SlideShare uma empresa Scribd logo
1 de 42
Baixar para ler offline
© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential
Meena Gowdar (@meejamb)
Arun Gupta (@arungupta)
2019-07-17
Firecracker: secure and fast
microVMs for serverless computing
© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential
What is Firecracker?
Open source virtualization technology (microVM)
Security and isolation of traditional VMs
Speed and density of containers
Low resource overhead
Developed at Amazon
© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential
What problem are we helping to solve?
A really hard packing problem 
Time
Lambda Worker Load
Customer A FunctionA.01
Customer B Function B.07
Customer C FunctionC.42
Customer {N} Function {N}.{X}
© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential
Benefits of Firecracker
Security Startup time Utilization
© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential
Benefits of Firecracker
Security from
the ground up
KVM-based
virtualization
Speed
by design
<125ms to launch 150
microVMs per second/host
Scale
and efficiency
<5MB memory
footprint per microVM
© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential
Firecracker design principles
Multitenant
Any vCPU and memory combination
Oversubscription permissible
Steady mutation rate: 100+ microVMs/host/sec
Limited only by hardware resources
Host-facing REST API
Minimalist guest device model
© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential
Host-facing REST API
© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential
Firecracker architecture
Guest OS &
Container
workload
KVM I/O
Firecracker
scales to thousands of
multitenant microVMs
Configurable microVMs across CPU and memory, running
as user space processes
Guest OS & Container workload
RESTful
API
Network Storage
Metadata
Service
Rate limiting
Client
Control plane Data plane
Virtualization barrier Jailer barrier
© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential
AWS Lambda
© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential
Lambda worker
Provisions a secure environment for customer code execution
© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential
Lambda worker architecture
Hardware
Host OS
Hypervisor
Guest OS
Sandbox
Lambda Runtime
Your code
© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential
Lambda isolation
Keeping workloads safe and separate
Hardware
Host OS
Hypervisor
Guest OS
Sandbox
Lambda Runtime
Your code
One function
One account
Many accounts
© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential
Lambda isolation using EC2
Hardware
Host OS
Hypervisor
Guest OS
Sandbox
Lambda Runtime
Your code
EC2 instances
© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential
Lambda isolation using Firecracker
Hardware
Host OS
Hypervisor
Guest OS
Sandbox
Lambda Runtime
Your code
Firecracker
EC2 Bare Metal
© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential
Lambda isolation using Firecracker
Keeping workloads safe and separate
Hardware
Host OS
Hypervisor
Guest OS
Sandbox
Lambda Runtime
Your code
One account & one function
Many accounts
© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential
Workload Workload
Workload Workload
Workload Workload
Workload Workload
Allocate Workloads: pack server with one workload
ServerServer Server
Workload Workload
Workload Workload
Workload Workload
Workload Workload
Workload Workload
Workload Workload
Workload Workload
Workload Workload
© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential
Workload
Workload
Workload
WorkloadWorkload
Workload
WorkloadWorkloadWorkload Workload
Workload
Workload
WorkloadWorkload
Workload
WorkloadWorkload
More efficient: pack server with many workloads
ServerServer Server
Workload
Workload
Workload
Workload
Workload
Workload
Workload
Take advantage
of statistical multiplexing
© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential
Workload
Workload
Workload
WorkloadWorkload
Workload
WorkloadWorkloadWorkload Workload
Workload
Workload
WorkloadWorkload
Workload
WorkloadWorkload
Most efficient: placement optimization
ServerServer Server
Workload
Workload
Workload
Workload
Workload
Workload
Workload
Pick workloads that
pack well together
Minimize contention
© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential
AWS Container Services landscape
Management
Deployment, scheduling,
scaling & management of
containerized applications
Hosting
Where the containers run
Amazon Elastic
Container Service
Amazon Elastic
Container Service
for Kubernetes
Amazon EC2 AWS Fargate
Image Registry
Container image repository
Amazon Elastic
Container Registry
© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential
AWS Fargate
© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential
Fargate configurations
CPU (vCPU) MemoryValues (GB)
0.25 0.5, 1, 2
0.5 Min 1GB, max 4GB, in 1GB increments
1 Min 2GB, max 8GB, in 1GB increments
2 Min 4GB, max 16GB, in 1GB increments
4 Min 8GB, max 30GB, in 1GB increments
© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential
Fargate EC2 resource usage: with warm pool
Account 1
Account 2
Account 3
Service
Account
© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential
Fargate EC2 resource usage: with Firecracker
Account 1
Account 2
Account 3
Service
Account
© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential
Fargate EC2 resource usage: with Firecracker
Account 1
Account 2
Account 3
Service
Account
© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential
Fargate EC2 resource usage: with Firecracker
Account 1
Account 2
Account 3
© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential
Fargate EC2 resource usage: with Firecracker
Account 1
Account 2
Account 3
© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential
Fargate EC2 resource usage: with Firecracker
Account 1
Account 2
Account 3
© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential
AWS Fargate price reduction
vCPU GB Memory Effective Price Cut
2 12 -47.00%
2 13 -47.90%
2 14 -48.60%
2 15 -49.30%
2 16 -50.00%
4 8 -35.00%
4 9 -36.20%
4 10 -37.30%
4 11 -38.30%
20% per vCPU per second
65% per GB per second
35%–50% cumulative
https://aws.amazon.com/blogs/compute/aws-fargate-price-reduction-up-to-50/
© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential
Firecracker and Containerd
Containerd to manage containers as Firecracker microVMs
Multi-tenant hosts
OCI image format
Work with popular orchestration frameworks
Kubernetes and Amazon ECS
Define a future: light as container, secure as VM
© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential
Firecracker and containerd architecture
microVM
Containerd FC Snapshotter
Container
Internal
FC Agent
runc
Content
Store
FC Runtime
VM Disk
Image
Kernel
Image
FirecrackerVMM
© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential
Firecracker as an open source project
88 contributions from 32 open source community contributors (~22%)
Dozens of community bug reports, 19 feature requests, RFC feedback
Talks at 12 industry conferences across 2019
rust-vmm, working with other industry players to build VMM crates.
© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential
Transparent Roadmap
© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential
Firecracker integration with open source projects
Kata Containers
UniK
OSv
Weave Ignite
© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential
Firecracker and Kata Containers
Build lightweight virtual machine that seamlessly plugs into containers
Kata Containers supports multiple hypervisors
Default QEMU
Preliminary Firecracker support
© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential
Firecracker and Kata Containers
spec:
template:
spec:
runtimeClassName: kata-fc
CRI-O or Containerd
Annotations or RuntimeClass
runc Kata—runtime
BusyBox
POD
php
BusyBox
Firecracker Virtual Machine
POD
php
BusyBox
QEMU Virtual Machine
POD
php
Kubelet
© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential
Weave Ignite
Open source VMM with a container UX
Combines Firecracker microVMs with OCI images
Works using GitOps
ignite gitops <repo>
github.com/weaveworks/ignite
© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential
Who should use Firecracker directly?
Teams building compute services
Teams integrating Firecracker with container stacks
Developers & security engineers that want to contribute
© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential
Getting started with Firecracker
Firecracker on AWS bare metal
Firecracker on other clouds with bare metal (e.g., Packet)
Firecracker on GCP nested-virt
Firecracker on Azure nested-virt
Firecracker on your dev machine (physical/nested-virt)
© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential
Firectl
Firectl is a CLI to create Firecracker microVMs
firectl 
--kernel=hello-vmlinux.bin 
--root-drive=hello-rootfs.ext4
© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential
References and contribute
https://github.com/firecracker-microvm/
© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential
Rate the session
Session page on conference website O’Reilly Events App
© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential
Thank you!

