Playing with AWS Firecracker VMM

Rolling up our sleeves and getting hands-on on a hot summer day

Ernest Chiang @ COSCUP 2020, Track: Cloud Native Hub

Give me a place to stand on, and I will move the Earth.

—Archimedes

sli.do

  • sli.do event code: #awsvmm
  • Any question, curiosity or doubt during the session can be dropped into sli.do at any time.
  • The survey link for the US$25 AWS Credits is also in sli.do.

Ernest Chiang

Worked on process integration engineering in the semiconductor industry @tsmc.

Doing product and technology integration in the fitness industry @pafers.

Off work: TGO Networks Taipei, AWS Community Hero, Mozillian, AIESECer.

Outline

  • Problems & Solutions
  • Firecracker
  • Virtualization & Containerization
  • Lambda & Fargate
  • Firecracker & containerd
  • Live Demo
    • Getting started with Firecracker in 2 Minutes
    • Creating 4,000 microVMs in 90 seconds
  • Firecracker & Open Source Projects

Problems & Solutions

Firecracker, Part 1

What is Firecracker

Firecracker is an open source VMM that is purpose-built for creating and managing secure, multi-tenant container and function-based services.

What problem is AWS helping to solve?

Multiple functions on multiple environments from multiple accounts.

What is Firecracker

  • Open source virtualization technology (microVM)
  • Security and isolation of traditional VMs
  • Speed and density of containers
  • Low resource overhead
  • Developed at Amazon

Benefits of Firecracker

Strong security isolation

Short boot time

High throughput and efficiency

#JustLikeLove

-- AWS Firecracker VMM

Virtualization & Containerization

Virtualization (1/3)

In computing, virtualization refers to the act of creating a virtual (rather than actual) version of something, including virtual computer hardware platforms, storage devices, and computer network resources.

Virtualization (2/3)

Creating a virtual version of something:

  • CPU
  • Memory
  • Device/IO (Storage, NIC)

Virtualization (3/3)

Hypervisor (1/6)

A hypervisor (or virtual machine monitor, VMM, virtualizer) is computer software, firmware or hardware that creates and runs virtual machines.

Hypervisor (2/6)

In 1974, Gerald J. Popek and Robert P. Goldberg classified two types of hypervisor:

  • Type-1, native or bare-metal hypervisors
  • Type-2 or hosted hypervisors

Hypervisor (3/6)

The distinction between these two types is not always clear.
For instance, Linux's Kernel-based Virtual Machine (KVM) and FreeBSD's bhyve are kernel modules that effectively convert the host operating system to a type-1 hypervisor.

Hypervisor (4/6)

At the same time, since Linux distributions and FreeBSD are still general-purpose operating systems, with applications competing with each other for VM resources, KVM and bhyve can also be categorized as type-2 hypervisors.

Hypervisor (5/6)

Hypervisor (6/6)

KVM

Kernel-based Virtual Machine (KVM) is a virtualization module in the Linux kernel that allows the kernel to function as a hypervisor.

Containerization

Operating-system-level virtualization, also known as containerization, refers to an operating system feature in which the kernel allows the existence of multiple isolated user-space instances. Such instances, called containers, partitions, virtual environments (VEs) or jails (FreeBSD jail or chroot jail), may look like real computers from the point of view of programs running in them.

Firecracker, Part 2

Host-facing REST API

Firecracker

  • Started with a branch of crosvm
    • Removed >50% of the code
  • 96% fewer lines of code than QEMU
  • Simplified device model
    • no BIOS, no PCI, etc.
  • Apache 2.0 license

Security Models (1/2)

Security Models (2/2)

Firecracker

  • In production in AWS Lambda
    • Millions of workloads
    • Trillions of requests/month

AWS Lambda

Lambda worker architecture

Lambda worker isolation

Lambda isolation comparison

Lambda isolation using Firecracker

Allocate Workloads:

More efficient:

AWS Container Services landscape

AWS Fargate

Fargate configurations

CPU (vCPU)   Memory values (GB)
0.25         0.5, 1, 2
0.5          Min 1 GB, max 4 GB, in 1 GB increments
1            Min 2 GB, max 8 GB, in 1 GB increments
2            Min 4 GB, max 16 GB, in 1 GB increments
4            Min 8 GB, max 30 GB, in 1 GB increments

Firecracker & containerd

  • containerd to manage containers as Firecracker microVMs.
  • Multi-tenant hosts
  • OCI image format
  • Work with popular orchestration frameworks
    • Kubernetes and Amazon ECS
  • Define a future: as light as a container, as secure as a VM

OCI Image & OCI Runtime

  • containerd
  • runc
    • is a CLI tool for spawning and running containers according to the OCI specification.

Firecracker & containerd Architecture

Live Demo

Live Demo #1

Getting Started with Firecracker in 2 Minutes

Getting started with Firecracker

  • Firecracker on AWS bare metal
  • Firecracker on other clouds with bare metal (e.g., Packet)
  • Firecracker on GCP nested-virt
  • Firecracker on Azure nested-virt
  • Firecracker on your dev machine (physical/nested-virt)

Live Demo #1

Getting Started with Firecracker in 2 Minutes:

Firecracker on VirtualBox on macOS on Macbook Pro

https://github.com/dwchiang/firecracker-workshops/tree/master/01-getting-started
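The host-facing REST API mentioned earlier is how the getting-started demo configures a microVM: each Firecracker process listens on its own Unix socket and the host issues PUT calls for the boot source, the root drive, the machine size, and finally the InstanceStart action. The client below is an added example written for this talk write-up, not code from the workshop repository or from the Firecracker project; the socket path, kernel and rootfs file names are assumptions, and `read_only_rootfs` is there to show the caveat that a root image shared by many microVMs should be attached read-only so one guest cannot alter what the next one boots.

```python
import http.client
import json
import socket

# Assumed defaults; the socket path and boot args mirror the Firecracker
# getting-started flow but are not values taken from the slides.
SOCKET_PATH = "/tmp/firecracker.socket"
BOOT_ARGS = "console=ttyS0 reboot=k panic=1 pci=off"


class UnixHTTPConnection(http.client.HTTPConnection):
    """HTTP/1.1 client that talks to the Firecracker API over its Unix socket."""

    def __init__(self, sock_path):
        super().__init__("localhost")
        self.sock_path = sock_path

    def connect(self):
        self.sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        self.sock.connect(self.sock_path)


def plan_microvm(kernel, rootfs, vcpus=1, mem_mb=128, read_only_rootfs=False):
    """Return the ordered (method, path, body) API calls that configure and boot one microVM."""
    if vcpus < 1 or mem_mb < 1:
        raise ValueError("vcpu_count and mem_size_mb must be positive")
    return [
        ("PUT", "/boot-source", {"kernel_image_path": kernel, "boot_args": BOOT_ARGS}),
        ("PUT", "/drives/rootfs", {"drive_id": "rootfs", "path_on_host": rootfs,
                                   "is_root_device": True, "is_read_only": read_only_rootfs}),
        ("PUT", "/machine-config", {"vcpu_count": vcpus, "mem_size_mb": mem_mb}),
        ("PUT", "/actions", {"action_type": "InstanceStart"}),
    ]


def apply_plan(plan, sock_path=SOCKET_PATH):
    """Send each call to the Firecracker process; stop at the first non-2xx response."""
    conn = UnixHTTPConnection(sock_path)
    statuses = []
    for method, path, body in plan:
        conn.request(method, path, body=json.dumps(body),
                     headers={"Content-Type": "application/json", "Accept": "application/json"})
        resp = conn.getresponse()
        resp.read()
        statuses.append(resp.status)
        if not 200 <= resp.status < 300:
            break
    conn.close()
    return statuses


if __name__ == "__main__":
    # Assumed file names; run a firecracker binary with --api-sock SOCKET_PATH first.
    plan = plan_microvm("hello-vmlinux.bin", "hello-rootfs.ext4", vcpus=2, mem_mb=1024,
                        read_only_rootfs=True)
    print(apply_plan(plan))
```

Because the API refuses configuration changes once InstanceStart has been accepted, the plan is built and validated in full before anything is sent.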

Live Demo #2

Creating 4,000 microVMs in 90 Seconds

Live Demo #2

Creating 4,000 microVMs in 90 Seconds:

Firecracker on EC2 Bare Metal instance

https://github.com/dwchiang/firecracker-workshops/tree/master/02-4000-microVMs

Type name   vCPU   ECU   Memory    Instance storage      Cost per hour
i3.metal    64     208   512 GiB   8 x 1900 NVMe SSD     $4.992
m5.metal    96     345   384 GiB   EBS only              $4.608
m5d.metal   96     345   384 GiB   4 x 900 NVMe SSD      $5.424
c5.metal    96     375   192 GiB   EBS only              $4.08
c5d.metal   96     375   192 GiB   4 x 900 NVMe SSD      $4.608

Savings on Spot Instance

Firecracker & Open Source Projects

Firecracker Integration with Open Source Projects

  • Kata Containers
  • UniK
  • OSv
  • Weave Ignite

Weave Ignite

  • Open source VMM with a container UX
  • Combines Firecracker microVMs with OCI images
  • Works using GitOps
    • ignite gitops <repo>

Who would use Firecracker?

  • Teams building compute services
  • Teams integrating Firecracker with container stacks
  • Developers & security engineers who want to contribute

Takeaways

Strong security isolation

Short boot time

High throughput and efficiency

#JustLikeLove

-- AWS Firecracker VMM

Firecracker Security Model

Q&A & Thank you

Blog https://www.ernestchiang.com
Twitter @dwchiang

#CrossFieldIntegration
#TechnicalManagement
#Bluetooth #AWS

https://bit.ly/awsvmm2020

Prize draw & $25 AWS Credits

Community

Reference

Reference: Firecracker

Reference: ecosystems

  • Weave Ignite is an open source Virtual Machine (VM) manager with a container UX and built-in GitOps management.
  • OSv is an open-source, versatile, modular unikernel designed to run a single unmodified Linux application securely as a microVM on top of a hypervisor, in contrast to traditional operating systems, which were designed for a vast range of physical machines.

Reference: ecosystems

  • Kata Containers is an open source project and community working to build a standard implementation of lightweight Virtual Machines (VMs) that feel and perform like containers, but provide the workload isolation and security advantages of VMs.

Reference: Virtualization

Open Source at AWS

Firecracker design principles

  • Multitenant
  • Any vCPU and memory combination
  • Oversubscription permissible
  • Steady mutation rate: 100+ microVMs/host/sec
  • Limited only by hardware resources
  • Host-facing REST API
  • Minimalist guest device model

Slido Poll Results

2020-0801