As any technologist understands, the cloud industry has been evolving rapidly in recent years, with new technologies and architectures emerging every few years. One of the most promising of these (and one I have been introduced to only in the last few years) is Firecracker and its MicroVMs. Services such as AWS Fargate are poised to change the way we think about cloud computing and the serverless model they let us use at the compute layer. In this blog post, we’ll take a closer look at what Firecracker and MicroVMs are and why they’re important.
So what are MicroVMs?
MicroVMs are small, secure, and fast virtual machines that are designed to run a single process or application. Unlike traditional VMs, which run an entire operating system, MicroVMs only run the necessary components for a specific workload. This results in a smaller footprint, faster start times, and improved security – all of which are distinct improvements over traditional VMs.
Firecracker is an open source virtual machine monitor (VMM) that uses the Linux Kernel-based Virtual Machine (KVM) to create micro Virtual Machines, or microVMs. The fundamental design of Firecracker is minimalist and purposefully streamlined to include only those components that are necessary for running secure and lightweight VMs. Throughout the development process, AWS and the community have taken great care to optimize Firecracker for security, speed, and efficiency. As an example, Firecracker can boot relatively recent Linux kernels only when they have been compiled with a specific set of configuration options; that set consists of over 1000 kernel compile config options.
What is Firecracker?
Firecracker is an open-source virtualization technology that enables the creation of secure, multi-tenant, and low-footprint virtual machines (VMs) called MicroVMs. Developed by Amazon Web Services (AWS), Firecracker is designed to run containerized workloads at scale and provides the benefits of both containers and traditional VMs. Firecracker uses the Linux Kernel-based Virtual Machine (KVM) to generate microVMs, and it operates in user space. Thanks to the low memory overhead and rapid startup time of each microVM, it’s possible to host thousands of them on the same machine. This makes it possible to encapsulate every function, container, or container group within a virtual machine barrier, allowing workloads from multiple customers to run on the same machine without compromising either security or efficiency.
The guiding principles for the open source project at https://firecracker-microvm.github.io/ were established by AWS during the development of Firecracker. These principles are as follows:
Built-In Security: Firecracker is designed to erect security barriers that enable multi-tenant workloads, while preventing end users from inadvertently disabling them. It simultaneously protects customer workloads against malicious attacks while treating them as sacred and unalterable.
Light-Weight Virtualization: Firecracker prioritizes transient or stateless workloads over long-running or persistent workloads. The hardware resource overhead for Firecracker is known and guaranteed.
Minimalist in Features: Firecracker is built to include only those features required to accomplish its mission. The project maintains a single implementation per capability.
Compute Oversubscription: Firecracker exposes all of its hardware compute resources to guests, which can be securely oversubscribed.
Benefits of Firecracker and MicroVMs
MicroVMs offer several advantages over traditional VMs, including improved security, cost-effectiveness, scalability, and performance.
One key benefit of MicroVMs is their isolation, which makes it more challenging for attackers to exploit vulnerabilities or steal data. Firecracker includes built-in security features, such as network isolation, that provide additional protection against cyber attacks.
Because they are smaller and faster than traditional VMs, MicroVMs use fewer resources, which makes them more cost-effective to run. Additionally, Firecracker enables the creation of thousands of MicroVMs on a single host, which makes it easy to scale applications and workloads as needed.
MicroVMs start quickly and run efficiently, making them ideal for running cloud-native applications and services. With their improved performance compared to traditional VMs, MicroVMs can help deliver high-performing applications.
How Firecracker and MicroVMs Work
Traditional VMs have some limitations when they run workloads like containers or even smaller serverless functions. They are large and resource-intensive virtual constructs that can take several minutes to deploy. In addition, most servers can only host a handful of VMs due to their high resource requirements. Since each VM needs its own OS, it can lead to unnecessary duplication of resources, making VMs costly to deploy.
Illustration: Firecracker runs in the user space and uses the Linux Kernel-based Virtual Machine (KVM) to create microVMs (source: https://firecracker-microvm.github.io/)
As shown above, Firecracker uses a lightweight virtualization layer to create and run MicroVMs on a host. Each MicroVM runs its own instance of a guest operating system, which is isolated from other MicroVMs on the same host. Firecracker provides network isolation, which enables MicroVMs to communicate with each other and with external resources while preventing unauthorized access. In a certain sense, MicroVMs offer the benefits of a hybrid model. In a MicroVM environment, standard server hardware runs a host OS, such as Linux, that provides the KVM needed for MicroVMs. A MicroVM engine, such as Firecracker, then runs on top of the host OS, serving as the hypervisor that provides the API, network, storage, and management tools required to operate each MicroVM. Once the MicroVM engine is up and running, it creates fully isolated virtual instances that can host a guest OS and container-type workloads. These instances are small and isolated, and administrators can generate them quickly and in large numbers.
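The API, network and storage plumbing described above is what an operator actually touches when bringing up a microVM: Firecracker exposes a REST API on a Unix socket, and each resource (CPU/memory limits, kernel, root disk, network interface) is configured with one PUT before the instance is started. The script below is an added example, not code from the Firecracker project or from this post. The socket path, kernel and rootfs image paths, the tap device name and the guest MAC are assumptions; it defaults to a dry run that prints each request, and only talks to a real VMM when DRY_RUN=0.

```shell
#!/usr/bin/env bash
# Added example (not from the Firecracker project): assemble and boot one
# microVM through the Firecracker REST API on its Unix socket.
# All paths and device names below are assumptions for illustration.
set -e

FC_SOCKET="${FC_SOCKET:-/tmp/firecracker.socket}"   # assumed socket path
KERNEL="${KERNEL:-./vmlinux}"                          # assumed guest kernel image
ROOTFS="${ROOTFS:-./rootfs.ext4}"                      # assumed guest root filesystem
TAP_DEV="${TAP_DEV:-tap0}"                             # assumed host-side tap device
DRY_RUN="${DRY_RUN:-1}"   # 1 = print requests only; 0 = send them to the VMM

# Each helper returns the JSON body for one API resource.

# machine_config_json VCPUS MEM_MIB: hard cap on what the guest may consume.
machine_config_json() {
  printf '{"vcpu_count": %d, "mem_size_mib": %d}' "$1" "$2"
}

# boot_source_json KERNEL_PATH: serial console only, no PCI bus in the guest.
boot_source_json() {
  printf '{"kernel_image_path": "%s", "boot_args": "console=ttyS0 reboot=k panic=1 pci=off"}' "$1"
}

# drive_json ID HOST_PATH READ_ONLY: a read-only root disk means a compromised
# guest cannot persist changes to the image shared with other microVMs.
drive_json() {
  printf '{"drive_id": "%s", "path_on_host": "%s", "is_root_device": true, "is_read_only": %s}' "$1" "$2" "$3"
}

# net_json IFACE HOST_TAP GUEST_MAC: guest traffic leaves through a host tap
# device, so host firewall rules decide what the guest may reach.
net_json() {
  printf '{"iface_id": "%s", "host_dev_name": "%s", "guest_mac": "%s"}' "$1" "$2" "$3"
}

# fc_put PATH JSON: PUT one resource on the VMM socket, or print it in dry-run mode.
fc_put() {
  path="$1"
  body="$2"
  if [ "$DRY_RUN" = "1" ]; then
    printf 'PUT %s\n  %s\n' "$path" "$body"
    return 0
  fi
  curl --silent --show-error --fail --unix-socket "$FC_SOCKET" \
       -X PUT "http://localhost${path}" \
       -H 'Accept: application/json' -H 'Content-Type: application/json' \
       -d "$body"
}

# Configure the resources in order, then start the instance.
launch_microvm() {
  fc_put /machine-config          "$(machine_config_json 2 512)"
  fc_put /boot-source             "$(boot_source_json "$KERNEL")"
  fc_put /drives/rootfs           "$(drive_json rootfs "$ROOTFS" true)"
  fc_put /network-interfaces/eth0 "$(net_json eth0 "$TAP_DEV" AA:FC:00:00:00:01)"
  fc_put /actions                 '{"action_type": "InstanceStart"}'
}

launch_microvm
```

Run it as-is to see the five requests; with DRY_RUN=0 and a firecracker process listening on FC_SOCKET it boots the guest. In production the firecracker binary is normally started through the project's jailer, which chroots it and drops it to an unprivileged uid and gid before the API is ever reachable; this example talks to the socket directly and leaves that step out.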
Conclusion
Firecracker is the driving force behind the AWS Lambda service, which currently serves hundreds of thousands of AWS customers and handles trillions of requests every month. That alone describes the incredible power of the above model. The next blog will discuss AWS Fargate – a container management service that uses Firecracker microVMs and allows developers to run their containers on the AWS platform without having to manage the underlying servers.