Secure, small & fast multi-tenant container and function-based services can easily be achieved by Firecracker. With Firecracker you’re able to deploy workloads in lightweight virtual machines (so called microVMs) with enhanced security and isolation of workloads over regular and traditional VMs while having all the benefits of speed and resource efficiency of containers. With a minimalistic design and the usage of Linux Kernel-based Virtual Machine (KVM), Firecracker combines the features of regular VMs and containers. Unnecessary devices and functions are excluded to reduce the memory footprint, as well as of surface area of possible attacks for each microVM. However, it requires a 64-bit AMD or ARM CPU with hardware virtualization. Limitations can be found here.

Getting Started with Firecracker to run microVMs. While the upstream documentation is pretty good I’ll cover some steps here as well. Next to the default control mechanism via socket, another example by providing a JSON config file will be explained.

Prerequisites:
As already mentioned Firecracker is KVM based. Therefore, make sure /dev/kvm is present and accessible.

Getting the Firecracker binaries:
To download the latest Firecracker release to your running system architecture simply run the following code.

release_url="https://github.com/firecracker-microvm/firecracker/releases"
latest=$(basename $(curl -fsSLI -o /dev/null -w  %{url_effective} ${release_url}/latest))
arch=`uname -m`
curl -L ${release_url}/download/${latest}/firecracker-${latest}-${arch}.tgz \
| tar -xz
# Link the binary to firecracker
ln -s release-${latest}-$(uname -m)/firecracker-${latest}-$(uname -m) firecracker

Start Firecracker with unix socket API
Firecracker can be controlled and orchestrated by a unix socket API. Therefore, just run the following code. Afterwards, Firecracker can be controlled to orchestrate microVMs.

./firecracker --api-sock /tmp/firecracker.socket

Create microVM
microVMs can be created in different ways. However, by default the API socket will be used for orchestration. Creating microVMs requires to following parts to the underlying hardware architecture:
* kernel image
* filesystem image (rootfs)
Lets start with this one…

Create microVM via API
A microVM can easily be created via the API with the following curl commands on our local unix socket:

# Adding a microVM kernel    
    curl --unix-socket /tmp/firecracker.socket -i \
      -X PUT 'http://localhost/boot-source'   \
      -H 'Accept: application/json'           \
      -H 'Content-Type: application/json'     \
      -d "{
            \"kernel_image_path\": \"/tmp/example_kernel.vmlinux\",
            \"boot_args\": \"console=ttyS0 reboot=k panic=1 pci=off\"
       }"

# Adding the filesystem image (roots)
    curl --unix-socket /tmp/firecracker.socket -i \
      -X PUT 'http://localhost/drives/rootfs' \
      -H 'Accept: application/json'           \
      -H 'Content-Type: application/json'     \
      -d "{
            \"drive_id\": \"rootfs\",
            \"path_on_host\": \"/tmp/example_rootfs.ext4\",
            \"is_root_device\": true,
            \"is_read_only\": false
       }"

# Optional resource adjustments
# Note: This can only be done before starting the microVM
    curl --unix-socket /tmp/firecracker.socket -i  \
      -X PUT 'http://localhost/machine-config' \
      -H 'Accept: application/json'            \
      -H 'Content-Type: application/json'      \
      -d '{
          "vcpu_count": 2,
          "mem_size_mib": 1024
      }'

# Start the microVM
    curl --unix-socket /tmp/firecracker.socket -i \
      -X PUT 'http://localhost/actions'       \
      -H  'Accept: application/json'          \
      -H  'Content-Type: application/json'    \
      -d '{
          "action_type": "InstanceStart"
       }'

Create microVM without API requests
Next to the previously mentioned possibility to start microVMs, there’s also a possibility to define a complete manifest as JSON config file. This is documented here and also provides an example config. Let’s have a more common config as an example for further usage (you may also have a look on Julia Evans blog post). Create a JSON config providing all necessary information including further network options:

# example_image.json
{
    "boot-source": {
        "boot_args": "ro console=ttyS0 noapic reboot=k panic=1 pci=off nomodules random.trust_cpu=on ip=10.10.10.1::10.10.10.2:255.255.255.252::eth0:off",
        "kernel_image_path": "/tmp/example_kernel.vmlinux"
    },
    "drives": [
        {
            "drive_id": "rootfs",
            "is_read_only": false,
            "is_root_device": true,
            "path_on_host": "/tmp/example_rootfs.ext4"
        }
    ],
    "machine-config": {
        "mem_size_mib": 2048,
        "vcpu_count": 4
    },
    "network-interfaces": [
        {
            "guest_mac": "02:FC:00:00:00:05",
            "host_dev_name": "tap0",
            "iface_id": "eth0"
        }
    ]
}

Afterwards the microVM can be started via the firecracker binary with:

./firecracker --api-sock /tmp/firecracker.socket --config-file example_image.json

This blog post provides a short and minimalstic overview for running microVMs with Firecracker. The next steps will result in adapting this for the Garden Linux project, as well as writing a PyTest IAAS for Firecracker.