Disk Quotas & Network Throttling

Disk quotas in Firecracker microVMs are enforced at the block device level. The writable overlay has a fixed maximum size — typically 10-20 GB depending on the VM tier. This quota covers everything: the repository clone, installed dependencies, build artifacts, test output, and any temporary files the task creates. When the quota is exhausted, all writes fail with ENOSPC and the task terminates. There is no warning threshold — the first sign of trouble is the error itself.

Network throttling uses tc (traffic control) rules applied to the TAP interface connecting each microVM to the host network. Bandwidth is capped at a fixed rate — typically 100 Mbps for standard tiers — and connection counts are limited to prevent port exhaustion. DNS resolution goes through a host-side resolver that enforces the allowlist: only approved domains (package registries, git hosts) resolve successfully. Requests to non-allowlisted domains receive NXDOMAIN, not a timeout. This fail-fast behavior is intentional — it makes misconfigured network access obvious immediately.

# Disk quota enforcement

Overlay max:       10-20 GB (tier-dependent)
Filesystem:        ext4 on virtio-blk
Quota check:       Block device level (not filesystem)
Exhaustion:        ENOSPC → task fails
Monitoring:        df -h inside task logs

# Network throttling

Bandwidth:         100 Mbps (standard), 1 Gbps (compute)
Connections:       256 concurrent max
DNS:               Host-side resolver with allowlist
Blocked domains:   NXDOMAIN (not timeout)
Egress filtering:  iptables + tc on host TAP

# Common disk consumers
- node_modules:    200 MB – 1.5 GB
- .git:            50 MB – 2 GB (use shallow clone)
- Build artifacts:  100 MB – 5 GB
- Test screenshots: 10 MB – 500 MB