Sensing the need to bring virtualization-based security rigor and multitenancy to serverless workloads, Amazon Web Services has released as open source a “micro-VM” ideally suited for serverless environments.
Many serverless workloads are event-driven and often short-lived, and existing virtualization technologies don’t fit easily into this workflow. “We needed something that could give us the hardware virtualization-based security boundaries of virtual machines while maintaining the smaller package size and agility of containers and functions,” wrote AWS’ Technical Evangelist Arun Gupta and AWS serverless product manager Linda Lian in a blog post announcing the release.
AWS has open sourced Firecracker: the foundation for provisioning and running Serverless workloads in a micro virtual machine. Extra dope! https://t.co/UzWepEeJ19
— Kelsey Hightower (@kelseyhightower) November 27, 2018
The company announced the project at its AWS re:Invent user conference, being held this week in Las Vegas.
Built on the Linux Kernel-based Virtual Machine (KVM) and written in Rust, Firecracker provides a way to create micro virtual machines (microVMs) in traditionally non-virtualized environments. The microVMs are created in less than a second and offer the security and workload isolation of traditional VMs as well as the resource efficiency of containers, explained AWS Chief Evangelist Jeff Barr in a post describing the technology in further detail. Firecracker offers a simple guest model, static linking, and a process jail with access to a small, tightly controlled list of system calls.
.@awscloud uses #Firecracker to power #Lambda, where it replaced EC2 to host #serverless compute jobs. With a boot time of .125 microseconds, this runtime can fire up 150 Micro-VMs/sec — Holly Mesrobian #awsreinvent2018 pic.twitter.com/nZk80h2Byr
— The New Stack (@thenewstack) November 29, 2018
Firecracker currently runs on Intel processors, with support for AMD and ARM chips coming in 2019. It can easily run on bare-metal services, including AWS’ own .metal instances. In his post, Barr offers a walk-through of how to run Firecracker on an i3.metal instance. AWS itself uses Firecracker to run containerized workloads for customers of its Fargate service.
AWS has also introduced a prototype, based on containerd, that will allow the micro-VMs to be managed in container services such as the Docker runtime or Kubernetes.
Firecracker is licensed under Apache 2.0.
The New Stack is a wholly owned subsidiary of Insight Partners, an investor in the following companies mentioned in this article: Docker, Hightower.