April 22, 2021
Yann Léger
@yann_eu
Alisdair Broshar
@AlisdairBroshar
Virtualization is a core component of cloud computing and the key technology to optimize usage of hardware's resources. While it has been around for decades, new innovations continue to improve its efficiency and performance for modern workloads.
In this blog post, we provide a brief overview of virtualization and its history as well as explain how Firecracker and lightweight virtualization are fueling modern deployments. Firecracker is an open-source technology used at Koyeb to power serverless workloads.
This is our first post about virtualization and the container ecosystem. It's also part of our series about Firecracker: our first Firecracker post explains how the technology works, and the second covers why we think it is so great.
Virtualization technology creates multiple isolated environments, also known as virtual machines (VMs), from a single physical resource. The software responsible for this process is known as the hypervisor, or Virtual Machine Monitor (VMM). A hypervisor sits on top of a piece of hardware and distributes its resources to the VMs that the hypervisor generates and manages.
The history of virtualization is rooted in the early days of computing. The first success is commonly placed in the mainframe days of the 1960s. Computer scientists at IBM were seeking to reduce the high cost of running computers and to maximize the efficiency of those computing resources. Their innovations led them to run multiple isolated systems at the same time on the CP-40 system.
There are two types of hypervisors. Type 1 hypervisors are the ones used in the server world, as they are purposely designed for performance. Type 2 hypervisors, on the other hand, are mostly used on PCs, where individuals mostly run standard operating systems.
In the cloud computing industry, Type 1 Hypervisors are the norm. They are used to increase efficiency. At Koyeb, we currently use Fedora CoreOS with Linux KVM and Firecracker as a Type 1 Hypervisor.
As the cloud computing industry heavily relies on virtualization, different kinds of virtualization have emerged within Type 1 hypervisors. There are three main approaches to server virtualization, and all of them have been around since the 2000s.
| | Kernel-level | Paravirtualization | Hardware-assisted |
|---|---|---|---|
| Projects | Linux cgroups, OpenVZ | Xen | KVM and also Xen |
| Guest Kernel | Same as Host | Modified | Standard |
| Security | Low by default | High | High |
| Performance Overhead | Low | Medium | High |
| Boot-time | Milliseconds | 10s of seconds | 10s of seconds |
Kernel-level virtualization
Kernel-level virtualization like Linux cgroups is lightweight and has fast startup times, but it has low security and poor isolation by design. If you want to run multi-tenant workloads, you will need to combine kernel-level isolation with other technology to achieve satisfactory levels of security and isolation. If you want to learn more about kernel-level security, check out Jessie Frazelle's blog post Containers, Security, and Echo Chambers.
Paravirtualization
Paravirtualization uses a modified guest kernel. It provides a high level of security, with more overhead and longer boot times than a kernel-level approach. Paravirtualization like Xen, an open-source hypervisor built into the Linux kernel, still powers a large part of AWS today.
Hardware-assisted virtualization
Hardware-assisted virtualization provides the best isolation for workloads, but it requires the support of the processor, and startup times are longer. KVM is a type of hardware-assisted virtualization. The cloud computing industry heavily relies on this kind of virtualization. Since the 2010s, most IaaS providers have been using this kind of technology thanks to the emergence of specialized instructions on x86 architectures.
VMs using hardware-assisted virtualization are great for enabling multi-tenant workloads by creating truly secure and isolated environments; however, modern apps require even faster startup times and a more efficient distribution of computing resources.
The incentives advancing virtualization technology today remain similar to those decades ago: the quest for even more performant and efficient ways to use physical resources continues.
Today, containers are a popular deployment choice for modern apps because they provide consistent deployments across devices with a standardized unit of software and low resource overhead.
Since the emergence of the container in the early 2010s, the container ecosystem has significantly grown, now consisting of many components divided into several categories such as container images, runtimes, and orchestrators. Simply put:
Even though the ecosystem has flourished, security, isolation, and performance remain a core concern, especially in multi-tenant environments similar to the Koyeb Serverless Platform.
This is where container runtimes come into the picture, since container runtimes are what execute containers. The three main approaches to executing containers in an isolated manner map onto the different types of server virtualization:
Firecracker was designed to run serverless functions and containers securely and efficiently. It is a lightweight virtualization technology that uses Linux KVM to provision and manage microVMs.
KVM transforms Linux into a Type 1 hypervisor that enables you to run multiple isolated environments. Since KVM is built into Linux, it includes all the operating system-level components that a hypervisor needs.
Firecracker microVMs are lighter than VMs run with QEMU thanks to Firecracker's minimalist design. Firecracker is written in Rust, a compiled language that is memory-efficient, stable, and fast. During the design, unnecessary devices and guest functionality were dropped in order to achieve a smaller memory footprint and reduce security risks.
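To make the minimal device model described above concrete, here is an added example (not Koyeb's or Firecracker's own code) that checks the host for hardware-assisted virtualization, as required by the KVM-based approach described earlier, and then defines a microVM through Firecracker's API on its Unix socket using only the pieces the guest actually needs: vCPU count, memory size, a kernel, and a root disk. The socket path and image file names are assumptions; the API endpoints and boot arguments are the ones Firecracker documents.

```python
import http.client
import json
import os
import socket

BOOT_ARGS = "console=ttyS0 reboot=k panic=1 pci=off"  # serial console only, no PCI bus

def cpu_supports_hw_virt(cpuinfo_text):
    """Hardware-assisted virtualization needs VT-x (vmx) or AMD-V (svm) in the CPU flags."""
    for line in cpuinfo_text.splitlines():
        if line.startswith("flags"):
            flags = set(line.split(":", 1)[1].split())
            return bool(flags & {"vmx", "svm"})
    return False

def microvm_steps(kernel_path, rootfs_path, vcpus=1, mem_mib=128):
    """Ordered PUT requests for a minimal microVM: machine size, kernel, root disk, start."""
    return [
        ("/machine-config", {"vcpu_count": vcpus, "mem_size_mib": mem_mib}),
        ("/boot-source", {"kernel_image_path": kernel_path, "boot_args": BOOT_ARGS}),
        ("/drives/rootfs", {"drive_id": "rootfs", "path_on_host": rootfs_path,
                            "is_root_device": True, "is_read_only": False}),
        ("/actions", {"action_type": "InstanceStart"}),
    ]

class UnixHTTPConnection(http.client.HTTPConnection):
    """http.client over AF_UNIX: the Firecracker API listens on a Unix socket, not TCP."""
    def __init__(self, sock_path):
        super().__init__("localhost")
        self.sock_path = sock_path
    def connect(self):
        self.sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        self.sock.connect(self.sock_path)

def launch(sock_path, steps):
    """Refuse to run without KVM, then apply each step; Firecracker answers 204 on success."""
    with open("/proc/cpuinfo") as f:
        hw_virt = cpu_supports_hw_virt(f.read())
    if not (hw_virt and os.path.exists("/dev/kvm")):  # KVM is exposed to userspace as /dev/kvm
        raise RuntimeError("hardware-assisted virtualization (KVM) is not available")
    conn = UnixHTTPConnection(sock_path)
    for path, body in steps:
        conn.request("PUT", path, body=json.dumps(body),
                     headers={"Content-Type": "application/json"})
        resp = conn.getresponse()
        resp.read()
        if resp.status != 204:
            raise RuntimeError(f"PUT {path} returned {resp.status}")
```

Run it as `launch("/tmp/firecracker.socket", microvm_steps("vmlinux.bin", "rootfs.ext4"))` on a host where `firecracker --api-sock /tmp/firecracker.socket` is already running (both paths are hypothetical); for production use, Firecracker's own jailer binary should wrap the process rather than running it bare.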
MicroVM technology enables workloads to be as secure and isolated as hardware-assisted VM solutions while providing the density and speed offered by container technologies. If you want to learn more, you can read our Firecracker MicroVMs: Lightweight Virtualization for Containers and Serverless Workloads or 10 Reasons Why We Love Firecracker MicroVMs blog post.
At Koyeb, we've selected Firecracker to securely run our users' serverless workloads. As a cloud service provider, we rely on Firecracker for multi-tenancy security, fast startup times for scale-to-zero and autoscaling features, and increased density compared to earlier virtualization technologies. Securing and powering serverless deployments, Firecracker is a vital component of the Koyeb stack.
Koyeb is the next-generation and developer-friendly serverless platform where you can deploy web apps and services, APIs, event-driven functions, background workers, and more.
See the benefits of going serverless, get started with a free account today!
Here are some useful resources to get you started:
If you want to learn more about Firecracker and microVMs, check out our Firecracker MicroVMs: Lightweight Virtualization for Containers and Serverless Workloads and 10 Reasons Why We Love Firecracker MicroVMs blog posts.