Firecracker: Building The EXT4 Filesystem Image

By: Jody Scott 05.14.2019
Firecracker: Building The EXT4 Filesystem Image

In November 2018, Amazon presented Firecracker at AWS Reinvent, a new virtualization and open source technology that enables service owners to operate secure multi-tenant, container-based services by combining the speed, resource efficiency, and performance enabled by containers. This is combined with the security and isolation offered by traditional Virtual Machines (VM).

Firecracker Components

Firecracker uses a virtual machine manager (VMM) based on Linux’s Kernel-based Virtual Machine (KVM). It also provides a RESTful API to create and manage microVMs with any combination of vCPU and memory to match application requirements.

How is Firecracker built?

Firecracker is built with minimal device emulation that enables faster startup time, provides a reduced memory footprint for each microVM, and offers a trusted sandboxed environment for each container. Furthermore, Amazon elected to release Firecracker as an open source project under Apache 2.0.

If you use functions as an Amazon service, you benefit from Firecracker without needing to do anything extra. But if you want to use Firecracker directly, you will need an image and a kernel. Amazon provides an example that you can download but the information on how to build your own is scant. So we wrote a script and put this blog post together to help you.

This will be a three part post covering how to build the EXT4 filesystem, the Linux Kernel (and modules), and finally how to install the Aporeto Enforcerd. This blog entry builds upon the work we did in the first blog entry.

The EXT4 Filesystem

Firecracker requires a filesystem image in the EXT4 format. We want to keep this small. The example that AWS provides is based on Alpine Linux. We have put together a script that runs inside a container and generates an EXT4 filesystem.

As per GitHub’s build instructions, you must run a container using your desired image and do any desired changes such as adding users, configuring networking, and installing applications. After that, you can then execute the script alpine2firecracker. This should generate a ext4 filesystem called rootfs.ext4 and a build log file called build.log. The complete instructions can be found here.

Keep an eye out for the upcoming third and final installment of this series.

Recent Posts Secure Your Cloud Credentials with Identity Federation for Airtight Kubernetes Security Aporeto Launches New Identity Federation Capabilities for Kubernetes Pods & Istio Service Mesh, Delivering Security as Code to Accelerate DevSecOps Easy Application Network Encryption and Access Control Without Re-coding Your Application