Mais conteúdo relacionado

Mais procurados

Docker introduction
Docker introductionDocker introduction
Docker introductiondotCloud
 
Introduction and Deep Dive Into Containerd
Introduction and Deep Dive Into ContainerdIntroduction and Deep Dive Into Containerd
Introduction and Deep Dive Into ContainerdKohei Tokunaga
 
Open shift 4 infra deep dive
Open shift 4    infra deep diveOpen shift 4    infra deep dive
Open shift 4 infra deep diveWinton Winton
 
Kubernetes for Beginners: An Introductory Guide
Kubernetes for Beginners: An Introductory GuideKubernetes for Beginners: An Introductory Guide
Kubernetes for Beginners: An Introductory GuideBytemark
 
Docker introduction
Docker introductionDocker introduction
Docker introductionPhuc Nguyen
 
Kubernetes 101 for Beginners
Kubernetes 101 for BeginnersKubernetes 101 for Beginners
Kubernetes 101 for BeginnersOktay Esgul
 
Virtual machines and containers
Virtual machines and containersVirtual machines and containers
Virtual machines and containersPatrick Pierson
 
KubeVirt (Kubernetes and Cloud Native Toronto)
KubeVirt (Kubernetes and Cloud Native Toronto)KubeVirt (Kubernetes and Cloud Native Toronto)
KubeVirt (Kubernetes and Cloud Native Toronto)Stephen Gordon
 
Vulgarisation de la technologie de containers Docker
Vulgarisation de la technologie de containers DockerVulgarisation de la technologie de containers Docker
Vulgarisation de la technologie de containers DockerFlorian Bobin
 
Kubernetes 101 - an Introduction to Containers, Kubernetes, and OpenShift
Kubernetes 101 - an Introduction to Containers, Kubernetes, and OpenShiftKubernetes 101 - an Introduction to Containers, Kubernetes, and OpenShift
Kubernetes 101 - an Introduction to Containers, Kubernetes, and OpenShiftDevOps.com
 
Introduction to docker
Introduction to dockerIntroduction to docker
Introduction to dockerInstruqt
 
Dockers and containers basics
Dockers and containers basicsDockers and containers basics
Dockers and containers basicsSourabh Saxena
 
Docker Containers Deep Dive
Docker Containers Deep DiveDocker Containers Deep Dive
Docker Containers Deep DiveWill Kinard
 
Docker introduction &amp; benefits
Docker introduction &amp; benefitsDocker introduction &amp; benefits
Docker introduction &amp; benefitsAmit Manwade
 
Kubernetes Architecture | Understanding Kubernetes Components | Kubernetes Tu...
Kubernetes Architecture | Understanding Kubernetes Components | Kubernetes Tu...Kubernetes Architecture | Understanding Kubernetes Components | Kubernetes Tu...
Kubernetes Architecture | Understanding Kubernetes Components | Kubernetes Tu...Edureka!
 

Mais procurados (20)

Docker introduction
Docker introductionDocker introduction
Docker introduction
 
Docker & kubernetes
Docker & kubernetesDocker & kubernetes
Docker & kubernetes
 
Introduction and Deep Dive Into Containerd
Introduction and Deep Dive Into ContainerdIntroduction and Deep Dive Into Containerd
Introduction and Deep Dive Into Containerd
 
Open shift 4 infra deep dive
Open shift 4    infra deep diveOpen shift 4    infra deep dive
Open shift 4 infra deep dive
 
Kubernetes for Beginners: An Introductory Guide
Kubernetes for Beginners: An Introductory GuideKubernetes for Beginners: An Introductory Guide
Kubernetes for Beginners: An Introductory Guide
 
Docker, LinuX Container
Docker, LinuX ContainerDocker, LinuX Container
Docker, LinuX Container
 
Docker introduction
Docker introductionDocker introduction
Docker introduction
 
Kubernetes 101 for Beginners
Kubernetes 101 for BeginnersKubernetes 101 for Beginners
Kubernetes 101 for Beginners
 
Kubernetes 101 Workshop
Kubernetes 101 WorkshopKubernetes 101 Workshop
Kubernetes 101 Workshop
 
Virtual machines and containers
Virtual machines and containersVirtual machines and containers
Virtual machines and containers
 
KubeVirt (Kubernetes and Cloud Native Toronto)
KubeVirt (Kubernetes and Cloud Native Toronto)KubeVirt (Kubernetes and Cloud Native Toronto)
KubeVirt (Kubernetes and Cloud Native Toronto)
 
Vulgarisation de la technologie de containers Docker
Vulgarisation de la technologie de containers DockerVulgarisation de la technologie de containers Docker
Vulgarisation de la technologie de containers Docker
 
Kubernetes 101 - an Introduction to Containers, Kubernetes, and OpenShift
Kubernetes 101 - an Introduction to Containers, Kubernetes, and OpenShiftKubernetes 101 - an Introduction to Containers, Kubernetes, and OpenShift
Kubernetes 101 - an Introduction to Containers, Kubernetes, and OpenShift
 
Introduction to docker
Introduction to dockerIntroduction to docker
Introduction to docker
 
Dockers and containers basics
Dockers and containers basicsDockers and containers basics
Dockers and containers basics
 
Docker Containers Deep Dive
Docker Containers Deep DiveDocker Containers Deep Dive
Docker Containers Deep Dive
 
Docker compose
Docker composeDocker compose
Docker compose
 
Docker introduction &amp; benefits
Docker introduction &amp; benefitsDocker introduction &amp; benefits
Docker introduction &amp; benefits
 
Introduction to kubernetes
Introduction to kubernetesIntroduction to kubernetes
Introduction to kubernetes
 
Kubernetes Architecture | Understanding Kubernetes Components | Kubernetes Tu...
Kubernetes Architecture | Understanding Kubernetes Components | Kubernetes Tu...Kubernetes Architecture | Understanding Kubernetes Components | Kubernetes Tu...
Kubernetes Architecture | Understanding Kubernetes Components | Kubernetes Tu...
 

Semelhante a Secure and Fast microVM for Serverless Computing using Firecracker

Firecracker: Secure and fast microVMs for serverless computing - SEP316 - AWS...
Firecracker: Secure and fast microVMs for serverless computing - SEP316 - AWS...Firecracker: Secure and fast microVMs for serverless computing - SEP316 - AWS...
Firecracker: Secure and fast microVMs for serverless computing - SEP316 - AWS...Amazon Web Services
 
Breaking the Monolith using AWS Container Services
Breaking the Monolith using AWS Container ServicesBreaking the Monolith using AWS Container Services
Breaking the Monolith using AWS Container ServicesAmazon Web Services
 
India cloudsummit Bangalore - Advanced Container Use-cases on AWS Container S...
India cloudsummit Bangalore - Advanced Container Use-cases on AWS Container S...India cloudsummit Bangalore - Advanced Container Use-cases on AWS Container S...
India cloudsummit Bangalore - Advanced Container Use-cases on AWS Container S...Mani Chandrasekaran
 
Architecting security and governance through policy guardrails in Amazon EKS ...
Architecting security and governance through policy guardrails in Amazon EKS ...Architecting security and governance through policy guardrails in Amazon EKS ...
Architecting security and governance through policy guardrails in Amazon EKS ...Amazon Web Services
 
Amazon EC2 Strategie per l'ottimizzazione dei costi
Amazon EC2 Strategie per l'ottimizzazione dei costiAmazon EC2 Strategie per l'ottimizzazione dei costi
Amazon EC2 Strategie per l'ottimizzazione dei costiAmazon Web Services
 
DevConZM - Modern Applications Development in the Cloud
DevConZM - Modern Applications Development in the CloudDevConZM - Modern Applications Development in the Cloud
DevConZM - Modern Applications Development in the CloudCobus Bernard
 
Securing Container-Based Applications at the Speed of DevOps
Securing Container-Based Applications at the Speed of DevOpsSecuring Container-Based Applications at the Speed of DevOps
Securing Container-Based Applications at the Speed of DevOpsWhiteSource
 
Securing Container-Based Applications at the Speed of DevOps
Securing Container-Based Applications at the Speed of DevOpsSecuring Container-Based Applications at the Speed of DevOps
Securing Container-Based Applications at the Speed of DevOpsDevOps.com
 
Firecracker, 서버리스 컴퓨팅을 위한 오픈소스 microVM 기술
Firecracker, 서버리스 컴퓨팅을 위한 오픈소스 microVM 기술Firecracker, 서버리스 컴퓨팅을 위한 오픈소스 microVM 기술
Firecracker, 서버리스 컴퓨팅을 위한 오픈소스 microVM 기술Han Jin Ryu
 
Firecracker, 서버리스 컴퓨팅을 위한 오픈소스 microVM 기술 :: 류한진 - AWS ...
Firecracker, 서버리스 컴퓨팅을 위한 오픈소스 microVM 기술 :: 류한진 - AWS ...Firecracker, 서버리스 컴퓨팅을 위한 오픈소스 microVM 기술 :: 류한진 - AWS ...
Firecracker, 서버리스 컴퓨팅을 위한 오픈소스 microVM 기술 :: 류한진 - AWS ...AWSKRUG - AWS한국사용자모임
 
Orchestrating containers on AWS | AWS Summit Tel Aviv 2019
Orchestrating containers on AWS  | AWS Summit Tel Aviv 2019Orchestrating containers on AWS  | AWS Summit Tel Aviv 2019
Orchestrating containers on AWS | AWS Summit Tel Aviv 2019AWS Summits
 
Orchestrating containers on AWS | AWS Summit Tel Aviv 2019
Orchestrating containers on AWS  | AWS Summit Tel Aviv 2019Orchestrating containers on AWS  | AWS Summit Tel Aviv 2019
Orchestrating containers on AWS | AWS Summit Tel Aviv 2019Amazon Web Services
 
