Repository: firecracker-microvm/firecracker (GitHub)
Documentation: https://firecracker-microvm.github.io/
Firecracker is a Virtual Machine Monitor (VMM) built on Linux’s KVM that creates and manages lightweight microVMs. Each microVM runs in ~125ms and uses ~5MB of memory overhead per instance.
- Memory safety without garbage collection: Critical for hypervisor code that manages isolation boundaries
- Deterministic performance: No GC pauses that would violate SLA requirements for Lambda cold starts
- Minimal attack surface: ~50,000 lines of Rust vs millions in QEMU
- AWS Lambda: Powers every Lambda function invocation (billions per day)
- AWS Fargate: Underlies container isolation
- Fly.io: Uses Firecracker for their edge compute platform
- Weaveworks: Ignite project wraps Firecracker for local Kubernetes nodes
- v1.8.0 (Sept 2024): Added CPU template versioning, improved snapshot performance
- v1.9.0 (Nov 2024): Enhanced metrics API, support for newer kernel features
- Active development on io_uring integration for even faster I/O
// Firecracker API call to create a microVM
let vm_config = VmConfig {
vcpu_count: 2,
mem_size_mib: 512,
boot_source: BootSource {
kernel_image_path: "/path/to/kernel",
boot_args: Some("console=ttyS0 reboot=k panic=1"),
},
};When you invoke a Lambda function, Firecracker provisions a fresh microVM in ~125ms, executes your code in complete isolation, then tears it down—handling millions of these cycles across AWS regions.
Repository: cloudflare/workerd (GitHub)
Documentation: https://developers.cloudflare.com/workers/
Cloudflare Workers runtime is written in C++ but uses Rust extensively in the surrounding infrastructure (edge routing, data plane). The actual “workerd” runtime leverages V8 isolates for JavaScript/WASM execution.
- Zero-copy networking: Rust powers the HTTP/3 and QUIC implementations (via
quiche) - Pingora: Cloudflare’s Rust-based proxy replacing nginx (1 trillion requests/day)
- Worker-to-Worker communication: Rust handles the RPC layer between isolates
- 6+ million websites use Workers for edge compute
- Pingora handles Cloudflare’s entire proxy layer (~1% of global internet traffic)
- D1 Database: Workers’ SQLite-based database uses Rust for replication
- Pingora open-sourced (Feb 2024): Rust proxy framework now public
- Hyperdrive (GA Oct 2024): Connection pooling to databases, Rust-based
- Workers AI (2024): Inference at edge, Rust orchestration layer
// Pingora-based edge router (simplified)
pub async fn handle_request(session: &mut Session) -> Result<()> {
// Zero-copy header inspection
if session.req_header().uri.path().starts_with("/api") {
proxy_to_backend(session, "api.backend.com").await
} else {
serve_from_cache(session).await
}
}Cloudflare replaced 800+ nginx configurations with a single Rust codebase, reducing latency by ~40% and memory usage by 70%.
Repository: Rust-for-Linux/linux (GitHub)
Documentation: https://rust-for-linux.com/
Rust-for-Linux enables safe systems programming within the Linux kernel itself. As of Linux 6.1 (Dec 2022), Rust is officially supported for writing drivers and kernel modules.
- Memory safety: ~70% of kernel vulnerabilities are memory-related (Google/Microsoft data)
- No null pointer dereferences: Type system prevents entire bug classes
- Concurrency without data races: Ownership model enforces safe parallelism
- Android: Google’s Binder driver rewrite in Rust (AOSP)
- Microsoft: Azure’s host kernel exploring Rust drivers
- Asahi Linux: Apple Silicon GPU drivers written in Rust
- Samsung: Evaluating Rust for firmware
- Linux 6.6 (Oct 2023): Expanded abstractions for block devices
- Linux 6.7 (Jan 2024): Better support for platform drivers
- Linux 6.11 (Sept 2024): Nova GPU scheduler landed (first major Rust component)
- Linux 6.13 (Jan 2025 target): Network PHY drivers in Rust
The Rust NVMe driver (in development) demonstrates the safety benefits:
// Traditional C: manual error checking, easy to miss
int nvme_setup_queue(struct nvme_queue *nvmeq) {
void *mem = dma_alloc_coherent(...);
if (!mem) return -ENOMEM; // Easy to forget cleanup
// ... more allocations that might fail
}
// Rust: RAII ensures cleanup, no memory leaks
fn nvme_setup_queue(&mut self) -> Result<Queue> {
let mem = DmaCoherent::alloc(size)?; // Auto-cleanup on error
let submission = DmaCoherent::alloc(SQ_SIZE)?;
Ok(Queue::new(mem, submission))
} // All resources freed automatically if any allocation failsReal bug prevented: The Rust borrow checker would have caught the use-after-free in CVE-2022-0487 (ext4 filesystem) at compile time.
