Profile picture
, 29 tweets, 7 min read
My Authors
Read all threads
I often hear people ask why Kubernetes and Firecracker (FC) can’t just be used together. It seems like an intuitive combination, Kubernetes is popular for orchestration, and Firecracker provides strong isolation boundaries. So why aren’t they compatible yet? Read on 🧵
First a brief explanation of Firecracker. Firecracker is a virtual machine monitor (vmm) written in Rust (read: cool) that was open sourced by AWS in 2018. I _highly_ recommend reading the FC paper for a more thorough explanation of what it is and is not. amazon.science/publications/f…
The short version is that FC prioritizes isolation/security, density, compatibility (w/ Linux APIs), speed, and performance. FC manages VMs and Kubernetes manages containers, and certain Linux container features don’t exactly translate to VMs. We’ll get to specifics shortly
In order to run a microVM (unit of work in FC), you interact the FC API over a unix domain socket. The FC API is restful and you can find the OpenAPI docs online, but the Kubernetes Kubelet (agent) doesn’t know how to talk to this API. github.com/firecracker-mi…
What the Kubelet _does_ know how to do is speak to a CRI API (Container Runtime Interface) to run a pod, or a group of containers together. Then how does Kubernetes talk to a runtime like containerd you ask? Good question! It doesn’t, or at least not directly.
It talks to the cri-containerd plugin embedded in the containerd runtime. containerd has the ability to run plugins, and these plugins can translate requests from other APIs into actions containerd knows how to do github.com/containerd/cri
Since Kubelet only knows CRI and adding support for Kubelet to directly talk to additional runtimes is a non-goal for Kubernetes, this means we need something else between containerd and Firecracker. Enter firecracker-containerd github.com/firecracker-mi…
“Ok so since Kubelet can talk CRI to containerd, and containerd can interact with Firecracker, what is the holdup?” Another astute question. The short answer is that like using Google Translate to go from Farsi to English to Chinese things get lost in translation.
Just like language, there isn’t always a direct translation between defining a Linux container and a microVM. One of the first hurdles is handling the workload lifecycle.
First off, containerd doesn't have a built-in notion of a group of containers today. cri-containerd assembles its own groups by namespace sharing with the pause container (if you've ever run `docker ps` and seen a pause container per pod, this is it)
An approach to getting around this for firecracker-containerd could be when a pause container gets created, Firecracker could create a microVM, boot a Linux image, and start containers inside the VM using runc. (This is how firecracker-containerd works with Fargate)
But because these containers run inside a microVM and due to the lack of grouping, there isn’t an explicit event signaling that the whole microVM needs to be torn down. So again, we would have to infer this from the pause container.
This would give us the following path for managing the VM lifecycle:
kubelet->cri-containerd->containerd->firecracker-containerd->Firecracker
And for the individual container lifecycles:
kubelet->cri-containerd->contanierd->firecracker-containerd->[microVM boundary]->runc
Next, lets talk about Linux containers. A container is not a primitive in Linux, it is composed of cgroups (resource constraints), namespaces (limiting what can be seen), and layered filesystems (think chroot), and all containers on a host share the same kernel.
You can think of a container as a regular Linux process with some extra, optional configuration added to it. You can use some of that configuration without using all of it
When you create a Linux container you don’t have to specify something like CPU or memory limits because without them a container will still work, it just won’t have limits. It will behave like any other non-containerized process and eat as much CPU/memory as the kernel will allow
In order for Firecracker to create a microVM, you must specify resource limits for CPU and memory. (See MachineConfiguration in the FC API) When kubelet talks to a CRI runtime, it first calls RunPodSandbox _without_ the ability to specify sizing information
“But I can set requests and limits on my pod spec don’t I?” You can, but those fields are optional and on a per-container level. In CRI these values are communicated on subsequent CreateContainer calls referencing a pre-created PodSandbox
github.com/kubernetes/cri…
This, critically, is the second point of contention for putting all the pieces together. We really need the kubelet to be able to specify the whole pod size (CPU and Memory) up front. The short explanation is that CRI is modeled around Linux containers, not microVMs.
We (AWS) have had conversations with the folks responsible for maintaining containerd and CRI about this, but a long term solution that fits microVM requirements has not been figured out yet. If this interests you, please join in the conversation!
So let’s wave our magic wand and say CRI gets updated to specify the whole pod size up front, or there is some MutatingAdmissionController that annotates the pod with that information and it gets plumbed down into the runtime, why is that not enough?
Well again, kubelet is closely modeled around Linux containers, and so lots of functionality is also tied to that. Remember the note above about how Firecracker prioritizes isolation? That extends to storage. From the Firecracker paper:
What this is saying is “We can’t guarantee the security of a shared filesystem, so we just don’t share one.” The first obvious implication of this is that hostMount volumes won’t work in Kubernetes. Less obvious is that most other volume drivers won’t work either.
At least not at first. Particularly painful would be the initial inability for kubelet to mount secrets, configMaps, ServiceAccount tokens, in-tree NFS, and more. The kubelet performs all these by using the mount syscall and sharing host files or directories into the container.
Now most of these things can be overcome, but the channel between the kubelet and the container wouldn’t be syscalls manipulating a shared kernel and filesystem (between the kubelet and the pod container).
While FC doesn’t share a filesystem with guests, a socket can be created so that a host agent and guest agent can communicate and perform actions like file or secret injection.
Note that you can use Kubernetes today with Kata containers, and Kata has some limited support for using Firecracker as a VMM to run containers, but it is still limited by the above issues and doesn’t support CPU/Memory limits or shared files.
github.com/kata-container…
firecracker-containerd is written by good folks like @samuelkarp @nmeyerhans @mak_pav and others. For a deeper dive into the technical bits of all this and other challenges, watch this great talk Sam gave at DockerCon 2019 about firecracker-containerd.
To sum it up: CRI doesnt let you specify resources upfront, grouping isnt supported in containerd, host file sharing for a microVM doesnt work like kubelet expects. These are surmountable, but community willingness and contribution will be required. Id love to see it happen! /end
Missing some Tweet in this thread? You can try to force a refresh.

