firecracker
play

Firecracker How to Securely Run Thousands of Workloads on a Single - PowerPoint PPT Presentation

Mar 25, 2023 •377 likes •697 views

Firecracker How to Securely Run Thousands of Workloads on a Single Host What is Firecracker? - Open Source Project - Virtual Machine Monitor (VMM) - Runs on top of KVM - Security and isolation of VMs - Speed and density of container - Low

  1. Firecracker How to Securely Run Thousands of Workloads on a Single Host

  2. What is Firecracker? - Open Source Project - Virtual Machine Monitor (VMM) - Runs on top of KVM - Security and isolation of VMs - Speed and density of container - Low resource overhead 2

  3. Why? 3

  4. AWS Lambda Event driven, serverless compute service Upload/Write Set triggers Pay only for the used your code compute time 4

  5. AWS Lambda EC2 Model Customer Customer Customer Customer Customer ... Code Code Code Code Code Lambda Lambda Lambda Lambda Lambda Env Env Env Env Env EC2 Instance EC2 Instance EC2 Instance EC2 Instance EC2 Instance Nitro Hypervisor Hardware 5

  6. AWS Lambda Firecracker Model Customer Customer Customer Customer Customer ... Code Code Code Code Code Lambda Lambda Lambda Lambda Lambda Env Env Env Env Env Hardware 6

  7. AWS Lambda Firecracker Model (2) Customer Customer Customer Customer Customer ... Code Code Code Code Code Lambda Lambda Lambda Lambda Lambda Env Env Env Env Env VM VM VM VM VM Hardware 7

  8. AWS Lambda Firecracker Model (3) Customer Customer Customer Customer Customer ... Code Code Code Code Code Lambda Lambda Lambda Lambda Lambda Env Env Env Env Env microVM microVM microVM microVM microVM Firecracker Firecracker Firecracker Firecracker Firecracker Hardware 8

  9. How? 9

  10. Firecracker Security Model 10

  11. Jailer - CGROUPS Metering and limiting Linux mechanism - - Cgroup - group of processes - Cgroup controller - enforces limits on cgroup processes 3 cgroup v1 controllers: cpu, cpuset , pids - - Numa node for the cpuset controller 11

  12. Jailer - Seccomp - Whitelist Approach - Advanced Filtering by default: - Syscall number - Syscall arguments - Execution stops on non-whitelisted syscalls 12

  13. Other security features - Simple Guest Model - Written in Rust - Static linking 13

  14. Running Firecracker 14

  15. What you see, is what you get - Two static binaries - One-shot launch of a single microVM - rebooting a microVM => - killing corresponding Firecracker - Launch a new Firecracker process Firecracker microVM 15

  16. Firecracker User Interface JSON struct VMM HTTP Server deserialize Firecracker 16

  17. VM Configuration /machine-config VMM - vCPU Count - Memory Size VMConfig - CPU Templates - Topology: - Hyperthreading 17

  18. I/O devices - Block devices - backed by file on host VMM - Network Interfaces - backed by TAP VMConfig device BlockDeviceConfigs - Virt I/O - Rate Limiters NetworkInterfaceConfigs 18

  19. Boot Source /boot-source - Vmlinux Image (ELF for VMM x86_64) VMConfig - Boot Arguments - No BIOS BlockDeviceConfigs NetworkInterfaceConfigs BootSourceConfig 19

  20. Starting the microVM VMM - Initialize memory - Setup the interrupt controller VMConfig - Load the kernel - Setup specific architecture BlockDeviceConfigs registers NetworkInterfaceConfigs - Attach legacy devices - Attach virtio devices BootSourceConfig - Create vcpus - Run the vcpus 20

  21. It runs, now what? 21

  22. Operating Firecracker at scale - Logging: Error, Warning, Info, Debug - Metrics - Flushed every 60 seconds - API Requests, Devices 22

  23. Resource Update after Boot - Block Device: - Path BlockDeviceRescan - Size - Network Device: - Limit network packages 23

