MicroVM and Firecracker: Discover Advantages and Disadvantages
During the virtualization revolution, physical servers were replaced with virtual machines so that many different workloads could run on a single piece of server hardware, but virtual machines were still large and needed significant resources to run as isolated servers. Each virtual machine needs its own operating system and applications, and each has to be managed and configured separately. A MicroVM, or micro virtual machine, offers the benefits of two different technologies at once, and Firecracker helps you implement it.
What Is a MicroVM, and How Does It Differ from a Traditional Virtual Machine?
A traditional virtual machine offers an isolated environment in which to run multiple services and applications, much like a physical machine. Containers, on the other hand, are fast to set up and run, but their security has always been the big concern.
A MicroVM offers the benefits of both containers and virtual machines: it is isolated like a virtual machine and very fast to deploy like a container.
Firecracker enables you to deploy workloads in lightweight virtual machines, called MicroVMs, which provide enhanced security and workload isolation over traditional VMs, while enabling the speed and resource efficiency of containers.
Firecracker is a virtual machine monitor (VMM) that uses the Linux Kernel-based Virtual Machine (KVM) to create and manage microVMs. Firecracker has a minimalist design: it excludes unnecessary devices and guest functionality to reduce the memory footprint and attack surface of each microVM. This improves security, decreases the startup time, and increases hardware utilization. Firecracker is generally available on 64-bit Intel, AMD, and Arm CPUs with support for hardware virtualization.
Firecracker is used by or integrated with (in alphabetical order): appfleet, containerd via firecracker-containerd, Fly.io, Kata Containers, Koyeb, Northflank, OpenNebula, Qovery, UniK, Weave FireKube (via Weave Ignite), and webapp.io. Firecracker can run Linux and OSv guests.
How Does It Work?
Firecracker runs in user space and uses the Linux Kernel-based Virtual Machine (KVM) to create MicroVMs. The fast startup time and low memory overhead of each MicroVM enable you to pack thousands of MicroVMs onto the same machine. This means that every function, container, or container group can be encapsulated behind a virtual machine barrier, enabling workloads from different customers to run on the same machine without any trade-off between security and efficiency. Firecracker is an alternative to QEMU, an established general-purpose VMM whose broad feature set allows it to host a wide variety of guest operating systems.
You control the Firecracker process via a RESTful API that exposes common actions such as configuring the number of vCPUs or starting the machine. It provides built-in rate limiters that let you control, at a fine granularity, the network and storage resources used by thousands of MicroVMs on the same machine. You create and configure rate limiters via the Firecracker API, and they are flexible enough to support bursts as well as sustained bandwidth or operations-per-second limits. Firecracker also provides a metadata service (MMDS) that securely shares configuration information between the host and the guest operating system; it, too, is set up and configured through the Firecracker API. Each Firecracker microVM is further isolated with common Linux user-space security barriers by a companion program called “jailer”. The jailer provides a second line of defense in case the virtualization barrier is ever compromised.
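The following script is an added example, not code from the article or from the Firecracker project. It shows the API-driven workflow described above: the pre-boot configuration calls sent over Firecracker's Unix-socket API, token-bucket rate limiters attached to the root drive and the network interface, metadata published through MMDS so that only the guest can read it, and the jailer command line that wraps the Firecracker process in a chroot, an unprivileged uid/gid and its own cgroup and namespaces. The socket path, kernel and rootfs paths, tap device name, MAC address, uid/gid and chroot base directory are all assumed placeholders; the `/mmds/config` body uses the `network_interfaces` shape of the Firecracker 1.x API.

```python
"""Added example (not the article's or Firecracker's own code): configure and boot
one microVM over Firecracker's REST API, with rate limiters and MMDS, and build
the jailer command line. All paths, device names and ids are placeholders."""
import http.client
import json
import os
import socket

# ASSUMPTION: Firecracker was started as `firecracker --api-sock /tmp/firecracker.socket`
DEFAULT_SOCKET = "/tmp/firecracker.socket"


class UnixHTTPConnection(http.client.HTTPConnection):
    """http.client connection over a Unix domain socket; the API has no TCP listener."""

    def __init__(self, socket_path):
        super().__init__("localhost")
        self.socket_path = socket_path

    def connect(self):
        self.sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        self.sock.connect(self.socket_path)


def token_bucket(size, refill_ms, burst=0):
    """Rate-limiter bucket: `size` tokens (bytes or ops) refilled every `refill_ms`
    milliseconds, plus an optional one-time burst (useful for the boot I/O spike)."""
    bucket = {"size": size, "refill_time": refill_ms}
    if burst:
        bucket["one_time_burst"] = burst
    return bucket


def microvm_plan(kernel, rootfs, tap, mac, vcpus=1, mem_mib=128):
    """Ordered (method, path, body) API calls that configure and boot a microVM.
    Everything before InstanceStart must be sent while the VM is not yet running."""
    mib = 1024 * 1024
    return [
        ("PUT", "/machine-config", {"vcpu_count": vcpus, "mem_size_mib": mem_mib}),
        ("PUT", "/boot-source", {
            "kernel_image_path": kernel,
            "boot_args": "console=ttyS0 reboot=k panic=1 pci=off",
        }),
        ("PUT", "/drives/rootfs", {
            "drive_id": "rootfs",
            "path_on_host": rootfs,
            "is_root_device": True,
            "is_read_only": False,
            # 10 MiB/s sustained with a 50 MiB boot burst, capped at 1000 IOPS,
            # so one busy guest cannot starve its neighbours on the host.
            "rate_limiter": {
                "bandwidth": token_bucket(10 * mib, 1000, burst=50 * mib),
                "ops": token_bucket(1000, 1000),
            },
        }),
        ("PUT", "/network-interfaces/eth0", {
            "iface_id": "eth0",
            "host_dev_name": tap,  # tap device created on the host beforehand
            "guest_mac": mac,
            "rx_rate_limiter": {"bandwidth": token_bucket(1 * mib, 1000)},
            "tx_rate_limiter": {"bandwidth": token_bucket(1 * mib, 1000)},
        }),
        # MMDS: reachable only from eth0 at 169.254.169.254 inside the guest.
        ("PUT", "/mmds/config", {"network_interfaces": ["eth0"]}),
        ("PUT", "/mmds", {"latest": {"meta-data": {"instance-id": "i-example"}}}),
        ("PUT", "/actions", {"action_type": "InstanceStart"}),
    ]


def apply_plan(plan, socket_path=DEFAULT_SOCKET):
    """Send each call in order; Firecracker answers 204 on success and a 4xx with a
    JSON fault message when it rejects the configuration."""
    conn = UnixHTTPConnection(socket_path)
    statuses = []
    for method, path, body in plan:
        conn.request(method, path, body=json.dumps(body),
                     headers={"Content-Type": "application/json"})
        resp = conn.getresponse()
        payload = resp.read()
        if resp.status >= 400:
            raise RuntimeError(f"{method} {path}: {resp.status} {payload.decode()}")
        statuses.append(resp.status)
    conn.close()
    return statuses


def jailer_argv(vm_id, firecracker_bin, uid, gid, chroot_base="/srv/jailer"):
    """Command line that runs Firecracker under the jailer: chrooted, dropped to an
    unprivileged uid/gid, in its own cgroup and namespaces (second line of defence)."""
    return ["jailer", "--id", vm_id, "--exec-file", firecracker_bin,
            "--uid", str(uid), "--gid", str(gid), "--chroot-base-dir", chroot_base]


def jailed_socket_path(vm_id, firecracker_bin, chroot_base="/srv/jailer"):
    """API socket location once jailed: <base>/<exec basename>/<id>/root/run/... (assumed)."""
    return os.path.join(chroot_base, os.path.basename(firecracker_bin), vm_id,
                        "root", "run", "firecracker.socket")


if __name__ == "__main__":
    for method, path, body in microvm_plan("/srv/vmlinux", "/srv/rootfs.ext4",
                                           "tap0", "AA:FC:00:00:00:01"):
        print(method, path, json.dumps(body))
    print(" ".join(jailer_argv("vm-0001", "/usr/bin/firecracker", 1000, 1000)))
```

Run as-is it only prints the request plan and the jailer command; `apply_plan(microvm_plan(...), jailed_socket_path(...))` sends the calls to a live Firecracker process. Keeping the plan as data makes it easy to review the limits a tenant's microVM will get before anything is booted.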
Firecracker’s benefits are as follows:
Security from the ground up
Firecracker MicroVMs use KVM-based virtualization that provides enhanced security over traditional VMs. This ensures that workloads from different end customers can run safely on the same machine. Firecracker also implements a minimal device model that excludes all non-essential functionality and reduces the attack surface of the MicroVM.
Speed by design
In addition to a minimal device model, Firecracker also accelerates kernel loading and provides a minimal guest kernel configuration. This enables fast startup times: Firecracker initiates user space or application code in as little as 125 ms and supports MicroVM creation rates of up to 150 MicroVMs per second per host.
Scale and efficiency
Each Firecracker MicroVM runs with a reduced memory overhead of less than 5 MiB, enabling a high density of MicroVMs to be packed onto each server. Firecracker provides a rate limiter built into every MicroVM, which enables optimized sharing of network and storage resources even across thousands of MicroVMs.