Intel today announced a new special-purpose Linux hypervisor for cloud native workloads built on the Rust virtual machine manager, or rust-vmm — the open source set of hypervisor components that Amazon’s Firecracker micro virtual machine is built on.
Intel last year began stripping out hundreds of thousands of lines of legacy code from the traditional enterprise hypervisor QEMU, under a project named Nemu. That legacy code was intended to, say, emulate floppy drives or keyboards. Instead, they have focused the new hypervisor on just those components that are useful in the cloud including security, memory safety, thread safety and performance.
“We’ve realized there are a lot of things getting used in cloud software that really need modernization,” Imad Sousou, vice president of the software and services group at Intel, said. “We’re just reusing what was being used for enterprise into cloud and edge and that might not necessarily be the right thing.”
A Modern, Secure Hypervisor
Removing the heavy, desktop- and server-oriented emulation components of Linux — roughly 80 percent of the original QEMU code, Sousou estimates — cuts virtual machine boot time significantly. The result is VMs that behave more like containers: they spin up faster and run with less overhead, but retain the process isolation that makes them more secure than containers.
Granted, not everyone needs that level of security, Sousou said. For most workloads, containers are secure enough. However, in some specialized industries or enterprises, only VMs can offer the level of isolation needed to meet strict security and compliance requirements. The problem is that VMs take too much time to load and, because of legacy code designed for physical computing, can be much less efficient and far costlier to run at scale.
Improving container security with virtualization is a problem Intel has been working to solve for many years. So far, its efforts to make containers more secure have resulted in the creation of Kata Containers, which essentially wraps each container in a VM to achieve that process isolation. Now Intel is going back to the root of the problem, Sousou said: the hypervisor itself.
The rust-vmm project is part of a larger effort by Intel to work with its ecosystem partners on a number of software projects that help ensure their infrastructure runs well on top of Intel hardware.
Nemu laid the foundation for rust-vmm, which has since attracted contributions from Alibaba, Amazon, Google and Red Hat. Amazon has contributed parts of Firecracker to the project and Google has contributed CrosVM, a VMM for Chrome OS.
“All of us have an interest in having a secure hypervisor that’s suitable for modern usages,” Sousou said.
Rust-vmm is the Yocto of Virtualization
The rust-vmm project is a collection of components from which cloud providers can assemble their own special-purpose hypervisors. Amazon, for example, can use the components to run FaaS in VMs with its own open source Firecracker project, a technology that analyst Janakiram MSV writes, “has the potential to disrupt the current container and serverless technologies.”
In this respect, rust-vmm is similar to Intel’s Yocto Project for embedded Linux. With Yocto, users can pick and choose the operating system components most useful to them and discard the rest, creating a performant, custom embedded Linux distribution without building it from scratch every time. With rust-vmm, users can likewise pick and choose the virtualization components they need, such as KVM API wrappers, Virtio-based device models and virtual machine memory libraries.
Intel is taking this modular approach to architecture and open source projects in other areas of the software stack as well, including cloud, edge and artificial intelligence workloads.
Intel has developed a completely new architecture for BIOS, for example, reducing legacy code to make it more suitable for cloud, edge and AI. The project will also work on changing operating systems to take over functionality traditionally handled by the BIOS, Sousou said. “This is an entire system that can get fired up in milliseconds, and be much more secure, runs virtualization and can partition itself better.”
Red Hat OpenShift is a sponsor of The New Stack.