Unikernels Keep It Simple – To The Bare Metal

Upload: pivorak-meetup

Post on 21-Mar-2017


TRANSCRIPT

Unikernels

Keep It Simple – To The Bare Metal

Agenda

● What is it?
● The hypervisor
● Library OS
● MirageOS and IncludeOS
● Making your own
● Beyond experimentation
● Notable examples
● Questions?

4

What is a Unikernel?

● Specialized OS
  – Serves one purpose
  – Compiled into a small, standalone kernel
  – You get only what you need
  – Created with the cloud in mind
● Single address space
  – Single process
  – No kernel/user mode switch
  – Single ring
  – Doesn't mean separation cannot be enforced
  – Can be immutable
● Embedded configuration
● Prepared for a hypervisor
  – True virtual machines
● Can be packaged into
  – Binary
  – Image
  – ...or transpiled

5

Specialized

* Unikernels: Library Operating Systems for the Cloud, 2013, Madhavapeddy, Mortier, et al.

6

* ripped from IncludeOS demo

True virtualization

[diagram: Hardware at the bottom, the Hypervisor above it, VM1 to VM5 on top; privileged operations in a VM trap into the hypervisor]

7

Library OS

Operating system is your framework.

Library OS is a set of libraries.

8

Library OS - Exokernel approach

* image source: Wikipedia

Monolithic kernel compared to exokernel

● Apps can talk to hardware directly
● Libraries provide abstractions over hardware
● It is up to app designers to decide how they want to consume hardware resources
● Small kernel manages separation of memory, CPU time, disk storage

9

MirageOS

● Follows Exokernel pattern

● Implemented in OCaml (and some C)

● Multiple backends

● Can yield great results in terms of image size, memory usage, boot time

● You write everything in OCaml

● Works with Xen

10

OCaml modules

Every file is a module:

amodule.ml
    let hello () = print_endline "Hello"

bmodule.ml
    let () = Amodule.hello ()

11

OCaml modules

amodule.ml
    let message = "Hello"
    let hello () = print_endline message

bmodule.ml
    let () = Amodule.hello ()

12

OCaml modules

Signatures: an .mli file restricts what other modules can see. With the signature below, Amodule.message is no longer visible outside amodule.ml; only hello is.

amodule.mli
    val hello : unit -> unit

13

OCaml modules

Functors: a module parameterized by another module.

    module F (X : X_sig) = struct ... end

14

OCaml modules

    module Int_set = Set.Make (struct type t = int let compare = compare end)
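The signatures and functors above are the mechanism MirageOS uses to build a unikernel as a library OS: the application is a functor over the device signatures it needs, and the backend (Xen, Unix, ...) is chosen by applying that functor to a concrete module. The following is an added example, not code from the talk or from MirageOS; the names CONSOLE, Mem_console, Stdout_console and Main are made up for illustration and do not match MirageOS's real signatures. It shows the same application body linked against two backends, and why the "single address space" slide can still say that separation can be enforced: the application only sees the abstract type C.t, so the type checker prevents it from reaching into the device's internals.

```ocaml
(* Added example (not from the talk or from MirageOS): the MirageOS-style
   "functor over a device signature" pattern.  All names here are assumed. *)

(* The only thing the application is allowed to know about a console. *)
module type CONSOLE = sig
  type t
  val connect : unit -> t
  val log : t -> string -> unit
end

(* Backend 1: a fake console that records what would have been written.
   Stands in for a hypervisor console driver in a test build. *)
module Mem_console : sig
  include CONSOLE
  val contents : t -> string list
end = struct
  type t = { mutable lines : string list }
  let connect () = { lines = [] }
  let log c s = c.lines <- s :: c.lines
  let contents c = List.rev c.lines
end

(* Backend 2: write straight to stdout, as a Unix backend would. *)
module Stdout_console : CONSOLE = struct
  type t = unit
  let connect () = ()
  let log () s = print_endline s
end

(* The application, written once against the signature.  Because C.t is
   abstract, Main cannot peek into or modify the device's record fields:
   the separation is enforced by the type checker, not by a ring switch. *)
module Main (C : CONSOLE) = struct
  let start () =
    let c = C.connect () in
    C.log c "hello from the unikernel";
    C.log c "bye";
    c
end

(* Applying the functor is the "link step": one body, two backends. *)
module Test_app = Main (Mem_console)
module Unix_app = Main (Stdout_console)

let () =
  let c = Test_app.start () in
  assert (Mem_console.contents c = [ "hello from the unikernel"; "bye" ]);
  ignore (Unix_app.start ())
```

Run it with `ocaml functors.ml` (any recent OCaml; no extra libraries are used). The in-memory backend lets the application logic be tested on a developer machine, while the same Main functor applied to a real driver module is what ends up in the image; that is also why the talk says the hard part of writing your own unikernel is the protocols and drivers, not the kernel.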

15

MirageOS – library OS realization

* Unikernels: Rise of the Virtual Library Operating System

16

IncludeOS

● C++ runtime
● You literally #include <os>
● No C layer, true unikernel, man!
● Everything in ring 0
● Single-threaded, evented, non-blocking I/O

17

Acorn

includeos/acorn

    // Serve index.html on GET /
    router.on_get("/", [disk] (auto, auto res) {
      // disk is captured again so the nested callback can use it
      disk->fs().cstat("/index.html", [res, disk] (auto err, const auto& entry) {
        if (err)
          res->send_code(http::Not_Found);
        else
          res->send_file({disk, entry});
      });
    });

18

Briefly about security

● No parent process
● Stripped down to your needs
● No shell to escape
● Memory access can be immutable, sealed, randomized
● Whole-application optimization
● Dead when not needed
● You rely on the hypervisor
● UDD

19

Your own Unikernel

● Get to know Xen
● No, the kernel is not the biggest challenge
● It's the protocols
● (and drivers... maybe)
● Understand your needs
● It's a challenge
● Albeit a fun one

20

Beyond experimentation

● Stability challenge
● Orchestration challenge
● Unikernel Systems bought by Docker
  – Docker for Mac, HyperKit, VPNKit
  – ukvm, Solo5
● Unikernels in containers

21

Others (unikernel.org/projects)

● orchestration
● JVM included
● no bare metal

rump kernel
● NetBSD ABI and drivers
● compiles to POSIX
● bare-metal support
● Xen support

ClickOS
● network processing on commodity hardware
● <buzzword>
● 6 MB instance image
● 10 Gb/s
● boot time: 30 ms
● latency: 45 µs
● </buzzword>

● build & orchestration tool
● language → unikernel

22

Resources

pastebin.com/3Ximjw5P

23

Questions?