  24. Where are we now? 24

  25. Thousands of microVMs on a single host - Low memory footprint < 5 MiB - CPU and memory oversubscription - Bootime < 125 ms - Fine grained configuration of the VM - Guest Memory Size - Number of vCPUs 25

  26. What’s next? 26

  27. Enabling Container Workloads - Firecracker as a container runtime - Vsock support - ongoing progress to replace experimental with production ready 27

  28. Platform Support - AMD Support - Status: Boots on AMD - Next: Solve boot time issue - ARM Support - Status: Boot with a root filesystem (PR in progress) - Next: Solve incorrect date 28

  29. rust-vmm Stay tuned... 29

  30. - Lightweight VMM - < 125 ms boot time - < 5 MiB memory - High densities Q&A https://github.com/firecracker-microvm dpopa@amazon.com 30

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

rust-vmm Building the Virtualization Stack of the Future Andreea Florescu

rust-vmm Building the Virtualization Stack of the Future Andreea Florescu

rust-vmm Building the Virtualization Stack of the Future Andreea Florescu &lt;fandree@amazon.com&gt; - Open Source Enthusiast Who am I? - Software Development Engineer @ Amazon - Firecracker maintainer - rust-vmm contributor 2 VMM or

726 views • 35 slides
QMPI: A Library for Multithreaded MPI Applications Alex Brooks Hoang-Vu Dang Marc Snir Outline

QMPI: A Library for Multithreaded MPI Applications Alex Brooks Hoang-Vu Dang Marc Snir Outline

QMPI: A Library for Multithreaded MPI Applications Alex Brooks Hoang-Vu Dang Marc Snir Outline Motivation Communication Model Qthreads QMPI Summary 2 MOTIVATION 3 Issue Large numbers of threads performing

329 views • 30 slides
Generating Plans in Concurrent, Probabilistic, Oversubscribed Domains Li Li and Nilufer Onder

Generating Plans in Concurrent, Probabilistic, Oversubscribed Domains Li Li and Nilufer Onder

Generating Plans in Concurrent, Probabilistic, Oversubscribed Domains Li Li and Nilufer Onder Department of Computer Science Michigan Technological University (Presented by: Li Li) AAAI 08 Chicago July 16, 2008 Outline Example domain

485 views • 36 slides
Fast In Memory Checkpointing with POSIX API for Legacy Exascale Applications Jan Fajerski,

Fast In Memory Checkpointing with POSIX API for Legacy Exascale Applications Jan Fajerski,

Fast In Memory Checkpointing with POSIX API for Legacy Exascale Applications Jan Fajerski, Matthias Noack, Alexander Reinefeld, Florian Schintke, Thorsten Schtt, Thomas Steinke Zuse Institute Berlin SPPEXA Symposium, 26.01.2016 FFMK: A

603 views • 23 slides
The Impact of Process Placement and Oversubscription on Application Performance: A Case Study for

The Impact of Process Placement and Oversubscription on Application Performance: A Case Study for

The Impact of Process Placement and Oversubscription on Application Performance: A Case Study for Exascale Computing Florian Wende, Thomas Steinke, Alexander Reinefeld Zuse Institute Berlin EASC2015: EXASCALE APPLICATIONS AND SOFTWARE CONFERENCE

416 views • 24 slides
Customer Performance Jim Warner University of California Santa Cruz March 2014 Exaggerated

Customer Performance Jim Warner University of California Santa Cruz March 2014 Exaggerated

Wireless Carrier Claims versus Customer Performance Jim Warner University of California Santa Cruz March 2014 Exaggerated claims might have an economic impact. What about over subscription reducing performance during high use? What is

307 views • 9 slides
CloudMirror : T enant Network Abstraction that Reflects Applications Needs Myungjin Lee

CloudMirror : T enant Network Abstraction that Reflects Applications Needs Myungjin Lee

