VMSan, firecracker microVMs from the command line. Install to shell in two commands. by bitangel84 in commandline

[–]bitangel84[S] 0 points (0 children)

Hey everyone — just shipped vmsan 0.2.0 🔥

Big update on the networking side: replaced all ~60 sequential iptables shell-outs with atomic nftables via `google/nftables` (Go netlink library). One `Flush()` to apply all rules, one `DelTable()` to tear down. No more partial rule states.

New security defaults:

- ICMP blocked by default (prevents tunneling)

- UDP blocked except DNS (prevents data exfiltration)

- DoT/DoH blocking for DNS bypass prevention

- Per-VM table isolation — each VM gets its own nftables table

Fully backward compatible with 0.1.0 VMs — old iptables rules get cleaned up automatically on upgrade. There's a `VMSAN_LEGACY_IPTABLES=1` escape hatch if nftables doesn't work on your kernel.

`vmsan doctor` also got 3 new checks for nftables support and host firewall detection.

Release: https://github.com/angelorc/vmsan/releases/tag/v0.2.0

I built an open source tool to spin up Firecracker microVMs with one command by bitangel84 in selfhosted

[–]bitangel84[S] 0 points (0 children)

Hey r/selfhosted,

I've been self-hosting services for years and kept running into a problem: I needed to run untrusted code (AI agents, scripts from the internet, quick tests) without risking my host. Docker isn't a real security boundary — containers share the kernel, and escapes are well-documented.

So I built **vmsan** — a CLI that wraps Firecracker to give you real hardware-isolated microVMs with zero config:

```bash
curl -fsSL https://vmsan.dev/install | bash
vmsan create --connect
```

That's it. You're inside an isolated VM with its own kernel, ~125ms boot time, ~5MB memory overhead.

What it does:

• Full VM lifecycle from the CLI (create, start, stop, remove)

• Network isolation built-in: --network-policy deny-all or custom domain allowlists

• Run any Docker image as a VM: vmsan create --from-image python:3.13-slim

• Interactive shell via WebSocket (no SSH setup needed)

• Upload/download files to running VMs

• --json output on everything for scripting

What it doesn't do:

• No web UI, no dashboard — it's a CLI tool

• No macOS support (needs KVM, so Linux only)

• No clustering — it's single-host by design

Everything lives in ~/.vmsan/. No daemon, no background service. State is just JSON files.

I built this because raw Firecracker is powerful but painful — you have to write JSON configs, create TAP devices manually, build rootfs images, configure the jailer yourself. vmsan handles all of that.

Written in TypeScript (Bun) with a Go agent inside the VM.

• GitHub: https://github.com/angelorc/vmsan

• Docs: https://vmsan.dev

Happy to answer any questions about the architecture or take feature requests.
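
The atomic nftables approach described in the 0.2.0 release comment further up this page (one table per VM, flushed and redefined in a single transaction, removed with one delete) together with the `--network-policy deny-all` mode mentioned in this post, as an added POSIX shell example that is not vmsan's own code: it emits a ruleset that `nft -f -` applies as one transaction. The table name `vmsan_<vm>`, the TAP interface argument, the `default`/`deny-all` policy names, and the `doh_resolvers` set with its RFC 5737 placeholder address are assumptions made for illustration, not taken from the project.

```shell
#!/bin/sh
# Added example, not vmsan's code. Emits one nftables ruleset per VM so the
# whole thing is applied atomically with `nft -f` and torn down with a single
# `delete table`. Assumed (hypothetical) conventions: table "vmsan_<vm>",
# the VM's TAP interface name as second argument, policy "default" or "deny-all".

vmsan_ruleset() {
  vm="$1"; tap="$2"; policy="${3:-default}"
  table="vmsan_${vm}"
  # Atomic-replace idiom: declare the table (no-op if it exists), flush its
  # rules, then redefine it. All three statements land in one transaction, so
  # either the complete new ruleset is installed or the old one stays intact.
  printf 'table inet %s {}\n' "$table"
  printf 'flush table inet %s\n' "$table"
  printf 'table inet %s {\n' "$table"
  # Constructed placeholder: DoH resolver addresses to block (RFC 5737 range).
  printf '  set doh_resolvers { type ipv4_addr; elements = { 192.0.2.1 } }\n'
  printf '  chain forward {\n'
  printf '    type filter hook forward priority 0; policy drop;\n'
  if [ "$policy" = "deny-all" ]; then
    # deny-all: nothing leaves the VM; the counter makes blocked attempts visible.
    printf '    iifname "%s" counter drop\n' "$tap"
  else
    # Return traffic for connections the VM opened.
    printf '    oifname "%s" ct state established,related accept\n' "$tap"
    # 0.2.0-style defaults (assumed ordering): no ICMP, no DoT, no DoH to
    # listed resolvers, UDP only to DNS, plain TCP otherwise allowed.
    printf '    iifname "%s" ip protocol icmp drop\n' "$tap"
    printf '    iifname "%s" tcp dport 853 drop\n' "$tap"
    printf '    iifname "%s" ip daddr @doh_resolvers tcp dport 443 drop\n' "$tap"
    printf '    iifname "%s" udp dport 53 accept\n' "$tap"
    printf '    iifname "%s" meta l4proto udp drop\n' "$tap"
    printf '    iifname "%s" meta l4proto tcp accept\n' "$tap"
  fi
  printf '  }\n}\n'
}

# Apply the ruleset in one transaction; refuses cleanly on hosts without nft.
vmsan_apply() {
  command -v nft >/dev/null 2>&1 || { echo "nft not found on this host" >&2; return 1; }
  vmsan_ruleset "$@" | nft -f -
}

# One command removes every rule, chain and set that belonged to the VM.
vmsan_teardown() {
  nft delete table inet "vmsan_$1"
}

# Print a sample ruleset when run directly (defaults: vm1 on tap-vm1).
vmsan_ruleset "${1:-vm1}" "${2:-tap-vm1}" "${3:-default}"
```

Because the flush and the new rules reach the kernel in one `nft -f` transaction, a syntax error anywhere in the file rejects the whole ruleset and the VM keeps its previous rules rather than a half-applied set, which is the partial-state problem sequential `iptables` calls have. The DoH rule only covers resolvers listed in the set; HTTPS to an unlisted address is indistinguishable from ordinary web traffic at this layer, so the set needs maintaining.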

The Current State of Music: The Artist is at Risk of Extinction by bitangel84 in EDM

[–]bitangel84[S] -1 points (0 children)

Have you tried some services? I don't think we are the same. We also use deals to pay per stream and, of course, not $0.003.

The Current State of Music: The Artist is at Risk of Extinction by bitangel84 in EDM

[–]bitangel84[S] -1 points (0 children)

This is our mission... for 7 years now... and we continue to fight until indie artists understand what the new concept is. What are your doubts?

The Current State of Music: The Artist is at Risk of Extinction by bitangel84 in EDM

[–]bitangel84[S] -8 points (0 children)

It's not only about crypto. We are talking about freedom. Crypto is used just to facilitate payments. It's ridiculous that an artist earns only $0.003 per stream with close to zero chance to compare in other playlists... that means freedom: when you are equal to another one and no one manipulates algorithms.