Convert Figma logo to code with AI

cloud-hypervisor logocloud-hypervisor

A Virtual Machine Monitor for modern Cloud workloads. Features include CPU, memory and device hotplug, support for running Windows and Linux guests, device offload with vhost-user and a minimal compact footprint. Written in Rust with a strong focus on security.

3,877
437
3,877
79
View on GitHub

Top Related Projects

firecracker-microvm's avatar

firecracker

25,056

Secure and fast microVMs for serverless computing.

kata-containers's avatar

kata-containers

5,320

Kata Containers is an open source project and community working to build a standard implementation of lightweight Virtual Machines (VMs) that feel and perform like containers, but provide the workload isolation and security advantages of VMs. https://katacontainers.io/

weaveworks's avatar

ignite

3,486

Ignite a Firecracker microVM

containers's avatar

podman

23,003

Podman: A tool for managing OCI containers and pods.

containers's avatar

podman

22,991

Podman: A tool for managing OCI containers and pods.

Quick Overview

Cloud Hypervisor is an open-source Virtual Machine Monitor (VMM) designed for running modern, cloud-workload optimized guest operating systems. It's written in Rust, focusing on security, speed, and simplicity while leveraging KVM on Linux systems.

Pros

  • High performance due to its lightweight design and Rust implementation
  • Strong focus on security, benefiting from Rust's memory safety features
  • Optimized for cloud and container workloads
  • Supports modern technologies like virtio-fs and vhost-user

Cons

  • Limited guest OS support compared to more established hypervisors
  • Relatively new project, which may lead to less community support and documentation
  • Primarily focused on Linux hosts, with limited support for other platforms
  • May lack some advanced features found in more mature hypervisors

Getting Started

To get started with Cloud Hypervisor:

  1. Install Rust and cargo:
curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh
  1. Clone the repository:
git clone https://github.com/cloud-hypervisor/cloud-hypervisor.git
cd cloud-hypervisor
  1. Build Cloud Hypervisor:
cargo build --release
  1. Run a basic VM (assuming you have a kernel and rootfs):
./target/release/cloud-hypervisor \
    --kernel path/to/vmlinux \
    --disk path/to/rootfs \
    --cpus 4 \
    --memory size=512M \
    --net "tap=,mac=,ip=,mask="

For more detailed instructions and advanced usage, refer to the project's documentation on GitHub.

Competitor Comparisons

firecracker-microvm logo

firecracker

25,056

Secure and fast microVMs for serverless computing.

Pros of Firecracker

  • Extremely lightweight and fast boot times (as low as 125ms)
  • Strong isolation and security features, leveraging KVM
  • Optimized for serverless and container workloads

Cons of Firecracker

  • Limited device support and customization options
  • Primarily focused on Linux guests, less flexible for other OSes
  • Steeper learning curve for integration and management

Code Comparison

Firecracker configuration (YAML):

boot-source:
  kernel_image_path: "/path/to/kernel"
  boot_args: "console=ttyS0 reboot=k panic=1 pci=off"
drives:
  - drive_id: "rootfs"
    path_on_host: "/path/to/rootfs"
    is_root_device: true
    is_read_only: false

Cloud-Hypervisor configuration (JSON):

{
  "kernel": "/path/to/kernel",
  "cmdline": "console=ttyS0 reboot=k panic=1",
  "disk": [{"path": "/path/to/rootfs"}],
  "cpus": {"boot_vcpus": 1, "max_vcpus": 1},
  "memory": {"size": 512}
}

Both projects aim to provide lightweight virtualization solutions, but Firecracker focuses on serverless workloads with minimal overhead, while Cloud-Hypervisor offers more flexibility and device support for general-purpose VMs.

kata-containers logo

kata-containers

5,320

Kata Containers is an open source project and community working to build a standard implementation of lightweight Virtual Machines (VMs) that feel and perform like containers, but provide the workload isolation and security advantages of VMs. https://katacontainers.io/

Pros of Kata Containers

  • Provides stronger isolation and security by running containers in lightweight VMs
  • Supports multiple hypervisors and architectures, offering greater flexibility
  • Offers seamless integration with container ecosystems like Kubernetes

Cons of Kata Containers

  • Higher resource overhead compared to Cloud Hypervisor's lightweight approach
  • More complex setup and configuration due to additional components
  • Potentially slower container startup times

