Firecracker is a free to use and open source virtualization technology for creating and managing secure, multi-tenant container and function-based services that provide serverless operational models. Firecracker runs workloads in lightweight virtual machines, called microVMs, which combine the security and isolation properties provided by hardware virtualization technology with the speed and flexibility of containers.

The microVM technology was developed by Amazon Web Services (AWS)  to accelerate the speed and efficiency of Fargate and Lambda services. OpenNebula has managed to bridge the gap between two technological worlds, leaving behind the old dilemma between using containers–lighter but with weaker security–or Virtual Machine–with strong security but high overhead.

In this guide we explore how you can install and use Firecracker to run your microVMs on OpenNebula Nodes. This setup is performed on a Debian 10 Node but the same process can be done on any supported operating system.

Setup requirements

  • Installed and Configured OpenNebula Front-end
  • A physical host (x86-64 Intel or AMD processor) with virtualization capabilities

Step 1: Add OpenNebula Repositories

After OpenNebula front-end has been installed and configured, login to your the node where Firecracker will be setup.

$ ssh [email protected]

CentOS 8:

sudo rpm -ivh
sudo tee /etc/yum.repos.d/opennebula.repo<<EOT
name=OpenNebula Community Edition

CentOS 7:

sudo rpm -ivh
sudo tee /etc/yum.repos.d/opennebula.repo<<EOT
name=OpenNebula Community Edition


sudo apt update
sudo apt install wget gnupg2 -y
wget -q -O- | sudo apt-key add -
echo "deb stable opennebula" | sudo tee /etc/apt/sources.list.d/opennebula.list
sudo apt update

Step 2: Update the OpenNebula Firecracker Node

Upgrade the system before doing any installations:

Ubuntu | Debian:

sudo apt update
sudo apt -y full-upgrade
sudo reboot


sudo yum -y upgrade
sudo reboot

Step 3: Set Server hostname and Configure NTP

Login to the OpenNebula Firecracker Node and configure the hostname.

sudo hostnamectl set-hostname

Where is the actual LXD server hostname.

Consider adding the Server’s IP and hostname to /etc/hosts.

$ sudo vim /etc/hosts onefirecracker01 # Set correctly

Uninstall ntp package before installing chrony.

# Debian / Ubuntu
$ sudo apt remove ntp

# CentOS
$ sudo yum -y remove ntp

Install chrony ntp server pacakges:

# Ubuntu / Debian
sudo apt update
sudo apt install curl chrony -y

# CentOS
sudo yum -y install curl chrony

Set correct timezone on the server:

sudo timedatectl set-timezone Africa/Nairobi
sudo timedatectl set-ntp yes

Start and enable chrony ntp service:

# Debian / Ubuntu
sudo systemctl restart chrony
sudo systemctl enable chrony

# CentOS
sudo systemctl start chronyd
sudo systemctl enable chronyd

Initiate time synchronization using the following command:

$ sudo chronyc sources
210 Number of sources = 4
MS Name/IP address         Stratum Poll Reach LastRx Last sample
^-           3   6    35    13    -49ms[  -49ms] +/-  167ms
^-                 2   6    17    14   +655us[ +655us] +/-  109ms
^*                 2   6    17    16   +251us[ +116ms] +/-  109ms
^+           3   6    33    13    -49ms[  -49ms] +/-  167ms

Step 4: Install OpenNebula Firecracker Node Packages

Now that we’ve added the repositories we can install OpenNebula Firecracker Node Packages:

# Debian | Ubuntu
$ sudo apt update
$ sudo apt install opennebula-node-firecracker

# CentOS
$ sudo yum install opennebula-node-firecracker

Accept any prompts you get during installation:

The following additional packages will be installed:
  libarchive-tools libarchive13 libutempter0 lsof screen
Suggested packages:
  lrzip perl byobu | screenie | iselect
The following NEW packages will be installed:
  libarchive-tools libarchive13 libutempter0 lsof opennebula-node-firecracker screen
0 upgraded, 6 newly installed, 0 to remove and 24 not upgraded.
Need to get 1,340 kB of archives.
After this operation, 2,786 kB of additional disk space will be used.
Do you want to continue? [Y/n] y

Step 5: Configure Passwordless SSH on Front-end

The OpenNebula Front-end will connect to the hypervisor Nodes using SSH. You’ll need to configure Front-end and all Hypervisor Nodes to connect to each other over SSH without password authentication. This eliminates any manual intervention.

