Amazon gifts little VM cracker – Docker and K8s up to you

Amazon has unleashed Firecracker – tiny, lightweight virtual machine technology the cloud giant had built and deployed for its own Lambda and Fargate managed container service.

This microVM service lets customers deploy serverless applications using minimalist, short-lived containers that developers can spin up and destroy faster than regular VMs.

Firecracker uses the Linux Kernel-based Virtual Machine (KVM) to launch lightweight microVMs in non-virtualised environments.

It does this, AWS claims, in a “fraction of a second” while offering the full – ahem – security of a regular VM along with the resource efficiency of containers.

It foregoes many services and guest-facing features to produce 5Mb microVMs that spin up in around 125ms (this will get faster next year, Amazon says). Each microVM also includes a rate limiter that optimises resource sharing across thousands of the tiny software machines.

Firecracker microVMs run in user space outside the host kernel, accessed via a REST API to control basic microVM processes.

Guests see only a network and block I/O device, along with a Programmable Interval Timer, the KVM clock, a serial console, and a partial keyboard for system resets. It locks down system processes using cgroups, the process limitation feature introduced into the Linux kernel ten years ago. It provides no support for graphics or other accelerators and no hardware pass-through; it only works with very recent kernels, and only with specific compilation options.
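As an added example (not code from the article or from the Firecracker project), here is a small Python client that drives the REST API described above over its Unix socket: it configures a microVM with a read-only root drive and a per-interface rate limiter, then issues the start action. Endpoint paths and field names follow Firecracker's published API; the socket and image paths are placeholders.

```python
import http.client
import json
import socket


def microvm_requests(kernel, rootfs, tap="tap0", vcpus=1, mem_mib=128, bytes_per_sec=10_000_000):
    """Ordered (method, path, body) calls: every configuration PUT precedes InstanceStart."""
    # Token bucket: `size` bytes refilled every `refill_time` ms gives the sustained rate.
    bucket = {"size": bytes_per_sec // 10, "refill_time": 100}
    return [
        ("PUT", "/machine-config", {"vcpu_count": vcpus, "mem_size_mib": mem_mib}),
        ("PUT", "/boot-source", {"kernel_image_path": kernel,
                                 "boot_args": "console=ttyS0 reboot=k panic=1 pci=off"}),
        # Read-only root so a compromised guest cannot persist changes to the image.
        ("PUT", "/drives/rootfs", {"drive_id": "rootfs", "path_on_host": rootfs,
                                   "is_root_device": True, "is_read_only": True}),
        # Per-interface limiter in both directions, the same bucket each way.
        ("PUT", "/network-interfaces/eth0", {"iface_id": "eth0", "host_dev_name": tap,
                                             "rx_rate_limiter": {"bandwidth": bucket},
                                             "tx_rate_limiter": {"bandwidth": bucket}}),
        ("PUT", "/actions", {"action_type": "InstanceStart"}),
    ]


class UnixHTTPConnection(http.client.HTTPConnection):
    """http.client over the Unix domain socket the Firecracker API listens on."""
    def __init__(self, path):
        super().__init__("localhost")
        self.unix_path = path

    def connect(self):
        self.sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        self.sock.connect(self.unix_path)


def launch(sock_path, calls):
    """Send the calls in order; stop at the first non-2xx reply so a half-configured VM never starts."""
    statuses = []
    for method, path, body in calls:
        conn = UnixHTTPConnection(sock_path)
        conn.request(method, path, body=json.dumps(body),
                     headers={"Content-Type": "application/json", "Accept": "application/json"})
        statuses.append(conn.getresponse().status)
        conn.close()
        if not 200 <= statuses[-1] < 300:
            break
    return statuses


if __name__ == "__main__":  # constructed placeholder paths; adjust to the host setup
    print(launch("/tmp/firecracker.socket", microvm_requests("/path/to/vmlinux", "/path/to/rootfs.ext4")))
```

Firecracker answers each successful configuration call with 204 No Content, so a non-2xx status in the returned list marks the call that was rejected.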

Firecracker doesn’t work with the Kubernetes container orchestration system, Docker containers or OpenStack’s Kata Containers. The latter isn’t surprising, because Firecracker effectively competes with Kata and QEMU, the underlying emulator platform that supports it.

AWS has bowled out Firecracker under an open-source Apache 2.0 license, seemingly in the expectation that others will pick up this particular piece of slack. According to the AWS FAQ:

“We hope that others in the communities that build open source container technology find it useful. We are working to make Firecracker integrate naturally with the container ecosystem, with the goal to provide seamless integration in the future to provide more choices in how container workloads are isolated.”

Firecracker is the latest development in Amazon’s growing serverless smorgasbord that started with Lambda function-as-a-service in 2014 and saw Fargate released last year, for developers to launch containers without worrying about underlying server infrastructure.

According to AWS: “As Lambda grew, we saw the need for technology to provide a highly secure, flexible, and efficient runtime environment for services like Lambda and Fargate. Using our experience building isolated EC2 instances with hardware virtualisation technology, we started an effort to build a VMM that was tailored to integrate with container ecosystems.”

AWS initially used per-customer EC2 instances to support Lambda under the hood, shielding the customer from the hassle of server management (and of course making it easier for Amazon to suck developers further into its cloud). Fargate used Docker containers on EC2 instances.

Firecracker was built to combine efficiency and security when providing serverless compute. While they overlap, virtual machines and containers have their pros and cons. Whereas VMs each run their own kernel, containers frequently share the same set of kernel services. This makes VMs the more secure option, while containers use resources more efficiently. The microVM supposedly provides the best of both worlds.

The open-source project began as an evolution of the crosvm Chrome OS virtual machine monitor, using its support for the Linux KVM interface, although Firecracker development has now diverged, Amazon says.