
Firecracker MicroVM

Firecracker

Virtual Machine Monitor (VMM): the userspace process that owns a VM's devices and memory and drives the hypervisor

Uses KVM (Linux Kernel-based Virtual Machine) as the hypervisor

  • Security and isolation of traditional VMs
  • Speed and density of containers
  • Low Resource overhead
  • Developed at Amazon

Benefits of Firecracker

  • Security - each workload boots in its own guest kernel behind a hardware-virtualisation boundary
  • Startup time - a microVM boots in under 125 ms, and a host can launch up to 150 microVMs per second
  • Utilisation (scale and efficiency) - under 5 MiB of memory overhead per microVM

Also has per-device rate limiters (token buckets on bandwidth and operations for network and block devices), so one microVM cannot starve the others sharing a host.

Do you have to use the Kata Containers runtime to run containers on Firecracker? Not necessarily; the direct containerd integration (firecracker-containerd) is still being worked on.

What is the difference between runc, containerd and Docker?
  • runc - the low-level OCI runtime that creates a container from an OCI bundle
  • containerd - the daemon that pulls images, manages snapshots and container lifecycle, and drives runc (or another runtime) through a shim
  • Docker - the CLI and daemon built on top of containerd; Docker images follow the OCI image format (Docker itself is not a format)

Firecracker is an alternative to QEMU, the established general-purpose VMM.

Design Principles

  • Multitenancy - security comes from hardware virtualisation, not from sharing a host kernel between tenants
  • Any vCPU and memory combination
  • Oversubscription permissible
  • Steady mutation rate - can launch 100 microVMs per host per second, 4 microVMs per physical core
  • Host-facing REST API - a microVM is configured and started through a REST API exposed on a Unix socket on the host

Architecture

  • Runs in userspace - each microVM is one Firecracker process on the host, which uses KVM for the actual virtualisation

Bare Metal -> KVM -> Firecracker (userspace)

Customer Code (in container) -> Guest OS (kernel in the microVM) -> Hypervisor (KVM) -> Host OS -> Hardware

A guest OS belongs to a single customer account; the hypervisor and host OS are shared by many customer accounts (multitenancy), so the guest/host boundary is the tenant boundary.

Firecracker sits on the host-OS side of that boundary as an unprivileged userspace process per microVM. In production it is started through the jailer, which confines the process in a chroot, cgroups and namespaces and drops its uid/gid before the guest boots, and Firecracker applies a seccomp filter to itself, so a compromised VMM process has little of the host left to reach.

Firecracker and Containers

  • Management - Deployment and scheduling (Amazon ECS, Amazon EKS)
  • Hosting - Amazon EC2, AWS Fargate
  • Image Registry - you do not want to think about the registry

Fargate - run a container with this much vCPU and this much memory; the customer never sees the host.

Essentially the microVMs can be placed on any bare-metal host, and a single host carries microVMs belonging to different customers, because the virtualisation boundary rather than the host is the tenant boundary.

Firecracker reduces costs for customers because hosts can be packed more densely.

Firecracker and containerd

  • Use containerd to manage containers as Firecracker microVMs
  • Multi-tenant Hosts
  • OCI Image format

Make it work with Kubernetes and Kubernetes distributions like Rancher.

Firecracker integration with open source

Kata Containers

Kata Containers runs each container (pod) inside a lightweight VM and plugs into the existing container tooling through its containerd shim. It can use Firecracker as its VMM instead of QEMU; Firecracker is the lighter of the two.

In k8s you select Kata on Firecracker per pod through a RuntimeClass (the fragment below is the pod-template part of a Deployment spec):

spec:
  template:
    spec:
      runtimeClassName: kata-fc
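A fuller version of that setting, added here as an example (not from the original notes or the Kata project): the RuntimeClass object that `kata-fc` refers to, plus a Deployment whose pods use it. The handler name `kata-fc`, the Deployment name and the image are assumptions; the handler must match the runtime handler registered for the Kata Firecracker shim in containerd's configuration.

```yaml
# Added example: RuntimeClass for Kata Containers on Firecracker and a
# Deployment that opts into it. The handler name is assumed to match the
# runtime registered in containerd for the Kata Firecracker shim.
apiVersion: node.k8s.io/v1
kind: RuntimeClass
metadata:
  name: kata-fc
handler: kata-fc
# Optional: keep these pods on nodes that actually have Kata installed.
scheduling:
  nodeSelector:
    katacontainers.io/kata-runtime: "true"
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: web-kata-fc
spec:
  replicas: 2
  selector:
    matchLabels:
      app: web-kata-fc
  template:
    metadata:
      labels:
        app: web-kata-fc
    spec:
      runtimeClassName: kata-fc   # every pod of this Deployment gets its own microVM
      containers:
        - name: web
          image: nginx:1.25
          ports:
            - containerPort: 80
```

Apply with `kubectl apply -f` and confirm with `kubectl get pod -o jsonpath='{.items[*].spec.runtimeClassName}'`. The caveat worth remembering: pods that omit `runtimeClassName` still run on the host kernel under runc, so the microVM isolation is opt-in per pod, and the node label in the `scheduling` block is an assumed label that the cluster operator has to set on Kata-capable nodes.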

Weave Ignite

  • Open source VMM wrapper with a container-like UX (ignite run / ps / rm)
  • Combines Firecracker microVMs with OCI images as the root filesystem
  • GitOps workflow for VM definitions; handy for spinning up quick test environments in CI

Getting Started with Firecracker

Just as Kubernetes has kubectl, Firecracker has firectl, a CLI that wraps the REST API:

firectl --kernel=hello-vmlinux.bin --root-drive=hello-rootfs.ext4

Other ways to package a workload for Firecracker:

  • UniK - take application source or a container and build it into a unikernel that runs on Firecracker
  • OSv - a unikernel that can boot as a Firecracker guest
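What firectl does under the hood is the host-facing REST API from the design principles above. As an added example (not from the original notes or the Firecracker project), here is that call sequence written out as curl requests on the API socket. It assumes `firecracker` is on PATH and that the kernel and rootfs files named in the firectl command exist in the current directory; the socket path is an assumption too. Set `FC_DRY_RUN=1` to print the requests instead of sending them.

```shell
#!/bin/sh
# Added example, not from the original notes or the Firecracker project: the
# API calls firectl performs, written out as curl requests against the
# host-facing REST API on Firecracker's Unix socket.
# Assumptions: `firecracker` is on PATH, and the kernel and rootfs files named
# below exist in the current directory. FC_DRY_RUN=1 prints the requests
# instead of sending them.

FC_SOCK="${FC_SOCK:-/tmp/firecracker.socket}"
KERNEL="${KERNEL:-hello-vmlinux.bin}"
ROOTFS="${ROOTFS:-hello-rootfs.ext4}"

# JSON bodies for the three resources that must exist before the guest boots.
boot_source_json() {
  printf '{"kernel_image_path":"%s","boot_args":"console=ttyS0 reboot=k panic=1 pci=off"}' "$1"
}

rootfs_drive_json() {
  printf '{"drive_id":"rootfs","path_on_host":"%s","is_root_device":true,"is_read_only":false}' "$1"
}

machine_config_json() {
  printf '{"vcpu_count":%d,"mem_size_mib":%d}' "$1" "$2"
}

# PUT one resource on the API socket. curl --fail turns a 4xx/5xx reply into a
# non-zero exit, so a rejected config stops the sequence instead of being ignored.
fc_put() {
  path="$1"
  body="$2"
  if [ "${FC_DRY_RUN:-0}" = 1 ]; then
    printf 'PUT %s %s\n' "$path" "$body"
    return 0
  fi
  curl --silent --show-error --fail --unix-socket "$FC_SOCK" \
    -X PUT "http://localhost${path}" \
    -H 'Accept: application/json' -H 'Content-Type: application/json' \
    -d "$body"
}

# Order matters: boot source, drives and machine config first, then
# InstanceStart, which locks the configuration and boots the guest.
launch_microvm() {
  fc_put /boot-source    "$(boot_source_json "$KERNEL")" &&
  fc_put /drives/rootfs  "$(rootfs_drive_json "$ROOTFS")" &&
  fc_put /machine-config "$(machine_config_json 1 128)" &&
  fc_put /actions        '{"action_type":"InstanceStart"}'
}

# Stand-alone run: start the VMM, then drive it. Skipped when Firecracker is
# not installed or when only a dry run was requested.
if [ "${FC_DRY_RUN:-0}" != 1 ] && command -v firecracker >/dev/null 2>&1; then
  rm -f "$FC_SOCK"
  firecracker --api-sock "$FC_SOCK" &
  sleep 0.5 # give the API server time to create the socket
  launch_microvm
fi
```

Running the bare `firecracker` binary like this is fine on a workstation; on a shared host the process should be launched through the jailer instead, and the API socket then lives inside the jail's chroot, so `FC_SOCK` has to point there. The guest's console comes out on the terminal that started `firecracker`, which is why the boot args include `console=ttyS0`.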