CloudMirror : T enant Network Abstraction that Reflects Applications Needs Myungjin Lee University of Edinburgh In collaboration with: Jeongkeun JK Lee, Lucian Popa, Bryan Stephenson, Yoshio Turner, Sujata Banerjee, Puneet Sharma

564 views • 19 slides
Concise parallelism Natural C/C++ Parallelism A single operator to control multiple parallel

Concise parallelism Natural C/C++ Parallelism A single operator to control multiple parallel

Concise parallelism Natural C/C++ Parallelism A single operator to control multiple parallel programming paradigms void salute() { parallel() { Natural C/C++ semantics int idx = pix(); and variable visibility A single operator to serial() rules

302 views • 8 slides
2017 Primary Intake Admissions Briefings Fair Access September 2016 Changes for 2016 New IT

2017 Primary Intake Admissions Briefings Fair Access September 2016 Changes for 2016 New IT

2017 Primary Intake Admissions Briefings Fair Access September 2016 Changes for 2016 New IT System Main application process remains unchanged The full scheme can be found on: www.kent.gov.uk/admissionscriteria Key Dates for Parents

1.09k views • 51 slides
OVE OVERTIME RTIME RU RULES LES TROY T. SEIBEL COMMISSIONER OF LABOR NORTH DAKOTA DEPARTMENT

OVE OVERTIME RTIME RU RULES LES TROY T. SEIBEL COMMISSIONER OF LABOR NORTH DAKOTA DEPARTMENT

7/1/2016 Jun June e 2 2 , 2 2 , 2 0 2 016 HR CONTACTS MEETING 1 :3 0 p.m 1 :3 0 p .m. ITD B ITD Bui uild lding, g, Rm Rm 4 2 5 4 2 5 Welc elcome me &amp; &amp; Int Introduc ucti tions s - Becky Becky Sicb Sicble le

172 views • 5 slides
A dynamic service mechanic problem for a housing corporation Marloes Cremers

A dynamic service mechanic problem for a housing corporation Marloes Cremers

05-13-08 | 1 A dynamic service mechanic problem for a housing corporation Marloes Cremers m.l.a.g.cremers@rug.nl Joint work with Joaquim Gromicho (Ortec, VU) Wim Klein Haneveld Maarten van der Vlerk 05-13-08 | 2 Outline Introduction

386 views • 22 slides
Compensation Policies for University Staff (Effective July 1, 2015) Breakout Session Agenda

Compensation Policies for University Staff (Effective July 1, 2015) Breakout Session Agenda

Compensation Policies for University Staff (Effective July 1, 2015) Breakout Session Agenda Background Definitions Key Elements of the Compensation Policies Q &amp; A Background Why are we changing our compensation policies?

560 views • 19 slides
+ Decision Structures &amp; Boolean Logic CSCI-UA.002 + Sequence Structures n What we have been

+ Decision Structures &amp; Boolean Logic CSCI-UA.002 + Sequence Structures n What we have been

+ Decision Structures &amp; Boolean Logic CSCI-UA.002 + Sequence Structures n What we have been programming so far is known as a sequence structure n Sequence structures are sets of statements that execute in the order in which they

882 views • 74 slides
s rs stts r Pr tt

s rs stts r Pr tt

s rs stts r Pr tt t r t r t r

1.15k views • 25 slides
RCC: High-Throughput Secure Transaction Processing Shawn Qiu, Di Zhao Introduction Resilient

RCC: High-Throughput Secure Transaction Processing Shawn Qiu, Di Zhao Introduction Resilient

RCC: High-Throughput Secure Transaction Processing Shawn Qiu, Di Zhao Introduction Resilient Concurrent Consensus is a paradigm used to increase throughput of consensus protocols such as PBFT , HotStuff , ZYZZYVA, etc Works with

816 views • 26 slides
Stellar Transactions Saravanan Vijayakumaran sarva@ee.iitb.ac.in Department of Electrical

Stellar Transactions Saravanan Vijayakumaran sarva@ee.iitb.ac.in Department of Electrical

