It doesn't work with Docker, K8s right now, but everyone's going nuts anyway for AWS's Firecracker microVMs

If it's good enough for Lambda and Fargate, it's probably good enough for you

re:Invent Pay-or-else compute biz AWS lit the fuse for Firecracker, the virtualization technology it uses to power its serverless Lambda offering and its Fargate managed container contrivance.

Firecracker, now available as open source on GitHub, relies on the Linux Kernel-based Virtual Machine (KVM) to create a new flavor of lightweight VMs. These microVMs strive to combine the security and isolation of virtual machines with the speed and resource thrift of containers.

"You can launch lightweight micro-virtual machines (microVMs) in non-virtualized environments in a fraction of a second, taking advantage of the security and workload isolation provided by traditional VMs and the resource efficiency that comes along with containers," said Jeff Barr, chief evangelist for AWS, in a blog post.

The software represents an attempt to create a virtualization technology better suited to event-driven, transient workloads – serverless applications that sit around doing nothing then suddenly spin up resources before going idle again.

According to AWS, Firecracker can launch user space or application code in less than 125ms and microVMs at a rate of 150 per second per host. It churns out fairly compact microVMs too, with each requiring less than 5MiB of memory overhead, so thousands can co-exist on a single server. The compute-only guest CPU performance reaches more than 95 per cent of bare-metal, per the spec.

Other virtualization projects such as Kata Containers and gVisor, have pursued similar goals.

Firecracker strives to be more minimalistic: It emulates only four devices – virtio-net, virtio-block, serial console, and a single button keyboard controller to stop the microVM – and its kernel loading process has been optimized. It also includes a RESTful control API, handles resource rate limiting, and supports a microVM metadata service for passing config data between the host and guest.

AWS boss Andy Jassy speaking at AWS SFO Summit 2015

Amazon's homegrown 2.3GHz 64-bit Graviton processor was very nearly an AMD Arm CPU


Firecracker was derived from Chromium OS's Virtual Machine Monitor (crosvm), an open source virtual machine monitor (VMM) written in Rust.

The project may be the highest profile production deployment of Rust, a programming language backed by Mozilla that has become more popular lately.

"In the fall of 2017, we decided to write Firecracker in Rust, a modern programming language that guarantees thread and memory safety and prevents buffer overflows and many other types of memory safety errors that can lead to security vulnerabilities," explained Arun Gupta, principal open source technologist, and Linda Lian, senior product marketing manager, in a blog post.

Firecracker is designed to be processor agnostic, though at present it runs only on Intel hardware, under Linux kernel version 4.14 or later; AMD and Arm support is coming in 2019 according to AWS.

It doesn't presently work with Docker or container orchestrator Kubernetes, but AWS has built prototype code that lets containerd, a container runtime, manage containers as Firecracker microVMs. With further work, Docker and Kubernetes compatibility may emerge.

By releasing Firecracker under an open source Apache 2.0 licensing, AWS hopes other developers and organizations will advance the virtualization tech even further. ®

Broader topics

Other stories you might like

  • AWS says it will cloudify your mainframe workloads
    Buyer beware, say analysts, technical debt will catch up with you eventually

    AWS is trying to help organizations migrate their mainframe-based workloads to the cloud and potentially transform them into modern cloud-native services.

    The Mainframe Modernization initiative was unveiled at the cloud giant's Re:Invent conference at the end of last year, where CEO Adam Selipsky claimed that "customers are trying to get off their mainframes as fast as they can."

    Whether this is based in reality or not, AWS concedes that such a migration will inevitably involve the customer going through a lengthy and complex process that requires multiple steps to discover, assess, test, and operate the new workload environments.

    Continue reading
  • Oracle cloud growth up 19% but it's still a market minnow
    Acquisition of health data specialist Cerner adds $15.8b to Big Red's debt

    Oracle has impressed the markets with strong revenue growth for cloud infrastructure and applications-as-a-service.

    However, Oracle is still struggling to gain a larger share of the global cloud market, where it lags behind AWS, Microsoft Azure, and Google Cloud.

    Big Red's total revenue for Q4, which ended May 31, hit $11.8 billion, up 5 per cent on the same period a year ago. Total cloud revenue, including infrastructure and software-as-a-service, reached $2.9 billion, up 19 percent. Cloud ERP Fusion revenue increased 20 percent while NetSuite ERP cloud revenue grew 27 per cent.

    Continue reading
  • Mega's unbreakable encryption proves to be anything but
    Boffins devise five attacks to expose private files

    Mega, the New Zealand-based file-sharing biz co-founded a decade ago by Kim Dotcom, promotes its "privacy by design" and user-controlled encryption keys to claim that data stored on Mega's servers can only be accessed by customers, even if its main system is taken over by law enforcement or others.

    The design of the service, however, falls short of that promise thanks to poorly implemented encryption. Cryptography experts at ETH Zurich in Switzerland on Tuesday published a paper describing five possible attacks that can compromise the confidentiality of users' files.

    The paper [PDF], titled "Mega: Malleable Encryption Goes Awry," by ETH cryptography researchers Matilda Backendal and Miro Haller, and computer science professor Kenneth Paterson, identifies "significant shortcomings in Mega’s cryptographic architecture" that allow Mega, or those able to mount a TLS MITM attack on Mega's client software, to access user files.

    Continue reading

Biting the hand that feeds IT © 1998–2022