dm0/Firecracker

Project ID: 82217

Description

Firecracker for Fedora

This is an alternate build of the official Fedora package to provide the full set of security features by building static binaries with musl.

Note the AArch64 package deviates from Fedora's Rust configuration by using some C functions from LLVM's compiler runtime. (Upstream Rust also uses them.) This discrepancy can be resolved when the compiler-builtins crate implements quad math functions.

Installation Instructions

Users only need to install the firecracker package. The other packages in the repository are build dependencies.

To run an example VM, start the API server:

```sh
# Install the package.
sudo dnf -y copr enable dm0/Firecracker
sudo dnf -y install firecracker

# Download an example kernel and disk image to /tmp.
wget -P /tmp \
    https://s3.amazonaws.com/spec.ccfc.min/img/quickstart_guide/x86_64/kernels/vmlinux.bin \
    https://s3.amazonaws.com/spec.ccfc.min/img/quickstart_guide/x86_64/rootfs/bionic.rootfs.ext4

# Run the API server in the foreground.  This will be the serial prompt when the VM starts.
firecracker --api-sock /tmp/firecracker.socket
```

Then use the REST API in another terminal to start the VM. The API requests should return HTTP 204 codes.

```sh
curl --unix-socket /tmp/firecracker.socket -iX PUT 'http://localhost/boot-source' --json '{"kernel_image_path":"/tmp/vmlinux.bin","boot_args":"console=ttyS0 reboot=k panic=1 pci=off"}'
curl --unix-socket /tmp/firecracker.socket -iX PUT 'http://localhost/drives/rootfs' --json '{"drive_id":"rootfs","path_on_host":"/tmp/bionic.rootfs.ext4","is_root_device":true,"is_read_only":false}'
curl --unix-socket /tmp/firecracker.socket -iX PUT 'http://localhost/machine-config' --json '{"vcpu_count":2,"mem_size_mib":1024}'  # optional
curl --unix-socket /tmp/firecracker.socket -iX PUT 'http://localhost/actions' --json '{"action_type":"InstanceStart"}'
```

Alternatively, a VM can be started directly with a JSON configuration file instead of the API server.

```
firecracker --no-api --config-file /dev/stdin
{
  "boot-source": {
    "kernel_image_path": "/tmp/vmlinux.bin",
    "boot_args": "console=ttyS0 reboot=k panic=1 pci=off"
  },
  "drives": [
    {
      "drive_id": "rootfs",
      "path_on_host": "/tmp/bionic.rootfs.ext4",
      "is_root_device": true,
      "is_read_only": false
    }
  ],
  "machine-config": {
    "vcpu_count": 2,
    "mem_size_mib": 1024
  }
}
```

Current Fedora kernels (at least Linux 6.3) are usable as Firecracker guests with some additional preparation. The overall idea is to strip off the kernel's compression layer and load its modules to support VirtIO hardware. After running the following steps, the VM can be started with the previous methods by changing the boot-source JSON keys to have "kernel_image_path": "/tmp/vmlinux.fedora" and "initrd_path": "/tmp/initrd.cpio" (and the rootfs drive should preferably set "is_root_device": false with an initrd).

```bash
# Install kernel scripts and BusyBox to build an initrd.
sudo dnf -y install busybox kernel-devel

# Select the installed Fedora kernel version to use.
kerneldir=/lib/modules/$(uname -r)

# Extract the bare vmlinux kernel image for Firecracker to start.
"$kerneldir/build/scripts/extract-vmlinux" "$kerneldir/vmlinuz" > /tmp/vmlinux.fedora

# Write a simple BusyBox initrd that just loads Fedora's VirtIO drivers and switches to the disk image.
mkdir -p /tmp/initrd/{bin,dev,lib,proc,sys,sysroot}
cp -t /tmp/initrd/bin /usr/sbin/busybox
for cmd in ash insmod mount mountpoint reboot sed sleep switch_root ; do ln -fns busybox "/tmp/initrd/bin/$cmd" ; done
for mod in failover net_failover virtio_blk virtio_mmio virtio_net ; do xz -cd "$kerneldir"/kernel/*/*/"$mod.ko.xz" > "/tmp/initrd/lib/$mod.ko" ; done
cat << 'EOF' > /tmp/initrd/init ; chmod 0755 /tmp/initrd/init
#!/bin/ash -ex
trap -- 'reboot -f ; exec sleep 10' EXIT
mountpoint -q /dev || mount -t devtmpfs devtmpfs /dev
mountpoint -q /proc || mount -t proc proc /proc
mountpoint -q /sys || mount -t sysfs sysfs /sys
for mod in /lib/*.ko ; do insmod "$mod" $(sed -n "s/.* ${mod:5:-3}\.\([^ ]*\).*/\1/p" /proc/cmdline) ; done
#exec ash -l  # Use this for interactive initrd debugging.
mount /dev/vda /sysroot
exec switch_root /sysroot /bin/bash -l
EOF
find /tmp/initrd -mindepth 1 -printf '%P\n' | cpio -D /tmp/initrd -H newc -R 0:0 -o > /tmp/initrd.cpio
```
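The API sequence above, wrapped so that each request is checked for the expected HTTP 204 and the sequence stops at the first failure; an optional third argument selects the Fedora kernel variant with an initrd. This is an added example, not code from the project: `fc_put`, `start_vm` and the script name `start-vm.sh` are hypothetical, and the paths are assumed to contain no quote or backslash characters.

```sh
#!/bin/sh
# Added example (not the project's code). fc_put and start_vm are hypothetical names.
FC_SOCK=${FC_SOCK:-/tmp/firecracker.socket}   # API socket path used on this page

# fc_put RESOURCE JSON: send one PUT and succeed only if the reply is HTTP 204.
fc_put() {
    fc_out=$(curl --unix-socket "$FC_SOCK" -sS -X PUT "http://localhost/$1" \
        --json "$2" -w '\n%{http_code}') || {
        echo "PUT /$1: no reply on $FC_SOCK" >&2
        return 2
    }
    fc_code=$(printf '%s\n' "$fc_out" | tail -n 1)   # status is the last line
    if [ "$fc_code" != 204 ]; then
        # Everything before the last line is the response body from the API server.
        echo "PUT /$1: HTTP $fc_code: $(printf '%s\n' "$fc_out" | sed '$d')" >&2
        return 1
    fi
}

# start_vm KERNEL ROOTFS [INITRD]: the page's request order, stopping at the
# first request that fails. Assumes the paths contain no '"' or '\' characters.
start_vm() {
    boot="\"kernel_image_path\":\"$1\",\"boot_args\":\"console=ttyS0 reboot=k panic=1 pci=off\""
    root=true
    if [ -n "${3:-}" ]; then
        boot="$boot,\"initrd_path\":\"$3\""
        root=false   # with an initrd, the page prefers is_root_device=false
    fi
    fc_put boot-source "{$boot}" &&
    fc_put drives/rootfs "{\"drive_id\":\"rootfs\",\"path_on_host\":\"$2\",\"is_root_device\":$root,\"is_read_only\":false}" &&
    fc_put machine-config '{"vcpu_count":2,"mem_size_mib":1024}' &&
    fc_put actions '{"action_type":"InstanceStart"}'
}

# Runs only when called with arguments, for example:
#   sh start-vm.sh /tmp/vmlinux.fedora /tmp/bionic.rootfs.ext4 /tmp/initrd.cpio
if [ "$#" -ge 2 ]; then
    start_vm "$@"
fi
```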

Active Releases

The following unofficial repositories are provided as-is by the owner of this project. Contact the owner directly for bugs or issues (i.e., not Bugzilla).

| Release | Architectures | Repo Download |
|---|---|---|
| Fedora 39 | aarch64 (51)*, i386 (83)*, x86_64 (268)* | Fedora 39 multilib x86_64+i386 (48 downloads) |
| Fedora 40 | aarch64 (52)*, i386 (24)*, x86_64 (124)* | Fedora 40 multilib x86_64+i386 (37 downloads) |
| Fedora 41 | aarch64 (39)*, i386 (8)*, x86_64 (38)* | Fedora 41 multilib x86_64+i386 (10 downloads) |

* Total number of downloaded packages.

External Repository List

The following repositories are accessible during builds