Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

I think lightweight VMs will have a major impact. VMs are powerful and solve legions of problems that arise trying to make containers match them, which is exactly the road currently being paved by so much of Kubernetes.

Firecracker has a number of limitations, however. Firecracker is tailored to the highly vertical 'lambda' use case and too much of the power of the kernel and userspace is stripped away. You can't even live migrate a firecracker VM right now.

So yes, VMs are great and will ultimately resurge to the detriment of 'everything is a container' serverless orchestration, but Firecracker in its current form won't cut it. A gulf exists between giant cloud operators and their lucrative 'serverless' (only) model and everyone else. Everyone else must avoid the insurmountable costs associated with abandoning the immense value that stateful VMs provide and the minute something emerges that delivers a seamless VM orchestration system it will skyrocket.



Which kernel powers are you specifically talking about having been stripped away, and how are they relevant to serverside workloads? GPUs are the common one that gets brought up, but I'm not familiar with many others. Firecracker doesn't strip anything out of the guest kernel --- it boots a vanilla Linux kernel, which can be as heavy or light as you compile it to be.


From https://firecracker-microvm.github.io/:

  Firecracker is an alternative to QEMU that is purpose-built for running serverless
  functions and containers safely and efficiently, and nothing more. Firecracker is
  written in Rust, provides a minimal required device model to the guest operating
  system while excluding non-essential functionality (only 5 emulated devices are
  available: virtio-net, virtio-block, virtio-vsock, serial console, and a minimal
  keyboard controller used only to stop the microVM). This, along with a streamlined
  kernel loading process enables a < 125 ms startup time and a < 5 MiB memory 
  footprint.
Basically they removed anything that wasn't needed to run a Lambda. All your I/O, CPU, memory, etc are all going to be limited to one very simplistic implementation, in addition to whatever KVM exports. So rather than saying "what does it limit", it's more like "imagine anything that might take advantage of/depend on hardware, or even host<->guest or guest<->guest, and just forget about it".


Can you be specific about what those hardware things are, and why they matter for serverside workloads? Yes: the premise of Firecracker is that the hypervisor only supports the virtio devices, and doesn't emulate real hardware. Where does that end up being problematic?

I'm not sure what you mean by your "CPU and memory" being "limited", either.


I don't have direct experience with any of this, but just to hypothesize:

- Firecracker/KVM can introduce some CPU overhead, for which there are some workarounds (https://github.com/firecracker-microvm/firecracker/blob/main...)

- Firecracker networking uses a tap device. Want any kind of advanced networking hardware, say, to offload packet processing, do network inspection, etc, and access it from the containerized app? Not gonna work... IPSec/IKE VPN? May not work (iirc this requires some specific paravirt features? I might be misremembering). Have some advanced network controller that transparently handles mesh networks, or some other fancy shmancy system designed to manage complex interactions between containers and networks? Probably not gonna work due to assumptions about what lies between the layers, what components use what tricks to handle advanced routing (Netfilter, eBGP, sidecars, etc). To say nothing of link-level differences (what if your network isn't Ethernet?). And all traffic is copied from an I/O thread of an emulated network device to a host TAP device, before it makes it to the real device; my guess is network latency and maximum PPS were not a priority.

- The exposed CPU is based on what KVM supports exposing to guests; presumably QEMU supports a much wider selection. Clocksources, of which I know absolutely nothing (:D), are only allowed as kvm-clock.

- All I/O is rate-limited by a custom scheme built by the Firecracker authors. I'm sure this is fine for most use-cases, but some weird high-performance outlier is gonna hit some sort of bottleneck with this thing I'm sure.

- Firecracker emulated block devices are backed by files on the host. Ergo, any app that wants to control a disk directly, or use some fancy shmancy SAN directly, etc is out of luck.

- The guest requires a balloon driver to use balloon support, which means the guest needs this special software, and compromising the guest driver could be a serious issue. I don't know if Kata does this differently.

- Aarch64 support has a bunch of errata currently, so x86_64 is the only fully-supported platform; I dunno if Kata does any better, but this is a real hardware limitation, esp. if you're trying to buy a shit-ton of cheap powerful machines.

- This is not hardware-specific, but Firecracker seems limited to specific kernel releases; right now the latest it supports is 5.10, according to https://github.com/firecracker-microvm/firecracker/blob/main... They emphasize that they want your host and guest to run "a supported kernel", even if it's possible to run different ones. To me that says that there's the potential for Firecracker-specific bugs in newer (or older?) guest kernels. From that page: "Firecracker represents a component in a larger stack, one in which it is tightly coupled with the guest and host kernels on which it is run."

I would add that containers are used in far more settings than server-side, and would be great to have on the edge, in IoT, and on desktops, if they were a little less... funky. In general, containers requires a lot of extra steps to be "usable" as general purpose applications, and access to hardware will absolutely be a barrier we need to cross in order for "general purpose containerized apps" to become commonplace.