Repository: linkerd/linkerd2 and linkerd/linkerd2-proxy (GitHub)
Documentation: https://linkerd.io/
Linkerd is a service mesh for Kubernetes. The data plane (proxy) was rewritten from Go to Rust in 2018 for the v2 architecture.
- Predictable latency: P99 latency <1ms vs 10-20ms in Go (due to GC pauses)
- Memory efficiency: 10MB per proxy vs 50-100MB in Envoy (C++)
- Correctness: Protocol parsers (HTTP/2, gRPC) need zero bugs
- CNCF Graduated Project (July 2021)
- Used by: Nordstrom, Microsoft, HP, Expedia, Studyo
- Buoyant Enterprise for Linkerd: Production support for Fortune 500s
- v2.15 (Feb 2024): Gateway API support, improved mTLS performance
- v2.16 (Aug 2024): Native sidecar containers (Kubernetes 1.29+)
- v2.17 (Nov 2024): Mesh expansion to VMs, circuit breaking improvements
- Linkerd-viz dashboard: Now Rust-based (replacing Go components)
// Linkerd proxy's load balancing (simplified from linkerd2-proxy)
impl<T> Service<Request> for Balancer<T> {
fn call(&mut self, req: Request) -> Self::Future {
// EWMA load balancing: track latency per endpoint
let endpoint = self.pick_least_loaded();
// Automatic retry with backoff
self.with_retry(endpoint, req, RetryPolicy::default())
}
}Performance comparison: In a 1,000-service mesh, Linkerd adds ~0.5ms P99 latency vs 2-5ms for Envoy-based meshes (Istio, Consul).
Repository: krustlet/krustlet (GitHub)
Documentation: https://krustlet.dev/
Krustlet is a Kubernetes kubelet implementation that runs WebAssembly workloads instead of containers. It implements the Kubelet API, allowing WASM modules to be scheduled via standard Kubernetes manifests.
- WASM-native: Rust compiles to WASM efficiently, dogfooding the ecosystem
- Wasmtime integration: Bytecode Alliance’s runtime is Rust-based
- Async runtime: Tokio for handling thousands of concurrent pods
- Fermyon Spin: Serverless WASM platform uses Krustlet patterns
- WASI proposals: Krustlet team contributes to WASI standards
- Edge Kubernetes: Enables ultra-lightweight workloads (<1MB)
- Project Status (2024): Archive mode—concepts adopted by containerd/runwasi
- containerd-wasm-shims: Successor project, supports Docker/K8s natively
# Deploy WASM module to Kubernetes via Krustlet
apiVersion: v1
kind: Pod
metadata:
name: wasm-calculator
spec:
containers:
- name: app
image: webassembly.azurecr.io/calculator:v1
nodeSelector:
kubernetes.io/arch: wasm32-wasiThe WASM binary is ~500KB vs ~50MB for a container image, starts in <10ms, and uses <5MB RAM.
Repository: containers/youki (GitHub)
Documentation: https://containers.github.io/youki/
Youki is an OCI (Open Container Initiative) runtime written in Rust, compatible with Docker/Podman/Kubernetes. It’s a drop-in replacement for runc (Go).
- Security: Container runtimes are high-value attack targets
- Performance: Faster container creation (~30% faster than runc)
- Cgroup v2 support: Better resource management
- Adopted by containers organization (part of official OCI ecosystem)
- Used in production: Some edge deployments (Fly.io experiments)
- Academic interest: Cited in container security research
- v0.3.3 (Oct 2024): Full cgroup v2 support, improved rootless containers
- v0.4.0 (Jan 2025 target): Seccomp optimizations, better logging
- Integration: Working on containerd integration for wider adoption
# Run container with youki instead of runc
$ sudo youki create --bundle /path/to/bundle container_id
$ sudo youki start container_id
# Performance comparison (container creation time):
# runc: ~15ms
# youki: ~10ms (40% faster on cold start)Repository: tikv/tikv (GitHub)
Documentation: https://tikv.org/
TiKV is a distributed, transactional key-value store that serves as the storage layer for TiDB (distributed SQL database). It uses the Raft consensus algorithm and RocksDB for local storage.
