Amazon uses it mainly for Fargate and Lambda (from what I've read).
Docker is a container technology (shared kernel), while Firecracker is an actual VM manager so it provides better isolation. It is more comparable with QEMU.
I would love to see a high level overview and compare/contrast between different container and virtualization technologies out there, for those of us who have a good understanding of operating systems and hardware but haven't been keeping up with the plethora of new technologies that are out there.
From what I understand, even QEMU can work in different modes, either emulating hardware or a system call interface. So I'm not sure which of those modes you are referring to.
QEMU cannot emulate a system call interface with KVM, only with just-in-time compilation. In hardware emulation mode however it can provide multiple hardware models, including one that is rather similar to Firecracker.
Why does FaaS (that's what Lambda is, right?) need more full blown virtualization? I thought you could maybe get away with even lighter separation than Docker?
Docker isn’t really designed to be a security boundary, so if you’re colocating containers from different customers (e.g. in Fargate), you need to separate them with a real security boundary like a VM. The same thing is true for lambdas: a lambda is just an archive and the code in the archive needs to run somewhere where one customer cannot intercept another customer’s data.
To add on, AWS has never run Lambdas for different accounts on the same VM. Before Firecracker, they would run multiple Lambdas for the same account on the same VM. Now with Firecracker, they can run each lambda in its own VM.
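The two comments above describe a placement policy rather than a mechanism: executions from different accounts never share a VM, functions from the same account could share a VM before Firecracker, and with Firecracker each function gets its own microVM. The following is an added illustration, not AWS code and not the original post's: a hypothetical scheduler with three modes (a plain container host that packs by capacity, the per-account VM model, and the per-function microVM model) plus an audit that flags any host running more than one tenant. Host names, capacities and the four workloads are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class Host:
    """A VM or container host and the (account, function) pairs it runs."""
    host_id: str
    workloads: List[Tuple[str, str]] = field(default_factory=list)


class Placer:
    """Hypothetical scheduler (constructed for this example). Modes:
       'shared'       - pack by capacity, ignore account (container host, shared kernel)
       'per_account'  - a VM only holds functions from a single account
       'per_function' - one fresh VM per function execution (the microVM model)
    """

    def __init__(self, mode: str, capacity: int = 4):
        if mode not in ("shared", "per_account", "per_function"):
            raise ValueError(f"unknown mode {mode!r}")
        self.mode = mode
        self.capacity = capacity
        self.hosts: List[Host] = []

    def _new_host(self) -> Host:
        host = Host(f"host-{len(self.hosts) + 1}")
        self.hosts.append(host)
        return host

    def place(self, account: str, function: str) -> str:
        """Pick a host for one execution and return its id."""
        if self.mode == "shared":
            # Only capacity matters; tenants are mixed freely.
            candidates = [h for h in self.hosts if len(h.workloads) < self.capacity]
        elif self.mode == "per_account":
            # Reuse a host only if every workload on it belongs to this account.
            candidates = [
                h for h in self.hosts
                if len(h.workloads) < self.capacity
                and all(acct == account for acct, _ in h.workloads)
            ]
        else:
            # per_function: never reuse a host.
            candidates = []
        host = candidates[0] if candidates else self._new_host()
        host.workloads.append((account, function))
        return host.host_id


def cross_tenant_hosts(placer: Placer) -> List[str]:
    """Audit check: hosts whose workloads span more than one account."""
    return [
        h.host_id for h in placer.hosts
        if len({acct for acct, _ in h.workloads}) > 1
    ]


def demo() -> Dict[str, Tuple[int, List[str]]]:
    """Run the same constructed workload through each mode.

    Returns mode -> (number of hosts used, hosts that mix tenants)."""
    workloads = [("acct-A", "f1"), ("acct-B", "f2"),
                 ("acct-A", "f3"), ("acct-B", "f4")]
    results = {}
    for mode in ("shared", "per_account", "per_function"):
        placer = Placer(mode, capacity=4)
        for acct, fn in workloads:
            placer.place(acct, fn)
        results[mode] = (len(placer.hosts), cross_tenant_hosts(placer))
    return results


if __name__ == "__main__":
    for mode, (n_hosts, mixed) in demo().items():
        print(f"{mode:13s} hosts={n_hosts} cross-tenant={mixed}")
```

The audit is the part worth keeping: the `shared` mode fills a single host with both accounts and is flagged, while both VM-based modes pass, the per-account mode using fewer hosts and the per-function mode trading more hosts for the strongest separation.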
I know very little about the actual technology, but I feel like the blurb on their front page explains this succinctly:
“Firecracker enables you to deploy workloads in lightweight virtual machines, called microVMs, which provide enhanced security and workload isolation over traditional VMs, while enabling the speed and resource efficiency of containers”
AWS needs to separate one customer’s lambda executions from another’s. When you deploy Docker, isolation is guaranteed either because you do it on an underlying dedicated VM, or you give the Docker image to something like Fargate.