AWS Firecracker: 10 things every tech pro should know

AWS Firecracker is tiny, efficient, fast, and might redefine the virtual machine. Here's what you need to know about this AWS product.


Cloud-based virtual computing has been the go-to for years, and AWS has been the reigning champion for most of that time. AWS has noticed that modern serverless cloud computing users focus on two things: containers and functions. In other words, many small, isolated virtual machines (VMs).

Enter Firecracker, the latest VM product from Amazon Web Services. Firecracker, in the words of AWS Chief Evangelist Jeff Barr, is "what a virtual machine would look like if it was designed for today's world of containers and functions."

Firecracker is a very different kind of product—it acts like a combination of a VM and a container. Here are 10 things tech pros should know about AWS Firecracker.


1. AWS Firecracker is a Kernel-based Virtual Machine

Also known (a bit confusingly) as KVM, Kernel-based Virtual Machines run on the Linux kernel and treat the kernel as their hypervisor. Many can run at once, and, like typical VMs, each has its own virtualized hardware.

AWS calls each instance of Firecracker a "microVM."

2. AWS designed Firecracker to be secure

Firecracker is built with multiple layers of security, including the following:

  • A simple guest model that allows Firecracker users access to minimal elements of the KVM: "a network device, a block I/O device, a Programmable Interval Timer, the KVM clock, a serial console, and a partial keyboard (just enough to allow the VM to be reset)."
  • The Firecracker process is jailed with seccomp BPF filters and control groups (cgroups), so it can only make a limited list of system calls.
  • The Firecracker process is statically linked, which means every library it needs is built into its executable rather than loaded from the host at run time. That makes new Firecracker environments safer by removing the dependency on outside libraries.
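As an added host-side check (not code from the article or the Firecracker project), the following Python audits whether a running Firecracker process actually shows the three properties listed above: seccomp filter mode read from /proc/<pid>/status, membership of a cgroup whose path contains the jail id (an assumption about the jailer's cgroup layout), and the absence of a PT_INTERP program header in the binary, which is what "statically linked" means at the ELF level. The /proc text and the ELF image below are constructed samples.

```python
import struct

PT_INTERP = 3  # program-header type naming the dynamic loader; absent in static binaries

def seccomp_mode(status_text: str) -> int:
    """Parse the 'Seccomp:' field of /proc/<pid>/status (0 = off, 1 = strict, 2 = filter/BPF)."""
    for line in status_text.splitlines():
        if line.startswith("Seccomp:"):
            return int(line.split()[1])
    return 0

def cgroup_paths(cgroup_text: str) -> list:
    """Return the cgroup paths from /proc/<pid>/cgroup lines ('<hierarchy>:<controllers>:<path>')."""
    return [line.split(":", 2)[2] for line in cgroup_text.splitlines() if line.count(":") >= 2]

def is_statically_linked(elf: bytes) -> bool:
    """True if a little-endian ELF64 image has no PT_INTERP header (no dynamic loader needed)."""
    if elf[:4] != b"\x7fELF" or elf[4] != 2 or elf[5] != 1:
        raise ValueError("not a little-endian ELF64 image")
    (e_phoff,) = struct.unpack_from("<Q", elf, 32)
    e_phentsize, e_phnum = struct.unpack_from("<HH", elf, 54)
    for i in range(e_phnum):
        (p_type,) = struct.unpack_from("<I", elf, e_phoff + i * e_phentsize)
        if p_type == PT_INTERP:
            return False
    return True

def audit(status_text: str, cgroup_text: str, elf: bytes, jail_id: str) -> dict:
    """Combine the three checks; jail_id appearing in the cgroup path is an assumed layout."""
    return {
        "seccomp_filter": seccomp_mode(status_text) == 2,
        "in_jail_cgroup": any(jail_id in p for p in cgroup_paths(cgroup_text)),
        "static_binary": is_statically_linked(elf),
    }

def make_elf(p_types) -> bytes:
    """Constructed minimal ELF64 (header + program headers only), used as sample input."""
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)
    hdr = ident + struct.pack("<HHIQQQIHHHHHH", 2, 62, 1, 0, 64, 0, 0, 64, 56, len(p_types), 64, 0, 0)
    return hdr + b"".join(struct.pack("<IIQQQQQQ", t, 0, 0, 0, 0, 0, 0, 0) for t in p_types)

# Constructed samples standing in for /proc/<pid>/status and /proc/<pid>/cgroup of a jailed process.
SAMPLE_STATUS = "Name:\tfirecracker\nPid:\t4242\nSeccomp:\t2\nSeccomp_filters:\t1\n"
SAMPLE_CGROUP = "0::/firecracker/vm-demo-01\n"

if __name__ == "__main__":
    # On a real host, read the two /proc files and the binary on disk instead of the samples.
    print(audit(SAMPLE_STATUS, SAMPLE_CGROUP, make_elf([1, 1]), "vm-demo-01"))
```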

3. AWS Firecracker VMs have an incredibly small footprint

Each Firecracker microVM only uses about 5 MiB, or roughly 5.24 MB, of memory. According to AWS, that means thousands of Firecracker microVMs can be run on a single virtual CPU.

AWS users who want to deploy Firecracker in their own AWS instances won't have to worry about using much processing power, even with lots of Firecracker VMs running.

4. AWS Firecracker is a fast, high-performance system designed for short-lived tasks

AWS sees Firecracker as the next generation of event-driven computing. Its quick-launch, minimal-resource design is built for short computations that need a container-like microVM to spin up, execute, and spin down to wait for the next task.

A single Firecracker microVM can be launched in 125 ms, and AWS said that launch times should get even shorter in 2019. You'd be hard-pressed to find something faster.

5. AWS Firecracker is very stripped down

As mentioned in the security section of this article, Firecracker microVMs don't contain much. You'll only find Virtio network drivers, Virtio block drivers, a Programmable Interval Timer, the KVM clock, a serial console, and a single-button keyboard.

Firecracker isn't a complete device model and has no emulated BIOS, so it gives potential attackers very little to work with. Its lack of features also makes it incredibly fast.

6. AWS Firecracker doesn't support Kubernetes, Docker, or non-Intel chips

As The Register points out, Firecracker has a few shortcomings, especially for those using AMD or ARM systems: Firecracker doesn't yet support either of those chipsets, though AWS has said support for both is coming in 2019.

Neither Kubernetes nor Docker is supported either, but AWS is working on something similar: Its "containerd" container runtime has prototype code that lets it manage containers as Firecracker microVMs. The Register said that, with further work, Docker and Kubernetes support may emerge.

7. Amazon is already using Firecracker

Those concerned about the practicality, stability, or usability of Firecracker need not worry: Amazon is already using it in places you're likely familiar with, AWS Lambda and AWS Fargate.

In Lambda, Firecracker is used to provision and run sandboxes where Lambda functions are executed, which AWS said makes Lambda faster and more secure.

In Fargate, Firecracker has actually replaced AWS EC2 as the dedicated environment for executing Fargate tasks. Now all of those Fargate instances run inside dedicated Firecracker microVMs.

8. AWS Firecracker is open source

Those interested in being part of the development process of AWS Firecracker are in luck: It's open source, available on GitHub, and ready for contribution.

AWS said it's "ready to review and accept pull requests, and look forward to collaborating with contributors from all over the world." Not only that, but organizations that want to build custom Firecracker deployments can start today as well.

9. You can run AWS Firecracker on a local machine

Firecracker is designed to run on AWS .metal instances, as well as on any bare-metal servers.

Running AWS Firecracker in the cloud isn't required—it can run on on-premises servers and even on developer laptops.

10. You can learn to get started with AWS Firecracker on GitHub

The Firecracker GitHub repository has a thorough getting started page that includes Firecracker prerequisites, how to get the Firecracker binary, how to run it, how to build it from source, and more.


By Brandon Vigliarolo

Brandon writes about apps and software for TechRepublic. He's an award-winning feature writer who previously worked as an IT professional and served as an MP in the US Army.