Enjoying this thread?

Keep Current with Micah Hausler

Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!

Twitter may remove this content at anytime, convert it as a PDF, save and print for later use!

Try unrolling a thread yourself!

how to unroll video

1) Follow Thread Reader App on Twitter so you can easily mention us!

2) Go to a Twitter thread (series of Tweets by the same owner) and mention us with a keyword "unroll" @threadreaderapp unroll

You can practice here first or read more on our help page!

Related threads

Profile picture
Patrick McKenzie
@patio11
Doing a livestream on Pioneer listening to entrepreneurs/etc demo their projects, and it sort of feels like living in the future to hear people in Malaysia, Australia, SF, EST in US, etc all synchronously work together on an event.

pioneer.app/livestream if interesting.
And thank goodness there will be a recording because while synchronous value creation is great one of the best things about the Internet is that it has practically infinite recall.
(Somebody please fix the problem that is "Video is much easier to create than text but much more difficult to remix/etc than text is.")
Read 3 tweets
Profile picture
Jake Burt
@JBurtBooks
So, with all the AMERICAN DIRT controversy going on, I thought I’d post a little thread about how I was nearly THAT AUTHOR, and how I learned not to be. I’ll title it “I’M WHITING A BOOK!” or “TOSS A COIN TO YOUR SENSITIVITY READER”
Back in 2015, I was hard at work on my second novel, THE RIGHT HOOK OF DEVIN VELMA. It’s set in Los Angeles, and it’s about friendship and fame in the age of social media. My two protagonists were PoC.

