/firecracker

Secure and fast microVMs for serverless computing.
virtual-machine sandbox virtualization rust containers cloud-native minimalist open-source serverless oversubscription
  1. Rust 90.1%
  2. Python 8.0%
  3. Shell 1.7%
  4. Other 0.2%
Switch branches/tags
Nothing to show
Find file
Clone or download

Clone with HTTPS

Use Git or checkout with SVN using the web URL.

Open in Desktop Download ZIP

Launching GitHub Desktop...

If nothing happens, download GitHub Desktop and try again.

Launching GitHub Desktop...

If nothing happens, download GitHub Desktop and try again.

Launching Xcode...

If nothing happens, download Xcode and try again.

Launching Visual Studio...

If nothing happens, download the GitHub extension for Visual Studio and try again.

@andreeaflorescu
andreeaflorescu LoggerConfig refactoring 
Use default values instead of Option in the strongly typed serde
structure LoggerConfig. Doing this simplifies the code and it provides
a better mapping to the swagger defintion.

Signed-off-by: Andreea Florescu <fandree@amazon.com>
Latest commit 223bdb6 Dec 20, 2018
Permalink
Type Name Latest commit message Commit time
Failed to load latest commit information.
.cargo build: remove gnu support and... Apr 30, 2018
.github Create PULL_REQUEST_TEMPLATE.md Nov 29, 2018
api_server LoggerConfig refactoring Dec 24, 2018
cpuid Moved gen code to directories with _gen suffix Dec 4, 2018
devices Upgrades epoll crate. Dec 21, 2018
docs logger: added documentation for LogDirtyPages Dec 24, 2018
dumbo Applied Rust 1.31 rustfmt Dec 13, 2018
fc_util license: add license headers for Firecracker files Nov 20, 2018
jailer Firecracker release v0.12.0 Dec 18, 2018
kernel Preallocate Cmdline internal String Nov 27, 2018
kvm Applied Rust 1.31 rustfmt Dec 13, 2018
kvm_gen vmm: log dirty pages Dec 12, 2018
logger Applied Rust 1.31 rustfmt Dec 13, 2018
memory_model memory_model: improve access request address range validation Dec 18, 2018
micro_http Tweaks to micro_http Nov 28, 2018
mmds mmds: return dictionary keys when path doesn't ... Dec 13, 2018
net_gen Moved gen code to directories with _gen suffix Dec 4, 2018
net_util Moved gen code to directories with _gen suffix Dec 4, 2018
rate_limiter Applied Rust 1.31 rustfmt Dec 13, 2018
resources Update resources/microvm-kernel-config Nov 2, 2018
seccomp Applied Rust 1.31 rustfmt Dec 13, 2018
src Log with DEFAULT_INSTANCE_ID in the absence of instance id Dec 13, 2018
sys_util Applied Rust 1.31 rustfmt Dec 13, 2018
tests api_server: logging improvements Dec 21, 2018
tools devtool: fix building on SELinux Dec 18, 2018
vhost_backend Moved gen code to directories with _gen suffix Dec 4, 2018
vhost_gen Moved gen code to directories with _gen suffix Dec 4, 2018
virtio_gen Moved gen code to directories with _gen suffix Dec 4, 2018
vmm LoggerConfig refactoring Dec 24, 2018
x86_64 Applied Rust 1.31 rustfmt Dec 13, 2018
.gitignore Remove Cargo.lock from .gitignore Nov 27, 2018
.mailmap docs: Add .mailmap file Dec 5, 2018
CHANGELOG.md logger: added documentation for LogDirtyPages Dec 24, 2018
CHARTER.md docs: rename files to the GitHub standard names Dec 4, 2018
CODE_OF_CONDUCT.md docs: rename files to the GitHub standard names Dec 4, 2018
CONTRIBUTING.md docs: rename files to the GitHub standard names Dec 4, 2018
CREDITS.md docs: Update CREDITS.md with firecracker contributors Dec 5, 2018
Cargo.lock Upgrades epoll crate. Dec 21, 2018
Cargo.toml Firecracker release v0.12.0 Dec 18, 2018
FAQ.md docs: rename files to the GitHub standard names Dec 4, 2018
LICENSE license: add Apache 2.0 license Nov 20, 2018
MAINTAINERS.md docs: add docs to clarify Firecracker's direction Nov 12, 2018
NOTICE license: add Apache 2.0 license Nov 20, 2018
README.md logger: added documentation for LogDirtyPages Dec 24, 2018
SECURITY-POLICY.md docs: Updated the FAQ and README documentation Nov 15, 2018
SPECIFICATION.md Correct Open API spec link in SPECIFICATION.md Nov 27, 2018
THIRD-PARTY license: add Apache 2.0 license Nov 20, 2018

README.md

Firecracker Logo Title

Our mission is to enable secure, multi-tenant, minimal-overhead execution of container and function workloads.

