Blending Containers and Virtual Machines: A Study of Firecracker and gVisor
With serverless computing, providers deploy application code and manage resource allocation dynamically, eliminating infrastructure management from application development. This model comes with the benefit of no administration, flexible scaling, pay on use, and high availability. AWSLambda, Google Cloud Functions and Azure functions all provide this compute model for production use.
Serverless providers have a variety of virtualization platforms to choose from for isolating functions, ranging from native Linux processes to Linux containers to lightweight isolation platforms, such as Google gVisor and AWS Firecracker. These platforms form a spectrum as they move functionality out of the host kernel and into an isolated guest environment. For example, gVisor handles many system calls in a user-mode Sentry process while Firecracker runs a full guest operating system in each microVM. A common theme across these platforms are the twin goals of strong isolation and high performance.
In this paper, we perform a comparative study of Docker containers (LXC), gVisor secure containers, and Firecracker microVMs to understand how they use Linux kernel services differently: how much does their use of host kernel functionality vary? We also evaluate the performance costs of the designs with a series of microbenchmarks targeting different kernel subsystems.
Our results show that despite moving much functionality out of the kernel, both Firecracker and gVisor execute substantially more kernel code than native Linux. gVisor and Docker containers execute substantially the same code, although with different frequency.