Unikernels and DockerAmir ChaudhryRichard MortierMartin Lucina

OverviewIntroduction to unikernels

Unikernel workflow

Unikernels and Docker

Demo!

Q&A

Introduction to unikernels

Traditional ApproachOperating systems have a lot of code

Linux: over 25 million lines of code

Debian 5.0: 65 million lines of code

OS X 10.4: 85 million lines of code

Traditional Approach

Traditional Approach

Traditional ApproachLeads to problems

Traditional ApproachLeads to problems

Unnecessary system complexity with large amounts of (now) unused code

Lack of portability since applications are deeply intertwined with system APIs

Unnecessary system complexityBuilding applications for a current OS involves:

- Forcing a choice of distribution and version- Managing ad hoc application configuration

- Dealing with wider system configuration details,e.g., firewalls

Current operating systems are designed for many users to run multiple applications, simultaneously.

Modern architecture patterns, like single-purpose microservices, don’t require such features.

Traditional systems programming meant building services in one environment.

However, a modern programmer deals with diverse targets:

Lack of portability

Lack of portability● Cloud services with unpredictable traffic

spikes and failures● Smartphone programming on ARM/x86

with power budgets● JavaScript user interfaces with

asynchronous web clients● Internet of Things devices that have little

ARM M0 processors● Kernel modules to extend operating

system functionality

Code reuse is difficult across environments

Traditional Approach - SummaryApplications currently rely on a software stack of 100M+ lines of code.

Code reuse is difficult between environments, especially new contexts.

Difficult to get the maximum benefit of modern architecture patterns.

It's great that we can engineer software to make all this work…but can we do better?

Can we do better? How?We need to disentangle applications from the operating system:

Break up operating system functionality into modular libraries

Link only the system functionality your application needs

Target alternative platforms from a single codebase

Unikernels, unikernels, unikernels!Concepts derived from library OS technology from the 1990s

- Make OS components available as a collection of libraries- Link application code together with system libraries at build time- Only use the libraries specifically required for the application- Produce a single process, single address space image- Retarget that image simply by switching out system libraries during build

Reduced complexity:Static linking of only required libraries: removes unnecessary services.

Increased speed: Can boot inside a TCP connection setup or packet RTT.Fewer layers means lower latency and more predictable performance.

Efficient resource usage:e.g. a typical stateless MirageOS app is ~10MB of RAM.e.g. can create a MirageOS DNS server that comes in at ~200kB.

Benefits

Unikernels facilitate new design patterns:

Microservices

- Small, self-contained, single-purpose applications

Immutable Infrastructure

- Can statically link data into application: reduces dependency on external components- Store outputs in Git: introducing new models for update, upgrade, triage- Can be sealed: can even enable hardware memory-protection so image is really immutable

Benefits

Unikernel workflow

1. Build an application as you normally would on your dev machine● Use libraries for OS components● Avoid dependencies on traditional host OS

2. Test and measure● Can use familiar tools

3. Build as a unikernel● Change system libraries to retarget the unikernel

4. Deploy

Familiar development cycle...

All the familiar software development tools are available, including:

- Continuous Integration systems- gdb- profilers- linters- dtrace

Interesting side-effect of libraries: Everything is in userspace so all the usual tools apply. No boundary between userspace and kernel means everything is just function calls.

… using familiar tools

Lots of open source software!

Projects make different trade offs

- Clean slate involving bespoke protocol implementations (MirageOS, HaLVM)

- Code reuse by using rump kernels and

components from battle-tested NetBSD (Rumprun unikernel)

So we see the need for unikernelsand the range of activity

Many implementations!

Traditional approaches give limited benefits.Unikernels offer a new way to create and deploy applications.

There are barriers to adoption:

- Developers must adapt to new and varied toolchains to access this tech- Multiple projects means multiple toolchains- Deployments are not always straightforward

Must make unikernels more accessible to developers and easier to deploy.

Enter Docker!

Unikernels are a new technology!

Unikernels and Docker

Docker aims to make it easy to Build, Ship, Run software

- Built a well known and widely used toolchain and ecosystem- Traditionally Linux Containers but can also be for Windows containers

Unikernels need more tooling. Docker has tooling and broad ecosystem. Clearly the two go together!

Can increase unikernel adoption by bringing them into the Docker ecosystem

Docker helps you Build, Ship, Run software

- Use Docker to build a unikernel microservice, and run a cluster of them to drive a web application with database, web and PHP code

- Build system is wrapped in an easy-to-use Dockerfile- Each microservice is turned into a specialised unikernel- Each unikernel runs in its own KVM virtual machine with hardware protection

Demo: Docker and Unikernels

Docker now manages the unikernels just like Linux containers

This includes networking!

Turns unikernels into an awesome backend for a Docker deployment, reusing orchestration and management

Demo: Docker and Unikernels

Demo!

The unikernels that ran the LAMP stack were:

- Small, secure, OS images with only the functionality required- 2—6MB images are typical for the full kernel+app

Low-latency boot times of <1s are comparable to Linux containers

What just happened?

Perfect for specialised microservices that perform one task (Web, DB)

- Unikernels and containers sit on a continuum

- Both can be run alongside each other

Unikernels

Unikernels are a new way to develop apps (libraries all the way down)

This reduces complexity and improves portability

Unikernels can be managed by Docker!

Image management, networking and storage configuration all provided by Docker

Early days and more work to come!

Summary

Q&AVisit devel.unikernel.org for more info