Breaking the Monolith road to containers.pdf
Breaking the Monolith road to containers.pdfBreaking the Monolith road to containers.pdf
Breaking the Monolith road to containers.pdfAmazon Web Services
 
Containers on AWS: An Introduction
Containers on AWS: An IntroductionContainers on AWS: An Introduction
Containers on AWS: An IntroductionAmazon Web Services
 
AWS Lambda 내부 동작 방식 및 활용 방법 자세히 살펴 보기 - 김일호 솔루션즈 아키텍트 매니저, AWS :: AWS Summit ...
AWS Lambda 내부 동작 방식 및 활용 방법 자세히 살펴 보기 - 김일호 솔루션즈 아키텍트 매니저, AWS :: AWS Summit ...AWS Lambda 내부 동작 방식 및 활용 방법 자세히 살펴 보기 - 김일호 솔루션즈 아키텍트 매니저, AWS :: AWS Summit ...
AWS Lambda 내부 동작 방식 및 활용 방법 자세히 살펴 보기 - 김일호 솔루션즈 아키텍트 매니저, AWS :: AWS Summit ...Amazon Web Services Korea
 

Semelhante a Secure and Fast microVM for Serverless Computing using Firecracker (20)

Firecracker: Secure and fast microVMs for serverless computing - SEP316 - AWS...
Firecracker: Secure and fast microVMs for serverless computing - SEP316 - AWS...Firecracker: Secure and fast microVMs for serverless computing - SEP316 - AWS...
Firecracker: Secure and fast microVMs for serverless computing - SEP316 - AWS...
 
Containers on AWS
Containers on AWSContainers on AWS
Containers on AWS
 
Breaking the Monolith using AWS Container Services
Breaking the Monolith using AWS Container ServicesBreaking the Monolith using AWS Container Services
Breaking the Monolith using AWS Container Services
 
India cloudsummit Bangalore - Advanced Container Use-cases on AWS Container S...
India cloudsummit Bangalore - Advanced Container Use-cases on AWS Container S...India cloudsummit Bangalore - Advanced Container Use-cases on AWS Container S...
India cloudsummit Bangalore - Advanced Container Use-cases on AWS Container S...
 
Architecting security and governance through policy guardrails in Amazon EKS ...
Architecting security and governance through policy guardrails in Amazon EKS ...Architecting security and governance through policy guardrails in Amazon EKS ...
Architecting security and governance through policy guardrails in Amazon EKS ...
 
Amazon EC2 Strategie per l'ottimizzazione dei costi
Amazon EC2 Strategie per l'ottimizzazione dei costiAmazon EC2 Strategie per l'ottimizzazione dei costi
Amazon EC2 Strategie per l'ottimizzazione dei costi
 
Core services
Core servicesCore services
Core services
 
DevConZM - Modern Applications Development in the Cloud
DevConZM - Modern Applications Development in the CloudDevConZM - Modern Applications Development in the Cloud
DevConZM - Modern Applications Development in the Cloud
 
Securing Container-Based Applications at the Speed of DevOps
Securing Container-Based Applications at the Speed of DevOpsSecuring Container-Based Applications at the Speed of DevOps
Securing Container-Based Applications at the Speed of DevOps
 
Securing Container-Based Applications at the Speed of DevOps
Securing Container-Based Applications at the Speed of DevOpsSecuring Container-Based Applications at the Speed of DevOps
Securing Container-Based Applications at the Speed of DevOps
 
Firecracker, 서버리스 컴퓨팅을 위한 오픈소스 microVM 기술
Firecracker, 서버리스 컴퓨팅을 위한 오픈소스 microVM 기술Firecracker, 서버리스 컴퓨팅을 위한 오픈소스 microVM 기술
Firecracker, 서버리스 컴퓨팅을 위한 오픈소스 microVM 기술
 
Firecracker, 서버리스 컴퓨팅을 위한 오픈소스 microVM 기술 :: 류한진 - AWS ...
Firecracker, 서버리스 컴퓨팅을 위한 오픈소스 microVM 기술 :: 류한진 - AWS ...Firecracker, 서버리스 컴퓨팅을 위한 오픈소스 microVM 기술 :: 류한진 - AWS ...
Firecracker, 서버리스 컴퓨팅을 위한 오픈소스 microVM 기술 :: 류한진 - AWS ...
 
Orchestrating containers on AWS | AWS Summit Tel Aviv 2019
Orchestrating containers on AWS  | AWS Summit Tel Aviv 2019Orchestrating containers on AWS  | AWS Summit Tel Aviv 2019
Orchestrating containers on AWS | AWS Summit Tel Aviv 2019
 
Orchestrating containers on AWS | AWS Summit Tel Aviv 2019
Orchestrating containers on AWS  | AWS Summit Tel Aviv 2019Orchestrating containers on AWS  | AWS Summit Tel Aviv 2019
Orchestrating containers on AWS | AWS Summit Tel Aviv 2019
 
Breaking the Monolith road to containers.pdf
Breaking the Monolith road to containers.pdfBreaking the Monolith road to containers.pdf
Breaking the Monolith road to containers.pdf
 
AWSome Day Brasil - Março 2020
AWSome Day Brasil - Março 2020AWSome Day Brasil - Março 2020
AWSome Day Brasil - Março 2020
 
AWSome Day Brasil - Junho 2020
AWSome Day Brasil - Junho 2020AWSome Day Brasil - Junho 2020
AWSome Day Brasil - Junho 2020
 
AWSome Day 2019 - Mexico City
AWSome Day 2019 - Mexico CityAWSome Day 2019 - Mexico City
AWSome Day 2019 - Mexico City
 
Containers on AWS: An Introduction
Containers on AWS: An IntroductionContainers on AWS: An Introduction
Containers on AWS: An Introduction
 
AWS Lambda 내부 동작 방식 및 활용 방법 자세히 살펴 보기 - 김일호 솔루션즈 아키텍트 매니저, AWS :: AWS Summit ...
AWS Lambda 내부 동작 방식 및 활용 방법 자세히 살펴 보기 - 김일호 솔루션즈 아키텍트 매니저, AWS :: AWS Summit ...AWS Lambda 내부 동작 방식 및 활용 방법 자세히 살펴 보기 - 김일호 솔루션즈 아키텍트 매니저, AWS :: AWS Summit ...
AWS Lambda 내부 동작 방식 및 활용 방법 자세히 살펴 보기 - 김일호 솔루션즈 아키텍트 매니저, AWS :: AWS Summit ...
 

Mais de Arun Gupta

5 Skills To Force Multiply Technical Talents.pdf
5 Skills To Force Multiply Technical Talents.pdf5 Skills To Force Multiply Technical Talents.pdf
5 Skills To Force Multiply Technical Talents.pdfArun Gupta
 
Machine Learning using Kubernetes - AI Conclave 2019
Machine Learning using Kubernetes - AI Conclave 2019Machine Learning using Kubernetes - AI Conclave 2019
Machine Learning using Kubernetes - AI Conclave 2019Arun Gupta
 
Machine Learning using Kubeflow and Kubernetes
Machine Learning using Kubeflow and KubernetesMachine Learning using Kubeflow and Kubernetes
Machine Learning using Kubeflow and KubernetesArun Gupta
 
Building Java in the Open - j.Day at OSCON 2019
Building Java in the Open - j.Day at OSCON 2019Building Java in the Open - j.Day at OSCON 2019
Building Java in the Open - j.Day at OSCON 2019Arun Gupta
 
Why Amazon Cares about Open Source
Why Amazon Cares about Open SourceWhy Amazon Cares about Open Source
Why Amazon Cares about Open SourceArun Gupta
 
Machine learning using Kubernetes
Machine learning using KubernetesMachine learning using Kubernetes
Machine learning using KubernetesArun Gupta
 
Building Cloud Native Applications
Building Cloud Native ApplicationsBuilding Cloud Native Applications
Building Cloud Native ApplicationsArun Gupta
 
Chaos Engineering with Kubernetes
Chaos Engineering with KubernetesChaos Engineering with Kubernetes
Chaos Engineering with KubernetesArun Gupta
 
How to be a mentor to bring more girls to STEAM
How to be a mentor to bring more girls to STEAMHow to be a mentor to bring more girls to STEAM
How to be a mentor to bring more girls to STEAMArun Gupta
 
Java in a World of Containers - DockerCon 2018
Java in a World of Containers - DockerCon 2018Java in a World of Containers - DockerCon 2018
Java in a World of Containers - DockerCon 2018Arun Gupta
 
The Serverless Tidal Wave - SwampUP 2018 Keynote
The Serverless Tidal Wave - SwampUP 2018 KeynoteThe Serverless Tidal Wave - SwampUP 2018 Keynote
The Serverless Tidal Wave - SwampUP 2018 KeynoteArun Gupta
 
