Firecracker is a minimal KVM-based virtual machine monitor written in Rust by AWS, originally built to run Lambda and Fargate. It launches microVMs — lightweight VMs with a stripped-down device model — in under 125ms and uses only a few megabytes of memory per VM, so you can densely pack thousands of them on one host and still get hardware-level isolation between tenants.
The trick is aggressive minimalism. Firecracker’s VMM implements only the devices you actually need to run a serverless workload: virtio-net, virtio-block, virtio-vsock, a serial console, and a minimal PS/2 keyboard. There’s no BIOS, no PCI, no USB, no graphics — boot goes straight into a Linux kernel via the 64-bit Linux boot protocol. Each microVM is a single process controlled over a REST API on a Unix socket, which makes it easy to wrap in orchestrators. The codebase is small enough to audit, and it runs under seccomp-bpf on the host for defense in depth.
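As an added example (not Firecracker's own code), here is a small Python client for the per-microVM REST API on its Unix socket. It assumes Firecracker is already running with `--api-sock`, and the socket, kernel and rootfs paths are placeholders; the call order matters because the VMM rejects changes to machine config, boot source and drives once `InstanceStart` has been issued.

```python
"""Define and start a Firecracker microVM over its Unix-socket REST API."""
import http.client
import json
import socket


class UnixHTTPConnection(http.client.HTTPConnection):
    """HTTPConnection that connects over a Unix domain socket instead of TCP."""

    def __init__(self, socket_path: str):
        super().__init__("localhost")  # host is ignored; we override connect()
        self.socket_path = socket_path

    def connect(self):
        self.sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        self.sock.connect(self.socket_path)


def microvm_requests(kernel, rootfs, vcpus=1, mem_mib=128, tap=None):
    """Return the ordered (method, path, body) calls that configure and boot the VM.

    The root drive is attached read-only so a compromised guest cannot persist
    changes to the shared image; writable state belongs on a separate drive.
    """
    calls = [
        ("PUT", "/machine-config", {"vcpu_count": vcpus, "mem_size_mib": mem_mib}),
        ("PUT", "/boot-source", {"kernel_image_path": kernel,
                                 "boot_args": "console=ttyS0 reboot=k panic=1 pci=off"}),
        ("PUT", "/drives/rootfs", {"drive_id": "rootfs", "path_on_host": rootfs,
                                   "is_root_device": True, "is_read_only": True}),
    ]
    if tap:  # optional virtio-net device backed by a host tap interface
        calls.append(("PUT", "/network-interfaces/eth0",
                      {"iface_id": "eth0", "host_dev_name": tap}))
    calls.append(("PUT", "/actions", {"action_type": "InstanceStart"}))  # must be last
    return calls


def launch(socket_path, calls):
    """Issue the calls in order; Firecracker answers 204 on success, 4xx with a JSON fault otherwise."""
    conn = UnixHTTPConnection(socket_path)
    for method, path, body in calls:
        conn.request(method, path, body=json.dumps(body),
                     headers={"Content-Type": "application/json"})
        resp = conn.getresponse()
        payload = resp.read().decode()
        if resp.status not in (200, 204):
            raise RuntimeError(f"{method} {path} -> {resp.status}: {payload}")


if __name__ == "__main__":
    # Placeholder paths; replace with a real api socket, uncompressed vmlinux and ext4 rootfs.
    launch("/tmp/firecracker.sock",
           microvm_requests("/path/to/vmlinux", "/path/to/rootfs.ext4", vcpus=2, mem_mib=256))
```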
Outside AWS, Firecracker is the runtime under Fly.io’s machines, Kata Containers’ firecracker backend, Koyeb, and a growing set of CI-sandboxing systems (Depot, Namespace, etc.). It competes conceptually with gVisor (userspace syscall interception, weaker isolation, no KVM required) and Cloud Hypervisor (a more feature-complete Rust VMM that Firecracker actually shares code lineage with). If you need “run untrusted code fast with real VM isolation,” Firecracker is the reference answer.