Code Comparison

Kata Containers configuration example:

hypervisor:
  path: "/usr/bin/qemu-system-x86_64"
  kernel: "/usr/share/kata-containers/vmlinux.container"
  image: "/usr/share/kata-containers/kata-containers.img"

Cloud Hypervisor configuration example:

let vm_config = VmConfig {
    cpus: CpusConfig { boot_vcpus: 4, max_vcpus: 8 },
    memory: MemoryConfig { size: 1024 * 1024 * 1024 },
    kernel: Some(KernelConfig { path: String::from("/path/to/kernel") }),
    // ...
};

Both projects aim to provide lightweight virtualization solutions, but Kata Containers focuses on secure container isolation using VMs, while Cloud Hypervisor emphasizes a minimalist, high-performance approach to VM management. The choice between them depends on specific use cases and requirements.

weaveworks logo

ignite

3,486

Ignite a Firecracker microVM

Pros of Ignite

  • Focuses on running containerized applications in VMs, providing better isolation than traditional containers
  • Utilizes Firecracker for fast and secure VM provisioning
  • Integrates well with Kubernetes ecosystem and container workflows

Cons of Ignite

  • Limited to running on Linux hosts only
  • Requires specific kernel configurations and may not work on all Linux distributions
  • Less flexible than Cloud Hypervisor for general-purpose virtualization tasks

Code Comparison

Ignite (using Docker-like syntax):

ignite run weaveworks/ignite-ubuntu \
    --cpus 2 \
    --memory 1GB \
    --size 6GB \
    --ssh

Cloud Hypervisor (using command-line options):

cloud-hypervisor \
    --cpus boot=2 \
    --memory size=1G \
    --disk path=/path/to/disk.img \
    --net tap=tap0

Both projects aim to provide lightweight virtualization solutions, but they target different use cases. Ignite focuses on running containerized applications in VMs, while Cloud Hypervisor is a more general-purpose VMM. The code examples show the different approaches to VM creation and configuration, with Ignite using a Docker-like syntax and Cloud Hypervisor using command-line options.

containers logo

podman

23,003

Podman: A tool for managing OCI containers and pods.

Pros of Podman

  • Daemonless architecture, improving security and resource usage
  • Compatible with Docker commands and images, easing adoption
  • Rootless containers support, enhancing security and user isolation

Cons of Podman

  • Less mature ecosystem compared to Docker
  • Potentially slower performance for some operations due to daemonless design

Code Comparison

Cloud-Hypervisor (Rust):

let vmm = Vmm::new(vm_params)?;
vmm.boot()?;

Podman (Go):

cmd := exec.Command("podman", "run", "-it", "ubuntu")
err := cmd.Run()

Key Differences

  • Cloud-Hypervisor is a lightweight VMM for cloud workloads, while Podman is a container engine
  • Cloud-Hypervisor focuses on virtualization, Podman on containerization
  • Cloud-Hypervisor is written in Rust, Podman in Go
  • Cloud-Hypervisor targets cloud and edge computing, Podman aims for general-purpose container management

Use Cases

Cloud-Hypervisor:

  • Cloud-native and serverless deployments
  • Edge computing with minimal overhead

Podman:

  • Local development environments
  • CI/CD pipelines
  • Production container orchestration (with Kubernetes)

Both projects aim to provide efficient, secure solutions for running isolated workloads, but they approach this goal from different perspectives: virtualization vs. containerization.

containers logo

podman

22,991

Podman: A tool for managing OCI containers and pods.

Pros of Podman

  • Daemonless architecture, improving security and resource usage
  • Compatible with Docker commands and images, easing adoption
  • Rootless containers support, enhancing security and user isolation

Cons of Podman

  • Less mature ecosystem compared to Docker
  • Potentially slower performance for some operations due to daemonless design

Code Comparison

Cloud-Hypervisor (Rust):

let vmm = Vmm::new(vm_params)?;
vmm.boot()?;

Podman (Go):

cmd := exec.Command("podman", "run", "-it", "ubuntu")
err := cmd.Run()

Key Differences

  • Cloud-Hypervisor is a lightweight VMM for cloud workloads, while Podman is a container engine
  • Cloud-Hypervisor focuses on virtualization, Podman on containerization
  • Cloud-Hypervisor is written in Rust, Podman in Go
  • Cloud-Hypervisor targets cloud and edge computing, Podman aims for general-purpose container management

Use Cases

Cloud-Hypervisor:

  • Cloud-native and serverless deployments
  • Edge computing with minimal overhead

Podman:

  • Local development environments
  • CI/CD pipelines
  • Production container orchestration (with Kubernetes)

Both projects aim to provide efficient, secure solutions for running isolated workloads, but they approach this goal from different perspectives: virtualization vs. containerization.

