Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Firecracker: Secure and fast microVMs for serverless computing - SEP316 - AWS re:Inforce 2019

3,412 views

Published on

Firecracker is open-source and purpose-built for creating and managing secure, multitenant containers and functions-based services. Firecracker runs in user space and uses Linux’s KVM to create microVMs. The fast startup time and low memory overhead of microVMs enable you to pack thousands of them onto one machine. This talk explains Firecracker’s foundation, the minimal device model, and how it interacts with various containers. Attendees learn about the performance, security, and utilization improvements enabled by Firecracker and how Firecracker is used for Lambda and Fargate. This session includes a demonstration of running thousands of microVMs on various cloud providers.

  • Be the first to comment

Firecracker: Secure and fast microVMs for serverless computing - SEP316 - AWS re:Inforce 2019

  1. 1. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. Firecracker: Secure and fast microVMs for serverless computing Meena Gowdar Senior Product Manager Amazon Web Services S E P 3 1 6
  2. 2. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. Agenda Introduction to Firecracker Use case: AWS Lambda Use case: AWS Fargate Open-source community engagement
  3. 3. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. What is Firecracker? Open-source virtualization technology (microVM) Security and isolation of traditional VMs Speed and density of containers Low resource overhead Developed at Amazon
  4. 4. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. What problem are we helping to solve? A really hard packing problem ☺ Time Lambda worker load Customer A function A.01 Customer B function B.07 Customer C function C.42 Customer {N} function {N}.{X}
  5. 5. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. Benefits of Firecracker Security Startup time Utilization
  6. 6. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. Benefits of Firecracker Security from the ground up KVM-based virtualization Speed by design < 125 ms to launch 150 microVMs per second/host Scale and efficiency < 5 MB memory footprint per microVM
  7. 7. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. Firecracker design principles Multi-tenant Any vCPU and memory combination Oversubscription permissible Steady mutation rate: 100+ microVMs/host/sec Limited only by hardware resources Host-facing REST API Minimalist guest device model
  8. 8. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. Host-facing REST API
  9. 9. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. Firecracker design Guest OS and container workload KVM I/O Firecracker scales to thousands of multi-tenant microVMs Configurable microVMs across CPU and memory, running as user space processes Guest OS and container workload RESTful API Network Storage Metadata service Rate limiting Client Control plane Data plane Virtualization barrier Jailer barrier
  10. 10. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
  11. 11. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. Lambda worker Provisions a secure environment for customer code execution
  12. 12. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. Lambda worker architecture Hardware Host OS Hypervisor Guest OS Sandbox Lambda runtime Your code
  13. 13. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. Lambda isolation One function One account Many accounts Hardware Host OS Hypervisor Guest OS Sandbox Lambda runtime Your code Keeping workloads safe and separate
  14. 14. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. Lambda isolation using Amazon EC2 Hardware Host OS Hypervisor Guest OS Sandbox Lambda runtime Your code EC2 instances
  15. 15. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. Lambda isolation using Firecracker Hardware Host OS Hypervisor Guest OS Sandbox Lambda runtime Your code Firecracker Amazon EC2 bare metal
  16. 16. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. Lambda isolation using Firecracker One account and one function Many accounts Hardware Host OS Hypervisor Guest OS Sandbox Lambda runtime Your code Keeping workloads safe and separate
  17. 17. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. Allocate workloads: Pack server with one workload Workload Workload Workload Workload Workload Workload Workload Workload ServerServer Server Workload Workload Workload Workload Workload Workload Workload Workload Workload Workload Workload Workload Workload Workload Workload Workload Take advantage of statistical multiplexing
  18. 18. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. More efficient: Pack server with many workloads Workload Workload Workload Workload Workload Workload Workload Workload ServerServer Server Workload Workload Workload Workload Workload Workload Workload Workload Workload Workload Workload Workload Workload Workload Workload Workload Take advantage of statistical multiplexing
