Getting Started with Firecracker

Published: at 12:00 AM

Firecracker is a Virtual Machine Monitor (VMM), a software layer that allows running lightweight VMs on a single physical machine. It is optimized for running microVMs, which provide a secure execution environment and have a small memory and CPU footprint, allowing fast startup times and efficient resource utilization.

This is mostly a rehash of the getting-started guide on the firecracker wiki. We’ll get into more interesting things once we have the base understanding down.

Why should I use firecracker?

Firecracker is lightweight compared to the alternatives (e.g. QEMU). It has a boot time that’s measured in milliseconds (or faster, with some tuning) and isolates microVMs from one another for a strong security posture.

There are some reasons not to use firecracker:

  1. Limited feature set: Firecracker was designed for serverless computing, so some workloads (e.g. GPU-driven ones) won’t work well.
  2. The performance overhead of not running on bare metal.

In general, it’s a pretty good fit for something that’s multitenant and running untrusted workloads.

Setting up the environment

The first step in working with firecracker is getting a host set up with access to the Linux Kernel-based Virtual Machine (KVM). I went with a GCP compute instance since they’re pretty cheap and I have free credits.

PROJECT=firecracker-project
REGION=us-west1
ZONE=us-west1-a

# Create the GCP project (this takes a few minutes)
gcloud projects create $PROJECT --enable-cloud-apis --set-as-default

# Set some defaults
gcloud config set project $PROJECT
gcloud config set compute/region $REGION
gcloud config set compute/zone $ZONE

INSTANCE_NAME=fc-vm

# Nested virtualization is the hard requirement here
# for allowing access to KVM
gcloud compute instances create $INSTANCE_NAME \
--enable-nested-virtualization \
--min-cpu-platform="Intel Haswell" \
--machine-type=n1-standard-2 \
--boot-disk-size=100GB

You can tell if your host is allowed to use KVM by running the following commands:

# is the KVM module installed
lsmod | grep kvm
# Output from when it's installed
kvm_intel             327680  0
kvm                   942080  1 kvm_intel
irqbypass              16384  1 kvm


# Some linux distributions rely on an Access Control List (ACL)
# to manage access to /dev/kvm.
# In order to give permission to yourself, run the following
sudo setfacl -m u:$(whoami):rw /dev/kvm

# Other distributions use the `kvm` group.
# You can check if your linux distribution does
# that by running the following command
bash -c '[ $(stat -c "%G" /dev/kvm) = kvm ] \
&& echo "The /dev/kvm device is managed by the kvm group"'

# To add yourself to that group run the following
sudo usermod -aG kvm $(whoami)

# Then refresh the settings for that group
# for the current terminal session
newgrp kvm

Downloading the required files

To run a guest image, we need a few things:

  1. The firecracker binary
  2. A kernel image
  3. A rootfs image

Let’s download those from the firecracker CI pipeline so that we can get a simple VM up and running:

ARCH="$(uname -m)"

# Download v1.6.0 of the firecracker binary
curl -L https://github.com/firecracker-microvm/firecracker/releases/download/v1.6.0/firecracker-v1.6.0-$ARCH.tgz | tar -xz
mv release-v1.6.0-$ARCH/firecracker-v1.6.0-${ARCH} /tmp/firecracker

# Download a linux kernel binary
wget -O /tmp/kernel.bin https://s3.amazonaws.com/spec.ccfc.min/firecracker-ci/v1.8/${ARCH}/vmlinux-5.10.209

# Download a rootfs
wget -O /tmp/rootfs.ext4 https://s3.amazonaws.com/spec.ccfc.min/firecracker-ci/v1.8/${ARCH}/ubuntu-22.04.ext4

Writing a configuration file

The simplest microVM you can create is one with only the boot source (the kernel binary) and a root filesystem (the ubuntu ext4 file). The microVM will have no network connectivity, but that’s an issue to solve later. Write the following into a file (I’m going to use ./vmconfig.json):

{
  "boot-source": {
    "kernel_image_path": "/tmp/kernel.bin",
    "boot_args": "console=ttyS0 reboot=k panic=1 pci=off"
  },
  "drives": [
    {
      "drive_id": "rootfs",
      "is_root_device": true,
      "is_read_only": false,
      "path_on_host": "/tmp/rootfs.ext4"
    }
  ]
}

Launching a uVM

Now that all the files are downloaded and the configuration is set, we can spawn a microVM through firecracker!

# Firecracker won't start if the socket file has already been
# created so attempt to delete it first.
# The binary was moved to /tmp/firecracker in the download step,
# so call it by its full path.
rm -f /tmp/firecracker.socket \
&& /tmp/firecracker \
--api-sock /tmp/firecracker.socket \
--config-file ./vmconfig.json
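
The KVM access check, the downloaded images and the socket rule above can be combined into one preflight that runs before launching. This is an added example, not code from the original article or the Firecracker project: the function names are hypothetical, the default paths are the ones used in this article, and the group/other-writable test on the images is an extra hardening assumption for files kept in a shared directory such as /tmp.

```shell
# Added example: preflight checks for the launch step (hypothetical helpers).
# Usage: fc_preflight    (all four arguments are optional)

# check_kvm [DEV] -> 0 usable, 1 missing or not a character device, 2 no rw access
check_kvm() {
  [ -c "${1:-/dev/kvm}" ] || return 1
  [ -r "${1:-/dev/kvm}" ] && [ -w "${1:-/dev/kvm}" ] || return 2
}

# check_image FILE -> 0 ok, 1 missing or unreadable, 2 writable by group/others.
# Assumption: a kernel or rootfs that other local users can modify could be
# tampered with before the guest boots it.
check_image() {
  [ -f "$1" ] && [ -r "$1" ] || return 1
  _mode="$(stat -c '%a' "$1")" || return 1
  # Leading 0 makes the mode an octal literal; 022 = group and other write bits
  [ $(( 0$_mode & 022 )) -eq 0 ] || return 2
}

# check_socket PATH -> 0 path is free, 1 stale socket left behind (remove it
# before starting), 2 path exists but is not a socket (do not delete blindly)
check_socket() {
  [ -e "$1" ] || [ -L "$1" ] || return 0
  [ -S "$1" ] && return 1
  return 2
}

# fc_preflight [KVM] [KERNEL] [ROOTFS] [SOCKET] -> exit status = failed checks
fc_preflight() {
  _fail=0
  check_kvm "${1:-/dev/kvm}" \
    || { echo "kvm: device not usable (rc=$?)"; _fail=$((_fail + 1)); }
  for _img in "${2:-/tmp/kernel.bin}" "${3:-/tmp/rootfs.ext4}"; do
    check_image "$_img" \
      || { echo "image $_img: check failed (rc=$?)"; _fail=$((_fail + 1)); }
  done
  check_socket "${4:-/tmp/firecracker.socket}" \
    || { echo "socket: path already exists (rc=$?)"; _fail=$((_fail + 1)); }
  return "$_fail"
}
```
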

You can view code samples for this article on my github