Convert Figma logo to code with AI

firecracker-microvm logofirecracker

Secure and fast microVMs for serverless computing.

25,056
1,751
25,056
108

Top Related Projects

Kata Containers is an open source project and community working to build a standard implementation of lightweight Virtual Machines (VMs) that feel and perform like containers, but provide the workload isolation and security advantages of VMs. https://katacontainers.io/

A Virtual Machine Monitor for modern Cloud workloads. Features include CPU, memory and device hotplug, support for running Windows and Linux guests, device offload with vhost-user and a minimal compact footprint. Written in Rust with a strong focus on security.

15,712

Application Kernel for Containers

3,486

Ignite a Firecracker microVM

7,892

contaiNERD CTL - Docker-compatible CLI for containerd, with support for Compose, Rootless, eStargz, OCIcrypt, IPFS, ...

23,475

Podman: A tool for managing OCI containers and pods.

Quick Overview

Firecracker is a lightweight virtual machine (VM) manager that is designed to be fast, secure, and scalable. It is primarily used for running serverless workloads and microservices in a cloud environment. Firecracker is written in Rust and is designed to be highly performant and efficient.

Pros

  • Fast Startup Times: Firecracker is designed to start up VMs quickly, making it well-suited for serverless and microservices use cases.
  • High Security: Firecracker uses a minimal attack surface and a secure-by-default design to provide a high level of security.
  • Scalability: Firecracker is designed to be highly scalable, allowing users to run thousands of VMs on a single host.
  • Flexibility: Firecracker can be used to run a wide range of workloads, from simple web services to complex distributed systems.

Cons

  • Limited OS Support: Firecracker currently only supports Linux-based operating systems, which may limit its usefulness for some use cases.
  • Complexity: Firecracker is a relatively complex system, with a steep learning curve for new users.
  • Limited Documentation: The Firecracker project has relatively limited documentation, which can make it challenging for new users to get started.
  • Dependency on Rust: Firecracker is written in Rust, which may be a barrier for developers who are more familiar with other programming languages.

Code Examples

N/A (Firecracker is not a code library)

Getting Started

N/A (Firecracker is not a code library)

Competitor Comparisons

Kata Containers is an open source project and community working to build a standard implementation of lightweight Virtual Machines (VMs) that feel and perform like containers, but provide the workload isolation and security advantages of VMs. https://katacontainers.io/

Pros of Kata Containers

  • Kata Containers provides a more comprehensive solution for running containers with enhanced security and isolation, compared to Firecracker.
  • Kata Containers supports a wider range of container runtimes, including Docker and Kubernetes, making it more versatile.
  • Kata Containers has a larger community and more active development, potentially offering better long-term support and feature updates.

Cons of Kata Containers

  • Kata Containers has a larger codebase and more complex architecture, which may result in a higher overhead and slower performance compared to Firecracker.
  • Kata Containers may have a steeper learning curve for users who are more familiar with lightweight virtualization solutions like Firecracker.

Code Comparison

Firecracker (5 lines):

pub fn start_microvm(
    config: &Config,
    logger: &Logger,
) -> Result<(Arc<Mutex<Vm>>, Arc<Mutex<EventManager>>), Error> {
    let vm = Vm::new(config, logger)?;
    let event_manager = EventManager::new(config, logger)?;
    Ok((Arc::new(Mutex::new(vm)), Arc::new(Mutex::new(event_manager))))
}

Kata Containers (5 lines):

func (c *container) start() error {
    if err := c.container.Start(); err != nil {
        return err
    }
    c.state.State = types.StateRunning
    return nil
}

A Virtual Machine Monitor for modern Cloud workloads. Features include CPU, memory and device hotplug, support for running Windows and Linux guests, device offload with vhost-user and a minimal compact footprint. Written in Rust with a strong focus on security.

