“Firecracker is an open source virtualization technology that is purpose-built for creating and managing secure, multi-tenant containers and functions-based services.”
One of the great things embedded in Amazon Web Services DNA is their unparalleled vision and innovation in the compute resource space. In the cloud first era, AWS has constantly redefined what a compute resource is and should be. From the very start, AWS provided compute resource in the form of instances (virtualized servers), which quickly became the norm for customer compute resource. In more recent times, this innovation has continued in the form of services like ECS, Fargate, EKS, and Lambda, supported by underlying container technologies such as Docker. A constant theme in this innovation has been the miniaturization of compute resources, shrinking from monolithic instances to containers to serverless functions. Launching and leveraging smaller units of compute resource provides benefits to both AWS and its customers. AWS can distribute, balance and pack these smaller compute units more densely across its global, regional, and zonal physical resources. Customers can optimize their varying usage requirements versus spend equation.
AWS has leveraged container technology as an enabler for much of this miniaturization, providing a key advantage of faster launch times for the compute resource. However, running containers at scale in highly multi-tenanted environments has its own challenges, particularly when it comes to enforcing and ensuring security.
With all this in mind, AWS announced that they have made Firecracker open source at re:Invent 2018. Firecracker is their latest rethink to address the requirements of running multi-tenanted secured micro sized workloads. Firecracker provides a new type of virtualization technology which utilizes Linux KVM (Kernel-based Virtual Machines) and provides a RESTful-based API interface to a virtual machine manager (VMM). Spinning up and configuring microVMs is performed via the RESTful API. With Firecracker, you can launch literally thousands of micro-virtual machines, requiring only 5MiB of memory overhead per VM with sub-second launch time (<125ms). A microVM has all of the advantages typically associated with a virtual machine, but in a smaller and more compact footprint, accomplished without compromising on security and boundary isolation between guests on the same multi-tenanted host.
Firecracker has been designed and developed with the following key tenets :
- Built-In Security: We provide compute security barriers that enable multi-tenant workloads and cannot be mistakenly disabled by customers. Customer workloads are simultaneously considered sacred (shall not be touched) and malicious (shall be defended against).
- Light-weight Virtualization: We focus on transient or stateless workloads over long-running or persistent workloads. Firecracker’s hardware resources overhead is known and guaranteed.
- Minimalist in Features: If it’s not clearly required for our mission, we won’t build it. We maintain a single implementation per capability.
- Compute Oversubscription: All of the hardware compute resources exposed by Firecracker to guests can be securely oversubscribed.
To get Firecracker up and running you’ll need access to a bare metal server running Linux with KVM. AWS provides the i3. metal instance, but you can also run it on your workstation or other provider-supplied bare metal servers. If you’re considering using the i3.metal instance for running Firecracker, take into account the cost of running this beast (36 hyper-threaded cores, 512 GiB, 15.2TB SSD – costing $4.992 per hour On-Demand in Oregon).
From what I can tell having briefly read the docs and played with the technology, there aren’t many, if any, restrictions on what workload types can be processed within a microVM running on Firecracker. Having said that, and as the product name potentially implies, Firecracker’s niche spot is probably aimed at short-lived bursts of compute activity, since this is also evidenced by the fact that both Lambda and Fargate services now use Firecracker under the hood and were likely influencing its design. However, there really is no reason why longer-lived workloads can’t also be processed using this technology.
Let’s quickly summarize Firecracker key features:
- Millisecond launch time can be as low 125ms with 5MiB memory overhead
- Fully fledged micro virtual machines – not just containers
- Ring-fenced security and isolation enforced between microVMs on the same host
- Authored in Rust (https://www.rust-lang.org/)
- Requires Linux and KVM
- Now used internally by Fargate and Lambda
- Open sourced under the Apache version 2.0 license
- Documentation portal: https://firecracker-microvm.github.io/
- Source: https://github.com/firecracker-microvm/firecracker
Firecracker looks to be both promising and popular for provisioning compute resources. In the first 24 hours since announcement, the Firecracker GitHub repository has already accumulated 21 Pull Requests from community contributors, with several more new ones appearing during the time this blog post was authored. Indeed, this latest AWS compute resource innovation has *sparked* a lot of interest.