OpenNebula front-end node actions:

Login to your Front-end OpenNebula node:

$ ssh [email protected]_ip

Switch to oneadmin user:

$ sudo su - oneadmin
[email protected]:~$

When OpenNebula server package is installed on the Front-end, a SSH key pair is automatically generated for the oneadmin user into:

$ file /var/lib/one/.ssh/id_rsa
/var/lib/one/.ssh/id_rsa: OpenSSH private key
$ file /var/lib/one/.ssh/
/var/lib/one/.ssh/ OpenSSH RSA public key

Copy the contents of /var/lib/one/.ssh/ file from frontend:

$ cat /var/lib/one/.ssh/

OpenNebula LXD node actions:

Login to OpenNebula LXD node to be configured:

$ ssh [email protected]

Switch to oneadmin user account with the commands below:

$ sudo su - oneadmin
[email protected]:~$

Create the authorized keys file if doesn’t exist:

$ touch /var/lib/one/.ssh/authorized_keys

Add the copied Frontend SSH public key to file:

$ vim /var/lib/one/.ssh/authorized_keys

Test Passwordless SSH connectivity from Front-end

I recommend you add IP and hostname mapping in the Frontend /etc/hosts file:

$ sudo vim /etc/hosts onefirecracker01 # Set correctly

As oneadmin user initiate an SSH request:

$ sudo su - oneadmin
[email protected]:~$ ssh [email protected]

Confirm SSH connectivity without password authentication:

Warning: Permanently added 'onefirecracker01,' (ECDSA) to the list of known hosts.
Linux 4.19.0-14-amd64 #1 SMP Debian 4.19.171-2 (2021-01-30) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
[email protected]:~$

Step 6: Add Firecracker Node to OpenNebula

Login to Sunstone web interface and navigate to Infrastructure -> Hosts

install opennebula kvm node 01

Click on the + button.

install opennebula kvm node 02

Choose “Firecracker” as your host type:

install firecracker opennebula node 01

Wait for the host to be added then confirm its status

install firecracker opennebula node 02

Step 7: Configure Firecracker Node Networking

Next step is configuration of Networking on the node. Refer to below two guides:

Step 8: Deploy Nginx test Application

Once OpenNebula’s front-end and the Firecracker hypervisor are installed, we can proceed to deploy one simple application.

Navigate to “Storage” > “MarketPlaces” > “DockerHub

install firecracker opennebula node 03

Click on the “Apps” tab and search and select “Nginx

install firecracker opennebula node 04

Download it into the default datastore.

install firecracker opennebula node 05
install firecracker opennebula node 06

When Nginx is imported from Docker Hub, a VM template is also created – “Templates” > “VMs” > “nginx”

install firecracker opennebula node 07

You’ll have to update the template by clicking “Update“:

install firecracker opennebula node 08

In the advanced options select VNet network and IP address.

install firecracker opennebula node 09

In “OS & CPU” select the kernel image imported.

install firecracker opennebula node 10

Add the container start script.

install firecracker opennebula node 11

Update the Custom Vars by setting the root password.

install firecracker opennebula node 12

Once the VM template is updated you can instantiate it to create a microVM.

install firecracker opennebula node 13

You can check the instance console to confirm it is running:

install firecracker opennebula node 14

In order to access the VM outside the host you can set the following iptables rules.

iptables -A PREROUTING -t nat -i enp4s0 -p tcp --dport 80 -j DNAT --to
iptables -A FORWARD -p tcp -d --dport 80 -j ACCEPT


  • is the IP address of the MicroVM
  • enp4s0 is the physical network interface

Open your browser to access the Nginx application by using the public IP of the host where the container is running:

install firecracker opennebula node 15

Your support is our everlasting motivation,
that cup of coffee is what keeps us going!

As we continue to grow, we would wish to reach and impact more people who visit and take advantage of the guides we have on our blog. This is a big task for us and we are so far extremely grateful for the kind people who have shown amazing support for our work over the time we have been online.

Thank You for your support as we work to give you the best of guides and articles. Click below to buy us a coffee.


Please enter your comment!
Please enter your name here