cif16: unikernels, meet docker! containing unikernels (richard mortier, anil madhavapeddy - docker...
TRANSCRIPT
Unikernels, Meet Docker! Containing Unikernels
Richard Mortier
Microservices: Tip of the Iceberg
• The horrors of the deep
  – Microservices rely on millions of lines of unnecessary, unsafe code
  – Attack surface
• So very much systems code
Code you want to run
Code your OS insists you need!
Systems Programming
• Over decades, systems programming has become distinct from app programming
  – Confined to C
  – Special kernel tooling
  – Little code reuse with applications
  – Poor debugging support
  – Monoliths
• But really, it's just programming…
It’sChanging!
Rust• zero-costabstrac7ons• memorysafety• threadswithoutdataraces• typeinference• minimal/norun7me
• FromthePlan9heritage• Memorysafety• Simple,predictablerun7me• Strongdistributedsystemslibraries
Go
• Safefunc7onallanguage• Fast,na7vecodecompila7on• Highlyportableandembeddable• FullnetworkstackfromTCPtoSSL
...plusHaskell,Lua/LuaJIT,Elixir,JavaScript,Nim,D...
Continuum
Demo: Docker and Unikernels
• Use Docker to build a unikernel microservice, and run a cluster of them to drive a web application with database, web and PHP code
  – Build system is wrapped in an easy-to-use Dockerfile
  – Each microservice is turned into a specialised unikernel
  – Each unikernel runs in its own KVM virtual machine with hardware protection
Demo: Docker and Unikernels
• Docker now manages the unikernel containers just like Linux containers
  – This includes networking!
  – Unikernels can run alongside conventional Linux containers
Turns unikernels into an awesome backend for a Docker deployment, reusing orchestration and management
What Just Happened?
• The unikernels that ran the LAMP stack were:
  – Small, secure OS images with no cruft included except what is pulled in by the app
  – 2–6 MB images are typical for the full kernel + app
  – Low-latency boot times of <1 s are comparable to Linux containers
• Perfect for specialised microservices that perform one task (Web, DB, TLS)
Image sizes (full kernel + app):
  nginx    2.2 MB
  mysqld   4.51 MB
  php      4.56 MB
Outcome
• Unikernels can be managed by Docker!
  – We map the container API to unikernel concepts
  – Image management, networking, storage all provided by Docker
  – "Containers" with strong isolation, simple management
• Moving forwards…
Highly Portable Model?
• Select libraries for a cloud backend
• Build application to run directly on Xen or KVM
  – …or build a Linux binary to run in a container
  – …or...
• Need to develop community standards to support unikernels
Container Backend?
• One binary for your application, no shell
• Can run inside VM for sandbox
• Language guarantees like type safety
• Sandboxing via seccomp, etc.
• Ideal for embedded and cloud systems
Distributed Containers?
• Distributed from the start
• Pretty difficult to build "fat" services so scaling is easier
• No fork or processes in a unikernel
• Reuse existing coordination code so no two-level scheduling
Cross-Linking?
• Bitcoin Piñata http://ownme.ipredator.se/
• Transparent bait for attackers
  – Both client and server side exposed
  – Private BTC key when authenticated
• Many attacks since Feb 15
  – Over 20,000 good packet traces
Conclusion
• Unikernels are at the stage where Linux containers were before Docker
  – Few users
  – Hard to build
  – Hard to ship
  – Hard to run
• This is what we are addressing right now with a growing community at http://unikernel.org
  – …and, going forwards, with Docker :)
Questions!
http://mort.io/
@mort___
http://unikernel.org/ http://rumpkernel.org/ https://mirage.io/