
[Feature Request] Running a Linux binary without supplying a new VM or OS

Open srobertjames opened this issue 3 years ago • 5 comments

Feature Request

A picture is worth a thousand words:

# Hypothetical use case - not implemented
$ wget https://...untrusted-linux-executable
$ firecracker -ro='/' ./untrusted-linux-executable
Hi! I'm your untrusted-linux-executable, running on firecracker

For many use cases, the existing host OS has the kernel and all libs needed; if the Firecracker guest can have read-only access to them, we can skip the step of providing a VM image, kernel, libs, etc.

I'd like to be able to run an untrusted executable via firecracker without having to provide it any special files or images.

Is this doable now? If so, how (I wasn't able to figure it out). If not, it would be a great feature.

Describe the desired solution

Included above

Describe possible alternatives

1: A script to set up the root fs as read only for firecracker and launch a bin within it
2: Dedicated files that are known to be the minimal needed to run Linux, plus a script to automate this

[Author TODO: How do you work around not having this feature?]

Copying dedicated files for each instance

Additional context

[Author TODO: Add additional context about this feature request here.]

Checks

  • [X] Have you searched the Firecracker Issues database for similar requests?
  • [X] Have you read all the existing relevant Firecracker documentation?
  • [X] Have you read and understood Firecracker's core tenets?

Note that I am very new to Firecracker -- if I'm misunderstanding something, please clarify.

srobertjames avatar Feb 02 '22 23:02 srobertjames

I'll add as an alternative: firejail works this way, but has much less security, and I believe worse performance, than firecracker.

srobertjames avatar Feb 02 '22 23:02 srobertjames

How would firecracker know the path to the current kernel though? What if the current kernel is not compatible with Firecracker (compressed etc)? How would any arbitrary initrd be configured to launch an application?

I love this user story, but I can't see a way to make it technically feasible without shipping a kernel & making a ton of assumptions that make it no longer generally useful.

twitchyliquid64 avatar Feb 03 '22 22:02 twitchyliquid64

Hi @srobertjames,

> Is this doable now? If so, how (I wasn't able to figure it out). If not, it would be a great feature.

This is not possible just with Firecracker. Still, using the current Firecracker APIs one can add an additional layer, like a script, plus a microVM kernel and a rootfs, and implement the user story that you described.

Thanks!

raduiliescu avatar Feb 09 '22 17:02 raduiliescu

This all makes sense. Would it be possible to include a sample script to do that? This would be very useful for many, and would help those new to firecracker understand what a minimal deployment looks like.

srobertjames avatar Feb 09 '22 17:02 srobertjames

Such a script would need to be tailored per use case, and we would let the community develop it as 3rd party tools. For example, if your untrusted-linux-executable is just for a simple command working just with STDIN/STDOUT like an "echo", you can create a rootfs where the untrusted-linux-executable would be run at init, input will be given in a file, and you can use firectl to run the microVM with that rootfs.

If you would like to run any executable, maybe you should think about packaging it into a container that will run in a microVM. You can take a look at firecracker-containerd, or other community developments like WeaveWorks Firekube, and KataContainers that run containers in Firecracker.

raduiliescu avatar Feb 10 '22 13:02 raduiliescu
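
One way to build what the comment above outlines (a rootfs whose init runs the executable with its input taken from a file, booted with firectl), as an added example that is not part of the thread or of the Firecracker project. It assumes a statically linked executable, a static busybox binary on the host, an uncompressed guest kernel, and e2fsprogs with `mkfs.ext4 -d`; the function names and the file names inside the image are made up for this sketch.

```shell
#!/bin/sh
# Added sketch, not from the thread. Assumes: a statically linked job binary,
# a static busybox on the host, an uncompressed guest kernel (vmlinux), and
# e2fsprogs with "mkfs.ext4 -d". File names inside the image are made up here.
set -e

# Populate a staging directory: the binary, its input, and an init that runs it.
stage_rootfs() {   # stage_rootfs <staging-dir> <binary> <input-file> <busybox>
    stage=$1
    mkdir -p "$stage/bin" "$stage/dev"
    cp "$2" "$stage/job"
    cp "$3" "$stage/input"
    cp "$4" "$stage/bin/busybox"
    ln -sf busybox "$stage/bin/sh"
    # init feeds the input file on STDIN, reports the exit status on the serial
    # console, then forces a reboot; with reboot=k on x86_64 that ends the VM.
    cat > "$stage/init" <<'EOF'
#!/bin/sh
/job < /input
echo "job exit status: $?"
exec /bin/busybox reboot -f
EOF
    chmod 0555 "$stage/job" "$stage/bin/busybox" "$stage/init"
}

# Pack the staging directory into an ext4 image; needs neither mount nor root.
build_image() {    # build_image <staging-dir> <image> <size-MiB>
    rm -f "$2"
    truncate -s "${3}M" "$2"
    mkfs.ext4 -q -F -d "$1" "$2"
}

# Guest kernel command line: serial console, exit on reboot or panic, our init.
kernel_opts() {
    echo "console=ttyS0 reboot=k panic=1 pci=off init=/init"
}

# Boot the image with firectl. No --tap-device is passed, so the guest has no NIC.
launch() {         # launch <vmlinux> <image>
    firectl --kernel="$1" --root-drive="$2" --ncpus=1 --memory=128 \
        --kernel-opts="$(kernel_opts)"
}

# Usage: sh microvm-run.sh run <binary> <input-file> <busybox> <vmlinux>
if [ "${1:-}" = run ]; then
    work=$(mktemp -d)
    stage_rootfs "$work/stage" "$2" "$3" "$4"
    build_image "$work/stage" "$work/rootfs.ext4" 64
    launch "$5" "$work/rootfs.ext4"
fi
```

The executable's output appears on the serial console that firectl attaches to the terminal, and each run gets a fresh image, so nothing the guest writes persists between runs.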

No action items left here. If any more details are needed, feel free to start a discussion about it.

dianpopa avatar Oct 12 '22 15:10 dianpopa