I'm not trying to be argumentative, but rather just to clear things up for you:

All serverside cloud-style VMs get tap devices. That's not a Firecracker thing.

IPSEC works just fine from within a VM. Firecracker doesn't care; it's just a hypervisor.

I'm not sure what you're trying to say about the CPU thing; Firecracker is a hypervisor, not an emulator. Linux QEMU VMs are KVM, too.

SANs work fine from within VMs. The point of a SAN is that the disk isn't attached. Firecracker talks to host block devices the same way other hypervisors do.

Here's `uname -a` from a Firecracker:

    Linux 0a581153 5.12.2 #1 SMP Thu Jun 30 19:35:04 UTC 2022 x86_64 GNU/Linux
You're definitely not limited to older kernels.


> All serverside cloud-style VMs get tap devices

Unless you want to PCI pass-through an SRIOV VF into a guest? If you're paying out the ass for Cisco cloud gear you probably want the guest to have direct access to a card...

Again, I don't remember the specifics, but depending on the underlying networking (on the host etc), there may be some issues with IPSec (but I could be wrong). From some random searching: https://linux-ipsec.org/wp-content/uploads/slides/2018/quest...

> SANs work fine from within VMs. The point of a SAN is that the disk isn't attached. Firecracker talks to host block devices the same way other virtualizers do.

But you may want to talk to an attached HBA? Firecracker's docs (https://github.com/firecracker-microvm/firecracker/blob/main...) say: "Firecracker emulated block devices are backed by files on the host. To be able to mount block devices in the guest, the backing files need to be pre-formatted with a filesystem that the guest kernel supports."

Based on everything else in the Firecracker docs, I don't see any vHBA support provided, so the guest cannot access an HBA on the host. And a virtual device backed by a file is going to have crap performance.


Yep, PCI pass-through is 100% something you can't do with Firecracker. To me, that's a perfect example of a feature that's not really there to support cloud-style serverside workloads, but that might just be my bias.


I think the other way to look at it is there's just different workloads that need different solutions. Firecracker is perfect for Lamba-style workloads.

But some companies (who don't want to manage datacenter resources, but do want the large scale and flexibility of cloud computing) want a whiz-bang multi-tenant enterprise containerized solution (say, using K8s as orchestrator). And maybe one of their critical applications has certain requirements that necessitate an HBA, deep packet inspection, an HSM, a high-precision clock, etc. They need strong isolation guarantees, so they want a VM, but they want K8s to manage it.

Kata Containers seems to fit the latter, as it can change hypervisors, supports more architectures, advanced networking features, device assignment, etc. Seems to align most with on-prem cloud as it's maintained by the OpenStack people.


What you're calling a "Lambda-style workload" really seems to capture >95% of the EC2-style workload.


I'll bet you it's more like 85%. AWS has a good amount of hardware designed to pass through into the VM, various custom guest drivers, some advanced high-performance networking stuff, and the GPU support like you mentioned. Customers probably pay a hefty premium, so we shouldn't discount it from either a business or technical perspective.


>"All serverside cloud-style VMs get tap devices."

I'm having trouble understanding this sentence. Specifically "serverside cloud-style VMs." Does "serverside" mean from the host OS that's running the Hypervisor? Like if I were logged into that host an "ifconfig" would show me tap devices?


Yes, it does.


No, it doesn’t.


Why would you want to migrate a firecracker vm? They are supposed to be for small, short lived processes. Or in this case, Docker containers (which are likely to be controlled by some kind of orchestration).

If you want to be able to migrate a running VM, do you still really need it to start super fast? It’s going to be a long lived service (otherwise you wouldn’t migrate it), so a longer spin up time should be acceptable. If that’s the case, then you can use a different VM tech that supports migration (KVM/Xen/etc).


> If you want to be able to migrate a running VM, do you still really need it to start super fast?

Yes. "You" is two different people in this sentence. The person doing the migration is often not the person who owns whatever service is running in the VM. They have uncorrelated needs. As a platform operator, I want to migrate VMs to be able to balance load and evacuate dying hardware. As a service operator on that platform I want high uptime - or, more accurately to this case, low downtime.

One of the reasons someone goes for a long-lived service on a VM platform is because the service is in some sense critical: it's Bad News when it drops a connection or doesn't respond. So the operator of that service wants something with a fast restart so that if it ever does need to be bounced, it's back quickly and they return to whatever redundancy level they originally designed to as fast as possible.

"Long uptime means a slow boot is fine" has never been true, in my experience.


Just spawn a new VM on a hypervisor and delete the old VM on the hypervisor that is dying. You can also balance load this way.


Assume any suggestion starting with "just" is equally obvious to the operators as it is to you.

In this case, it would be helpful to start from the observation that live migration is non-negotiable, which immediately rules out any form of "turn it on then off again."


