
OpenNebula + Firecracker: Building the Future of On-Premises Serverless Computing

Christian González

Cloud Engineer at OpenNebula

Apr 1, 2020


Firecracker is a new open source virtualization technology, used by AWS underneath its Fargate and Lambda services, designed specifically for running secure, multi-tenant container and function-based workloads. It runs each workload in a lightweight VM (a microVM) that keeps the hardware-enforced isolation of a traditional VM while getting close to the boot speed and resource footprint of a container. The upcoming integration of Firecracker into OpenNebula 5.12 builds on this to provide a next-generation platform for on-premises serverless computing.

Some of the benefits that this integration is going to provide:

  • Seamless integration with container marketplaces like Docker Hub.
  • Direct execution of Docker images on microVMs and composition of containers with auto-scaling.
  • Multi-tenant, self-service cloud provisioning, including virtual data centers, data center federation and hybrid cloud computing.
  • Mixed hypervisor environments with KVM and VMware.

By closing the overhead gap between VMs and containers, microVMs give users the boot speed and small footprint of containers together with the isolation of a virtual machine. On top of that, Firecracker ships an auxiliary tool called the jailer that wraps the Firecracker process itself in common Linux user-space barriers: it chroots the process into a per-microVM directory, drops it to an unprivileged uid/gid, confines it in a cgroup and applies a seccomp filter to the system calls it may issue. This second line of defense matters because a guest that ever breaks out of the virtualization boundary lands inside the Firecracker process, and that process is itself unprivileged, chrooted and syscall-restricted on the host.
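The barriers above are only worth something if they are actually in place on the host, so a practitioner will want to verify them on a running microVM rather than trust the launch command. The script below is an added example, not code from OpenNebula or Firecracker: given the PID of a Firecracker process it reads /proc/<pid>/status and the /proc/<pid>/root link and checks for a seccomp filter, a non-root effective uid/gid and a root directory under the jailer's chroot base directory. The chroot base path (/srv/jailer, the jailer default) and the PID are supplied by the caller; the sample status text used to exercise the checks is constructed here for illustration.

```python
"""Verify that a Firecracker microVM process is actually confined by the jailer.

Added example (not OpenNebula's or Firecracker's own code). It reads the
/proc entries of a running firecracker PID and checks the barriers the
jailer is expected to set up: an unprivileged uid/gid, a chroot under the
jailer's chroot base directory, and an active seccomp filter. The chroot
base path and the PID are assumptions passed in by the caller.
"""
import os
import sys

# Seccomp modes as reported on the "Seccomp:" line of /proc/<pid>/status (proc(5)).
SECCOMP_DISABLED, SECCOMP_STRICT, SECCOMP_FILTER = 0, 1, 2


def parse_status(status_text):
    """Parse the "Key:\tvalue" lines of /proc/<pid>/status into a dict of strings."""
    fields = {}
    for line in status_text.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        fields[key.strip()] = value.strip()
    return fields


def seccomp_mode(status_text):
    """Return the seccomp mode (0, 1 or 2), or None if the kernel does not report it."""
    value = parse_status(status_text).get("Seccomp")
    return int(value) if value is not None else None


def effective_ids(status_text):
    """Return (euid, egid); the Uid:/Gid: lines list real, effective, saved and fs ids."""
    fields = parse_status(status_text)
    euid = int(fields["Uid"].split()[1])
    egid = int(fields["Gid"].split()[1])
    return euid, egid


def audit_jail(status_text, proc_root, chroot_base):
    """Return a list of findings; an empty list means every expected barrier is present.

    status_text: contents of /proc/<pid>/status
    proc_root:   target of the /proc/<pid>/root symlink
    chroot_base: the jailer's --chroot-base-dir (default /srv/jailer)
    """
    findings = []
    mode = seccomp_mode(status_text)
    if mode != SECCOMP_FILTER:
        findings.append("seccomp filter not active (mode %s)" % mode)
    euid, egid = effective_ids(status_text)
    if euid == 0 or egid == 0:
        findings.append("process runs with uid/gid 0 (%d/%d)" % (euid, egid))
    base = os.path.normpath(chroot_base)
    root = os.path.normpath(proc_root)
    if root == "/" or not root.startswith(base + os.sep):
        findings.append("root is %s, not a chroot under %s" % (root, base))
    return findings


def audit_pid(pid, chroot_base="/srv/jailer"):
    """Audit a live process; reading /proc/<pid>/root needs root or ptrace rights."""
    with open("/proc/%d/status" % pid) as fh:
        status_text = fh.read()
    proc_root = os.readlink("/proc/%d/root" % pid)
    return audit_jail(status_text, proc_root, chroot_base)


# Constructed sample of a jailed process's status file, for exercising the checks offline.
SAMPLE_JAILED_STATUS = (
    "Name:\tfirecracker\n"
    "Uid:\t1000\t1000\t1000\t1000\n"
    "Gid:\t1000\t1000\t1000\t1000\n"
    "Seccomp:\t2\n"
)
# Constructed sample of a Firecracker process started directly as root, without the jailer.
SAMPLE_UNJAILED_STATUS = (
    "Name:\tfirecracker\n"
    "Uid:\t0\t0\t0\t0\n"
    "Gid:\t0\t0\t0\t0\n"
    "Seccomp:\t0\n"
)

if __name__ == "__main__":
    # Usage: python3 check_jail.py <firecracker-pid> [chroot-base-dir]
    pid = int(sys.argv[1])
    base = sys.argv[2] if len(sys.argv) > 2 else "/srv/jailer"
    problems = audit_pid(pid, base)
    for problem in problems:
        print("FAIL:", problem)
    print("OK: jailer barriers present" if not problems else "jail check failed")
    sys.exit(1 if problems else 0)
```

The jailer places each microVM's root at <chroot-base-dir>/<exec-file-name>/<id>/root, so the root check is deliberately a prefix test against the base directory rather than an exact path, which keeps it valid whatever id OpenNebula assigns. A cgroup check (from /proc/<pid>/cgroup) can be added the same way once you know which hierarchy the host uses.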

Integrating Firecracker as a new virtualization technology in the upcoming OpenNebula 5.12 gives private and hybrid clouds an easy and secure way to run serverless workloads. To make sure users get the most out of it, we are also adding Docker Hub as a new source of images, so that any image available on Docker Hub can be deployed as a Firecracker microVM inside OpenNebula with very little effort! 🚀

So far, as the screencast accompanying this post shows, our Engineering Team has been testing these new features successfully on OpenNebula 5.10, so we can now officially confirm that Firecracker microVMs will be fully integrated and available to our users with the release of OpenNebula 5.12:

Networking

The networking subsystem will be fully integrated with Firecracker microVMs. A microVM will be able to attach to any Virtual Network defined in your OpenNebula instance, using all the Linux bridging based network modes OpenNebula already supports, such as 802.1Q VLANs and VXLAN. This makes it straightforward to deploy new microVMs on existing networks and have them talk to applications already running on conventional Virtual Machines or LXD system containers.

Contextualization

Contextualization is also fully supported for microVMs, so a user can deploy a microVM with all the configuration it needs to be functional immediately, without manual intervention. This covers network configuration as well as bootstrapping the serverless functions themselves. As with the other supported technologies (KVM, LXD and VMware vCenter), the contextualization packages must be installed inside the image beforehand for this to work. That step is not needed for images retrieved from Docker Hub, because installing the contextualization packages is part of the Dockerfile-based image build procedure.

VM Access

Apart from network access, OpenNebula provides VNC access to both VMs and containers, and VNC access is supported for microVMs as well. Since Firecracker exposes a serial console rather than a graphics device, what the VNC session carries is that text console. This makes it much easier to debug tasks running on a microVM, because the user always has a channel into it even when networking is not working properly or no SSH server is available.

More to come…

This post is a first introduction to the integration of Firecracker as a new officially supported virtualization technology in the upcoming OpenNebula 5.12. The project opens up a whole new set of possibilities, and we will be working hard from now on, together with the OpenNebula Community, to bring you guides and use cases. In the meantime, you can have a look at our new Firecracker datasheet and, as usual, please don't hesitate to send us your feedback: we'd love to hear how you are planning to use these new features! 🤓