- Raft implementation: Consensus requires correctness—no data races
- gRPC performance: Rust’s zero-cost abstractions for networking
- Memory safety under load: Prevents crashes during replication
- CNCF Graduated Project (Sept 2020)
- Production users: Zhihu (200M users), Bank of Beijing, Shopee
- TiDB Cloud: Managed service on AWS/GCP
- PingCAP revenue: $100M+ ARR (2023)
- v8.1 (May 2024): Faster transaction commit, improved compaction
- v8.5 (Nov 2024): Titan storage engine (large value optimization)
- TiKV Coprocessor: Pushed-down computation for analytics
// TiKV client (using tikv-client crate)
use tikv_client::TransactionClient;
let client = TransactionClient::new(vec!["127.0.0.1:2379"]).await?;
let mut txn = client.begin_optimistic().await?;
// ACID transaction across distributed nodes
txn.put("key1".to_owned(), "value1").await?;
txn.put("key2".to_owned(), "value2").await?;
txn.commit().await?; // Two-phase commit via RaftScale: TiKV handles 150+ TB datasets with <10ms P99 latency at Zhihu.
Repository: vectordotdev/vector (GitHub)
Documentation: https://vector.dev/
Vector is an observability data pipeline that collects, transforms, and routes logs/metrics/traces. It’s designed to replace Logstash, Fluentd, and Telegraf.
- Memory efficiency: 10x less memory than JVM-based alternatives
- Throughput: Processes 10M+ events/sec per instance
- Reliability: No crashes from OOM under load spikes
- Datadog acquired Vector (July 2021) for $300M+
- T-Mobile, Comcast, Discord: Processing billions of events/day
- Replaces Logstash fleets: Cost savings of 70-90% in infrastructure
- v0.38 (May 2024): Native OpenTelemetry support, OTLP source/sink
- v0.40 (Oct 2024): Adaptive concurrency, reduced latency by 30%
- v0.41 (Dec 2024 target): ClickHouse sink optimizations
# Vector pipeline (vector.toml)
[sources.nginx_logs]
type = "file"
include = ["/var/log/nginx/*.log"]
[transforms.parse_logs]
type = "remap"
inputs = ["nginx_logs"]
source = '''
. = parse_json!(.message)
.status_code = to_int(.status)
'''
[sinks.s3_archive]
type = "aws_s3"
inputs = ["parse_logs"]
compression = "gzip"Performance: Vector processes 2M events/sec at 50MB/sec throughput using ~100MB RAM (Logstash would need 2-4GB).
Repository: foniod/redbpf (GitHub)
Documentation: https://github.com/foniod/redbpf/wiki
RedBPF is a Rust framework for writing eBPF programs and loaders. eBPF allows running sandboxed programs in the Linux kernel for observability, networking, and security.
- Type-safe eBPF: Prevents kernel crashes from malformed BPF programs
- Easier than C: eBPF in C requires manual verification helpers
- Aya alternative: Another Rust eBPF framework (more active)
- Fonio (acquired by Datadog): Used RedBPF for Datadog’s eBPF agent
- Aya adoption: Now more popular (used by Cilium experiments)
- Teaching tool: Universities use for eBPF education
- RedBPF maintenance mode: Community shifted to Aya
- Aya v0.13 (Nov 2024): Latest Rust eBPF framework, very active
// Aya eBPF program (RedBPF successor)
#[map]
static EVENTS: PerfEventArray<PacketLog> = PerfEventArray::new(0);
#[xdp]
pub fn packet_filter(ctx: XdpContext) -> u32 {
match try_packet_filter(ctx) {
Ok(ret) => ret,
Err(_) => xdp_action::XDP_PASS,
}
}
fn try_packet_filter(ctx: XdpContext) -> Result<u32, ()> {
let eth = ctx.ethernet()?;
if eth.dst_addr == [0xff; 6] { // Broadcast
let log = PacketLog { src: eth.src_addr };
EVENTS.output(&ctx, &log, 0);
}
Ok(xdp_action::XDP_PASS)
}Repository: facebook/buck2 (GitHub)
Documentation: https://buck2.build/
Buck2 is Meta’s rewrite of their Buck build system (originally in Java) in Rust. It’s a language-agnostic build system similar to Bazel but with better performance and remote execution.
