Serverless Architecture Without the Lock-in: A Pragmatic Guide to Self-Hosted FaaS
Let's address the elephant in the server room immediately: "Serverless" is a marketing misnomer. There are servers. There are always servers. The only question is whether you control them, or if you're renting execution time by the millisecond from a US-based hyperscaler that holds your billing scalability hostage.
As a CTO operating in the European market—specifically here in Norway—the allure of AWS Lambda or Azure Functions often crashes hard against the rocks of two realities: Schrems II compliance and unpredictable OPEX.
In late 2022, sticking your head in the sand regarding data sovereignty is no longer a strategy. Datatilsynet (The Norwegian Data Protection Authority) has been clear. If you are processing sensitive customer data, relying entirely on US-controlled cloud primitives introduces legal friction that most pragmatic leaders want to avoid. Furthermore, for high-throughput workloads, the "pay-per-invocation" model eventually intersects and surpasses the cost of provisioned infrastructure.
This article outlines a battle-tested pattern: Self-Hosted Functions-as-a-Service (FaaS). We will look at how to deploy OpenFaaS on high-performance KVM infrastructure (like CoolVDS) to get the developer velocity of serverless with the cost control and legal safety of a private cloud.
The Architecture: OpenFaaS on K3s
We aren't going to build a heavy Kubernetes cluster using Rancher or OpenShift for this; that's overkill for a pure FaaS setup. Instead, we use K3s (a lightweight Kubernetes distribution) on top of standard NVMe VPS instances. This gives us the container orchestration we need without the bloated memory footprint.
Why KVM Matters for FaaS
Containers are not secure boundaries; they are isolation mechanisms. In a multi-tenant environment, you want the hard hardware virtualization of KVM (Kernel-based Virtual Machine) underneath your nodes. This prevents "noisy neighbor" issues where another tenant's CPU spike steals cycles from your function's cold start.
Pro Tip: When selecting a VPS for FaaS, ignore the marketing fluff about "burstable" CPU. FaaS workloads are "spiky" by nature. You want dedicated cores or high-priority threads. We utilize CoolVDS instances because they expose the underlying CPU flags correctly, allowing the K3s scheduler to optimize context switching.
Step 1: The Foundation
Assuming you are running a fresh Debian 11 or Ubuntu 20.04 LTS instance on a CoolVDS NVMe node. First, we tune the kernel for high-concurrency ephemeral connections. Serverless functions spin up and die rapidly, which can exhaust the TCP stack if not tuned.
# /etc/sysctl.conf
# Increase system file descriptor limit
fs.file-max = 2097152
# Tune network stack for short-lived connections
net.core.somaxconn = 65535
net.core.netdev_max_backlog = 5000
net.ipv4.tcp_max_syn_backlog = 5000
net.ipv4.ip_local_port_range = 1024 65000
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_fin_timeout = 15Apply these changes with sysctl -p. If you skip this, your API Gateway will start throwing 502s during load testing, not because the CPU is full, but because you ran out of sockets.
Step 2: Deploying the FaaS Layer
We use arkade, a brilliant CLI tool that simplifies installing apps to Kubernetes. It saves hours of wrestling with Helm charts.
# Install arkade
curl -sLS https://get.arkade.dev | sudo sh
# Install K3s (lightweight K8s)
curl -sfL https://get.k3s.io | sh -
# Install OpenFaaS using arkade
arkade install openfaasOnce deployed, OpenFaaS provides an API Gateway, a UI, and a Prometheus metrics stack. The Gateway delegates incoming HTTP requests to the functions (containers).
The Developer Experience
The main argument for AWS Lambda is ease of use. OpenFaaS matches this with the faas-cli. Developers define a function in a YAML file, and the CLI handles the Docker build and push.
Here is a standard stack.yml for a Python function intended to process image resizing (a common FaaS use case):
version: 1.0
provider:
name: openfaas
gateway: http://127.0.0.1:8080
functions:
image-resizer:
lang: python3-http
handler: ./image-resizer
image: registry.yourcompany.no/image-resizer:latest
environment:
read_timeout: 10s
write_timeout: 10s
limits:
memory: 128Mi
requests:
memory: 64MiThe beauty here is portability. This function runs on your laptop, on a CoolVDS staging server, or your on-prem production cluster. No proprietary IAM roles or ARN strings to debug.
Performance Optimization: Cold Starts
The nemesis of serverless is the "cold start"—the time it takes to spin up a container from zero to handle a request. In a public cloud, you have zero control over this. On your own infrastructure, you can optimize aggressively.
The bottleneck is almost always Disk I/O (pulling the Docker image) or Memory bandwidth (starting the runtime).
- NVMe is non-negotiable: We benchmarked standard SSDs vs. NVMe on image pull times. NVMe drives (standard on CoolVDS) reduced 500MB Docker image pull times by roughly 65%.
- Pre-pulling Images: You can configure a Kubernetes DaemonSet to pre-pull common base images (like
python:3-alpineornode:16-alpine) to all nodes in your cluster.
Comparison: Public Cloud vs. CoolVDS FaaS
| Feature | Public Cloud FaaS | Self-Hosted (CoolVDS) |
|---|---|---|
| Data Location | Opaque (Region/Zone) | Exact Datacenter (Oslo/Europe) |
| Execution Time Limit | Usually 15 mins max | Unlimited |
| Cost Model | Per request + GB/second | Flat monthly fee |
| Hardware Control | None | Full Kernel/Sysctl access |
The Compliance Angle (Norwegian Context)
Operating in Norway requires strict adherence to privacy standards. By hosting your FaaS infrastructure on a provider like CoolVDS, you ensure that the physical bytes of your data do not traverse the Atlantic. You can configure your ingress controller (Nginx or Traefik) to log access strictly locally, ensuring that metadata about your users is not inadvertently siphoned into a US-based analytics aggregator.
When NOT to use this pattern
I will be the first to admit this setup isn't for a simple "Hello World" blog. It requires maintenance. You need to patch the OS. You need to monitor K3s. If your team has zero operational capability, managed services are still a valid choice—just be ready to pay the premium.
However, for teams that have outgrown the "hobby tier" of cloud providers and need serious horsepower without the serious bill, the KVM + OpenFaaS pattern is the gold standard in 2022.
Next Steps
Don't let latency or legal fears paralyze your architecture. You can build a robust, serverless platform today that you actually own.
Spin up a high-frequency NVMe instance on CoolVDS today and test the arkade install openfaas command yourself. Speed matters.