Unikernel – an executable image that can run natively on a hypervisor without the need for a separate operating system – are rapidly gaining momentum. To integrate unikernels into the echo-system, cloud-computing platforms as a service are required to provide unikernels with the same services they provide for constrainers. Here we present Unik, a open source (goo.gl/iEesqK) orchestration system for unikernels. Unik handles the compilation of libraries and applications for running on verity of cloud providers, manages their scheduling, and ensures their health. To provide the user with a seamless PaaS experience, Unik is integrated as a backend to Docker, Kubernetes & Cloud Foundry runtime.
OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...
Unik Slides
1. 1
A PLATFORM FOR AUTOMATING
UNIKERNELS COMPILATION AND
DEPLOYMENT
UNIK
2. 2
VIRTUALIZATION STACK
Redundancy in the stack
– e.g. Isolation
Application Config
Application
Language Runtime
Shared Libraries
Docker Runtime
OS User Processes
OS Kernel
Virtual HW Drivers
Hypervisor
Hardware Drivers
Hardware
The aim is to run single
Application with a single user
on a single server
3. 3
KERNEL COMPLEXITY - PROTECTION
Application safe from user
Application safe from
application User safe from user
4. 4
INEFFICIENCY
• Needless permission check, it is hard and an updated
model from time sharing computer from the 50s, 60s
• Microservices architecture duplicate what Linux
did for us
• Kernel include a lot of unnecessary drivers that
not being used: floppy, USB …
• Update and patches using yum bring a lot of
unnecessary components
5. 5
SECURITY
• Very large attack surface
• A lot of exploits target linux.
It is harder to attack
hypervisor - not expose to
the internet
• Microservices architecture
Sharing – Kernel, Memory,
filesystem, hardware
The only thing make it safe is kernel extension
like: cgroup
14. 14
Or is it ?
But how ?
What can we do to make it better ?
Rewrite ?
does it make sense to write one from scratch ?
Probably not – it is too much work !
15. 15
True, linux is monolithic, and I agree that microkernels are
nicer... As has been noted (not only by me), the linux kernel
is a minuscule part of a complete system: Full sources for
linux currently runs to about 200kB compressed. And all of
that source is portable, except for this tiny kernel that you
can (provably: I did it) re-write totally from scratch in less
than a year without having /any/ prior knowledge.
– Linus Torvalds, 1992
16. 16
{uni-} {kernel}
a bridge between
applications and
the actual data
processing done
at the hardware
level.
One; having
or consisting
of one.
19. 19
• Based on library OS
• Contains only what is needed
• Single process (micro services architecture)
• Single address space
• No virtual memory isolation
• No context switching
• No usermode/kernelmode
• Real immutable infrastructure
UNIKERNELS
22. 22
HOW CAN UNIKERNELS HELP ADDRESS OUR
PROBLEMS? Application Config
Application
Language Runtime
Shared Libraries
Docker Runtime
OS User Processes
OS Kernel
Virtual HW Drivers
Hypervisor
Hardware Drivers
Hardware
Minimal layers of isolation
and abstraction
Includes only what is really
needed
Less code, fewer bugs, easy
to reason about
23. 23
DOCKER STACK VS. UNIKERNEL STACK
Application Binary
+ Library OS
Hypervisor
Hardware Drivers
Hardware
Application Config
Application
Language Runtime
Shared Libraries
Docker Runtime
OS User Processes
OS Kernel
Virtual HW Drivers
Hypervisor
Hardware Drivers
Hardware
24. 24
DOCKER STACK VS. UNIKERNEL STACK
Application Binary
+ Library OS
Hypervisor
Hardware Drivers
Hardware
Application Config
Application
Language Runtime
Shared Libraries
Docker Runtime
OS User Processes
OS Kernel
Hardware Drivers
Hardware
Hardware isolation
25. 25
UNIKERNEL ADVANTAGES
• No other users, no multi-user support
• No permission checks – you can utilize 100% of your hardware
• Isolation at the virtual hardware – only ! share only hardware
• Minimal virtual machine ~1 gb in size, minimal unikernel is
tiny, kb in size
• Very short boot time
• A tiny custom surface of attack, less likely to be effected by
a public exploit
• Real immutable infrastructure – perfect fit to micro services architecture
29. 31
is an open-source
tool written in Go for compiling
applications into unikernels and
deploying those unikernels across a
variety of cloud providers,
embedded devices (IoT), as well as
a developer laptop or workstation.
34. 36
UNIK INTEGRATION WITH KUBERNETES
Unikernels support was added to Kubernetes by the UniK team by adding UniK as a
container runtime to K8s - in the same way that Docker and rkt are container
runtimes, UniK is now also available as a "container" runtime for k8s.
38. 42
INTERNET OF THINGS
UniK will Push
Unikernel
To Raspberry Pi
Unikernel will
communicate with
the Panini toaster
Toaster will make
Panini
We will eat Panini
bread
39. 43
WORRIED ABOUT IOT DDOS?
THINK UNIKERNELS
Could such attacks be prevented
if IoT devices were running bare
metal unikernels?
Read our blog !