# Firecracker — Secure Lightweight MicroVMs for Serverless

> Firecracker is AWS' open source virtual machine monitor that boots minimal KVM-based microVMs in milliseconds — the engine behind Lambda and Fargate, reusable in your own serverless stack.

## Install and Quick Use

```bash
# Download the latest static release binary for this host's architecture
ARCH="$(uname -m)"
release_url="https://github.com/firecracker-microvm/firecracker/releases"
latest="$(basename "$(curl -fsSLI -o /dev/null -w '%{url_effective}' "${release_url}/latest")")"
curl -L "${release_url}/download/${latest}/firecracker-${latest}-${ARCH}.tgz" | tar -xz

# Start the API server on a Unix socket; the process then waits for the VM
# configuration (boot source, drives, network) as PUT requests followed by
# the InstanceStart action
./release-"${latest}"-"${ARCH}"/firecracker-"${latest}"-"${ARCH}" --api-sock /tmp/firecracker.socket

# A guest kernel and rootfs are fetched separately (see docs/getting-started.md)
```

## Introduction

Firecracker is a KVM-based virtual machine monitor written in Rust that AWS open-sourced in 2018 to power Lambda and Fargate. It runs stripped-down microVMs with no legacy devices, a tiny attack surface, and boot times under 125 ms, letting you pack thousands of strongly isolated guests on a single host. It has over 33,000 GitHub stars and a CNCF-adjacent governance model.

## What Firecracker Does

- Launches Linux microVMs via KVM with a virtio-only device model (net, block, vsock, balloon).
- Exposes a REST API on a Unix socket for snapshot/restore, hot-attach, and lifecycle control.
- Supports snapshotting so you can pre-warm VMs and restore in under 10 ms for serverless cold-start elimination.
- Enforces rate limiters on disk and network I/O for noisy-neighbor isolation.
- Runs on x86_64 and aarch64 with the same minimal binary footprint (~5 MB).

## Architecture Overview

Firecracker is a single Rust binary built on top of `rust-vmm` crates.
It uses KVM for hardware virtualization and implements only virtio-net, virtio-block, virtio-vsock, virtio-balloon, and a serial console — no PCI, no BIOS, no USB. A dedicated API thread speaks JSON over a Unix socket; a vCPU thread and an I/O thread handle the guest. Seccomp filters restrict host syscalls to a minimal allowlist, so an escape from the guest has an extremely narrow blast radius. The `jailer` binary wraps the Firecracker process in cgroups, a chroot, and namespaces before exec.

## Self-Hosting & Configuration

- Run on any Linux 4.14+ host with KVM enabled (`/dev/kvm` accessible) — bare metal, or nested virtualization on AWS .metal or GCP n2.
- Launch via the `firecracker` binary and manage VMs through the Unix socket API, or use orchestrators like firecracker-containerd, Kata, weaveworks/ignite, or fly.io's internal tooling.
- Use `jailer` in production to apply cgroups, chroot, and seccomp before exec.
- Snapshots are two files (memory + vmstate) you can cache on fast local NVMe for sub-10 ms restore.
- Wire networking with a TAP device or a Cilium/Tailscale userspace overlay.

## Key Features

- Sub-125 ms boot times and ~5 MiB memory overhead per VM.
- Hardware-enforced isolation via KVM — stronger than container namespaces.
- Snapshot/restore for instant cold-start elimination.
- Minimal device model and seccomp reduce the attack surface dramatically.
- Actively developed by AWS with a predictable release cadence and LTS branches.

## Comparison with Similar Tools

- **QEMU** — full-featured emulator, heavy and slower to boot; Firecracker trades features for speed and security.
- **Cloud Hypervisor** — Intel-led rust-vmm sibling with broader device support; more features, slightly higher overhead.
- **Kata Containers** — uses Firecracker or Cloud Hypervisor under OCI semantics for VM-isolated pods.
- **gVisor** — syscall-level sandbox, no KVM required; weaker isolation model but simpler to deploy.
- **Nabla / Unikernels** — specialized single-purpose VMs; Firecracker runs unmodified Linux guests.
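The Unix-socket API and the per-device rate limiters described under Architecture Overview and Self-Hosting above, shown end to end as an added Python client (not code from the Firecracker project): it builds the ordered configuration requests, attaches token-bucket limits to the root disk and the NIC, and only sends `InstanceStart` once every earlier request has been accepted. The socket path, kernel/rootfs paths, TAP name, guest MAC and limiter sizes are assumed placeholders.

```python
import http.client
import json
import socket

API_SOCK = "/tmp/firecracker.socket"  # assumed; must match --api-sock


class UnixHTTPConnection(http.client.HTTPConnection):
    """http.client over an AF_UNIX socket: Firecracker exposes no TCP port."""
    def __init__(self, sock_path):
        super().__init__("localhost")
        self.sock_path = sock_path

    def connect(self):
        self.sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        self.sock.connect(self.sock_path)


def token_bucket(size, burst=None):
    """Firecracker bucket: `size` tokens refilled over `refill_time` ms."""
    bucket = {"size": size, "refill_time": 1000}
    if burst is not None:
        bucket["one_time_burst"] = burst  # extra tokens granted once at boot
    return bucket


def microvm_plan(kernel, rootfs, tap="tap0", vcpus=1, mem_mib=128):
    """Ordered requests; InstanceStart is last so a rejected config never boots."""
    disk = {"bandwidth": token_bucket(50 << 20, burst=10 << 20), "ops": token_bucket(2000)}
    net = {"bandwidth": token_bucket(10 << 20)}  # 10 MiB/s per direction (assumed)
    return [
        ("PUT", "/machine-config", {"vcpu_count": vcpus, "mem_size_mib": mem_mib, "smt": False}),
        ("PUT", "/boot-source", {"kernel_image_path": kernel,
                                 "boot_args": "console=ttyS0 reboot=k panic=1 pci=off"}),
        ("PUT", "/drives/rootfs", {"drive_id": "rootfs", "path_on_host": rootfs,
                                   "is_root_device": True, "is_read_only": False,
                                   "rate_limiter": disk}),
        ("PUT", "/network-interfaces/eth0", {"iface_id": "eth0", "host_dev_name": tap,
                                             "guest_mac": "AA:FC:00:00:00:01",
                                             "rx_rate_limiter": net, "tx_rate_limiter": net}),
        ("PUT", "/actions", {"action_type": "InstanceStart"}),
    ]


def apply_plan(plan, sock_path=API_SOCK):
    """Send requests in order; the first non-2xx aborts before the guest starts."""
    conn = UnixHTTPConnection(sock_path)
    for method, path, body in plan:
        conn.request(method, path, json.dumps(body), {"Content-Type": "application/json"})
        resp = conn.getresponse()
        text = resp.read().decode()  # drain the body so the connection stays reusable
        if resp.status // 100 != 2:
            raise RuntimeError(f"{method} {path} -> {resp.status}: {text}")
    return len(plan)
```

Run it as `apply_plan(microvm_plan("/srv/fc/vmlinux", "/srv/fc/rootfs.ext4"))` against a `firecracker --api-sock /tmp/firecracker.socket` process started under `jailer`; the TAP device must already exist on the host.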
## FAQ

**Q:** Can I run Windows guests?
**A:** Not officially. Firecracker targets Linux workloads and intentionally omits devices Windows requires.

**Q:** How do I use Firecracker with containers?
**A:** Use firecracker-containerd or Kata Containers; both present an OCI runtime while launching each pod in a microVM.

**Q:** Does it support live migration?
**A:** Not live migration, but snapshot/restore covers most of the same use cases.

**Q:** What networking options are available?
**A:** TAP devices with a virtio-net front end. Pair with routing, bridging, or a CNI plugin for production setups.

## Sources

- https://github.com/firecracker-microvm/firecracker
- https://firecracker-microvm.github.io/

---

Source: https://tokrepo.com/en/workflows/ccce9812-3907-11f1-9bc6-00163e2b0d79
Author: AI Open Source