Introduction to Amazon EKS - KubeCon 2018
Introduction to Amazon EKS - KubeCon 2018Introduction to Amazon EKS - KubeCon 2018
Introduction to Amazon EKS - KubeCon 2018Arun Gupta
 
Mastering Kubernetes on AWS - Tel Aviv Summit
Mastering Kubernetes on AWS - Tel Aviv SummitMastering Kubernetes on AWS - Tel Aviv Summit
Mastering Kubernetes on AWS - Tel Aviv SummitArun Gupta
 
Top 10 Technology Trends Changing Developer's Landscape
Top 10 Technology Trends Changing Developer's LandscapeTop 10 Technology Trends Changing Developer's Landscape
Top 10 Technology Trends Changing Developer's LandscapeArun Gupta
 
Container Landscape in 2017
Container Landscape in 2017Container Landscape in 2017
Container Landscape in 2017Arun Gupta
 
Java EE and NoSQL using JBoss EAP 7 and OpenShift
Java EE and NoSQL using JBoss EAP 7 and OpenShiftJava EE and NoSQL using JBoss EAP 7 and OpenShift
Java EE and NoSQL using JBoss EAP 7 and OpenShiftArun Gupta
 
Docker, Kubernetes, and Mesos recipes for Java developers
Docker, Kubernetes, and Mesos recipes for Java developersDocker, Kubernetes, and Mesos recipes for Java developers
Docker, Kubernetes, and Mesos recipes for Java developersArun Gupta
 
Thanks Managers!
Thanks Managers!Thanks Managers!
Thanks Managers!Arun Gupta
 
Migrate your traditional VM-based Clusters to Containers
Migrate your traditional VM-based Clusters to ContainersMigrate your traditional VM-based Clusters to Containers
Migrate your traditional VM-based Clusters to ContainersArun Gupta
 
NoSQL - Vital Open Source Ingredient for Modern Success
NoSQL - Vital Open Source Ingredient for Modern SuccessNoSQL - Vital Open Source Ingredient for Modern Success
NoSQL - Vital Open Source Ingredient for Modern SuccessArun Gupta
 

Mais de Arun Gupta (20)

5 Skills To Force Multiply Technical Talents.pdf
5 Skills To Force Multiply Technical Talents.pdf5 Skills To Force Multiply Technical Talents.pdf
5 Skills To Force Multiply Technical Talents.pdf
 
Machine Learning using Kubernetes - AI Conclave 2019
Machine Learning using Kubernetes - AI Conclave 2019Machine Learning using Kubernetes - AI Conclave 2019
Machine Learning using Kubernetes - AI Conclave 2019
 
Machine Learning using Kubeflow and Kubernetes
Machine Learning using Kubeflow and KubernetesMachine Learning using Kubeflow and Kubernetes
Machine Learning using Kubeflow and Kubernetes
 
Building Java in the Open - j.Day at OSCON 2019
Building Java in the Open - j.Day at OSCON 2019Building Java in the Open - j.Day at OSCON 2019
Building Java in the Open - j.Day at OSCON 2019
 
Why Amazon Cares about Open Source
Why Amazon Cares about Open SourceWhy Amazon Cares about Open Source
Why Amazon Cares about Open Source
 
Machine learning using Kubernetes
Machine learning using KubernetesMachine learning using Kubernetes
Machine learning using Kubernetes
 
Building Cloud Native Applications
Building Cloud Native ApplicationsBuilding Cloud Native Applications
Building Cloud Native Applications
 
Chaos Engineering with Kubernetes
Chaos Engineering with KubernetesChaos Engineering with Kubernetes
Chaos Engineering with Kubernetes
 
How to be a mentor to bring more girls to STEAM
How to be a mentor to bring more girls to STEAMHow to be a mentor to bring more girls to STEAM
How to be a mentor to bring more girls to STEAM
 
Java in a World of Containers - DockerCon 2018
Java in a World of Containers - DockerCon 2018Java in a World of Containers - DockerCon 2018
Java in a World of Containers - DockerCon 2018
 
The Serverless Tidal Wave - SwampUP 2018 Keynote
The Serverless Tidal Wave - SwampUP 2018 KeynoteThe Serverless Tidal Wave - SwampUP 2018 Keynote
The Serverless Tidal Wave - SwampUP 2018 Keynote
 
Introduction to Amazon EKS - KubeCon 2018
Introduction to Amazon EKS - KubeCon 2018Introduction to Amazon EKS - KubeCon 2018
Introduction to Amazon EKS - KubeCon 2018
 
Mastering Kubernetes on AWS - Tel Aviv Summit
Mastering Kubernetes on AWS - Tel Aviv SummitMastering Kubernetes on AWS - Tel Aviv Summit
Mastering Kubernetes on AWS - Tel Aviv Summit
 
Top 10 Technology Trends Changing Developer's Landscape
Top 10 Technology Trends Changing Developer's LandscapeTop 10 Technology Trends Changing Developer's Landscape
Top 10 Technology Trends Changing Developer's Landscape
 
Container Landscape in 2017
Container Landscape in 2017Container Landscape in 2017
Container Landscape in 2017
 
Java EE and NoSQL using JBoss EAP 7 and OpenShift
Java EE and NoSQL using JBoss EAP 7 and OpenShiftJava EE and NoSQL using JBoss EAP 7 and OpenShift
Java EE and NoSQL using JBoss EAP 7 and OpenShift
 
Docker, Kubernetes, and Mesos recipes for Java developers
Docker, Kubernetes, and Mesos recipes for Java developersDocker, Kubernetes, and Mesos recipes for Java developers
Docker, Kubernetes, and Mesos recipes for Java developers
 
Thanks Managers!
Thanks Managers!Thanks Managers!
Thanks Managers!
 
Migrate your traditional VM-based Clusters to Containers
Migrate your traditional VM-based Clusters to ContainersMigrate your traditional VM-based Clusters to Containers
Migrate your traditional VM-based Clusters to Containers
 
NoSQL - Vital Open Source Ingredient for Modern Success
NoSQL - Vital Open Source Ingredient for Modern SuccessNoSQL - Vital Open Source Ingredient for Modern Success
NoSQL - Vital Open Source Ingredient for Modern Success
 

Último

COMPUTER 10 Lesson 8 - Building a Website
COMPUTER 10 Lesson 8 - Building a WebsiteCOMPUTER 10 Lesson 8 - Building a Website
COMPUTER 10 Lesson 8 - Building a Websitedgelyza
 
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDE
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDEADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDE
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDELiveplex
 
Videogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdfVideogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdfinfogdgmi
 
Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.YounusS2
 
Cybersecurity Workshop #1.pptx
Cybersecurity Workshop #1.pptxCybersecurity Workshop #1.pptx
Cybersecurity Workshop #1.pptxGDSC PJATK
 
AI You Can Trust - Ensuring Success with Data Integrity Webinar
AI You Can Trust - Ensuring Success with Data Integrity WebinarAI You Can Trust - Ensuring Success with Data Integrity Webinar
AI You Can Trust - Ensuring Success with Data Integrity WebinarPrecisely
 
Designing A Time bound resource download URL
Designing A Time bound resource download URLDesigning A Time bound resource download URL
Designing A Time bound resource download URLRuncy Oommen
 
Building AI-Driven Apps Using Semantic Kernel.pptx
Building AI-Driven Apps Using Semantic Kernel.pptxBuilding AI-Driven Apps Using Semantic Kernel.pptx
Building AI-Driven Apps Using Semantic Kernel.pptxUdaiappa Ramachandran
 
COMPUTER 10: Lesson 7 - File Storage and Online Collaboration
COMPUTER 10: Lesson 7 - File Storage and Online CollaborationCOMPUTER 10: Lesson 7 - File Storage and Online Collaboration
COMPUTER 10: Lesson 7 - File Storage and Online Collaborationbruanjhuli
 
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019IES VE
 
Igniting Next Level Productivity with AI-Infused Data Integration Workflows
Igniting Next Level Productivity with AI-Infused Data Integration WorkflowsIgniting Next Level Productivity with AI-Infused Data Integration Workflows
Igniting Next Level Productivity with AI-Infused Data Integration WorkflowsSafe Software
 
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCostKubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCostMatt Ray
 
Building Your Own AI Instance (TBLC AI )
Building Your Own AI Instance (TBLC AI )Building Your Own AI Instance (TBLC AI )
Building Your Own AI Instance (TBLC AI )Brian Pichman
 
UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1DianaGray10
 
Meet the new FSP 3000 M-Flex800™
Meet the new FSP 3000 M-Flex800™Meet the new FSP 3000 M-Flex800™
Meet the new FSP 3000 M-Flex800™Adtran
 
Nanopower In Semiconductor Industry.pdf
Nanopower  In Semiconductor Industry.pdfNanopower  In Semiconductor Industry.pdf
Nanopower In Semiconductor Industry.pdfPedro Manuel
 
UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8DianaGray10
 
Machine Learning Model Validation (Aijun Zhang 2024).pdf
Machine Learning Model Validation (Aijun Zhang 2024).pdfMachine Learning Model Validation (Aijun Zhang 2024).pdf
Machine Learning Model Validation (Aijun Zhang 2024).pdfAijun Zhang
 

Último (20)

COMPUTER 10 Lesson 8 - Building a Website
COMPUTER 10 Lesson 8 - Building a WebsiteCOMPUTER 10 Lesson 8 - Building a Website
COMPUTER 10 Lesson 8 - Building a Website
 
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDE
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDEADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDE
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDE
 
Videogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdfVideogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdf
 
Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.
 
