🌐 Website · 📚 Documentation · 💰 Pricing · 🛒 Marketplace · 🤝 Partners · 🎓 Certification · 🐛 Bug Bounty · 📡 Status
OXware replaces VMware vSphere — without the licence. Confidential VMs (SEV/TDX) · DRS · HA · live migration · cluster federation · 6-language web UI · SOC 2 in progress · MIT licensed · save 90%+ vs vSphere.
| OXware | VMware vSphere | Proxmox VE | |
|---|---|---|---|
| Open source (MIT) | ✅ | ❌ | ✅ (GPL) |
| Per-CPU socket tax | ❌ none | 💸 yes | ❌ none |
| Confidential VMs (SEV/TDX) | ✅ | ✅ | partial |
| vTPM 2.0 per VM | ✅ | ✅ | partial |
| Cluster federation API | ✅ v2 | ✅ vCenter | ❌ |
| Live migration | ✅ | ✅ | ✅ |
| Runbook auto-remediation | ✅ | partial | ❌ |
| GitOps (ArgoCD/Flux) | ✅ | ❌ | ❌ |
| Kubernetes CSI driver | ✅ | ✅ | community |
| KubeVirt bridge | 🟡 beta | ❌ | ❌ |
| Built-in compliance scanner | ✅ | partial | ❌ |
| 3-year cost (32 cores, 50 VMs) | ~$2,250 | ~$200,000 | ~$5,000 |
We hate "✅" tables that lie. Here is exactly what is production-grade, what is usable-but-young, and what is honestly not finished yet. CI runs the real test suite on every push (badge above is live).
| Area | Status | What that means |
|---|---|---|
| VM lifecycle (create/start/stop/snapshot/clone/migrate) | 🟢 Stable | Core path, covered by the test suite + daily use |
| Networking (bridges, NAT, IPAM, nftables, port-forward) | 🟢 Stable | Real libvirt + nftables, SSRF-guarded outbound |
| Storage (qcow2, LVM, NFS, snapshots, 3-2-1 backup) | 🟢 Stable | Backup verified with mount + boot check |
| Auth / RBAC / JWT (HS256-locked, CSRF, audit log) | 🟢 Stable | Algorithm allowlist enforced + tested |
| Confidential VMs (SEV/TDX), vTPM 2.0 | 🟡 Beta | Works on supported hardware; needs host firmware |
| Ceph storage backend | 🟡 Community | Functional, community-tested, not first-class yet |
| AI planner / NL commands | 🟡 Optional | With AI key = AI; without a key it tells you so and falls back to transparent heuristics (source: "heuristic") — no fake "AI" output |
| KubeVirt bridge | 🟡 Beta | Cluster registration, VMI→OXware translation, and a polling reconcile loop that creates missing VMs. Needs pip install kubernetes pyyaml; degrades honestly (reports the reason) if absent or a cluster is unreachable. Streaming Watch + orphan auto-delete are opt-in/roadmap |
| Bare-metal autoinstall | 🟢 Stable | Per-install random password hash, SSH-key-only login |
| VM I/O perf (iothreads/io_uring/multiqueue/vhost) | 🟢 Stable | libvirt XML, Proxmox-parity; most changes need VM restart |
| Host kernel ops (zram/zswap/governor/turbo) | 🟢 Stable | sysfs-backed, root-gated |
| eBPF observability (syscall/latency/XDP) | 🟡 Beta | Real bpftrace/XDP; needs the toolchain + root, else reports disabled |
| Kernel livepatch | 🟡 Optional | Wraps canonical-livepatch / kpatch when installed |
| OXware LKMs (oxware_audit / oxware_guard) | 🟡 Beta | Real kprobe modules; build + load on the host to activate |
| Desktop (Electron) app | 🟠 Early | Wraps the web UI; some links still placeholder |
Legend: 🟢 stable · 🟡 beta/optional · 🟠 partial/early. If something here drifts from reality, open an issue — honesty in this table is a feature.
curl -sSL https://oxware.top/install.sh | sudo bashUbuntu 22.04+ / Debian 12+ • x86_64 with VT-x or AMD-V • 4 GB RAM minimum Installation takes ~3 minutes. Panel listens on
https://<host-ip>:8006.
Prefer not to pipe curl into bash?
git clone https://github.com/ShinnAsukha/oxware-hypervisor.git /opt/oxware-src
cd /opt/oxware-src
sudo bash install.sh
|
|
Full parity, 2400+ entries per language. CI gate blocks any merge that introduces an untranslated Turkish string.
