pve-microvm patches Proxmox VE’s qemu-server internals to expose QEMU’s microvm machine type through the standard PVE tooling, offering a novel middle ground between containers and full virtual machines. It delivers VMs that have KVM-level hardware isolation but boot almost as fast as containers: as low as 31 ms for a minimal BSD guest, up to around 8 seconds for Debian. This makes it well suited for ephemeral and semi-trusted workloads where you want better isolation than containers but faster startup than traditional VMs.
exposing qemu microvm machine type within proxmox ve
At its core, pve-microvm is a Debian package that patches internal components of Proxmox VE’s qemu-server to expose and manage QEMU’s microvm machine type through the usual Proxmox web UI and CLI tools. This means you get access to microVMs without needing a separate runtime like Firecracker or custom orchestration.
The microvm machine type is built into QEMU, so every PVE node already has the underlying capability. pve-microvm bridges the gap by making it manageable through PVE’s standard workflows: creating, cloning, migrating, backing up, and integrating with all supported storage backends (LVM, ZFS, Ceph, NFS, CIFS). It supports a broad range of guest OSes — 21 in total — including 13 Linux distros, multiple BSD variants, Plan 9, unikernels, and even Firecracker itself.
Under the hood, each microVM runs its own kernel under KVM hardware isolation, unlike containers, which share the host kernel. Compared to full VMs, the microvm machine type reduces the attack surface by exposing only a minimal virtio-pcie interface, which shrinks the virtual hardware footprint. The OCI-to-bootable-disk pipeline (pve-oci-import) converts container images into bootable microVM images, enabling rapid provisioning of ephemeral sandboxes.
By patching qemu-server internals rather than building a new runtime, pve-microvm delivers seamless integration into the PVE ecosystem, including features like high availability and offline migration with minimal downtime.
balancing isolation, speed, and compatibility
What sets pve-microvm apart is its pragmatic tradeoff: it offers near-container boot times with full hardware isolation, something neither LXC containers nor traditional VMs fully achieve.
The benchmark numbers tell the story:
- 31 ms cold boot for SmolBSD (a minimal BSD guest)
- ~2 seconds boot time for Alpine Linux
- ~8 seconds boot time for Debian
For comparison, standard VMs boot in 2–10 seconds, while LXC containers boot in about 50 ms but share the host kernel, which is a security risk for untrusted code.
The code quality reflects its experimental status. The package patches internal PVE components, which can be risky and requires maintenance across PVE upgrades. However, these patches are fully reversible, allowing fallback to stock PVE if needed.
The microvm approach minimizes the virtual hardware exposed, reducing the attack surface and improving security posture for semi-trusted workloads like coding agents or ephemeral sandboxes.
Supporting a wide variety of guest OSes shows the flexibility of the approach but also adds complexity. Not all OSes will have identical support for virtio-pcie or microvm-specific quirks, so testing and tuning are needed.
Overall, the project balances practical integration, performance, and isolation tradeoffs in a way that fills a niche gap in virtualization tooling.
quick start with pve-microvm
Installation is straightforward with the provided Debian package:
# Install
dpkg -i pve-microvm_0.3.6-1_all.deb
After installation, you can use the Proxmox VE web UI or CLI to create and manage microVMs just like regular VMs, but with the microvm machine type enabled. The package integrates transparently with existing storage backends and PVE features like cloning and backups.
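Because the package changes qemu-server's internals, it helps to know which packaged files on a node no longer match what the qemu-server package shipped, both right after installation and after a PVE upgrade. The script below is an added example, not code from the pve-microvm project: it classifies the output of `dpkg --verify`, assuming the patches are applied in place to files owned by qemu-server. The sample lines and their paths are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the pve-microvm project): classify the lines that
# `dpkg --verify <package>` prints for files that fail verification.
#
# Line format: 9 check flags, a space, an attribute character ('c' marks a
# conffile), a space, then the path. '5' in the third flag position means
# the file's MD5 digest differs from the one recorded by the package.

# Constructed sample output; the paths are placeholders, not the actual
# list of files pve-microvm patches.
SAMPLE='??5??????   /usr/share/perl5/PVE/Example/Patched.pm
??5?????? c /etc/example/edited.conf
missing     /usr/share/perl5/PVE/Example/Removed.pm'

# classify_verify: read verify lines on stdin, print "STATE PATH" per file.
#   modified           packaged file changed on disk (what an in-place
#                      patch, or tampering, looks like)
#   conffile-modified  admin-editable config changed (usually expected)
#   missing            packaged file no longer present
classify_verify() {
    while IFS= read -r line; do
        case "$line" in
            missing*)         state=missing ;;
            ??5??????\ c\ *)  state=conffile-modified ;;
            ??5*)             state=modified ;;
            *)                continue ;;
        esac
        # The path is everything from the first '/' onward.
        echo "$state /${line#*/}"
    done
}

# drift_report PKG: run the check against the live dpkg database.
# Assumption: run on the PVE node, where dpkg and PKG are installed.
drift_report() {
    dpkg --verify "$1" 2>/dev/null | classify_verify
}

# Demo on the constructed sample; on a node use: drift_report qemu-server
printf '%s\n' "$SAMPLE" | classify_verify
```

Saving the report taken right after installation gives a baseline: a later run that lists different `modified` paths, or none after a PVE upgrade has replaced the patched files, is the cue to review the node.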
verdict: specialized tool for fast, hardware-isolated ephemeral vms
pve-microvm is a niche but valuable project if you want to run ephemeral VMs with hardware isolation and container-like boot times inside Proxmox VE, without adopting a separate runtime.
Its strengths lie in seamless PVE integration, support for many guest OSes, and impressive boot performance benchmarks. The tradeoff is that it patches internal PVE components, which makes it experimental and potentially fragile across PVE upgrades.
If you need a middle ground between containers and traditional VMs for semi-trusted workloads, especially ephemeral sandboxed tasks, pve-microvm is worth exploring. For production environments demanding rock-solid stability, the experimental nature and patch-based approach may be a limitation.
For anyone already invested in Proxmox VE and looking to improve sandbox isolation without sacrificing management convenience or speed, this project offers a compelling option to test in your lab or development environment.
→ GitHub Repo: rcarmo/pve-microvm ⭐ 115 · Shell