SLIDE 1
What is Firecracker?
- Open Source Project
- Virtual Machine Monitor (VMM)
- Runs on top of KVM
- Security and isolation of VMs
- Speed and density of container
- Low resource overhead
2
Firecracker How to Securely Run Thousands of Workloads on a Single - - PowerPoint PPT Presentation
Firecracker How to Securely Run Thousands of Workloads on a Single - - PowerPoint PPT Presentation
Firecracker How to Securely Run Thousands of Workloads on a Single Host What is Firecracker? - Open Source Project - Virtual Machine Monitor (VMM) - Runs on top of KVM - Security and isolation of VMs - Speed and density of container - Low
SLIDE 2
SLIDE 3
Why?
3
SLIDE 4
Event driven, serverless compute service
AWS Lambda
4
Upload/Write your code
Set triggers Pay only for the used compute time
SLIDE 5
AWS Lambda EC2 Model
5
Hardware EC2 Instance Lambda Env Customer Code Nitro Hypervisor EC2 Instance Lambda Env Customer Code EC2 Instance Lambda Env Customer Code EC2 Instance Lambda Env Customer Code EC2 Instance Lambda Env Customer Code
...
SLIDE 6
AWS Lambda Firecracker Model
6
Hardware Lambda Env Customer Code Lambda Env Customer Code Lambda Env Customer Code Lambda Env Customer Code Lambda Env Customer Code
...
SLIDE 7
AWS Lambda Firecracker Model (2)
7
Hardware VM Lambda Env Customer Code VM Lambda Env Customer Code VM Lambda Env Customer Code VM Lambda Env Customer Code VM Lambda Env Customer Code
...
SLIDE 8
AWS Lambda Firecracker Model (3)
8
Hardware microVM Lambda Env Customer Code microVM Lambda Env Customer Code microVM Lambda Env Customer Code microVM Lambda Env Customer Code microVM Lambda Env Customer Code
...
Firecracker Firecracker Firecracker Firecracker Firecracker
SLIDE 9
How?
9
SLIDE 10
Firecracker Security Model
10
SLIDE 11
Jailer - CGROUPS
11
- Metering and limiting Linux mechanism
- Cgroup - group of processes
- Cgroup controller - enforces limits on cgroup
processes
- 3 cgroup v1 controllers: cpu, cpuset, pids
- Numa node for the cpuset controller
SLIDE 12
Jailer - Seccomp
- Whitelist Approach
- Advanced Filtering by default:
- Syscall number
- Syscall arguments
- Execution stops on non-whitelisted syscalls
12
SLIDE 13
Other security features
- Simple Guest Model
- Written in Rust
- Static linking
13
SLIDE 14
Running Firecracker
14
SLIDE 15
What you see, is what you get
- Two static binaries
- One-shot launch of a single microVM
- rebooting a microVM =>
- killing corresponding Firecracker
- Launch a new Firecracker process
15
Firecracker microVM
SLIDE 16
Firecracker User Interface
16
HTTP Server VMM JSON deserialize struct Firecracker
SLIDE 17
VM Configuration
17
/machine-config
- vCPU Count
- Memory Size
- CPU Templates
- Topology:
- Hyperthreading
VMM VMConfig
SLIDE 18
I/O devices
18
- Block devices - backed by file on
host
- Network Interfaces - backed by TAP
device
- Virt I/O
- Rate Limiters
VMM VMConfig BlockDeviceConfigs NetworkInterfaceConfigs
SLIDE 19
Boot Source
19
VMM VMConfig BlockDeviceConfigs NetworkInterfaceConfigs BootSourceConfig
/boot-source
- Vmlinux Image (ELF for
x86_64)
- Boot Arguments
- No BIOS
SLIDE 20
Starting the microVM
20
VMM VMConfig BlockDeviceConfigs NetworkInterfaceConfigs BootSourceConfig
- Initialize memory
- Setup the interrupt controller
- Load the kernel
- Setup specific architecture
registers
- Attach legacy devices
- Attach virtio devices
- Create vcpus
- Run the vcpus
SLIDE 21
It runs, now what?
21
SLIDE 22
Operating Firecracker at scale
22
- Logging: Error, Warning, Info, Debug
- Metrics
- Flushed every 60 seconds
- API Requests, Devices
SLIDE 23
Resource Update after Boot
- Block Device:
- Path
- Size
- Network Device:
- Limit network packages
23
BlockDeviceRescan
SLIDE 24
Where are we now?
24
SLIDE 25
Thousands of microVMs on a single host
25
- Low memory footprint < 5 MiB
- CPU and memory oversubscription
- Bootime < 125 ms
- Fine grained configuration of the VM
- Guest Memory Size
- Number of vCPUs
SLIDE 26
What’s next?
26
SLIDE 27
Enabling Container Workloads
- Firecracker as a container runtime
- Vsock support - ongoing progress to replace
experimental with production ready
27
SLIDE 28
Platform Support
- AMD Support
- Status: Boots on AMD
- Next: Solve boot time issue
- ARM Support
- Status: Boot with a root filesystem (PR in progress)
- Next: Solve incorrect date
28
SLIDE 29
rust-vmm
Stay tuned...
29
SLIDE 30
Q&A
- Lightweight VMM
- < 125 ms boot time
- < 5 MiB memory
- High densities
https://github.com/firecracker-microvm
30
dpopa@amazon.com