FAQ — Hardpipe
Why not just use VMware or Nutanix?
DISA STIG checklists exist for both: the Nutanix Acropolis STIG (NCP #1325, 03/2026) and several versions of VMware vSphere. That is the rule set. But neither Nutanix nor VMware publishes its actual scan report against that STIG: the scores they announce (90%, 95%) are marketing figures that cannot be audited. Hardpipe publishes its full HTML OpenSCAP report, so every rule, every PASS and every FAIL can be inspected. You can replay the scan against your own ISO and confirm the result.
In addition, VMware Government / DoD is a US edition: its banners, documentation and regulatory mappings are aligned with US federal requirements, not the EU framework (GDPR, NIS2, RGS, HDS).
Why Harvester and not oVirt, Proxmox or a custom stack?
Harvester v1.8 combines in a single product:
- Native Kubernetes (RKE2) — same control plane for VMs and containers
- SL Micro 6.2 — immutable OS with signed rootfs, ideal for compliance
- SUSE upstream — European (German) vendor, sovereignty
- KubeVirt + Longhorn — proven CNCF stack, no lock-in
oVirt is in maintenance mode. Proxmox is not K8s-native. A custom stack costs years of development and has no EU commercial support.
How to qualify for ANSSI (RGS / SecNumCloud)?
Hardpipe provides the technical base (hardened OS, hardened K8s, reproducible scan). RGS qualification additionally requires:
- Third-party audit by a CESTI
- Formal security documentation (security target, protection profile)
- Penetration tests
- Incident response process
We plan to submit Hardpipe for ANSSI "Standard" qualification in 2027, targeting "Enhanced" in the medium term.
How to contribute?
- Upstream SUSE SSG: our OVAL-strict recipes can be backported. Issue tracker: https://github.com/ComplianceAsCode/content
- Harvester upstream: SELinux fixes for KubeVirt / Longhorn are relevant to the whole Harvester community. Open issues: https://github.com/harvester/harvester/issues
- Our repo: access on request via Gitea.
How does this differ from Talos Linux or Flatcar?
Talos and Flatcar are immutable Kubernetes OSes but do not provide an HCI stack (no integrated KubeVirt + Longhorn, no VM orchestrator). Hardpipe targets the "VM + container" use case on the same infrastructure — a drop-in replacement for vSphere.
Can I use it in production today?
Hardpipe v29 is beta. For critical production, validate:
- Load testing on your hardware
- Validation of your workloads (GPU drivers, vGPU, SR-IOV, etc.)
- Proven upgrade procedure on your target
For PoC, compliance tests or labs: ready to use.
What are the costs?
- Software: open source (SUSE Virtualization under SUSE EULA; the Hardpipe layer will be MIT/Apache)
- Support: optional via SUSE (Harvester support)
- Hardware: standard x86_64 servers (32+ threads, 128+ GB RAM, SSD/NVMe). No per-socket or per-VM licensing like VMware.
What is the performance impact?
OS hardening adds < 2% overhead (measured on synthetic benchmarks). SELinux enforcing adds 1-3% depending on workload. Kernel audit (auditd) can add 3-8% depending on rule count.
For typical workloads (web, databases, ML) the impact is negligible. For latency-critical workloads such as high-frequency trading, prefer a non-hardened stack.
How are upgrades handled?
Harvester uses Fleet + Elemental for atomic upgrades (OS + K8s + operators in one transaction). Signed bundles are distributed via an OCI registry, with automatic rollback on failure.
On the compliance side, each upgrade re-triggers an OpenSCAP scan to confirm the score stays ≥ 95%.
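As an added example (not Hardpipe's or Harvester's own tooling), the following POSIX shell script shows both the "replay the scan yourself" step from the VMware/Nutanix answer and the post-upgrade threshold check described here: it runs `oscap xccdf eval`, extracts the default-model score from the XCCDF results file and refuses the upgrade when the score is below 95. The datastream path, profile id and the 95 threshold are assumptions, and the embedded results document is constructed so the gate logic can run offline without `oscap` installed.

```shell
#!/bin/sh
# Added example, not Hardpipe's own tooling. Runs an OpenSCAP XCCDF scan and
# gates on the score written into the results file. The datastream path,
# profile id and the 95 threshold are assumptions; the embedded results
# document is constructed for the offline demo.
set -eu

SCORE_MIN="${SCORE_MIN:-95}"

# Run `oscap xccdf eval` and keep the XML results plus the HTML report.
# oscap exit codes: 0 = every rule passed, 2 = at least one rule failed,
# 1 = scan error. A hardened-but-not-perfect baseline returns 2, so only
# a 1 is treated as a failed scan here.
run_scan() {
    datastream="$1" profile="$2" results="$3" report="$4"
    rc=0
    oscap xccdf eval --profile "$profile" \
        --results "$results" --report "$report" "$datastream" || rc=$?
    [ "$rc" -eq 0 ] || [ "$rc" -eq 2 ]
}

# Print the default-model score (0..100) from an XCCDF results file.
xccdf_score() {
    sed -n 's|.*<score[^>]*system="urn:xccdf:scoring:default"[^>]*>\([0-9.]*\)</score>.*|\1|p' "$1" | head -n 1
}

# Count rule results of one kind: pass, fail, notapplicable, error, ...
count_results() {
    grep -c "<result>$2</result>" "$1" || true
}

# Succeed when score >= threshold (floating point, so awk rather than test(1)).
score_ok() {
    awk -v s="$1" -v m="$2" 'BEGIN { exit (s + 0 >= m + 0) ? 0 : 1 }'
}

# Constructed XCCDF results document for the offline demo: 2 pass, 1 fail,
# 1 notapplicable. The default model scores applicable rules only, so
# 2 of 3 -> 66.666667.
sample_results() {
    cat <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_example_benchmark_demo">
  <TestResult id="xccdf_example_testresult_demo">
    <rule-result idref="xccdf_example_rule_sshd_disable_root_login" weight="1.000000"><result>pass</result></rule-result>
    <rule-result idref="xccdf_example_rule_selinux_enforcing" weight="1.000000"><result>pass</result></rule-result>
    <rule-result idref="xccdf_example_rule_auditd_enabled" weight="1.000000"><result>fail</result></rule-result>
    <rule-result idref="xccdf_example_rule_nfs_server_disabled" weight="1.000000"><result>notapplicable</result></rule-result>
    <score system="urn:xccdf:scoring:default" maximum="100.000000">66.666667</score>
  </TestResult>
</Benchmark>
EOF
}

# Gate: print a one-line summary, return 0 only if the score meets SCORE_MIN.
gate() {
    results="$1"
    score="$(xccdf_score "$results")"
    [ -n "$score" ] || { echo "no default score in $results" >&2; return 2; }
    printf 'score=%s pass=%s fail=%s notapplicable=%s min=%s\n' \
        "$score" "$(count_results "$results" pass)" \
        "$(count_results "$results" fail)" \
        "$(count_results "$results" notapplicable)" "$SCORE_MIN"
    score_ok "$score" "$SCORE_MIN"
}

# Offline demo on the constructed file. A real post-upgrade run would call
# run_scan first, with an assumed datastream and profile such as:
#   run_scan /path/to/ssg-ds.xml xccdf_org.ssgproject.content_profile_stig \
#            results.xml report.html && gate results.xml
demo_results="$(mktemp)"
sample_results > "$demo_results"
if gate "$demo_results"; then
    echo "upgrade may proceed"
else
    echo "score below threshold, hold upgrade"
fi
rm -f "$demo_results"
```

The HTML report from `--report` is what you publish; the XML from `--results` is what you parse, because the score element there is produced by `oscap` itself rather than by a vendor's summary. Note that `notapplicable` rules are excluded from the default scoring model, so a profile that marks many rules not applicable can show a high score while checking little; compare the pass/fail/notapplicable counts, not only the percentage.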
Is there commercial support?
Not yet. Hardpipe is a research/demonstration project. If you are interested in a partnership (hoster, integrator, security consultancy), contact us via Gitea.