Firecracker: A lightweight micro-VM for serverless applications

Virtualization/Containerization Operating Systems Reading Notes

Introduction

Serverless containers and functions

Options

Trade-offs and considerations from industry

  1. Soft allocation and oversubscription: the host should be able to over-commit CPU and memory, with each microVM consuming only the resources its function actually uses rather than everything it was configured with.

Personal thoughts

Extended reading

  1. This article mentions that seccomp-bpf provides the most important security isolation boundary for Linux containers. I feel it is worthwhile to explore this area a bit more: https://www.kernel.org/doc/html/v4.19/userspace-api/seccomp_filter.html, https://en.wikipedia.org/wiki/Seccomp, https://en.wikipedia.org/wiki/Berkeley_Packet_Filter
  2. gVisor: https://gvisor.dev/
  3. Xen and the art of virtualization: https://www.cl.cam.ac.uk/research/srg/netos/papers/2003-xensosp.pdf
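A concrete seccomp-bpf allow-list, as an added example that is not part of these notes, the paper, or the Firecracker project (Firecracker's jailer applies filters of this shape to the VMM process, but this is not its code). It builds a classic-BPF program that checks the architecture, allows a short list of syscall numbers, and answers every other syscall with EPERM, then installs it in a forked child and probes what happens to `getppid` inside and outside the list. Assumptions: Linux on x86_64 or aarch64 with CONFIG_SECCOMP_FILTER; the names `install_allowlist`, `probe_getppid_under`, `EXIT_ONLY` and `EXIT_AND_GETPPID` are this example's own.

```c
/* Added example: minimal seccomp-bpf syscall allow-list (not Firecracker code).
 * Linux-only; uses the uapi headers linux/seccomp.h, linux/filter.h, linux/audit.h. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

#ifndef SECCOMP_RET_KILL_PROCESS           /* older uapi headers only have _KILL */
#define SECCOMP_RET_KILL_PROCESS SECCOMP_RET_KILL
#endif

#if defined(__x86_64__)
#define ARCH_NR AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define ARCH_NR AUDIT_ARCH_AARCH64
#else
#error "this example only covers x86_64 and aarch64"
#endif

/* Build and install an allow-list filter for the calling thread.
 * Generated cBPF layout (n = number of allowed syscalls):
 *   0        load seccomp_data.arch
 *   1        if arch != ARCH_NR  -> KILL   (a 32-bit ABI would renumber syscalls)
 *   2        load seccomp_data.nr
 *   3..3+n-1 if nr == allowed[i] -> ALLOW
 *   3+n      return ERRNO(EPERM)          (default: deny but keep the process alive)
 *   4+n      return ALLOW
 *   5+n      return KILL_PROCESS
 * Returns 0 on success, -1 with errno set on failure. */
static int install_allowlist(const int *allowed, size_t n)
{
    if (n > 200) { errno = E2BIG; return -1; }    /* jt/jf are 8-bit offsets */
    size_t len = n + 6;
    struct sock_filter *insn = calloc(len, sizeof *insn);
    if (!insn) return -1;

    insn[0] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS,
                                           offsetof(struct seccomp_data, arch));
    insn[1] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, ARCH_NR,
                                           0, (unsigned char)(n + 3));
    insn[2] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS,
                                           offsetof(struct seccomp_data, nr));
    for (size_t i = 0; i < n; i++)   /* jump distance to ALLOW shrinks by one each row */
        insn[3 + i] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K,
                                                   (unsigned int)allowed[i],
                                                   (unsigned char)(n - i), 0);
    insn[3 + n] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K,
                                               SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA));
    insn[4 + n] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW);
    insn[5 + n] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS);

    struct sock_fprog prog = { .len = (unsigned short)len, .filter = insn };
    int rc = 0;
    /* NO_NEW_PRIVS is required to install a filter without CAP_SYS_ADMIN and
     * also stops the filtered process from regaining privilege via setuid execs. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0 ||
        prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) != 0)
        rc = -1;
    int saved = errno;
    free(insn);                 /* the kernel keeps its own copy of the program */
    errno = saved;
    return rc;
}

/* Fork a child, install the allow-list there, and have it attempt getppid().
 * Returns 0 if the call went through, the errno the filter injected (EPERM)
 * if it was denied, or -1 if the child could not install the filter at all. */
static int probe_getppid_under(const int *allowed, size_t n)
{
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        if (install_allowlist(allowed, n) != 0) _exit(255);
        /* From here on only allow-listed syscalls execute; _exit needs exit_group/exit. */
        long r = syscall(SYS_getppid);
        _exit(r == -1 ? (errno & 0xff) : 0);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) != pid || !WIFEXITED(status)) return -1;
    int code = WEXITSTATUS(status);
    return code == 255 ? -1 : code;
}

/* Two example policies (this example's own, not Firecracker's real filter). */
static const int EXIT_ONLY[]        = { SYS_exit_group, SYS_exit };
static const int EXIT_AND_GETPPID[] = { SYS_exit_group, SYS_exit, SYS_getppid };
#define EXIT_ONLY_LEN        (sizeof EXIT_ONLY / sizeof EXIT_ONLY[0])
#define EXIT_AND_GETPPID_LEN (sizeof EXIT_AND_GETPPID / sizeof EXIT_AND_GETPPID[0])

int main(void)
{
    printf("getppid under {exit_group, exit}:          errno %d\n",
           probe_getppid_under(EXIT_ONLY, EXIT_ONLY_LEN));
    printf("getppid under {exit_group, exit, getppid}: errno %d\n",
           probe_getppid_under(EXIT_AND_GETPPID, EXIT_AND_GETPPID_LEN));
    return 0;
}
```

The default action is SECCOMP_RET_ERRNO rather than a kill so that a denied call surfaces as an ordinary EPERM the program can report; a production filter like Firecracker's would normally kill on unexpected syscalls, and the architecture check at the top is what prevents a process from reaching a different syscall table by switching ABI.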

References