IncludeOS: Cloud platform, IoT OS or container replacement ?

1. includeOS
Cloud Platform, IoT OS or Network Appliance?

2. A short history of computing

3. Mainstream time sharing systems.
Kind of virtualisation. Multi-user and multi-process.

4. OS Kernel
Userspace
Multi-user OS design

5. OS Kernel
Userspace
Multi-user OS design

7. These are not multiuser systems

8. neither is this

9. includeOS

11. IP Stack
vmxnet3
virtio
Memory mgmt
Firewall
LiveUpdate

13. Application

14. Application

15. IncludeOS strategic direction
• We’re the pragmatic unikernel
• Happy to support multi-core
• Multiple address spaces? We don’t mind.
• Security, compatibility and performance

16. Killer feature: Live update
• In place update mechanism for IncludeOS Applications
• Stateful upgrade of running application
• No downtime - Interrupts ignored for 8ms+
• Allows for state replication, suspend/resume and migration of
workload

17. Current artefact
Memory

18. Current artefact
Memory
Connection to master established

19. Current artefact Update
Memory
Downloading update into high memory

20. Current artefact Update
Memory
Store state

21. Current artefact Update State
Memory
Reboot into new kernel

22. Current artefact Update State
Memory
Restore state and resume execution

23. Current artefact Update State
Memory

24. Current artefact Update State
Memory
Discard old application if successful

25. Update
Memory
Success!

26. Unikernel deployment
• Always immutable
• Heavy weight build systems - cross compiled images
• Configuration management is different
• You can debug (native GDB support in Qemu)

27. 2018 Development efforts
• IPv6 (done in Q3)
• Resumable TLS (end of June)
• POSIX —> Lua. Python. Node.

28. How can we make Unikernels a
success?

29. Unikernels in the press
• Seen as a replacement for containers
• Containers are trying to be a platform for generic compute
• Is this really relevant?

30. Where can IncludeOS be applied?
Strong cases for Unikernels

31. Network Function Virtualisation

32. The Piranha Project
• NFVs on IncludeOS
• Small, nimble virtual machines
• Keep change-to-deployment under 10s
• Load balancing, firewall, dhcpd and potentially others

33. The Piranha Project
• NFVs on IncludeOS
• Small, nimble virtual machines
• Keep change-to-deployment under 10s
• Load balancing, firewall, dhcpd and potentially others
I can reboot in
milliseconds!

34. What does a IncludeOS firewall look
like?
• IncludeOS merges configuration and code
• Code is redeployed on every change
• Since we have to rebuild, why not take advantage of this

35. 1
2
3
4
TCP, port = 80, accept
TCP, port = 443, accept
UDP, port = 53, accept
TCP, port = 53, accept
5deny
Traditional
Firewall
Design

36. Read rule
Evaluate
Action
Traditional
Firewall
Design

37. NaCl simple example
allowed_ports: [ http, https, ssh ]
nice_hosts: [ 129.240.0.0/16, 158.38.0.0/16]
if (ip.saddr in nice_hosts) {
if (tcp.dport in allowed_ports) { accept }
}

39. Achievements to date in NFV
• In production since Dec 2017
• Amazing feedback so far

40. CPU based IoT

41. IncludeOS on IoT devices
• Small images
• Minimal memory- and disk footprint
• Secure
• Real time characteristics
• Multicore

42. IncludeOS on ARM64
• Efforts starting in 2019
• ARM64, likely on rPi 3B+ as reference platfor
• We’ll likely skip ARM32 due to limitations in Musl
• More ethernet, Wifi, USB, BT, GPIO, LTE
• Done in 2020. Test-deployments in late 2019.

43. Ultra-low latency

44. IncludeOS for ULL
• Real time operating systems are slow - predictably
• They depend on pre-emption to give guarantees (slow)
• Linux can’t give any guarantees, is fast but jittery
• Must be deployed on bare metal or using Bareflank

45. Function as a Service

46. FaaS
• Short boot times increases elasticity
• With Ukvm we can boot, run and shutdown >10ms
• No need to keep vm around when there is no load
• Need a big platform to leverage the advantage
• What language runtimes do you need? Node, python?

47. Thanks!