Deploying AWS Firecracker for Development

The Pawlrus
Feb 19, 2019

Why use AWS’s Firecracker Micro-VMs? Firecracker brings realistic goals and important improvements to the world of VMs and containers. It blends the benefits of both worlds with very few drawbacks, unless you require a rich device interface (TPM or PCI passthrough). In short, KVM/Firecracker is like KVM/QEMU+Libvirt stripped down to the bare minimum, creating a fast, secure and remarkably stable system.

For reference, my setup is using Fedora 29, though any Linux with kernel 4.14+ and KVM installed should be the same.

Step 1. Preparing the host!

Note! Be sure to download and set up firecracker as the user you intend to run it as. This guarantees all necessary files are owned by that user and prevents permission issues later.

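  • First install KVM and reboot into the new kernel
$ sudo dnf install qemu-kvm && sudo reboot
  • Create a regular user, no wheel or sudo
$ sudo useradd firecracker
  • As root or a sudo user, grant the new user access to /dev/kvm
$ sudo setfacl -m u:firecracker:rw /dev/kvm
  • Switch to the new user and download the release binaries into its home directory
$ sudo su - firecracker
# Saved as "firecracker" so the ./firecracker command in Step 2 works as written
$ wget -O firecracker https://github.com/firecracker-microvm/firecracker/releases/download/v0.14.0/firecracker-v0.14.0
# Jailer below is required for production use but not mandatory for development until a later release
$ wget -O jailer https://github.com/firecracker-microvm/firecracker/releases/download/v0.14.0/jailer-v0.14.0
# Make the downloaded binaries executable
$ chmod +x firecracker jailer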

Step 2. Create a Micro-VM and test it out!

  • Download the hello-world kernel and filesystem to the same folder as the firecracker binary
curl -fsSL -o hello-vmlinux.bin https://s3.amazonaws.com/spec.ccfc.min/img/hello/kernel/hello-vmlinux.bin
curl -fsSL -o hello-rootfs.ext4 https://s3.amazonaws.com/spec.ccfc.min/img/hello/fsfiles/hello-rootfs.ext4
  • Now let's configure and boot the VM using two terminals. In the first terminal, run the firecracker binary, which readies the HTTP server for commands via curl on the unix socket “/tmp/firecracker.socket”. In the second terminal, the first two curls configure the firecracker process and the third boots the micro-VM. Each curl operation returns an HTTP 204 status code when successful.
#Remove old unix sockets before starting the firecracker binary
rm -f /tmp/firecracker.socket
#Terminal 1
./firecracker --api-sock /tmp/firecracker.socket
#Terminal 2
##########
#Configure kernel
curl --unix-socket /tmp/firecracker.socket -i \
-X PUT 'http://localhost/boot-source' \
-H 'Accept: application/json' \
-H 'Content-Type: application/json' \
-d '{
"kernel_image_path": "./hello-vmlinux.bin",
"boot_args": "console=ttyS0 reboot=k panic=1 pci=off"
}'
##########
#Configure filesystem
curl --unix-socket /tmp/firecracker.socket -i \
-X PUT 'http://localhost/drives/rootfs' \
-H 'Accept: application/json' \
-H 'Content-Type: application/json' \
-d '{
"drive_id": "rootfs",
"path_on_host": "./hello-rootfs.ext4",
"is_root_device": true,
"is_read_only": false
}'
##########
#Boot the Micro-VM
curl --unix-socket /tmp/firecracker.socket -i \
-X PUT 'http://localhost/actions' \
-H 'Accept: application/json' \
-H 'Content-Type: application/json' \
-d '{
"action_type": "InstanceStart"
}'
  • Returning to the first terminal, you should now be presented with the output of the prior curls and a login prompt for an Alpine Linux Micro-VM. The credentials are root/root.
Welcome to Alpine Linux 3.8
Kernel 4.14.55-84.37.amzn2.x86_64 on an x86_64 (ttyS0)

localhost login:
  • Once you’re done (while logged in), simply type “reboot”, which acts as a shutdown command and terminates the Micro-VM and the firecracker process.
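
The Step 2 API calls can also be scripted. The following is an added example, not part of the original post: it checks the host first and treats anything other than HTTP 204 as a failure. It assumes the socket is moved out of /tmp into a directory only the firecracker user can enter (the API has no authentication of its own, so access to the socket is access to the API); the $HOME/fc path, the boot-hello.sh file name and the function names are assumptions.

```bash
#!/usr/bin/env bash
# Added example, not from the original post. Assumed layout: the API socket sits in
# a directory only the firecracker user can enter, not in world-writable /tmp.
# Terminal 1:  mkdir -p -m 700 "$HOME/fc" && rm -f "$HOME/fc/api.socket"
#              ./firecracker --api-sock "$HOME/fc/api.socket"
# Terminal 2:  bash boot-hello.sh boot "$HOME/fc/api.socket"  (hypothetical file name)

# Succeed if a `uname -r` style string is kernel 4.14 or newer.
kernel_ok() {
    local major="${1%%.*}" minor="${1#*.}"
    minor="${minor%%[!0-9]*}"
    [ "$major" -gt 4 ] || { [ "$major" -eq 4 ] && [ "${minor:-0}" -ge 14 ]; }
}

# Succeed if the socket's directory is ours and closed to group and others.
sock_dir_private() {
    local dir
    dir=$(dirname "$1")
    [ -O "$dir" ] || return 1
    case $(ls -ld "$dir") in d???------*) return 0 ;; *) return 1 ;; esac
}

# PUT a JSON body to the API; succeed only on the HTTP 204 the post describes.
fc_put() {
    local sock="$1" path="$2" body="$3" code
    code=$(curl --unix-socket "$sock" -s -o /dev/null -w '%{http_code}' \
        -X PUT "http://localhost$path" \
        -H 'Accept: application/json' -H 'Content-Type: application/json' \
        -d "$body") || return 1
    [ "$code" = "204" ] && return 0
    echo "PUT $path returned HTTP $code" >&2
    return 1
}

# Host checks, then the same three PUTs as the curl commands in Step 2.
boot_hello_vm() {
    local sock="$1"
    kernel_ok "$(uname -r)" || { echo "kernel older than 4.14" >&2; return 1; }
    [ -r /dev/kvm ] && [ -w /dev/kvm ] || { echo "no rw access to /dev/kvm" >&2; return 1; }
    sock_dir_private "$sock" || { echo "socket dir open to other users" >&2; return 1; }
    fc_put "$sock" /boot-source '{"kernel_image_path": "./hello-vmlinux.bin",
        "boot_args": "console=ttyS0 reboot=k panic=1 pci=off"}' &&
    fc_put "$sock" /drives/rootfs '{"drive_id": "rootfs",
        "path_on_host": "./hello-rootfs.ext4",
        "is_root_device": true, "is_read_only": false}' &&
    fc_put "$sock" /actions '{"action_type": "InstanceStart"}'
}

if [ "${1:-}" = "boot" ]; then boot_hello_vm "${2:?usage: boot <socket path>}"; fi
```

Run Terminal 1 from the folder that holds the kernel and rootfs images, since the relative paths in the JSON bodies are resolved by the firecracker process.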

That's it! Rather simple, isn't it? In the future I plan to publish some ways I make use of firecracker and results of tests for seeing exactly how seamlessly it can be blended with traditional KVM/QEMU+Libvirt environments. I also plan to cover the basics like networking, OS hardening and the jailer at some point. So hopefully someone finds this useful!

More details can be found in the official documentation:

Getting started: https://github.com/firecracker-microvm/firecracker/blob/master/docs/getting-started.md
Design: https://github.com/firecracker-microvm/firecracker/blob/master/docs/design.md

Yay first post! Feedback and comments are appreciated.
