Secure and fast microVMs for serverless computing.
The developer of this repository has not created any items for sale yet. Need a bug fixed? Help with integration? A different license? Create a request here:
Our mission is to enable secure, multi-tenant, minimal-overhead execution of container and function workloads.
Read more about the Firecracker Charter here.
Firecracker is an open source virtualization technology that is purpose-built for creating and managing secure, multi-tenant container and function-based services that provide serverless operational models. Firecracker runs workloads in lightweight virtual machines, called microVMs, which combine the security and isolation properties provided by hardware virtualization technology with the speed and flexibility of containers.
The main component of Firecracker is a virtual machine monitor (VMM) that uses the Linux Kernel Virtual Machine (KVM) to create and run microVMs. Firecracker has a minimalist design. It excludes unnecessary devices and guest-facing functionality to reduce the memory footprint and attack surface area of each microVM. This improves security, decreases the startup time, and increases hardware utilization. Firecracker currently supports Intel, AMD (preview) and Arm (preview) CPUs. Firecracker has also been integrated in container runtimes, for exampleKata Containersand Weaveworks Ignite.
To read more about Firecracker, check outfirecracker-microvm.io.
To get started with Firecracker, download the latestrelease binaries or build it from source.
You can build Firecracker on any Unix/Linux system that has Docker running (we use a development container) and
installed, as follows:
git clone https://github.com/firecracker-microvm/firecracker cd firecracker tools/devtool build toolchain="$(uname -m)-unknown-linux-musl"
The Firecracker binary will be placed at
. For more information on building, testing, and running Firecracker, go to thequickstart guide.
The overall security of Firecracker microVMs, including the ability to meet the criteria for safe multi-tenant computing, depends on a well configured Linux host operating system. A configuration that we believe meets this bar is included in the production host setup document.
Firecracker is already running production workloads within AWS, but it's still Day 1 on the journey guided by our mission. There's a lot more to build and we welcome all contributions.
Firecracker's overall architecture is described inthe design document.
Firecracker consists of a single micro Virtual Machine Manager process that exposes an API endpoint to the host once started. The API isspecified in OpenAPI format. Read more about it in the API docs.
The API endpoint can be used to:
Configure the data tree of the guest-facing metadata service. The service is only available to the guest if this resource is configured.
Firecracker's performance characteristics are listed as part of thespecification documentation. All specifications are a part of our commitment to supporting container and function workloads in serverless operational models, and are therefore enforced via continuous integration testing.
The security of Firecracker is our top priority. If you suspect you have uncovered a vulnerability, contact us privately, as outlined in oursecurity policy document; we will immediately prioritize your disclosure.
Frequently asked questions are collected in our FAQ doc.
You can get in touch with the Firecracker community in the following ways: - Security-related issues, see our security policy document. - Chat with us on our Slack workspace. Note: most of the maintainers are on a European time zone.- Open a GitHub issue in this repository. - Email the maintainers at [email protected].
When communicating within the Firecracker community, please mind ourcode of conduct.