Pros of Cloud Hypervisor

  • Improved Security: Cloud Hypervisor is designed with a focus on security, providing a smaller attack surface and more robust isolation mechanisms compared to Firecracker.
  • Enhanced Functionality: Cloud Hypervisor offers a wider range of features, including support for more hardware devices, PCI passthrough, and advanced networking capabilities.
  • Flexible Configuration: Cloud Hypervisor allows for more customization and configuration options, enabling users to tailor the hypervisor to their specific needs.

Cons of Cloud Hypervisor

  • Larger Codebase: Cloud Hypervisor has a larger codebase compared to Firecracker, which may result in a higher maintenance overhead and a longer learning curve for new contributors.
  • Slower Development Pace: The development of Cloud Hypervisor appears to be slower compared to the rapid pace of Firecracker, with fewer frequent releases and updates.
  • Limited Community: Firecracker has a larger and more active community, with more resources and support available for users and contributors.

Code Comparison

Here's a brief code comparison between Firecracker and Cloud Hypervisor:

Firecracker (main.rs):

fn main() {
    let mut api_server = ApiServer::new(
        config.api_socket,
        config.api_listeners,
        config.log_path,
        config.log_level,
        config.level_filter,
    );

    api_server.run();
}

Cloud Hypervisor (main.rs):

fn main() {
    let mut builder = Builder::new();
    builder.configure_logging();
    builder.configure_signal_handlers();

    let mut hypervisor = Hypervisor::new(builder.build());
    hypervisor.run();
}

Both code snippets show the entry point of the respective projects, where the main hypervisor instance is created and run. The differences highlight the different architectural approaches and feature sets of the two projects.

15,712

Application Kernel for Containers

Pros of gvisor

  • gvisor provides a more comprehensive and feature-rich container runtime environment, with support for a wider range of system calls and kernel features.
  • gvisor offers better security isolation, as it runs the container in a separate user-space kernel, providing an additional layer of protection.
  • gvisor has a more active development community and a larger set of contributors, leading to faster feature development and bug fixes.

Cons of gvisor

  • gvisor has a larger codebase and a more complex architecture, which can make it more challenging to understand and maintain.
  • gvisor may have higher resource requirements compared to Firecracker, as it runs a full user-space kernel for each container.
  • gvisor's performance may be slightly lower than Firecracker's, especially for workloads that don't require the additional security features.

Code Comparison

Firecracker (Rust):

pub fn start_microvm(
    config: &Config,
    logger: &Logger,
) -> Result<(Pid, Arc<Mutex<Microvm>>), Error> {
    let microvm = Microvm::new(config, logger)?;
    let pid = microvm.start()?;
    Ok((pid, Arc::new(Mutex::new(microvm))))
}

gvisor (Go):

func (s *Server) Run(ctx context.Context) error {
    s.wg.Add(1)
    defer s.wg.Done()

    for {
        select {
        case <-ctx.Done():
            return ctx.Err()
        case req := <-s.requests:
            s.handleRequest(ctx, req)
        }
    }
}
3,486

Ignite a Firecracker microVM

Pros of Ignite

  • Ignite provides a more user-friendly interface and CLI, making it easier for developers to manage their Kubernetes-based environments.
  • Ignite integrates with popular container runtimes like Docker and containerd, providing a more seamless experience for users.
  • Ignite supports a wider range of Kubernetes features and functionality compared to Firecracker.

Cons of Ignite

  • Ignite has a larger codebase and dependencies, which can make it more complex to set up and maintain compared to Firecracker.
  • Ignite may have a higher resource footprint than Firecracker, as it includes additional components and features.
  • Ignite's focus on Kubernetes integration may make it less suitable for use cases that don't require Kubernetes.

Code Comparison

Firecracker (written in Rust):

pub fn start_microvm(
    config: &Config,
    logger: &Logger,
) -> Result<(Pid, Arc<Mutex<Vm>>), Error> {
    let mut vm = Vm::new(config, logger)?;
    vm.start()?;
    let pid = vm.pid();
    Ok((pid, Arc::new(Mutex::new(vm))))
}

Ignite (written in Go):

func (i *Ignite) Start(ctx context.Context) error {
    if err := i.ensureInitialized(); err != nil {
        return err
    }

    if err := i.startContainerRuntime(ctx); err != nil {
        return err
    }

    if err := i.startKubernetes(ctx); err != nil {
        return err
    }

    return nil
}
7,892

contaiNERD CTL - Docker-compatible CLI for containerd, with support for Compose, Rootless, eStargz, OCIcrypt, IPFS, ...