- Incremental compilation: Complex dependency graphs need fast hashing
- Concurrency: Builds utilize all CPU cores without data races
- Remote execution protocol: Network-heavy, needs efficient I/O
- Meta’s monorepo: Builds all of Facebook/Instagram/WhatsApp
- Prelude open-sourced: Default build rules for C++/Rust/Python
- Discord, Hugging Face: Early adopters outside Meta
- 2024.09.15: Improved BXL (Buck2 Extension Language), Starlark optimizations
- 2024.11.01: Better Windows support, Bazel migration tooling
- Active development: 50+ commits/week, biweekly releases
# BUCK file (build definition)
cxx_binary(
name = "my_app",
srcs = glob(["src/**/*.cpp"]),
deps = ["//third-party:folly"],
)
# Build with Buck2
$ buck2 build //my_app:my_app
# With remote execution (distributed build):
$ buck2 build --remote-only //my_app:my_appPerformance: Meta reports 2-3x faster clean builds vs Bazel, 5-10x faster incremental builds.
Repository: vercel/turbo (GitHub)
Documentation: https://turbo.build/
Turborepo is a build system for JavaScript/TypeScript monorepos. The core task scheduler was rewritten from Go to Rust in 2022 (called “Turbopack” engine).
- Fast hashing: Content-addressable caching requires fast hashing
- SWC integration: Rust-based JS/TS compiler (700x faster than Babel)
- Webpack replacement: Turbopack aims to replace Webpack
- Vercel acquired Turborepo (2021), now powers Next.js
- AWS, Netflix, Twitch: Using Turborepo for monorepo management
- npm downloads: 5M+/week
- Turbo 2.0 (Sept 2024): Rust-based task scheduler GA
- Turbopack Beta (Oct 2024): Next.js dev server replacement
- Nov 2024: React Server Components support in Turbopack
// turbo.json
{
"pipeline": {
"build": {
"dependsOn": ["^build"],
"outputs": ["dist/**"]
},
"test": {
"dependsOn": ["build"],
"cache": false
}
}
}Performance: Turbopack achieves ~10x faster HMR (Hot Module Replacement) vs Webpack in large Next.js apps.
Repository: BurntSushi/ripgrep (GitHub)
Documentation: https://github.com/BurntSushi/ripgrep/blob/master/GUIDE.md
ripgrep (rg) is a line-oriented search tool that recursively searches directories for regex patterns. It’s designed to replace grep, ag, and ack.
- Speed: SIMD optimizations via
memchr, faster than grep - Correctness: Unicode support by default, no encoding bugs
- Git-aware: Built-in .gitignore parsing without external tools
- Most popular Rust CLI tool: 48k+ GitHub stars
- Bundled in: VS Code, Sublime Text, Atom, many IDEs
- Microsoft: Uses rg in Azure DevOps search
- v14.1.0 (Feb 2024): PCRE2 JIT improvements, 15% faster regex
- v14.2.0 (Oct 2024): Better hyperlink support, JSON output mode
- Active maintenance, incremental improvements
# Search for TODO comments across a large codebase
$ rg "TODO|FIXME" --type rust
# Performance comparison (Linux kernel source, ~30M LOC):
# grep -r "TODO": ~8 seconds
# ag "TODO": ~3 seconds
# rg "TODO": ~0.5 seconds (15x faster than grep)
# With .gitignore respect and multiline context
$ rg "fn main" -A 5 --type rustRepository: zellij-org/zellij (GitHub)
Documentation: https://zellij.dev/
zellij is a terminal multiplexer (like tmux/screen) with a focus on ease of use, plugins, and modern UX. It uses WebAssembly for plugins.