Cybersecurity Workshop #1.pptx
Cybersecurity Workshop #1.pptxCybersecurity Workshop #1.pptx
Cybersecurity Workshop #1.pptx
 
AI You Can Trust - Ensuring Success with Data Integrity Webinar
AI You Can Trust - Ensuring Success with Data Integrity WebinarAI You Can Trust - Ensuring Success with Data Integrity Webinar
AI You Can Trust - Ensuring Success with Data Integrity Webinar
 
Designing A Time bound resource download URL
Designing A Time bound resource download URLDesigning A Time bound resource download URL
Designing A Time bound resource download URL
 
Building AI-Driven Apps Using Semantic Kernel.pptx
Building AI-Driven Apps Using Semantic Kernel.pptxBuilding AI-Driven Apps Using Semantic Kernel.pptx
Building AI-Driven Apps Using Semantic Kernel.pptx
 
20150722 - AGV
20150722 - AGV20150722 - AGV
20150722 - AGV
 
COMPUTER 10: Lesson 7 - File Storage and Online Collaboration
COMPUTER 10: Lesson 7 - File Storage and Online CollaborationCOMPUTER 10: Lesson 7 - File Storage and Online Collaboration
COMPUTER 10: Lesson 7 - File Storage and Online Collaboration
 
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
 
201610817 - edge part1
201610817 - edge part1201610817 - edge part1
201610817 - edge part1
 
Igniting Next Level Productivity with AI-Infused Data Integration Workflows
Igniting Next Level Productivity with AI-Infused Data Integration WorkflowsIgniting Next Level Productivity with AI-Infused Data Integration Workflows
Igniting Next Level Productivity with AI-Infused Data Integration Workflows
 
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCostKubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
 
Building Your Own AI Instance (TBLC AI )
Building Your Own AI Instance (TBLC AI )Building Your Own AI Instance (TBLC AI )
Building Your Own AI Instance (TBLC AI )
 
UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1
 
Meet the new FSP 3000 M-Flex800™
Meet the new FSP 3000 M-Flex800™Meet the new FSP 3000 M-Flex800™
Meet the new FSP 3000 M-Flex800™
 
Nanopower In Semiconductor Industry.pdf
Nanopower  In Semiconductor Industry.pdfNanopower  In Semiconductor Industry.pdf
Nanopower In Semiconductor Industry.pdf
 
UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8
 
Machine Learning Model Validation (Aijun Zhang 2024).pdf
Machine Learning Model Validation (Aijun Zhang 2024).pdfMachine Learning Model Validation (Aijun Zhang 2024).pdf
Machine Learning Model Validation (Aijun Zhang 2024).pdf
 

Secure and Fast microVM for Serverless Computing using Firecracker

  • 1. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential Meena Gowdar (@meejamb) Arun Gupta (@arungupta) 2019-07-17 Firecracker: secure and fast microVMs for serverless computing
  • 2. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential What is Firecracker? Open source virtualization technology (microVM) Security and isolation of traditional VMs Speed and density of containers Low resource overhead Developed at Amazon
  • 3. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential What problem are we helping to solve? A really hard packing problem  Time Lambda Worker Load Customer A FunctionA.01 Customer B Function B.07 Customer C FunctionC.42 Customer {N} Function {N}.{X}
  • 4. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential Benefits of Firecracker Security Startup time Utilization
  • 5. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential Benefits of Firecracker Security from the ground up KVM-based virtualization Speed by design <125ms to launch 150 microVMs per second/host Scale and efficiency <5MB memory footprint per microVM
  • 6. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential Firecracker design principles Multitenant Any vCPU and memory combination Oversubscription permissible Steady mutation rate: 100+ microVMs/host/sec Limited only by hardware resources Host-facing REST API Minimalist guest device model
  • 7. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential Host-facing REST API
  • 8. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential Firecracker architecture Guest OS & Container workload KVM I/O Firecracker scales to thousands of multitenant microVMs Configurable microVMs across CPU and memory, running as user space processes Guest OS & Container workload RESTful API Network Storage Metadata Service Rate limiting Client Control plane Data plane Virtualization barrier Jailer barrier
  • 9. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential AWS Lambda
  • 10. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential Lambda worker Provisions a secure environment for customer code execution
  • 11. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential Lambda worker architecture Hardware Host OS Hypervisor Guest OS Sandbox Lambda Runtime Your code
  • 12. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential Lambda isolation Keeping workloads safe and separate Hardware Host OS Hypervisor Guest OS Sandbox Lambda Runtime Your code One function One account Many accounts
  • 13. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential Lambda isolation using EC2 Hardware Host OS Hypervisor Guest OS Sandbox Lambda Runtime Your code EC2 instances
  • 14. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential Lambda isolation using Firecracker Hardware Host OS Hypervisor Guest OS Sandbox Lambda Runtime Your code Firecracker EC2 Bare Metal
  • 15. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential Lambda isolation using Firecracker Keeping workloads safe and separate Hardware Host OS Hypervisor Guest OS Sandbox Lambda Runtime Your code One account & one function Many accounts
  • 16. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential Workload Workload Workload Workload Workload Workload Workload Workload Allocate Workloads: pack server with one workload ServerServer Server Workload Workload Workload Workload Workload Workload Workload Workload Workload Workload Workload Workload Workload Workload Workload Workload
  • 17. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential Workload Workload Workload WorkloadWorkload Workload WorkloadWorkloadWorkload Workload Workload Workload WorkloadWorkload Workload WorkloadWorkload More efficient: pack server with many workloads ServerServer Server Workload Workload Workload Workload Workload Workload Workload Take advantage of statistical multiplexing
  • 18. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential Workload Workload Workload WorkloadWorkload Workload WorkloadWorkloadWorkload Workload Workload Workload WorkloadWorkload Workload WorkloadWorkload Most efficient: placement optimization ServerServer Server Workload Workload Workload Workload Workload Workload Workload Pick workloads that pack well together Minimize contention
  • 19. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential AWS Container Services landscape Management Deployment, scheduling, scaling & management of containerized applications Hosting Where the containers run Amazon Elastic Container Service Amazon Elastic Container Service for Kubernetes Amazon EC2 AWS Fargate Image Registry Container image repository Amazon Elastic Container Registry
  • 20. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential AWS Fargate
  • 21. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential Fargate configurations CPU (vCPU) MemoryValues (GB) 0.25 0.5, 1, 2 0.5 Min 1GB, max 4GB, in 1GB increments 1 Min 2GB, max 8GB, in 1GB increments 2 Min 4GB, max 16GB, in 1GB increments 4 Min 8GB, max 30GB, in 1GB increments
  • 22. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential Fargate EC2 resource usage: with warm pool Account 1 Account 2 Account 3 Service Account
  • 23. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential Fargate EC2 resource usage: with Firecracker Account 1 Account 2 Account 3 Service Account
  • 24. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential Fargate EC2 resource usage: with Firecracker Account 1 Account 2 Account 3 Service Account
  • 25. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential Fargate EC2 resource usage: with Firecracker Account 1 Account 2 Account 3
  • 26. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential Fargate EC2 resource usage: with Firecracker Account 1 Account 2 Account 3
  • 27. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential Fargate EC2 resource usage: with Firecracker Account 1 Account 2 Account 3
  • 28. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential AWS Fargate price reduction vCPU GB Memory Effective Price Cut 2 12 -47.00% 2 13 -47.90% 2 14 -48.60% 2 15 -49.30% 2 16 -50.00% 4 8 -35.00% 4 9 -36.20% 4 10 -37.30% 4 11 -38.30% 20% per vCPU per second 65% per GB per second 35%–50% cumulative https://aws.amazon.com/blogs/compute/aws-fargate-price-reduction-up-to-50/
  • 29. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential Firecracker and Containerd Containerd to manage containers as Firecracker microVMs Multi-tenant hosts OCI image format Work with popular orchestration frameworks Kubernetes and Amazon ECS Define a future: light as container, secure as VM
  • 30. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential Firecracker and containerd architecture microVM Containerd FC Snapshotter Container Internal FC Agent runc Content Store FC Runtime VM Disk Image Kernel Image FirecrackerVMM
  • 31. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential Firecracker as an open source project 88 contributions from 32 open source community contributors (~22%) Dozens of community bug reports, 19 feature requests, RFC feedback Talks at 12 industry conferences across 2019 rust-vmm, working with other industry players to build VMM crates.
  • 32. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential Transparent Roadmap
  • 33. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential Firecracker integration with open source projects Kata Containers UniK OSv Weave Ignite
  • 34. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential Firecracker and Kata Containers Build lightweight virtual machine that seamlessly plugs into containers Kata Containers supports multiple hypervisors Default QEMU Preliminary Firecracker support
  • 35. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential Firecracker and Kata Containers spec: template: spec: runtimeClassName: kata-fc CRI-O or Containerd Annotations or RuntimeClass runc Kata—runtime BusyBox POD php BusyBox Firecracker Virtual Machine POD php BusyBox QEMU Virtual Machine POD php Kubelet
  • 36. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential Weave Ignite Open source VMM with a container UX Combines Firecracker microVMs with OCI images Works using GitOps ignite gitops <repo> github.com/weaveworks/ignite
  • 37. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential Who should use Firecracker directly? Teams building compute services Teams integrating Firecracker with container stacks Developers & security engineers that want to contribute
  • 38. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential Getting started with Firecracker Firecracker on AWS bare metal Firecracker on other clouds with bare metal (e.g., Packet) Firecracker on GCP nested-virt Firecracker on Azure nested-virt Firecracker on your dev machine (physical/nested-virt)
  • 39. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential Firectl Firectl is a CLI to create Firecracker microVMs firectl --kernel=hello-vmlinux.bin --root-drive=hello-rootfs.ext4
  • 40. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential References and contribute https://github.com/firecracker-microvm/
  • 41. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential Rate the session Session page on conference website O’Reilly Events App
  • 42. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential Thank you!

