5. Project
Container Network
Performance Tool
@lcalcote
Cluster visibility -
See container network flows (current
bandwidth and direction) across
Kubernetes and Docker Swarm nodes.
Bandwidth test -
Test throughput (performance) of each
type of container network (compare
network drivers).
Choose wisely -
Be aware of the cost of overlay
convenience.
Avoid MAC address overload in underlays.
Preview
7. We hold these truths to be self-evident:
bare metal
AND
virtual machines
AND
containers
AND
unikernels
AND
functions
the future is AND not OR
10. Fat systems
Layers of a traditional application stack:
Application Configuration
Application Binary
Language Runtime
Shared Library
Docker Runtime
OS User Processes
OS Kernel
Virtual Hardware Drivers
Hypervisor
Hardware Drivers
Hardware

Inefficient:
Long startup times.
Designed for many users, running many processes.
Hardware has evolved.
Package managers pull in many unneeded packages.
Decades of backwards compatibility.
11. Security
Very large attack surface: a huge kernel code base.
Lots of unused applications, services and drivers lying around.
Other issues: see Unikernels by Russell Pavlicek (free ebook)
Lee Calcote and Idit Levine
How Unikernels Can Better Defend against DDoS Attacks
13. What is a Unikernel?
A library operating system
Traditional stack: application, on top of openGL, gtk, iconv, libgmp, libz, libstd++, libgcc, libc, on top of the kernel.
Unikernel: application linked directly with libtls.
A way of cross-compiling (existing) applications down to very small, lightweight, secure virtual machines.
15. Security
No multi-user support
no passwords and authorization info lying around
Many attack vectors closed - simply not present.
only use libraries specific to your application
produce a single process, single address space image
Security by default - not necessarily a policy that will be defined later.
16. Microservices are (intended to be) small, self-contained, single-purpose applications.
Unikernels cannot handle multiple processes,
so forking is not allowed.
Unikernels can handle threads.
Are single user, but who needs multiple users?
Can statically link data into application.
Immutable infrastructure
(enforced)
17. $avings
Access to a high-end system for a fraction of a second.
Increase speed - smaller artifacts, which boot faster (microseconds).
Target multiple platforms from a single code base.
19. Purpose
A tool for simplifying compilation and deployment of
unikernels.
Akin to how Docker builds and deploys containers.
Automates compilation of popular languages (C/C++, Golang, Java, Node.js, Python) into unikernels.
Deploys unikernels as virtual machines on many
virtualization platforms.
Incorporates work from a number of unikernel projects.
A young project (~9 months old from announcement)
20. Stewarded by these fine folks
http://project-unik.io
@uvgroovy @ilackarms
@Idit_Levine
https://github.com/emc-advanced-dev/unik
@ProjectUniK
26. Use Unik as a Kubernetes runtime
$ kubectl run nginx --image=nginx:AWS --namespace=unik --replicas=3
multiple container runtimes AND unikernels
docker, rkt and unik