unikernels meet nfvs: architecture, performance and challenges (wassim haddad, heikki mahkonen &...


Upload: the-linux-foundation

Post on 15-Apr-2017


TRANSCRIPT


UNIKERNELS MEET NFVS

W. Haddad, H. Mahkonen, R. Manghirmalani

Ericsson Internal | 2011-10-19 | Page 2

MOTIVATION

› The advent of distributed NFVs is highlighting the need for more granular service chaining:
– tight coordination between cloud orchestration, SDN controller and storage
– metadata to enable flow control per user and/or per device and/or per app
– OVS enables re-routing traffic between different NFVs

› Containerization simplifies the “virtualization” stack and allows running more apps on a given host, but
– constrains apps to run on the same kernel
– “light” security (one kernel shared by all containers) makes it difficult for cloud providers to embrace “multi-tenancy” with containers only

› Both containers and VMs run on a full, bloated kernel
– large amount of dead code => large “attack surface” => system vulnerabilities on the rise!
– long time to boot => always “on” => no “zero footprint” => high power consumption

› Operators are moving towards highly distributed small datacenters (e.g., AT&T NGCO, Orange NGPoP)
– limited number of CPUs
– mainly to run operator NFVs for fixed and mobile broadband


Diagram (stack comparison, bottom to top):
App in a VM: Hypervisor / Operating System / Runtime & Libraries / Application
App in Container: Operating System / Runtime & Libraries / Application
Secure App in Container: Hypervisor / Host OS / Runtime & Libraries / Application
Unikernel App: Hypervisor / Unikernel

Unikernel: single-purpose appliance designed to run in a cloud environment

§ Unikernels are compiled from the modular stack of application code, system libraries and configuration
§ Not designed to run on HW => lacks the bloat and complexity of dealing with drivers
§ Not meant to be multi-user nor multi-process => a single thread which runs only one specific application
§ “Zero-footprint cloud” => no instance is running “waiting” for requests

UNIKERNEL AT A GLANCE…

A full application may consist of one or many unikernels running together as a distributed System, e.g., within the same box


UNIKERNELS AT A GLANCE… APPLIANCE EMBEDS OWN “PERSONALIZED” KERNEL

Diagram (specialized virtual appliance, contrasted with the current virtual appliance): source code, object files, network libraries, a device library, a boot library and a config file are combined by the linker through whole-system linking into a Xen cloud appliance. Each app embeds its own “personalized” kernel.


Diagram (current virtual appliance): source code is compiled into object files and userland binaries; the compiler stops at userspace, and the application reaches the kernel’s network stack, device drivers, virtual memory and I/O scheduler through syscalls. In the unikernel, by contrast, the application code is linked with the Mirage runtime as a library runtime, so each app embeds its own “personalized” kernel.


UNIKERNELS MEET NFVS
BEYOND VM & CONTAINER

› Move beyond current VM and container technologies by introducing much smaller, specialized, secure and scalable NFVs
– slice “infrastructure” per user/device/app
– respond to network traffic in real time

› Integrate automation, orchestration and SDN control
– NFVs are created only when needed
– NFVs are automatically stitched together
– NFVs are removed when demand is fulfilled => dedicated slice resources are freed

› Enable an “in-network” processing cloud
– host 3rd party NFVs
– NFV acceleration
– low latency services

Goal: to synthesize specialized on-demand NFVs to stream into our next-gen cloud appliances


UNIKERNELS MEET NFVS
BEYOND VM & CONTAINER (continued)

Diagram (per-slice service chains): edge sites host a slice on LTE, a slice on Fixed BB and a slice for IoT, each connected to the Internet. The NFVs shown in the chains include NAT, EPG, BNG, FW, DPI, DNS, DHCP and APP; NFVs are created only when needed, automatically stitched together, and removed when demand is fulfilled so that the dedicated slice resources are freed.


ERICSSON VIRTUAL ROUTER (EVR)

› What
– Modular virtual router
– High performance and scale
– Elastic architecture
– Designed for the cloud and NFV era

› Why
– Carrier grade virtual router
› Control plane redundancy
› Data plane resiliency
› Seamless scale-up / scale-out

Diagram: a redundant control plane and a distributed elastic data plane, joined by a virtual backplane.


HYPERSCALE DATACENTER SYSTEM: KEY TECHNOLOGY IS HW DISAGGREGATION

Current server
• CPU, disk, RAM and NIC (>80% of server cost) on the same card in the same chassis
• Server has a fixed configuration: it needs to fit all workloads
• The whole server needs to be replaced at the same time even though different components have different lifecycles

Future server
• CPU, disk, RAM and NIC on different sleds
• CPU, disk, RAM and NIC can be changed according to their individual lifecycles
• HW can be configured dynamically for better utilization and performance


UNIKERNELS MEET NFVS
“TODAY” SERVICE CHAINING

Diagram (today’s service chaining): Service Level Orchestration (Subscription & Policy, Location optimizer, Performance monitoring, Connectivity monitoring, Configuration, DC Orch., Network Setup, Instantiation) drives the SDN controller, which programs the HW/SW switch (SDN Switch-1) and the BNG / PGW. Access types shown: WiFi Small Cell, WiFi RG, Fixed, Mobile, M2M, Leased line and PE Fixed, with corp. A and corp. B as example customers; subscribers use a Self-Care Portal and operators an Admin interface. Value-added functions chained per subscriber: DPI/Charging, Security, URL.
Callouts: subscriber and application aware chaining; UP application QoS & flow steering; simplified home GW; extended lifecycle / reduced truck rolls; service agility; fixed & mobile aligned per subscriber session model.


UNIKERNELS MEET NFVS
“TODAY” SERVICE CHAINING (continued)

Diagram: vBNG / vEPG with AAA
• Authentication
• Accounting
• Lawful Intercept
• Line QoS
• Quotas
followed by DPI/Charging, Security and URL functions and a vNAT, all programmed by the SDN controller (SDN CTL).

SDN-enabled service chaining (e.g., vCPE)

SDN Service Chaining
• Dynamic flow service chaining
• Per user, destination, application service chaining


UNIKERNELS MEET NFVS
EVOLVING SERVICE CHAINING (1)

› Within one host, let’s assume user traffic is allocated the service chain { VM1 => VM2 => VM3 => VM4 }
– Traffic will “bounce” on OVS between consecutive VMs
– The SDN controller configures OVS

Diagram: three hosts, each running Hypervisor + OVS with four VMs; VM1 .. VM4 are chained over EVR/OVS, steered by SDN with AAA. Per-VM anatomy: OS kernel, user processes, parallel threads, language runtime, application binary, configuration files. Unikernel anatomy: application code plus the Mirage runtime.


UNIKERNELS MEET NFVS
EVOLVING SERVICE CHAINING (2)

› Setting up User A’s service chain requires instantiating and coordinating a dedicated set of unikernels
– because a unikernel has no user/kernel space division, device drivers link into it directly as ordinary libraries
– uses an abstraction over a shared-memory communication protocol built on top of Xen vchan

› establishes shared-memory pages for zero-copy communication between the different unikernels of one particular service chain

Diagram (general concept): User A’s service chain is a stack of NFVs, Unikernel1 .. Unikernel4, processing each incoming packet in “bottom-up” order over one shared-memory segment; the numbered steps 1 to 6 mark the packet’s hand-off from one unikernel to the next.


UNIKERNELS MEET NFVS
EVOLVING SERVICE CHAINING (3)

› In “ring” mode, one dedicated unikernel (U0) is tasked with exchanging data packets with the physical NIC
– U0 pulls the packet from the NIC queue into a shared memory segment, then notifies Unikernel1 (U1) to process the packet
– Upon finishing its task, each unikernel signals its successor so it can process the packet (e.g., U1 -> U2 -> ....)
– When Unikernel4 finishes its task it notifies U0 to send the packet and pull the next one into shared memory

Diagram (inter-NFV stack signaling in “ring” mode): U0 sits between the physical NIC’s Rx queue and Tx queue; Unikernel1 .. Unikernel4 share the packet in the shared memory segment and signal in the order U0 -> U1 -> U2 -> U3 -> U4 -> U0.
NIC -> DomainX (e.g., U0) via SR-IOV
NIC -> Domain0 (used for management, control)
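The shared-memory chain of the previous slide and the “ring” mode above, as an added example that is not code from the deck or from the authors’ prototype. It simulates the hand-off in one C process rather than over Xen vchan and granted pages: U0 is the only stage that touches the NIC queues, U1..U4 work on the packet in place, and passing ownership of the slot stands in for the vchan notification. The four stage bodies (IPv4 validation, NAT, firewall, accounting), the shared-segment layout, the public address 203.0.113.9, the blocked port 23 and the test frames are all assumptions constructed for the example.

```c
/* Added example (not the deck's or the prototype's code): ring-mode hand-off between chained
 * unikernels over one shared packet slot, simulated in-process. U0 alone touches the NIC queues;
 * U1..U4 process the packet in place and "signal" the next stage by passing ownership of the slot.
 * Stage bodies, the public address 203.0.113.9 and the blocked port 23 are illustrative assumptions. */
#include <stdint.h>
#include <string.h>

#define SEG_SIZE     1500   /* one packet slot in the shared segment */
#define NSTAGES      4      /* U1..U4 */
#define IPV4_MIN_HDR 20

struct shm_seg {            /* shared-memory layout as every unikernel in the chain sees it */
    uint32_t owner;         /* 0 = U0 (NIC side), 1..4 = U1..U4 */
    uint32_t len;           /* valid bytes in data[]; written by U0, but any stage may corrupt it */
    uint8_t  data[SEG_SIZE];
};
enum verdict { PASS, DROP };
typedef enum verdict (*stage_fn)(struct shm_seg *seg, void *state);

/* Every stage re-checks what it was handed: the page is shared and there is no kernel boundary,
 * so a buggy predecessor can leave an inconsistent len or header behind. */
static int ipv4_ok(const struct shm_seg *seg)
{
    if (seg->len > SEG_SIZE || seg->len < IPV4_MIN_HDR || (seg->data[0] >> 4) != 4) return 0;
    uint32_t ihl = (seg->data[0] & 0x0f) * 4, tot = ((uint32_t)seg->data[2] << 8) | seg->data[3];
    return ihl >= IPV4_MIN_HDR && ihl <= tot && tot <= seg->len;
}
/* U1: validate the raw frame U0 copied in from the NIC. */
static enum verdict u1_validate(struct shm_seg *seg, void *st) { (void)st; return ipv4_ok(seg) ? PASS : DROP; }
/* U2: NAT, rewrite the source address to the chain's public IP (checksum update omitted). */
static enum verdict u2_nat(struct shm_seg *seg, void *st)
{
    if (!ipv4_ok(seg)) return DROP;
    memcpy(&seg->data[12], st, 4);
    return PASS;
}
/* U3: firewall, drop TCP/UDP traffic to the blocked destination port. */
static enum verdict u3_fw(struct shm_seg *seg, void *st)
{
    if (!ipv4_ok(seg)) return DROP;
    uint32_t ihl = (seg->data[0] & 0x0f) * 4, proto = seg->data[9];
    if ((proto == 6 || proto == 17) && ihl + 4 <= seg->len &&
        (((uint16_t)seg->data[ihl + 2] << 8) | seg->data[ihl + 3]) == *(uint16_t *)st) return DROP;
    return PASS;
}
/* U4: accounting, count the bytes that leave the chain. */
static enum verdict u4_account(struct shm_seg *seg, void *st) { *(uint64_t *)st += seg->len; return PASS; }

struct nic {                /* stand-in for the physical NIC's Rx and Tx queues */
    const uint8_t *rx[8]; uint32_t rx_len[8]; int nrx;
    uint8_t tx[8][SEG_SIZE]; uint32_t tx_len[8]; int ntx;
};

/* U0's loop: pull one frame into the shared slot, walk the ring U1 -> U2 -> U3 -> U4, transmit
 * once ownership comes back. Returns the number of frames sent. */
int run_chain(struct nic *nic, struct shm_seg *seg, stage_fn stages[NSTAGES], void *state[NSTAGES])
{
    nic->ntx = 0;
    for (int p = 0; p < nic->nrx; p++) {
        if (nic->rx_len[p] > SEG_SIZE) continue;          /* oversize frame never enters the segment */
        memcpy(seg->data, nic->rx[p], nic->rx_len[p]);    /* the only copy on the receive side */
        seg->len = nic->rx_len[p];
        enum verdict v = PASS;
        for (uint32_t s = 0; s < NSTAGES && v == PASS; s++) {
            seg->owner = s + 1;                           /* hand-off: ownership is the signal to U(s+1) */
            v = stages[s](seg, state[s]);
        }
        seg->owner = 0;                                   /* U4 (or a drop) returns the slot to U0 */
        if (v == PASS) { memcpy(nic->tx[nic->ntx], seg->data, seg->len); nic->tx_len[nic->ntx++] = seg->len; }
    }
    return nic->ntx;
}

/* Constructed test frame: IPv4 without options or checksum, 8-byte L4 header, payload bytes. */
static uint32_t make_pkt(uint8_t *buf, uint8_t proto, uint16_t dport, uint32_t payload)
{
    uint32_t tot = IPV4_MIN_HDR + 8 + payload;
    memset(buf, 0, tot);
    buf[0] = 0x45; buf[2] = tot >> 8; buf[3] = tot & 0xff; buf[8] = 64; buf[9] = proto;
    buf[12] = 10; buf[15] = 7; buf[16] = 192; buf[18] = 2; buf[19] = 1;   /* 10.0.0.7 -> 192.0.2.1 */
    buf[22] = dport >> 8; buf[23] = dport & 0xff;
    return tot;
}

/* Pushes four constructed frames through the chain; returns 1 on the expected outcome, else a negative code. */
int demo(void)
{
    static uint8_t a[SEG_SIZE], b[SEG_SIZE], c[SEG_SIZE], d[SEG_SIZE];
    struct nic nic = {0};
    nic.rx[0] = a; nic.rx_len[0] = make_pkt(a, 17, 53, 40);                /* UDP/53: forwarded, source NATted */
    nic.rx[1] = b; nic.rx_len[1] = make_pkt(b, 6, 23, 0);                  /* TCP/23: dropped by U3 */
    nic.rx[2] = c; nic.rx_len[2] = make_pkt(c, 17, 80, 0); c[0] = 0x65;    /* version nibble 6: dropped by U1 */
    nic.rx[3] = d; nic.rx_len[3] = make_pkt(d, 17, 80, 100); nic.rx_len[3] = 30;  /* truncated: header claims 128 bytes */
    nic.nrx = 4;
    struct shm_seg seg = {0}; uint8_t pub[4] = {203, 0, 113, 9}; uint16_t blocked = 23; uint64_t bytes = 0;
    stage_fn stages[NSTAGES] = {u1_validate, u2_nat, u3_fw, u4_account};
    void *state[NSTAGES] = {NULL, pub, &blocked, &bytes};
    int ntx = run_chain(&nic, &seg, stages, state);
    if (ntx != 1) return -1;
    if (memcmp(&nic.tx[0][12], pub, 4) != 0) return -2;   /* NAT rewrote the source */
    if (bytes != nic.tx_len[0]) return -3;                 /* only the forwarded frame was accounted */
    return ntx;
}
```

The ownership word is the only signalling primitive in this sketch; the prototype signals over Xen vchan and the segment would be a set of pages granted to every domain in the chain. The point worth carrying over is that every stage re-validates `len` and the IPv4 header instead of trusting its predecessor: once four unikernels share a packet page, the hypervisor’s isolation between them no longer covers the packet itself, so a length or header corrupted by a buggy (or compromised) NFV earlier in the chain is ordinary untrusted input for the NFVs after it. U0 is the one place where frames are copied and the one place where an oversize frame can be rejected before it ever reaches the shared slot.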


UNIKERNELS MEET NFVS
EVOLVING SERVICE CHAINING (4)

Diagram (one dedicated chain per subscriber): Irmin, “Lightning” and Pkt I/O on the infrastructure side; AAA
• Authentication
• Accounting
• Lawful Intercept
• Line QoS
• Quotas
feeding a DHCP -> NAT -> FW chain. The chain receives sensors’ credentials from AAA and communicates with the Xen modules through XenStore.


UNIKERNELS MEET NFVS
PROTOTYPE ARCHITECTURE

Diagram: XEN hosts Dom0 and the DomUs. Components shown: LIGHTNING, Irmin XS, Network IO, Shared memory, Xenstore config, DHCP, Subscriber IP, the per-subscriber DHCP / NAT / FW chain, and PKIO (packet I/O).