Notas do Editor

  1. “Fast” is not a word that’s usually associated with a virtual machines. But that’s exactly what you need to create runtimes that are secure enough for a multitenant environment, yet nimble enough to be well suited for function and container compute platforms. Let’s learn about what Firecracker is and how it enables fast and secure serverless computing.
  2. Firecracker is an open source virtualization technology. It’s a Virtual Machine Manager (VMM) that uses the Linux Kernel-based Virtual Machine (KVM) to create and manage light weight virtual machines, dubbed “microVMs”. Before Firecracker, it was hard to avoid choice between containers with fast startup times and high density, or VMs with strong hardware-virtualization-based security and workload isolation. With Firecracker, you no longer have to choose. <CLICK> These microVMs provide enhanced security and workload isolation over traditional VMs, while enabling the speed and resource efficiency of containers. <CLICK> It comes with an extremely low resource overhead. That makes it very suitable for serverless computing. <CLICK> Firecracker was developed at Amazon Web Services to improve the customer experience of services like AWS Lambda and AWS Fargate. When we launched Lambda in November of 2014, we were focused on providing a secure serverless experience. At launch we used per-customer EC2 instances to provide strong security and isolation between customers. As Lambda grew, we saw the need for technology to provide a highly secure, flexible, and efficient runtime environment for services like Lambda and Fargate. We needed something that could give us the hardware virtualization-based security boundaries of virtual machines, while maintaining the smaller package size and agility of containers and functions.
  3. Taking the case of Lambda … <CLICK> Let’s zoom in on a single Lambda “worker” server. It’s a physical machine, so it has fixed compute resources over time (e.g., CPU, memory). <CLICK> Lambda customers are paying for a specific compute resource cap per function – which we must guarantee. Each invoke then consumes some unknowable fraction of that cap, and the invokes happen in some unknowable succession. How can we make efficient use of our fixed physical machine? <CLICK><CLICK><CLICK> We add more functions to the same server. Ideally from different customers. For a large enough N, we can start using statistics and other big-number methods to ensure even near-full usage of the server. Ah, but wait, any of these N functions can run arbitrary binary code that might be malicious. How do we isolate all these execution environments? Containers would work, but they are not the most secure execution environment. <CLICK> We need to use VMs … but VMs don’t usually work well for high density, oversubscribed, high mutation rate sandbox environments. Firecracker though, is built specifically for, and only for, this type of environment.
  4. Firecracker implements a minimal device model that excludes all non-essential functionality and reduces the attack surface area of the microVM. This improves security, decreases the startup time, and increases hardware utilization. Let’s look at that how.
  5. Firecracker microVMs use KVM-based virtualizations that provide enhanced security over traditional VMs. This ensures that workloads from different end customers can run safely on the same machine. And because of minimal device model, it also reduces the attack surface area which provides more security. <CLICK> In addition to a minimal device model, Firecracker also accelerates kernel loading and provides a minimal guest kernel configuration. The only devices are virtio net and virtio block, as well as basic few-buttons keyboard (the reset pin helps when there’s no power management device). This enables fast startup times. Firecracker initiates user space or application code in less than 125ms and supports peak microVM creation rates of 150 microVMs per second per host. <CLICK> Each Firecracker microVM runs with a reduced memory overhead of less than 5MiB, enabling a high density of microVMs to be packed on each server. Firecracker also provides a rate limiter built into every microVM. This enables optimized sharing of network and storage resources, even across thousands of microVMs on a host. With Firecracker, you can see that we are making the same deep investments in our infrastructure to support serverless computing as we have to support EC2 instances. Firecracker currently supports Intel CPUs, with AMD and Arm support currently in the Alpha stage (working, but not extensively tested). Firecracker will also be integrated with popular container runtimes such as containerd.
  6. Let’s talk about the Firecracker design principles. Firecracker can safely run workloads from different customers on the same machine. This is possible because it provides hardware virtualization-based security. Customers can create microVMs with any combination of vCPU and memory to match their application requirements. This allows to map nicely to different Lambda and Fargate combinations. We’ll look at that later. Firecracker microVMs oversubscribe host CPU and memory by default. The degree of oversubscription is controlled by customers, who may factor in workload correlation and load in order to ensure smooth host system operation. With a microVM configured with a minimal Linux kernel, single-core CPU, and 128 MB of RAM, Firecracker supports a steady mutation rate of ~4 microVMs per host core per second (e.g., one can create ~150 microVMs per second on a host with 36 physical cores). The number of Firecracker microVMs running simultaneously on a host is limited only by the availability of hardware resources. Each microVM exposes a host-facing API via an in-process HTTP server. Each microVM can provide guest-facing access to host-configured metadata via the /MMDS API.
  7. The API is accessible through HTTP calls on specific URLs carrying JSON modeled data. The transport medium is a Unix Domain Socket. / returns general information about an instance. Firecracker microVMs can execute actions that can be triggered via PUT requests on the /actions resource. Actions are: InstanceStart: The InstanceStart action powers on the microVM and starts the guest OS SendCtrlAltDel: This action will send the CTRL+ALT+DEL key sequence to the microVM. By convention, this sequence has been used to trigger a soft reboot and, as such, most Linux distributions perform an orderly shutdown and reset upon receiving this keyboard input. Since Firecracker exits on CPU reset, SendCtrlAltDel can be used to trigger a clean shutdown of the microVM. BlockDeviceRescan: The BlockDeviceRescan action is used to trigger a rescan of one of the microVM's attached block devices. Rescanning is necessary when the size of the block device's backing file (on the host) changes and the guest needs to refresh its internal data structures to pick up this change. This action is therefore only allowed after the guest has booted. GET /machine-config gets the machine configuration of the VM. When called before the PUT operation, it will return the default values for the vCPU count (=1), memory size (=128 MiB). PUT updates the Virtual Machine Configuration with the specified input. Firecracker starts with default values for vCPU count (=1) and memory size (=128 MiB). With Hyperthreading enabled, the vCPU count is restricted to be 1 or an even number, otherwise there are no restrictions regarding the vCPU count. If any of the parameters has an incorrect value, the whole update fails. /drives creates new drive with ID specified by drive_id path parameter. If a drive with the specified ID already exists, updates its state based on new input. Will fail if update is not possible.
  8. Firecracker runs in user space and uses the Linux Kernel-based Virtual Machine (KVM) to create microVMs. The fast startup time and low memory overhead of each microVM enables you to pack thousands of microVMs onto the same machine. This means that every function or container group can be encapsulated with a virtual machine barrier, enabling workloads from different customers to run on the same machine, without any tradeoffs to security or efficiency. Firecracker is an alternative to QEMU, an established VMM with a general purpose and broad feature set that allows it to host a variety of guest operating systems. <CLICK> You can control the Firecracker process via a RESTful API that enables common actions such as configuring the number of vCPUs or starting the machine. It provides built-in rate limiters, which allows you to granularly control network and storage resources used by thousands of microVMs on the same machine. You can create and configure rate limiters via the Firecracker API and define flexible rate limiters that support bursts or specific bandwidth/operations limitations. Firecracker also provides a metadata service that securely shares configuration information between the host and guest operating system. You can set up and configure the metadata service using the Firecracker API.
  9. Let’s look at how AWS Lambda uses Firecracker. As we build out AWS Lambda, we’re optimizing for security, reliability, performance, security and cost – in the serverless domain. AWS Lambda is event-driven, serverless code execution, currently available in all AWS Regions as a “foundational” service. We launch Lambda in every new Region that AWS launches. We build our systems behind the scenes to distribute load, scale up and down, and detect and route around failure … so you don’t need to. And of course, as we do that, we must preserve isolation and maximize utilization. Just three years after general availability, AWS Lambda already processes trillions of requests every month, for hundreds of thousands of active customers.
  10. One of the primary systems in the Lambda architecture is called a Worker – this is where we provision a secure environment for customer code execution. What does a Worker do? It creates and manages a collection of Sandboxes It sets limits on Sandbox … such as memory/CPU available for function execution It downloads customer code and mounts it for execution It manages multiple Language Runtimes It executes Customer Code through Initialization and Invoke And finally … It manages AWS owned agents for monitoring and operational controls … like CloudWatch
