2017 jan-19 meetup-unikernels

Thenextbiglittlething?

DockerGrenobleMeetup,19Jan2017

MikeBright, @mjbright

@mjbright

ViktorFarcic,seniorconsultantatCloudBees

...Oneofthemostexcitingareasthatwillbecomeprominentin2017willbeunikernels.

Whilethemajorityoftheindustryisstilltryingtowraptheirheadsaroundcontainers,wewillstartseeingunikernelstakingoverthestage.

Theywill,inaway,unifyfunctionalitiesprovidedbyVMsandcontainers.

http://sdtimes.com/whats-horizon-2017/

http://sdtimes.com/whats-horizon-2017/

WhatareUnikernels?

Howdidwegethere?

Unikernelimplementations

CleanSlatePOSIXcompatibleTools

Future

Resources

Unikernels-Overview

@mjbright

WhatareUnikernels?"LibraryOS"UnikernelsareapplicationsimagesbuiltwithonlytheOperatingSystem

componentstheyactuallyrequire,e.g.TCPStack,Diskaccess.

Singleprocessapplications(nothreads,forkingormulti-user)withverysmallsize->highperformance,fastbootandsmallattacksurface(secure).

@mjbright

"LibraryOSes"

AUnikernelisbuiltbythecompilerlinkingonlytheOScomponentsneededbytheapplication.

TheOSbecomesa"LibraryOS"

Unlike"normal"applicationswhichsitatopagenericmonolithicLinuxkernel(orevenμ-kernel)whichhasmanyunneededfeatures,e.g.floppydriver.

WhatareUnikernels-howdidwegethere?

"LibraryOSes"Unneededfeaturesconsumeresourcesunnecessarily.

Unneededlegacyfeaturesrepresentasecurityrisk-especiallyinthecloud.




AtOctober's"DockerDistributedSummit",DockereventalkedofminimizingtheHypervisoralso.

"UnikernelsTheriseofthelibraryhypervisorinMirageOS"

(ACM:Unikernels:RiseoftheVirtualLibraryOperatingSystem,Jan2014)


https://blog.docker.com/2016/10/docker-distributed-system-summit-videos-podcast-episodes/

https://queue.acm.org/detail.cfm?id=2566628/



AtOctober's"DockerDistributedSummit",DockereventalkedofminimizingtheHypervisoralso.

"UnikernelsTheriseofthelibraryhypervisorinMirageOS"

(ACM:Unikernels:RiseoftheVirtualLibraryOperatingSystem,Jan2014)

Theseminimalsystemscantake~200msectoboot.

Thisopensupthepossibilityofservicesbeingspinupondemand(MirageOSjitsu).


https://blog.docker.com/2016/10/docker-distributed-system-summit-videos-podcast-episodes/

https://queue.acm.org/detail.cfm?id=2566628/

"LibraryOSes"Applicationdomains

Cloud,e.g.serverless

IoT(Embedded)

HPC

NFV( UnikernelsmeetNFVEricssonResearch)

WherewillUnikernelsbeused?

https://www.youtube.com/watch?v=3jGClCBXuTg

https://www.ericsson.com/research-blog/sdn/unikernels-meet-nfv/

"LibraryOSes"Applicationdomains

Cloud,e.g.serverless

IoT(Embedded)

HPC

NFV( UnikernelsmeetNFVEricssonResearch)

FromtheNFVContainersWhitePaper(2.3.Unikernels):

Unikernelsareessentiallysingle-applicationvirtualmachinesbasedonminimalisticOSes.SuchminimalisticOSeshaveminimumoverheadandaretypicallysingle-addressspace(sonouser/kernelspacedivideandnoexpensivesystemcalls)andhaveaco-operativescheduler(soreducingcontextswitchcosts).

ExamplesofsuchminimalisticOSesareMiniOS[MINIOS]whichrunsonXenandOSv[OSV]whichrunsonKVM,XenandVMWare.

https://datatracker.ietf.org/doc/draft-natarajan-nfvrg-containers-for-nfv/?include_text=1

WherewillUnikernelsbeused?

@mjbright

https://www.youtube.com/watch?v=3jGClCBXuTg

https://www.ericsson.com/research-blog/sdn/unikernels-meet-nfv/

https://datatracker.ietf.org/doc/draft-natarajan-nfvrg-containers-for-nfv/?include_text=1

UnikernelFamilies ManyUnikernelimplementationsexist,therearetwo

mainclassesofUnikernels




Sometakeaclean-slateapproachandemphasizesafetyandsecurity.ThesetendtousethesamelanguagefortheapplicationandtheLibraryOScomponents.