Convert Figma logo designs to code with AI

Visual Copilot

Introducing Visual Copilot: A new AI model to turn Figma designs to high quality code using your components.

Try Visual Copilot

README

1. What is Cloud Hypervisor?

Cloud Hypervisor is an open source Virtual Machine Monitor (VMM) that runs on top of the KVM hypervisor and the Microsoft Hypervisor (MSHV).

The project focuses on running modern, Cloud Workloads, on specific, common, hardware architectures. In this case Cloud Workloads refers to those that are run by customers inside a Cloud Service Provider. This means modern operating systems with most I/O handled by paravirtualised devices (e.g. virtio), no requirement for legacy devices, and 64-bit CPUs.

Cloud Hypervisor is implemented in Rust and is based on the Rust VMM crates.

Objectives

High Level

  • Runs on KVM or MSHV
  • Minimal emulation
  • Low latency
  • Low memory footprint
  • Low complexity
  • High performance
  • Small attack surface
  • 64-bit support only
  • CPU, memory, PCI hotplug
  • Machine to machine migration

Architectures

Cloud Hypervisor supports the x86-64 and AArch64 architectures. There are minor differences in functionality between the two architectures (see #1125).

Guest OS

Cloud Hypervisor supports 64-bit Linux and Windows 10/Windows Server 2019.

2. Getting Started

The following sections describe how to build and run Cloud Hypervisor.

Prerequisites for AArch64

  • AArch64 servers (recommended) or development boards equipped with the GICv3 interrupt controller.

Host OS

For required KVM functionality and adequate performance the recommended host kernel version is 5.13. The majority of the CI currently tests with kernel version 5.15.

Use Pre-built Binaries

The recommended approach to getting started with Cloud Hypervisor is by using a pre-built binary. Binaries are available for the latest release. Use cloud-hypervisor-static for x86-64 or cloud-hypervisor-static-aarch64 for AArch64 platform.

Packages

For convenience, packages are also available targeting some popular Linux distributions. This is thanks to the Open Build Service. The OBS README explains how to enable the repository in a supported Linux distribution and install Cloud Hypervisor and accompanying packages. Please report any packaging issues in the obs-packaging repository.

Building from Source

Please see the instructions for building from source if you do not wish to use the pre-built binaries.

Booting Linux

Cloud Hypervisor supports direct kernel boot (the x86-64 kernel requires the kernel built with PVH support or a bzImage) or booting via a firmware (either Rust Hypervisor Firmware or an edk2 UEFI firmware called CLOUDHV / CLOUDHV_EFI.)

Binary builds of the firmware files are available for the latest release of Rust Hypervisor Firmware and our edk2 repository

The choice of firmware depends on your guest OS choice; some experimentation may be required.

Firmware Booting

Cloud Hypervisor supports booting disk images containing all needed components to run cloud workloads, a.k.a. cloud images.

The following sample commands will download an Ubuntu Cloud image, converting it into a format that Cloud Hypervisor can use and a firmware to boot the image with.

$ wget https://cloud-images.ubuntu.com/focal/current/focal-server-cloudimg-amd64.img
$ qemu-img convert -p -f qcow2 -O raw focal-server-cloudimg-amd64.img focal-server-cloudimg-amd64.raw
$ wget https://github.com/cloud-hypervisor/rust-hypervisor-firmware/releases/download/0.4.2/hypervisor-fw

The Ubuntu cloud images do not ship with a default password so it necessary to use a cloud-init disk image to customise the image on the first boot. A basic cloud-init image is generated by this script. This seeds the image with a default username/password of cloud/cloud123. It is only necessary to add this disk image on the first boot. Script also assigns default IP address using test_data/cloud-init/ubuntu/local/network-config details with --net "mac=12:34:56:78:90:ab,tap=" option. Then the matching mac address interface will be enabled as per network-config details.

