2025-02-23 Update From: SLTechnology News&Howtos
I. AWS Serverless service
In recent years AWS has strongly promoted the serverless model. Since the release of Lambda in 2014, serverless has become very popular; in 2017 AWS launched the AWS Fargate service for its own container platform, ECS, and in 2019 EKS added support for AWS Fargate as well.
Now that more users are building applications on serverless compute, AWS designs these services so that users do not have to worry about provisioning or managing infrastructure. Developers can use AWS Fargate to package their code as serverless containers, or AWS Lambda to package it as serverless functions. The low operational overhead of serverless will continue to play a key role in the future of computing.
As users increasingly adopt serverless technology, AWS recognized that current virtualization technologies had not yet evolved to suit such event-driven and sometimes transient workloads. AWS believed that a virtualization technology designed specifically for serverless computing needed to be built: one that provides the security boundary of a virtual machine, based on hardware virtualization, while keeping the small packaging model and agility of containers and functions.
II. Firecracker Technology
2.1. Introduction
In today's technology landscape, containers offer fast start-up times and high density, while VMs virtualize hardware and give better security and stronger isolation between workloads. Until now you could not have the properties of both containers and VMs at once.
AWS has open-sourced Firecracker, a new virtualization technology that uses KVM to create and manage multi-tenant container and function-based services. It can start a lightweight micro virtual machine (microVM) on a non-virtualized host in a fraction of a second, taking full advantage of the security and workload isolation provided by traditional virtual machines while retaining the resource efficiency of containers.
Firecracker is an open source virtual machine monitor (VMM) that uses the Linux Kernel Virtual Machine (KVM). Firecracker lets you create miniature virtual machines, or microVMs. Firecracker follows a minimalist design principle: it contains only the components needed to run secure, lightweight virtual machines. Throughout the design process, AWS optimized Firecracker for security, speed and efficiency. For example, it boots only relatively recent Linux kernels, and only kernels compiled with a specific set of configuration options (of the more than 1000 kernel build options available). In addition, graphics cards and accelerators of any kind are not supported, hardware pass-through is not supported, and (most) legacy devices are not supported.
Firecracker boots with a minimal kernel configuration, does not rely on an emulated BIOS, and does not use a full device model. The only devices are a paravirtualized network card and a paravirtualized block device, plus a single-key keyboard (the reset key is used when there is no power management device). This minimalist device model not only helps shorten boot time (boot time on an i3.metal instance with the default microVM model is < 125 ms), but also reduces the attack surface and thereby improves security. See the Firecracker documentation for more on its commitment to running containers and serverless workloads with very low overhead.
In the fall of 2017, AWS decided to write Firecracker in Rust, a modern programming language that guarantees thread and memory safety and prevents buffer overflows and many other classes of memory-safety bugs that can lead to security vulnerabilities. See the Firecracker design document for more detail on the features and architecture of the Firecracker VMM.
Because the device model is minimal and the kernel loading process is simple, boot times under 125 ms and a smaller memory footprint are achievable. Firecracker currently supports Intel CPUs, with AMD and ARM support to begin in 2019, and it will integrate with popular container runtimes such as containerd. Firecracker supports Linux host and guest operating systems with kernel version 4.14 or later.
Firecracker microVMs improve efficiency and utilization with very low memory overhead: less than 5 MiB per microVM. This means a user can pack thousands of microVMs onto a single virtual machine. An in-process rate limiter gives fine-grained control over how network and storage resources are shared, even across thousands of microVMs. All hardware compute resources can be safely oversubscribed, maximizing the number of workloads that can run on a host.
2.2. Advantages of Firecracker
AWS developed Firecracker according to the following guiding tenets of the open source project.
Built-in security: AWS provides compute security barriers that support multi-tenant workloads and cannot be disabled by customer error. Customer workloads are treated as both sacrosanct (inviolable) and malicious (to be kept out).
High performance: a microVM can be started in as little as 125 ms (and faster in 2019), making it ideal for many workload types, including transient or short-lived workloads.
Lightweight virtualization: transient or stateless workloads are favored over long-running or persistent ones. Firecracker's hardware resource overhead is explicit and guaranteed.
Battle-tested: Firecracker has been extensively tested and already powers several high-volume AWS services, including AWS Lambda and AWS Fargate.
Low overhead: Firecracker consumes about 5 MiB of memory per microVM. You can run thousands of secure VMs with different vCPU and memory configurations on the same instance.
Functional minimalism: no feature is built that is not explicitly required by the mission. There is one implementation per feature.
Compute oversubscription: all hardware compute resources that Firecracker exposes to guests can be safely oversubscribed.
Open source: Firecracker is an open source project. AWS is ready to review and accept pull requests.
2.3. Firecracker security
Simple guest model: Firecracker guests are presented with a very simple virtualized device model to minimize the attack surface: only a network device, a block I/O device, a programmable interval timer, the KVM clock, a serial console, and a partial keyboard (just enough to reset the VM).
Process jail: the Firecracker process is jailed using cgroups and seccomp BPF, and has access to a small, tightly controlled list of system calls.
Static linking: the Firecracker process is statically linked and can be launched from the jailer, so that the host environment is as secure and clean as possible.
2.4. How Firecracker operates
2.4.1. Relationship with the host
Firecracker runs on a Linux host with kernel 4.14 or newer and runs Linux guest OSs (referred to from here on as guests). After starting the process, the user interacts with the Firecracker API to configure the microVM before issuing the InstanceStart command.
2.4.2. Firecracker internal architecture
Each Firecracker process encapsulates one and only one microVM. The process runs the following threads: API, VMM and vCPU. The API thread is responsible for Firecracker's API server and the associated control plane; it is never on the VM's fast path. The VMM thread exposes the machine model, a minimal legacy device model, the microVM metadata service (MMDS), and the VirtIO device emulation for the Net and Block devices, and it provides I/O rate limiting. In addition there are one or more vCPU threads (one per guest CPU core). They are created through KVM and run the KVM run main loop. They perform synchronous I/O and memory-mapped I/O operations against the device model.
2.4.3. How does Firecracker work
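The configure-then-InstanceStart sequence from section 2.4.1, including a block-device rate limiter as discussed in section 2.1, as an added example that is not code from the Firecracker project; the socket path, kernel and rootfs paths, and tap device name are assumed values.

```python
import http.client
import json
import socket

API_SOCKET = "/tmp/firecracker.socket"  # assumed; set with --api-sock

class UnixHTTPConnection(http.client.HTTPConnection):
    """HTTP/1.1 client that talks over Firecracker's Unix domain socket."""

    def __init__(self, path):
        super().__init__("localhost")
        self.unix_path = path

    def connect(self):
        self.sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        self.sock.connect(self.unix_path)

def microvm_plan(vcpus=1, mem_mib=128, disk_bps=10_000_000):
    """Ordered (method, path, body) requests for one microVM: every
    configuration call precedes InstanceStart, and the root drive gets an
    in-process rate limiter of disk_bps bytes per second."""
    return [
        ("PUT", "/machine-config",
         {"vcpu_count": vcpus, "mem_size_mib": mem_mib}),
        ("PUT", "/boot-source",
         {"kernel_image_path": "./vmlinux",  # assumed path
          "boot_args": "console=ttyS0 reboot=k panic=1 pci=off"}),
        ("PUT", "/drives/rootfs",
         {"drive_id": "rootfs", "path_on_host": "./rootfs.ext4",  # assumed
          "is_root_device": True, "is_read_only": False,
          "rate_limiter": {"bandwidth": {"size": disk_bps,
                                         "refill_time": 1000}}}),
        ("PUT", "/network-interfaces/eth0",
         {"iface_id": "eth0", "host_dev_name": "tap0"}),  # assumed tap
        ("PUT", "/actions", {"action_type": "InstanceStart"}),
    ]

def apply_plan(plan, sock_path=API_SOCKET):
    """Send the plan in order; stop at the first non-2xx response."""
    conn = UnixHTTPConnection(sock_path)
    for method, path, body in plan:
        conn.request(method, path, body=json.dumps(body),
                     headers={"Content-Type": "application/json"})
        resp = conn.getresponse()
        resp.read()  # drain so the connection can be reused
        if resp.status // 100 != 2:
            return f"{method} {path} failed: HTTP {resp.status}"
    return "started"
```

Run `apply_plan(microvm_plan())` against a Firecracker process started with `--api-sock /tmp/firecracker.socket`; Firecracker rejects InstanceStart if a required resource such as the boot source was not configured first.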