MirageOS(Ocaml)HalVM(Haskell)




Sometakeaclean-slateapproachandemphasizesafetyandsecurity.ThesetendtousethesamelanguagefortheapplicationandtheLibraryOScomponents.

MirageOS(Ocaml)HalVM(Haskell)

OthersfavourbackwardcompatibilityofexistingapplicationsbasedonPOSIX-compatibility.

Manyapplicationshavebeenported

OSv(Tomcat,Jetty,Cassandra,OpenJDK,...)Rumprun(MySQL,PHP,Nginx)


UnikernelImplementationsTechnology Description

ClickOScnp.neclab.eu

Forembeddednetworkh/w.~5MBimages,boots<20ms,45μsdelay,100VMs=>10Gbps

Clivelsub.org

WritteninGo.Fordistributedandcloud.

DrawbridgeMS

Researchprototype.Picoprocess/containerwithminimalkernelAPIsurface,andWindowslibraryOS.

Graphenegraphene

Securing"multi-process"legacyapps-addsIPC.

HaLVMgalois.com

PortofGHC(GlasgowHaskellCompiler)suite.WriteappsinHaskelltorunonXen.

IncludeOSincludeos.org

ResearchprojectforC++codeonvirtualhardware.

LINGerlangonxen.org

Erlang/OTPrunsonXen.

MirageOSmirage.io

Clean-slatelibraryOSforsecure,high-perfnetworkapps.Morethan100MirageOSlibrariesplusOCamlecosystem.

OSvosv.ioCloudius

RunLinuxbinaries(w.limitations),supportsC/C++,JVM,Ruby,Node.js

Rumprunrumpkernel.org

FreeBSD-RunsPOSIXs/wonBMorVM(Xen).

http://cnp.neclab.eu/

http://lsub.org/ls/clive.html

https://www.microsoft.com/en-us/research/project/drawbridge/

http://graphene.cs.stonybrook.edu/

http://localhost:9002/2017-Jan-19_Meetup_Unikernels/galois.com

http://www.includeos.org/

http://erlangonxen.org/

https://mirage.io/

http://osv.io/

http://rumpkernel.org/

Clean-Slate

https://mirage.io/

OCaml-Based

MirageOS"LibraryOS"componentsarewritteninOcaml.

ML-derivedlanguagesarebestknownfortheirstatictypesystemsandtype-inferringcompilers.

OCamlunifiesfunctional,imperative,andobject-orientedprogrammingunderanML-liketypesystem.

OCamlhasextensivelibrariesavailable

(Unisonutility)

Unikernelimplementations-MirageOS/Ocaml

https://mirage.io/

https://en.wikipedia.org/wiki/OCaml

Clean-Slate

https://mirage.io/

OCaml-Based

MirageOSUnikernelsarebasedontheMirage-OSUnikernelbase(OSlibrary).

ThemiragetoolisusedtobuildUnikernelsforvariousbackends:

XenHypervisor(PV)Unix(LinuxorOS/Xbinaries)Browser(viaOcaml->JScompiler!!)EvenanexperimentalBMbackendforRaspberryPi

Unikernelimplementations-MirageOS-2

https://mirage.io/

Clean-Slate

https://mirage.io/

OCaml-Based

MirageOSUnikernelsarebasedontheMirage-OSUnikernelbase(OSlibrary).

ThemiragetoolisusedtobuildUnikernelsforvariousbackends:

XenHypervisor(PV)Unix(LinuxorOS/Xbinaries)Browser(viaOcaml->JScompiler!!)EvenanexperimentalBMbackendforRaspberryPi

Buildingapplicationsforunixorxen

mirageconfigure-tunixmake./mir-console

mirageconfigure-txenmake****xencreate./mir-console.xen

Unikernelimplementations-MirageOS-2

@mjbright

https://mirage.io/

Clean-Slate

https://mirage.io/

BNCPinata:http://ownme.ipredator.se/

Networkingapplications

e.g.CyberChaff"falsenetworkhosts"

PayGarden,SeanGrove

"Babystepstounikernelsinproduction"

Toopainfultocreate/configureAMIimagesonAWSSolo5allowstocreateKVMimagesdeployableonGCE

Unikernelimplementations-MirageOS-UseCases

@mjbright

https://mirage.io/

https://www.youtube.com/watch?v=i9eu9e7gN0Q

Clean-Slate

HalVM-TheHaskellLightweightVirtualMachine:GHCrunningonXen

https://github.com/GaloisInc/HaLVM

HalVM3isreconsideringit'sUnikernelbasehttp://uhsure.com/halvm3.html

Userumpkernel(NetBSDbase)ShifttoSolo5?

