On May 28, Marc Brooker, AWS senior principal engineer, presented and hosted a live Q&A on Firecracker, an open source virtualization technology that's purpose-built for creating and managing secure, multi-tenant container and function-based services.
Since 2014, Amazon Web Services (AWS) has been offering “serverless” computing through AWS Lambda. With Lambda, customers don’t have to worry about managing servers or adjusting capacity in response to fluctuating demand. AWS does the provisioning automatically, and customers simply pay for the resources they use.
"When we first built Lambda," explains Brooker, "we had to choose between two security approaches. One, containerization, is fast and resource efficient but doesn’t provide strong isolation between customers; the other, running code inside a virtual machine, offers greater security at the cost of computational overhead. Security is always our top priority at AWS, so we built Lambda using traditional VMs."
Brooker says customers then challenged the team to offer faster scaling, lower latency, and advanced features like provisioned concurrency.
"We knew we couldn’t build those features on traditional VMs, so we built Firecracker, which we released in November 2018 as an open-source virtualization platform," Brooker explains.
Firecracker offers the best of both worlds: the security of hardware-virtualization-based virtual machines and the resource efficiency and fast startup time of containers. Firecracker has been deployed in two publicly available serverless compute services within AWS (Lambda and Fargate), where it supports millions of production workloads and trillions of requests each month.
Earlier this year, at the USENIX Symposium on Networked Systems Design and Implementation (NSDI ’20), Brooker and colleagues presented a paper, Firecracker: Lightweight Virtualization for Serverless Applications, which explains what the team learned from seamlessly migrating Lambda customers to Firecracker.