Oh, and in case it’s not obvious from my profile picture, I’m Caucasian.
At the time, I thought I was writing with the best of intentions (don’t we all?). I’ve since learned that I was MISintentioned, and I want to talk about how I learned that, so that other folks can too.
Read 23 tweets
Profile picture
Kirby Sommers
@KirbySommers
#Epstein #Maxwell #MEGA

After researching the Jeffrey Epstein case since his arrest in July I finally connected the missing dot.

Jeffrey Epstein was the super top secret mossad spy whose code name was "MEGA."

I did this b/c I was a victim, now a survivor of a wealthy
and powerful predator who has ties with Leslie Wexner, Bill Clinton, and really every single wealthy person and president since Kennedy.

I know what the Epstein victims feel like when someone steals something from you that you need to become a whole person.
Many of Epstein's victims never recovered. Those that have been brave enough to stand forward are still recovering. All they wanted was justice.

To face their abuser in a court of LAW and to feel vindicated.

That as we all know was denied to the many girls, now women,
Read 6 tweets
Profile picture
Rosemary Mosco
@RosemaryMosco
What kills me about this all-male video is that I hear people ask where the female equivalent of Bill Nye or Carl Sagan is hiding. And the thing is, she's not hiding. Twitter is PACKED with amazing women who make science videos, books, art, comics. They're right here. Hear them.
I mean holy crow, we've got videos by @ehmee and @zentouro and podcasts from @Ologies and @sciencevs and @Gastropodcast and books by @beatricebiology and @mary_roach and there are SO MANY OF YOU rocking science twitter, like @drmichellelarue and @AstroKatie and and and and and
I follow almost 1000 people and fully half of them are brilliant women who are scientists or science communicators or actors or speakers or musicians or writers or artists some combination thereof. And there are SO MANY MORE, I just don't have the bandwidth to follow everybody!
Read 4 tweets
Profile picture
{🌟}ᏕᏬᏕᎯᏁ🦋ᎯℒℐЅ ᏉᎾℒᎯT ℙℛᎾℙℛℐℐЅ🦋
@My2CentsGritXO
Americans want to be popular & on the edge of fashion / technology etc . That people will bring devices into theirhomes 🏡. Allowing themselves to be listened too at will .
Facial recognition selfies. Now we all know the reason behind them.Yet no one will stop using them .
People are so consumed with LOOKING good to others .. never realizing they fall into the trap of what society deems ... right .
#clothes - #homes - #cars - #schools - etc

Who are the #people telling the rest of us how & what we should have to look like we are successful.
Yet If we get mad 😡 or upset 😠 & start to ask questions —demand justice for America.Demand we stop being used for our resources. ( WELFARE )

People call use names bigot - racist - sexist - etc

They say if we love our COUNTRY we are somehow the extreme.

Hold fast & STAND 🆙
Read 6 tweets
Profile picture
Fyre Guts
@fyre_guts
More than 4 years after it started, I often hear people ask what #GamerGate is, and many around them won't know, either. I’ve been part of GamerGate since August 2014, so I can provide a summary of it. 1/
An anti-gamer bias was present in the media long before GamerGate, with Grand Theft Auto being blamed for mass shootings, and gamers being called "entitled" for disliking the poorly rebooted DmC. The strongest anti-gamer stance was taken by journalists at gaming publications 2/
like Kotaku, Polygon, Ars Technica, Gamasutra, among others. No one expected gaming outlets to bear so much hatred toward video game culture when Eron Gjoni's famous blog post went public. Eron described his struggle with his then girlfriend, Zoe Quinn, who had gaslighted him 3/
Read 15 tweets

Trending hashtags

#consent #k8s #UnitedStates #praise #reality #preventpanic #RightofthePeople #BaalI #executive #Youth #Teach #solidarity #nation #corrupt #veneer #ACQUISITIONS #Empowerment #TOWN #LOUDANDCLEAR #SpaceForce #FREEDOM #political #consequences #security #establishment

Embed code for your website

×
Follow Us on Twitter!

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just three indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3.00/month or $30.00/year) and get exclusive features!

Become Premium

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!