AWS Firecracker: A Micro-VM for Serverless Deployments

27 Nov 2018 11:54am, by

Sensing the need to bring virtualization-based security rigor and multitenancy to serverless workloads, Amazon Web Services has released as open source a “micro-VM” ideally suited for serverless environments.

Many serverless workloads are event-driven and often short-lived, and existing virtualization technologies don’t fit easily into this workflow. “We needed something that could give us the hardware virtualization-based security boundaries of virtual machines while maintaining the smaller package size and agility of containers and functions,” wrote AWS’ Technical Evangelist Arun Gupta and AWS serverless product manager Linda Lian, in a blog post announcing the release.

The company announced the project at its AWS re:Invent user conference, being held this week in Las Vegas.

Built on the Linux Kernel-based Virtual Machine (KVM) and written in Rust, Firecracker provides a way to create micro virtual machines (microVMs) in traditionally non-virtualized environments. The microVMs are created in less than a second and provide the security and workload isolation of traditional VMs together with the resource efficiency of containers, explained AWS Chief Evangelist Jeff Barr in a post describing the technology in further detail. Firecracker offers a simple guest model, static linking, and a process jail with access to a small, tightly controlled list of system calls.

Firecracker currently runs on Intel processors, with support for AMD and ARM chips coming in 2019. It can easily run on bare-metal services, including AWS’ own .metal instances. In his post, Barr offers a walk-through of how to run Firecracker on an i3.metal instance. AWS itself uses Firecracker to run containerized workloads for customers of its Fargate service.
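As an added illustration (not code from this article, from Barr's walk-through, or from the Firecracker project itself), the sequence a host-side process issues over Firecracker's Unix-socket REST API to configure and boot a single microVM: set the boot source, attach a root drive, then start the instance. The socket path, kernel image and rootfs paths are assumptions; the endpoints and a read-only root drive follow the project's published getting-started flow.

```python
import http.client
import json
import socket

# Assumed host-side paths; adjust to your environment.
API_SOCKET = "/tmp/firecracker.socket"
KERNEL = "./hello-vmlinux.bin"
ROOTFS = "./hello-rootfs.ext4"


class FirecrackerConnection(http.client.HTTPConnection):
    """HTTP/1.1 client bound to Firecracker's Unix-domain API socket."""
    def __init__(self, socket_path):
        super().__init__("localhost")
        self.socket_path = socket_path

    def connect(self):
        self.sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        self.sock.connect(self.socket_path)


def microvm_plan(kernel, rootfs, read_only_rootfs=True):
    """Ordered API calls to boot one microVM: boot source, root drive, start.
    Leaving /machine-config unset keeps Firecracker's defaults (1 vCPU, 128 MiB)."""
    return [
        ("PUT", "/boot-source", {
            "kernel_image_path": kernel,
            # Serial console only and no PCI bus: a minimal guest device surface.
            "boot_args": "console=ttyS0 reboot=k panic=1 pci=off",
        }),
        ("PUT", "/drives/rootfs", {
            "drive_id": "rootfs",
            "path_on_host": rootfs,
            "is_root_device": True,
            "is_read_only": read_only_rootfs,  # guest cannot alter its own root image
        }),
        ("PUT", "/actions", {"action_type": "InstanceStart"}),
    ]


def apply_plan(conn, plan):
    """Send each call in order; Firecracker answers 204 No Content on success."""
    headers = {"Accept": "application/json", "Content-Type": "application/json"}
    for method, path, body in plan:
        conn.request(method, path, body=json.dumps(body), headers=headers)
        resp = conn.getresponse()
        payload = resp.read()
        if resp.status != 204:
            raise RuntimeError(f"{method} {path} failed: {resp.status} {payload!r}")
    return len(plan)


if __name__ == "__main__":
    apply_plan(FirecrackerConnection(API_SOCKET), microvm_plan(KERNEL, ROOTFS))
```

Run it on the host after starting the `firecracker` binary with `--api-sock` pointing at the same socket path; the guest's console appears on the Firecracker process's stdout.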

AWS has also introduced a prototype, based on containerd, that will allow the micro-VMs to be managed in container services such as the Docker runtime or Kubernetes.

Firecracker is licensed under Apache 2.0.


The New Stack is a wholly owned subsidiary of Insight Partners, an investor in the following companies mentioned in this article: Docker, Hightower.