Firecracker — Secure and Fast microVMs

Bhargav Shah
6 min read · Jun 7, 2020

Firecracker microVMs - Technology behind AWS Lambda and AWS Fargate.

https://github.com/firecracker-microvm/firecracker

What is Firecracker?

Firecracker was built by developers at Amazon Web Services to enable services such as AWS Lambda and AWS Fargate to improve resource utilization and customer experience, while providing the security and isolation required of public cloud infrastructure.

Firecracker is an open source virtualization technology that is purpose-built for creating and managing secure, multi-tenant container and function-based services.

Until now, you needed to choose between containers with fast startup times and high density, or VMs with strong hardware-virtualization-based security and workload isolation. With Firecracker, you no longer have to choose. Firecracker enables you to deploy workloads in lightweight virtual machines, called microVMs, which provide enhanced security and workload isolation over traditional VMs, while enabling the speed and resource efficiency of containers. Firecracker was developed at Amazon Web Services to improve the customer experience of services like AWS Lambda and AWS Fargate.

It excludes unnecessary devices and guest functionality to reduce the memory footprint and attack surface area of each microVM. This improves security, decreases the startup time, and increases hardware utilization. Firecracker currently supports Intel CPUs, with AMD and Arm support in developer preview.

How does it work?

Firecracker runs in user space and uses the Linux Kernel-based Virtual Machine (KVM) to create microVMs. The fast startup time and low memory overhead of each microVM enable you to pack thousands of microVMs onto the same machine. This means that every function, container, or container group can be encapsulated with a virtual machine barrier, enabling workloads from different customers to run on the same machine, without any tradeoffs to security or efficiency. Firecracker is an alternative to QEMU, an established general-purpose VMM with a broad feature set that allows it to host a variety of guest operating systems.

You can control the Firecracker process via a RESTful API that enables common actions such as configuring the number of vCPUs or starting the machine. It provides built-in rate limiters, which allow you to control, at a granular level, the network and storage resources used by thousands of microVMs on the same machine. You can create and configure rate limiters via the Firecracker API and define flexible rate limiters that support bursts or specific bandwidth/operations limitations. Firecracker also provides a metadata service that securely shares configuration information between the host and guest operating system. You can set up and configure the metadata service using the Firecracker API. Each Firecracker microVM is further isolated with common Linux user-space security barriers by a companion program called “jailer”. The jailer provides a second line of defense in case the virtualization barrier is ever compromised.

Benefits of Firecracker:

Security:

Firecracker microVMs use KVM-based virtualization that provides enhanced security over traditional VMs. This ensures that workloads from different end customers can run safely on the same machine. Firecracker also implements a minimal device model that excludes all non-essential functionality and reduces the attack surface area of the microVM.

Speed:

In addition to a minimal device model, Firecracker also accelerates kernel loading and provides a minimal guest kernel configuration. This enables fast startup times. Firecracker initiates user space or application code in as little as 125 ms and supports microVM creation rates of up to 150 microVMs per second per host.

Scale and Efficiency:

Each Firecracker microVM runs with a reduced memory overhead of less than 5 MiB, enabling a high density of microVMs to be packed on each server. Firecracker provides a rate limiter built into every microVM. This enables optimized sharing of network and storage resources, even across thousands of microVMs.

Compute Oversubscription:

All of the hardware compute resources exposed by Firecracker to guests can be securely oversubscribed.

What is the difference between Firecracker and QEMU?

Firecracker is an alternative to QEMU that is purpose-built for running serverless functions and containers safely and efficiently, and nothing more. Firecracker is written in Rust and provides a minimal required device model to the guest operating system while excluding non-essential functionality (only 5 emulated devices are available: virtio-net, virtio-block, virtio-vsock, serial console, and a minimal keyboard controller used only to stop the microVM). This, along with a streamlined kernel loading process, enables a < 125 ms startup time and a < 5 MiB memory footprint. The Firecracker process also provides a RESTful control API, handles resource rate limiting for microVMs, and provides a microVM metadata service to enable the sharing of configuration data between the host and guest.

Firecracker RESTful API endpoints:
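The configuration sequence described above (boot source, a rate-limited root drive, machine sizing, then InstanceStart) sent over Firecracker's API socket, as an added example that is not code from the post or the Firecracker project. The endpoint names and token-bucket fields follow Firecracker's published REST API; the socket path, kernel and rootfs paths, and the limit values are placeholders assumed for the example.

```python
import http.client
import json
import socket

# Assumed for this example: socket path as given to --api-sock; paths/limits are placeholders.
API_SOCK = "/tmp/firecracker.socket"
HEADERS = {"Accept": "application/json", "Content-Type": "application/json"}

class UnixHTTPConnection(http.client.HTTPConnection):
    """HTTPConnection that connects to a Unix-domain socket instead of TCP."""
    def __init__(self, path):
        super().__init__("localhost")
        self.unix_path = path

    def connect(self):
        self.sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        self.sock.connect(self.unix_path)

def token_bucket(size, refill_ms, burst=0):
    """Rate-limiter bucket: `size` tokens refilled every `refill_ms` ms, plus a one-time burst."""
    return {"size": size, "one_time_burst": burst, "refill_time": refill_ms}

def microvm_config(kernel, rootfs, vcpus=2, mem_mib=512):
    """Ordered (method, path, body) calls: boot source, rate-limited root drive, sizing, start."""
    return [
        ("PUT", "/boot-source", {"kernel_image_path": kernel,
                                 "boot_args": "console=ttyS0 reboot=k panic=1 pci=off"}),
        ("PUT", "/drives/rootfs", {
            "drive_id": "rootfs", "path_on_host": rootfs,
            "is_root_device": True, "is_read_only": False,
            # cap the guest at 10 MiB/s and 1000 IOPS, allowing one 20 MiB burst
            "rate_limiter": {"bandwidth": token_bucket(10 << 20, 1000, 20 << 20),
                             "ops": token_bucket(1000, 1000)}}),
        ("PUT", "/machine-config", {"vcpu_count": vcpus, "mem_size_mib": mem_mib}),
        ("PUT", "/actions", {"action_type": "InstanceStart"}),
    ]

def apply_config(steps, sock_path=API_SOCK):
    """Send each call in order; stop at the first non-2xx so a rejected config never boots."""
    statuses = []
    for method, path, body in steps:
        conn = UnixHTTPConnection(sock_path)
        conn.request(method, path, body=json.dumps(body), headers=HEADERS)
        status = conn.getresponse().status
        conn.close()
        statuses.append(status)
        if status // 100 != 2:
            break
    return statuses
```

Run `apply_config(microvm_config("vmlinux.bin", "rootfs.ext4"))` against a Firecracker process started with `--api-sock /tmp/firecracker.socket`; the returned status list shows which step, if any, was rejected before the guest booted.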

AWS Fargate cost savings using Firecracker:

Firecracker allowed AWS to improve the efficiency of Fargate and pass on cost savings to customers.

Effective January 7th, 2019 Fargate pricing per vCPU per second is being reduced by 20%, and pricing per GB of memory per second is being reduced by 65%. Depending on the ratio of CPU to memory that you’re allocating for your containers, you could see an overall price reduction of anywhere from 35% to 50%.

More Details on,

Getting Started:

You will need an uncompressed Linux kernel binary and an ext4 file system image (to use as rootfs).

  1. To run an x86_64 guest you can download such resources from: kernel and rootfs.
  2. To run an aarch64 guest, download them from: kernel and rootfs.

Appendix A: Setting Up KVM Access

Firecracker has also been integrated into container runtimes, for example Kata Containers and Weaveworks Ignite.

What is Container Runtime?

A container runtime is software that executes containers and manages container images on a node. Today, the most widely known container runtime is Docker, but there are other container runtimes in the ecosystem, such as rkt, containerd, and lxd.

I will be doing a hello-world-like application demo using both Kata Containers and Weaveworks Ignite. Stay tuned for updates.

Thank you for reading… 😄
