Fast CI with MicroVMs

132 点作者 alexellisuk超过 2 年前

16 条评论

> I spoke to the GitHub Actions engineering team, who told me that using an ephemeral VM and an immutable OS image would solve the concerns.that doesn't solve them all. the main problem is secrets. if a job has access to an api token that can be used to modify your code or access a cloud service, a PR can abuse that to modify things it shouldn't. a second problem is even if you don't have secrets exposed, a PR can run a crypto miner, wasting your money. finally, a self-hosted runner is a step into your private network and can be used for attacks, which firecracker can help mitigate but never eliminate.the best solution to these problems is 1) don't allow repos to trigger your CI unless the user is trusted or the change has been reviewed, 2) always use least privilege and zero-trust for all access (yes even for dev services), 3) add basic constraints by default on all jobs running to prevent misuse, and then finally 4) provide strong isolation in addition to ephemeral environments.

评论 #33672319 未加载

评论 #33661364 未加载

no_wizard超过 2 年前

Firecracker is pretty great, good to see it can be used in a CI environment like this, definitely peaking my interest.I know its the backbone of what runs fly.io[0] as well[0]: <a href="https://fly.io/docs/reference/architecture/#microvms" rel="nofollow">https://fly.io/docs/reference/architecture/#microvms</a>

评论 #33662321 未加载

评论 #33661018 未加载

评论 #33665402 未加载

ignoramous超过 2 年前

Sounds similar to webapp.io (layerci) that has been discussed quite a few times here: <a href="https://news.ycombinator.com/item?id=31062301" rel="nofollow">https://news.ycombinator.com/item?id=31062301</a>> Friction starts when the 7GB of RAM and 2 cores allocated causes issues for usWell, I just create a 20GB swap. There's ample disk space but swap is slow for sure.> MicroVMCoincidentally, QEMU now sports a firecracker-inspired microvm: <a href="https://github.com/qemu/qemu/blob/a082fab9d25/docs/system/i386/microvm.rst" rel="nofollow">https://github.com/qemu/qemu/blob/a082fab9d25/docs/system/i3...</a> / <a href="https://mergeboard.com/blog/2-qemu-microvm-docker/" rel="nofollow">https://mergeboard.com/blog/2-qemu-microvm-docker/</a>

评论 #33661347 未加载

评论 #33662404 未加载

评论 #33661589 未加载

avita1超过 2 年前

Something I've increasingly wondered is if the model of CI where a totally pristine container (or VM) gets spun on each change for each test set imposes an floor on how fast CI can run.Each job will always have to run a clone, always pay the cost of either bootstrapping a toolchain or download a giant container with the toolchain, and always have to download a big remote cache.If I had infinity time, I'd build a CI system that found a runner that maintained some state (gasp!) about the build and went to a test runner that had most of its local build cache downloaded, source code cloned, and toolchain bootstrapped.

评论 #33658415 未加载

评论 #33663133 未加载

评论 #33668421 未加载

评论 #33662680 未加载

评论 #33662449 未加载

评论 #33658387 未加载

评论 #33671798 未加载

评论 #33664827 未加载

评论 #33658615 未加载

评论 #33658463 未加载

评论 #33658494 未加载

bkq超过 2 年前

Good article. Firecracker is something that has definitely piqued my interest when it comes to quickly spinning up a throwaway environment to use for either development or CI. I run a CI platform [1], which currently uses QEMU for the build environments (Docker is also supported but currently disabled on the hosted offering), startup times are ok, but having a boot time of 1-2s is definitely highly appealing. I will have to investigate Firecracker further to see if I could incorporate this into what I'm doing.Julia Evans has also written about Firecracker in the past too [2][3].[1] - <a href="https://about.djinn-ci.com" rel="nofollow">https://about.djinn-ci.com</a>[2] - <a href="https://jvns.ca/blog/2021/01/23/firecracker--start-a-vm-in-less-than-a-second/" rel="nofollow">https://jvns.ca/blog/2021/01/23/firecracker--start-a-vm-in-l...</a>[3] - <a href="https://news.ycombinator.com/item?id=25883253" rel="nofollow">https://news.ycombinator.com/item?id=25883253</a>

评论 #33659149 未加载

lxe超过 2 年前

Firecracker is nice but still very limited to what it can do.My gripe with all CI systems is that an an industry standard we've universally sacrificed performance for hermeticity and re-entrancy, even when it doesn't really gives us a practical advantage. Downloading and re-running containers and vms, endlessly checking out code, installing deps over and over is just a waste of time, even with caching, COW, and other optimizations.

评论 #33658445 未加载

评论 #33658819 未加载

评论 #33659270 未加载

评论 #33659072 未加载

评论 #33658833 未加载

评论 #33659132 未加载

fideloper超过 2 年前

This project looks really neat!Firecracker is very cool, I wish/hope tooling around it matures enough to be super easy. I'd love to see the technical details on how this is run. It looks like it's closed source?The need for baremetal for Firecracker is a bit of a shame, but it's still wicked cool. (You can run it on a DO droplet but nested virtualization feels a bit icky?)I run a CI app myself, and have looked at firecracker. Right now I'm working on moving some compute to Fly.io and it's Machines API, which is well suited for on-demand compute.

评论 #33657686 未加载

ridiculous_fish超过 2 年前

The article does not say what a MicroVM is. From what I can gather, it's using KVM to virtualize specifically a Linux kernel. In this way, Firecracker is somewhat intermediate between Docker (which shares the host kernel) and Vagrant (which is not limited to running Linux). Is that accurate?Is it possible to use a MicroVM to virtualize a non-Linux OS?

评论 #33658663 未加载

f0e4c2f7超过 2 年前

This seems pretty interesting to me. I haven't messed with firecracker yet but it seems like a possible alternative to docker in the future.

评论 #33659188 未加载

kernelbugs超过 2 年前

Would have loved to see more of the technical details involved in spinning up Firecracker VMs on demand for Github Actions.

评论 #33657703 未加载

Sytten超过 2 年前

Wondering if it would be possible to run macos. The hosted runner of Github Actions for macos are really really horrible, our builds take easily 2x to 3x more time than hosted Windows and Linux machines.

rad_gruchalski超过 2 年前

Congratulations on the launch.The interesting part of this is that the client supplies the most difficult resource to get for this setup. As in, a machine on which Firecracker can run.

评论 #33661401 未加载

brightball超过 2 年前

I’m curious to see how k8s isn’t a good fit for this? I’m not a k8s advocate for production code but at the CI level it seems ideal.

评论 #33658671 未加载

imachine1980_超过 2 年前

Realy cool what is the license? , there any way I can contribute code/test/documentation to this project ?

a-dub超过 2 年前

this is cool. throwing firecracker at CI is something i've been thinking about since i first read about firecracker.i was thinking more along the lines of, can you checkpoint a bunch of common initialization and startup and then massively parallelize?

评论 #33658689 未加载

deltaci超过 2 年前

congratulations on the launch. it looks pretty much like a self-hosted version of <a href="https://buildjet.com/for-github-actions" rel="nofollow">https://buildjet.com/for-github-actions</a>

评论 #33659239 未加载