mvm-deployment
Get /dev/kvm from a hosted box, run the live half of mvm’s test suite, host mvmd, tear it down.
This repo is the deployment scaffolding for mvm and the (private) mvmd: bash scripts, cloud-init, and a provider-agnostic up.sh / down.sh dispatcher with seven adapters. It does not contain mvm or mvmd source.
```
$ PROVIDER=gcp bash ops/ephemeral/up.sh
==> provider: gcp
==> region: us-central1-a
==> type: n2-standard-4
==> waiting for cloud-init to finish (this can take ~5–10 min) …
==> rsync mvm + mvmd
==> running post-deploy.sh (cargo build mvmd + install systemd units)
==> ready.
    ssh mvm@<ip> 'bash ~/smoke-mvmd.sh'
    ssh mvm@<ip> 'bash ~/run-tests.sh --continue'
```
W7 verification — 2/7 providers green
| Provider | SKU | Status | Cycle | Spend |
|---|---|---|---|---|
| Hetzner Cloud | cpx51 | no nested virt anywhere — runs the no-KVM lane only | 15 min | — |
| GCP | n2-standard-4 | ✓ verified 2026-05-06 | 25 min | $0.10 |
| AWS | c5.metal | ✓ verified 2026-05-06 | 35 min | $2.50 |
| Azure | D4s_v3 | pending — needs az login | — | — |
| Vultr | vbm-4c-32gb | pending — needs VULTR_API_KEY | — | — |
| Latitude.sh | bare metal | pending — needs LATITUDE_API_TOKEN | — | — |
| Equinix Metal | bare metal | pending — needs metal init | — | — |
| OVH | bare metal | pending — needs three OVH_* env vars | — | — |
“Verified” means: provision → cloud-init done → rsync mvm + mvmd → cargo build mvmd → all four mvmd services active → seccomp functional probe passes → smoke pass → down.sh clean. See the full matrix for bugs each adapter has surfaced and what was fixed.
What it looks like under the hood
```
operator workstation              provisioned cloud host
─────────────────────             ──────────────────────
~/mvm/  (public)   ─┐
                    ├─rsync─→     /home/mvm/mvm/, /home/mvm/mvmd/
~/mvmd/ (private)   ┘                       ↓
                                  cargo build --release
                                            ↓
                                  /usr/local/bin/{mvmd, mvm-hostd}
                                            ↓
                                  systemctl enable --now
                                    mvm-hostd, mvmd-agent,
                                    mvmd-coordinator, mvmd-gateway
```
up.sh and down.sh know nothing provider-specific. Each providers/<name>.sh is a small bash file implementing four functions: provider_default_instance_type, provider_default_region, provider_up <label> <cloud-init>, and provider_down <label-or-empty>. Adding a new provider is that one file, no other changes.
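One way a dispatcher could load an adapter and enforce the four-function contract before calling into it, as an added example that is not code from this repo. `load_provider`, `make_sample_adapters`, the return codes and the two sample adapters are assumptions; only the four function names come from the text above.

```bash
#!/usr/bin/env bash
# Added example, not code from mvm-deployment. load_provider and the sample
# adapters are hypothetical; only the four function names come from the page.
REQUIRED_FUNCS="provider_default_instance_type provider_default_region provider_up provider_down"

# load_provider <providers-dir> <name>
# 0 = adapter sourced and complete, 2 = rejected name,
# 3 = no such adapter file, 4 = adapter lacks a contract function.
load_provider() {
  local dir="$1" name="$2" fn
  # PROVIDER picks a file to source, so restrict it to a plain slug:
  # no slashes or dots means no path outside the providers directory.
  case "$name" in
    ''|*[!a-z0-9_-]*) echo "invalid provider name: $name" >&2; return 2 ;;
  esac
  [ -f "$dir/$name.sh" ] || { echo "no adapter for: $name" >&2; return 3; }
  # Drop functions left by a previously loaded adapter so they cannot
  # mask a missing implementation in this one.
  for fn in $REQUIRED_FUNCS; do unset -f "$fn" 2>/dev/null || :; done
  . "$dir/$name.sh"
  for fn in $REQUIRED_FUNCS; do
    case "$(LC_ALL=C type "$fn" 2>/dev/null)" in
      *function*) ;;
      *) echo "adapter $name does not define $fn" >&2; return 4 ;;
    esac
  done
}

# Constructed sample adapters: one complete, one missing provider_down.
make_sample_adapters() {
  local dir="$1"
  cat > "$dir/complete.sh" <<'EOF'
provider_default_instance_type() { echo "example-type-small"; }
provider_default_region() { echo "example-region-1"; }
provider_up() { echo "up label=$1 cloud-init=$2"; }
provider_down() { echo "down label=${1:-<all>}"; }
EOF
  cat > "$dir/partial.sh" <<'EOF'
provider_default_instance_type() { echo "example-type-small"; }
provider_default_region() { echo "example-region-1"; }
provider_up() { echo "up label=$1 cloud-init=$2"; }
EOF
}
```

Failing at load time when provider_down is missing keeps a half-written adapter from provisioning a host that the dispatcher then cannot tear down.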
What this is
- Bash + cloud-init + a four-function adapter contract.
- Provision-once, tear-down-when-done. No state preserved.
- A live-KVM target for the seccomp functional probe and Firecracker smoke.
- A hosting environment for mvmd’s four systemd services.
- A per-provider verification matrix that catches real bugs.
What this isn’t
- A managed-service / SaaS shape for mvmd. Separate product surface.
- Multi-node / multi-region / HA / failover. Plan 43 covers single-host.
- The mvm Rust source. That lives at tinylabscom/mvm.
- The mvmd source. Private repo.
- A microVM security or red-team posture. ADR-002 in mvm proper.