Install Firecracker on OpenNebula and run microVM

You can download this article in PDF format via the link below to support us.
Download the guide in PDF formatshut down

Firecracker is a free-to-use open source virtualization technology used to create and manage secure, multi-tenant container and function-based services that provide a serverless operating model. Firecracker runs workloads in so-called lightweight virtual machines Mini virtual machine, It combines the security and isolation properties provided by hardware virtualization technology with the speed and flexibility of containers.

The microVM technology is powered by Amazon Web Services (AWS) Speed ​​up and efficiency Fargate with Lambda service. OpenNebula managed to do it Bridging the gap between the two technological worlds, So as to get rid of the old problems between using portable but weaker containers or using high-security but expensive virtual machines.

In this guide, we explore how to install and use Firecracker to run microVM on OpenNebula nodes. The setup is performed on Debian 10 nodes, but the same process can be performed on any supported operating system.

Set up requirements

  • OpenNebula frontend installed and configured
  • Physical host with virtualization function (x86-64 Intel or AMD processor)

Step 1: Add the OpenNebula repository

After installing and configuring the OpenNebula front end, log in to the node where Firecracker will be set up.

$ ssh [email protected]

CentOS 8:

sudo rpm -ivh
sudo tee /etc/yum.repos.d/opennebula.repo<<EOT
name=OpenNebula Community Edition

CentOS 7:

sudo rpm -ivh
sudo tee /etc/yum.repos.d/opennebula.repo<<EOT
name=OpenNebula Community Edition

Debian / Ubuntu:

sudo apt update
sudo apt install wget gnupg2 -y
wget -q -O- | sudo apt-key add -
echo "deb stable opennebula" | sudo tee /etc/apt/sources.list.d/opennebula.list
sudo apt update

Step 2: Update the OpenNebula firecracker node

Before any installation, please upgrade the system:

Ubuntu | Debian:

sudo apt update
sudo apt -y full-upgrade
sudo reboot


sudo yum -y upgrade
sudo reboot

Step 3: Set the server hostname and configure NTP

Log in to the OpenNebula Firecracker node and configure the hostname.

sudo hostnamectl set-hostname is the actual hostname of the LXD server.

Consider adding the server’s IP and hostname to /etc/hosts.

$ sudo vim /etc/hosts onefirecracker01 # Set correctly

Uninstall the ntp package before installing chrony.

# Debian / Ubuntu
$ sudo apt remove ntp

# CentOS
$ sudo yum -y remove ntp

Install chrony ntp server function:

# Ubuntu / Debian
sudo apt update
sudo apt install curl chrony -y

# CentOS
sudo yum -y install curl chrony

Set the correct time zone on the server:

sudo timedatectl set-timezone Africa/Nairobi
sudo timedatectl set-ntp yes

Start and enable the chrony ntp service:

# Debian / Ubuntu
sudo systemctl restart chrony
sudo systemctl enable chrony

# CentOS
sudo systemctl start chronyd
sudo systemctl enable chronyd

Use the following command to start time synchronization:

$ sudo chronyc sources
210 Number of sources = 4
MS Name/IP address         Stratum Poll Reach LastRx Last sample
^-           3   6    35    13    -49ms[  -49ms] +/-  167ms
^-                 2   6    17    14   +655us[ +655us] +/-  109ms
^*                 2   6    17    16   +251us[ +116ms] +/-  109ms
^+           3   6    33    13    -49ms[  -49ms] +/-  167ms

Step 4: Install the OpenNebula firecracker node package

Now that we have added the repository, we can install OpenNebula Firecracker Node Packages:

# Debian | Ubuntu
$ sudo apt update
$ sudo apt install opennebula-node-firecracker

# CentOS
$ sudo yum install opennebula-node-firecracker

Accept all prompts received during installation:

The following additional packages will be installed:
  libarchive-tools libarchive13 libutempter0 lsof screen
Suggested packages:
  lrzip perl byobu | screenie | iselect
The following NEW packages will be installed:
  libarchive-tools libarchive13 libutempter0 lsof opennebula-node-firecracker screen
0 upgraded, 6 newly installed, 0 to remove and 24 not upgraded.
Need to get 1,340 kB of archives.
After this operation, 2,786 kB of additional disk space will be used.
Do you want to continue? [Y/n] y

Step 5: Configure passwordless SSH on the front end

The OpenNebula front end will use SSH to connect to the hypervisor node. You need to configure the front-end node and all hypervisor nodes to connect to each other via SSH without password authentication. This eliminates any manual intervention.

