firecracker-containerd enables containerd to manage containers as Firecracker microVMs
This repository enables the use of a container runtime, containerd, to manage Firecracker microVMs. Like traditional containers, Firecracker microVMs offer fast start-up and shut-down and minimal overhead. Unlike traditional containers, however, they can provide an additional layer of isolation via the KVM hypervisor.
Potential use cases of Firecracker-based containers include:
To maintain compatibility with the container ecosystem, where possible, we use container standards such as the OCI image format.
There are several components in this repository that enable containerd to use Firecracker microVMs to run containers:
containerd-shim-runc-v1to create standard Linux containers inside the microVM.
For more detailed information on the components and how they work, see architecture.md.
To support the widest variety of workloads, firecracker-containerd has to work with popular container orchestration frameworks such as Kubernetes and Amazon ECS, so we will work to ensure that the software is conformant or compatible where necessary. The project currently allows you to launch a few containers colocated in the same microVM, and we are exploring how to raise the number of containers. We recently added support for configuring networking at the microVM level with CNI plugins and provide a CNI plugin suitable for chaining called "tc-redirect-tap". Our short term roadmap includes constraining or "jailing" the Firecracker VMM process to improve the host security posture. Our longer-term roadmap includes polishing, packaging, and generally making firecracker-containerd easier to run as well as exploring CRI conformance and compatibility with Kubernetes.
Details of specific roadmap items are tracked in GitHub issues.
For detailed instructions on building and running firecracker-containerd, see the getting started guide and the quickstart guide.
Please use GitHub issues to report problems, discuss roadmap items, or make feature requests.
If you've discovered an issue that may have security implications to users or developers of this software, please do not report it using GitHub issues, but instead follow Firecracker's security reporting guidelines.
Other discussion: For general discussion, please join us in the
channel on the Firecracker Slack.
This library is licensed under the Apache 2.0 License.