Installing Firecracker on arm64 + Ubuntu 18.04

 https://github.com/firecracker-microvm/firecracker/blob/master/docs/getting-started.md

 https://aws.amazon.com/cn/blogs/china/firecracker-open-source-secure-fast-microvm-serverless/

https://aws.amazon.com/cn/blogs/china/firecracker-lightweight-virtualization-for-serverless-computing/

root@ubuntu:~# uname -a
Linux ubuntu 5.0.0-23-generic #24~18.04.1-Ubuntu SMP Mon Jul 29 16:10:24 UTC 2019 aarch64 aarch64 aarch64 GNU/Linux
root@ubuntu:~# 
root@ubuntu:/etc/network# modprobe kvm
modprobe: FATAL: Module kvm not found in directory /lib/modules/5.0.0-23-generic
root@ubuntu:/etc/network# cd /lib/modules/5.0.0-23-generic
root@ubuntu:/lib/modules/5.0.0-23-generic# find ./ -name *kvm*
root@ubuntu:/lib/modules/5.0.0-23-generic# 

Firecracker is built on KVM and needs read/write access to /dev/kvm. Log in to the host in a terminal and set that access:

  chmod 777 /dev/kvm
root@ubuntu:/etc/network# ls /dev/kvm
/dev/kvm
root@ubuntu:/lib/modules/5.0.0-23-generic# kvm-ok

Command 'kvm-ok' not found, but can be installed with:

apt install cpu-checker

root@ubuntu:/lib/modules/5.0.0-23-generic# apt install cpu-checker
Reading package lists... Done
Building dependency tree       
Reading state information... Done
The following NEW packages will be installed:

Now install the kvm-ok utility with the following command; it determines whether your server can run hardware-accelerated KVM virtual machines:

root@ubuntu:/lib/modules/5.0.0-23-generic# kvm-ok
INFO: /dev/kvm exists
KVM acceleration can be used
root@ubuntu:/lib/modules/5.0.0-23-generic# 
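The session above shows two things worth checking in a script rather than by eye: `modprobe kvm` fails on this arm64 kernel because KVM is compiled in (there is no kvm.ko to load, so `find` finds nothing), and Firecracker only needs the invoking user to be able to open `/dev/kvm`. The following pre-flight script is an added example, not part of the original post or of the Firecracker project; the function names and the optional config-file and device arguments are its own. It reports whether KVM is built in, whether the current user can already open the device, and, when not, the group-membership fix that avoids making the hypervisor device world-writable.

```shell
#!/bin/sh
# Added example, not from the original post: a pre-flight check for the KVM
# prerequisites Firecracker needs on this arm64 host. It explains the two
# things seen above: "modprobe kvm" fails because KVM is built into the
# arm64 Ubuntu kernel rather than shipped as a module, and /dev/kvm must be
# readable and writable by the user that will run firecracker.
# The function names and the config-file/device arguments are this example's own.

# kvm_builtin_check [CONFIG_FILE]: reads the kernel config (default
# /boot/config-$(uname -r)) and prints builtin, module or unknown.
kvm_builtin_check() {
    cfg=${1:-/boot/config-$(uname -r)}
    [ -r "$cfg" ] || { echo unknown; return 0; }
    case $(grep -E '^CONFIG_KVM=' "$cfg" | head -n 1) in
        CONFIG_KVM=y) echo builtin ;;   # no kvm.ko exists; modprobe is expected to fail
        CONFIG_KVM=m) echo module ;;    # modprobe kvm (plus kvm_intel/kvm_amd on x86) needed
        *)            echo unknown ;;
    esac
}

# kvm_device_check [DEVICE]: prints ok / missing / no-access and returns 0
# only when DEVICE (default /dev/kvm) exists and the caller can open it for
# reading and writing, which is exactly what Firecracker requires.
kvm_device_check() {
    dev=${1:-/dev/kvm}
    if [ ! -e "$dev" ]; then
        echo missing; return 1      # KVM disabled, or virtualization off in firmware
    fi
    if [ -r "$dev" ] && [ -w "$dev" ]; then
        echo ok; return 0
    fi
    echo no-access; return 1
}

# kvm_access_advice [DEVICE]: show who owns the device and the least-privilege
# way to get access: membership in the device's group (root:kvm 0660 is the
# usual udev default) rather than chmod 777, which hands every local user a
# handle to the hypervisor.
kvm_access_advice() {
    dev=${1:-/dev/kvm}
    [ -e "$dev" ] || { echo "$dev does not exist"; return 1; }
    grp=$(stat -c '%G' "$dev")
    echo "$dev is $(stat -c '%U:%G mode %a' "$dev")"
    echo "grant access with: usermod -aG $grp <user>   (then log in again)"
}

# Run the checks only when asked, so the file can also be sourced.
if [ "${KVM_CHECK_RUN:-0}" = 1 ]; then
    echo "CONFIG_KVM: $(kvm_builtin_check)"
    if ! kvm_device_check; then kvm_access_advice; fi
fi
```

Run it with `KVM_CHECK_RUN=1 sh kvm-check.sh` as the user that will launch firecracker (not as root, or the access check is trivially true). On the host in this post it prints `builtin` and `ok`, which is why the failed modprobe can be ignored.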

Download Firecracker

latest=$(basename $(curl -fsSLI -o /dev/null -w  %{url_effective} https://github.com/firecracker-microvm/firecracker/releases/latest))
curl -LOJ https://github.com/firecracker-microvm/firecracker/releases/download/${latest}/firecracker-${latest}-$(uname -m)
mv firecracker-${latest}-$(uname -m) firecracker
root@ubuntu:~# ls
firecracker.sh  firecracker-v0.22.0-aarch64
root@ubuntu:~# du -sh *
4.0K    firecracker.sh
1.6M    firecracker-v0.22.0-aarch64
root@ubuntu:~# 
root@ubuntu:~# mv firecracker-v0.22.0-aarch64  firecracker
root@ubuntu:~# ./firecracker --version
Firecracker v0.22.0

root@ubuntu:~# 

Download the kernel and rootfs

To run an aarch64 guest, download them from: kernel and rootfs.

2. Run Firecracker

  It stays waiting until InstanceStart is sent.

root@ubuntu:~# ./firecracker --api-sock /tmp/firecracker.socket

3. Start the microVM

root@ubuntu:~# kernel_path=$(pwd)"/rootfs/vmlinux.bin"
root@ubuntu:~# curl --unix-socket /tmp/firecracker.socket -i \
>       -X PUT 'http://localhost/boot-source'   \
>       -H 'Accept: application/json'           \
>       -H 'Content-Type: application/json'     \
>       -d "{
>             \"kernel_image_path\": \"${kernel_path}\",
>             \"boot_args\": \"keep_bootcon console=ttyS0 reboot=k panic=1 pci=off\"
>        }"
HTTP/1.1 204 
Server: Firecracker API
Connection: keep-alive

root@ubuntu:~# rootfs_path=$(pwd)"/rootfs/xenial.rootfs.ext4"
root@ubuntu:~# curl --unix-socket /tmp/firecracker.socket -i \
>   -X PUT 'http://localhost/drives/rootfs' \
>   -H 'Accept: application/json'           \
>   -H 'Content-Type: application/json'     \
>   -d "{
>         \"drive_id\": \"rootfs\",
>         \"path_on_host\": \"${rootfs_path}\",
>         \"is_root_device\": true,
>         \"is_read_only\": false
>    }"
HTTP/1.1 204 
Server: Firecracker API
Connection: keep-alive

root@ubuntu:~# curl --unix-socket /tmp/firecracker.socket -i \
>   -X PUT 'http://localhost/actions'       \
>   -H  'Accept: application/json'          \
>   -H  'Content-Type: application/json'    \
>   -d '{
>       "action_type": "InstanceStart"
>    }'
HTTP/1.1 204 
Server: Firecracker API
Connection: keep-alive
root@ubuntu:~# ./firecracker --api-sock /tmp/firecracker.socket
[    0.000000] Booting Linux on physical CPU 0x0
[    0.000000] Linux version 4.14.138 (sandreim@firecracker-arm-ci) (gcc version 7.4.0 (Ubuntu/Linaro 7.4.0-1ubuntu1~18.04.1)) #1 SMP Tue Sep 10 12:26:05 UTC 2019
[    0.000000] Boot CPU: AArch64 Processor [410fd082]
[    0.000000] Machine model: linux,dummy-virt
[    0.000000] debug: skip boot console de-registration.
[    0.000000] earlycon: uart0 at MMIO 0x0000000040001000 (options '')
[    0.000000] bootconsole [uart0] enabled
[    0.000000] efi: Getting EFI parameters from FDT:
[    0.000000] efi: UEFI not found.
[    0.000000] NUMA: No NUMA configuration found
[    0.000000] NUMA: Faking a node at [mem 0x0000000000000000-0x0000000087ffffff]
[    0.000000] NUMA: NODE_DATA [mem 0x87edac80-0x87ef3fff]
[    0.000000] Zone ranges:
[    0.000000]   DMA      [mem 0x0000000080000000-0x0000000087ffffff]
[    0.000000]   Normal   empty
[    0.000000] Movable zone start for each node
[    0.000000] Early memory node ranges
[    0.000000]   node   0: [mem 0x0000000080000000-0x0000000087ffffff]
[    0.000000] Initmem setup node 0 [mem 0x0000000080000000-0x0000000087ffffff]
[    0.000000] psci: probing for conduit method from DT.
[    0.000000] psci: PSCIv1.0 detected in firmware.
[    0.000000] psci: Using standard PSCI v0.2 function IDs
[    0.000000] psci: Trusted OS migration not required
[    0.000000] psci: SMC Calling Convention v1.1
[    0.000000] random: get_random_bytes called from start_kernel+0x9c/0x3f0 with crng_init=0
[    0.000000] percpu: Embedded 20 pages/cpu s42136 r8192 d31592 u81920
[    0.000000] Detected PIPT I-cache on CPU0
[    0.000000] Built 1 zonelists, mobility grouping on.  Total pages: 32256
[    0.000000] Policy zone: DMA
[    0.000000] Kernel command line: keep_bootcon console=ttyS0 reboot=k panic=1 pci=off earlycon=uart,mmio,0x40001000 root=/dev/vda rw
[    0.000000] PID hash table entries: 512 (order: 0, 4096 bytes)
[    0.000000] Memory: 102296K/131072K available (5948K kernel code, 538K rwdata, 1372K rodata, 448K init, 2746K bss, 28776K reserved, 0K cma-reserved)
[    0.000000] Virtual kernel memory layout:
[    0.000000]     modules : 0xffffff8000000000 - 0xffffff8008000000   (   128 MB)
[    0.000000]     vmalloc : 0xffffff8008000000 - 0xffffffbebfff0000   (   250 GB)
[    0.000000]       .text : 0xffffff8008080000 - 0xffffff8008650000   (  5952 KB)
[    0.000000]     .rodata : 0xffffff8008650000 - 0xffffff80087b0000   (  1408 KB)
[    0.000000]       .init : 0xffffff80087b0000 - 0xffffff8008820000   (   448 KB)
[    0.000000]       .data : 0xffffff8008820000 - 0xffffff80088a6a00   (   539 KB)
[    0.000000]        .bss : 0xffffff80088a6a00 - 0xffffff8008b55298   (  2747 KB)
[    0.000000]     fixed   : 0xffffffbefe7fb000 - 0xffffffbefec00000   (  4116 KB)
[    0.000000]     PCI I/O : 0xffffffbefee00000 - 0xffffffbeffe00000   (    16 MB)
[    0.000000]     vmemmap : 0xffffffbf00000000 - 0xffffffc000000000   (     4 GB maximum)
[    0.000000]               0xffffffbf00000000 - 0xffffffbf00200000   (     2 MB actual)
[    0.000000]     memory  : 0xffffffc000000000 - 0xffffffc008000000   (   128 MB)
[    0.000000] SLUB: HWalign=64, Order=0-3, MinObjects=0, CPUs=1, Nodes=1
[    0.000000] Hierarchical RCU implementation.
[    0.000000]  RCU restricting CPUs from NR_CPUS=128 to nr_cpu_ids=1.
[    0.000000] RCU: Adjusting geometry for rcu_fanout_leaf=16, nr_cpu_ids=1
[    0.000000] NR_IRQS: 64, nr_irqs: 64, preallocated irqs: 0
[    0.000000] GICv3: no VLPI support, no direct LPI support
[    0.000000] GICv3: CPU0: found redistributor 0 region 0:0x000000003ffd0000
[    0.000000] arch_timer: cp15 timer(s) running at 50.00MHz (virt).
[    0.000000] clocksource: arch_sys_counter: mask: 0xffffffffffffff max_cycles: 0xb8812736b, max_idle_ns: 440795202655 ns
[    0.000005] sched_clock: 56 bits at 50MHz, resolution 20ns, wraps every 4398046511100ns
[    0.002380] Console: colour dummy device 80x25
[    0.003267] Calibrating delay loop (skipped), value calculated using timer frequency.. 100.00 BogoMIPS (lpj=200000)
[    0.004973] pid_max: default: 32768 minimum: 301
[    0.005883] Security Framework initialized
[    0.006678] SELinux:  Initializing.
[    0.007483] Dentry cache hash table entries: 16384 (order: 5, 131072 bytes)
[    0.008719] Inode-cache hash table entries: 8192 (order: 4, 65536 bytes)
[    0.009835] Mount-cache hash table entries: 512 (order: 0, 4096 bytes)
[    0.010967] Mountpoint-cache hash table entries: 512 (order: 0, 4096 bytes)
[    0.016669] ASID allocator initialised with 32768 entries
[    0.017646] Hierarchical SRCU implementation.
[    0.019121] EFI services will not be available.
[    0.019951] smp: Bringing up secondary CPUs ...
[    0.020694] smp: Brought up 1 node, 1 CPU
[    0.021346] SMP: Total of 1 processors activated.
[    0.022122] CPU features: detected feature: GIC system register CPU interface
[    0.023343] CPU features: detected feature: 32-bit EL0 Support
[    0.024295] CPU features: detected feature: Kernel page table isolation (KPTI)
[    0.028396] CPU: All CPU(s) started at EL1
[    0.029080] alternatives: patching kernel code
[    0.031207] devtmpfs: initialized
[    0.032948] clocksource: jiffies: mask: 0xffffffff max_cycles: 0xffffffff, max_idle_ns: 7645041785100000 ns
[    0.034563] futex hash table entries: 256 (order: 3, 32768 bytes)
[    0.035956] DMI not present or invalid.
[    0.037378] NET: Registered protocol family 16
[    0.039630] cpuidle: using governor ladder
[    0.040414] cpuidle: using governor menu
[    0.041078] vdso: 2 pages (1 code @ ffffff8008656000, 1 data @ ffffff8008825000)
[    0.042337] hw-breakpoint: found 6 breakpoint and 4 watchpoint registers.
[    0.044642] DMA: preallocated 256 KiB pool for atomic allocations
[    0.055179] HugeTLB registered 2.00 MiB page size, pre-allocated 0 pages
[    0.056907] dmi: Firmware registration failed.
[    0.058893] NetLabel: Initializing
[    0.059455] NetLabel:  domain hash size = 128
[    0.060165] NetLabel:  protocols = UNLABELED CIPSOv4 CALIPSO
[    0.061414] NetLabel:  unlabeled traffic allowed by default
[    0.062856] clocksource: Switched to clocksource arch_sys_counter
[    0.063965] VFS: Disk quotas dquot_6.6.0
[    0.064622] VFS: Dquot-cache hash table entries: 512 (order 0, 4096 bytes)
[    0.069753] NET: Registered protocol family 2
[    0.072087] TCP established hash table entries: 1024 (order: 1, 8192 bytes)
[    0.073242] TCP bind hash table entries: 1024 (order: 2, 16384 bytes)
[    0.074308] TCP: Hash tables configured (established 1024 bind 1024)
[    0.075682] UDP hash table entries: 256 (order: 1, 8192 bytes)
[    0.076643] UDP-Lite hash table entries: 256 (order: 1, 8192 bytes)
[    0.078062] NET: Registered protocol family 1
[    0.080339] audit: initializing netlink subsys (disabled)
[    0.081772] Initialise system trusted keyrings
[    0.082608] Key type blacklist registered
[    0.083353] audit: type=2000 audit(0.076:1): state=initialized audit_enabled=0 res=1
[    0.084702] workingset: timestamp_bits=36 max_order=15 bucket_order=0
[    0.090460] squashfs: version 4.0 (2009/01/31) Phillip Lougher
[    0.093841] Key type asymmetric registered
[    0.094629] Asymmetric key parser 'x509' registered
[    0.095448] Block layer SCSI generic (bsg) driver version 0.4 loaded (major 253)
[    0.096862] io scheduler noop registered (default)
[    0.097769] io scheduler cfq registered
[    0.098982] Serial: 8250/16550 driver, 1 ports, IRQ sharing disabled
[    0.100842] console [ttyS0] disabled
[    0.101480] 40001000.uart: ttyS0 at MMIO 0x40001000 (irq = 7, base_baud = 1500000) is a 16550A
[    0.103104] console [ttyS0] enabled
[    0.103104] console [ttyS0] enabled
[    0.104624] cacheinfo: Unable to detect cache hierarchy for CPU 0
[    0.104624] cacheinfo: Unable to detect cache hierarchy for CPU 0
[    0.109583] loop: module loaded
[    0.109583] loop: module loaded
[    0.111782] tun: Universal TUN/TAP device driver, 1.6
[    0.111782] tun: Universal TUN/TAP device driver, 1.6
[    0.113946] rtc-pl031 40002000.rtc: rtc core: registered pl031 as rtc0
[    0.113946] rtc-pl031 40002000.rtc: rtc core: registered pl031 as rtc0
[    0.116470] hidraw: raw HID events driver (C) Jiri Kosina
[    0.116470] hidraw: raw HID events driver (C) Jiri Kosina
[    0.118496] nf_conntrack version 0.5.0 (1024 buckets, 4096 max)
[    0.118496] nf_conntrack version 0.5.0 (1024 buckets, 4096 max)
[    0.121228] ip_tables: (C) 2000-2006 Netfilter Core Team
[    0.121228] ip_tables: (C) 2000-2006 Netfilter Core Team
[    0.123287] Initializing XFRM netlink socket
[    0.123287] Initializing XFRM netlink socket
[    0.124907] NET: Registered protocol family 10
[    0.124907] NET: Registered protocol family 10
[    0.128481] Segment Routing with IPv6
[    0.128481] Segment Routing with IPv6
[    0.129837] NET: Registered protocol family 17
[    0.129837] NET: Registered protocol family 17
[    0.131737] Bridge firewalling registered
[    0.131737] Bridge firewalling registered
[    0.133216] NET: Registered protocol family 40
[    0.133216] NET: Registered protocol family 40
[    0.135063] registered taskstats version 1
[    0.135063] registered taskstats version 1
[    0.136422] Loading compiled-in X.509 certificates
[    0.136422] Loading compiled-in X.509 certificates
[    0.139391] Loaded X.509 cert 'Build time autogenerated kernel key: b3774bf1581b8d0fab766a23125e46fa20f6b48c'
[    0.139391] Loaded X.509 cert 'Build time autogenerated kernel key: b3774bf1581b8d0fab766a23125e46fa20f6b48c'
[    0.142816] zswap: default zpool zbud not available
[    0.142816] zswap: default zpool zbud not available
[    0.144429] zswap: pool creation failed
[    0.144429] zswap: pool creation failed
[    0.146028] Key type encrypted registered
[    0.146028] Key type encrypted registered
[    0.147673] rtc-pl031 40002000.rtc: setting system clock to 2020-09-27 03:15:57 UTC (1601176557)
[    0.147673] rtc-pl031 40002000.rtc: setting system clock to 2020-09-27 03:15:57 UTC (1601176557)
[    0.154643] EXT4-fs (vda): mounted filesystem with ordered data mode. Opts: (null)
[    0.154643] EXT4-fs (vda): mounted filesystem with ordered data mode. Opts: (null)
[    0.157147] VFS: Mounted root (ext4 filesystem) on device 254:0.
[    0.157147] VFS: Mounted root (ext4 filesystem) on device 254:0.
[    0.159736] devtmpfs: mounted
[    0.159736] devtmpfs: mounted
[    0.160921] Freeing unused kernel memory: 448K
[    0.160921] Freeing unused kernel memory: 448K
SELinux:  Could not open policy file <= /etc/selinux/targeted/policy/policy.31:  No such file or directory
[    0.252285] systemd[1]: systemd 237 running in system mode. (+PAM +AUDIT +SELINUX +IMA +APPARMOR +SMACK +SYSVINIT +UTMP +LIBCRYPTSETUP +GCRYPT +GNUTLS +ACL +XZ +LZ4 +SECCOMP +BLKID +ELFUTILS +KMOD -IDN2 +IDN -PCRE2 default-hierarchy=hybrid)
[    0.252285] systemd[1]: systemd 237 running in system mode. (+PAM +AUDIT +SELINUX +IMA +APPARMOR +SMACK +SYSVINIT +UTMP +LIBCRYPTSETUP +GCRYPT +GNUTLS +ACL +XZ +LZ4 +SECCOMP +BLKID +ELFUTILS +KMOD -IDN2 +IDN -PCRE2 default-hierarchy=hybrid)
[    0.260373] systemd[1]: Detected architecture arm64.
[    0.260373] systemd[1]: Detected architecture arm64.

Welcome to Ubuntu 18.04.2 LTS!

[    0.265412] systemd[1]: Set hostname to <fadfdd4af58a>.
[    0.265412] systemd[1]: Set hostname to <fadfdd4af58a>.
[    0.356837] random: fast init done
[    0.356837] random: fast init done
[    0.374322] random: systemd: uninitialized urandom read (16 bytes read)
[    0.374322] random: systemd: uninitialized urandom read (16 bytes read)
[    0.377079] systemd[1]: Started Dispatch Password Requests to Console Directory Watch.
[    0.377079] systemd[1]: Started Dispatch Password Requests to Console Directory Watch.
[  OK  ] Started Dispatch Password Requests to Console Directory Watch.
[    0.381892] random: systemd: uninitialized urandom read (16 bytes read)
[    0.381892] random: systemd: uninitialized urandom read (16 bytes read)
[    0.384431] systemd[1]: Started Forward Password Requests to Wall Directory Watch.
[    0.384431] systemd[1]: Started Forward Password Requests to Wall Directory Watch.
[  OK  ] Started Forward Password Requests to Wall Directory Watch.
[    0.388734] random: systemd: uninitialized urandom read (16 bytes read)
[    0.388734] random: systemd: uninitialized urandom read (16 bytes read)
[    0.391020] systemd[1]: Reached target Local Encrypted Volumes.
[    0.391020] systemd[1]: Reached target Local Encrypted Volumes.
[  OK  ] Reached target Local Encrypted Volumes.
[    0.394355] systemd[1]: Reached target Paths.
[    0.394355] systemd[1]: Reached target Paths.
[  OK  ] Reached target Paths.
[    0.397136] systemd[1]: Reached target Remote File Systems.
[    0.397136] systemd[1]: Reached target Remote File Systems.
[  OK  ] Reached target Remote File Systems.
[    0.400413] systemd[1]: Reached target Swap.
[    0.400413] systemd[1]: Reached target Swap.
[  OK  ] Reached target Swap.
[    0.403270] systemd[1]: Set up automount Arbitrary Executable File Formats File System Automount Point.
[    0.403270] systemd[1]: Set up automount Arbitrary Executable File Formats File System Automount Point.
[  OK  ] Set up automount Arbitrary Executab…rmats File System Automount Point.
[  OK  ] Created slice System Slice.
[  OK  ] Reached target Slices.
[  OK  ] Listening on Journal Socket.
         Starting Load Kernel Modules...
         Starting Remount Root and Kernel File Systems...
[  OK  ] Created slice system-serialx2dgetty.slice.
[  OK  ] Listening on udev Control Socket.
         Mounting Huge Pages File System...
[  OK  ] Listening on Journal Socket (/dev/log).
         Starting Create Static Device Nodes in /dev...
         Mounting POSIX Message Queue File System...
[  OK  ] Listening on Journal Audit Socket.
         Starting Journal Service...
[  OK  ] Listening on udev Kernel Socket.
         Starting udev Coldplug all Devices...
         Mounting Kernel Debug File System...
[  OK  ] Listening on /dev/initctl Compatibility Named Pipe.
[  OK  ] Reached target Sockets.
[  OK  ] Started Load Kernel Modules.
[  OK  ] Started Journal Service.
[  OK  ] Started Remount Root and Kernel File Systems.
[  OK  ] Mounted Huge Pages File System.
[  OK  ] Started Create Static Device Nodes in /dev.
[  OK  ] Mounted POSIX Message Queue File System.
[  OK  ] Mounted Kernel Debug File System.
[  OK  ] Reached target Local File Systems (Pre).
         Starting udev Kernel Device Manager...
         Starting Load/Save Random Seed...
[  OK  ] Reached target Local File Systems.
         Starting Flush Journal to Persistent Storage...
         Starting Apply Kernel Variables...
[  OK  ] Started Load/Save Random Seed.
[  OK  ] Started udev Kernel Device Manager.
[  OK  ] Started udev Coldplug all Devices.
[  OK  ] Started Apply Kernel Variables.
[  OK  ] Started Flush Journal to Persistent Storage.
         Starting Create Volatile Files and Directories...
[  OK  ] Started Create Volatile Files and Directories.
         Starting Update UTMP about System Boot/Shutdown...
[  OK  ] Started Update UTMP about System Boot/Shutdown.
[  OK  ] Reached target System Initialization.
[  OK  ] Reached target Basic System.
[  OK  ] Started Discard unused blocks once a week.
[  OK  ] Started Set the CPU Frequency Scaling governor.
[  OK  ] Started Message of the Day.
         Starting getty on tty2-tty6 if dbus and logind are not available...
         Starting fcnet.service...
         Starting OpenBSD Secure Shell server...
[  OK  ] Started Daily Cleanup of Temporary Directories.
[  OK  ] Started Daily apt download activities.
[  OK  ] Started Daily apt upgrade and clean activities.
[  OK  ] Reached target Timers.
         Starting Permit User Sessions...
[  OK  ] Found device /dev/ttyS0.
[  OK  ] Started Permit User Sessions.
[  OK  ] Started fcnet.service.
[  OK  ] Started getty on tty2-tty6 if dbus and logind are not available.
[  OK  ] Started OpenBSD Secure Shell server.
[  OK  ] Created slice system-getty.slice.
[  OK  ] Started Getty on tty2.
[  OK  ] Started Getty on tty6.
[  OK  ] Started Getty on tty3.
[  OK  ] Started Getty on tty4.
[  OK  ] Started Getty on tty5.
         Starting Discard unused blocks...
[  OK  ] Started Serial Getty on ttyS0.
[  OK  ] Reached target Login Prompts.
[  OK  ] Reached target Multi-User System.
[  OK  ] Reached target Graphical Interface.
         Starting Update UTMP about System Runlevel Changes...
         Starting Daily apt download activities...
[  OK  ] Started Discard unused blocks.
[  OK  ] Started Update UTMP about System Runlevel Changes.
[FAILED] Failed to start Daily apt download activities.
See 'systemctl status apt-daily.service' for details.
         Starting Daily apt upgrade and clean activities...
[FAILED] Failed to start Daily apt upgrade and clean activities.
See 'systemctl status apt-daily-upgrade.service' for details.

Ubuntu 18.04.2 LTS fadfdd4af58a ttyS0

fadfdd4af58a login: 

root@ubuntu:~# ps -elf | grep firecracker
0 S root      7033  3868  0  80   0 - 34171 ep_pol 11:00 pts/0    00:00:01 ./firecracker --api-sock /tmp/firecracker.socket
0 S root      7127  7096  0  80   0 -  1096 pipe_w 11:28 pts/2    00:00:00 grep --color=auto firecracker
root@ubuntu:~#

Firecracker research: a first look

Overview

Firecracker is AWS's open-source secure and fast micro virtual machine (microVM) for serverless computing.
According to the AWS website, when AWS Lambda launched, a dedicated EC2 instance was used for each customer to achieve the desired isolation.
Firecracker was later developed for efficiency reasons.

Features

  • Secure: multiple layers of isolation and protection, with a minimal exposed attack surface.
  • Fast: boots a microVM within 125 ms (to be made even faster in 2019).
  • Battle-tested: already powers several high-volume AWS services, including AWS Lambda and AWS Fargate.
  • Low overhead: each microVM uses only 5 MiB of memory.

Security

Some of Firecracker's security features:

  • Simple guest model: a Firecracker guest gets a very simple virtualized device model to minimize the attack surface: a network device, a block I/O device, a programmable interval timer, the KVM clock, a serial console, and a partial keyboard.
  • Process jail: the Firecracker process is jailed with cgroups and seccomp BPF, and has access to only a small, tightly controlled list of system calls.
  • Static linking: the Firecracker process is statically linked and can be launched via the jailer, to keep the host environment as safe and clean as possible.

Quick-start steps

On a local machine: Firecracker currently supports Linux x86_64 hosts with kernel 4.14+, KVM enabled, and read/write access to /dev/kvm.
Three files are needed first (the firecracker binary, a root filesystem and a Linux kernel).
Open two terminal windows.

  • In the first window:

    • Make sure Firecracker can create its Unix socket:

      rm -f /tmp/firecracker.socket
    • Start Firecracker:

      ./firecracker --api-sock /tmp/firecracker.socket
  • In the second window:

    • Set the kernel:

      curl --unix-socket /tmp/firecracker.socket -i \
      -X PUT 'http://localhost/boot-source' \
      -H 'Accept: application/json' \
      -H 'Content-Type: application/json' \
      -d '{
      "kernel_image_path": "./hello-vmlinux.bin",
      "boot_args": "console=ttyS0 reboot=k panic=1 pci=off"
      }'
    • Set the root filesystem:

      curl --unix-socket /tmp/firecracker.socket -i \
      -X PUT 'http://localhost/drives/rootfs' \
      -H 'Accept: application/json' \
      -H 'Content-Type: application/json' \
      -d '{
      "drive_id": "rootfs",
      "path_on_host": "./hello-rootfs.ext4",
      "is_root_device": true,
      "is_read_only": false
      }'
    • Start the machine:

      curl --unix-socket /tmp/firecracker.socket -i \
      -X PUT 'http://localhost/actions' \
      -H 'Accept: application/json' \
      -H 'Content-Type: application/json' \
      -d '{
      "action_type": "InstanceStart"
      }'
 Creating thousands of microVMs on a bare-metal instance?

for ((i=0; i<1000; i++)); do
    ./firecracker-v0.10.1 --api-sock /tmp/firecracker-$i.sock &
done
Multiple microVMs can be configured with the same shared root filesystem, with each microVM then given its own read/write portion.

 References

Tutorial: Getting Started with Firecracker on VMware Fusion

https://thenewstack.io/tutorial-getting-started-with-firecracker-on-vmware-fusion/

Query

root@ubuntu:~# cat get_vm.sh 
curl -s --unix-socket /tmp/firecracker.socket  \
        -X GET 'http://localhost/machine-config' \
        -H 'Accept: application/json' \
        -H 'Content-Type: application/json'
root@ubuntu:~# bash  get_vm.sh
root@ubuntu:~# bash  get_vm.sh
{ "vcpu_count": 1, "mem_size_mib": 128,  "ht_enabled": false,  "cpu_template": "Uninitialized" }
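The boot sequence in section 3, the quick-start steps and get_vm.sh all drive the same REST API over the Unix socket, and in each case the 204 after every PUT is checked by eye before InstanceStart is sent. The script below is an added example, not code from the original post or from the Firecracker project; it puts the same calls in one place, builds each JSON body through a function that escapes the host path (so a path containing a quote or backslash cannot break out of the body), and refuses to continue to InstanceStart unless every earlier request returned 2xx. It also sets machine-config explicitly, so the 1 vCPU / 128 MiB seen in the query above is a choice rather than a default. Assumed names: FC_SOCK, FC_KERNEL, FC_ROOTFS, FC_VCPUS, FC_MEM_MIB and the FC_BOOT switch are this example's own; the field names follow the v0.22-era API the post exercises (including ht_enabled).

```shell
#!/bin/sh
# Added example, not from the original post or the Firecracker project:
# a minimal driver for the Firecracker API socket used in section 3, in the
# quick-start and in get_vm.sh. Request bodies are built by functions that
# escape the values, and every PUT is checked for a 2xx status before the
# next step, so a bad path never reaches InstanceStart.
# Assumed names: FC_SOCK, FC_KERNEL, FC_ROOTFS, FC_VCPUS, FC_MEM_MIB, FC_BOOT.
# Field names follow the v0.22-era API shown in the post (ht_enabled etc.).

: "${FC_SOCK:=/tmp/firecracker.socket}"
: "${FC_KERNEL:=$PWD/rootfs/vmlinux.bin}"
: "${FC_ROOTFS:=$PWD/rootfs/xenial.rootfs.ext4}"
: "${FC_VCPUS:=1}"
: "${FC_MEM_MIB:=128}"

# json_str VALUE: print VALUE as a JSON string literal. Backslashes and double
# quotes are escaped, so a host path cannot terminate the string early.
json_str() {
    printf '"%s"' "$(printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g')"
}

# Body builders for the three PUTs the post makes, plus machine-config.
boot_source_body() {      # KERNEL_PATH BOOT_ARGS
    printf '{"kernel_image_path": %s, "boot_args": %s}' \
        "$(json_str "$1")" "$(json_str "$2")"
}
rootfs_body() {           # ROOTFS_PATH [IS_READ_ONLY, default false]
    printf '{"drive_id": "rootfs", "path_on_host": %s, "is_root_device": true, "is_read_only": %s}' \
        "$(json_str "$1")" "${2:-false}"
}
machine_config_body() {   # VCPU_COUNT MEM_SIZE_MIB
    printf '{"vcpu_count": %d, "mem_size_mib": %d, "ht_enabled": false}' "$1" "$2"
}

# fc_api METHOD PATH [BODY]: send one request over the Unix socket, print the
# response body, and return 1 unless the status is 2xx (Firecracker answers
# 204 to a successful PUT and 200 with JSON to GET /machine-config).
fc_api() {
    method=$1; path=$2; body=${3:-}
    resp=$(mktemp)
    if [ -n "$body" ]; then
        code=$(curl -s --unix-socket "$FC_SOCK" -o "$resp" -w '%{http_code}' \
                -X "$method" "http://localhost/$path" \
                -H 'Accept: application/json' -H 'Content-Type: application/json' \
                -d "$body")
    else
        code=$(curl -s --unix-socket "$FC_SOCK" -o "$resp" -w '%{http_code}' \
                -X "$method" "http://localhost/$path" -H 'Accept: application/json')
    fi
    cat "$resp"; rm -f "$resp"
    case $code in
        2??) return 0 ;;
        *)   echo "firecracker: $method /$path failed with HTTP $code" >&2; return 1 ;;
    esac
}

# fc_boot_microvm: the post's sequence with status checks between the steps.
# Uses the quick-start boot args without keep_bootcon, so the guest log is
# not printed twice through both the boot console and ttyS0.
fc_boot_microvm() {
    fc_api PUT machine-config "$(machine_config_body "$FC_VCPUS" "$FC_MEM_MIB")" || return 1
    fc_api PUT boot-source "$(boot_source_body "$FC_KERNEL" "console=ttyS0 reboot=k panic=1 pci=off")" || return 1
    fc_api PUT drives/rootfs "$(rootfs_body "$FC_ROOTFS")" || return 1
    fc_api PUT actions '{"action_type": "InstanceStart"}' || return 1
    fc_api GET machine-config; echo
}

# Only talk to the socket when explicitly asked, so the file can be sourced.
if [ "${FC_BOOT:-0}" = 1 ]; then
    fc_boot_microvm
fi
```

With a firecracker process listening on `/tmp/firecracker.socket`, `FC_BOOT=1 sh fc-boot.sh` configures and starts the guest and prints the resulting machine-config; for the per-instance loop above, run it once per instance with `FC_SOCK=/tmp/firecracker-$i.sock`. Because each step is checked, a typo in the rootfs path stops the script at `drives/rootfs` with the HTTP status on stderr instead of starting a microVM that then fails to mount root.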
Original post: https://www.cnblogs.com/dream397/p/13738392.html