Read more about the Firecracker Charter here.

What is Firecracker?

Firecracker is an open source virtualization technology that is purpose-built for creating and managing secure, multi-tenant container and function-based services that provide serverless operational models. Firecracker runs workloads in lightweight virtual machines, called microVMs, which combine the security and isolation properties provided by hardware virtualization technology with the speed and flexibility of containers.

The main component of Firecracker is a virtual machine monitor (VMM) that uses the Linux Kernel Virtual Machine (KVM) to create and run microVMs. Firecracker has a minimalist design. It excludes unnecessary devices and guest-facing functionality to reduce the memory footprint and attack surface area of each microVM. This improves security, decreases the startup time, and increases hardware utilization. Firecracker currently supports Intel CPUs, with planned AMD and Arm support. Firecracker will also be integrated with popular container runtimes.

Firecracker was developed at Amazon Web Services to accelerate the speed and efficiency of services like AWS Lambda and AWS Fargate. Firecracker is open sourced under Apache version 2.0.

To read more about Firecracker, check out firecracker-microvm.io.

Getting Started

You can build Firecracker on any system that has Docker running (we use a development container). The simple steps to get & build Firecracker are:

git clone https://github.com/firecracker-microvm/firecracker
cd firecracker
tools/devtool build

The Firecracker binary will be placed at build/debug/firecracker. For more information on building, testing, and running Firecracker, go to the quickstart guide.

The overall security of Firecracker microVMs, including the ability to meet the criteria for safe multi-tenant computing, depends on a well configured Linux host operating system. A configuration that we believe meets this bar is included in the production host setup document.

Contributing

Firecracker is already running production workloads within AWS, but it's still Day 1 on the journey guided by our mission. There's a lot more to build and we welcome all contributions.

To contribute to Firecracker, check out the development setup section in the getting started guide and then the Firecracker contribution guidelines.

Releases

New Firecracker versions are released via the GitHub repository releases page, typically every one or two months. A history of changes is recorded in our changelog.

Design

Firecracker's overall architecture is described in the design document.

Features & Capabilities

Firecracker consists of a single micro Virtual Machine Manager process that exposes an API endpoint to the host once started. The API is specified in OpenAPI format. Read more about it in the API docs.

The API endpoint can be used to:

  • Configure the microvm by:
    • Setting the number of vCPUs (the default is 1).
    • Setting the memory size (the default is 128 MiB).
    • Choosing a CPU template (currently, C3 and T2 are available).
  • Add one or more network interfaces to the microVM.
  • Add one or more read-write or read-only disks to the microVM, each represented by a file-backed block device.
  • Trigger a block device re-scan while the guest is running. This enables the guest OS to pick up size changes to the block device's backing file.
  • Change the backing file for a block device, before or after the guest boots.
  • Configure rate limiters for virtio devices which can limit the bandwidth, operations per second, or both.
  • Configure the logging and metric system.
  • [BETA] Configure the data tree of the guest-facing metadata service. The service is only available to the guest if this resource is configured.
  • [EXPERIMENTAL] Add one or more vsock sockets to the microVM.
  • Start the microVM using a given kernel image, root file system, and boot arguments.
  • Stop the microVM.

Built-in Capabilities:

  • Demand fault paging and CPU oversubscription enabled by default.
  • Jailer process for starting Firecracker in production scenarios; applies a cgroup/namespace/seccomp rule isolation barrier and then drops privileges.

Performance

Firecracker's performance characteristics are listed as part of the specification documentation. All specifications are a part of our commitment to supporting container and function workloads in serverless operational models, and are therefore enforced via continuous integration testing.

Policy for Security Disclosures

The security of Firecracker is our top priority. If you suspect you have uncovered a vulnerability, contact us privately, as outlined in our security policy document; we will immediately prioritize your disclosure.

FAQ & Contact

Frequently asked questions are collected in our FAQ doc.

You can get in touch with the Firecracker community in the following ways:

When communicating within the Firecracker community, please mind our code of conduct.