Firecracker: How to Build a Linux Kernel

By: Jody Scott 05.07.2019

Amazon pioneered serverless, or lambda, functions a few years ago. Despite the name, the functions do require a server. Originally Amazon chose to run the functions on EC2. The choice of EC2 was a tradeoff, as it reduced the time to get functions to the market at the cost of boot time. Amazon developed Firecracker to address these shortcomings by booting a system in seconds. Furthermore, Amazon elected to release Firecracker as an open source project.

Using Firecracker Directly

If you use functions as an Amazon service then you benefit from Firecracker without needing to do anything. But if you want to use Firecracker directly then you will need an image and a kernel. Amazon provides an example that you can download but the information on how to build your own is scant. So we wrote a script and put this blog post together to help you.

This will be a three-part post covering how to build the EXT4 filesystem, the Linux Kernel (and modules), and finally how to install the Aporeto Enforcerd. Aporeto Enterprise Enforcerd is the container image of the distributed enforcer set that secures cloud applications with API control, network security, runtime protection, and access control capabilities powered by application identity.

Firecracker and Enforcerd

Enforcerd for Docker Engine is the distributed enforcement node component for a set of hosts that are protected by the Aporeto Security platform. enforcerd gives each Docker container its own firewall, with access control via identity derived from the Docker Engine host, Docker labels, and Aporeto network policy. For enforcerd to obtain and enforce network policy, it must be registered with an instance of the Aporeto service. Click here to learn how to install, deploy, and verify enforcerd.

Firecracker requires an uncompressed Linux Kernel with some modules compiled in. Building the kernel is no different from a normal build; we just need to modify the config file. We will also build the kernel modules. This step is only necessary if we require a module that is not compiled into the kernel.

To build the process, click here. If you want to save time, you can download the prebuilt kernel here, and the modules here.
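
An added example, not part of the original post or its build script: a shell check for the two kernel requirements described above, that the needed drivers are compiled in (=y) rather than built as modules, and that the image is an uncompressed ELF vmlinux. The option list, the x86_64 guest (where the uncompressed build output is the ELF file vmlinux), and the sample files are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example. Assumed option list: virtio-mmio transport, virtio block and
# net devices, ext4 root filesystem, 8250 serial console. Adjust to your guest.
REQUIRED_BUILTIN="CONFIG_VIRTIO_MMIO CONFIG_VIRTIO_BLK CONFIG_VIRTIO_NET
CONFIG_EXT4_FS CONFIG_SERIAL_8250_CONSOLE"

# Print the state of one option in a .config: y, m, or unset.
config_state() {   # $1 = .config path, $2 = option name
    line=$(grep -E "^$2=" "$1" | tail -n 1)
    case "$line" in
        "$2=y") echo y ;;
        "$2=m") echo m ;;
        *)      echo unset ;;
    esac
}

# Report every required option that is not built in; non-zero status if any.
audit_config() {   # $1 = .config path
    bad=0
    for opt in $REQUIRED_BUILTIN; do
        state=$(config_state "$1" "$opt")
        if [ "$state" != y ]; then
            echo "$opt: $state (must be =y)"
            bad=1
        fi
    done
    return "$bad"
}

# An uncompressed vmlinux is an ELF file: its first bytes are 0x7f 'E' 'L' 'F'.
is_uncompressed_elf() {   # $1 = kernel image path
    magic=$(od -An -tx1 -N4 "$1" | tr -d ' \n')
    [ "$magic" = "7f454c46" ]
}

# Constructed sample inputs (not a real kernel config or image).
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/config" <<'EOF'
CONFIG_VIRTIO_MMIO=y
CONFIG_VIRTIO_BLK=m
# CONFIG_VIRTIO_NET is not set
CONFIG_EXT4_FS=y
CONFIG_SERIAL_8250_CONSOLE=y
EOF
printf '\177ELF' > "$SAMPLE_DIR/vmlinux"
printf 'not-elf' > "$SAMPLE_DIR/compressed"

audit_config "$SAMPLE_DIR/config" || echo "rebuild with these options set to y"
is_uncompressed_elf "$SAMPLE_DIR/vmlinux" && echo "vmlinux: uncompressed ELF"
is_uncompressed_elf "$SAMPLE_DIR/compressed" || echo "compressed: not an ELF image"
```

Point the two functions at your own `.config` and `vmlinux` before booting; an option reported as `m` is the case where the separately built modules would be needed.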
