
firecracker-microvm / Firecracker

Licence: apache-2.0
Secure and fast microVMs for serverless computing.

Programming Languages

rust
11053 projects
python
139335 projects - #7 most used programming language
shell
77523 projects

Projects that are alternatives of or similar to Firecracker

Ops
ops - build and run nanos unikernels
Stars: ✭ 552 (-96.72%)
Mutual labels:  serverless, sandbox, minimalist, virtualization
Wasm3
🚀 The fastest WebAssembly interpreter, and the most universal runtime
Stars: ✭ 4,375 (-74%)
Mutual labels:  serverless, sandbox, containers, virtual-machine
Cc Oci Runtime
OCI (Open Containers Initiative) compatible runtime for Intel® Architecture
Stars: ✭ 418 (-97.52%)
Mutual labels:  containers, virtual-machine, virtualization
Core
Eru, a simple, stateless, flexible, production-ready orchestrator designed to easily integrate into existing workflows. Can run any virtualization things in long or short time.
Stars: ✭ 147 (-99.13%)
Mutual labels:  containers, virtual-machine, virtualization
Runtime
Kata Containers version 1.x runtime (for version 2.x see https://github.com/kata-containers/kata-containers).
Stars: ✭ 2,103 (-87.5%)
Mutual labels:  containers, virtual-machine, virtualization
Kata Containers
Kata Containers version 2.x repository. Kata Containers is an open source project and community working to build a standard implementation of lightweight Virtual Machines (VMs) that feel and perform like containers, but provide the workload isolation and security advantages of VMs. https://katacontainers.io/
Stars: ✭ 1,053 (-93.74%)
Mutual labels:  containers, virtual-machine, virtualization
Runtime
OCI (Open Containers Initiative) compatible runtime using Virtual Machines
Stars: ✭ 588 (-96.51%)
Mutual labels:  containers, virtual-machine, virtualization
Joe
Run a Java program without an operating system by building the OS into the Java program
Stars: ✭ 76 (-99.55%)
Mutual labels:  serverless, virtual-machine, virtualization
Vic Product
vSphere Integrated Containers enables VMware customers to deliver a production-ready container solution to their developers and DevOps teams.
Stars: ✭ 143 (-99.15%)
Mutual labels:  containers, virtualization
Gvisor
Application Kernel for Containers
Stars: ✭ 12,012 (-28.61%)
Mutual labels:  sandbox, containers
Terrahub
Terraform Automation and Orchestration Tool (Open Source)
Stars: ✭ 148 (-99.12%)
Mutual labels:  serverless, containers
Maruos
Your phone is your PC.
Stars: ✭ 1,814 (-89.22%)
Mutual labels:  containers, virtualization
Pafish
Pafish is a testing tool that uses different techniques to detect virtual machines and malware analysis environments in the same way that malware families do
Stars: ✭ 2,026 (-87.96%)
Mutual labels:  sandbox, virtual-machine
Dapr
Dapr is a portable, event-driven, runtime for building distributed applications across cloud and edge.
Stars: ✭ 16,274 (-3.28%)
Mutual labels:  serverless, containers
Asm
Assembly Tutorial for DOS
Stars: ✭ 125 (-99.26%)
Mutual labels:  virtual-machine, virtualization
Xs Vm
eXtremely small virtual machine -- for educational purposes :)
Stars: ✭ 155 (-99.08%)
Mutual labels:  virtual-machine, virtualization
Vorteil
turn your applications and containers into micro virtual machines
Stars: ✭ 120 (-99.29%)
Mutual labels:  containers, virtual-machine
Containers
Lightweight containers using Linux user namespaces
Stars: ✭ 153 (-99.09%)
Mutual labels:  containers, virtualization
Knctl
Knative CLI
Stars: ✭ 163 (-99.03%)
Mutual labels:  serverless, containers
Image Bootstrap
⛅️ Creates (chroots and) bootable virtual machine images; command line tool (Python 3)
Stars: ✭ 178 (-98.94%)
Mutual labels:  virtual-machine, virtualization


Our mission is to enable secure, multi-tenant, minimal-overhead execution of container and function workloads.

Read more about the Firecracker Charter here.

What is Firecracker?

Firecracker is an open source virtualization technology that is purpose-built for creating and managing secure, multi-tenant container and function-based services that provide serverless operational models. Firecracker runs workloads in lightweight virtual machines, called microVMs, which combine the security and isolation properties provided by hardware virtualization technology with the speed and flexibility of containers.

Overview

The main component of Firecracker is a virtual machine monitor (VMM) that uses the Linux Kernel Virtual Machine (KVM) to create and run microVMs. Firecracker has a minimalist design. It excludes unnecessary devices and guest-facing functionality to reduce the memory footprint and attack surface area of each microVM. This improves security, decreases the startup time, and increases hardware utilization. Firecracker has also been integrated in container runtimes, for example Kata Containers and Weaveworks Ignite.

Firecracker was developed at Amazon Web Services to accelerate the speed and efficiency of services like AWS Lambda and AWS Fargate. Firecracker is open sourced under Apache version 2.0.

To read more about Firecracker, check out firecracker-microvm.io.

Getting Started

To get started with Firecracker, download the latest release binaries or build it from source.

You can build Firecracker on any Unix/Linux system that has Docker running (we use a development container) and bash installed, as follows:

git clone https://github.com/firecracker-microvm/firecracker
cd firecracker
tools/devtool build
toolchain="$(uname -m)-unknown-linux-musl"

The Firecracker binary will be placed at build/cargo_target/${toolchain}/debug/firecracker. For more information on building, testing, and running Firecracker, go to the quickstart guide.

The overall security of Firecracker microVMs, including the ability to meet the criteria for safe multi-tenant computing, depends on a well configured Linux host operating system. A configuration that we believe meets this bar is included in the production host setup document.

Contributing

Firecracker is already running production workloads within AWS, but it's still Day 1 on the journey guided by our mission. There's a lot more to build and we welcome all contributions.

To contribute to Firecracker, check out the development setup section in the getting started guide and then the Firecracker contribution guidelines.

Releases

New Firecracker versions are released via the GitHub repository releases page, typically every two or three months. A history of changes is recorded in our changelog.

The Firecracker release policy is detailed here.

Design

Firecracker's overall architecture is described in the design document.

Features & Capabilities

Firecracker consists of a single micro Virtual Machine Manager process that exposes an API endpoint to the host once started. The API is specified in OpenAPI format. Read more about it in the API docs.

The API endpoint can be used to:

  • Configure the microVM by:
    • Setting the number of vCPUs (the default is 1).
    • Setting the memory size (the default is 128 MiB).
    • [x86_64 only] Choosing a CPU template (currently, C3 and T2 are available).
  • Add one or more network interfaces to the microVM.
  • Add one or more read-write or read-only disks to the microVM, each represented by a file-backed block device.
  • Trigger a block device re-scan while the guest is running. This enables the guest OS to pick up size changes to the block device's backing file.
  • Change the backing file for a block device, before or after the guest boots.
  • Configure rate limiters for virtio devices which can limit the bandwidth, operations per second, or both.
  • Configure the logging and metric system.
  • [BETA] Configure the data tree of the guest-facing metadata service. The service is only available to the guest if this resource is configured.
  • Add a vsock socket to the microVM.
  • Start the microVM using a given kernel image, root file system, and boot arguments.
  • [x86_64 only] Stop the microVM.

Built-in Capabilities:

  • Demand fault paging and CPU oversubscription enabled by default.
  • Advanced, thread-specific seccomp filters for enhanced security.
  • Jailer process for starting Firecracker in production scenarios; applies a cgroup/namespace isolation barrier and then drops privileges.
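The API walk-through below is an added example, not part of the Firecracker README and not the project's own tooling. It drives the resources listed above (machine config, boot source, a rate-limited drive, the start action) through the API socket with curl, and builds the jailer launch line that the second list refers to. Everything marked as an assumption is not from the page: the socket path, the placeholder kernel and rootfs paths, the uid/gid values, the rate-limiter numbers, and the FC_DRY_RUN switch, which only exists so the request sequence can be inspected without a running Firecracker.

```shell
#!/bin/sh
# Added example (not from the Firecracker README): configure and boot a microVM
# through the Firecracker API socket with curl, and build the jailer launch line.
# Assumptions (labelled, not from the page):
#   - an unjailed dev instance was started as: firecracker --api-sock "$FC_SOCK"
#   - under the jailer the socket lives inside the jail chroot instead
#   - kernel/rootfs paths, uid/gid and rate-limiter figures are placeholders
set -eu

FC_SOCK="${FC_SOCK:-/tmp/firecracker.socket}"   # assumption: socket path
KERNEL="${KERNEL:-/path/to/vmlinux}"            # placeholder
ROOTFS="${ROOTFS:-/path/to/rootfs.ext4}"        # placeholder
FC_DRY_RUN="${FC_DRY_RUN:-0}"                   # 1 = print requests instead of sending

# --- JSON bodies for the API resources listed in the README ------------------
machine_config_body() {            # $1 = vCPU count, $2 = memory in MiB
  printf '{"vcpu_count": %d, "mem_size_mib": %d}' "$1" "$2"
}
boot_source_body() {               # $1 = kernel path, $2 = kernel boot args
  printf '{"kernel_image_path": "%s", "boot_args": "%s"}' "$1" "$2"
}
# Token bucket: "size" units are refilled every "refill_time" ms
# (bandwidth bucket counts bytes, ops bucket counts operations).
rate_limiter_body() {              # $1 = bytes per second, $2 = ops per second
  printf '{"bandwidth": {"size": %d, "refill_time": 1000}, "ops": {"size": %d, "refill_time": 1000}}' "$1" "$2"
}
drive_body() {                     # $1 = id, $2 = host file, $3 = is_root, $4 = read_only, [$5 = rate limiter JSON]
  if [ -n "${5:-}" ]; then
    printf '{"drive_id": "%s", "path_on_host": "%s", "is_root_device": %s, "is_read_only": %s, "rate_limiter": %s}' "$1" "$2" "$3" "$4" "$5"
  else
    printf '{"drive_id": "%s", "path_on_host": "%s", "is_root_device": %s, "is_read_only": %s}' "$1" "$2" "$3" "$4"
  fi
}
action_body() {                    # $1 = InstanceStart | BlockDeviceRescan | SendCtrlAltDel
  printf '{"action_type": "%s"}' "$1"
}

# fc_api METHOD PATH [BODY]: one request over the Unix socket; dry-run prints it.
fc_api() {
  if [ "$FC_DRY_RUN" = "1" ]; then
    printf '%s %s %s\n' "$1" "$2" "${3:-}"
    return 0
  fi
  if [ -n "${3:-}" ]; then
    curl --silent --show-error --fail --unix-socket "$FC_SOCK" -X "$1" "http://localhost$2" \
      -H 'Accept: application/json' -H 'Content-Type: application/json' --data "$3"
  else
    curl --silent --show-error --fail --unix-socket "$FC_SOCK" -X "$1" "http://localhost$2" \
      -H 'Accept: application/json'
  fi
}

# Resources must be configured before InstanceStart; the order below respects that.
configure_and_boot() {
  fc_api PUT /machine-config "$(machine_config_body 2 256)"
  fc_api PUT /boot-source "$(boot_source_body "$KERNEL" "console=ttyS0 reboot=k panic=1 pci=off")"
  # Read-only root disk capped at 10 MiB/s and 500 IOPS (assumed figures), so one
  # tenant's guest cannot monopolise the host's storage bandwidth.
  fc_api PUT /drives/rootfs "$(drive_body rootfs "$ROOTFS" true true "$(rate_limiter_body 10485760 500)")"
  fc_api PUT /actions "$(action_body InstanceStart)"
}

# Production launch: the jailer sets up cgroup/namespace isolation, drops to the
# given uid/gid and only then execs Firecracker. Returned as a string for review;
# the API socket is then reached through the jail's chroot, not $FC_SOCK.
jailer_cmdline() {                 # $1 = VM id, $2 = uid, $3 = gid, $4 = firecracker binary
  printf 'jailer --id %s --uid %d --gid %d --exec-file %s -- --api-sock /run/firecracker.socket' "$1" "$2" "$3" "$4"
}

# Only talk to the socket when it exists (or when just printing the plan).
if [ "$FC_DRY_RUN" = "1" ] || [ -S "$FC_SOCK" ]; then
  configure_and_boot
fi
```

Run with FC_DRY_RUN=1 to review the request sequence before pointing it at a live socket; with a jailed instance, set FC_SOCK to the socket path inside the jail's chroot rather than the unjailed default. Keeping the JSON bodies in small functions makes the request plan testable on its own and keeps the rate limiter and read-only flags visible at the call site rather than buried in a JSON file.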

Supported platforms

We continuously test Firecracker on machines with the following CPU micro-architectures: Intel Skylake, Intel Cascade Lake, AMD Zen2 and ARM64 Neoverse N1.

Firecracker is generally available on Intel x86_64, AMD x86_64 and ARM64 CPUs (starting from release v0.24) that offer hardware virtualization support and were released in 2015 or later. All production use cases should follow these production host setup instructions.

Firecracker may work on other x86 and Arm 64-bit CPUs with support for hardware virtualization, but any such platform is currently not supported and not fit for production. If you want to run Firecracker on such platforms, please open a feature request.

Firecracker currently only supports little-endian platforms, which includes x86_64 and many aarch64 CPUs. Other systems and architectures may not provide a little-endian mode, and Firecracker may not work correctly on such systems.

Known issues and Limitations

  • The SendCtrlAltDel API request is not supported for aarch64 enabled microVMs.
  • Configuring CPU templates is only supported for Intel enabled microVMs.

Performance

Firecracker's performance characteristics are listed as part of the specification documentation. All specifications are a part of our commitment to supporting container and function workloads in serverless operational models, and are therefore enforced via continuous integration testing.

Policy for Security Disclosures

The security of Firecracker is our top priority. If you suspect you have uncovered a vulnerability, contact us privately, as outlined in our security policy document; we will immediately prioritize your disclosure.

FAQ & Contact

Frequently asked questions are collected in our FAQ doc.

You can get in touch with the Firecracker community in the following ways:

When communicating within the Firecracker community, please mind our code of conduct.