🇹🇷 Türkçe · 🇬🇧 English · 🇪🇸 Español · 🇩🇪 Deutsch · 🇨🇳 中文 · 🇫🇷 Français
┌─────────────────────────────────────────────────────────────┐
│ Web UI (HTML/JS, no build step) REST API + WebSocket │
│ ↕ ↕ │
│ Flask 3.x backend │
│ ↕ ↕ │
│ libvirt / QEMU nftables / iptables │
│ ↕ │
│ KVM (Linux kernel) │
└─────────────────────────────────────────────────────────────┘
- Backend — Python 3.11+, Flask, Flask-SocketIO, libvirt-python
- Frontend — Single-page HTML + vanilla JS (no React/Vue/Webpack)
- Reverse proxy — nginx + Let's Encrypt
- Process supervision — systemd
- Storage — qcow2 default, plus LVM / ZFS / Ceph / NFS / MinIO / S3
- Networking — libvirt bridges, nftables firewall, optional Open vSwitch
| Where | What |
|---|---|
| oxware.top | Marketing site + live demo + cost calculator |
| oxware.top/docs/ | Full installation + admin guide |
| oxware.top/pricing/ | Pricing — Standard $35/mo · Pro $250/yr · Lifetime $2000 |
| oxware.top/marketplace/ | Curated plugin + template registry |
| oxware.top/partners/ | Reseller program — 30% recurring commission |
| oxware.top/certification/ | OXware Certified Administrator ($99 exam) |
| oxware.top/compliance/ | SOC 2 / ISO 27001 / CIS / NIST / PCI / HIPAA |
| oxware.top/status/ | Live SaaS uptime + incident history |
| oxware.top/security/bug-bounty/ | Bug bounty program (up to $5,000 / bug) |
| Discord | Community chat — questions, plugin showcase, alpha-test announcements |
| SECURITY.md | Vulnerability disclosure policy + SEC-001..033 history |
| CHANGELOG.md | Per-release feature + security changelog |
| MODULARIZATION_PLAN.md | v2.8 app.py → blueprints migration plan |
| CONTRIBUTING.md | Dev setup + PR guidelines + commit format |
VM boot health-check, per-VM disk I/O QoS, AI Ops Insights with role-gated tools, carbon/energy report, snapshot-chain analysis, Vault→VM secret injection, attestation dashboard, federation mTLS, SDN VXLAN overlays, built-in L4 load balancer, golden-image marketplace, OVA export, vApp boot orchestration, scheduled reports, live VM thumbnails, 14 panel themes, onboarding tour, firmware boot splash. Full i18n parity across EN/ES/DE/ZH/FR. See CHANGELOG.md.
Modularization seed: app.py split into 5 domain blueprints. New /api/v2/ endpoints under auth, vms, networks, storage, monitoring. Legacy /api/* untouched. See MODULARIZATION_PLAN.md.
Security (SEC-029..033) — Safe archive extraction, DNS rebinding mitigation, FTP backup deprecated, SSH known-hosts + first-contact approval, Bandit + pip-audit in CI.
8 new feature modules — Kubernetes CSI driver, KubeVirt bridge, GitOps manager, Firecracker microVM runtime, OAuth2 provider presets, audit-log retention policy, CycloneDX SBOM generator, PWA offline mode.
i18n parity — French (FR) added; 6 languages with CI gate.
See CHANGELOG.md for the full list.
OXware ships with security_utils.py carrying validated helpers for SSRF blocking (validate_external_url), shell argv injection guards (validate_vm_id, safe_subprocess_arg), safe archive extraction (safe_tar_extract, safe_zip_extract), and DNS rebinding mitigation (resolve_safe_host).
33 SEC-tracked patches to date (SEC-001 through SEC-033) across auth, federation, runbook executor, plugin SDK, and bulk operations. Full history in SECURITY.md.
Found a vulnerability? Report via GitHub Security Advisories or email root@oxware.top. Bounties up to $5,000 / bug — see the Bug Bounty program.
# Get a JWT token
curl -k -X POST https://host:8006/api/auth/login \
-H "Content-Type: application/json" \
-d '{"username":"admin","password":"yourpass"}'
# Use it
curl -k https://host:8006/api/vms -H "Authorization: Bearer $TOKEN"Swagger UI lives at https://<host>:8006/api/docs. Full OpenAPI 3 spec at /api/openapi. ~290 endpoints across VM management, networking, storage, RBAC, monitoring, CSI, KubeVirt, GitOps, Firecracker, runbooks, federation, OAuth2, SBOM, PWA, and the new v2.8 /api/v2/* blueprint routes.
A Terraform provider ships with oxware_vm, oxware_network, oxware_storage_pool resources.
PRs welcome. Please read CONTRIBUTING.md first:
- Run
make i18n-checkbefore pushing if you touchedindex.html - Run
make securityto fire Bandit + pip-audit - Run
make test— the SEC-017..033 regression suite must stay green - New features need an entry in
CHANGELOG.md - Don't add new routes to
app.py— use a blueprint underoxware/backend/blueprints/. SeeMODULARIZATION_PLAN.md.
By the way — a quick ⭐ star is the cheapest way to say thanks and helps OXware appear in GitHub trending. It takes a second.
- Discord — discord.gg/c6yHhKrQs5
- GitHub Discussions — github.com/ShinnAsukha/oxware-hypervisor/discussions
- Issues — github.com/ShinnAsukha/oxware-hypervisor/issues
- Security — GitHub Security Advisories or
root@oxware.top
OXware is released under the MIT License. Use it commercially, fork it, embed it, sell support around it — go ahead. Just keep the copyright notice.
A Pro / Lifetime plan unlocks priority issue triage, all v2.x updates, and partner perks. Source remains MIT regardless. See pricing for details. Pricing is symbolic; the code is and will remain free.
Built with ❤️ for operators who think VMware should not charge per CPU socket.
⭐ Star this repo · 💬 Join Discord · ⬇️ Get OXware · 🌐 oxware.top