$ sudo setcap cap_net_admin+ep ./cloud-hypervisor
$ ./create-cloud-init.sh
$ ./cloud-hypervisor \
	--kernel ./hypervisor-fw \
	--disk path=focal-server-cloudimg-amd64.raw path=/tmp/ubuntu-cloudinit.img \
	--cpus boot=4 \
	--memory size=1024M \
	--net "tap=,mac=,ip=,mask="

If access to the firmware messages or interaction with the boot loader (e.g. GRUB) is required then it necessary to switch to the serial console instead of virtio-console.

$ ./cloud-hypervisor \
	--kernel ./hypervisor-fw \
	--disk path=focal-server-cloudimg-amd64.raw path=/tmp/ubuntu-cloudinit.img \
	--cpus boot=4 \
	--memory size=1024M \
	--net "tap=,mac=,ip=,mask=" \
	--serial tty \
	--console off

Custom Kernel and Disk Image

Building your Kernel

Cloud Hypervisor also supports direct kernel boot. For x86-64, a vmlinux ELF kernel (compiled with PVH support) or a regular bzImage are supported. In order to support development there is a custom branch; however provided the required options are enabled any recent kernel will suffice.

To build the kernel:

# Clone the Cloud Hypervisor Linux branch
$ git clone --depth 1 https://github.com/cloud-hypervisor/linux.git -b ch-6.2 linux-cloud-hypervisor
$ pushd linux-cloud-hypervisor
# Use the x86-64 cloud-hypervisor kernel config to build your kernel for x86-64
$ wget https://raw.githubusercontent.com/cloud-hypervisor/cloud-hypervisor/main/resources/linux-config-x86_64
# Use the AArch64 cloud-hypervisor kernel config to build your kernel for AArch64
$ wget https://raw.githubusercontent.com/cloud-hypervisor/cloud-hypervisor/main/resources/linux-config-aarch64
$ cp linux-config-x86_64 .config  # x86-64
$ cp linux-config-aarch64 .config # AArch64
# Do native build of the x86-64 kernel
$ KCFLAGS="-Wa,-mx86-used-note=no" make bzImage -j `nproc`
# Do native build of the AArch64 kernel
$ make -j `nproc`
$ popd

For x86-64, the vmlinux kernel image will then be located at linux-cloud-hypervisor/arch/x86/boot/compressed/vmlinux.bin. For AArch64, the Image kernel image will then be located at linux-cloud-hypervisor/arch/arm64/boot/Image.

Disk image

For the disk image the same Ubuntu image as before can be used. This contains an ext4 root filesystem.

$ wget https://cloud-images.ubuntu.com/focal/current/focal-server-cloudimg-amd64.img # x86-64
$ wget https://cloud-images.ubuntu.com/focal/current/focal-server-cloudimg-arm64.img # AArch64
$ qemu-img convert -p -f qcow2 -O raw focal-server-cloudimg-amd64.img focal-server-cloudimg-amd64.raw # x86-64
$ qemu-img convert -p -f qcow2 -O raw focal-server-cloudimg-arm64.img focal-server-cloudimg-arm64.raw # AArch64

Booting the guest VM

These sample commands boot the disk image using the custom kernel whilst also supplying the desired kernel command line.

  • x86-64
$ sudo setcap cap_net_admin+ep ./cloud-hypervisor
$ ./create-cloud-init.sh
$ ./cloud-hypervisor \
	--kernel ./linux-cloud-hypervisor/arch/x86/boot/compressed/vmlinux.bin \
	--disk path=focal-server-cloudimg-amd64.raw path=/tmp/ubuntu-cloudinit.img \
	--cmdline "console=hvc0 root=/dev/vda1 rw" \
	--cpus boot=4 \
	--memory size=1024M \
	--net "tap=,mac=,ip=,mask="
  • AArch64
$ sudo setcap cap_net_admin+ep ./cloud-hypervisor
$ ./create-cloud-init.sh
$ ./cloud-hypervisor \
	--kernel ./linux-cloud-hypervisor/arch/arm64/boot/Image \
	--disk path=focal-server-cloudimg-arm64.raw path=/tmp/ubuntu-cloudinit.img \
	--cmdline "console=hvc0 root=/dev/vda1 rw" \
	--cpus boot=4 \
	--memory size=1024M \
	--net "tap=,mac=,ip=,mask="

If earlier kernel messages are required the serial console should be used instead of virtio-console.

