UniK: Unikernel Compiler and Runtime

Lee Calcote
March 5th, 2017

Lee Calcote

clouds, containers, infrastructure, applications  and their management

Show of Hands

Project

Container Network Performance Tool

Contact for early access. Learn more -

https://github.com/solarwinds/containers​

Preview

Project

Container Network Performance Tool

Cluster visibility -

See container network flows (current bandwidth and direction) across Kubernetes and Docker Swarm nodes.

Bandwidth test -

Test throughput (performance) of each type of container network (compare network drivers).

Choose wisely -

Be aware of the cost of overlay convenience.

Avoid MAC address overload in underlays.

Preview

Hello. I'm new.

We hold these truths to be self-evident:

 

bare metal

     AND

          virtual machines

               AND

                    containers

                         AND

                              unikernels

                                   AND

                                        functions

the future is AND not OR

no one cares about 

they care about the application

unikernels

containers

virtual machines

bare metal

functions

infrastructure

Current Challenges

Fat systems

Application Configuration


Application Binary


Language Runtime


Shared Library


Docker Runtime


OS User Processes


OS Kernel


Virtual Hardware Drivers


Hypervisor


Hardware Drivers


Hardware

Application

Inefficient

Long startup times.

 

Designed for many users, running many processes.

 

Hardware has evolved.

 

Package managers pull in many unneeded packages.

 

Decades of backwards compatibility.

Very large attack surface a  huge kernel code base.

Lots of unused applications, services and drivers lying around.

Unikernels by Russell Pavlicek (free ebook)

Security

Other Issues

The Promise

What is a Unikernel?

A library operating system

application

openGL

gtk

iconv

libgmp

libz

libstd++

libgcc

libc

kernel

libtls

application

a way of cross-compiling (existing) applications down to very small, lightweight, secure virtual machine

Unikernel Landscape

Language Specific

  • HalVM - - (Haskell)
  • MirageOS -  - (OCamel)
  • LING - - (Erlang) 
  • Runtime.js - - (Javascript)
  • IncludeOS - - (C++)
  • Clive - -  (Go)

General

  • OSv 
  • Rumprun 
  • Drawbridge

Projects / Tools

  • ClickOS - - (NFV)
  • Jitsu - - (DNS)
  • Unik - - (Build, Deploy)

Security

  • No multi-user support
    • no passwords and authorization info lying around
       
  • Many attack vectors closed - simply not present.

    • ​only use libraries specific to your application

    • produce a single process, single address space image
       
  • Security be default - not necassarily policy that will be defined later

Microservices are (intended to be) small, self-contained, single-purpose applications.

 

Unikernels cannot handle multiple processes,

so forking is not allowed.


Unikernels can handle threads.

Are single user, but who needs multiple users?

 

Can statically link data into application.

Immutable infrastructure
(enforced)

$avings

Access to a high-end system for a fraction of second

 

Increase speed - smaller artifacts, which boot faster (microseconds)​

 

Target multiple platforms from a single code base

 

Purpose

  • A tool for simplifying compilation and deployment of unikernels.
     
  • Akin to how Docker builds and deploys containers.
     
  • Automates compilation of popular languages (C/C++, Golang, Java, Node.js. Python) into unikernels.
     
  • Deploys unikernels as virtual machines on many virtualization platforms.
     
  • Incorporates work from a number of unikernel projects.
     
  • A young project (~9 months old from announcement)

Stewarded by these fine folks

3 Major Components

Compilers

API Server

daemon

a community exchange

 

Currently:

  • Cloud-hosted
  • S3-backed
  • May be run on-premises

Integrations

Processor Architectures

Use Docker API to run Unikernels 

Use Unik as a CloudFoundry runtime

Use Unik as a Kubernetes runtime

$ kubectl run nginx --image=nginx:AWS --namespace=unik --replicas=3

multiple container runtimes AND unikernels

docker, rkt and unik

Walk-through

Getting Started

  1. git clone
  2. make
  3. unik

setup

providers:
  aws:
  - name: aws
    region: us-east-1
    zone: us-east-1a
  gcloud: []
  vsphere: []
  virtualbox:
  - name: unik-vbox
    adapter_name: vboxnet0
    adapter_type: host_only
  qemu: []
  photon: []
  xen: []
  openstack: []
  ukvm: []
version: ""
unik configure

~/.unik/daemon-config.yaml

unik daemon

api server

familiarize w/unik

Developer Workflow

a familiar treadmill

  1. Code app per usual
     
  2. Test and debug app
     
  3. Deploy
     
  4. Logs
unik build --name  go-calcote --path ./ --base rump --language go --provider virtualbox
unik run --instanceName=scale15x --imageName=go-calcote
    fmt.Fprintf(w, "<img src='http://calcotestudios.com/talks/img/unik.jpg' />")
    fmt.Fprintf(w, "<p /> My first unikernel!")
unik logs --instanceName=scale15x

Lee Calcote

Thank you. Questions?

clouds, containers, infrastructure,

applications  and their management