Why does FaaS (that's what Lambda is, right?) need more full blown virtualization? I thought you could maybe get away with even lighter separation than Docker?
Docker isn’t really designed to be a security boundary, so if you’re colocating containers from different customers (e.g. in Fargate), you need to separate them with a real security boundary like a VM. The same thing is true for lambdas: a lambda is just an archive, and the code in the archive needs to run somewhere where one customer cannot intercept another customer’s data.
To add on, AWS has never run Lambdas for different accounts on the same VM. Before Firecracker, they would run multiple Lambdas for the same account on the same VM. Now with Firecracker, they can run each Lambda in its own VM.
I know very little about the actual technology, but I feel like the blurb on their front page explains this succinctly:
“Firecracker enables you to deploy workloads in lightweight virtual machines, called microVMs, which provide enhanced security and workload isolation over traditional VMs, while enabling the speed and resource efficiency of containers.”
AWS needs to separate one customer’s lambda executions from another’s. When you deploy Docker, isolation is guaranteed either because you do it on an underlying dedicated VM, or you give the Docker image to something like Fargate.