
This is huge! It basically removes the VM as the security boundary for something like Fargate [1]. This should lead to a significant reduction in pricing, since Fargate will no longer need to over-provision in the background because VMs were being used even for tiny Fargate launch types.

It should hopefully eliminate the cost disparity between using Fargate vs running your own instances. Should also mean much faster scale out, since your containers don't need to wait on an entire VM to boot!

Will be interesting to see what kind of collaboration they get on the project. This is a big test of AWS stewardship of an open source project. It seems to be competing directly with Kata Containers [2] so it will be interesting to see which solution is deemed technically superior.

[1] https://aws.amazon.com/fargate/

[2] https://katacontainers.io/

Indeed, this seems very similar to kata+runv+kvmtool(lkvm). I'm curious why they don't provide a comparison. Here's what I gathered:

- it seems to boot faster (how?)

- it does not provide a pluggable container runtime (yet)

- a single tool/binary does both the VMM and the API server, in a single language.

Can anyone else chime in?

> I'm curious why they don't provide a comparison

They do, if you read the FAQs: https://firecracker-microvm.github.io/#faq

I did, and it does not answer my question, because they only address the runv+qemu use case, not the runv+kvmtool one:

> Kata Containers is an OCI-compliant container runtime that executes containers within QEMU based virtual machines

From memory, the original version of Intel Clear Containers had its own KVM-based VMM, but they moved back to QEMU (or a more minimal patched version they maintain). They are working on containerd support, so it should be similar to Kata soon.

That's what I thought, too, but re-reading the articles, they were using a patched kvmtool: https://lwn.net/Articles/644675/

So this is exactly what runv's lkvm backend is doing (except kvmtool isn't patched anymore). And Intel Clear Containers do not exist anymore (many broken links on Clear Linux's website subsist, though), since they moved to Kata as well:


It sounds like it’s already being used in Lambda and Fargate, though I’m not sure how long that’s been the case:

> Firecracker has been battle-tested and is already powering multiple high-volume AWS services including AWS Lambda and AWS Fargate