  11. Let’s look a little closer at the logical view of Lambda worker. At the top is your code, this is the most important part. This is what we run on your behalf. This is your zip, your layers and of course any language that you want to bring along. We support a number of languages, through different Runtimes, including Node, Python, Java, C#, and more. Underneath the Runtime is a Sandbox that hosts the runtime. This is the copy of Linux that we provide and you look around to see what’s on the file system. All of these containers run on a Guest OS – we use Amazon Linux. GuestOS is multiplexed across hardware using virtualization. That virtualization is enabled using a Hypervisor, and Host OS that the Hypervisor runs in. Host OS is also Amazon Linux for us. And finally we have the Physical System Hardware.
  12. To keep workloads safe and separate … Code, runtime and sandbox are only ever used for a single function. Multiple invocations will land in the same sandbox. This means if you call a function, and call it again and again, they will go to the same sandbox serially. They won’t overlap concurrently and that’s where we scale up. And we do that for a whole lot of good reasons. But the biggest of those is efficiency. But the tmpfs that comes with sandbox is never used across multiple sandboxes. Guest operating systems are shared across multiple functions in an account but are never used across multiple AWS accounts. There is 1:N mapping for an AWS account to EC2 instances or equivalent hypervisor isolated environment. So we never use the same virtual machine across multiple AWS accounts. The boundary that we put between different accounts is virtualization. Then, we do share the underlying hardware across multiple AWS accounts. We do this because Lambda functions are really small and underlying hardware is really big. We can’t have a 128MB RAM machine so we use virtualization to chop up a box into multiple pieces. The question we get asked most often is ISLOATION. It means two things … SECURITY and other is OPERATIONAL ISOLATION. By that I mean how you run functions at a consistent performance when there are other functions on the same hardware.
  13. Let’s take a look at how we do isolation. There are two ways we run Lambda functions today One mode is where each worker is a separate EC2 instance. That’s a great security boundary and it’s a fast way to build the functionality. This is how we created Lambda and this mode is used today as well.
  14. And the other mode is using Firecracker. We run a bare metal instance, the same ones that you can launch using EC2 console. And then we run 1000s of Firecracker microVMs on that hardware Firecracker microVM technology provides a sufficient security boundary to host multiple accounts. Under Firecracker, we are able to run with much more flexibility on high performance EC2 Bare Metal Hardware.
  15. This really simplifies the security model for us. So instead of having one function, one account and many accounts, this is now simplified to one function in a microVM and multiple microVMs across multiple accounts on a piece of hardware. And this is really good for us in a whole lot of ways which we’ll talk about it a bit later. This is a good programming model as well because it provides good isolation even between functions.
  16. Another optimization that we do in Lambda is how we pick workloads to run on a worker. So, this is a worker and a server. Yes, there are servers in serverless. When we look at this from a server perspective, vs. sandboxes, packing the same workload on a server is inefficient. You may think about running multiple copies of the same workload on the same machine. So you cut it up into multiple sandboxes and you run multiple copies of the same workload. It turns out that is a bad thing to do because functions tend to consume the same type of resources, and also be active in the same time interval. And what that means is one spikes up in CPU, its quite likely another one will spike up because they’re doing the same work. Or this could be memory or whatever your function is doing. This really limits how densely you can pack on the hardware. This means your sever will be either running hot …. or nearly idle.
  17. You can take advantage of statistics and simply put as many uncorrelated workloads on the server as you can. So have a diverse set of workloads instead of multiple copies of the same workload. And this makes the workload way better behaved. It really brings down those peaks and brings up the average. Because AWS runs so many workloads, we can find the uncorrelated workloads and distribute them across a set of servers to improve this situation. That way, we have a chance of the workloads packing well together.
  18. We can do better than that where we find workloads that are anti correlated such as down on CPU when another one spikes up. The most efficient placement strategy is to pick the workloads that pack well together … … and minimize contention. So it’s all about putting the workloads where we can get optimum hardware utilization.
  19. Now, lets look at how Firecracker is used with Fargate. But before we talk about that, lets look at the container services landscape. Your containers can be managed by Amazon ECS or EKS. Amazon ECS is Amazon’s managed container orchestration platform. Amazon EKS provides an upstream compatible managed Kubernetes control plane. You can run ECS using EC2 virtual machines or using Fargate where you don’t need to manage the servers or clusters and just run containers. EKS data plane can only run using EC2-based instances at this time. We also have a fully-managed registry service to store container images: ECR Let’s look at Fargate more closely and see how Firecracker is used there.
  20. AWS Fargate is a compute engine for Amazon ECS that allows you to run containers without having to manage servers or clusters.  With AWS Fargate, you only have to think about the containers so you can just focus on building and operating your application. AWS Fargate eliminates the need to manage a cluster of Amazon EC2 instances. You no longer have to pick the instance types, manage cluster scheduling, or optimize cluster utilization. All of this goes away with Fargate. AWS Fargate makes it easy to scale your applications. You no longer have to worry about provisioning enough compute resources for your container applications. After you define your application requirements (e.g., CPU, memory, etc.), AWS Fargate manages all the scaling and infrastructure needed to run your containers in a highly-available manner. AWS Fargate seamlessly integrates with Amazon ECS. You just define your application as you do for Amazon ECS. You package your application into task definitions, specify the CPU and memory needed, define the networking and IAM policies that each container needs, and upload everything to Amazon ECS. After everything is setup, AWS Fargate launches and manages your containers for you. Just a year after after general availability, AWS Fargate runs tens of millions of containers for customers every week.
  21. Fargate tasks can be provisioned using over 40 different combinations of CPU and memory. Fargate takes care of provisioning, maintaining and scaling the task and customers pay only for what their application. Like Lambda, any optimizations in placing Fargate tasks is something that customers don’t need to worry about, This is where the Fargate and Firecracker integration helps out. Let’s take a look.
  22. Containers are a set of processes running in cgroups and namespaces. These constructs provide a weak form of isolation. Although they can isolate well-meaning processes from each other to a certain degree, they were never designed for running hostile multi-tenant workloads side by side on top of the same kernel. In order to provide the desired level of security, each Fargate task has its own isolation boundary and does not share the underlying kernel, CPU resources, memory resources, or elastic network interface with another task. Fargate maintains a warm pool of EC2 instances. This allows to scale the tasks rapidly instead of provisioning an EC2 instance on demand. When a customer request to run a Fargate task, we match an EC2 instance that satisfies the vCPU and memory requirement required by the task. This results in some resource waste in EC2 instances. EC2 offers a really large variety of compute instances whether its general purpose, compute-, memory- or storage-optimized, Intel- or AMD-based, GPU powered or bare metal. But there is no 1-1 match between different vCPU and memory combinations offered by Fargate and EC2 instance types. For example, there is no EC2 instance that offers 0.25 vCPU and 0.5 GB RAM. So we pick an instance type to ensure there is enough vCPU and memory available to run the task. Customers do not see this happening as it happens in the AWS service account and they’re oblivious to it. An EC2 instance is not used across multiple AWS accounts. This is good for the customer as they get hardware virtualization-based security. But this is inefficient resource utilization as there is a likely loss of compute and memory. Just like Lambda, Fargate isolates tasks inside a hypervisor boundary, and Firecracker helps make that more efficient.
  23. With Firecracker, <CLICK> one task per EC2 instance model goes away <CLICK> and each Fargate task is now run in a microVM with minimal overhead. This allows us to exactly match the vCPU and memory requirements of the task. <CLICK> This also means that we don’t need the warm pool and so that goes away as well. <CLICK> In order to provision Fargate tasks in microVM, we can use bare metal instances, the same that you can provision using EC2 console. <CLICK> And because each microVM provides hardware virtualization-based security already, we can pack these microVMs a lot more densely without compromising security. This allows us to utilize EC2 instances more efficiently. The security model also simplifies and allows Fargate tasks from multiple accounts to be spread across multiple instances. And we also balance the tasks across bare metal instances across AZs. This gives high availability and resiliency to customer applications.
