Firecracker

Firecracker, developed as the execution infrastructure for AWS Lambda and AWS Fargate, runs on Linux's KVM (Kernel-based Virtual Machine). Traditional VMs required tens of seconds to start because they loaded entire OS images, but Firecracker radically strips away unnecessary device emulation, virtualizing only the serial port, network, and block storage. This deliberate simplification keeps the memory footprint under 5 MB and boot time below 125 ms. ### Differences from Containers Containers (such as Docker) share the host OS kernel, which means that if a kernel vulnerability is discovered, there is a risk of isolation between tenants being compromised. Firecracker assigns an independent kernel to each workload, allowing it to maintain strong isolation even in multi-tenant environments. At the same time, its boot speed is roughly on par with containers — which is its greatest differentiating point from traditional VMs. ### Use Cases The most familiar example is AWS Lambda. Each time a user invokes a function, a Firecracker microVM spins up and is discarded once execution completes. Even when thousands of microVMs coexist on a single physical server, their memory spaces and filesystems remain completely isolated from one another. Beyond serverless, adoption is growing in CI/CD pipelines where a clean VM is used and discarded for each build, as well as in edge locations where limited hardware resources need to be efficiently partitioned. Being implemented in Rust gives it high memory safety, and it is also gaining recognition in the finance and healthcare sectors, where security requirements are stringent. ### Limitations and Caveats Firecracker is not a general-purpose VM. It does not support GPU passthrough or GUI display, and supported kernels are limited to Linux. For running Windows workloads or performing GPU-based inference, QEMU/KVM or dedicated instances remain the viable alternatives.