
MicroVM Virtualization Solution Firecracker Reaches 1.0


Originally developed at AWS to power AWS Lambda, Firecracker, which enables creating and managing secure microVMs for serverless computing, recently reached version 1.0.

Firecracker runs workloads in lightweight virtual machines, called microVMs, which combine the security and isolation properties provided by hardware virtualization technology with the speed and flexibility of containers.

At the heart of Firecracker is a virtual machine monitor (VMM) that relies on Linux's Kernel-based Virtual Machine (KVM). What distinguishes Firecracker from virtualization layers like QEMU and other hypervisors is its focus on lightweight, serverless workloads inside isolated VMs. QEMU, on the other hand, is a general-purpose virtualization layer that addresses a broader range of use cases.

When AWS started working on Firecracker, they sought a way to improve how they were supporting AWS Lambda functions through per-customer EC2 instances. EC2 granted security, flexibility, and isolation, but AWS Lambda growth required reducing memory overhead, improving launch time, and integrating better with containers.

Currently, a Firecracker VM can be fully launched in less than 125 ms, with creation of the microVM itself taking less than 7 ms. The memory footprint of each microVM is less than 5 MiB, which means many of them can be packed onto a single server.

An additional advantage of Firecracker, according to its creators, is enhanced security, a direct consequence of its minimalist approach: it supports few devices and little functionality, which shrinks the attack surface of each VM. Indeed, only five emulated devices are available: virtio-net, virtio-block, virtio-vsock, a serial console, and a minimal keyboard controller used only to stop the microVM.

Firecracker is written in Rust and also provides a REST control API, which enables starting an instance, getting or setting a VM configuration, managing snapshots, and so on. Additionally, the API includes a metadata service which enables the sharing of configuration data between the host and guest.
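As an added illustration (not code from the Firecracker project or from the article), the script below drives that REST control API over the Unix socket the Firecracker process listens on: it configures the boot source, root drive and machine size, starts the instance, and reads the effective configuration back with `GET /machine-config`. The socket and image paths, the `plan_microvm`/`apply_plan` names and the sizing values are assumptions; the endpoints and JSON fields are Firecracker's documented ones.

```python
import http.client
import json
import socket

# Kernel command line from Firecracker's getting-started docs: serial console only, no PCI.
BOOT_ARGS = "console=ttyS0 reboot=k panic=1 pci=off"

class UnixHTTPConnection(http.client.HTTPConnection):
    """HTTP/1.1 over the Unix domain socket the Firecracker process listens on."""
    def __init__(self, socket_path):
        super().__init__("localhost")
        self.socket_path = socket_path

    def connect(self):
        self.sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        self.sock.connect(self.socket_path)

def plan_microvm(kernel, rootfs, vcpus=1, mem_mib=128, rootfs_read_only=True):
    """Ordered (method, path, body) calls that configure, then start, one microVM.
    Returned before being sent so the plan can be reviewed; the rootfs defaults to
    read-only so a compromised guest cannot modify the host-side image."""
    if vcpus < 1 or mem_mib < 1:
        raise ValueError("vcpu_count and mem_size_mib must be positive")
    return [
        ("PUT", "/boot-source", {"kernel_image_path": kernel, "boot_args": BOOT_ARGS}),
        ("PUT", "/drives/rootfs", {"drive_id": "rootfs", "path_on_host": rootfs,
                                   "is_root_device": True, "is_read_only": rootfs_read_only}),
        ("PUT", "/machine-config", {"vcpu_count": vcpus, "mem_size_mib": mem_mib}),
        ("PUT", "/actions", {"action_type": "InstanceStart"}),
    ]

def apply_plan(socket_path, plan):
    """Send each call (Firecracker answers 204 on success), then read the config back."""
    conn = UnixHTTPConnection(socket_path)
    for method, path, body in plan:
        conn.request(method, path, body=json.dumps(body),
                     headers={"Content-Type": "application/json"})
        resp = conn.getresponse()
        data = resp.read()  # drain even on 204 so the connection can be reused
        if resp.status != 204:
            raise RuntimeError(f"{method} {path} -> {resp.status}: {data.decode()}")
    conn.request("GET", "/machine-config")
    return json.loads(conn.getresponse().read())

if __name__ == "__main__":
    # Assumed paths; point them at your own Firecracker socket and guest images.
    steps = plan_microvm("/srv/fc/vmlinux.bin", "/srv/fc/rootfs.ext4", vcpus=2, mem_mib=256)
    print(apply_plan("/tmp/firecracker.socket", steps))
```

Run it on a host where a Firecracker process has been started with `--api-sock /tmp/firecracker.socket`; any non-204 answer surfaces with the API's error message, which is the quickest way to spot a misconfigured drive or boot source.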

Firecracker is used by several container hosting platforms, including appfleet, Fly.io, Koyeb, and more. Its microVMs can be managed using a number of container runtimes, including containerd through firecracker-containerd, Weave Kubes, and Kata Containers, thus enabling its integration with Kubernetes.
