AWS open-sources its KVM-based Firecracker lightweight virtualization technology, aiming to improve serverless security and performance.
At the Amazon re:Invent conference at the end of last month, AWS launched its new open-source Firecracker lightweight virtualization technology, aiming to further drive the adoption of serverless computing.
There has long been a debate about whether containers need to run on top of an extra layer of isolation provided by some form of virtual machine hypervisor. For serverless technology, that is, event-driven functions executed inside containers, AWS has isolated its Lambda serverless service on dedicated Elastic Compute Cloud (EC2) virtual instances. The newly released technology provides another way to isolate microservices and serverless functions, with less performance overhead and better security, using lightweight micro virtual machines (microVMs).
The GitHub project page of Firecracker reads:
“Firecracker is an open source virtualization technology specifically designed for creating and managing secure multi-tenant containers and function-based services, which can offer a serverless mode of operation. Firecracker runs workloads in lightweight virtual machines, also known as microVMs. MicroVMs combine the security and isolation attributes provided by hardware virtualization technology with the speed and flexibility provided by containers.”
AWS Lambda itself was launched at the re:Invent conference in 2014, catalyzing the entire serverless movement. In 2017, AWS released the AWS Fargate service, which provides a new model for deploying application containers in a serverless manner.
Plain Docker containers benefit from multiple isolation mechanisms provided by the underlying operating system (typically Linux). The problem is that in large multi-tenant environments such as the cloud, the isolation provided by containers alone is inadequate, which is why AWS and other large container users have turned to various virtual machine management technologies to provide an additional layer of isolation.
Security
Full virtual machines running under hypervisors such as KVM and Xen carry a complete guest operating system, which weighs on performance and storage requirements. By contrast, each Firecracker microVM occupies only 5 MB of memory. Although Firecracker itself is not a full virtual machine monitor, it uses the open-source KVM hypervisor to create and manage micro virtual machines. Firecracker is a high-performance technology written in the open-source Rust programming language, whose built-in memory and type safety help improve overall security.
The risk of running containers directly on a host operating system is that an attacker who escapes a container may gain unauthorized access to system resources. With Firecracker, the simple guest device model reduces the attack surface.
A Firecracker guest sees a very simple virtualized device model that minimizes the attack surface: a network device, a block I/O device, a programmable interval timer, the KVM clock, a serial console, and a partial keyboard (just enough to reboot the virtual machine).
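The device list above maps directly onto the handful of resources a microVM is configured with through Firecracker's REST API, which is served over a Unix socket. The script below is an added example, not code from the article or from the Firecracker project: it assembles the configuration for exactly the devices named (one block device, one network device, a serial console selected with `console=ttyS0`, and `reboot=k` so the guest reboots through the minimal keyboard). The socket path, kernel and rootfs file names, and the `tap0` host device are assumptions; by default the script runs in dry-run mode and only prints the requests it would send.

```sh
#!/bin/sh
# Added example: configure and start a Firecracker microVM over its API socket.
# Assumed values (not from the article): socket path, image paths, tap device.
FC_SOCKET="${FC_SOCKET:-/tmp/firecracker.socket}"
FC_DRY_RUN="${FC_DRY_RUN:-1}"   # 1 = print the requests instead of sending them

# fc_put RESOURCE JSON: PUT one API resource on the running VMM's socket.
fc_put() {
    resource="$1"
    body="$2"
    if [ "$FC_DRY_RUN" = "1" ]; then
        printf 'PUT %s %s\n' "$resource" "$body"
    else
        curl --silent --show-error --fail --unix-socket "$FC_SOCKET" \
             -X PUT "http://localhost/$resource" \
             -H 'Accept: application/json' -H 'Content-Type: application/json' \
             -d "$body"
    fi
}

# fc_configure_microvm KERNEL ROOTFS TAP: declare the minimal guest.
# Only the devices the article lists are attached: one block device and one
# network device; the console is the serial port (ttyS0) and "reboot=k"
# lets the guest reboot through the keyboard controller stub.
fc_configure_microvm() {
    kernel="$1"
    rootfs="$2"
    tap="$3"
    fc_put machine-config '{"vcpu_count": 1, "mem_size_mib": 128}'
    fc_put boot-source "{\"kernel_image_path\": \"$kernel\", \"boot_args\": \"console=ttyS0 reboot=k panic=1 pci=off\"}"
    # Root filesystem mounted read-only: a compromised guest cannot persist changes to the image.
    fc_put drives/rootfs "{\"drive_id\": \"rootfs\", \"path_on_host\": \"$rootfs\", \"is_root_device\": true, \"is_read_only\": true}"
    fc_put network-interfaces/eth0 "{\"iface_id\": \"eth0\", \"host_dev_name\": \"$tap\"}"
}

# fc_start_microvm: boot the configured guest.
fc_start_microvm() {
    fc_put actions '{"action_type": "InstanceStart"}'
}

# fc_request_count: number of API calls needed to describe the whole guest.
fc_request_count() {
    fc_configure_microvm vmlinux rootfs.ext4 tap0 | wc -l | tr -d ' '
}

# Usage (dry run by default; set FC_DRY_RUN=0 with a running firecracker --api-sock):
fc_configure_microvm vmlinux rootfs.ext4 tap0
fc_start_microvm
```

Four PUT requests describe the entire guest, which is the practical face of the small device model: there is no PCI bus to enumerate (`pci=off`) and no device that the configuration did not explicitly ask for. Mounting the root drive read-only is a deliberate hardening choice in this example, not a Firecracker default.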
Although AWS did not publicly release Firecracker until Nov 26, the technology was already being used to protect the AWS Lambda and Fargate services.
Competition
Firecracker is not the first to use a lightweight VM management model to strengthen container isolation. Back in November 2014, Ubuntu Linux announced plans for LXD as a lightweight virtual machine manager for improved container security and deployment density.
In December 2017, the OpenStack Foundation announced the Kata Containers project, based on Intel Clear Containers. In May 2018, Google launched gVisor, a sandboxed container runtime that provides similar virtualization-style security improvements.
Currently, Firecracker is only available for Intel CPUs, but the public roadmap indicates that it will be available for AMD and ARM chips in the future.