Firecracker Network Setup

Firecracker has solid documentation on setting up networking:

Basically, I followed these steps and in the end I was able to connect a Firecracker instance to the Internet.

  1. Create an iptables backup file; we’ll need it during clean-up:

    $ sudo iptables-save > iptables.rules.old
  2. Create a tap device:

    $ sudo ip tuntap add tap0 mode tap
  3. Set up NAT between the tap device and the host’s uplink interface. I’m using the wlp3s0 interface, but yours could be different if you’re connected via an Ethernet cable, e.g. eth0:

    $ sudo ip addr add dev tap0
    $ sudo ip link set tap0 up
    $ sudo sh -c "echo 1 > /proc/sys/net/ipv4/ip_forward"
    $ sudo iptables -t nat -A POSTROUTING -o wlp3s0 -j MASQUERADE
    $ sudo iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    $ sudo iptables -A FORWARD -i tap0 -o wlp3s0 -j ACCEPT
  4. Pass --tap-device to firectl when starting the Firecracker instance:

    $ firectl --kernel=/tmp/vmlinux --root-drive=./rootfs.ext4 --kernel-opts="console=ttyS0 noapic reboot=k panic=1 pci=off nomodules rw" --tap-device=tap0/AA:FC:00:00:00:01
  5. Once you have booted the guest, bring up networking within the guest:

    # ip addr add dev eth0
    # ip link set eth0 up
    # ip route add default via dev eth0
  6. The Alpine image comes with as a DNS server. If it’s missing, you need to add one to /etc/resolv.conf:

    # cat /etc/resolv.conf 
  7. Run a test:

    # ping
    PING ( 56 data bytes
    64 bytes from seq=0 ttl=116 time=25.429 ms
    64 bytes from seq=1 ttl=116 time=29.473 ms
  8. Clean up:

    $ sudo ip link del tap0
    $ sudo iptables-restore < iptables.rules.old
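The host-side part of the procedure above (steps 2, 3 and 8) as one script, added here as an example and not taken from the Firecracker or firectl projects. It assumes the tap name, uplink interface and addresses are passed in as environment variables (the 172.16.0.0/30 values are placeholders), uses `sysctl -w` instead of writing to /proc, restricts the FORWARD and MASQUERADE rules to the guest's source address so the guest cannot send spoofed traffic out of the uplink, and tears down only the rules it added instead of restoring the whole iptables dump.

```shell
#!/usr/bin/env bash
# Host-side network setup/teardown for a single Firecracker guest.
# Assumed inputs (not from the original post): TAP, UPLINK, HOST_ADDR,
# GUEST_IP. DRY_RUN=1 prints the commands instead of running them.
set -euo pipefail

TAP="${TAP:-tap0}"
UPLINK="${UPLINK:-wlp3s0}"
HOST_ADDR="${HOST_ADDR:-172.16.0.1/30}"   # placeholder: host end of the tap link
GUEST_IP="${GUEST_IP:-172.16.0.2}"        # placeholder: address given to eth0 in the guest
DRY_RUN="${DRY_RUN:-0}"

# Run a privileged command, or just print it when DRY_RUN=1.
run() {
  if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else sudo "$@"; fi
}

# Create the tap, enable forwarding and add the NAT path.
# Unlike the post's rules, forwarding and masquerading only match packets
# whose source is GUEST_IP, so a guest cannot spoof other addresses.
host_setup() {
  run ip tuntap add "$TAP" mode tap
  run ip addr add "$HOST_ADDR" dev "$TAP"
  run ip link set "$TAP" up
  run sysctl -w net.ipv4.ip_forward=1   # same effect as echo 1 > /proc/sys/net/ipv4/ip_forward
  run iptables -t nat -A POSTROUTING -s "$GUEST_IP" -o "$UPLINK" -j MASQUERADE
  run iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
  run iptables -A FORWARD -i "$TAP" -o "$UPLINK" -s "$GUEST_IP" -j ACCEPT
}

# Delete exactly the rules host_setup added (reverse order), then the tap.
# Rules added by other tools on the host are left untouched.
host_teardown() {
  run iptables -D FORWARD -i "$TAP" -o "$UPLINK" -s "$GUEST_IP" -j ACCEPT || true
  run iptables -D FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT || true
  run iptables -t nat -D POSTROUTING -s "$GUEST_IP" -o "$UPLINK" -j MASQUERADE || true
  run ip link del "$TAP" || true
}

# Number of commands host_setup issues (handy for a dry-run sanity check).
count_setup_cmds() { DRY_RUN=1; host_setup | wc -l | tr -d ' '; }

case "${1:-}" in
  setup)    host_setup ;;
  teardown) host_teardown ;;
esac
```

Usage: `sudo -v && ./fc-net.sh setup`, boot the guest with `--tap-device=tap0/...`, then `./fc-net.sh teardown`; `DRY_RUN=1 ./fc-net.sh setup` shows what would run.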

It’s going to be interesting to see how this is going to play out in a Kubernetes cluster.