Go ahead and light the fuse…
Are you at re:Invent this year? Come visit us at booth #1809 and speak to a member of our team to see how we can transform your cloud training.
What Exactly Is a Cloud Architect and How Do You Become One?
One of the buzzwords surrounding the cloud that I'm sure you've heard is "Cloud Architect." In this article, I will outline my understanding of what a cloud architect does and I'll analyze the skills and certifications necessary to become one. I will also list some of the types of jobs ...
Content Roadmap: AZ-500, ITIL 4, MS-100, Google Cloud Associate Engineer, and More
Last month, Cloud Academy joined forces with QA, the UK’s largest B2B skills provider, and it put us in an excellent position to solve a massive skills gap problem. As a result of this collaboration, you will see our training library grow with additions from QA’s massive catalog of 500+...
DevSecOps: How to Secure DevOps Environments
Security has been a friction point when discussing DevOps. This stems from the assumption that DevOps teams move too fast to handle security concerns. This makes sense if Information Security (InfoSec) is separate from the DevOps value stream, or if development velocity exceeds the band...
Test Your Cloud Knowledge on AWS, Azure, or Google Cloud Platform
Cloud skills are in demand | In today's digital era, employers are constantly seeking skilled professionals with working knowledge of AWS, Azure, and Google Cloud Platform. According to the 2019 Trends in Cloud Transformation report by 451 Research: Business and IT transformations re...
Disadvantages of Cloud Computing
If you want to deliver digital services of any kind, you’ll need to estimate all types of resources, not the least of which are CPU, memory, storage, and network connectivity. Which resources you choose for your delivery — cloud-based or local — is up to you. But you’ll definitely want...
Google Cloud vs AWS: A Comparison (or can they be compared?)
The "Google Cloud vs AWS" argument used to be a common discussion among our members, but is this still really a thing? You may already know that there are three major players in the public cloud platforms arena: Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform (GCP)...
Deployment Orchestration with AWS Elastic Beanstalk
If you're responsible for the development and deployment of web applications within your AWS environment for your organization, then it's likely you've heard of AWS Elastic Beanstalk. If you are new to this service, or simply need to know a bit more about the service and the benefits th...
How to Use & Install the AWS CLI
What is the AWS CLI? | The AWS Command Line Interface (CLI) is for managing your AWS services from a terminal session on your own client, allowing you to control and configure multiple AWS services and implement a level of automation. If you’ve been using AWS for some time and feel...
Cloud Academy’s Blog Digest: July 2019
July has been a very exciting month for us at Cloud Academy. On July 10, we officially joined forces with QA, the UK’s largest B2B skills provider (read the announcement). Over the coming weeks, you will see additions from QA’s massive catalog of 500+ certification courses and 1500+ ins...
AWS Fundamentals: Understanding Compute, Storage, Database, Networking & Security
If you are just starting out on your journey toward mastering AWS cloud computing, then your first stop should be to understand the AWS fundamentals. This will enable you to get a solid foundation to then expand your knowledge across the entire AWS service catalog. It can be both d...
How to Become a DevOps Engineer
The DevOps Handbook introduces DevOps as a framework for improving the process for converting a business hypothesis into a technology-enabled service that delivers value to the customer. This process is called the value stream. Accelerate finds that applying DevOps principles of flow, f...
AWS AMI Virtualization Types: HVM vs PV (Paravirtual VS Hardware VM)
Amazon Machine Images (AWS AMI) offers two types of virtualization: Paravirtual (PV) and Hardware Virtual Machine (HVM). Each solution offers its own advantages. When we’re using AWS, it’s easy for someone — almost without thinking — to choose which AMI flavor seems best when spinning...