
Happy birthday Weaveworks! Today we turn FIVE! It feels like we are older: startup years are a bit like dog years. Let’s celebrate with something fun :-) For the last few months we have been playing with a little side project called “Ignite” that I want to tell you about. Ignite is a GitOps-managed Virtual Machine (VM) with a container UX. A “container VM” that is both secure and lightning fast.

When Weaveworks started in 2014 we had a simple goal: to help developers use containers to deliver applications. Now it seems like everyone wants to do this. Containers are fast and easy to run anywhere, and Kubernetes has hit the mainstream. You probably know that Weaveworks uses GitOps to automate this. Weaveworks customers can provision and manage clusters direct from config, replace CD scripts with K8s automation, and manage canaries and feature flags. We thought it might be helpful to boot and manage secure VM clusters this way too.

Introducing Ignite - the GitOps VM

Weave Ignite is an open source VM with a container UX and built-in GitOps management.

  1. Combines Firecracker MicroVMs with Docker / OCI images to unify containers and VMs.
  2. Works in a GitOps fashion and can manage VMs declaratively and automatically like Kubernetes and Terraform.

Ignite is fast and secure because of Firecracker. Firecracker is an open source virtual machine monitor from AWS, built on Linux KVM, that is optimised for strong isolation, fast boot and low resource consumption. AWS uses it as the foundation for serverless offerings (AWS Lambda and Fargate) that need to start nearly instantly while keeping tenants isolated from one another. Firecracker has been shown to run 4000 micro-VMs on the same host!

Why Ignite?

Ignite is in alpha today. We see several use cases that may drive it forward:

  1. Set up many secure VMs lightning fast. It's great for testing, CI and ephemeral workloads
  2. Launch and manage entire “app ready” stacks from Git because Ignite supports GitOps!
  3. Run even legacy or special apps in lightweight VMs (eg for multi-tenancy, or using weird/edge kernels)

And - potentially - we can run a cloud of VMs ‘anywhere’ using Kubernetes for orchestration, Ignite for virtualization, GitOps for management, and supporting cloud native tools and APIs.

Get Started with Ignite using GitOps

Ignite is a “GitOps-first” project: GitOps is supported out of the box through the ignite gitops command. In Git you declaratively store the desired state of the set of VMs you want to manage. ignite gitops watches the repo, reconciles the host against the state stored in Git, and applies changes as that state is updated. This means VM changes can be automated, reviewed and audited through the Git history, and managed at scale; just some of the benefits of GitOps.

The workflow is simply this:

  1. Run ignite gitops [repo], where repo points to your Git repo
  2. Create a file in that repo with the VM specification, saying how many vCPUs and how much RAM, disk, etc. you’d like the VM to have
  3. Run git push and see your VM start on the host
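Here is what the three steps look like end to end, as an added example; this is not the Ignite project's own code. It generates a VM manifest, checks it before it is pushed, and commits it to the repo that ignite gitops watches. The manifest schema (apiVersion ignite.weave.works/v1alpha1, spec.image.ociClaim.ref, status.state) is the one the Ignite docs used at the time of this post and may differ in later versions, so check it against the version you run. The repository URL, VM names, uid and image tag are placeholders, and the pre-push rules (numeric sizes, Ignite's 16-hex-digit uid form, an image reference pinned to a tag other than latest) are this editor's checks, not something ignite gitops enforces.

```shell
#!/usr/bin/env bash
# Added example, not code from the Ignite project. The manifest schema is the
# v1alpha1 one from the Ignite docs of the time (check your version); the repo
# URL, VM names, uid and image tag are placeholders; the pre-push checks are
# the editor's, not something ignite gitops enforces.
set -u

# Emit a VM manifest. Everything the host will act on (image, CPUs, memory,
# disk, SSH access, desired state) is in this file, so a reviewer sees the
# whole VM definition in the pull request that adds it.
write_vm_manifest() {
  name=$1; uid=$2; image=$3; cpus=$4; memory=$5; disk=$6
  cat <<EOF
apiVersion: ignite.weave.works/v1alpha1
kind: VM
metadata:
  name: ${name}
  uid: ${uid}
spec:
  image:
    ociClaim:
      ref: ${image}
  cpus: ${cpus}
  memory: ${memory}
  diskSize: ${disk}
  ssh: true
status:
  state: Running
EOF
}

# Pre-push check. The reconciler starts whatever lands on the branch it
# watches, so reject obviously bad specs in CI rather than on the host:
# sizes must be numeric, the uid must be Ignite's 16-hex-digit form, and
# the image must be pinned to a tag that is not the mutable "latest".
validate_vm_manifest() {
  file=$1
  grep -q '^apiVersion: ignite.weave.works/' "$file" || return 1
  grep -q '^kind: VM$' "$file" || return 1
  grep -Eq '^  uid: [0-9a-f]{16}$' "$file" || return 1
  grep -Eq '^  cpus: [1-9][0-9]*$' "$file" || return 1
  grep -Eq '^  memory: [1-9][0-9]*[MG]B$' "$file" || return 1
  grep -Eq '^  diskSize: [1-9][0-9]*[MG]B$' "$file" || return 1
  grep -Eq '^      ref: [^ ]+:[^ :/]+$' "$file" || return 1
  grep -q ':latest$' "$file" && return 1
  return 0
}

# Commit the manifest and push it; ignite gitops on the host does the rest.
gitops_push() {
  repo_dir=$1; file=$2
  validate_vm_manifest "$repo_dir/$file" || { echo "invalid manifest: $file" >&2; return 1; }
  git -C "$repo_dir" add "$file"
  git -C "$repo_dir" commit -q -m "Add VM $(basename "$file" .yaml)"
  git -C "$repo_dir" push -q
}

# Live demo: set IGNITE_GITOPS_DEMO=1 on a machine with git and ignite.
if [ "${IGNITE_GITOPS_DEMO:-0}" = 1 ]; then
  repo=${REPO:-git@github.com:example/ignite-vms.git}      # placeholder
  work=$(mktemp -d)
  git clone -q "$repo" "$work"
  write_vm_manifest web-1 0123456789abcdef weaveworks/ignite-ubuntu:18.04 2 1GB 3GB \
    > "$work/web-1.yaml"
  gitops_push "$work" web-1.yaml
  # Step 1 of the workflow, run once on the host and left running:
  #   sudo ignite gitops "$repo"
  # After the push it picks up web-1.yaml and boots the VM; sudo ignite ps shows it.
fi
```

The live part runs only when IGNITE_GITOPS_DEMO=1 and git plus ignite are installed; the generator and the check run anywhere. The reason for checking before pushing is that the reconciler acts on whatever reaches the branch it watches, so the same gates you put on Kubernetes manifests (CI validation, a protected branch, required review) belong on the VM repo too.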

See it in action!


All in all, Ignite VMs are installed, managed and observable using GitOps.

Get Started with the Ignite CLI

TL;DR - it’s just like Docker, and you even start from Docker (OCI) images!

The easiest way to use Ignite is to start from any Docker image that contains an init system at /sbin/init (such as systemd), for example centos:7. The only command you need to run is ignite run, like this:

ignite run centos:7 [--parameters]

Watch the Ignite intro video:


Please see weaveworks/ignite on GitHub for more, including technical notes and a list of target use cases. In particular, we have made two images that are easy to use out of the box: weaveworks/ignite-ubuntu and weaveworks/ignite-centos. They are the plain ubuntu and centos images from Docker Hub with some common tools added, such as openssh and systemd.

How Ignite works

Ignite makes Firecracker easy to use by adopting the developer experience of containers. With Ignite, you pick an OCI-compliant image (a Docker image) that you want to run as a VM, and then execute ignite run instead of docker run. There’s no need to use VM-specific tools to build .vdi, .vmdk, or .qcow2 images: just do a docker build from any base image you want, and add your preferred contents.

When you run your OCI image using ignite run, Firecracker boots a new VM for you in about 125 milliseconds (!), using a default 4.19 Linux kernel. If you want to use some other kernel, specify the --kernel flag, pointing to another OCI image that contains a kernel at /boot/vmlinux and, optionally, your preferred modules. The kernel then executes /sbin/init inside the VM (the image’s ENTRYPOINT and CMD are not used), and everything starts up. After this, Ignite connects the VM to a CNI network, integrating with e.g. Weave Net.
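The build-then-run flow, as an added example that is not code from the Ignite repository: a Dockerfile that ships systemd and sshd with password login disabled, a quick lint of that Dockerfile, a pre-flight check that the built image really has an executable /sbin/init, and the ignite run invocation. The image names are placeholders; the flags are --kernel as mentioned above plus the CLI's sizing and access flags as they were at the time (--cpus, --memory, --size, --ssh, --name), and ignite ssh is assumed to be available, so confirm both with ignite run --help on your version. The lint rules are the editor's heuristics, not something Ignite itself enforces.

```shell
#!/usr/bin/env bash
# Added example, not code from the Ignite repository. Image names are
# placeholders; the ignite run flags are --kernel (mentioned in the post) and
# the CLI's flags of the time (--cpus, --memory, --size, --ssh, --name):
# confirm them with `ignite run --help` for your version.
set -u

# Dockerfile for a VM rootfs. Ignite does not honour ENTRYPOINT/CMD: the guest
# kernel executes /sbin/init, so the image must carry an init system plus the
# services it should start. sshd is configured for key-only login because
# `ignite run --ssh` injects a generated public key; no password is needed.
write_vm_dockerfile() {
  cat <<'EOF'
FROM ubuntu:18.04
RUN apt-get update \
    && apt-get install -y --no-install-recommends \
        systemd systemd-sysv dbus openssh-server iproute2 sudo \
    && rm -rf /var/lib/apt/lists/* \
    && mkdir -p /run/sshd \
    && systemctl enable ssh
RUN sed -i 's/^#\?PasswordAuthentication .*/PasswordAuthentication no/' /etc/ssh/sshd_config \
    && sed -i 's/^#\?PermitRootLogin .*/PermitRootLogin prohibit-password/' /etc/ssh/sshd_config
EOF
}

# Editor's lint for a Dockerfile meant to become a VM: it must not rely on
# ENTRYPOINT/CMD (Ignite never runs them), and it must either start from an
# image that already ships an init (centos:7 does) or install one itself.
dockerfile_fit_for_vm() {
  df=$1
  grep -Eq '^(ENTRYPOINT|CMD)[[:space:]]' "$df" && return 1
  grep -Eq '^FROM centos' "$df" && return 0
  grep -Eq 'systemd|sysvinit|openrc' "$df" || return 1
  return 0
}

# Runtime check: confirm the built image really has an executable /sbin/init,
# since a VM without one simply never comes up (no container-style error).
image_has_init() {
  docker run --rm --entrypoint /bin/sh "$1" -c 'test -x /sbin/init'
}

# Boot the image as a Firecracker microVM (needs root). Unlike docker run, what
# comes up is a full kernel running /sbin/init, reachable via the injected key.
boot_vm() {
  image=$1; name=$2
  sudo ignite run "$image" --name "$name" --cpus 2 --memory 1GB --size 4GB --ssh
  # Add --kernel <oci-image> to boot a different kernel (one with /boot/vmlinux).
}

# Live demo: set IGNITE_DEMO=1 on a host with docker and ignite installed.
if [ "${IGNITE_DEMO:-0}" = 1 ]; then
  dir=$(mktemp -d)
  write_vm_dockerfile > "$dir/Dockerfile"
  dockerfile_fit_for_vm "$dir/Dockerfile"
  docker build -t example/ubuntu-vm:18.04 "$dir"       # placeholder name
  image_has_init example/ubuntu-vm:18.04
  boot_vm example/ubuntu-vm:18.04 demo-vm
  sudo ignite ssh demo-vm                              # key-only login
fi
```

The point of the sshd lines is that a VM image built from a container base inherits none of Docker's "no network listener by default" posture: once systemd starts sshd it is listening on the VM's address, so the image should be key-only before it is ever booted rather than fixed afterwards.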

NOTE: Ignite is different from Kata Containers or gVisor. Those projects keep the container as the unit you manage and add an isolation layer underneath it: Kata boots each container or pod inside a lightweight VM, and gVisor runs it under a user-space kernel, but in both cases the VM or sandbox is an implementation detail of the container runtime. Ignite, on the other hand, lets you run a full-blown VM, easily and super-fast, but with the familiar container UX. This means you can “go a layer down” and manage the fleet of VMs powering e.g. a Kubernetes cluster, while still packaging those VMs like containers.

You can read more at weaveworks/ignite on GitHub.

Example Use Case: Run kubeadm in HA mode on Ignite VMs

kubeadm is the de-facto way of bootstrapping Kubernetes clusters. Weaveworks was a founding member, and has been committed to co-developing kubeadm ever since.

The following screencast shows how quickly you can create three VMs with Ignite and bootstrap kubeadm in High Availability mode. We also have a step-by-step guide of how you can accomplish this yourself.


Finland, Finland, Finland

Ignite is a clean-room implementation of a project Lucas prototyped while on army service.

Lucas Käldström (@luxas) is a Kubernetes SIG Lead and Top CNCF Ambassador 2017, and has been a longstanding member of the Weaveworks family since graduating from high school (story here). As a young Finnish citizen, Lucas had to do his mandatory military service for around a year.

Naturally for Lucas, he started evangelising Kubernetes within the military, and got assigned programming tasks. Security and resource consumption are critical army concerns, so Lucas and a colleague, Dennis Marttinen, decided to experiment with Firecracker, creating an elementary version of Ignite. On leaving the army they were granted permission to work on an open source rewrite, working with Weaveworks.

We teamed up with Lucas and Dennis to create a plan for Ignite, and iterate on the code and developer experience using our Kubernetes products as a proof point. This worked out great -- our cluster management products “just work” with Ignite & Kubernetes. We can create, deploy, and manage application clusters direct from config. This is incredibly cool.

Next Steps!

Contact me if your organisation is interested in learning how Weaveworks uses Ignite, Kubernetes and GitOps. We can show you the demos in depth, and we can discuss commercial options using our Weaveworks Kubernetes Platform for fleet automation and app delivery.

Join us for an online intro with Lucas next Wednesday July 17th 10:00am PT to hear about Ignite! It's part of a special Weave Online User Group event.

We’ll publish more blogs and videos to show how to combine these technologies to enable fast and secure clusters.

The future is up to you. We think Ignite has great potential as a 100% open source community tool, to help streamline workflows involving virtualization, and can help bridge two worlds: containers and VMs. We want people to get involved and see where this goes!

--alexis