Playing with AWS Firecracker VMM (Part 2)

Catching the tail of summer

Still rolling up our sleeves to get hands-on

...

Ernest Chiang @ Cloud Native Taiwan User Group
Aug 31, 2020

Give me a place to stand on, and I will move the Earth.

—Archimedes

sli.do

  • #awsvmm2
  • Any question, curiosity or doubt during the session can be dropped into sli.do at any time.
  • The survey link for the US$25 AWS Credits is also in sli.do.

Ernest Chiang

Worked on process integration engineering in the semiconductor industry @tsmc.

Doing product and technology integration in the fitness industry @pafers.

Off work: TGO Networks Taipei, AWS Community Hero, Mozillian, AIESECer.

Outline

  • Part 1: COSCUP 2020
  • Part 2: Cloud Native Taiwan User Group
  • Firecracker
    • Virtualization & Containerization
  • Lambda & Fargate
  • Firecracker & containerd
  • Firecracker & Open Source Projects (Weave Ignite)

Part 1: COSCUP 2020

Part 2: Cloud Native Taiwan User Group

Firecracker

What is Firecracker

Firecracker is an open source VMM that is purpose-built for creating and managing secure, multi-tenant container and function-based services.

What problem is AWS helping to solve?

  • Multiple functions
  • on multiple environments
  • from multiple accounts.

Firecracker

  • Open source virtualization technology (microVM)
  • Security & isolation of traditional VMs
  • Speed & density of containers
  • Low resource overhead
  • Developed at Amazon

Firecracker Facts

  • Started with a branch of crosvm
    • Removed >50% of the code
  • 96% fewer lines of code than QEMU
  • Simplified device model
    • no BIOS, no PCI, etc.
  • Apache 2.0 license

Virtualization & Containerization

1. Virtualization

Creating a virtual version of something:

  • CPU
  • Memory
  • Device/IO (Storage, NIC)

2. Hypervisor (1/3)

A hypervisor (or virtual machine monitor, VMM, virtualizer) is computer software, firmware or hardware that creates and runs virtual machines.

2. Hypervisor (2/3)

2. Hypervisor (3/3)

3. KVM

Kernel-based Virtual Machine (KVM) is a virtualization module in the Linux kernel that allows the kernel to function as a hypervisor.

4. Containerization (1/n)

  • OS-level virtualization, also known as containerization, refers to an OS feature in which the kernel allows the existence of multiple isolated user-space instances.
  • Such instances, called containers, partitions, virtual environments (VEs) or jails (FreeBSD jail or chroot jail), may look like real computers from the point of view of programs running in them.

4. Containerization

Back to Firecracker

A purpose-built open source VMM

Firecracker Security Models (1/2)

Firecracker Security Models (2/2)

Host-facing REST API

Demo #1

Getting Started with Firecracker in 2 Minutes

Getting started with Firecracker

  • Firecracker on AWS bare metal
  • Firecracker on other clouds with bare metal (e.g., Packet)
  • Firecracker on GCP nested-virt
  • Firecracker on Azure nested-virt
  • Firecracker on your dev machine (physical/nested-virt)

Demo #1

Getting Started with Firecracker in 2 Minutes:

Firecracker on VirtualBox on macOS on Macbook Pro

https://github.com/dwchiang/firecracker-workshops/tree/master/01-getting-started

Let's Go!

Getting Started with Firecracker in 2 Minutes

Firecracker & AWS Lambda

Problems & Solutions

Lambda worker architecture

Lambda worker isolation

Lambda isolation comparison

Lambda isolation using Firecracker

Allocate Workloads:

More efficient:

Firecracker

AWS Container Services landscape

Containers run on Amazon EC2 and/or AWS Fargate

Firecracker & AWS Fargate

Fargate configurations

CPU (vCPU)   Memory values (GB)
0.25         0.5, 1, 2
0.5          Min 1 GB, max 4 GB, in 1 GB increments
1            Min 2 GB, max 8 GB, in 1 GB increments
2            Min 4 GB, max 16 GB, in 1 GB increments
4            Min 8 GB, max 30 GB, in 1 GB increments

Demo #2

Creating 4,000 microVMs in 90 Seconds

Demo #2

Creating 4,000 microVMs in 90 Seconds:

Firecracker on EC2 Bare Metal instance

https://github.com/dwchiang/firecracker-workshops/tree/master/02-4000-microVMs

Instance type   vCPU   ECU   Memory    Instance storage     Cost per hour
i3.metal        64     208   512 GiB   8 x 1900 NVMe SSD    $4.992
m5.metal        96     345   384 GiB   EBS only             $4.608
m5d.metal       96     345   384 GiB   4 x 900 NVMe SSD     $5.424
c5.metal        96     375   192 GiB   EBS only             $4.08
c5d.metal       96     375   192 GiB   4 x 900 NVMe SSD     $4.608

Savings on Spot Instance

Let's Go!

Creating 4,000 microVMs in 90 Seconds

Firecracker & containerd

OCI Image & OCI Runtime

  • containerd
  • runc: a CLI tool for spawning and running containers according to the OCI specification.

OCI Image & OCI Runtime

  • Let's rotate the chart.
  • containerd --> runc --> container

Firecracker & containerd

Part of stack          Example components
Container runtime      runc, Firecracker
Local management       Docker, containerd
Cluster orchestrator   Amazon ECS, Kubernetes, Mesos

Firecracker & containerd Architecture (1/3)

Firecracker & containerd Architecture (2/3)

Firecracker & containerd Architecture (3/3)

How to run containers with firecracker-containerd

  • Deep Dive into firecracker-containerd (re:Invent 2019, CON408)
  • Demo of Extending containerd - Samuel Karp & Maksym Pavlenko, Amazon

Firecracker & Open Source Projects

Firecracker Integration with Open Source Projects

  • Kata Containers
  • UniK
  • OSv
  • Weave Ignite

Weave Ignite

  • ignite ps -a
  • ignite logs <vm>
  • ignite stop <vm>... [flags]
  • ignite rm <vm>... [flags]

Who would use Firecracker?

  • Teams building compute services
  • Teams integrating Firecracker with container stacks
  • Developers & security engineers who want to contribute

Takeaways

Strong security isolation

Short startup time

High density and efficiency

#JustLikeLove

-- AWS Firecracker VMM

Q&A & Thank you

Blog https://www.ernestchiang.com
Twitter @dwchiang

#CrossFieldIntegration
#TechnicalManagement
#Bluetooth #AWS

Community

Reference

Reference: Firecracker

Reference: ecosystems

  • Kata Containers is an open source project and community working to build a standard implementation of lightweight Virtual Machines (VMs) that feel and perform like containers, but provide the workload isolation and security advantages of VMs.

Reference: Virtualization

Reference: AWS Nitro System

  • AWS Nitro System by James Hamilton (VP and Distinguished Engineer at AWS), 2019.
    • The Nitro hypervisor is built on a minimized and modified Linux kernel, including the KVM subsystem that is responsible for programming hardware virtualization features of the processor.

Open Source at AWS

Firecracker design principles

  • Multitenant
  • Any vCPU and memory combination
  • Oversubscription permissible
  • Steady mutation rate: 100+ microVMs/host/sec
  • Limited only by hardware resources
  • Host-facing REST API
  • Minimalist guest device model
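
A worked example of that host-facing REST API, added here and not taken from the talk or the firecracker-workshops repo: it configures one microVM (kernel, read-only rootfs, vCPU/memory) and boots it over the API's Unix socket using only the Python standard library. The socket path and the kernel/rootfs paths are placeholders for whatever the host actually uses.

```python
import http.client
import json
import socket


class UnixHTTPConnection(http.client.HTTPConnection):
    """http.client over an AF_UNIX socket: Firecracker listens on no TCP port."""

    def __init__(self, sock_path):
        super().__init__("localhost")
        self.sock_path = sock_path

    def connect(self):
        self.sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        self.sock.connect(self.sock_path)


def microvm_plan(kernel, rootfs, vcpus=1, mem_mib=128, rootfs_read_only=True):
    """Ordered (method, path, body) API calls that configure and boot one microVM."""
    if vcpus < 1 or mem_mib < 1:
        raise ValueError("vcpu_count and mem_size_mib must be positive")
    return [
        # pci=off matches Firecracker's minimalist device model (no PCI, no BIOS).
        ("PUT", "/boot-source", {"kernel_image_path": kernel,
                                 "boot_args": "console=ttyS0 reboot=k panic=1 pci=off"}),
        # A read-only root drive keeps a shared base image immutable from inside the guest.
        ("PUT", "/drives/rootfs", {"drive_id": "rootfs", "path_on_host": rootfs,
                                   "is_root_device": True, "is_read_only": rootfs_read_only}),
        ("PUT", "/machine-config", {"vcpu_count": vcpus, "mem_size_mib": mem_mib}),
        ("PUT", "/actions", {"action_type": "InstanceStart"}),
    ]


def apply_plan(plan, conn_factory):
    """Send each call in order; stop at the first one Firecracker rejects (non-204)."""
    conn = conn_factory()
    headers = {"Content-Type": "application/json", "Accept": "application/json"}
    accepted = []
    for method, path, body in plan:
        conn.request(method, path, body=json.dumps(body), headers=headers)
        resp = conn.getresponse()
        detail = resp.read().decode()  # on 400 this is {"fault_message": "..."}
        if resp.status != 204:
            raise RuntimeError(f"{method} {path} -> {resp.status}: {detail}")
        accepted.append(path)
    return accepted


if __name__ == "__main__":
    # Placeholder paths: replace with the real socket, kernel and rootfs on the host.
    plan = microvm_plan("/path/to/vmlinux", "/path/to/rootfs.ext4", vcpus=2, mem_mib=256)
    print(apply_plan(plan, lambda: UnixHTTPConnection("/tmp/firecracker.socket")))
```

Firecracker answers 204 No Content when it accepts a call; a rejected call returns 400 with a JSON fault_message naming the field it refused, and the script stops there so a half-configured microVM is never started.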

As an AWS Community Hero, re-creating a PAFERS Fitness Services is perfectly reasonable too.

IoT, Bluetooth communication, specifications

Today we quickly review Part 1 and fill in the details that were not explained clearly last time.

- Different hypervisors.
- Previously, EC2 instances were used for isolation; now Firecracker is used for isolation.

Fargate, like EC2, lets you choose the CPU and memory size.

1. Three customer accounts.
2. Each workload runs in its own EC2 instance (the yellow isolation boundary).
3. An (invisible) AWS service account manages these EC2 instances.
4. We replace EC2 with Fargate running on Firecracker (the yellow isolation boundary).
5. After moving to Fargate there is no EC2, so the AWS service account is no longer needed.
6. Firecracker runs on EC2 bare metal (very large machines).
7. Spread the workloads out.

1. Usually you can't have both the fish and the bear's paw; when you want both (only kids have to choose!), you typically need customization, that is, building for a specific purpose (purpose-built).
2. Wanting both really means opening up two separate paths and managing the two separately.

Let's flip the chart around.

1. containerd asks runc to start a container.
2. containerd asks Firecracker to start a microVM.
3. The container is wrapped inside the microVM for isolation.
4. Punch a hole so that containerd, through the Firecracker snapshotter, can place the container rootfs inside the microVM, where it becomes the container.

runc is no longer needed.