  19. 19. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. Most efficient: Placement optimization Workload Workload Workload Workload Workload Workload Workload Workload ServerServer Server Workload Workload Workload Workload Workload Workload Workload Workload Workload Workload Workload Workload Workload Workload Workload Workload Pick workloads that pack well together Minimize contention
  20. 20. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. AWS container services landscape Management Deployment, scheduling, scaling, and management of containerized applications Hosting Where the containers run Amazon Elastic Container Service (Amazon ECS) Amazon Elastic Container Service for Kubernetes (Amazon EKS) Amazon Elastic Compute Cloud (Amazon EC2) AWS Fargate Image registry Container image repository Amazon Elastic Container Registry (Amazon ECR)
  21. 21. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
  22. 22. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. Fargate configurations CPU (vCPU) Memory values (GB) 0.25 0.5, 1, 2 0.5 Min 1 GB, max 4 GB, in 1 GB increments 1 Min 2 GB, max 8 GB, in 1 GB increments 2 Min 4 GB, max 16 GB, in 1 GB increments 4 Min 8 GB, max 30 GB, in 1 GB increments
  23. 23. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. Fargate Amazon EC2 resource usage: With warm pool Service account Account 1 Account 2 Account 3
  24. 24. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. Fargate Amazon EC2 resource usage: with Firecracker Service account Account 1 Account 2 Account 3
  25. 25. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. Fargate Amazon EC2 resource usage: With Firecracker Service account Account 1 Account 2 Account 3
  26. 26. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. Fargate Amazon EC2 resource usage: With Firecracker Account 1 Account 2 Account 3
  27. 27. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. Fargate Amazon EC2 resource usage: With Firecracker Account 1 Account 2 Account 3
  28. 28. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. Fargate price reduction vCPU GB memory Effective price cut 2 12 -47.00% 2 13 -47.90% 2 14 -48.60% 2 15 -49.30% 2 16 -50.00% 4 8 -35.00% 4 9 -36.20% 4 10 -37.30% 4 11 -38.30% 20% per vCPU per second 65% per GB per second 35%–50% cumulative https://aws.amazon.com/blogs/compute/aws-fargate-price-reduction-up-to-50/
  29. 29. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
  30. 30. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. Firecracker-Containerd Containerd to manage containers as Firecracker microVMs Multi-tenant hosts OCI image format Work with popular orchestration frameworks Kubernetes and Amazon ECS Define a future: light as container, secure as VM
  31. 31. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. Firecracker and Containerd architecture microVM Containerd FC snapshotter Container Internal FC agent runc Content store FC runtime VM disk image Kernel image Firecracker VMM
  32. 32. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
  33. 33. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. Firecracker as an open-source project 84 contributions from the open source community (~27%) Dozens of bug reports, several feature requests, RFC feedback Talks at 12 industry conferences across 2019 rust-vmm, working with other industry players to build VMM crates
  34. 34. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. Firecracker as an open-source project Kata Containers UniK OSv
  35. 35. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. Firecracker and Kata Containers Build lightweight virtual machine that seamlessly plugs into containers Kata Containers supports multiple hypervisors Default QEMU Preliminary Firecracker support
  36. 36. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. Firecracker and Kata Containers spec: template: spec: runtimeClassName: kata-fc CRI-O or Containerd Annotations or RuntimeClass runc Kata—runtime BusyBox POD php BusyBox Firecracker virtual machine POD php BusyBox QEMU virtual machine POD php Kubelet
  37. 37. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
  38. 38. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
  39. 39. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. Who should use Firecracker directly? Teams building compute services Teams integrating Firecracker with container stacks Developers who want to contribute
  40. 40. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. Getting started with Firecracker Firecracker on AWS bare metal Firecracker on other clouds with bare metal (e.g., Packet) Firecracker on GCP nested-virt Firecracker on Azure nested-virt Firecracker on your dev machine (physical/nested-virt)
  41. 41. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. Firectl Firectl is a CLI to create Firecracker microVMs firectl --kernel=hello-vmlinux.bin --root-drive=hello-rootfs.ext4
  42. 42. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. References and contribute https://github.com/firecracker-microvm/
  43. 43. Thank you! © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. Meena Gowdar meenag@amazon.com

×