Creating a development sandbox with crosvm
15 points by derat
If crosvm stops receiving updates at some point, I figure that I’ll just try to replicate my setup using a different hypervisor.
I haven't tried it, but Spectrum started off using crosvm for this and later switched to Cloud Hypervisor (https://spectrum-os.org/software/cloud-hypervisor/).
(I'm still using crosvm in my own setup - Qubes-lite with KVM and Wayland - but should probably move to something else too)
I've done quite a lot of R&D on this topic for a desktop-related project. muvm inside of bubblewrap is what we ended up with in terms of the VMM. It's easier to use than everything else and it just "feels right". You get a command to enter a different kernel but it feels like just entering a subshell on the host (with the same filesystem). If you want to sandbox the FS, just run it under bwrap.
That's a nice overview of the state of GPU support. It also makes me glad I haven't tried to get it working yet, since I have an AMD GPU and am using kernel 6.12. :-)
muvm sounds interesting. For my use case, I'm uneasy with the idea of automatically sharing the host filesystem with the VM (when I was using bwrap more heavily, my scripts for setting up environments were getting more complicated than I was comfortable with). This approach makes a lot of sense given a focus on being able to easily run mostly-trusted programs in their own microVMs, though.
Thanks, that's a super-interesting writeup! I'd been considering trying out Qubes OS for a while but hadn't thought through the GPU limitations (discussed more in this forum thread from early 2025). Not being able to easily share a GPU across multiple VMs sounds like it'd make it painful to use for a setup like yours, with different VMs for different tasks.
Thank you for the pointer to Cloud Hypervisor, too. That sounds like a credible alternative to try if/when I need to jump ship from crosvm.
(And just to mention it since I didn't see it until now, it looks like there's a Google-but-unofficial Rust rewrite of sommelier now. Not much activity there, though, so I'm not sure what the current state is.)