Commit 57d730c

📃 docs(architecture design doc): translated the architecture design document into Chinese
1 parent dad0f3e commit 57d730c

1 file changed: +59, -137 lines

docs/design.md

Lines changed: 59 additions & 137 deletions
@@ -1,181 +1,107 @@
1-
# Firecracker Design
1+
# Firecracker 架构设计
22

3-
## Scope
3+
## 适用范围
44

5-
### What is Firecracker
5+
### 什么是 Firecracker
66

7-
Firecracker is a new virtualization technology that enables customers to deploy
8-
lightweight *micro* Virtual Machines or microVMs. Firecracker microVMs combine
9-
the security and workload isolation properties of traditional VMs with the
10-
speed, agility and resource efficiency enabled by containers. They provide a
11-
secure, trusted environment for multi-tenant services, while maintaining minimal
12-
overhead.
7+
Firecracker 是一项新型虚拟化技术,支持用户部署轻量级 __ 虚拟机(microVM)。该技术融合了传统虚拟机的安全隔离特性与容器技术带来的高速运行、灵活部署及资源高效利用优势,为多租户服务提供安全可靠的环境,同时保持极低的系统开销。
138

14-
The scope of this document is to describe the features and architecture of the
15-
Firecracker virtual machine manager (VMM).
9+
本文档旨在描述 Firecracker 虚拟机管理器(VMM)的功能与架构。
1610

17-
### Features
11+
### 功能
1812

19-
1. Firecracker can safely run workloads from different customers on the same
20-
machine.
21-
1. Customers can create microVMs with any combination of vCPU (up to 32) and
22-
memory to match their application requirements.
23-
1. Firecracker microVMs can oversubscribe host CPU and memory. The degree of
24-
oversubscription is controlled by customers, who may factor in workload
25-
correlation and load in order to ensure smooth host system operation.
26-
1. With a microVM configured with a minimal Linux kernel, single-core CPU, and
27-
128 MiB of RAM, Firecracker supports a steady mutation rate of 5 microVMs per
28-
host core per second (e.g., one can create 180 microVMs per second on a host
29-
with 36 physical cores).
30-
1. The number of Firecracker microVMs running simultaneously on a host is
31-
limited only by the availability of hardware resources.
32-
1. Each microVM exposes a host-facing API via an in-process HTTP server.
33-
1. Each microVM provides guest-facing access to host-configured metadata via the
34-
`/mmds` API.
13+
1. Firecracker 可在同一台机器上安全运行来自不同客户的工作负载。
14+
1. 客户可根据应用需求,自由组合 vCPU(最多 32 个)和内存创建微虚拟机。
15+
1. Firecracker 微虚拟机支持超额分配主机 CPU 和内存资源。超额分配程度由客户自主控制,可结合工作负载相关性与负载进行调整,确保主机系统平稳运行。
16+
1. 配置最小化 Linux 内核、单核 CPU 及 128 MiB 内存的微虚拟机时,Firecracker 支持 1 秒内单个主机核心稳定创建 5 个微虚拟机(例如:36 物理核心的主机可每秒创建 180 个微虚拟机)。
17+
1. 主机上同时运行的 Firecracker 微虚拟机数量仅受硬件资源可用性限制。
18+
1. 每个微虚拟机通过进程内 HTTP 服务器暴露面向主机的 API。
19+
1. 每个微虚拟机通过`/mmds` API 提供面向客户机的访问通道,用于获取主机配置的元数据。
3520

36-
### Specifications
21+
### 规格说明
3722

38-
Firecracker's technical specifications are available in the
39-
[Specifications document](../SPECIFICATION.md).
23+
Firecracker 的技术规格详见[规格说明文档](SPECIFICATION.md)
4024

41-
## Host Integration
25+
## 主机集成
4226

43-
The following diagram depicts an example host running Firecracker microVMs.
27+
下图展示了一个运行 Firecracker 微虚拟机的主机示例。
4428

45-
![Firecracker Host Integration](images/firecracker_host_integration.png?raw=true "Firecracker Host Integration")
29+
![Firecracker主机集成](images/firecracker_host_integration.png?raw=true "Firecracker Host Integration")
4630

47-
Firecracker runs on Linux hosts and with Linux guest OSs (from this point on,
48-
referred to as guests). For a complete list of currently supported kernel
49-
versions, check out the [kernel support policy](kernel-policy.md).
31+
Firecracker 运行于 Linux 主机,并支持 Linux 客户操作系统,guest OSs(下文统称客户系统)。当前支持的完整内核版本列表请参阅[内核支持政策](kernel-policy.md)
5032

51-
In production environments, Firecracker should be started only via the `jailer`
52-
binary. See [Sandboxing](#Sandboxing) for more details.
33+
在生产环境中,Firecracker 仅应通过 `jailer` 二进制程序启动。详情请参阅[沙箱化](#沙箱隔离)
5334

54-
After launching the process, users interact with the Firecracker API to
55-
configure the microVM, before issuing the `InstanceStart` command.
35+
启动进程后,用户需通过 Firecracker API 配置微虚拟机,随后执行 `InstanceStart` 命令。
5636

57-
### Host Networking Integration
37+
### 主机网络集成
5838

59-
Firecracker emulated network devices are backed by TAP devices on the host. To
60-
make use of Firecracker, we expect our customers to leverage on-host networking
61-
solutions.
39+
Firecracker 模拟的网络设备由主机上的 TAP 设备提供支持。为充分利用 Firecracker 功能,我们建议用户采用基于主机的网络解决方案。
6240

63-
### Storage
41+
### 存储
6442

65-
Firecracker emulated block devices are backed by files on the host. To be able
66-
to mount block devices in the guest, the backing files need to be pre-formatted
67-
with a filesystem that the guest kernel supports.
43+
Firecracker 模拟的块设备由主机上的文件支持。为能在客户机中挂载块设备,这些支持文件需预先格式化为客户机内核支持的文件系统。
6844

69-
## Internal Architecture
45+
## 内部架构
7046

71-
Each Firecracker process encapsulates one and only one microVM. The process runs
72-
the following threads: API, VMM and vCPU(s). The API thread is responsible for
73-
Firecracker's API server and associated control plane. It's never in the fast
74-
path of the virtual machine. The VMM thread exposes the machine model, minimal
75-
legacy device model, microVM metadata service (MMDS) and VirtIO device emulated
76-
Net, Block and Vsock devices, complete with I/O rate limiting. In addition to
77-
them, there are one or more vCPU threads (one per guest CPU core). They are
78-
created via KVM and run the `KVM_RUN` main loop. They execute synchronous I/O
79-
and memory-mapped I/O operations on devices models.
47+
每个 Firecracker 进程封装且仅封装一个微虚拟机。该进程运行以下线程:API、VMM 和 vCPU(s)。API 线程负责 Firecracker 的 API 服务器及相关控制平面,其运行路径永远不在虚拟机的快速路径中。VMM 线程提供 machine model、精简的 legacy device model、微虚拟机元数据服务(MMDS)以及 VirtIO 设备仿真网络、块存储和 Vsock 设备,并支持完整的 I/O 速率限制。此外还存在一个或多个 vCPU 线程(每个客户机 CPU 核心对应一个)。这些线程通过 KVM 创建,运行`KVM_RUN`主循环,并在 devices models 上执行同步 I/O 和内存映射 I/O 操作。
8048

81-
### Threat Containment
49+
### 威胁隔离
8250

83-
From a security perspective, all vCPU threads are considered to be running
84-
malicious code as soon as they have been started; these malicious threads need
85-
to be contained. Containment is achieved by nesting several trust zones which
86-
increment from least trusted or least safe (guest vCPU threads) to most trusted
87-
or safest (host). These trusted zones are separated by barriers that enforce
88-
aspects of Firecracker security. For example, all outbound network traffic data
89-
is copied by the Firecracker I/O thread from the emulated network interface to
90-
the backing host TAP device, and I/O rate limiting is applied at this point.
91-
These barriers are marked in the diagram below.
51+
从安全角度出发,所有 vCPU 线程在启动瞬间即被视为运行恶意代码;这些恶意线程必须受到隔离。隔离机制通过嵌套多个信任区域实现,这些区域按信任度递增排列——从最低信任度(客户机 vCPU 线程)到最高信任度(主机)。各受信区域间设置了隔离屏障,用于强制执行 Firecracker 的安全策略。例如,所有外发网络流量数据
52+
均由 Firecracker I/O 线程从模拟网络接口
53+
复制至后端主机 TAP 设备,此时会实施 I/O 速率限制。
54+
下图标注了这些隔离屏障的位置。
9255

93-
![Firecracker Threat Containment](images/firecracker_threat_containment.png?raw=true "Firecracker Threat Containment")
56+
![Firecracker威胁隔离机制](images/firecracker_threat_containment.png?raw=true "Firecracker 威胁隔离机制")
9457

95-
## Components and Features
58+
## 组件与特性
9659

9760
### Machine Model
9861

99-
#### Layout
62+
#### 布局
10063

101-
Firecracker provides guests with storage and network access via emulated VirtIO
102-
Net and VirtIO Block devices. It also exposes a serial console and partial
103-
keyboard controller, the latter being used by guests to reset the VM (either
104-
soft or hard reset). Within Firecracker, the purpose of the I8042 device is to
105-
signal the microVM that the guest has requested a reboot.
64+
Firecracker 通过模拟的 VirtIO 网络设备和 VirtIO 块设备为客户机提供存储和网络访问。它还暴露了串行控制台和部分键盘控制器,后者用于客户机重置虚拟机(软重置或硬重置)。在 Firecracker 中,I8042 设备的作用是向微虚拟机发出信号,表明客户机已请求重启。
10665

107-
In addition to the Firecracker provided device models, guests also see the
108-
Programmable Interrupt Controllers (PICs), the I/O Advanced Programmable
109-
Interrupt Controller (IOAPIC), and the Programmable Interval Timer (PIT) that
110-
KVM supports.
66+
除 Firecracker 提供的设备模型外,客户机还能识别 KVM 支持的可编程中断控制器(PIC)、I/O 高级可编程中断控制器(IOAPIC)以及可编程间隔计时器(PIT)。
11167

112-
#### Exposing the CPU to the guest
68+
#### 向客户机暴露 CPU 信息
11369

114-
Firecracker allows control of what processor information is exposed to the guest
115-
by using [CPU templates](cpu_templates/cpu-templates.md). CPU templates can be
116-
set via the Firecracker API. Users can choose from existing static CPU templates
117-
and/or creating their own custom CPU templates.
70+
Firecracker 允许通过[CPU 模板](cpu_templates/cpu-templates.md)控制向客户机暴露的处理器信息。CPU 模板可通过 Firecracker API 设置,用户既可选择现有静态 CPU 模板,也可创建自定义 CPU 模板。
11871

119-
#### Clocksources available to guests
72+
#### 提供给客户机的时钟源
12073

121-
Firecracker only exposes kvm-clock to customers.
74+
Firecracker 仅向客户机暴露 kvm-clock 时钟源。
12275

123-
### I/O: Storage, Networking and Rate Limiting
76+
### I/O:存储、网络与速率限制
12477

125-
Firecracker provides VirtIO/block and VirtIO/net emulated devices, along with
126-
the application of rate limiters to each volume and network interface to make
127-
sure host hardware resources are used fairly by multiple microVMs. These are
128-
implemented using a token bucket algorithm based on two buckets. One is
129-
associated with the number of operations per second and the other one with the
130-
bandwidth. The customer can create and configure rate limiters via the API by
131-
specifying token bucket configurations for ingress and egress. Each token bucket
132-
is defined via the bucket size, I/O cost, refill rate, maximum burst, and
133-
initial value. This enables the customer to define flexible rate limiters that
134-
support bursts or specific bandwidth/operations limitations. For vhost-user
135-
devices, customers should implement rate limiting on the side of the vhost-user
136-
backend that they provide.
78+
Firecracker 提供 VirtIO/block 和 VirtIO/net 模拟设备,并为每个卷和网络接口应用速率限制器,确保多台微虚拟机公平使用主机硬件资源。这些限制器基于双桶的令牌桶算法实现: 其中一个桶关联每秒操作次数,另一个则关联带宽。为入站(ingress)和出站(egress)指定令牌桶配置,客户可以通过 API 创建和配置速率限制器。每个令牌桶通过桶容量、I/O 成本、补充速率、最大突发量及初始值进行定义。这使客户能够灵活配置支持突发模式或特定 带宽/操作 限制的速率限制器。对于 vhost-user 设备,客户需在其提供的 vhost-user 后端侧实现速率限制功能。
13779

138-
### MicroVM Metadata Service
80+
### 微虚拟机元数据服务
13981

140-
Firecracker microVMs expose access to a minimal MicroVM-Metadata Service (MMDS)
141-
to the guest through the API endpoint. The metadata stored by the service is
142-
fully configured by users.
82+
Firecracker 微虚拟机通过 API 端点向客户机提供对精简版微虚拟机元数据服务(MMDS)的访问权限。该服务存储的元数据完全由用户配置。
14383

144-
### Sandboxing
84+
### 沙箱隔离
14585

146-
#### __Firecracker process__
86+
#### **Firecracker 进程机制**
14787

148-
Firecracker is designed to assure secure isolation using multiple layers. The
149-
first layer of isolation is provided by the Linux KVM and the Firecracker
150-
virtualization boundary. To assure defense in depth, Firecracker should only run
151-
constrained at the process level. This is achieved by the following: seccomp
152-
filters for disallowing unwanted system calls, cgroups and namespaces for
153-
resource isolation, and dropping privileges by jailing the process. Seccomp
154-
filters are automatically installed by Firecracker, while for the latter, we
155-
recommend starting Firecracker with the `jailer` binary that's part of each
156-
Firecracker release.
88+
Firecracker 采用多层隔离机制确保安全防护。
89+
第一层隔离由 Linux KVM 与 Firecracker 虚拟化边界共同实现。
90+
为达成深度防御目标,Firecracker 仅应在进程层级运行受限程序。具体实现方式为:通过 seccomp 过滤器禁止非必要系统调用,利用 cgroups 和命名空间实现资源隔离,并通过进程监狱(jailing)机制削减特权。seccomp 过滤器由 Firecracker 自动安装,而对于后两项隔离机制,我们建议使用随每个 Firecracker 版本发布的 `jailer` 二进制文件启动 Firecracker。
15791

15892
##### Seccomp
15993

160-
Seccomp filters are used by default to limit the host system calls Firecracker
161-
can use. The default filters only allow the bare minimum set of system calls and
162-
parameters that Firecracker needs in order to function correctly.
94+
Seccomp 过滤器默认用于限制 Firecracker 可调用的主机系统调用。默认的过滤器仅允许 Firecracker 正常运行所必需的最少系统调用及其参数。
16395

164-
The filters are loaded in the Firecracker process, on a per-thread basis, before
165-
executing any guest code.
96+
这些过滤器会在执行任何客户机代码前,以线程为单位加载到 Firecracker 进程中。
16697

167-
For more information, check out the [seccomp documentation](seccomp.md).
98+
更多信息请参阅[seccomp 文档](seccomp.md)
16899

169-
#### __Jailer process__
100+
#### **监狱管理进程**
170101

171-
The Firecracker process can be started by another `jailer` process. The jailer
172-
sets up system resources that require elevated permissions (e.g., cgroup,
173-
chroot), drops privileges, and then exec()s into the Firecracker binary, which
174-
then runs as an unprivileged process. Past this point, Firecracker can only
175-
access resources that a privileged third-party grants access to (e.g., by
176-
copying a file into the chroot, or passing a file descriptor).
102+
Firecracker 进程可由另一个`监狱管理`进程启动。监狱管理进程会配置需要提升权限的系统资源(如 cgroup、chroot),降级自身权限,然后通过 exec()调用进入 Firecracker 二进制文件,使其作为无特权进程运行。在此之后,Firecracker 只能访问由具有特权的第三方授予访问权限的资源(例如,通过将文件复制到 chroot 环境中,或传递文件描述符)。
177103

178-
##### Cgroups and Quotas
104+
##### 控制组(Cgroups)与 配额(Quotas
179105

180106
Each Firecracker microVM can be further encapsulated into a cgroup. By setting
181107
the affinity of the Firecracker microVM to a node via the cpuset subsystem, one
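Review bot: the link target on the `23+` line (`[规格说明文档](SPECIFICATION.md)`) drops the `../` that the removed line had (`[Specifications document](../SPECIFICATION.md)`); since this file lives under `docs/`, the relative path must stay `../SPECIFICATION.md` or the link breaks. Several other spots in this hunk need a follow-up: the `7+` line renders `轻量级 __ 虚拟机(microVM)` with an empty emphasis marker and no word for *micro* (the source had `*micro* Virtual Machines`), so it should read along the lines of `轻量级*微*虚拟机(microVM)`; the `102+` line translates the binary name inside a code span (`` `监狱管理` ``) while the `33+` and `90+` lines keep `` `jailer` ``, so the identifier should stay `jailer` everywhere; the `104+` heading `##### 控制组(Cgroups)与 配额(Quotas` is missing its closing parenthesis; and the paragraphs spread over the `51+`..`54+` and `88+`..`90+` lines will render with a space wherever a soft line break falls between Chinese characters, so they are better kept on one line each, as the rest of the translation does. Minor: the `33+` line links to `#沙箱隔离` with the text 沙箱化 while the heading on the `84+` line reads 沙箱隔离; using one term in both places keeps the cross-reference readable.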
@@ -185,11 +111,7 @@ resources. In addition to setting the affinity, each Firecracker microVM can
185111
have its own dedicated quota of the CPU time via the cpu subsystem, thus
186112
guaranteeing that resources are fairly shared across Firecracker microVMs.
187113

188-
### Monitoring
114+
### 监控
189115

190-
Firecracker emits logs and metric counters, each on a named pipe that is passed
191-
via the API. Logs are flushed line by line, whereas metrics are emitted when the
192-
instance starts, then every 60 seconds while it's running, and on panic.
193-
Firecracker customers are responsible for collecting data in the Firecracker log
194-
files. In production builds, Firecracker does not expose the serial console
195-
port, since it may contain guest data that the host should not see.
116+
Firecracker 会输出日志和指标计数器,各自通过一个经由 API 传入的命名管道进行传输。日志按行逐行刷新,而指标在实例启动时输出,运行期间每 60 秒输出一次,并在发生恐慌时输出。
117+
Firecracker 客户需自行负责收集 Firecracker 日志文件中的数据。在生产环境中,Firecracker 不会暴露串行控制台端口,因其可能包含主机不应访问的客户机数据。
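Review bot: on the `116+` line, 并在发生恐慌时输出 renders the term *panic* literally; here it names the process abort that triggers the final metrics flush, so keeping the technical term recognisable (e.g. 在进程 panic 时输出) is clearer for readers who will see "panic" in the logs. On the `117+` line, 在生产环境中 reads as "in production environments", but the removed line says "In production builds", which refers to the build of the Firecracker binary rather than to where it is deployed; 在生产构建版本中 would preserve that distinction. Splitting this paragraph across the `116+`/`117+` lines is harmless on GitHub but inconsistent with the rest of the file, which keeps one paragraph per line.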
