I have been following ZeroVM since it's inception and often go to the website and stare longingly at my screen thinking of amazing things it could do (when coupled with OpenStack Swift to make "ZeroCloud"). If you look at my HN comment history you can see multiple articles about "serverless" where I tried to tell people about ZeroVM.
But they got bought by Rackspace (who originally open sourced Swift) in late 2013, and then their github account activity dropped to 0 by early 2015. Rackspace has probably one of the worlds largest Swift deployments, so maybe one day they will do some cool things with ZeroVM ala ZeroCloud but for now the forward movement of the project seems dead or at least proprietary :(
Other interesting implementations of the same concept include Joyents Manta, which is also open source and actually probably more flexible than ZeroCloud (you can SSH into your container).
Yeah the lack of further work on ZeroVM is unfortunate. You may be interested in https://github.com/openstack/storlets which is conceptually similar and is being actively developed.
I knew some of the devs (they were in the same TechStars Cloud group as the last company I worked for). Brilliant team that lost the wind in their sails after the acquisition.
Thanks for posting that. It was the exact question in my mind.
For anyone who's worked with it, does the fact that it's pure userspace have any negatives? Performance? What about access to system resources, opening sockets, etc.
I don't know anything about ZeroVM, but performance would only come into play when/if it crosses boundaries, and even then, only if the APIs at the boundary are slow. User space on Linux provides a lot of features to make crossing boundaries not slow. Zero copy write with sendfile(), efficient async I/O with epoll(), etc. are tools to allow user space applications to cross that boundary efficiently.
That said, user space file systems are slower than in-kernel file systems; at least, according to the data I've seen. But, I suspect ZeroVM will be used in ways that aren't quite the pathological case of a user-space filesystem under benchmark load.
As for access, Linux has a nice capabilities system to allow user space to access privileged resources as a non-privileged user and without being in ring 0 (if privileged access is even needed, which it likely won't be in the cases where this will be used, I would think). Again, this would still be through the public APIs, and not by acting like the kernel and hitting the hardware directly.
I don't think, or get the impression, that this would be used for full-system virtualization. It seems to be more targeted toward an AWS Lambda sort of usage pattern; a micro-VM that spins up to serve one API request, or to act as a long-running tiny daemon to do some housekeeping task. It looks like a fancy fork(), to me, rather than a competitor to Docker or LXC (and especially not KVM or Xen, which can run a whole Linux kernel in the VM).
> I don't think, or get the impression, that this would be used for full-system virtualization. It seems to be more targeted toward an AWS Lambda sort of usage pattern; a micro-VM that spins up to serve one API request, or to act as a long-running tiny daemon to do some housekeeping task. It looks like a fancy fork(), to me, rather than a competitor to Docker or LXC (and especially not KVM or Xen, which can run a whole Linux kernel in the VM).
Almost. With ZeroCloud (OpenStack Swift + ZeroVM + appropriate middleware), you should imagine Lambda+S3 in the same service! Your "function" executes much, much closer to the location of the data, it doesn't require "shipping" from the storage service to the compute service and back again. You can take in an object, perform a transform (e.g. text search, encryption, transcode, etc) and store the result as a new object.
If you think about it, it's kind of the future of large scale computing, immutable dataset + immutable compute, that can horizontally scale to huge numbers of nodes.
> With ZeroCloud (OpenStack Swift + ZeroVM + appropriate middleware), you should imagine Lambda+S3 in the same service!
Is that something that exists in a production form today? What's an example of the use case? I'm having trouble visualizing this "Your "function" executes much, much closer to the location of the data, it doesn't require "shipping" from the storage service to the compute service and back again." That sounds like going back to a monolithic model where data and functions are tightly coupled, but I assume I'm visualizing it wrong, since that would be moving backward.
Suppose you have a dataset big enough that it needs to be spread across a storage cluster. Now you'd like to run some kind of operation that's either completely parallel, or fits the map/reduce model. Maybe you have a petabyte worth of video files and you want to generate thumbnails, or extract metadata, or find all frames of video with text in them.
If compute is separated from storage, then all of that video data has to be streamed over the network from a storage node to a compute node before computation can even begin; the data is "shipped" to compute.
Presumably the function you want to execute is vastly smaller than the data. It would require much less time and bandwidth to run the function on the same node as the data it's accessing; no network overhead. Assuming you have an adequate balance between compute and storage, you get much lower latency access to the data.
Some downsides include
- running arbitrary code on your storage node means trusting your users or having very good sandboxing
- you now have to balance compute and storage on any given node
Joyent Manta is basically this. (https://www.joyent.com/manta) Bryan Cantrill has a good talk on why it's a useful thing. (I'd link it but I'm on mobile)
Then it's Software Fault Isolation (SFI) rather than a VM if it's NaCl-based. Sounds like just a bad, naming choice far as comprehensibility goes. Anyone curious about such tech can Google for that phrase plus "security" and "pdf." Throw in word "survey" for at least one paper with a summary of old methods.
I have always been a fan of ZeroVM. I had decided to take the task of adding multi-threaded support so that we'd have NaCL-enforced security and performance constraints, rather than depending upon the Linux kernel for the same. This turned out to be more complex for my skill levels and I gave up mid-way.
I recommend that you try out ZeroVM for your Python apps. I've seen great demos where Rackspace devs applied on-the-fly transformations to content being served from swift. e.g. one demo added watermarks to files, another transcoded video streams.
At a ZeroVM workshop in Atlanta at the OpenStack summit some years ago, one of the participants started a discussion with the ZeroVM devs about running ZeroVM apps via the firmware of SSD drives.
Unfortunately, this nice technology didn't quite catch on.
ZeroVM reduces the accepted X86 instructions and also restricts more syscalls than Google NaCl.
Per Google's NaCl devs, NaCl's restrictions result in an average of 10% drop in performance, though it's application specific. ZeroVM should result in slightly greater drop in performance given its restrictions.
To make this project viable they would have to re-build it around WebAssembly[1] instead. NaCl was conceived before WebAssembly emerged as the standard for binary executables for the web and is now in maintenance mode.
But they got bought by Rackspace (who originally open sourced Swift) in late 2013, and then their github account activity dropped to 0 by early 2015. Rackspace has probably one of the worlds largest Swift deployments, so maybe one day they will do some cool things with ZeroVM ala ZeroCloud but for now the forward movement of the project seems dead or at least proprietary :(
Other interesting implementations of the same concept include Joyents Manta, which is also open source and actually probably more flexible than ZeroCloud (you can SSH into your container).