Unikernelimplementations-HalVM

@mjbright

https://github.com/GaloisInc/HaLVM

https://github.com/GaloisInc/HaLVM/tree/halvm3

http://uhsure.com/halvm3.html

POSIX-based

http://osv.iohttp://blog.osv.io

OSv-CapableofrunningPOSIXbinaries

canrunJVMCassandra:https://www.penninkhof.com/2015/05/minimalist-cassandra-vm-using-osv/

UsedinMikelangelo(EUProject)TheMIKELANGELOprojectaimstobringHighPerformanceComputing(HPC)tothecloud.HPCtraditionallyinvolvesbleedingedgetechnologies,includinglotsofCPUcores,Infinibandinterconnectsbetweennodes,MPIlibrariesformessagepassing,and,surprise—NFS,averyoldtimeroftheUNIXuniverse.

BuildingOSvImagesUsingDocker:http://blog.osv.io/blog/blog/2015/04/27/docker/

SDI:ODL+OSv:http://blog.osv.io/blog/blog/2015/03/31/sdi/

Unikernelimplementations-OSv

@mjbright

http://osv.io/

http://blog.osv.io/

https://www.penninkhof.com/2015/05/minimalist-cassandra-vm-using-osv/

http://blog.osv.io/blog/blog/2015/04/27/docker/

http://blog.osv.io/blog/blog/2015/03/31/sdi/

ToolsUnik:toolforcompilingappstounikernels(varioustechnologies)

Solo5:Analternativeunikernel-baseforMirageOS

Providesqemu/KVMsupportforMirageOS

ukvm:AnalternativeVMMonitor

a"libraryhypervisor"

capstan:OSvbuildtool

UnikernelTools

@mjbright

https://github.com/emc-advanced-dev/unik

https://developer.ibm.com/open/openprojects/solo5-unikernel/

http://osv.io/capstan/

Clean-SlateMirageOSjitsu:"Just-In-TimeSummoningofUnikernels"

ADNSserverthatstartsunikernelsondemand.

TestedwithMirageOSandRumprununikernels.

https://github.com/mirage/jitsu

UnikernelTools

@mjbright



UnikernelsorContainers? SowhathasthisgottodowithContainers?

WhydidDockerbuyUnikernelSystems(Jan2016)?

Info.Q/Amir,Aug2016

UnikernelsandContainers

https://www.infoq.com/interviews/chaudhry-unikernels-docker

UnikernelsorContainers? SowhathasthisgottodowithContainers?

WhydidDockerbuyUnikernelSystems(Jan2016)?

Info.Q/Amir,Aug2016

UnikernelSystemsareinvolvedinMirageOS/XenUseofUnikernelsinDockerforMac

VPNKit,DataKitToprovidebuild/run/shiptoolsforUnikernels?TosecureContainerdeployments

RunningUnikernelsincontainers????Securefront-endsinhybridsolutionsmadeofunikernelsandcontainers

e.g.forOCamlMediaWiki(http2https,tls,...)

UnikernelsandContainers

@mjbright

https://www.infoq.com/interviews/chaudhry-unikernels-docker

ResourcesScoop.it

Unikernelswww.scoop.it/t/unikernels

Wikipedia en.wikipedia.org/wiki/Unikernel

unikernels.org unikernels.org

mirageos.iomirageos.io

mirage.io/docs/papers

OReilly"Unikernels"

Freedownload

@unikernel @unikernel

github.com/ocamllabs ocamllabs

github.com/mirage MirageOS

@mjbright

http://www.scoop.it/t/unikernels

https://en.wikipedia.org/wiki/Unikernel

https://unikernels.org/

https://mirageos.io/

https://mirage.io/docs/papers

http://unikernel.org/blog/2016/unikernel-ebook

https://twitter.com/unikernel

https://github.com/ocamllabs

https://github.com/mirage

ThankyouQ&A