Pros of nerdctl

  • nerdctl provides a familiar Docker-like CLI interface, making it easier for users already familiar with Docker to transition to containerd.
  • nerdctl supports a wide range of container-related features, such as image management, networking, and volume management, out of the box.
  • nerdctl is actively maintained and developed by the containerd team, ensuring it stays up-to-date with the latest containerd features and improvements.

Cons of nerdctl

  • nerdctl is a higher-level tool that abstracts away some of the low-level details of containerd, which may be less appealing for users who prefer more control over the underlying container runtime.
  • nerdctl's feature set may be overkill for users who only need a simple container runtime, as it adds additional complexity and dependencies.

Code Comparison

Firecracker:

pub fn start_microvm(
    config: &Config,
    logger: &Logger,
    metrics: &Metrics,
) -> Result<(), StartMicrovmError> {
    let mut microvm = Microvm::new(config, logger, metrics)?;
    microvm.start()?;
    Ok(())
}

nerdctl:

func (c *ContainerService) Create(ctx context.Context, req *api.CreateContainerRequest) (*api.CreateContainerResponse, error) {
    container, err := c.create(ctx, req)
    if err != nil {
        return nil, err
    }

    return &api.CreateContainerResponse{
        Container: container,
    }, nil
}
23,475

Podman: A tool for managing OCI containers and pods.

Pros of Podman

  • Podman is a more mature and feature-rich container runtime, with a larger community and more extensive documentation.
  • Podman provides a more user-friendly interface, with a command-line tool that closely resembles the Docker CLI.
  • Podman has better support for rootless containers, which can be beneficial for security and ease of use.

Cons of Podman

  • Firecracker is a more lightweight and specialized solution, focused on providing a secure and efficient virtualization platform.
  • Firecracker has a smaller codebase and may be easier to understand and contribute to for developers.
  • Firecracker is designed to be more tightly integrated with cloud infrastructure, which may be a better fit for certain use cases.

Code Comparison

Firecracker (5 lines):

pub fn start_microvm(
    config: &Config,
    logger: &Logger,
) -> Result<(Arc<Mutex<Vm>>, Arc<Mutex<EventManager>>), Error> {
    let vm = Vm::new(config, logger)?;
    let event_manager = EventManager::new(logger.clone());
    Ok((Arc::new(Mutex::new(vm)), Arc::new(Mutex::new(event_manager))))
}

Podman (5 lines):

func (r *Runtime) CreateContainer(ctx context.Context, name string, options *CreateOptions) (*Container, error) {
    if err := r.lock(name); err != nil {
        return nil, err
    }
    defer r.unlock(name)
    return r.createContainer(ctx, name, options)
}

Convert Figma logo designs to code with AI

Visual Copilot

Introducing Visual Copilot: A new AI model to turn Figma designs to high quality code using your components.

Try Visual Copilot

README

Firecracker Logo Title

Our mission is to enable secure, multi-tenant, minimal-overhead execution of container and function workloads.

Read more about the Firecracker Charter here.

What is Firecracker?

Firecracker is an open source virtualization technology that is purpose-built for creating and managing secure, multi-tenant container and function-based services that provide serverless operational models. Firecracker runs workloads in lightweight virtual machines, called microVMs, which combine the security and isolation properties provided by hardware virtualization technology with the speed and flexibility of containers.

Overview

The main component of Firecracker is a virtual machine monitor (VMM) that uses the Linux Kernel Virtual Machine (KVM) to create and run microVMs. Firecracker has a minimalist design. It excludes unnecessary devices and guest-facing functionality to reduce the memory footprint and attack surface area of each microVM. This improves security, decreases the startup time, and increases hardware utilization. Firecracker has also been integrated in container runtimes, for example Kata Containers and Flintlock.