In this case, I think the “just” is justified. (Normally I’d agree with you)

If you’re starting from the premise that live migration is non-negotiable, then I’d argue that you likely don’t need a quick start. Long lived services can afford a slower start using a different VM technology. We’re not talking hours to provision a server, but the difference between 100ms and a few minutes.

My question to you is — what kind of service would need to start fast and be able to migrate? I just don’t see that Venn diagram having a big overlap. But maybe I’m wrong…


Doesn't matter what the service is. The features are used and therefore valued by two different audiences (who may in some circumstances be the same individuals wearing different hats). Live migration: platform ops. Fast boot: platform users.

The platform ops people want to offer the best service possible to the platform users. Fast boot is a feature users may want for their services, so the operators want to offer it. It's directly user-facing, and is a feature users can evaluate on when selecting the platform.

The platform ops people also want to offer high uptime and good performance. So behind the scenes they use live migration to mitigate host risk and balance load. Live migration is not user-facing, and is not a feature users can or should evaluate on when selecting the platform, because they shouldn't have to care.

> what kind of service would need to start fast and be able to migrate?

For ops, all VMs need to be able to migrate. For users, some services need fast boot. Therefore all services that need fast boot also need to migrate.


> Why would you want to migrate a firecracker vm?

I wouldn't. I pointed out the lack of live migration as an of example why firecracker can't cut it as the basis of general purpose VM orchestration platform.

> then you can use a different VM tech that supports migration (KVM/Xen/etc)

"KVM/Zen/etc" are in the dark ages compared to the state of the art of Kubernetes container orchestration.

The reason for that isn't technical; KVM is incredible and full-featured VMs conceivably could be orchestrated with the same fidelity as containers. The reason is business: the cloud behemoths invest only in their serverless business models; thus k8s, firecracker, etc. I contend there is an enormous market for orchestration of more complex workloads that VMs suit well.


I think that is GP's point: Firecracker shouldn't be considered a general-purpose solution for more secure containerized workloads.


Can you try to make that a little more specific? What does "general-purpose" mean here? "Secure containerized workloads" tends to imply serverside. It's hard to think of things --- other than GPU access --- that Firecracker takes away here.


> It's hard to think of things

No, it isn't. Investigate the K8S world and observe the backflips and somersaults being performed there to deal with networking and storage. Much of that is a consequence of people trying make containers do things that should be run in VMs. A full featured Linux kernel and certain key user space tools can obviate much of that nonsense with ease, deliver better performance, use less resources and be vastly less complex.


If it's not hard to name a thing that Firecracker makes difficult for a serverside workload, could you... name one?

Firecracker runs a full-featured Linux kernel. It's a hypervisor. It's not a kind of kernel.


> If it's not hard to name a thing that Firecracker makes difficult for a serverside workload, could you... name one?

I already did that with live migration. But ok.

Encrypted storage: https://github.com/firecracker-microvm/firecracker/issues/65...: WONTFIX

The answer given is appropriate for firecracker use cases but insufficient otherwise. I'm not anti-firecracker; it's the right choice for many things. Just not all things.

The sort of VM I want orchestrated has encrypted (by contract) multi-pathed network block devices to encrypted storage volumes. 3-10 per tenant. This is trivial for a full-featured kernel; multi-path just works, encryption just works.

VLAN: https://github.com/weaveworks/ignite/issues/810: Open. Maybe one day.

Again, trivial for a full-featured Linux kernel. Has been for ages.

I think you're missing the point. It's not about what hypothetical thing firecracker can or can't do. It's about elevating VM orchestration to some degree of parity with what has been created for container orchestration. These VMs and their complex storage and networking requirements should be modeled as we model containers now; through an orchestration system that makes management easy and as foolproof as possible. The fact that firecracker isn't sufficient to be the Micro-VM of choice for this isn't relevant.


You can encrypt a drive from within Firecracker trivially. It's just Linux, and they're just block devices.

You can do all the standard Linux tap interface networking with Firecracker; it just presents as virtio ethernet to the guest.

This is the second time you've compared Firecracker to a "full-featured Linux kernel". Again: Firecracker is a hypervisor. It's not a kernel. It runs Linux kernels. "Full-featured" Linux kernels. Whatever kernel you compile.


Well now you're arguing with the developers of both firecracker and ignite. Maybe go to the issues I linked and correct them.


No, you're linking to tickets that I don't think you really grok. That's someone asking for an extra encryption feature on the host side for Firecracker images, not someone saying it's impossible to encrypt a drive from within a Firecracker VM, which is obviously possible. You can just, you know, boot one up and try.

The other link you provided is to an Ignite ticket that's talking about integrating Firecracker with Linux namespaces. That has nothing to do with what Firecracker itself is capable of doing. If you want to slag Ignite, that's fine with me; I don't know much about the project, and am just here because weird things are being said about Firecracker, like that it doesn't run "full Linux kernels".




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: