OPS VS talos

I am a bit confused, there are three sites:

* https://nanos.org/

* https://nanovms.com/

* https://ops.city/

And I am not sure what "thing" I am using. Is there some disambiguation? I know is OPS is the orchestration CLI, but I am confused at the difference between Nanos and NanoVMs. What should I call the section of my README that deals with this tech? Currently gone with Nanos/OPS but I am confused.

Sorry - just now seeing this.

We don't have any $7/unikernel offerings out there at all. We do have a desktop app that costs $7.

As for your other comment - one of the really awesome things about unikernels is that you don't have to roll your own infrastructure.

The way these are made is that all the infrastructure management is pushed onto the cloud of choice.

I'd highly encourage you to if you haven't to download https://ops.city and try to deploy something to GCP or AWS or wherever - it's free and would answer a lot of questions/assumptions you might have.

I've been looking at a few.

https://github.com/cloudius-systems/osv

https://ops.city/ (also nanovms) - this is one that I actually got working to at least demo state

I work with https://nanos.org && https://ops.city - we can run thousands of these on commodity hardware.

Might be a rhetorical question but are you on the cloud?

If so what language, apps are you running? I'd encourage you to take a look at https://ops.city && see if that is something that would work well for your use-case. It effectively turns your application into a server with no ability to run other programs on it and doesn't even have the notion of users or the ability to ssh in. The auditing requirements you are looking for go way down too as most of the things like "open a port", "log when rm -rf ~/.bash_history", or things like that simply don't happen. We actually measured the security controls from the the STIGs that are referenced in the other post and were seeing up to 70% reduction in them when deploying like this versus a deb/ubuntu instance, not to mention you don't have a half-dozen different interpreters, tens of users, thousands of shared libraries, etc.

Happy to answer any questions as I'm one of the authors/maintainers.

Definitely agree with the top part, however, I should note that, ops, the tool's, whole existence is to create disk images and upload them to any cloud, any hypervisor.

In particular, both https://ops.city && https://nanos.org are Go unikernels running on GCP and their deploys take just a few seconds to push out. AWS can be even faster cause we skip the s3 upload part. We also have lots of people using Azure which would be utilizing vhdx.

Translating x86 -> arm or vice-versa is always going to be slow. No amount of software will ever overcome that. If you are using arm you really need to embrace it. Running x86 on arm is only a hack - whether it's apple or some random github - it will only ever be a hack. It is one thing to dev on arm and deploy to x86 but expecting x86 to perform remotely close to the same exp on arm isn't something that's going to happen.

Having said that..

If you really want to run x86 images on arm, and while we're definitely not 1:1 with docker (and don't want to be) we're interested in people's experiences with https://ops.city as there is native hardware accelerated arm support and x86 on arm. (I'm with the company behind it.) It's definitely going to be more performant than a docker image since docker/k8s not only rely on a full blown linux but also abuse iptables, et al. It also has support for bridging (outside of the vm) and 9pfs so that would help alleviate your pain.

I'm with that organization that works on https://nanos.org and https://ops.city . If you aren't a software engineer but still would like to use unikernels you're in luck - we also have a package repository at https://repo.ops.city/ (running as a go unikernel on GCP) that will allow you to run and deploy pre-made applications. If you don't see something that you'd like to us there's also a way of importing docker containers into unikernels via ops which works for most (but not all) applications.

For instance the filesystems have no permissions because there are no users because it is only running one process. Linux is ~30M LOC and half of that is drivers. When you deploy to a cloud you only really need a handful of drivers - something to talk to the disk, the network, a clock, etc. That's very different than deploying to bare metal servers where you have hundreds of different nics, usb, disk drives, etc. .... but it goes a lot further than that. The CFS scheduler and others are written specifically with the intention that the operating system is going to have to manage tens or hundreds of applications with tens of users. If you go to AWS and boot up a linux instance you'll find around a hundred programs running without you installing anything - even if it is on a vm with only one thread. Multiple processes which unikernels eschew come with a ton of baggage. Shared memory, IPC calls, scheduling, permissions, etc. We used to get questions asking why we didn't just make patches to linux (which this paper argues for btw) and the answer is simple - doing so is actually more work and harder to deal with than just writing a new unikernel specific kernel from scratch which is what we did. Might be worth pointing out that I've worked at a unikernel company for the past 5 years that is in charge of the open source https://nanos.org and https://ops.city toolchains.

You an also build from source here: https://github.com/nanovms/nanos && https://github.com/nanovms/ops .

There are also packages available through AUR/homebrew and the like: https://ops.city/downloads .

The script is only there facilitate the 'install' such as ensuring you have qemu installed locally or assessing whether you have kvm/hvf rights/etc.

Also, I don't think this is documented yet but you can target various PRs/builds with ops via this way:

ops run /bin/ls --nanos-version d632de2

Super cool. I always enjoy reading about systems that challenge, well, "ossified" assumptions. An OS not providing a shell, for example? Madness! ... or is it genius, if the OS has a specific purpose...? It's thought-provoking, if nothing else.

I'm a bit skeptical of parts. For instance, the "init" binary being less than 400 lines of golang - wow! And sure, main.go [1] is less than 400 lines and very readable. Then you squint at the list of imported packages, or look to the left at the directory list and realize main.go isn't nearly the entire init binary.

That `talosctl list` invocation [2] didn't escape my notice either. Sure, the base OS may have only a handful of binaries - how many of those traditional utilities have been stuffed into the API server? Not that I disagree with the approach! I think every company eventually replaces direct shell access with a daemon like this. It's just that "binary footprint" can get a bit funny if you have a really sophisticated API server sitting somewhere.

[1]: https://github.com/siderolabs/talos/blob/main/internal/app/m...

[2]: https://www.talos.dev/v1.6/reference/cli/#talosctl-list

Where `kube.cue` sets reasonable defaults (e.g. image is /). The "cluster" runs on a mini PC in my basement, and I have a small Digital Ocean VM with a static IP acting as an ingress (networking via Tailscale). Backups to cloud storage with restic, alerting/monitoring with Prometheus/Grafana, Caddy/Tailscale for local ingress.

[1] https://www.talos.dev/

[2] https://cuelang.org/

Looks somewhat similar to the talos Linux project[1]

[1] https://www.talos.dev/

Talos Linux basically implements their entire userspace in Go and its similar to BottleRocketOS, because it is designed to host Kubernetes.

https://www.talos.dev/

You might be surprised to find that Talos os (linux distro for kubernetes) mostly uses Go: https://github.com/siderolabs/talos

I've been using a 3 nuc (actually Ryzen devices) k3s on SuSE MicroOS https://microos.opensuse.org/ for my homelab for a while, and I really like it. They made some really nice decisions on which parts of k8s to trim down and which Networking / LB / Ingress to use.

The option to use sqlite in place of etcd on an even lighter single node setup makes it super interesting for even lighter weight homelab container environment setups.

I even use it with Longhorn https://longhorn.io/ for shared block storage on the mini cluster.

If anyone uses it with MicroOS, just make sure you switch to kured https://kured.dev/ for the transactional-updates reboot method.

I'd love to compare it against Talos https://www.talos.dev/ but their lack of support for a persistent storage partition (only separate storage device) really hurts most small home / office usage I'd want to try.

If you’re interested in something not AWS check out Talos https://www.talos.dev/

It’s been around longer than Bottlerocket

Can't talk about work, but my homelab is Azure and Oracle managed k8s (AKS/OKE), with onprem Talos soon (Turing Pi 2). My Flux monorepo has the details. OKE performs noticably worse (update cycle, features, control plane performance), but it provides 4 ARM cores and 24GB RAM free so I can't complain

Talos