Firecracker is a virtual machine monitor built on the Linux Kernel-based Virtual Machine (KVM). It creates minimalist micro virtual machines (microVMs) and can pack thousands of them onto a single machine; the small footprint gives faster startup times and a reduced attack surface. In a demo at this week’s re:Invent conference, Firecracker spun up 4,000 microVMs on one machine.
Firecracker also allows container runtimes such as containerd to manage containers as microVMs, which lets Docker and container orchestration frameworks like Kubernetes use Firecracker. However, initial integration with Kubernetes is limited to external APIs.
This minimal design does not support graphics, accelerators, hardware pass-through, or most legacy devices. It essentially acts as a next-generation hypervisor targeted at serverless workloads like functions and containers.
Firecracker sits below AWS’ Lambda and Fargate platforms. Lambda is AWS’ serverless architecture, while Fargate is a runtime layer on EC2 that allows customers to run containers without managing servers and clusters.
Lambda uses Firecracker for provisioning and running sandboxes where customer code is executed. Fargate uses Firecracker to more rapidly provision bare metal instances and improve density of deployments without impacting security. This will eventually lower the cost of running serverless container architectures.
Firecracker is initially designed to run on Intel processors, with support for AMD and Arm architectures coming next year.
The Firecracker security concept is similar to that of the Kata and Nabla container platforms introduced earlier this year.
The Kata container platform implements isolation by running a dedicated kernel within each container. This removes an attacker’s ability to pivot from a compromised container, through a shared kernel, to other running containers. The Kata container platform essentially acts as a lighter-weight VM that can operate in a container environment.
Firecracker is being positioned as a next-generation Kata that is more focused on modern workloads.
The Nabla container platform is focused on making containers as secure as VMs. It tackles security by limiting the amount of interaction – in the form of system calls – a Nabla container can have with other containers or the host. This reduces the attack surface available to an attacker.
This design differs from traditional Docker-based containers, in which all running containers share the host kernel, leading to far more interaction between the host and the running container pods.
Open Source Concerns
AWS has been criticized by many for not being an active participant in the open source community. But that may be changing. The company went to great lengths to note the open source nature of the Firecracker platform and its current work, or plans to work, with the open source community. The platform is licensed under Apache 2.0.
“By open sourcing Firecracker, we not only invite you to a deeper examination of the foundational technologies that we are building to underpin the future of serverless computing, but we also hope that you will join us in strengthening and improving Firecracker,” explained Arun Gupta, principal open source technologist at AWS, in a blog post.
Some who have looked into the Firecracker specs have noted that at this point AWS retains nearly full control, though that might be expected, since the platform has only just been pushed into the open source community.