Firecracker is a ~50,000-line Rust VMM that gives AWS Lambda and Fargate hardware-isolated microVMs booting in ~125ms with under 5 MiB overhead.
Key Takeaways
Three thread types (API, VMM, vCPU) and four virtio devices replace the full 1998 PC stack, cutting boot time from 5+ seconds to ~125ms.
The jailer pre-sandboxes the VMM with chroot, PID namespace, unprivileged uid, and cgroup limits before Firecracker even starts; seccomp level 2 then constrains each thread to its minimum syscall surface.
Snapshots freeze memory and device state to disk; restore skips kernel boot and JVM warmup entirely – this is the exact mechanism behind Lambda SnapStart’s sub-second Java cold starts.
Firecracker sits between gVisor (user-space kernel, 10-30% syscall overhead, faster start) and QEMU (full emulated PC, 5+ second boot) on the isolation-vs-density spectrum.
Containers share 30M+ lines of host kernel code across all tenants; one syscall bug compromises every tenant – hardware virtualization via KVM eliminates that shared surface.
