1. 32
  1. 2

    Why would one run Firecracker instead of Raspian? Honest question.

    1. 15

      Firecracker is a fast, lightweight virtualization tool. It was open sourced by Amazon and is part of the stack that lets AWS Lambda run tons of tiny “functions” in isolation from each other on a single server.

      You still need an OS underneath, since the virtual machine needs a host to provide storage, networking, etc. (Not to mention the filesystem images normally used under Firecracker are very minimal, so you can’t really develop or debug in that environment.)

      The more reasonable question is probably, “why use Firecracker instead of Docker?” In that case: Firecracker gives you much stronger security boundaries between “micro VMs” than Docker does between containers. If you don’t need that (i.e., all your containers are running code you trust) then it almost certainly isn’t worth the learning curve to go with Firecracker.

      1. 2

        Thanks - that’s helpful. In that case, it sounds more like a gVisor than a Docker to me.

        1. 4

          What’s the overhead difference between the two?

          1. 4

            Both gVisor and Firecracker are “slow” but usable, and in this case, being a Raspberry Pi, I’m going to guess that performance is not a huge limiting factor. gVisor can be ridiculously slow in many cases - they used to talk about performance penalties for “syscall heavy applications”, which is just a ridiculous statement to make. (Looks as if they’ve updated their perf docs recently: https://gvisor.dev/docs/architecture_guide/performance/ .) Firecracker, even though billed as ‘fast’, trades a slower run-time for a faster boot time, although it appears there are plans to fix that.

            Having said that, Docker is unsafe at any speed. The claims of isolation in that ecosystem are kinda like the marketing claims from database companies that write to /dev/null.

      2. 1

        When you primarily intend to run containers on it, I suppose.

      3. 2

        Interesting and impressive… I would also be interested in what kind of performance one can draw out from this lightweight virtualization.

        I know that on x86, the overhead is almost negligible, but I wonder how these virtualisation instructions perform on ARMv8 and if KVM was optimized for it. I have a Raspberry Pi 4B; thanks to this article I will start playing with Firecracker on it :).

        1. 3

          OP/Author here. There are many details about performance here. To me it was really surprising to see how much overhead Firecracker has (hardly noticeable at all). I would like to investigate this further and create a workflow to be able to deploy my applications like that (similar to a Dockerfile, I guess).

          1. 2

            Hey, thanks for the link, that looks great. I knew that Firecracker was really fast, but I never saw this paper.

            However, it doesn’t specify on which architecture and CPU the performance testing was done. I suspect that these were made on beefy server x86_64 CPUs. My original question was more about the performance on ARMv8 or Raspberry Pi CPUs. I feel that I would have to benchmark myself.

            1. 2

              My original question was more about the performance on ARMv8 or Raspberry PI CPUs. I feel that I would have to benchmark myself.

              I see. I do not expect that big of a difference between x86 and ARM in terms of overhead. I would definitely be interested in a benchmark. I think there is an open ticket in the Firecracker repo to work on performance regression testing.
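The thread twice circles back to measuring overhead yourself: the comment above about gVisor's cost for “syscall heavy applications”, and the last exchange about benchmarking on ARMv8 rather than trusting x86_64 numbers. The microbenchmark below is an added example written for this page; it is not code from the thread, from the article, or from the Firecracker or gVisor projects. It isolates the one thing that differs most between runc, gVisor's Sentry and a Firecracker guest kernel, the cost of a kernel entry, by timing two cheap syscalls against a loop that never leaves user space. The iteration count and the choice of getppid() and read() on /dev/null are my own assumptions; any portable C11 compiler on Linux will build it.

```c
/* Added example (not from the thread or either project): per-syscall latency
 * microbenchmark. Build once with `cc -O2 -o sysbench sysbench.c` and run the
 * same binary under runc, under gVisor (runsc) and inside a Firecracker guest
 * on the same machine, so the only variable is the runtime boundary. */
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <time.h>
#include <unistd.h>

/* Wall-clock time in nanoseconds. timespec_get is C11, so no feature macros
 * are needed; wall clock (not CPU time) is deliberate: under gVisor the work
 * happens in the Sentry process, which a CPU-time clock would not attribute
 * to this process. */
static double now_ns(void) {
    struct timespec ts;
    timespec_get(&ts, TIME_UTC);
    return (double)ts.tv_sec * 1e9 + (double)ts.tv_nsec;
}

/* Average cost in ns of one getppid() call over `iters` iterations.
 * getppid() is never cached by libc, so every iteration is a genuine
 * kernel (or Sentry) entry. Returns -1.0 on bad input. */
double getppid_ns(long iters) {
    if (iters <= 0) return -1.0;
    volatile long sink = 0;              /* stops the compiler eliding the loop */
    double t0 = now_ns();
    for (long i = 0; i < iters; i++)
        sink += getppid();
    double t1 = now_ns();
    (void)sink;
    return (t1 - t0) / (double)iters;
}

/* Average cost in ns of a 1-byte read() from /dev/null: a syscall that goes
 * through the VFS layer, which is where a user-space kernel pays the most.
 * Returns -1.0 if /dev/null cannot be opened or a read fails. */
double devnull_read_ns(long iters) {
    if (iters <= 0) return -1.0;
    int fd = open("/dev/null", O_RDONLY);
    if (fd < 0) return -1.0;
    char buf[1];
    double t0 = now_ns();
    for (long i = 0; i < iters; i++) {
        if (read(fd, buf, sizeof buf) < 0) { close(fd); return -1.0; }
    }
    double t1 = now_ns();
    close(fd);
    return (t1 - t0) / (double)iters;
}

/* Baseline: a loop of the same length that never enters the kernel. If this
 * number also moves between runtimes, the difference is CPU or virtualization
 * overhead, not syscall interception. Returns -1.0 on bad input. */
double userspace_ns(long iters) {
    if (iters <= 0) return -1.0;
    volatile unsigned long x = 1;        /* volatile keeps each step observable */
    double t0 = now_ns();
    for (long i = 0; i < iters; i++)
        x = x * 6364136223846793005UL + 1442695040888963407UL;
    double t1 = now_ns();
    (void)x;
    return (t1 - t0) / (double)iters;
}

int main(int argc, char **argv) {
    long iters = argc > 1 ? atol(argv[1]) : 1000000L;   /* assumed default */
    printf("iterations:       %ld\n", iters);
    printf("user-space loop:  %.1f ns/iter\n", userspace_ns(iters));
    printf("getppid():        %.1f ns/call\n", getppid_ns(iters));
    printf("read(/dev/null):  %.1f ns/call\n", devnull_read_ns(iters));
    return 0;
}
```

Compare the three lines across runtimes rather than the absolute values: the user-space baseline should be nearly identical everywhere, while the syscall rows show what each isolation boundary charges per kernel entry. On a Raspberry Pi the absolute numbers will be larger than on a server, which is exactly why the commenter is right that an x86_64 paper cannot answer the ARMv8 question.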