Firecracker: How to Securely Run Thousands of Workloads on a Single Host

What is Firecracker?
- Open source project
- Virtual Machine Monitor (VMM)
- Runs on top of KVM
- Security and isolation of VMs
- Speed and density of containers
- Low resource overhead

Why?

AWS Lambda
Event-driven, serverless compute service
- Upload/write your code
- Set triggers
- Pay only for the compute time used
AWS Lambda EC2 Model (diagram): each customer's code runs in a Lambda environment inside its own EC2 instance; the EC2 instances run on the Nitro Hypervisor on shared hardware.

AWS Lambda Firecracker Model (diagram): each customer's code runs in a Lambda environment; the environments sit directly above the hardware.

AWS Lambda Firecracker Model (2) (diagram): each Lambda environment runs inside its own VM on the hardware.

AWS Lambda Firecracker Model (3) (diagram): each Lambda environment runs inside its own microVM, each microVM is run by its own Firecracker process, and the Firecracker processes share the hardware.
How?

Firecracker Security Model

Jailer - cgroups
- Linux mechanism for metering and limiting resources
- Cgroup: a group of processes
- Cgroup controller: enforces limits on the processes in a cgroup
- 3 cgroup v1 controllers: cpu, cpuset, pids
- NUMA node for the cpuset controller

Jailer - Seccomp
- Whitelist approach
- Advanced filtering by default:
  - Syscall number
  - Syscall arguments
- Execution stops on non-whitelisted syscalls
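The whitelist approach on this slide, as an added example that is not Firecracker's own (much larger) filter: a seccomp-BPF program, installed with prctl, that allows only exit, exit_group and write, checks write's first argument (the fd) as well as the syscall number, and kills the process on anything else. It assumes Linux on x86_64 or aarch64 and a glibc whose syscall() issues the raw syscall; run_sandboxed forks a child under the filter and reports how the child ended.

```c
#define _DEFAULT_SOURCE 1                     /* fork, waitpid, prctl, syscall */
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <signal.h>
#include <stddef.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>
#if defined(__aarch64__)
#define ARCH_NR AUDIT_ARCH_AARCH64
#else
#define ARCH_NR AUDIT_ARCH_X86_64             /* assumption: otherwise x86_64 */
#endif
#ifndef SECCOMP_RET_KILL_PROCESS              /* pre-4.14 headers: fall back to thread kill */
#define SECCOMP_RET_KILL_PROCESS SECCOMP_RET_KILL
#endif
/* Whitelist: exit_group, exit, and write() only when fd is 1 or 2; anything else kills. */
static int install_whitelist(void) {
    struct sock_filter filter[] = {
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, ARCH_NR, 1, 0),          /* foreign ABI -> kill */
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS),
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_exit_group, 5, 0),  /* -> ALLOW */
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_exit, 4, 0),        /* -> ALLOW */
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_write, 0, 4),       /* other nr -> KILL */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, args[0])),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, 1, 1, 0),                /* fd 1 -> ALLOW */
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, 2, 0, 1),                /* fd 2 -> ALLOW, else KILL */
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS),
    };
    struct sock_fprog prog = { .len = sizeof filter / sizeof filter[0], .filter = filter };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1;  /* required without CAP_SYS_ADMIN */
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}
/* Fork a child under the whitelist: 0 = clean exit, >0 = signal that killed it, <0 = error. */
int run_sandboxed(int attempt_forbidden) {
    pid_t pid = fork(); if (pid < 0) return -1;
    if (pid == 0) {
        if (install_whitelist() != 0) _exit(2);
        if (attempt_forbidden) syscall(SYS_getpid);   /* not whitelisted: SIGSYS here */
        write(1, "child: whitelisted write\n", 25); _exit(0);
    }
    int status = 0; if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFSIGNALED(status) ? WTERMSIG(status) : -WEXITSTATUS(status);
}
```

Note the arch check: syscall numbers differ between ABIs, so a filter that trusts the number without checking the architecture can be bypassed by switching ABI.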
Other security features
- Simple guest model
- Written in Rust
- Static linking

Running Firecracker

What you see is what you get
- Two static binaries
- One-shot launch of a single microVM
- Rebooting a microVM means:
  - killing the corresponding Firecracker process
  - launching a new Firecracker process
(diagram: one Firecracker process per microVM)

Firecracker User Interface
(diagram: a JSON struct is sent to the HTTP server inside Firecracker, which deserializes it and hands the result to the VMM)

VM Configuration: /machine-config
- vCPU count
- Memory size
- CPU templates
- Topology: hyperthreading
(diagram: the VMM holds a VMConfig)

I/O devices
- Block devices: backed by a file on the host
- Network interfaces: backed by a TAP device
- Virtio
- Rate limiters
(diagram: VMConfig gains BlockDeviceConfigs and NetworkInterfaceConfigs)

Boot Source: /boot-source
- vmlinux image (ELF for x86_64)
- Boot arguments
- No BIOS
(diagram: VMConfig gains a BootSourceConfig)

Starting the microVM
- Initialize memory
- Set up the interrupt controller
- Load the kernel
- Set up architecture-specific registers
- Attach legacy devices
- Attach virtio devices
- Create vCPUs
- Run the vCPUs
(diagram: the VMM consumes the full VMConfig: BlockDeviceConfigs, NetworkInterfaceConfigs, BootSourceConfig)

It runs, now what?

Operating Firecracker at scale
- Logging: Error, Warning, Info, Debug
- Metrics
  - Flushed every 60 seconds
  - API requests, devices
Resource Update after Boot
- Block device: path, size (BlockDeviceRescan)
- Network device: limit network packets
Where are we now?
Thousands of microVMs on a single host
- Low memory footprint: < 5 MiB
- CPU and memory oversubscription
- Boot time < 125 ms
- Fine-grained configuration of the VM
  - Guest memory size
  - Number of vCPUs
What's next?

Enabling Container Workloads
- Firecracker as a container runtime
- Vsock support: ongoing work to replace the experimental implementation with a production-ready one

Platform Support
- AMD support
  - Status: boots on AMD
  - Next: solve the boot time issue
- ARM support
  - Status: boots with a root filesystem (PR in progress)
  - Next: solve the incorrect date

rust-vmm
Stay tuned...

- Lightweight VMM
- < 125 ms boot time
- < 5 MiB memory
- High densities

Q&A
https://github.com/firecracker-microvm
dpopa@amazon.com