[HN Gopher] Firecracker MicroVMs
___________________________________________________________________
Firecracker MicroVMs
Author : colinprince
Score : 104 points
Date : 2021-10-17 04:11 UTC (1 day ago)
(HTM) web link (firecracker-microvm.github.io)
(TXT) w3m dump (firecracker-microvm.github.io)
| paxys wrote:
| Does anyone know of any good orchestrators for Firecracker VMs?
| While the technology is great, the CLI and API are still a bit
| too complex and low-level to implement some basic use cases in
| production.
| badLiveware wrote:
| Kubernetes using Kata containers[1] as a containerd[2] backend
|
| [1] https://aws.amazon.com/blogs/opensource/kata-
| containers-1-5-...
|
| [2] https://github.com/kata-containers/kata-
| containers/blob/main...
| adolph wrote:
| How does that compare to firecracker-containerd?
|
| https://github.com/firecracker-microvm/firecracker-
| container...
|
| _This repository enables the use of a container runtime,
| containerd, to manage Firecracker microVMs. Like traditional
| containers, Firecracker microVMs offer fast start-up and
| shut-down and minimal overhead. Unlike traditional
| containers, however, they can provide an additional layer of
| isolation via the KVM hypervisor._
| NathanKP wrote:
| Take a look at Weaveworks Ignite for an open source tool for
| running Firecracker VMs from container images:
| https://github.com/weaveworks/ignite
|
| And of course AWS Fargate and Lambda use this tech under the
| hood transparently, so that's always an option if you don't
| want to host and operate it yourself.
| lgierth wrote:
| Ignite looked intriguing when I checked it out recently - but
| I need to import rootfs tarballs directly, without going
| through any registries. Any helpful pointers are appreciated
| :)
| fbleagh wrote:
| There's a firecracker driver for Hashi's Nomad. Haven't tried
| that driver, but nomad isn't bad.
|
| https://www.nomadproject.io/docs/drivers/external/firecracke...
| gnufx wrote:
| Depending on what you want, OpenNebula (opennebula.io) has been
| making a thing of Firecracker.
| staticassertion wrote:
| For those using firecracker, what's your method for building a
| rootfs?
| deivid wrote:
| I build them from docker images:
| https://blog.davidv.dev/docker-based-images-on-baremetal.htm...
| lgierth wrote:
| I build them using Buildah, then mkfs.ext4, mount, cp, umount.
| It's a little bit annoying that I'm still using root at least
| for the mount part.
|
| OpenWrt's build system has a method of building rootfs ext4 and
| squashfs images without any root, it's somewhere in that large
| Makefile mess.
|
| (sorry, reposting this as I first replied to the wrong parent)
| bminor13 wrote:
| No experience with Firecracker specifically, but if squashfs
| images are sufficient, one should be able to build a tar
| archive of the filesystem without root (where all the files
| have the correct owners, mode, etc.) and then convert it to
| squashfs using `tar2sqfs` in
| https://github.com/AgentD/squashfs-tools-ng, also without
| root - I've done something like this to create squashfs
| images in constrained build environments, which worked well.
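The two rootfs recipes in this subthread (lgierth's mkfs.ext4 / mount / cp / umount sequence, and bminor13's root-free tar archive converted with `tar2sqfs`) differ mainly in where the ownership metadata comes from. The Python below is an added example, not code from the thread, from Firecracker, or from squashfs-tools-ng; it writes the tar the second recipe needs entirely in user space. Ownership, setuid bits and device numbers are just tar header fields, so recording uid 0 or a `/dev/console` node needs no root. The directory layout and file contents are constructed placeholders (the device numbers 5,1 for the console and gid 42 for the shadow group are the usual Linux/Debian values). It also audits the archive for things one would not want in an image handed to a microVM: paths that escape the image root, world-writable files, and device nodes outside `/dev`.

```python
import io
import posixpath
import stat
import tarfile

# Constructed sample layout for a minimal guest rootfs (example data, not from
# the thread). Tuple: (path, kind, mode, uid, gid, payload); payload is file
# content, a symlink target, or (major, minor) for a character device.
SAMPLE_ROOTFS = [
    (".", "dir", 0o755, 0, 0, None),
    ("./bin", "dir", 0o755, 0, 0, None),
    ("./bin/sh", "file", 0o755, 0, 0, b"#!/bin/sh\n"),      # stand-in for a real binary
    ("./bin/su", "file", 0o4755, 0, 0, b"#!/bin/sh\n"),     # setuid root, recorded without root
    ("./sbin", "symlink", 0o777, 0, 0, "bin"),
    ("./dev", "dir", 0o755, 0, 0, None),
    ("./dev/console", "chardev", 0o600, 0, 0, (5, 1)),      # Linux console device numbers
    ("./etc", "dir", 0o755, 0, 0, None),
    ("./etc/shadow", "file", 0o640, 0, 42, b"root:*:0:0:99999:7:::\n"),  # gid 42 = shadow on Debian
    ("./tmp", "dir", 0o1777, 0, 0, None),                   # sticky bit survives too
]


def build_rootfs_tar(entries):
    """Serialise entries into an in-memory GNU tar. Ownership and device
    numbers are plain header fields, so an unprivileged user can write them."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.GNU_FORMAT) as tar:
        for path, kind, mode, uid, gid, payload in entries:
            info = tarfile.TarInfo(path)
            info.mode, info.uid, info.gid = mode, uid, gid   # numeric ids; uname/gname left empty
            data = None
            if kind == "dir":
                info.type = tarfile.DIRTYPE
            elif kind == "file":
                info.type = tarfile.REGTYPE
                info.size = len(payload)
                data = io.BytesIO(payload)
            elif kind == "symlink":
                info.type = tarfile.SYMTYPE
                info.linkname = payload
            elif kind == "chardev":
                info.type = tarfile.CHRTYPE
                info.devmajor, info.devminor = payload
            else:
                raise ValueError(f"unknown entry kind {kind!r}")
            tar.addfile(info, data)
    return buf.getvalue()


def read_rootfs_tar(data):
    """Return {name: (kind, mode, uid, gid)} using only the archive headers."""
    kinds = (("dir", tarfile.TarInfo.isdir), ("file", tarfile.TarInfo.isfile),
             ("symlink", tarfile.TarInfo.issym), ("chardev", tarfile.TarInfo.ischr))
    out = {}
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:") as tar:
        for m in tar.getmembers():
            kind = next((k for k, pred in kinds if pred(m)), "other")
            out[m.name] = (kind, m.mode, m.uid, m.gid)
    return out


def audit_rootfs_tar(data):
    """Flag entries that should not end up in a guest image.
    Each finding is formatted as 'category:path'."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:") as tar:
        for m in tar.getmembers():
            norm = posixpath.normpath(m.name)
            if m.name.startswith("/") or norm.split("/")[0] == "..":
                findings.append(f"path-escape:{m.name}")  # would land outside the image root
            if (m.ischr() or m.isblk()) and not (norm == "dev" or norm.startswith("dev/")):
                findings.append(f"device-outside-dev:{m.name}")
            if not m.issym() and m.mode & stat.S_IWOTH:
                if not (m.isdir() and m.mode & stat.S_ISVTX):   # sticky /tmp is fine
                    findings.append(f"world-writable:{m.name}")
    return findings


if __name__ == "__main__":
    archive = build_rootfs_tar(SAMPLE_ROOTFS)
    with open("rootfs.tar", "wb") as fh:   # then: tar2sqfs rootfs.squashfs < rootfs.tar
        fh.write(archive)
    for name, meta in read_rootfs_tar(archive).items():
        print(f"{name:16} {meta}")
    print("findings:", audit_rootfs_tar(archive))
```

Running it writes `rootfs.tar`, which can then be converted as the comment describes. The audit step is the one worth keeping in a build pipeline: a converter reproduces exactly what the archive headers say, so a stray `..` path or a world-writable setuid binary goes straight into the guest image unless something checks for it first.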
| mikepurvis wrote:
| I similarly have built bootable disk images with various
| tools including buildah and have never been able to fully get
| away from needing root for various chrooty/loopbacky parts of
| the process. In principle, it should be very possible to
| point grub at a filesystem-in-a-file and be like "install to
| that", but I could never make it happen; it always wanted to
| be trying to infer things about how to configure itself from
| examining the host system.
|
| And yes, I've studied the OpenWRT build to no avail. I would
| be delighted for someone to dissect whatever it is that goes
| on in there and write it up.
| agustif wrote:
| I bookmarked this about firecracker's internals in HN in the past
| https://www.talhoffman.com/2021/07/18/firecracker-internals/
| andrewstuart wrote:
| Note that this Amazon developed technology does not work on
| Amazon Web Services instances.
|
| It does however work on Google, Azure and Digital Ocean instances
| where you can configure nested virtualisation.
| cptnntsoobv wrote:
| It works on AWS's metal instances, doesn't it?
|
| That is definitely a constraint though, as the smallest
| available metal instances are pretty large, hence costly on a
| per instance basis.
| dang wrote:
| A past thread:
|
| _Firecracker: Secure and fast microVMs for serverless computing_
| - https://news.ycombinator.com/item?id=22512196 - March 2020 (103
| comments)
| gizdan wrote:
| Anyone have any thoughts on using this in a homelab (just random
| servers such as laptops and microservers) with K8s vs normal
| containers?
| sudhirj wrote:
| Is there something new that prompted this posting?
| capableweb wrote:
| If I were to guess, I'd guess because Firecracker is something
| "that good hackers would find interesting"
| https://news.ycombinator.com/newsguidelines.html
| jrk wrote:
| I think the question is raised because Firecracker was
| released years ago and has been posted and discussed many
| times before.
| unixhero wrote:
| Aw geez. Seems like we're going to need a Firecracker awesomelist
| now then!
| m00dy wrote:
| Does anyone know if this can create GPU-enabled microVMs?
| lgierth wrote:
| No support for PCI devices at the moment, but I believe it's
| planned for some point in the future.
| wmf wrote:
| Maybe try Cloud Hypervisor instead.
| https://www.phoronix.com/scan.php?page=news_item&px=Cloud-Hy...
| sudhirj wrote:
| Best example of current usage that comes to mind (outside of
| AWS's own Lambda & Fargate) is Fly.io - they use Firecracker
| for all the containers.
| ctvo wrote:
| Additionally, I remember browsing through BuildBuddy's project
| and saw they used it for build run isolation in their
| enterprise offering.
|
| - https://www.buildbuddy.io
|
| - https://github.com/buildbuddy-
| io/buildbuddy/blob/master/ente...
| imachine1980_ wrote:
| what is the advantage of serverless if you have to
| manage the servers?
| jjice wrote:
| This is more meant for providers. Best example being AWS's
| serverless offerings, as well as fly.io.
| staticassertion wrote:
| If you're hosting someone else's code.
| hinkley wrote:
| If you work at a large enough company it all starts to look
| like someone else's code.
|
| The malicious person can always find the worst way to break
| everything, but dumb luck can get you pretty close.
___________________________________________________________________
(page generated 2021-10-18 23:00 UTC)