Architecture
Vrtmv is a client–server system with three parts.
The client — vrtmv
A single binary that runs where the customer's disk images live. It probes a source, extracts an inventory locally, and performs every translation lookup over the network against the authenticated Vrtmv API. It never connects to the translation database directly, and it never sends workload data off-host — only package identifiers.
The client is written in Rust: it parses untrusted disk images, so memory safety is a security property, not a convenience.
The API — vrtmv-api
The only thing that connects to the Translation Index. It is the authentication and account boundary: licensing, metering, and quota all live here. Clients authenticate per account with a bearer token; each lookup is metered. See The Vrtmv API.
The Translation Index
A curated PostgreSQL database mapping packages, services, config paths, service accounts, and MAC policy across distributions, with provenance on every row. It is the product's moat, and it is served, not shipped — never embedded in the client. See The Translation Index.
The pipeline
A migration flows through five stages:
- Probe / source — detect the image format, or open a mounted root or SSH source.
- Inventory — read the distro (
os-release) and installed packages (dpkg / rpm) locally. - Resolve — map native package names to canonical slugs via the API.
- Translate — fetch the target-distro packages, config-path relocations, and conditionals for those canonicals.
- Render — evaluate conditionals against the local inventory and emit an Ansible role plus a JSON attestation.
Stages 1–2 are entirely local. Stages 3–4 send only identifiers to the API. Stage 5 is local again — which is what makes the attestation specific to this host.
Where your data goes
| Data | Leaves the host? |
|---|---|
Image contents, /etc, accounts, keys | No |
| Extracted inventory (package list) | No |
| Package identifiers (names, canonical slugs, release pair) | Yes — to the API, to look up translations |
| Depersonalized VM fingerprint (a one-way hash) | Yes — for metering only |