Current-Users archive
Status of NetBSD virtualization roadmap - support jails like features?
Hello all,
this mail is more or less my personal reflection on the virtualization
capabilities of NetBSD, combined with the question of where the journey
could go.
I basically use all virtualization technologies offered on NetBSD:
* Xen for virtualizing entire servers on production environments.
* Qemu/nvmm for virtualization currently on the desktop (playground).
* Chroots for administrative isolation of services - I use these like
jails with the knowledge that they don't provide the same security.
My motivation: I am looking for a particularly high-performance
virtualization solution on NetBSD. Disk and network I/O in particular
play a role for me.
So far I thought that nvmm could play a bigger role in the future, 
because there are some interesting approaches, for example [1].
However, this week I read a post on Reddit [2] that was a bit disturbing
to me. In essence, it proclaims that the main development platform for
nvmm is now DragonflyBSD rather than NetBSD. It also claims that the
implementation in NetBSD is now "stale and broken". Comparing the
timestamps of the last commits in the repositories [3] and [4], the last
activities are only three months apart. The nature and extent of the
respective changes are difficult for me to evaluate. Is anyone here
deeper into this and can say what the general state of nvmm in NetBSD is?
Regardless, I still think it wouldn't hurt if NetBSD could implement 
some sort of jail. There have been promising projects in the past [5] 
and [6] that seem to have put a lot of thought into a clean integration 
with the NetBSD kauth API and the secmodels. So far, however, none of
these approaches has made it beyond prototype status. Does anyone know 
if there is a code repository for [5]? I would be interested to see the 
implementation or the approaches to it. I realize that a complete jail 
implementation comparable to FreeBSD is not an easy task. However, for 
certain use cases, it would be helpful to be able to take away some of 
the privileges of a process running as root in a chroot jail, such as 
sending signals to processes outside the jail. Are there any examples of 
this available?
Kind regards,
Matthias
[1] https://imil.net/blog/posts/2020/fakecracker-netbsd-as-a-function-based-microvm/
[2] https://www.reddit.com/r/NetBSD/comments/sq62bc/nvmm_status/
[3] http://cvsweb.netbsd.org/bsdweb.cgi/src/sys/dev/nvmm/?only_with_tag=MAIN
[4] https://github.com/DragonFlyBSD/DragonFlyBSD/tree/master/sys/dev/virtual/nvmm
[5] http://2008.asiabsdcon.org/papers/P3A-paper.pdf
[6] https://github.com/smherwig/netbsd-sandbox