
firecracker-containerd

License: Apache-2.0 License
Development language: C/C++
Category: Cloud computing
Software type: Open source software
Region: Unknown
Submitted by: 郎鸿雪
Operating system: Cross-platform
Open source organization:
Intended audience: Unknown
Software overview

firecracker-containerd


This repository enables the use of a container runtime, containerd, to manage Firecracker microVMs. Like traditional containers, Firecracker microVMs offer fast start-up and shut-down and minimal overhead. Unlike traditional containers, however, they can provide an additional layer of isolation via the KVM hypervisor.

Potential use cases of Firecracker-based containers include:

  • Sandbox a partially or fully untrusted third party container in its own microVM. This would reduce the likelihood of leaking secrets via the third party container, for example.
  • Bin-pack disparate container workloads on the same host, while maintaining a high level of isolation between containers. Because the overhead of Firecracker is low, the achievable container density per host should be comparable to running containers using kernel-based container runtimes, without the isolation compromise of such solutions. Multi-tenant hosts would particularly benefit from this use case.

To maintain compatibility with the container ecosystem, where possible, we use container standards such as the OCI image format.

There are several components in this repository that enable containerd to use Firecracker microVMs to run containers:

  • A control plugin managing the lifecycle of the runtime and implementing our control API to manage the lifecycle of microVMs. The control plugin is compiled into the containerd binary since building a Go plugin out-of-tree is hard, which requires us to build a specialized containerd binary for firecracker-containerd.
  • A runtime linking containerd (outside the microVM) to the Firecracker virtual machine monitor (VMM). The runtime is implemented as an out-of-process shim runtime communicating over ttrpc.
  • An agent running inside the microVM, which invokes runC via containerd's containerd-shim-runc-v1 to create standard Linux containers inside the microVM.
  • A root filesystem image builder that constructs a Firecracker microVM root filesystem containing runc and the firecracker-containerd agent.

For more detailed information on the components and how they work, see architecture.md.

Roadmap

To support the widest variety of workloads, firecracker-containerd has to work with popular container orchestration frameworks such as Kubernetes and Amazon ECS, so we will work to ensure that the software is conformant or compatible where necessary. The project currently allows you to launch a few containers colocated in the same microVM, and we are exploring how to raise the number of containers. We recently added support for configuring networking at the microVM level with CNI plugins and provide a CNI plugin suitable for chaining called "tc-redirect-tap". Our short term roadmap includes constraining or "jailing" the Firecracker VMM process to improve the host security posture. Our longer-term roadmap includes polishing, packaging, and generally making firecracker-containerd easier to run as well as exploring CRI conformance and compatibility with Kubernetes.

Details of specific roadmap items are tracked in GitHub issues.

Usage

For detailed instructions on building and running firecracker-containerd, see the getting started guide and the quickstart guide.

Questions?

Please use GitHub issues to report problems, discuss roadmap items, or make feature requests.

If you've discovered an issue that may have security implications to users or developers of this software, please do not report it using GitHub issues, but instead follow Firecracker's security reporting guidelines.

Other discussion: For general discussion, please join us in the #containerd channel on the Firecracker Slack.

License

This library is licensed under the Apache 2.0 License.

  • Starting with Kubernetes 1.20, support for dockershim was dropped and containerd became the default container runtime. This article introduces the "shim" interface in containerd. Every containerd or Docker container has a corresponding "shim" daemon, which provides an API that containerd uses to manage the container's basic lifecycle (start/stop); inside the container

 Related resources
  • Firecracker is a virtualization technology built specifically for creating and managing multi-tenant containers and function-based services. Written in Rust, it aims to improve the speed and efficiency of services such as AWS Lambda and AWS Fargate. It is a virtualization technology that provides a serverless operating model, built specifically for creating and managing multi-tenant containers and function-based services. Firecracker runs workloads in lightweight virtual machines, which AWS calls microVMs, combining hardware virtualization

  • This article introduces "Goodbye Docker: how to switch to containerd in 5 minutes", including usage tips and caveats for switching from Docker to containerd in 5 minutes, for readers who need them. Docker is a very popular container technology, and articles have often said it was dropped by K8S in favour of another container technology, containerd! In fact containerd is just the low-level container runtime split out of Docker, and using it is no different from using Docker. This article

  • Question: These things are really getting confusing now. Can someone explain what is going on? Just a straightforward one-line difference. Thanks. Answer: dockerd - the Docker daemon itself. The highest-level component in the list, and the only "Docker" product listed. Provides all of Docker's excellent UX features. (docker-)containerd - another daemon, listening on a Unix socket and exposing gRPC endpoints. Handles all low-level container management tasks: storage, image distribution, network attachment

  • containerd is an industry-standard container runtime that emphasizes simplicity, robustness and portability. It can run as a daemon on Linux and Windows and manage the complete container lifecycle of its host system: image transfer and storage, container execution and supervision, low-level storage and network attachment, and so on. containerd is a daemon that controls runC, primarily for performance and density. containerd provides a command-line client and an API for managing containers on a single machine. containerd uses