
AWS Firecracker - Secure and fast microVMs for serverless computing - mcrute
https://github.com/firecracker-microvm/firecracker
======
smartbit
To my knowledge AWS EC2 uses (a derivative of) Xen, Google uses KVM and
Microsoft Azure uses Hyper-v. Now AWS is making inroads into KVM with
Firecracker, does this mean that the days of Xen are counted?

Edit: Brendan Gregg introduces Nitro ( _based on the KVM core kernel module_ )
[https://news.ycombinator.com/item?id=15812803](https://news.ycombinator.com/item?id=15812803)
in Nov '17

~~~
blasdel
The c5, m5, t3, c5d, m5d, z1d, r5, r5d, m5a, r5a, a1, c5n, p3dn instance
families all use the Nitro Hypervisor, which is based on Linux KVM code but
offloads a lot of functionality to the Nitro System instead of using the
normative QEMU setup.

Firecracker runs as a process in a customer-provided Linux 4.14 or newer
kernel using the upstream KVM APIs, which can be on an EC2 Metal Instance or on
your own hardware.

~~~
__bjoernd
How could you miss z1? ;)

~~~
blasdel
Thanks for the reminder; ironically, I put a lot of work into launching that
platform!

------
mcrute
There's also an AWS blog article:
[https://aws.amazon.com/blogs/aws/firecracker-lightweight-virtualization-for-serverless-computing/](https://aws.amazon.com/blogs/aws/firecracker-lightweight-virtualization-for-serverless-computing/)

------
cheeseburgerj
What does this do that kubernetes doesn't?

Forgive my ignorance, but this seems like AWS trying to get back the lock-in
that they lost with Kubernetes becoming popular.

~~~
mcrute
Firecracker serves an entirely different purpose from Kubernetes. Kubernetes
is a cluster scheduler, but the containers being scheduled still need a runtime
(typically Docker, containerd, or CRI-O) to execute the process within the
container. These runtimes typically share a single Linux kernel instance and
use the kernel cgroups feature to isolate workloads. In multi-tenant
environments where each tenant is running unrestricted code, this presents an
unacceptably high security risk. If a hacker compromises one container and
escapes the cgroup confinement, they can potentially impact the security of
other containers. Fargate is the building block for an alternative container
runtime that uses extremely lightweight VMs and isolated kernel instances
instead of the more traditional approach of sharing a kernel between all
processes.

~~~
arun_gupta
You can also see an early proof of concept integration with containerd at
[https://github.com/firecracker-microvm/firecracker-containerd](https://github.com/firecracker-microvm/firecracker-containerd)

