More Related Content Similar to Deep Dive into Firecracker Using Lightweight Virtual Machines to Enhance the Container Security Boundary - AWS Summit Sydney (20) More from Amazon Web Services (20) Deep Dive into Firecracker Using Lightweight Virtual Machines to Enhance the Container Security Boundary - AWS Summit Sydney2. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Deep Dive in to Firecracker: Using lightweight
virtual machines to enhance the container
security boundary
Mitch Beaumont
Senior Solutions Architect
Amazon Web Services
3. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Serverless compute at AWS
4. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Running containers and serverless at scale
Different security boundaries than
instances
Inefficient resource utilisation
5. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Running containers and serverless at scale
Different security boundaries than
instances
Inefficient resource utilisation
6. S U M M I T © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
What would a virtual machine look like if
it were designed for today’s world of
containers and function based services?
7. S U M M I T © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
8. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Virtualisation
<_start>:
e9 59 e1 17 00 jmpq ffff82d08037e15e
0f 1f 00 nopl (%rax)
<multiboot1_header_start>:
02 b0 ad 1b 03 00 add 0x31bad(%rax),%dh
00 00 add %al,(%rax)
fb sti
4f 52 rex.WRXB push %r10
e4 0f in $0xf,%al
<multiboot1_header_end>:
0f 1f 40 00 nopl 0x0(%rax)
<multiboot2_header_start>:
d6 (bad)
50 push %rax
52 push %rdx
e8 00 00 00 00 callq ffff82d080200020
88 00 mov %al,(%rax)
9. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
<_start>:
e9 59 e1 17 00 jmpq ffff82d08037e15e
0f 1f 00 nopl (%rax)
<multiboot1_header_start>:
02 b0 ad 1b 03 00 add 0x31bad(%rax),%dh
00 00 add %al,(%rax)
fb sti
4f 52 rex.WRXB push %r10
e4 0f in $0xf,%al
<multiboot1_header_end>:
0f 1f 40 00 nopl 0x0(%rax)
<multiboot2_header_start>:
d6 (bad)
50 push %rax
52 push %rdx
e8 00 00 00 00 callq ffff82d080200020
88 00 mov %al,(%rax)
Virtualisation
10. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
<_start>:
e9 59 e1 17 00 jmpq ffff82d08037e15e
0f 1f 00 nopl (%rax)
<multiboot1_header_start>:
02 b0 ad 1b 03 00 add 0x31bad(%rax),%dh
00 00 add %al,(%rax)
fb sti
4f 52 rex.WRXB push %r10
e4 0f in $0xf,%al
<multiboot1_header_end>:
0f 1f 40 00 nopl 0x0(%rax)
<multiboot2_header_start>:
d6 (bad)
50 push %rax
52 push %rdx
e8 00 00 00 00 callq ffff82d080200020
88 00 mov %al,(%rax)
Virtualisation
11. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
<_start>:
e9 59 e1 17 00 jmpq ffff82d08037e15e
0f 1f 00 nopl (%rax)
<multiboot1_header_start>:
02 b0 ad 1b 03 00 add 0x31bad(%rax),%dh
00 00 add %al,(%rax)
fb sti
4f 52 rex.WRXB push %r10
e4 0f in $0xf,%al
<multiboot1_header_end>:
0f 1f 40 00 nopl 0x0(%rax)
<multiboot2_header_start>:
d6 (bad)
50 push %rax
52 push %rdx
e8 00 00 00 00 callq ffff82d080200020
88 00 mov %al,(%rax)
Virtualisation
12. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
<_start>:
e9 59 e1 17 00 jmpq ffff82d08037e15e
0f 1f 00 nopl (%rax)
<multiboot1_header_start>:
02 b0 ad 1b 03 00 add 0x31bad(%rax),%dh
00 00 add %al,(%rax)
fb sti
4f 52 rex.WRXB push %r10
e4 0f in $0xf,%al
<multiboot1_header_end>:
0f 1f 40 00 nopl 0x0(%rax)
<multiboot2_header_start>:
d6 (bad)
50 push %rax
52 push %rdx
e8 00 00 00 00 callq ffff82d080200020
88 00 mov %al,(%rax)
Virtualisation
13. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
What just happened?