  • x86-64
$ ./cloud-hypervisor \
	--kernel ./linux-cloud-hypervisor/arch/x86/boot/compressed/vmlinux.bin \
	--console off \
	--serial tty \
	--disk path=focal-server-cloudimg-amd64.raw \
	--cmdline "console=ttyS0 root=/dev/vda1 rw" \
	--cpus boot=4 \
	--memory size=1024M \
	--net "tap=,mac=,ip=,mask="
  • AArch64
$ ./cloud-hypervisor \
	--kernel ./linux-cloud-hypervisor/arch/arm64/boot/Image \
	--console off \
	--serial tty \
	--disk path=focal-server-cloudimg-arm64.raw \
	--cmdline "console=ttyAMA0 root=/dev/vda1 rw" \
	--cpus boot=4 \
	--memory size=1024M \
	--net "tap=,mac=,ip=,mask="

3. Status

Cloud Hypervisor is under active development. The following stability guarantees are currently made:

  • The API (including command line options) will not be removed or changed in a breaking way without a minimum of 2 major releases notice. Where possible warnings will be given about the use of deprecated functionality and the deprecations will be documented in the release notes.

  • Point releases will be made between individual releases where there are substantial bug fixes or security issues that need to be fixed. These point releases will only include bug fixes.

Currently the following items are not guaranteed across updates:

  • Snapshot/restore is not supported across different versions
  • Live migration is not supported across different versions
  • The following features are considered experimental and may change substantially between releases: TDX, vfio-user, vDPA.

Further details can be found in the release documentation.

As of 2023-01-03, the following cloud images are supported:

Direct kernel boot to userspace should work with a rootfs from most distributions although you may need to enable exotic filesystem types in the reference kernel configuration (e.g. XFS or btrfs.)

Hot Plug

Cloud Hypervisor supports hotplug of CPUs, passthrough devices (VFIO), virtio-{net,block,pmem,fs,vsock} and memory resizing. This document details how to add devices to a running VM.

Device Model

Details of the device model can be found in this documentation.

Roadmap

The project roadmap is tracked through a GitHub project.

4. Relationship with Rust VMM Project

In order to satisfy the design goal of having a high-performance, security-focused hypervisor the decision was made to use the Rust programming language. The language's strong focus on memory and thread safety makes it an ideal candidate for implementing VMMs.

Instead of implementing the VMM components from scratch, Cloud Hypervisor is importing the Rust VMM crates, and sharing code and architecture together with other VMMs like e.g. Amazon's Firecracker and Google's crosvm.

Cloud Hypervisor embraces the Rust VMM project's goals, which is to be able to share and re-use as many virtualization crates as possible.

Differences with Firecracker and crosvm

A large part of the Cloud Hypervisor code is based on either the Firecracker or the crosvm project's implementations. Both of these are VMMs written in Rust with a focus on safety and security, like Cloud Hypervisor.

The goal of the Cloud Hypervisor project differs from the aforementioned projects in that it aims to be a general purpose VMM for Cloud Workloads and not limited to container/serverless or client workloads.

The Cloud Hypervisor community thanks the communities of both the Firecracker and crosvm projects for their excellent work.

5. Community

The Cloud Hypervisor project follows the governance, and community guidelines described in the Community repository.

Contribute

The project strongly believes in building a global, diverse and collaborative community around the Cloud Hypervisor project. Anyone who is interested in contributing to the project is welcome to participate.

Contributing to a open source project like Cloud Hypervisor covers a lot more than just sending code. Testing, documentation, pull request reviews, bug reports, feature requests, project improvement suggestions, etc, are all equal and welcome means of contribution. See the CONTRIBUTING document for more details.

Slack

Get an invite to our Slack channel, join us on Slack, and participate in our community activities.

Mailing list

Please report bugs using the GitHub issue tracker but for broader community discussions you may use our mailing list.

Security issues

Please contact the maintainers listed in the MAINTAINERS.md file with security issues.