dm0/Firecracker

Project ID: 82217

Description

Firecracker for Fedora

This is an alternate build of Fedora's Firecracker package to provide the full set of security features by building static binaries with musl. Rust RPMs supporting musl targets are included in this repository, but they are just build dependencies. Users only need to install the firecracker package.

Both of Firecracker's supported architectures, x86_64 and aarch64, are provided here. There is ongoing work in Firecracker to support riscv64, so these Rust packages support building it, but they can't be distributed here because Copr doesn't have a RISC-V option.

Installation Instructions

To run an example VM, start the API server:

```sh
# Install the package.
sudo dnf -y copr enable dm0/Firecracker
sudo dnf -y install firecracker

# Download an example kernel and disk image to /tmp.
wget -P /tmp https://s3.amazonaws.com/spec.ccfc.min/img/quickstart_guide/x86_64/kernels/vmlinux.bin https://s3.amazonaws.com/spec.ccfc.min/img/quickstart_guide/x86_64/rootfs/bionic.rootfs.ext4

# Run the API server in the foreground. This will be the serial prompt when the VM starts.
firecracker --api-sock /tmp/firecracker.socket
```

Then use the REST API in another terminal to start the VM. The API requests should return HTTP 204 codes, and the VM should boot to a shell where the reboot command will gracefully shut down the system and exit Firecracker.

```sh
curl --unix-socket /tmp/firecracker.socket -iX PUT 'http://localhost/boot-source' --json '{"kernel_image_path":"/tmp/vmlinux.bin","boot_args":"console=ttyS0 reboot=k panic=1 pci=off"}'
curl --unix-socket /tmp/firecracker.socket -iX PUT 'http://localhost/drives/rootfs' --json '{"drive_id":"rootfs","path_on_host":"/tmp/bionic.rootfs.ext4","is_root_device":true,"is_read_only":false}'
curl --unix-socket /tmp/firecracker.socket -iX PUT 'http://localhost/machine-config' --json '{"vcpu_count":2,"mem_size_mib":1024}'  # optional
curl --unix-socket /tmp/firecracker.socket -iX PUT 'http://localhost/actions' --json '{"action_type":"InstanceStart"}'
```

Alternatively, a VM can be started directly with a JSON configuration file instead of the API server.

```sh
# Feed the JSON configuration to Firecracker on standard input.
firecracker --no-api --config-file /dev/stdin << 'EOF'
{
  "boot-source": {
    "kernel_image_path": "/tmp/vmlinux.bin",
    "boot_args": "console=ttyS0 reboot=k panic=1 pci=off"
  },
  "drives": [
    {
      "drive_id": "rootfs",
      "path_on_host": "/tmp/bionic.rootfs.ext4",
      "is_root_device": true,
      "is_read_only": false
    }
  ],
  "machine-config": {
    "vcpu_count": 2,
    "mem_size_mib": 1024
  }
}
EOF
```

Fedora kernels are usable as Firecracker guests with some additional preparation. The overall idea is to strip off the kernel's compression layer and load its modules to support VirtIO hardware. After running the following steps, the VM can be started with the previous methods by changing the boot-source JSON keys to have "kernel_image_path": "/tmp/vmlinux.fedora" and "initrd_path": "/tmp/initrd.cpio" (and the rootfs drive should set "is_root_device": false when using an initrd).

```sh
# Install kernel scripts and BusyBox to build an initrd.
sudo dnf -y install busybox kernel-devel

# Select the installed Fedora kernel version to use.
kerneldir=/lib/modules/$(uname -r)

# Extract the bare vmlinux kernel image for Firecracker to start.
"$kerneldir/build/scripts/extract-vmlinux" "$kerneldir/vmlinuz" > /tmp/vmlinux.fedora

# Write a simple BusyBox initrd that just loads Fedora's VirtIO drivers and switches to the disk image.
mkdir -p /tmp/initrd/{bin,dev,lib,proc,sys,sysroot}
cp -t /tmp/initrd/bin /usr/sbin/busybox
for cmd in ash insmod mount mountpoint reboot sed sleep switch_root ; do ln -fns busybox "/tmp/initrd/bin/$cmd" ; done
for mod in failover net_failover virtio_blk virtio_mmio virtio_net ; do xz -cd "$kerneldir"/kernel/*/*/"$mod.ko.xz" > "/tmp/initrd/lib/$mod.ko" ; done
cat << 'EOF' > /tmp/initrd/init ; chmod 0755 /tmp/initrd/init
#!/bin/ash -ex
trap -- 'reboot -f ; exec sleep 10' EXIT
mountpoint -q /dev || mount -t devtmpfs devtmpfs /dev
mountpoint -q /proc || mount -t proc proc /proc
mountpoint -q /sys || mount -t sysfs sysfs /sys
for mod in /lib/*.ko ; do insmod "$mod" $(sed -n "s/.* ${mod:5:-3}\.\([^ ]*\).*/\1/p" /proc/cmdline) ; done
#exec ash -l  # Use this for interactive initrd debugging.
mount /dev/vda /sysroot
exec switch_root /sysroot /bin/bash -l
EOF
find /tmp/initrd -mindepth 1 -printf '%P\n' | cpio -D /tmp/initrd -H newc -R 0:0 -o > /tmp/initrd.cpio
```
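The following pre-launch check for the JSON configuration file is an added example, not part of the original page or of the Firecracker project. It enforces the initrd / `is_root_device` rule stated above and flags host paths that sit in a world-writable directory such as /tmp, where the quick-start files are placed. The function names and the choice of checks are assumptions made for illustration.

```python
import os, stat, tempfile

def world_writable_parent(path):
    """True if the directory holding `path` is writable by every local user."""
    parent = os.path.dirname(os.path.abspath(path))
    try:
        return bool(os.stat(parent).st_mode & stat.S_IWOTH)
    except OSError:
        return False  # a missing directory is reported as a missing file instead

def lint_config(cfg):
    """Return findings for a parsed Firecracker --config-file document."""
    findings = []
    boot = cfg.get("boot-source", {})
    drives = cfg.get("drives", [])
    # Every host path the configuration names.
    paths = [("kernel_image_path", boot.get("kernel_image_path")),
             ("initrd_path", boot.get("initrd_path"))]
    paths += [("drive " + d.get("drive_id", "?"), d.get("path_on_host")) for d in drives]
    for label, p in paths:
        if not p:
            continue
        if os.path.islink(p) or not os.path.isfile(p):
            findings.append(f"{label}: {p} is missing, a symlink, or not a regular file")
        if world_writable_parent(p):
            findings.append(f"{label}: {p} sits in a world-writable directory")
    # Rule stated on the page: with an initrd, no drive should be the root device.
    if boot.get("initrd_path") and any(d.get("is_root_device") for d in drives):
        findings.append("initrd_path is set but a drive has is_root_device=true")
    return findings

def demo():
    """Constructed sample: the page's config with an initrd added but is_root_device left true."""
    d = tempfile.mkdtemp()  # private 0700 directory instead of /tmp itself
    for name in ("vmlinux.fedora", "initrd.cpio", "bionic.rootfs.ext4"):
        open(os.path.join(d, name), "wb").close()  # empty placeholder files
    cfg = {
        "boot-source": {"kernel_image_path": f"{d}/vmlinux.fedora",
                        "initrd_path": f"{d}/initrd.cpio",
                        "boot_args": "console=ttyS0 reboot=k panic=1 pci=off"},
        "drives": [{"drive_id": "rootfs", "path_on_host": f"{d}/bionic.rootfs.ext4",
                    "is_root_device": True, "is_read_only": False}],
        "machine-config": {"vcpu_count": 2, "mem_size_mib": 1024}}
    return d, cfg, lint_config(cfg)

if __name__ == "__main__":
    print("\n".join(demo()[2]))
```

To check a real file, pass `json.load(open(path))` to `lint_config` before handing the same file to `firecracker --no-api --config-file`.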

Active Releases

The following unofficial repositories are provided as-is by the owner of this project. Contact the owner directly for bugs or issues (i.e., not Bugzilla).

| Release | Architectures | Repo Download |
|---|---|---|
| Fedora 40 | aarch64 (100)*, i386 (28)*, x86_64 (197)* | Fedora 40 multilib x86_64+i386 (45 downloads) |
| Fedora 41 | aarch64 (138)*, i386 (12)*, x86_64 (107)* | Fedora 41 multilib x86_64+i386 (20 downloads) |

* Total number of downloaded packages.

External Repository List

The following repositories are accessible during builds