- Async I/O: Tokio handles thousands of PTY file descriptors
- WASM plugins: Wasmer integration for third-party extensions
- Memory safety: Terminal emulation is complex and bug-prone
- Growing adoption: 20k+ GitHub stars
- Plugin ecosystem: 50+ community plugins
- Terminal of choice: For many Rust developers
- v0.40.0 (Aug 2024): Session resurrection, better tmux migration
- v0.41.0 (Nov 2024): Improved floating panes, SSH integration
- Plugin API v2: More stable WASM interface
# Start zellij with a layout
$ zellij --layout compact
# Create a new tab, split vertically
$ zellij action new-tab
$ zellij action new-pane --direction right
# Load a plugin (WASM-based)
$ zellij action load-plugin file:/path/to/plugin.wasmComparison: zellij starts in ~50ms vs tmux’s ~200ms, better responsiveness on remote servers.
Repository: astral-sh/ruff (GitHub)
Documentation: https://docs.astral.sh/ruff/
ruff is an extremely fast Python linter and formatter, written in Rust. It aims to replace Flake8, Black, isort, pylint, and dozens of other Python tools.
- Speed: 10-100x faster than pylint (1000+ rules checked in <100ms)
- Single binary: No Python install needed, works everywhere
- Correctness: Rust’s type system prevents parser bugs
- Most transformative Python tool since Black
- Adoption: Pandas, FastAPI, Pydantic, Jupyter, Airflow
- Astral raised $15M (Sept 2024): VC funding for Rust Python tools
- ruff-server (LSP): VS Code integration for real-time linting
- v0.6.0 (Aug 2024): Python 3.13 support, 100+ new rules
- v0.7.0 (Nov 2024): Formatter parity with Black, faster by 5x
- Jupyter notebook support: Linting in .ipynb files
# pyproject.toml
[tool.ruff]
line-length = 88
select = ["E", "F", "I", "N", "W"]
ignore = ["E501"]
[tool.ruff.lint]
extend-select = ["UP", "RUF", "B"]# Lint a project
$ ruff check .
# Format code
$ ruff format .
# Performance comparison (on Pandas codebase, ~500K LOC):
# pylint: ~180 seconds
# flake8: ~60 seconds
# ruff check: ~0.5 seconds (360x faster than pylint)Impact on CI/CD: Teams replace 5-10 Python tool invocations with a single ruff check that runs in <1 second, drastically speeding up CI pipelines.
Traditional systems programming forced a choice:
- C/C++: Fast but unsafe (70% of security bugs are memory-related)
- Go/Java: Safe but GC pauses wreck P99 latency
- Rust: Fast AND safe—no compromises
Rust’s abstractions compile to the same assembly as hand-written C:
// This high-level Rust code...
vec.iter().filter(|x| x.is_positive()).sum()
// ...generates the same assembly as:
int sum = 0;
for (int i = 0; i < len; i++) {
if (vec[i] > 0) sum += vec[i];
}The ownership system prevents data races at compile time:
- Firecracker: Safely manages thousands of VMs concurrently
- TiKV: Raft consensus without race conditions
- Linkerd: Handles 100k+ concurrent connections per proxy
- Single binary deploys: No runtime dependencies
- Predictable memory: No GC, deterministic resource usage
- Cross-compilation: Easy targeting of multiple architectures
Rust → WASM is the smoothest path:
- Krustlet: Kubernetes for WASM workloads
- Cloudflare Workers: WASM at edge, Rust tooling
- containerd-wasm-shims: Container runtimes executing WASM
- Firecracker: Powers AWS Lambda (billions of invocations/day)
- TiKV: CNCF graduated, handles 100+ TB databases
- Vector: Datadog’s data pipeline, processes trillions of events
- ripgrep: Bundled in major IDEs, industry standard
- Buck2: Meta’s internal standard, growing external adoption
- Linkerd: CNCF graduated, competing with Istio
- ruff: Becoming Python ecosystem default
- Rust-for-Linux: Kernel drivers landing, but limited scope
- Youki: OCI-compliant but runc still dominant
- Krustlet: Archived, but patterns live on in containerd
Books:
- Programming Rust (O’Reilly) - Systems programming fundamentals
- Rust for Rustaceans (No Starch Press) - Advanced patterns
Documentation:
- Comprehensive guides at each project’s repository
- https://rust-lang.github.io/api-guidelines/ - API design
Community:
- https://users.rust-lang.org/ - Rust Users Forum
- https://discord.gg/rust-lang - Real-time help
- https://this-week-in-rust.org/ - Weekly newsletter
The Rust infrastructure revolution isn’t coming—it’s already here. From the Linux kernel to AWS Lambda, from your terminal to the database powering your app, Rust is quietly becoming the foundation of modern systems.