I similarly have built bootable disk images with various tools including buildah and have never been able to fully get away from needing root for various chrooty/loopbacky parts of the process. In principle, it should be very possible to point grub at a filesystem-in-a-file and be like "install to that", but I could never make it happen; it always wanted to be trying to infer things about how to configure itself from examining the host system.
And yes, I've studied the OpenWRT build to no avail. I would be delighted for someone to dissect whatever it is that goes on in there and write it up.
No experience with Firecracker specifically, but if squashfs images are sufficient, one should be able to build a tar archive of the filesystem without root (where all the files have the correct owners, mode, etc.) and then convert it to squashfs using `tar2sqfs` in https://github.com/AgentD/squashfs-tools-ng, also without root - I've done something like this to create squashfs images in constrained build environments, which worked well.
I think the question is more along the lines of - was there another news, recently posted, that prompted this post?
Like for example if fly.io was announced yesterday, and they said they used Firecracker, then someone would submit this link about Firecracker.
So the original poster in this thread was wondering if there was something to that effect. Not decrying something being posted that was not new or already discussed before...
as long as we're quoting the rules, "Please respond to the strongest plausible interpretation of what someone says, not a weaker one that's easier to criticize. Assume good faith."
assume that the parent's not saying "you shouldn't have posted this, it's old", but rather "i'm interested in firecracker, was there some new development i missed that prompted this submission"... if the answer is no that's okay, but if the answer is yes i'd love to hear about it.
Yeah, I’m actually curious if there’s a new major release or feature launch that I missed. I keep tabs on the project, didn’t think anything new suddenly happened.
This is tricky for Firecracker, both because of security (and the attendant switching costs of keeping exactly one VM connected to a GPU at a time) and because of the Firecracker tenet of supporting oversubscription. They've been talking about it for a couple years. I think they're actually talking about forking off a GPU-capable variant of the project to work around the drama.
Does anyone know of any good orchestrators for Firecracker VMs? While the technology is great, the CLI and API are still a bit too complex and low-level to implement some basic use cases in production.
This repository enables the use of a container runtime, containerd, to manage Firecracker microVMs. Like traditional containers, Firecracker microVMs offer fast start-up and shut-down and minimal overhead. Unlike traditional containers, however, they can provide an additional layer of isolation via the KVM hypervisor.
Take a look at Weaveworks Ignite for an open source tool for running Firecracker VMs from container images: https://github.com/weaveworks/ignite
And of course AWS Fargate and Lambda use this tech under the hood transparently, so that's always an option if you don't want to host and operate it yourself.
Ignite looked intruiging when I checked it out recently - but I need to import rootfs tarballs directly, without going through any registries. Any helpful pointers are appreciated :)
Firecracker relies on KVM in the Linux kernel which relies on VT-x or similar. Offering VT-x inside a VM that's already using VT-x is called nested virtualization. EC2 VMs do not support nested virtualization, while others do.
That said, it works fine on EC2 Bare Metal instances.
(n.b., I work on the virtualization stack on Google Compute Engine)
I just deployed a WordPress container on the same host that runs everything else. Makes me a bit uncomfortable. Was thinking about running a VM just as a Docker Swarm worker node, but this post reminded me that these virtualization runtimes exist. Looks like there's a drop-in containerd replacement using firecracker. Kata containers look a bit better supported, though?
What are you worried about them doing? If they take over the app inside the container, they can access your database and seed malware in your users' browsers.
I don't think you can be too paranoid about container escapes. We actually don't consider containers to be a reliable security boundary - we take it where we can, but if we need real isolation it has to be combined with another approach.
61 comments
[ 4.9 ms ] story [ 72.9 ms ] threadOpenWrt's build system has a method of building rootfs ext4 and squashfs images without any root, it's somewhere in that large Makefile mess.
(sorry, reposting this as I first replied to the wrong parent)
And yes, I've studied the OpenWRT build to no avail. I would be delighted for someone to dissect whatever it is that goes on in there and write it up.
https://fly.io/blog/docker-without-docker/
Thanks for these write-ups. They make for a riveting read, even when more than half of it usually is beyond my technical know-how.
Firecracker: Secure and fast microVMs for serverless computing - https://news.ycombinator.com/item?id=22512196 - March 2020 (103 comments)
“If a story has not had significant attention in the last year or so, a small number of reposts is ok. Otherwise we bury reposts as duplicates.”
https://news.ycombinator.com/newsfaq.html
Like for example if fly.io was announced yesterday, and they said they used Firecracker, then someone would submit this link about Firecracker.
So the original poster in this thread was wondering if there was something to that effect. Not decrying something being posted that was not new or already discussed before...
assume that the parent's not saying "you shouldn't have posted this, it's old", but rather "i'm interested in firecracker, was there some new development i missed that prompted this submission"... if the answer is no that's okay, but if the answer is yes i'd love to hear about it.
- https://www.buildbuddy.io
- https://github.com/buildbuddy-io/buildbuddy/blob/master/ente...
This might be related to my network problem, I will try other deploy ways when I get some spare time.
[1] https://aws.amazon.com/blogs/opensource/kata-containers-1-5-...
[2] https://github.com/kata-containers/kata-containers/blob/main...
https://github.com/firecracker-microvm/firecracker-container...
This repository enables the use of a container runtime, containerd, to manage Firecracker microVMs. Like traditional containers, Firecracker microVMs offer fast start-up and shut-down and minimal overhead. Unlike traditional containers, however, they can provide an additional layer of isolation via the KVM hypervisor.
And of course AWS Fargate and Lambda use this tech under the hood transparently, so that's always an option if you don't want to host and operate it yourself.
https://www.nomadproject.io/docs/drivers/external/firecracke...
The malicious person can always find the worst way to break everything, but dumb luck can get you pretty close.
It does however work on Google, Azure and Digital Ocean instances where you can configure nested virtualisation.
That is definitely a constraint though, as the smallest available metal instances are pretty large, hence costly on a per instance basis.
Why not? And what is Google, Azure and DI doing differently
That said, it works fine on EC2 Bare Metal instances.
(n.b., I work on the virtualization stack on Google Compute Engine)
@bushbaba I wonder how large the percentage hit could be, if it's like 1% or 10%, if you happen to know
And how that percentage hit compares with gvisor performance wise
Or am I too paranoid about container escapes?