Firecracker: How to Securely Run Thousands of Workloads on a Single Host - PowerPoint PPT Presentation



  1. Firecracker: How to Securely Run Thousands of Workloads on a Single Host

  2. What is Firecracker?
  - Open source project
  - Virtual Machine Monitor (VMM)
  - Runs on top of KVM
  - Security and isolation of VMs
  - Speed and density of containers
  - Low resource overhead

  3. Why?

  4. AWS Lambda
  Event-driven, serverless compute service
  - Upload/write your code
  - Set triggers
  - Pay only for the compute time used

  5. AWS Lambda EC2 Model (diagram: per-customer stacks of Customer Code / Lambda Env / EC2 Instance, all on the Nitro Hypervisor and Hardware)

  6. AWS Lambda Firecracker Model (diagram: per-customer stacks of Customer Code / Lambda Env directly on Hardware)

  7. AWS Lambda Firecracker Model (2) (diagram: per-customer stacks of Customer Code / Lambda Env / VM on Hardware)

  8. AWS Lambda Firecracker Model (3) (diagram: per-customer stacks of Customer Code / Lambda Env / microVM / Firecracker on Hardware)

  9. How?

  10. Firecracker Security Model

  11. Jailer - Cgroups
  - Linux mechanism for metering and limiting
  - Cgroup: a group of processes
  - Cgroup controller: enforces limits on the processes in a cgroup
  - 3 cgroup v1 controllers: cpu, cpuset, pids
  - NUMA node for the cpuset controller

  12. Jailer - Seccomp
  - Whitelist approach
  - Advanced filtering by default:
    - Syscall number
    - Syscall arguments
  - Execution stops on non-whitelisted syscalls

  13. Other security features
  - Simple guest model
  - Written in Rust
  - Static linking

  14. Running Firecracker

  15. What you see is what you get
  - Two static binaries
  - One-shot launch of a single microVM
  - Rebooting a microVM =>
    - Killing the corresponding Firecracker process
    - Launching a new Firecracker process
  (diagram: one Firecracker process with its microVM)

  16. Firecracker User Interface (diagram: a JSON struct is sent to the HTTP server inside Firecracker, deserialized, and handed to the VMM)

  17. VM Configuration (/machine-config)
  - vCPU count
  - Memory size
  - CPU templates
  - Topology:
    - Hyperthreading
  (diagram: VMM holding a VMConfig)

  18. I/O devices
  - Block devices: backed by a file on the host
  - Network interfaces: backed by a TAP device
  - Virtio
  - Rate limiters
  (diagram: VMM holding VMConfig, BlockDeviceConfigs and NetworkInterfaceConfigs)

  19. Boot Source (/boot-source)
  - vmlinux image (ELF for x86_64)
  - Boot arguments
  - No BIOS
  (diagram: VMM holding VMConfig, BlockDeviceConfigs, NetworkInterfaceConfigs and BootSourceConfig)

  20. Starting the microVM
  - Initialize memory
  - Set up the interrupt controller
  - Load the kernel
  - Set up architecture-specific registers
  - Attach legacy devices
  - Attach virtio devices
  - Create vCPUs
  - Run the vCPUs
  (diagram: VMM holding VMConfig, BlockDeviceConfigs, NetworkInterfaceConfigs and BootSourceConfig)
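The configure-and-boot sequence of slides 16 to 20 (VM configuration, boot source, I/O devices with rate limiters, then the start action), as an added example that is not from the slides or the Firecracker project: a minimal Python client that sends the JSON configuration to Firecracker's HTTP API over its Unix socket. The socket path, kernel and rootfs paths, TAP device name and bandwidth value are assumptions; the `ht_enabled` key is the one used by the API of this era, which later releases renamed to `smt`.

```python
import http.client
import json
import socket

class FirecrackerConn(http.client.HTTPConnection):
    # HTTP over the Unix socket on which Firecracker's API server listens.
    def __init__(self, socket_path):
        super().__init__("localhost")  # Host header only; transport is AF_UNIX
        self.socket_path = socket_path

    def connect(self):
        self.sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        self.sock.connect(self.socket_path)

def token_bucket(size_bytes, refill_ms=1000):
    # Firecracker rate limiter: a bucket of size_bytes tokens refilled every refill_ms.
    return {"bandwidth": {"size": size_bytes, "one_time_burst": 0, "refill_time": refill_ms}}

def microvm_requests(vcpus, mem_mib, kernel, rootfs, tap, net_bytes_per_s):
    """Ordered PUTs that configure and boot one microVM: VM config, boot
    source, I/O devices (with rate limiters), then InstanceStart."""
    return [
        ("PUT", "/machine-config",  # this API era used ht_enabled; v1.0+ names it smt
         {"vcpu_count": vcpus, "mem_size_mib": mem_mib, "ht_enabled": False}),
        ("PUT", "/boot-source",
         {"kernel_image_path": kernel,
          "boot_args": "console=ttyS0 reboot=k panic=1 pci=off"}),
        ("PUT", "/drives/rootfs",  # read-only root: the guest cannot modify its image
         {"drive_id": "rootfs", "path_on_host": rootfs,
          "is_root_device": True, "is_read_only": True}),
        ("PUT", "/network-interfaces/eth0",
         {"iface_id": "eth0", "host_dev_name": tap,
          "rx_rate_limiter": token_bucket(net_bytes_per_s),
          "tx_rate_limiter": token_bucket(net_bytes_per_s)}),
        ("PUT", "/actions", {"action_type": "InstanceStart"}),
    ]

def apply_requests(socket_path, requests):
    """Send each request on its own connection. Firecracker answers 204 on
    success and 400 with a JSON fault_message otherwise; stop on first failure."""
    for method, path, body in requests:
        conn = FirecrackerConn(socket_path)
        conn.request(method, path, body=json.dumps(body),
                     headers={"Content-Type": "application/json"})
        resp = conn.getresponse()
        data = resp.read()
        conn.close()
        if resp.status >= 400:
            raise RuntimeError(f"{method} {path} -> {resp.status}: {data.decode()}")
```

A run against a live instance would be `apply_requests("/tmp/firecracker.socket", microvm_requests(2, 512, "/tmp/vmlinux", "/tmp/rootfs.ext4", "tap0", 1048576))`, with the paths and TAP name being assumed values.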

  21. It runs, now what?

  22. Operating Firecracker at scale
  - Logging: Error, Warning, Info, Debug
  - Metrics
    - Flushed every 60 seconds
    - API requests, devices

  23. Resource Update after Boot
  - Block device (BlockDeviceRescan):
    - Path
    - Size
  - Network device:
    - Limit network packets

  24. Where are we now?

  25. Thousands of microVMs on a single host
  - Low memory footprint: < 5 MiB
  - CPU and memory oversubscription
  - Boot time: < 125 ms
  - Fine-grained configuration of the VM
    - Guest memory size
    - Number of vCPUs

  26. What's next?

  27. Enabling Container Workloads
  - Firecracker as a container runtime
  - Vsock support: ongoing work to replace the experimental implementation with a production-ready one

  28. Platform Support
  - AMD support
    - Status: boots on AMD
    - Next: solve boot time issue
  - ARM support
    - Status: boots with a root filesystem (PR in progress)
    - Next: solve incorrect date

  29. rust-vmm: stay tuned...

  30. Q&A
  - Lightweight VMM
  - < 125 ms boot time
  - < 5 MiB memory
  - High densities
  https://github.com/firecracker-microvm
  dpopa@amazon.com