Firecracker was developed at Amazon Web Services to accelerate the speed and efficiency of services like AWS Lambda and AWS Fargate. Firecracker is open sourced under Apache version 2.0.

To read more about Firecracker, check out firecracker-microvm.io.

Getting Started

To get started with Firecracker, download the latest release binaries or build it from source.

You can build Firecracker on any Unix/Linux system that has Docker running (we use a development container) and bash installed, as follows:

git clone https://github.com/firecracker-microvm/firecracker
cd firecracker
tools/devtool build
toolchain="$(uname -m)-unknown-linux-musl"

The Firecracker binary will be placed at build/cargo_target/${toolchain}/debug/firecracker. For more information on building, testing, and running Firecracker, go to the quickstart guide.

The overall security of Firecracker microVMs, including the ability to meet the criteria for safe multi-tenant computing, depends on a well configured Linux host operating system. A configuration that we believe meets this bar is included in the production host setup document.

Contributing

Firecracker is already running production workloads within AWS, but it's still Day 1 on the journey guided by our mission. There's a lot more to build and we welcome all contributions.

To contribute to Firecracker, check out the development setup section in the getting started guide and then the Firecracker contribution guidelines.

Releases

New Firecracker versions are released via the GitHub repository releases page, typically every two or three months. A history of changes is recorded in our changelog.

The Firecracker release policy is detailed here.

Design

Firecracker's overall architecture is described in the design document.

Features & Capabilities

Firecracker consists of a single micro Virtual Machine Manager process that exposes an API endpoint to the host once started. The API is specified in OpenAPI format. Read more about it in the API docs.

The API endpoint can be used to:

  • Configure the microvm by:
    • Setting the number of vCPUs (the default is 1).
    • Setting the memory size (the default is 128 MiB).
    • Configuring a CPU template.
  • Add one or more network interfaces to the microVM.
  • Add one or more read-write or read-only disks to the microVM, each represented by a file-backed block device.
  • Trigger a block device re-scan while the guest is running. This enables the guest OS to pick up size changes to the block device's backing file.
  • Change the backing file for a block device, before or after the guest boots.
  • Configure rate limiters for virtio devices which can limit the bandwidth, operations per second, or both.
  • Configure the logging and metric system.
  • [BETA] Configure the data tree of the guest-facing metadata service. The service is only available to the guest if this resource is configured.
  • Add a vsock socket to the microVM.
  • Add a entropy device to the microVM.
  • Start the microVM using a given kernel image, root file system, and boot arguments.
  • [x86_64 only] Stop the microVM.

Built-in Capabilities:

  • Demand fault paging and CPU oversubscription enabled by default.
  • Advanced, thread-specific seccomp filters for enhanced security.
  • Jailer process for starting Firecracker in production scenarios; applies a cgroup/namespace isolation barrier and then drops privileges.

Tested platforms

We test all combinations of:

InstanceHost OS & KernelGuest RootfsGuest Kernel
c5n.metalal2 linux_5.10ubuntu 22.04linux_4.14
m5n.metalal2023 linux_6.1linux_5.10
m6i.metallinux_6.1
m6a.metal
m6g.metal
m7g.metal

Known issues and Limitations

  • The pl031 RTC device on aarch64 does not support interrupts, so guest programs which use an RTC alarm (e.g. hwclock) will not work.

Performance

Firecracker's performance characteristics are listed as part of the specification documentation. All specifications are a part of our commitment to supporting container and function workloads in serverless operational models, and are therefore enforced via continuous integration testing.

Policy for Security Disclosures

The security of Firecracker is our top priority. If you suspect you have uncovered a vulnerability, contact us privately, as outlined in our security policy document; we will immediately prioritize your disclosure.

FAQ & Contact

Frequently asked questions are collected in our FAQ doc.

You can get in touch with the Firecracker community in the following ways:

When communicating within the Firecracker community, please mind our code of conduct.