimal BSD/Linux kernel within the VM for maxing
Perhaps some neat memory dumping drick could be applied to zero the
BSD/Linux kernel boot time, i.e. the kernel doesn't boot but it's just
loaded from a hibernated memory image.
I guess the most critical thing about the BSD/Linux kernel option would
be how memory it consumes in itself, and that would need to be evaluated
Okay, so, there are two aspects to this problem now:
(1) The BHyVe specific parts, about how to use BHyVe's interfaces to
deliver the virtualization/sandbox aspect, and
(2) The guest specific parts, as in how run the intended
libraries/binaries as close to the metal as possible and with as low RAM
overhead as possible (and CPU overhead) within the sandbox.
I guess (2) is off-topic to this mailing list so should be looked into
If you have any spontaneous thoughts on that one though, of course feel
free to share them :)
And, (1) is on this ML's topic, so I can direct any subsequent questions
about that to here.
If you have any particular references with regard to header files, man
page or example program source files, feel free to pass them!
On 2014-12-07 04:25, Peter Grehan wrote:
Can the following under any circumstance be done with BHyVe?
Depends on how you define "any" :)
BHyVe_sandbox* s = BHyVe_createSandbox(100KB RAM, 2 CPU cores,void*
pointer to the audio codec binary code,int size of the same code);
and then pass in data for procedure invocation like BHyVe_call(s,
"encoder_iterate", my arguments);
bhyve provides what looks like a bare-metal system. While you can
inject code and register state (ala bhyveload/grub-bhyve), the code
has to be essentially an operating system, since the only interface
provided is hardware.
For example, to run with > 1 CPUs, you would have to program APIC
registers to startup up additional CPUs - very much less friendly than
pthread_create() in a POSIX environment.
And I'd have 50 000 of these running simultaneously on one machine,
their respective heap size is 100KB each so that's only 5GB RAM in
As I get more data to encode from the network from any of the 50 000
audio streams I'm listening to, I feed the respective audio encoder
instance with the respective data with it, reactively.
Key characteristics here are
* How light a BHyVe instance is (like, does a BHyVe instance require
allocation of any device file or FD otherwise), and
Not too much. It requires an amount of kernel memory for guest data
structures, maybe in the order of 10s of KBs.
* How lightweight trampolines between OS host process and guest code
You have to do a VT-x context switch into the guest each time you'd
want to run it - that's a few thousand cycles.
* I guess, if an OS scheduler context switch is needed for switching
between my host "my_audio_encoding_service_program.c" code and the
library code - can this be done like 100 000 times in a second.
It could be done, but perhaps something like FreeBSD's capsicum
sandboxing would be a better fit for this type of task than a VM.
That's not to day it couldn't be done, just that it's a lot of work
to get there.
email@example.com mailing list
To unsubscribe, send any mail to