arm64 + ubuntu18.04: installing firecracker

     https://github.com/firecracker-microvm/firecracker/blob/master/docs/getting-started.md

     https://aws.amazon.com/cn/blogs/china/firecracker-open-source-secure-fast-microvm-serverless/

    https://aws.amazon.com/cn/blogs/china/firecracker-lightweight-virtualization-for-serverless-computing/

    root@ubuntu:~# uname -a
    Linux ubuntu 5.0.0-23-generic #24~18.04.1-Ubuntu SMP Mon Jul 29 16:10:24 UTC 2019 aarch64 aarch64 aarch64 GNU/Linux
    root@ubuntu:~# 
    root@ubuntu:/etc/network# modprobe kvm
    modprobe: FATAL: Module kvm not found in directory /lib/modules/5.0.0-23-generic
    root@ubuntu:/etc/network# cd /lib/modules/5.0.0-23-generic
    root@ubuntu:/lib/modules/5.0.0-23-generic# find ./ -name *kvm*
    root@ubuntu:/lib/modules/5.0.0-23-generic# 

    Firecracker is built on KVM and needs read/write access to /dev/kvm. Log in to the host in a terminal, then grant that access:

      chmod 777 /dev/kvm
    root@ubuntu:/etc/network# ls /dev/kvm
    /dev/kvm
    root@ubuntu:/lib/modules/5.0.0-23-generic# kvm-ok
    
    Command 'kvm-ok' not found, but can be installed with:
    
    apt install cpu-checker
    
    root@ubuntu:/lib/modules/5.0.0-23-generic# apt install cpu-checker
    Reading package lists... Done
    Building dependency tree       
    Reading state information... Done
    The following NEW packages will be installed:

    Now install the kvm-ok utility with the command above; it determines whether your server can run hardware-accelerated KVM virtual machines:

    root@ubuntu:/lib/modules/5.0.0-23-generic# kvm-ok
    INFO: /dev/kvm exists
    KVM acceleration can be used
    root@ubuntu:/lib/modules/5.0.0-23-generic# 
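The checks the transcript above does by hand, as an added preflight script (not from the original post or the Firecracker project). It makes explicit what the arm64 host shows: `modprobe kvm` fails and `find` turns up no module, yet /dev/kvm exists, because KVM is built into the Ubuntu arm64 kernel rather than shipped as a module, so the device node is the thing to test. It also reports how to obtain access through the device's group instead of `chmod 777`. `KVM_DEV` and the `run` argument are this example's own conventions.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): host preflight for Firecracker.
# Checks architecture, presence of the KVM device node, and the current user's
# access to it, and flags a world-writable node. KVM_DEV is an assumed variable.
set -eu

KVM_DEV="${KVM_DEV:-/dev/kvm}"

# Host architectures Firecracker publishes release binaries for.
arch_supported() {
  case "$1" in x86_64|aarch64) return 0 ;; *) return 1 ;; esac
}

# Interpret an `ls -l` mode string such as "crw-rw----":
# char 1 is the type, chars 2-4 owner rwx, 5-7 group rwx, 8-10 others rwx.
group_has_rw() { case "$1" in ????rw*) return 0 ;; *) return 1 ;; esac; }
world_has_rw() { case "$1" in ???????rw*) return 0 ;; *) return 1 ;; esac; }

kvm_preflight() {
  local arch mode grp
  arch=$(uname -m)
  if ! arch_supported "$arch"; then
    echo "FAIL: host architecture $arch has no Firecracker release build"; return 1
  fi
  if ! [ -c "$KVM_DEV" ]; then
    # On arm64 KVM is built in, so a missing node means the kernel lacks KVM support.
    echo "FAIL: $KVM_DEV missing; KVM is neither built in nor loaded (try: modprobe kvm)"; return 1
  fi
  mode=$(ls -ld "$KVM_DEV" | awk '{print $1}')
  grp=$(ls -ld "$KVM_DEV" | awk '{print $4}')
  if world_has_rw "$mode"; then
    echo "WARN: $KVM_DEV is $mode; every local user can create VMs (consider 0660 root:$grp)"
  fi
  if [ -r "$KVM_DEV" ] && [ -w "$KVM_DEV" ]; then
    echo "OK: $KVM_DEV exists and is readable/writable by $(id -un)"; return 0
  fi
  if group_has_rw "$mode"; then
    echo "FAIL: no access to $KVM_DEV; add the user to group $grp (usermod -aG $grp USER) and log in again"
  else
    echo "FAIL: no access to $KVM_DEV; mode is $mode, owning group $grp"
  fi
  return 1
}

# Run with `./preflight.sh run`; without the argument only the functions are defined.
case "${1:-}" in run) kvm_preflight ;; esac
```

On the host in the transcript the script reports OK as root; for an unprivileged user it points at the `kvm` group, which keeps the device at its default mode.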

    Download firecracker

    latest=$(basename $(curl -fsSLI -o /dev/null -w  %{url_effective} https://github.com/firecracker-microvm/firecracker/releases/latest))
    curl -LOJ https://github.com/firecracker-microvm/firecracker/releases/download/${latest}/firecracker-${latest}-$(uname -m)
    mv firecracker-${latest}-$(uname -m) firecracker
    root@ubuntu:~# ls
    firecracker.sh  firecracker-v0.22.0-aarch64
    root@ubuntu:~# du -sh *
    4.0K    firecracker.sh
    1.6M    firecracker-v0.22.0-aarch64
    root@ubuntu:~# 
    root@ubuntu:~# mv firecracker-v0.22.0-aarch64  firecracker
    root@ubuntu:~# ./firecracker --version
    Firecracker v0.22.0
    
    root@ubuntu:~# 
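The download step above resolves `latest` at install time, so each run can fetch a different binary. A version-pinned variant with a checksum check, added here as an example and not taken from the original post or the Firecracker project: the release URL pattern is the one in the post's own curl command, while `FC_VERSION` defaults to the v0.22.0 seen on this host and `FC_EXPECTED_SHA256` is a placeholder to be filled with the digest of a release you have already vetted.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): fetch a pinned Firecracker release
# and refuse to install it unless its SHA-256 matches a digest recorded beforehand.
# FC_VERSION, FC_ARCH and FC_EXPECTED_SHA256 are this example's assumed variables.
set -eu

FC_VERSION="${FC_VERSION:-v0.22.0}"   # version the post's host ended up with
FC_ARCH="${FC_ARCH:-$(uname -m)}"
FC_EXPECTED_SHA256="${FC_EXPECTED_SHA256:-<placeholder: digest of the vetted release>}"

# Asset name and URL, following the naming used in the post's download command.
release_asset() { printf 'firecracker-%s-%s' "$1" "$2"; }  # $1 = version, $2 = arch
release_url() {
  printf 'https://github.com/firecracker-microvm/firecracker/releases/download/%s/%s' \
    "$1" "$(release_asset "$1" "$2")"
}

# Compare a file's SHA-256 with the expected hex digest; returns 1 on mismatch.
verify_sha256() {  # $1 = file, $2 = expected digest
  local actual
  actual=$(sha256sum "$1" | cut -d' ' -f1)
  [ "$actual" = "$2" ]
}

fetch_firecracker() {
  local asset url
  asset=$(release_asset "$FC_VERSION" "$FC_ARCH")
  url=$(release_url "$FC_VERSION" "$FC_ARCH")
  curl -fsSL -o "$asset" "$url"
  if ! verify_sha256 "$asset" "$FC_EXPECTED_SHA256"; then
    echo "checksum mismatch for $asset; not installing" >&2
    rm -f "$asset"
    return 1
  fi
  chmod 0755 "$asset"
  mv "$asset" firecracker
  ./firecracker --version
}

# Run with `./fetch.sh fetch`; without the argument only the functions are defined.
case "${1:-}" in fetch) fetch_firecracker ;; esac
```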

    Download the kernel and rootfs

    To run an aarch64 guest, download them from: kernel and rootfs.

    2. Run firecracker

      It stays waiting until an InstanceStart action is sent

    root@ubuntu:~# ./firecracker --api-sock /tmp/firecracker.socket

    3. Start the micro VM

    root@ubuntu:~# kernel_path=$(pwd)"/rootfs/vmlinux.bin"
    root@ubuntu:~# curl --unix-socket /tmp/firecracker.socket -i \
    >       -X PUT 'http://localhost/boot-source' \
    >       -H 'Accept: application/json' \
    >       -H 'Content-Type: application/json' \
    >       -d "{
    >             \"kernel_image_path\": \"${kernel_path}\",
    >             \"boot_args\": \"keep_bootcon console=ttyS0 reboot=k panic=1 pci=off\"
    >        }"
    HTTP/1.1 204 
    Server: Firecracker API
    Connection: keep-alive
    
    root@ubuntu:~# rootfs_path=$(pwd)"/rootfs/xenial.rootfs.ext4"
    root@ubuntu:~# curl --unix-socket /tmp/firecracker.socket -i \
    >   -X PUT 'http://localhost/drives/rootfs' \
    >   -H 'Accept: application/json' \
    >   -H 'Content-Type: application/json' \
    >   -d "{
    >         \"drive_id\": \"rootfs\",
    >         \"path_on_host\": \"${rootfs_path}\",
    >         \"is_root_device\": true,
    >         \"is_read_only\": false
    >    }"
    HTTP/1.1 204 
    Server: Firecracker API
    Connection: keep-alive
    
    root@ubuntu:~# curl --unix-socket /tmp/firecracker.socket -i \
    >   -X PUT 'http://localhost/actions' \
    >   -H  'Accept: application/json' \
    >   -H  'Content-Type: application/json' \
    >   -d '{
    >       "action_type": "InstanceStart"
    >    }'
    HTTP/1.1 204 
    Server: Firecracker API
    Connection: keep-alive
    root@ubuntu:~# ./firecracker --api-sock /tmp/firecracker.socket
    [    0.000000] Booting Linux on physical CPU 0x0
    [    0.000000] Linux version 4.14.138 (sandreim@firecracker-arm-ci) (gcc version 7.4.0 (Ubuntu/Linaro 7.4.0-1ubuntu1~18.04.1)) #1 SMP Tue Sep 10 12:26:05 UTC 2019
    [    0.000000] Boot CPU: AArch64 Processor [410fd082]
    [    0.000000] Machine model: linux,dummy-virt
    [    0.000000] debug: skip boot console de-registration.
    [    0.000000] earlycon: uart0 at MMIO 0x0000000040001000 (options '')
    [    0.000000] bootconsole [uart0] enabled
    [    0.000000] efi: Getting EFI parameters from FDT:
    [    0.000000] efi: UEFI not found.
    [    0.000000] NUMA: No NUMA configuration found
    [    0.000000] NUMA: Faking a node at [mem 0x0000000000000000-0x0000000087ffffff]
    [    0.000000] NUMA: NODE_DATA [mem 0x87edac80-0x87ef3fff]
    [    0.000000] Zone ranges:
    [    0.000000]   DMA      [mem 0x0000000080000000-0x0000000087ffffff]
    [    0.000000]   Normal   empty
    [    0.000000] Movable zone start for each node
    [    0.000000] Early memory node ranges
    [    0.000000]   node   0: [mem 0x0000000080000000-0x0000000087ffffff]
    [    0.000000] Initmem setup node 0 [mem 0x0000000080000000-0x0000000087ffffff]
    [    0.000000] psci: probing for conduit method from DT.
    [    0.000000] psci: PSCIv1.0 detected in firmware.
    [    0.000000] psci: Using standard PSCI v0.2 function IDs
    [    0.000000] psci: Trusted OS migration not required
    [    0.000000] psci: SMC Calling Convention v1.1
    [    0.000000] random: get_random_bytes called from start_kernel+0x9c/0x3f0 with crng_init=0
    [    0.000000] percpu: Embedded 20 pages/cpu s42136 r8192 d31592 u81920
    [    0.000000] Detected PIPT I-cache on CPU0
    [    0.000000] Built 1 zonelists, mobility grouping on.  Total pages: 32256
    [    0.000000] Policy zone: DMA
    [    0.000000] Kernel command line: keep_bootcon console=ttyS0 reboot=k panic=1 pci=off earlycon=uart,mmio,0x40001000 root=/dev/vda rw
    [    0.000000] PID hash table entries: 512 (order: 0, 4096 bytes)
    [    0.000000] Memory: 102296K/131072K available (5948K kernel code, 538K rwdata, 1372K rodata, 448K init, 2746K bss, 28776K reserved, 0K cma-reserved)
    [    0.000000] Virtual kernel memory layout:
    [    0.000000]     modules : 0xffffff8000000000 - 0xffffff8008000000   (   128 MB)
    [    0.000000]     vmalloc : 0xffffff8008000000 - 0xffffffbebfff0000   (   250 GB)
    [    0.000000]       .text : 0xffffff8008080000 - 0xffffff8008650000   (  5952 KB)
    [    0.000000]     .rodata : 0xffffff8008650000 - 0xffffff80087b0000   (  1408 KB)
    [    0.000000]       .init : 0xffffff80087b0000 - 0xffffff8008820000   (   448 KB)
    [    0.000000]       .data : 0xffffff8008820000 - 0xffffff80088a6a00   (   539 KB)
    [    0.000000]        .bss : 0xffffff80088a6a00 - 0xffffff8008b55298   (  2747 KB)
    [    0.000000]     fixed   : 0xffffffbefe7fb000 - 0xffffffbefec00000   (  4116 KB)
    [    0.000000]     PCI I/O : 0xffffffbefee00000 - 0xffffffbeffe00000   (    16 MB)
    [    0.000000]     vmemmap : 0xffffffbf00000000 - 0xffffffc000000000   (     4 GB maximum)
    [    0.000000]               0xffffffbf00000000 - 0xffffffbf00200000   (     2 MB actual)
    [    0.000000]     memory  : 0xffffffc000000000 - 0xffffffc008000000   (   128 MB)
    [    0.000000] SLUB: HWalign=64, Order=0-3, MinObjects=0, CPUs=1, Nodes=1
    [    0.000000] Hierarchical RCU implementation.
    [    0.000000]  RCU restricting CPUs from NR_CPUS=128 to nr_cpu_ids=1.
    [    0.000000] RCU: Adjusting geometry for rcu_fanout_leaf=16, nr_cpu_ids=1
    [    0.000000] NR_IRQS: 64, nr_irqs: 64, preallocated irqs: 0
    [    0.000000] GICv3: no VLPI support, no direct LPI support
    [    0.000000] GICv3: CPU0: found redistributor 0 region 0:0x000000003ffd0000
    [    0.000000] arch_timer: cp15 timer(s) running at 50.00MHz (virt).
    [    0.000000] clocksource: arch_sys_counter: mask: 0xffffffffffffff max_cycles: 0xb8812736b, max_idle_ns: 440795202655 ns
    [    0.000005] sched_clock: 56 bits at 50MHz, resolution 20ns, wraps every 4398046511100ns
    [    0.002380] Console: colour dummy device 80x25
    [    0.003267] Calibrating delay loop (skipped), value calculated using timer frequency.. 100.00 BogoMIPS (lpj=200000)
    [    0.004973] pid_max: default: 32768 minimum: 301
    [    0.005883] Security Framework initialized
    [    0.006678] SELinux:  Initializing.
    [    0.007483] Dentry cache hash table entries: 16384 (order: 5, 131072 bytes)
    [    0.008719] Inode-cache hash table entries: 8192 (order: 4, 65536 bytes)
    [    0.009835] Mount-cache hash table entries: 512 (order: 0, 4096 bytes)
    [    0.010967] Mountpoint-cache hash table entries: 512 (order: 0, 4096 bytes)
    [    0.016669] ASID allocator initialised with 32768 entries
    [    0.017646] Hierarchical SRCU implementation.
    [    0.019121] EFI services will not be available.
    [    0.019951] smp: Bringing up secondary CPUs ...
    [    0.020694] smp: Brought up 1 node, 1 CPU
    [    0.021346] SMP: Total of 1 processors activated.
    [    0.022122] CPU features: detected feature: GIC system register CPU interface
    [    0.023343] CPU features: detected feature: 32-bit EL0 Support
    [    0.024295] CPU features: detected feature: Kernel page table isolation (KPTI)
    [    0.028396] CPU: All CPU(s) started at EL1
    [    0.029080] alternatives: patching kernel code
    [    0.031207] devtmpfs: initialized
    [    0.032948] clocksource: jiffies: mask: 0xffffffff max_cycles: 0xffffffff, max_idle_ns: 7645041785100000 ns
    [    0.034563] futex hash table entries: 256 (order: 3, 32768 bytes)
    [    0.035956] DMI not present or invalid.
    [    0.037378] NET: Registered protocol family 16
    [    0.039630] cpuidle: using governor ladder
    [    0.040414] cpuidle: using governor menu
    [    0.041078] vdso: 2 pages (1 code @ ffffff8008656000, 1 data @ ffffff8008825000)
    [    0.042337] hw-breakpoint: found 6 breakpoint and 4 watchpoint registers.
    [    0.044642] DMA: preallocated 256 KiB pool for atomic allocations
    [    0.055179] HugeTLB registered 2.00 MiB page size, pre-allocated 0 pages
    [    0.056907] dmi: Firmware registration failed.
    [    0.058893] NetLabel: Initializing
    [    0.059455] NetLabel:  domain hash size = 128
    [    0.060165] NetLabel:  protocols = UNLABELED CIPSOv4 CALIPSO
    [    0.061414] NetLabel:  unlabeled traffic allowed by default
    [    0.062856] clocksource: Switched to clocksource arch_sys_counter
    [    0.063965] VFS: Disk quotas dquot_6.6.0
    [    0.064622] VFS: Dquot-cache hash table entries: 512 (order 0, 4096 bytes)
    [    0.069753] NET: Registered protocol family 2
    [    0.072087] TCP established hash table entries: 1024 (order: 1, 8192 bytes)
    [    0.073242] TCP bind hash table entries: 1024 (order: 2, 16384 bytes)
    [    0.074308] TCP: Hash tables configured (established 1024 bind 1024)
    [    0.075682] UDP hash table entries: 256 (order: 1, 8192 bytes)
    [    0.076643] UDP-Lite hash table entries: 256 (order: 1, 8192 bytes)
    [    0.078062] NET: Registered protocol family 1
    [    0.080339] audit: initializing netlink subsys (disabled)
    [    0.081772] Initialise system trusted keyrings
    [    0.082608] Key type blacklist registered
    [    0.083353] audit: type=2000 audit(0.076:1): state=initialized audit_enabled=0 res=1
    [    0.084702] workingset: timestamp_bits=36 max_order=15 bucket_order=0
    [    0.090460] squashfs: version 4.0 (2009/01/31) Phillip Lougher
    [    0.093841] Key type asymmetric registered
    [    0.094629] Asymmetric key parser 'x509' registered
    [    0.095448] Block layer SCSI generic (bsg) driver version 0.4 loaded (major 253)
    [    0.096862] io scheduler noop registered (default)
    [    0.097769] io scheduler cfq registered
    [    0.098982] Serial: 8250/16550 driver, 1 ports, IRQ sharing disabled
    [    0.100842] console [ttyS0] disabled
    [    0.101480] 40001000.uart: ttyS0 at MMIO 0x40001000 (irq = 7, base_baud = 1500000) is a 16550A
    [    0.103104] console [ttyS0] enabled
    [    0.103104] console [ttyS0] enabled
    [    0.104624] cacheinfo: Unable to detect cache hierarchy for CPU 0
    [    0.104624] cacheinfo: Unable to detect cache hierarchy for CPU 0
    [    0.109583] loop: module loaded
    [    0.109583] loop: module loaded
    [    0.111782] tun: Universal TUN/TAP device driver, 1.6
    [    0.111782] tun: Universal TUN/TAP device driver, 1.6
    [    0.113946] rtc-pl031 40002000.rtc: rtc core: registered pl031 as rtc0
    [    0.113946] rtc-pl031 40002000.rtc: rtc core: registered pl031 as rtc0
    [    0.116470] hidraw: raw HID events driver (C) Jiri Kosina
    [    0.116470] hidraw: raw HID events driver (C) Jiri Kosina
    [    0.118496] nf_conntrack version 0.5.0 (1024 buckets, 4096 max)
    [    0.118496] nf_conntrack version 0.5.0 (1024 buckets, 4096 max)
    [    0.121228] ip_tables: (C) 2000-2006 Netfilter Core Team
    [    0.121228] ip_tables: (C) 2000-2006 Netfilter Core Team
    [    0.123287] Initializing XFRM netlink socket
    [    0.123287] Initializing XFRM netlink socket
    [    0.124907] NET: Registered protocol family 10
    [    0.124907] NET: Registered protocol family 10
    [    0.128481] Segment Routing with IPv6
    [    0.128481] Segment Routing with IPv6
    [    0.129837] NET: Registered protocol family 17
    [    0.129837] NET: Registered protocol family 17
    [    0.131737] Bridge firewalling registered
    [    0.131737] Bridge firewalling registered
    [    0.133216] NET: Registered protocol family 40
    [    0.133216] NET: Registered protocol family 40
    [    0.135063] registered taskstats version 1
    [    0.135063] registered taskstats version 1
    [    0.136422] Loading compiled-in X.509 certificates
    [    0.136422] Loading compiled-in X.509 certificates
    [    0.139391] Loaded X.509 cert 'Build time autogenerated kernel key: b3774bf1581b8d0fab766a23125e46fa20f6b48c'
    [    0.139391] Loaded X.509 cert 'Build time autogenerated kernel key: b3774bf1581b8d0fab766a23125e46fa20f6b48c'
    [    0.142816] zswap: default zpool zbud not available
    [    0.142816] zswap: default zpool zbud not available
    [    0.144429] zswap: pool creation failed
    [    0.144429] zswap: pool creation failed
    [    0.146028] Key type encrypted registered
    [    0.146028] Key type encrypted registered
    [    0.147673] rtc-pl031 40002000.rtc: setting system clock to 2020-09-27 03:15:57 UTC (1601176557)
    [    0.147673] rtc-pl031 40002000.rtc: setting system clock to 2020-09-27 03:15:57 UTC (1601176557)
    [    0.154643] EXT4-fs (vda): mounted filesystem with ordered data mode. Opts: (null)
    [    0.154643] EXT4-fs (vda): mounted filesystem with ordered data mode. Opts: (null)
    [    0.157147] VFS: Mounted root (ext4 filesystem) on device 254:0.
    [    0.157147] VFS: Mounted root (ext4 filesystem) on device 254:0.
    [    0.159736] devtmpfs: mounted
    [    0.159736] devtmpfs: mounted
    [    0.160921] Freeing unused kernel memory: 448K
    [    0.160921] Freeing unused kernel memory: 448K
    SELinux:  Could not open policy file <= /etc/selinux/targeted/policy/policy.31:  No such file or directory
    [    0.252285] systemd[1]: systemd 237 running in system mode. (+PAM +AUDIT +SELINUX +IMA +APPARMOR +SMACK +SYSVINIT +UTMP +LIBCRYPTSETUP +GCRYPT +GNUTLS +ACL +XZ +LZ4 +SECCOMP +BLKID +ELFUTILS +KMOD -IDN2 +IDN -PCRE2 default-hierarchy=hybrid)
    [    0.252285] systemd[1]: systemd 237 running in system mode. (+PAM +AUDIT +SELINUX +IMA +APPARMOR +SMACK +SYSVINIT +UTMP +LIBCRYPTSETUP +GCRYPT +GNUTLS +ACL +XZ +LZ4 +SECCOMP +BLKID +ELFUTILS +KMOD -IDN2 +IDN -PCRE2 default-hierarchy=hybrid)
    [    0.260373] systemd[1]: Detected architecture arm64.
    [    0.260373] systemd[1]: Detected architecture arm64.
    
    Welcome to Ubuntu 18.04.2 LTS!
    
    [    0.265412] systemd[1]: Set hostname to <fadfdd4af58a>.
    [    0.265412] systemd[1]: Set hostname to <fadfdd4af58a>.
    [    0.356837] random: fast init done
    [    0.356837] random: fast init done
    [    0.374322] random: systemd: uninitialized urandom read (16 bytes read)
    [    0.374322] random: systemd: uninitialized urandom read (16 bytes read)
    [    0.377079] systemd[1]: Started Dispatch Password Requests to Console Directory Watch.
    [    0.377079] systemd[1]: Started Dispatch Password Requests to Console Directory Watch.
    [  OK  ] Started Dispatch Password Requests to Console Directory Watch.
    [    0.381892] random: systemd: uninitialized urandom read (16 bytes read)
    [    0.381892] random: systemd: uninitialized urandom read (16 bytes read)
    [    0.384431] systemd[1]: Started Forward Password Requests to Wall Directory Watch.
    [    0.384431] systemd[1]: Started Forward Password Requests to Wall Directory Watch.
    [  OK  ] Started Forward Password Requests to Wall Directory Watch.
    [    0.388734] random: systemd: uninitialized urandom read (16 bytes read)
    [    0.388734] random: systemd: uninitialized urandom read (16 bytes read)
    [    0.391020] systemd[1]: Reached target Local Encrypted Volumes.
    [    0.391020] systemd[1]: Reached target Local Encrypted Volumes.
    [  OK  ] Reached target Local Encrypted Volumes.
    [    0.394355] systemd[1]: Reached target Paths.
    [    0.394355] systemd[1]: Reached target Paths.
    [  OK  ] Reached target Paths.
    [    0.397136] systemd[1]: Reached target Remote File Systems.
    [    0.397136] systemd[1]: Reached target Remote File Systems.
    [  OK  ] Reached target Remote File Systems.
    [    0.400413] systemd[1]: Reached target Swap.
    [    0.400413] systemd[1]: Reached target Swap.
    [  OK  ] Reached target Swap.
    [    0.403270] systemd[1]: Set up automount Arbitrary Executable File Formats File System Automount Point.
    [    0.403270] systemd[1]: Set up automount Arbitrary Executable File Formats File System Automount Point.
    [  OK  ] Set up automount Arbitrary Executab…rmats File System Automount Point.
    [  OK  ] Created slice System Slice.
    [  OK  ] Reached target Slices.
    [  OK  ] Listening on Journal Socket.
             Starting Load Kernel Modules...
             Starting Remount Root and Kernel File Systems...
    [  OK  ] Created slice system-serialx2dgetty.slice.
    [  OK  ] Listening on udev Control Socket.
             Mounting Huge Pages File System...
    [  OK  ] Listening on Journal Socket (/dev/log).
             Starting Create Static Device Nodes in /dev...
             Mounting POSIX Message Queue File System...
    [  OK  ] Listening on Journal Audit Socket.
             Starting Journal Service...
    [  OK  ] Listening on udev Kernel Socket.
             Starting udev Coldplug all Devices...
             Mounting Kernel Debug File System...
    [  OK  ] Listening on /dev/initctl Compatibility Named Pipe.
    [  OK  ] Reached target Sockets.
    [  OK  ] Started Load Kernel Modules.
    [  OK  ] Started Journal Service.
    [  OK  ] Started Remount Root and Kernel File Systems.
    [  OK  ] Mounted Huge Pages File System.
    [  OK  ] Started Create Static Device Nodes in /dev.
    [  OK  ] Mounted POSIX Message Queue File System.
    [  OK  ] Mounted Kernel Debug File System.
    [  OK  ] Reached target Local File Systems (Pre).
             Starting udev Kernel Device Manager...
             Starting Load/Save Random Seed...
    [  OK  ] Reached target Local File Systems.
             Starting Flush Journal to Persistent Storage...
             Starting Apply Kernel Variables...
    [  OK  ] Started Load/Save Random Seed.
    [  OK  ] Started udev Kernel Device Manager.
    [  OK  ] Started udev Coldplug all Devices.
    [  OK  ] Started Apply Kernel Variables.
    [  OK  ] Started Flush Journal to Persistent Storage.
             Starting Create Volatile Files and Directories...
    [  OK  ] Started Create Volatile Files and Directories.
             Starting Update UTMP about System Boot/Shutdown...
    [  OK  ] Started Update UTMP about System Boot/Shutdown.
    [  OK  ] Reached target System Initialization.
    [  OK  ] Reached target Basic System.
    [  OK  ] Started Discard unused blocks once a week.
    [  OK  ] Started Set the CPU Frequency Scaling governor.
    [  OK  ] Started Message of the Day.
             Starting getty on tty2-tty6 if dbus and logind are not available...
             Starting fcnet.service...
             Starting OpenBSD Secure Shell server...
    [  OK  ] Started Daily Cleanup of Temporary Directories.
    [  OK  ] Started Daily apt download activities.
    [  OK  ] Started Daily apt upgrade and clean activities.
    [  OK  ] Reached target Timers.
             Starting Permit User Sessions...
    [  OK  ] Found device /dev/ttyS0.
    [  OK  ] Started Permit User Sessions.
    [  OK  ] Started fcnet.service.
    [  OK  ] Started getty on tty2-tty6 if dbus and logind are not available.
    [  OK  ] Started OpenBSD Secure Shell server.
    [  OK  ] Created slice system-getty.slice.
    [  OK  ] Started Getty on tty2.
    [  OK  ] Started Getty on tty6.
    [  OK  ] Started Getty on tty3.
    [  OK  ] Started Getty on tty4.
    [  OK  ] Started Getty on tty5.
             Starting Discard unused blocks...
    [  OK  ] Started Serial Getty on ttyS0.
    [  OK  ] Reached target Login Prompts.
    [  OK  ] Reached target Multi-User System.
    [  OK  ] Reached target Graphical Interface.
             Starting Update UTMP about System Runlevel Changes...
             Starting Daily apt download activities...
    [  OK  ] Started Discard unused blocks.
    [  OK  ] Started Update UTMP about System Runlevel Changes.
    [FAILED] Failed to start Daily apt download activities.
    See 'systemctl status apt-daily.service' for details.
             Starting Daily apt upgrade and clean activities...
    [FAILED] Failed to start Daily apt upgrade and clean activities.
    See 'systemctl status apt-daily-upgrade.service' for details.
    
    Ubuntu 18.04.2 LTS fadfdd4af58a ttyS0
    
    fadfdd4af58a login: 

    root@ubuntu:~# ps -elf | grep firecracker
    0 S root      7033  3868  0  80   0 - 34171 ep_pol 11:00 pts/0    00:00:01 ./firecracker --api-sock /tmp/firecracker.socket
    0 S root      7127  7096  0  80   0 -  1096 pipe_w 11:28 pts/2    00:00:00 grep --color=auto firecracker
    root@ubuntu:~#

    Firecracker research: a first look

    Overview

    Firecracker is AWS's open-source secure and fast micro virtual machine (microVM) for serverless computing.
    According to the AWS website, when AWS Lambda was launched, a dedicated EC2 instance was used for each customer to achieve the desired isolation.
    Firecracker was later developed for efficiency reasons.

    Features

    • Secure: multiple layers of isolation and protection, with a very small exposed attack surface.
    • Fast: starts a microVM in under 125 ms (to be made faster still in 2019).
    • Battle-tested: already powers several high-volume AWS services, including AWS Lambda and AWS Fargate.
    • Low overhead: each microVM uses only 5 MiB of memory.

    Security

    Some of Firecracker's security features:

    • Simple guest model: a Firecracker guest gets a very simple virtualized device model to minimize the attack surface: a network device, a block I/O device, a programmable interval timer, the KVM clock, a serial console and a partial keyboard.
    • Process jail: the Firecracker process is jailed with cgroups and seccomp BPF, and can reach only a small, tightly controlled set of system calls.
    • Static linking: the Firecracker process is statically linked and can be launched through the jailer, to keep the host environment as secure and clean as possible.

    Quick-start steps

    Running on a local machine: Firecracker currently supports Linux x86_64 hosts with a 4.14+ kernel; KVM must be enabled and /dev/kvm must be readable and writable.
    Three files are needed first (the firecracker binary, a root filesystem and a Linux kernel).
    Open two terminal windows.

    • In the first window:

      • Make sure Firecracker can create its Unix socket:

        rm -f /tmp/firecracker.socket
      • Start Firecracker:

        ./firecracker --api-sock /tmp/firecracker.socket
    • In the second window:

      • Set the kernel:

        curl --unix-socket /tmp/firecracker.socket -i \
        -X PUT 'http://localhost/boot-source' \
        -H 'Accept: application/json' \
        -H 'Content-Type: application/json' \
        -d '{
        "kernel_image_path": "./hello-vmlinux.bin",
        "boot_args": "console=ttyS0 reboot=k panic=1 pci=off"
        }'
      • Set the root filesystem:

        curl --unix-socket /tmp/firecracker.socket -i \
        -X PUT 'http://localhost/drives/rootfs' \
        -H 'Accept: application/json' \
        -H 'Content-Type: application/json' \
        -d '{
        "drive_id": "rootfs",
        "path_on_host": "./hello-rootfs.ext4",
        "is_root_device": true,
        "is_read_only": false
        }'
      • Start the machine:

        curl --unix-socket /tmp/firecracker.socket -i \
        -X PUT 'http://localhost/actions' \
        -H 'Accept: application/json' \
        -H 'Content-Type: application/json' \
        -d '{
        "action_type": "InstanceStart"
        }'
     Creating thousands of microVMs on a bare-metal instance?
    
    for ((i=0; i<1000; i++)); do
        ./firecracker-v0.10.1 --api-sock /tmp/firecracker-$i.sock &
    done
    Multiple microVMs can be configured with the same shared root filesystem, with each microVM then given its own read/write share.
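The three PUT calls of the walkthrough, the many-sockets loop and the shared-root idea, combined into one added example that is not code from the original post or from the Firecracker project. It assumes the binary and images at `FC_BIN`, `FC_KERNEL` and `FC_ROOTFS` (defaults follow the post's layout), keeps sockets, logs and scratch images under `FC_WORKDIR`, and uses the `ht_enabled` machine-config field that appears in the post's own GET reply. Attaching the root image read-only is what makes it safe to hand the same file to several VMs; whether a guest can boot from a read-only root (remounting or overlaying a writable layer) depends on the image, and the per-VM scratch disk is a raw image the guest has to format. `json_field` is a small helper of this example for flat replies like the one in the post.

```shell
#!/usr/bin/env bash
# Added example (not from the original post or the Firecracker project): bring up
# FC_VM_COUNT microVMs, each on its own API socket, sharing one read-only root image
# and each with a private writable scratch disk. All FC_* variables are assumptions.
set -eu

FC_BIN="${FC_BIN:-./firecracker}"
FC_KERNEL="${FC_KERNEL:-$PWD/rootfs/vmlinux.bin}"
FC_ROOTFS="${FC_ROOTFS:-$PWD/rootfs/xenial.rootfs.ext4}"
FC_WORKDIR="${FC_WORKDIR:-/tmp/fc-demo}"
FC_VM_COUNT="${FC_VM_COUNT:-4}"

# API socket path for VM number $1.
sock_path() { printf '%s/firecracker-%s.sock' "$FC_WORKDIR" "$1"; }

# Request bodies are built as plain strings so the quoting is exact and checkable.
machine_config_json() {  # $1 = vcpu count, $2 = memory in MiB
  printf '{"vcpu_count":%s,"mem_size_mib":%s,"ht_enabled":false}' "$1" "$2"
}
boot_source_json() {  # $1 = kernel image path
  printf '{"kernel_image_path":"%s","boot_args":"console=ttyS0 reboot=k panic=1 pci=off"}' "$1"
}
drive_json() {  # $1 = drive id, $2 = host path, $3 = is_root_device, $4 = is_read_only
  printf '{"drive_id":"%s","path_on_host":"%s","is_root_device":%s,"is_read_only":%s}' "$1" "$2" "$3" "$4"
}

# Pull one unquoted top-level value out of a flat JSON object such as the machine-config reply.
json_field() {  # $1 = JSON text, $2 = field name
  printf '%s' "$1" | sed -n 's/.*"'"$2"'":[[:space:]]*\([^,}]*\).*/\1/p'
}

# PUT a resource on the socket; anything other than the API's 204 is an error.
fc_put() {  # $1 = socket, $2 = resource path, $3 = JSON body
  local code
  code=$(curl -s -o /dev/null -w '%{http_code}' --unix-socket "$1" \
    -X PUT "http://localhost$2" \
    -H 'Accept: application/json' -H 'Content-Type: application/json' \
    -d "$3")
  [ "$code" = "204" ] || { echo "PUT $2 on $1: HTTP $code" >&2; return 1; }
}

# GET a resource on the socket and print its body.
fc_get() {  # $1 = socket, $2 = resource path
  curl -s --unix-socket "$1" -X GET "http://localhost$2" -H 'Accept: application/json'
}

# Launch the VMM for VM $1 and wait up to ~5 s for its API socket to appear.
launch_vmm() {
  local sock n=0
  sock=$(sock_path "$1")
  rm -f "$sock"
  "$FC_BIN" --api-sock "$sock" > "$FC_WORKDIR/console-$1.log" 2>&1 &
  until [ -S "$sock" ]; do
    n=$((n + 1))
    [ "$n" -lt 50 ] || { echo "socket $sock never appeared" >&2; return 1; }
    sleep 0.1
  done
}

# Configure and boot VM $1: the root image is attached read-only so it can be
# shared between VMs; a per-VM scratch image gives each guest its own writable disk.
start_vm() {
  local i="$1" sock scratch
  sock=$(sock_path "$i")
  scratch="$FC_WORKDIR/scratch-$i.img"
  [ -f "$scratch" ] || truncate -s 64M "$scratch"   # raw block device; the guest formats it
  fc_put "$sock" /machine-config "$(machine_config_json 1 128)"
  fc_put "$sock" /boot-source "$(boot_source_json "$FC_KERNEL")"
  fc_put "$sock" /drives/rootfs "$(drive_json rootfs "$FC_ROOTFS" true true)"
  fc_put "$sock" /drives/scratch "$(drive_json scratch "$scratch" false false)"
  fc_put "$sock" /actions '{"action_type":"InstanceStart"}'
  echo "vm $i: vcpus=$(json_field "$(fc_get "$sock" /machine-config)" vcpu_count)"
}

main() {
  local i=0
  mkdir -p "$FC_WORKDIR"
  while [ "$i" -lt "$FC_VM_COUNT" ]; do
    if launch_vmm "$i"; then start_vm "$i"; fi
    i=$((i + 1))
  done
}

# Run with `./fc-fleet.sh up`; without the argument only the functions are defined.
case "${1:-}" in up) main ;; esac
```

Each VM's console ends up in `console-N.log` under the work directory, so the boot output that fills the transcript above is kept per VM instead of interleaved on one terminal, and a non-204 reply from any PUT stops that VM's setup with the resource name and status code.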

     References

    Tutorial: Getting Started with Firecracker on VMware Fusion

    https://thenewstack.io/tutorial-getting-started-with-firecracker-on-vmware-fusion/

    Query

    root@ubuntu:~# cat get_vm.sh 
    curl -s --unix-socket /tmp/firecracker.socket \
            -X GET 'http://localhost/machine-config' \
            -H 'Accept: application/json' \
            -H 'Content-Type: application/json'
    root@ubuntu:~# bash  get_vm.sh
    { "vcpu_count": 1, "mem_size_mib": 128,  "ht_enabled": false,  "cpu_template": "Uninitialized" }
    Original article: https://www.cnblogs.com/dream397/p/13738392.html