AWS Firecracker Takes on Serverless Security, Speed Challenges
Better security and more speed – what else could we ask of serverless computing? At re:Invent this week, AWS launched a new take on virtual machines with a virtualization technology and open source project (under the Apache 2.0 license) for running multi-tenant container workloads.
Called Firecracker, the offering is designed to combine the speed, resource efficiency and performance enabled by containers along with the security and isolation of traditional VMs. Firecracker implements a virtual machine manager based on Linux's Kernel-based Virtual Machine (KVM), and provides a RESTful API to create and manage microVMs with any combination of vCPU and memory as required by applications.
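The API workflow described above, as an added example that is not from the article or the Firecracker project: a POSIX shell script that configures and starts one microVM through Firecracker's REST API over its Unix socket. The endpoint names and JSON fields (`/boot-source`, `/drives/rootfs`, `/machine-config`, `/actions`) follow Firecracker's public API; the socket path, the image paths, the dry-run switch and the resource caps in `machine_config` are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the article or the Firecracker project).
# Assumptions: a firecracker process is already listening on $FC_SOCKET, and
# the kernel image and rootfs paths passed to boot_microvm exist on the host.

FC_SOCKET="${FC_SOCKET:-/tmp/firecracker.socket}"
FC_DRY_RUN="${FC_DRY_RUN:-0}"   # 1 = print the requests instead of sending them

# fc_put PATH JSON: one PUT request to the API socket. The API is reachable
# only through this Unix socket, so filesystem permissions on the socket
# decide who on the host may configure or start microVMs.
fc_put() {
    path="$1"; body="$2"
    if [ "$FC_DRY_RUN" = "1" ]; then
        printf 'PUT %s %s\n' "$path" "$body"
        return 0
    fi
    curl --silent --show-error --fail --unix-socket "$FC_SOCKET" \
        -X PUT "http://localhost$path" \
        -H 'Accept: application/json' -H 'Content-Type: application/json' \
        -d "$body"
}

# machine_config VCPUS MEM_MIB: JSON body for /machine-config. The inputs are
# validated and capped (caps are an assumption of this example, not a
# Firecracker limit) so a typo cannot request an absurd allocation.
machine_config() {
    vcpus="$1"; mem="$2"
    case "$vcpus" in ''|*[!0-9]*) echo "bad vcpu count: $vcpus" >&2; return 1;; esac
    case "$mem"   in ''|*[!0-9]*) echo "bad memory size: $mem" >&2; return 1;; esac
    [ "$vcpus" -ge 1 ] && [ "$vcpus" -le 32 ]   || { echo "vcpu count out of range" >&2; return 1; }
    [ "$mem"   -ge 1 ] && [ "$mem"   -le 8192 ] || { echo "memory size out of range" >&2; return 1; }
    printf '{"vcpu_count": %s, "mem_size_mib": %s, "ht_enabled": false}' "$vcpus" "$mem"
}

# boot_microvm KERNEL ROOTFS VCPUS MEM_MIB: the four calls that take an idle
# firecracker process to a running guest. The kernel is booted with a serial
# console and no PCI bus, matching the minimal device model the article
# describes.
boot_microvm() {
    kernel="$1"; rootfs="$2"; vcpus="$3"; mem="$4"
    cfg=$(machine_config "$vcpus" "$mem") || return 1
    fc_put /boot-source "{\"kernel_image_path\": \"$kernel\", \"boot_args\": \"console=ttyS0 reboot=k panic=1 pci=off\"}" &&
    fc_put /drives/rootfs "{\"drive_id\": \"rootfs\", \"path_on_host\": \"$rootfs\", \"is_root_device\": true, \"is_read_only\": false}" &&
    fc_put /machine-config "$cfg" &&
    fc_put /actions '{"action_type": "InstanceStart"}'
}

# Usage (against a live socket):
#   boot_microvm ./vmlinux.bin ./rootfs.ext4 2 1024
```

With `FC_DRY_RUN=1` the script prints the four requests instead of sending them, which is a convenient way to review exactly what a microVM will be given before it is started.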
Again with security and speed in mind, AWS built Firecracker with minimal device emulation for faster startup times, a reduced memory footprint that shrinks the attack surface, and a sandboxed environment for each container.
At re:Invent in Las Vegas, AWS VP of Global Infrastructure and Customer Support Peter DeSantis said Firecracker builds on the cloud provider’s existing virtualization technologies: Fargate – a compute engine for the AWS EC2 container service that runs containers without provisioning servers or clusters – and AWS Lambda, which runs code directly, without provisioning, on a pay-as-you-go basis. DeSantis said Lambda currently processes trillions of requests for hundreds of thousands of customers each month, while Fargate runs tens of millions of containers each week.
But these services pose security and performance limitations, DeSantis explained.
“When building services like Fargate and Lambda,” he said, “there’s an important technical trade off to consider: some providers choose to run multiple containers and code for multiple customers inside a single server or virtual machine. This is tempting because it provides excellent efficiency and makes it easy to achieve low latency. However, a multi-tenant approach like this doesn’t provide the high security separation that a single tenant instance or server would.”
DeSantis said Firecracker micro virtual machines, or microVMs, are minimalist by design – they include only what’s required to run secure, lightweight VMs.
“At every step of the design process, we optimized Firecracker for security, speed and efficiency,” wrote AWS’s Arun Gupta (principal open source technologist) and Linda Lian (serverless product manager) in a blog on the product. “For example, we can only boot relatively recent Linux kernels, and only when they are compiled with a specific set of configuration options (there are 1000+ kernel compile config options). Also, there is no support for graphics or accelerators of any kind, no support for hardware passthrough, and no support for (most) legacy devices.”
The result, according to DeSantis: Firecracker microVMs initiate user space code in under 150 milliseconds, and a single server can create 150 microVMs per second. Each virtual machine requires less than 5 MB of overhead, allowing maximized density on a server, he said.
“As our customers increasingly adopted serverless, we realized that existing virtualization technologies were not developed to optimize for the event-driven, sometimes short-lived nature of these kinds of workloads,” wrote Gupta and Lian. “We saw a need to build virtualization technology specifically designed for serverless computing. We needed something that could give us the hardware virtualization-based security boundaries of virtual machines, while maintaining the smaller package size and agility of containers and functions.”
By working with the KVM hardware virtualization layer, Firecracker provides the same security as a traditional virtual machine, DeSantis explained. “It also provides a minimal device model, which excludes all non-essential functionality and decreases the attack surface of the microVM,” he said. “There is no better way to improve security than by reducing the surface area.”
Customers can run Firecracker on AWS bare metal I3 instances and on other bare-metal servers, including on-premises environments and developer laptops. Firecracker runs on Intel processors today, with support for AMD and ARM coming in 2019.