Stellar Transactions Saravanan Vijayakumaran sarva@ee.iitb.ac.in Department of Electrical Engineering Indian Institute of Technology Bombay September 26, 2019 1 / 13 Stellar Transactions Commands to modify ledger state Contain upto

297 views • 13 slides
t Wait a few blocks until you Txn=#871 George Anna 1 . can say that the transaction is

t Wait a few blocks until you Txn=#871 George Anna 1 . can say that the transaction is

RECAP View of someone who wants to make a transaction Block = # Prev = # B 1 B 2 ... B 8 B 9 B 10 B ... B Txn #871 t Wait a few blocks until you Txn=#871 George Anna 1 . can say that the transaction is

580 views • 20 slides
Setting DBMS must allow concurrent access to databases. Imagine a bank where account

Setting DBMS must allow concurrent access to databases. Imagine a bank where account

Setting DBMS must allow concurrent access to databases. Imagine a bank where account information is Database Transactions stored in a database not allowing concurrent access. Then only one person could do a withdrawal in an ATM machine

583 views • 9 slides
Building Your Personal Brand IT REALLY IS ALL ABOUT YOU! Discover and Create your own brand

Building Your Personal Brand IT REALLY IS ALL ABOUT YOU! Discover and Create your own brand

Building Your Personal Brand IT REALLY IS ALL ABOUT YOU! Discover and Create your own brand Lets do our own research: How many brands of shampoo can you name? Lets do our own research: How many brands of shampoo can you name? The

590 views • 47 slides
JavaD: Bringing Ownership Domains to Mainstream Java Marwan Abi-Antoun Ph.D. Project

JavaD: Bringing Ownership Domains to Mainstream Java Marwan Abi-Antoun Ph.D. Project

JavaD: Bringing Ownership Domains to Mainstream Java Marwan Abi-Antoun Ph.D. Project Presentation 17-754: Analysis of Software Artifacts Some slides adapted from a talk by Neelakantan Krishnaswami

628 views • 11 slides
Ownership and Immutability in Generic Java (OIGJ) Yoav Zibin + , Alex Potanin * Paley Li * ,

Ownership and Immutability in Generic Java (OIGJ) Yoav Zibin + , Alex Potanin * Paley Li * ,

Ownership and Immutability in Generic Java (OIGJ) Yoav Zibin + , Alex Potanin * Paley Li * , Mahmood Ali ^ , and Michael Ernst $ Presenter: Yossi Gil + + IBM * Victoria,NZ ^ MIT $ Washington Ownership + Immutability Our previous work OGJ:

517 views • 22 slides
Object Ownership in Program Verification Werner Dietl - University of Washington Peter Mller -

Object Ownership in Program Verification Werner Dietl - University of Washington Peter Mller -

Object Ownership in Program Verification Werner Dietl - University of Washington Peter Mller - ETH Zrich Presentation by Roman Schmocker Motivation Object Ownership The basic concepts Goal: Information on Heap structuring

527 views • 27 slides
Whats next for Traditional Functional QA Managers? JIM TRENTADUE OCTOBER 2017

Whats next for Traditional Functional QA Managers? JIM TRENTADUE OCTOBER 2017

NW SOFTW ARE QUALITY CIFIC CONFERENCE A P Whats next for Traditional Functional QA Managers? JIM TRENTADUE OCTOBER 2017 JIM.TRENTADUE@OUTLOOK.COM PNSQC NW SOFTW ARE QUALITY CIFIC CONFERENCE A P Agenda Agile evolution

631 views • 15 slides
Selective Ownership: Combining Object and Type Hierarchies for Flexible Sharing Stephanie

Selective Ownership: Combining Object and Type Hierarchies for Flexible Sharing Stephanie

Selective Ownership: Combining Object and Type Hierarchies for Flexible Sharing Stephanie Balzer, Thomas R. Gross, and Peter Mller School of Computer Science, Carnegie Mellon University Department of Computer Science, ETH Zurich FOOL 2012

1.53k views • 130 slides

More recommend