  24. With Firecracker, <CLICK> one task per EC2 instance model goes away <CLICK> and each Fargate task is now run in a microVM with minimal overhead. This allows us to exactly match the vCPU and memory requirements of the task. <CLICK> This also means that we don’t need the warm pool and so that goes away as well. <CLICK> In order to provision Fargate tasks in microVM, we can use bare metal instances, the same that you can provision using EC2 console. <CLICK> And because each microVM provides hardware virtualization-based security already, we can pack these microVMs a lot more densely without compromising security. This allows us to utilize EC2 instances more efficiently. The security model also simplifies and allows Fargate tasks from multiple accounts to be spread across multiple instances. And we also balance the tasks across bare metal instances across AZs. This gives high availability and resiliency to customer applications.
  25. With Firecracker, <CLICK> one task per EC2 instance model goes away <CLICK> and each Fargate task is now run in a microVM with minimal overhead. This allows us to exactly match the vCPU and memory requirements of the task. <CLICK> This also means that we don’t need the warm pool and so that goes away as well. <CLICK> In order to provision Fargate tasks in microVM, we can use bare metal instances, the same that you can provision using EC2 console. <CLICK> And because each microVM provides hardware virtualization-based security already, we can pack these microVMs a lot more densely without compromising security. This allows us to utilize EC2 instances more efficiently. The security model also simplifies and allows Fargate tasks from multiple accounts to be spread across multiple instances. And we also balance the tasks across bare metal instances across AZs. This gives high availability and resiliency to customer applications.
  26. With Firecracker, <CLICK> one task per EC2 instance model goes away <CLICK> and each Fargate task is now run in a microVM with minimal overhead. This allows us to exactly match the vCPU and memory requirements of the task. <CLICK> This also means that we don’t need the warm pool and so that goes away as well. <CLICK> In order to provision Fargate tasks in microVM, we can use bare metal instances, the same that you can provision using EC2 console. <CLICK> And because each microVM provides hardware virtualization-based security already, we can pack these microVMs a lot more densely without compromising security. This allows us to utilize EC2 instances more efficiently. The security model also simplifies and allows Fargate tasks from multiple accounts to be spread across multiple instances. And we also balance the tasks across bare metal instances across AZs. This gives high availability and resiliency to customer applications.
  27. With Firecracker, <CLICK> one task per EC2 instance model goes away <CLICK> and each Fargate task is now run in a microVM with minimal overhead. This allows us to exactly match the vCPU and memory requirements of the task. <CLICK> This also means that we don’t need the warm pool and so that goes away as well. <CLICK> In order to provision Fargate tasks in microVM, we can use bare metal instances, the same that you can provision using EC2 console. <CLICK> And because each microVM provides hardware virtualization-based security already, we can pack these microVMs a lot more densely without compromising security. This allows us to utilize EC2 instances more efficiently. The security model also simplifies and allows Fargate tasks from multiple accounts to be spread across multiple instances. And we also balance the tasks across bare metal instances across AZs. This gives high availability and resiliency to customer applications.
  28. At AWS, we always look for innovative ways to be use our resources efficiently and lower our operational cost. This allows us to pass those cost savings to customers. We’ve lowered our prices 69 times (TODO: check this number) since inception and customers love it! Earlier this year we reduced prices for Fargate task by 30-50%. Innovations such as Firecracker allow us to improve the efficiency of Fargate and help us pass on cost savings to customers.
  29. Firecracker-containerd project enables containerd to manage containers as Firecracker microVMs. Like traditional containers, Firecracker microVMs offer fast start-up and shut-down and minimal overhead. Unlike traditional containers, however, they can provide an additional layer of isolation via the KVM hypervisor. Because the overhead of Firecracker is low, the achievable container density per host should be comparable to running containers using kernel-based container runtimes, without the isolation compromise of such solutions. To maintain compatibility with the container ecosystem, where possible, we use container standards such as the OCI image format.
  30. This diagram shows how containerd runtime creates Firecracker microVMs. The architecture consists of three main components - Snapshotter, Runtime and Agent. A runtime linking containerd (outside the microVM) to the Firecracker virtual machine manager (VMM). The runtime is implemented as an out-of-process shim runtime communicating over ttrpc. It uses the VM disk image and kernel image to create the microVM. A snapshotter that creates files used as block-devices for pass-through into the microVM. This snapshotter is used for providing the container image to the microVM. The snapshotter runs as an out-of-process gRPC proxy plugin. An agent running inside the microVM, which invokes runC via containerd's containerd-shim-runc-v1 to create standard Linux containers inside the microVM.
  31. AWS released Firecracker as an open source project at re:Invent 2018. Since then we’ve head … In case you have any ideas, we’re currently inviting everyone to contribute 2020 Roadmap proposals on our GitHub repository (until the end of the month).
  32. These are the teams that have integrated with Firecracker so far. <Click> kata containers and Ignite – we will deep dive this in the next few slides. <CLICK> UniK is as an orchestration platform for light-weight VMs. It provides tools for compiling application sources or containers into unikernels which are lightweight bootable disk images and microVMs. In addition, UniK runs and manages unikernels and microVMs on a variety of cloud providers, as well as locally. In January this year, UniK announced supporting Firecracker to launch microVMs. <CLICK> OSv is a new open-source operating system for virtual-machines. OSv was designed from the ground up to execute a single application on top of a hypervisor, resulting in superior performance and effortless management when compared to traditional operating systems which were designed for a vast range of physical machines. The easiest way to run OSv on Firecracker is to use a Python script firecracker.py. The firecracker.py automates process of launching firecracker VMM executable and submitting necessary REST api calls over UNIX domain socket to create and start OSv micro-VM.
  33. Lets talk about how Firecracker and Kata Containers. First, what is Kata Containers? Kata Containers is an open source project that is building a lightweight VM that feel and perform like containers. While Kata Containers was initially based on QEMU, the project was designed up front to support multiple hypervisor solutions. Firecracker addresses Kata end users’ requests for a more minimal hypervisor solution for simple use cases. The Kata community began working with Firecracker right after the launch. As a result, Kata Containers 1.5 introduced preliminary support for the Firecracker hypervisor. This is complementary to the project’s existing QEMU support. Given the tradeoff on features available in Firecracker, we expect people will use Firecracker for feature-constrained workloads, and use a minimal QEMU when working with more advanced workloads (for example, if device assignment is necessary, QEMU should be used).
  34. It is possible to utilize runc, Kata + QEMU and Kata + Firecracker in a single Kubernetes cluster, as shown in the diagram. To achieve this configuration, the cluster must be configured to use either CRI-O or containerd, and must be configured to use the runtimeClass feature of Kubernetes. RuntimeClass is an alpha feature for selecting the container runtime configuration to use to run a pod’s containers. With runtimeClass configured in Kubernetes as well as in CRI-O/containerd, end users can select the type of isolation they’d like on a per-workload basis. In this example, two runtimeClasses are registered: kata-qemu and kata-fc. <CLICK> Selecting Firecracker-based isolation is as simple as patching existing workloads with the shown YAML snippet. To utilize QEMU, the runtimeClassName tag would be modified to kata-qemu. TODO: current status?
  35. Weave Ignite is an open source Virtual Machine Manager with a container UX. With Ignite, you pick an OCI-compliant image (Docker image) that you want to run as a VM, and then just execute ”ignite run” instead of docker run. There’s no need to use VM-specific tools to build .vdi, .vmdk, or .qcow2 images, just do a docker build from any base image you want, and add your preferred contents. “ignite run” will use Firecracker to boot a new VM in c.125 milliseconds, using a default 4.19 linux kernel. If you want to use some other kernel, just specify the --kernel flag, pointing to another OCI image containing a kernel at /boot/vmlinux, and optionally your preferred modules. Next, the kernel executes /sbin/init in the VM, and it all starts up. After this, Ignite connects the VMs to any CNI network. In Git you declaratively store the desired state of a set of VMs you want to manage. ”ignite gitops” reconciles the state from Git, and applies the desired changes as state is updated in the repo. This can then be automated, tracked for correctness, and managed at scale.