Ring 0
Ring 1
Ring 2
Ring 3
14. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Trap and emulate: virtual machine monitor
<_start>:
e9 59 e1 17 00 jmpq ffff82d08037e15e
0f 1f 00 nopl (%rax)
<multiboot1_header_start>:
02 b0 ad 1b 03 00 add 0x31bad(%rax),%dh
00 00 add %al,(%rax)
fb sti
4f 52 rex.WRXB push %r10
e4 0f in $0xf,%al
<multiboot1_header_end>:
0f 1f 40 00 nopl 0x0(%rax)
<multiboot2_header_start>:
d6 (bad)
50 push %rax
52 push %rdx
e8 00 00 00 00 callq ffff82d080200020
88 00 mov %al,(%rax)
15. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Trap and emulate: virtual machine monitor
<_start>:
e9 59 e1 17 00 jmpq ffff82d08037e15e
0f 1f 00 nopl (%rax)
<multiboot1_header_start>:
02 b0 ad 1b 03 00 add 0x31bad(%rax),%dh
00 00 add %al,(%rax)
fb sti
4f 52 rex.WRXB push %r10
e4 0f in $0xf,%al
<multiboot1_header_end>:
0f 1f 40 00 nopl 0x0(%rax)
<multiboot2_header_start>:
d6 (bad)
50 push %rax
52 push %rdx
e8 00 00 00 00 callq ffff82d080200020
88 00 mov %al,(%rax)
16. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Trap and emulate: virtual machine monitor
<_start>:
e9 59 e1 17 00 jmpq ffff82d08037e15e
0f 1f 00 nopl (%rax)
<multiboot1_header_start>:
02 b0 ad 1b 03 00 add 0x31bad(%rax),%dh
00 00 add %al,(%rax)
fb sti
4f 52 rex.WRXB push %r10
e4 0f in $0xf,%al
<multiboot1_header_end>:
0f 1f 40 00 nopl 0x0(%rax)
<multiboot2_header_start>:
d6 (bad)
50 push %rax
52 push %rdx
e8 00 00 00 00 callq ffff82d080200020
88 00 mov %al,(%rax)
17. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Trap and emulate: virtual machine monitor
<_start>:
e9 59 e1 17 00 jmpq ffff82d08037e15e
0f 1f 00 nopl (%rax)
<multiboot1_header_start>:
02 b0 ad 1b 03 00 add 0x31bad(%rax),%dh
00 00 add %al,(%rax)
fb sti
4f 52 rex.WRXB push %r10
e4 0f in $0xf,%al
<multiboot1_header_end>:
0f 1f 40 00 nopl 0x0(%rax)
<multiboot2_header_start>:
d6 (bad)
50 push %rax
52 push %rdx
e8 00 00 00 00 callq ffff82d080200020
88 00 mov %al,(%rax)
18. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Wait … what?
19. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Virtualisation and statistical majority?
20. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
What’s a statistical majority?
21. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
What just happened?
22. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Trap and emulate
<_start>:
e9 59 e1 17 00 jmpq ffff82d08037e15e
0f 1f 00 nopl (%rax)
<multiboot1_header_start>:
02 b0 ad 1b 03 00 add 0x31bad(%rax),%dh
00 00 add %al,(%rax)
fb sti
4f 52 rex.WRXB push %r10
e4 0f in $0xf,%al
<multiboot1_header_end>:
0f 1f 40 00 nopl 0x0(%rax)
<multiboot2_header_start>:
d6 (bad)
50 push %rax
52 push %rdx
e8 00 00 00 00 callq ffff82d080200020
88 00 mov %al,(%rax)
23. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Hypervisor bloat …
24. S U M M I T © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
What would a virtual machine look like if
it were designed for today’s world of
containers and function based services?
25. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Firecracker
RESTful
API
Networks Storage
Rate Limiting
Metadata
26. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Secure
27. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Secure Fast
28. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Secure Fast Efficient
29. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Firecracker
RESTful
API
Networks Storage
Rate Limiting
Metadata
30. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Firecracker
RESTful
API
Networks Storage
Rate Limiting
Metadata
32. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Firecracker
RESTful
API
Networks Storage
Rate Limiting
Metadata
33. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Firecracker
RESTful
API
Networks Storage
Rate Limiting
Metadata
34. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Firecracker
RESTful
API
Networks Storage
Rate Limiting
Metadata
35. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Firecracker
RESTful
API
Networks Storage
Rate Limiting
Metadata
36. S U M M I T © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
37. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Serverless compute at AWS
38. S U M M I T © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
40. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
41. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
What’s new and what’s next?
• [NEW] Firectl: Command-line tool
for managing Firecracker
MicroVMs
• [NEW] Integration with container
runtimes like Kata Containers
• [NEXT] Integration to enable
ContainerD to manage
Firecracker MicroVMs
42. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Wrap up
• Opensource, Apache, version 2.0 license
• Contribute at https://github.com/firecracker-microvm/
• Join the conversation at firecracker-microvm.slack.com
43. Thank you!
S U M M I T © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Mitch Beaumont
beaumonm@amazon.com