dm0/Firecracker
Project ID: 82217
Description
Firecracker for Fedora
This is an alternate build of Fedora's Firecracker package to provide the full set of security features by building static binaries with musl. Rust RPMs supporting musl targets are included in this repository, but they are just build dependencies. Users only need to install the firecracker package.
Both of Firecracker's supported architectures, x86_64 and aarch64, are provided here. There is ongoing work in Firecracker to support riscv64, so these Rust packages support building it, but they can't be distributed here because Copr doesn't have a RISC-V option.
Installation Instructions
To run an example VM, start the API server:
# Install the package.
sudo dnf -y copr enable dm0/Firecracker
sudo dnf -y install firecracker
# Download an example kernel and disk image to /tmp.
wget -P /tmp https://s3.amazonaws.com/spec.ccfc.min/img/quickstart_guide/x86_64/kernels/vmlinux.bin https://s3.amazonaws.com/spec.ccfc.min/img/quickstart_guide/x86_64/rootfs/bionic.rootfs.ext4
# Run the API server in the foreground. This will be the serial prompt when the VM starts.
firecracker --api-sock /tmp/firecracker.socket
Then use the REST API in another terminal to start the VM. The API requests should return HTTP 204 codes, and the VM should boot to a shell where the reboot command will gracefully shut down the system and exit Firecracker.
curl --unix-socket /tmp/firecracker.socket -iX PUT 'http://localhost/boot-source' --json '{"kernel_image_path":"/tmp/vmlinux.bin","boot_args":"console=ttyS0 reboot=k panic=1 pci=off"}'
curl --unix-socket /tmp/firecracker.socket -iX PUT 'http://localhost/drives/rootfs' --json '{"drive_id":"rootfs","path_on_host":"/tmp/bionic.rootfs.ext4","is_root_device":true,"is_read_only":false}'
curl --unix-socket /tmp/firecracker.socket -iX PUT 'http://localhost/machine-config' --json '{"vcpu_count":2,"mem_size_mib":1024}' # optional
curl --unix-socket /tmp/firecracker.socket -iX PUT 'http://localhost/actions' --json '{"action_type":"InstanceStart"}'
Alternatively, a VM can be started directly with a JSON configuration file instead of the API server.
firecracker --no-api --config-file /dev/stdin
{
  "boot-source": {
    "kernel_image_path": "/tmp/vmlinux.bin",
    "boot_args": "console=ttyS0 reboot=k panic=1 pci=off"
  },
  "drives": [
    {
      "drive_id": "rootfs",
      "path_on_host": "/tmp/bionic.rootfs.ext4",
      "is_root_device": true,
      "is_read_only": false
    }
  ],
  "machine-config": {
    "vcpu_count": 2,
    "mem_size_mib": 1024
  }
}
Fedora kernels are usable as Firecracker guests with some additional preparation. The overall idea is to strip off the kernel's compression layer and load its modules to support VirtIO hardware. After running the following steps, the VM can be started with the previous methods by changing the boot-source JSON keys to have "kernel_image_path": "/tmp/vmlinux.fedora" and "initrd_path": "/tmp/initrd.cpio" (and the rootfs drive should set "is_root_device": false when using an initrd).
# Install kernel scripts and BusyBox to build an initrd.
sudo dnf -y install busybox kernel-devel
# Select the installed Fedora kernel version to use.
kerneldir=/lib/modules/$(uname -r)
# Extract the bare vmlinux kernel image for Firecracker to start.
"$kerneldir/build/scripts/extract-vmlinux" "$kerneldir/vmlinuz" > /tmp/vmlinux.fedora
# Write a simple BusyBox initrd that just loads Fedora's VirtIO drivers and switches to the disk image.
mkdir -p /tmp/initrd/{bin,dev,lib,proc,sys,sysroot}
cp -t /tmp/initrd/bin /usr/sbin/busybox
for cmd in ash insmod mount mountpoint reboot sed sleep switch_root ; do ln -fns busybox "/tmp/initrd/bin/$cmd" ; done
for mod in failover net_failover virtio_blk virtio_mmio virtio_net ; do xz -cd "$kerneldir"/kernel/*/*/"$mod.ko.xz" > "/tmp/initrd/lib/$mod.ko" ; done
cat << 'EOF' > /tmp/initrd/init ; chmod 0755 /tmp/initrd/init
#!/bin/ash -ex
trap -- 'reboot -f ; exec sleep 10' EXIT
mountpoint -q /dev || mount -t devtmpfs devtmpfs /dev
mountpoint -q /proc || mount -t proc proc /proc
mountpoint -q /sys || mount -t sysfs sysfs /sys
for mod in /lib/*.ko ; do insmod "$mod" $(sed -n "s/.* ${mod:5:-3}\.\([^ ]*\).*/\1/p" /proc/cmdline) ; done
#exec ash -l # Use this for interactive initrd debugging.
mount /dev/vda /sysroot
exec switch_root /sysroot /bin/bash -l
EOF
find /tmp/initrd -mindepth 1 -printf '%P\n' | cpio -D /tmp/initrd -H newc -R 0:0 -o > /tmp/initrd.cpio
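The adjusted configuration described above for the Fedora kernel, as an added example that is not part of the original project page: the functions below (hypothetical names) check that the extracted kernel is an ELF image and that the initrd is a newc cpio archive before printing the JSON with the changed keys. It assumes an x86_64 guest and paths that contain no quotes or backslashes.

```shell
#!/bin/sh
# Added example (not from the Copr project): preflight checks for the Fedora
# guest artifacts, then emit the adjusted Firecracker config described above.

# Print the first $2 bytes of file $1 as lowercase hex (empty if unreadable).
hex_magic() {
    head -c "$2" "$1" 2>/dev/null | od -An -tx1 | tr -d ' \n'
}

# extract-vmlinux output should be an uncompressed ELF image (x86_64 assumption).
is_elf() { [ "$(hex_magic "$1" 4)" = "7f454c46" ]; }

# Archives written by "cpio -H newc" start with the ASCII magic 070701.
is_newc_cpio() { [ "$(hex_magic "$1" 6)" = "303730373031" ]; }

# Hypothetical helper: write_fedora_config KERNEL INITRD ROOTFS
# Prints the JSON config on stdout, or fails without printing it.
write_fedora_config() {
    kernel=$1 initrd=$2 rootfs=$3
    case "$kernel$initrd$rootfs" in
        *[\"\\]*) echo "paths must not contain quotes or backslashes" >&2; return 1 ;;
    esac
    is_elf "$kernel" || { echo "$kernel: not an ELF image" >&2; return 1; }
    is_newc_cpio "$initrd" || { echo "$initrd: not a newc cpio archive" >&2; return 1; }
    [ -s "$rootfs" ] || { echo "$rootfs: missing or empty" >&2; return 1; }
    cat << EOF
{
  "boot-source": {
    "kernel_image_path": "$kernel",
    "initrd_path": "$initrd",
    "boot_args": "console=ttyS0 reboot=k panic=1 pci=off"
  },
  "drives": [
    {
      "drive_id": "rootfs",
      "path_on_host": "$rootfs",
      "is_root_device": false,
      "is_read_only": false
    }
  ],
  "machine-config": { "vcpu_count": 2, "mem_size_mib": 1024 }
}
EOF
}

# Usage with the paths from the steps above (output file name is an assumption):
# write_fedora_config /tmp/vmlinux.fedora /tmp/initrd.cpio /tmp/bionic.rootfs.ext4 > /tmp/fedora-vm.json
```

The resulting file can be passed to firecracker --no-api --config-file in place of /dev/stdin.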
Active Releases
The following unofficial repositories are provided as-is by the owner of this project. Contact the owner directly for bugs or issues (i.e., not Bugzilla).
Release | Architectures | Repo Download |
---|---|---|
Fedora 40 | aarch64 (100)*, i386 (28)*, x86_64 (197)* | Fedora 40 multilib x86_64+i386 (45 downloads) |
Fedora 41 | aarch64 (138)*, i386 (12)*, x86_64 (107)* | Fedora 41 multilib x86_64+i386 (20 downloads) |
* Total number of downloaded packages.
External Repository List
The following repositories are accessible during builds