OpenNebula front-end node operation:

Log in to your front-end OpenNebula node:

$ ssh [email protected]_ip

Switch to an administrator user:

$ sudo su - oneadmin
[email protected]:~$

After installing the OpenNebula server software package on the front end, an SSH key pair will be automatically generated for the oneadmin user. The key pair includes:

$ file /var/lib/one/.ssh/id_rsa
/var/lib/one/.ssh/id_rsa: OpenSSH private key
$ file /var/lib/one/.ssh/
/var/lib/one/.ssh/ OpenSSH RSA public key

Copy the contents of the /var/lib/one/.ssh/ file from the front end:

$ cat /var/lib/one/.ssh/

OpenNebula LXD node operation:

Log in to the OpenNebula LXD node to be configured:

$ ssh [email protected]

Use the following command to switch to the oneadmin user account:

$ sudo su - oneadmin
[email protected]:~$

Create an authorization key file (if it does not exist):

$ touch /var/lib/one/.ssh/authorized_keys

Add the copied front-end SSH public key to the file:

$ vim /var/lib/one/.ssh/authorized_keys

Test passwordless SSH connection from the front end

I suggest you add IP and hostname mapping in the frontend /etc/hosts file:

$ sudo vim /etc/hosts onefirecracker01 # Set correctly

Initiate an SSH request as the oneadmin user:

$ sudo su - oneadmin
[email protected]:~$ ssh [email protected]

The SSH connection can be confirmed without password verification:

Warning: Permanently added 'onefirecracker01,' (ECDSA) to the list of known hosts.
Linux 4.19.0-14-amd64 #1 SMP Debian 4.19.171-2 (2021-01-30) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
[email protected]:~$

Step 6: Add the firecracker node to OpenNebula

Log in to the Sunstone web interface and navigate to infrastructure -> host

Click on + Button.Install opennebula kvm node 02

select”firecracker“As your host type:Install firecracker opennebula node 01

Wait for the host to be added, and then confirm its statusInstall firecracker opennebula node 02

Step 7: Configure the firecracker node network

The next step is to configure the network on the node. Please refer to the following two guides:

Step 8: Deploy the Nginx test application

Once the OpenNebula front end and Firecracker hypervisor are installed, we can proceed to deploy a simple application.

navigation”Store“>”Bazaar“>”DockerHubInstall firecracker opennebula node 03

Click “application“Tab, then search and select “NginxInstall firecracker opennebula node 04

Download it to default data storage.Install firecracker opennebula node 05Install firecracker opennebula node 06

When importing Nginx from Docker Hub, a VM template is also created – “Templates”> “Virtual Machines”> “nginx”Install firecracker opennebula node 07

You must click “Update“:Install firecracker opennebula node 08

In the advanced options, select “VNet network and IP address”.Install firecracker opennebula node 09

in”Operating system and CPU“Select the imported kernel image.Install firecracker opennebula node 10

Add container startup script.Install firecracker opennebula node 11

Update custom variables by setting the root password.Install firecracker opennebula node 12

After the VM template is updated, you can instantiate it to create a microVM.Install firecracker opennebula node 13

You can check the instance console to confirm that it is running:Install firecracker opennebula node 14

In order to access the VM outside the host, you can set the following iptables rules.

iptables -A PREROUTING -t nat -i enp4s0 -p tcp --dport 80 -j DNAT --to
iptables -A FORWARD -p tcp -d --dport 80 -j ACCEPT

where is it:

  • is the IP address of MicroVM
  • enp4s0 is the physical network interface

Open a browser and use the public IP of the host running the container to access the Nginx application:Install firecracker opennebula node 15

You can download this article in PDF format via the link below to support us.
Download the guide in PDF formatshut down

Related Posts