Lee Calcote
March 5th, 2017
clouds, containers, infrastructure, applications and their management
Cluster visibility - See container network flows (current bandwidth and direction) across Kubernetes and Docker Swarm nodes.
Bandwidth test - Test throughput (performance) of each type of container network (compare network drivers).
Choose wisely - Be aware of the cost of overlay convenience. Avoid MAC address overload in underlays.
bare metal AND virtual machines AND containers AND unikernels AND functions
they care about the application
Stack layers of a traditional virtual machine, top to bottom: Application Configuration, Application Binary, Language Runtime, Shared Library, Docker Runtime, OS User Processes, OS Kernel, Virtual Hardware Drivers, Hypervisor, Hardware Drivers, Hardware.
Application
Long startup times.
Designed for many users, running many processes.
Hardware has evolved.
Package managers pull in many unneeded packages.
Decades of backwards compatibility.
Very large attack surface: a huge kernel code base.
Lots of unused applications, services and drivers lying around.
Unikernels by Russell Pavlicek (free ebook)
How Unikernels Can Better Defend against DDoS Attacks
Lee Calcote and Idit Levine
A library operating system
Figure: the application linked directly against the libraries it needs (openGL, gtk, iconv, libgmp, libz, libstdc++, libgcc, libc, libtls) and the kernel, forming a single image: application.
a way of cross-compiling (existing) applications down to very small, lightweight, secure virtual machines
Language Specific
General
Projects / Tools
Many attack vectors closed - simply not present.
Only use libraries specific to your application.
Security by default - not necessarily policy that will be defined later.
Microservices are (intended to be) small, self-contained, single-purpose applications.
Unikernels cannot handle multiple processes, so forking is not allowed.
Unikernels can handle threads.
Are single user, but who needs multiple users?
Can statically link data into application.
Access to a high-end system for a fraction of a second
Increase speed - smaller artifacts, which boot faster (microseconds)
Target multiple platforms from a single code base
Providers
API Server
daemon
a community exchange
Currently:
$ kubectl run nginx --image=nginx:AWS --namespace=unik --replicas=3
multiple container runtimes AND unikernels
docker, rkt and unik
setup
providers:
  aws:
  - name: aws
    region: us-east-1
    zone: us-east-1a
  gcloud: []
  vsphere: []
  virtualbox:
  - name: unik-vbox
    adapter_name: vboxnet0
    adapter_type: host_only
  qemu: []
  photon: []
  xen: []
  openstack: []
  ukvm: []
version: ""
unik configure
~/.unik/daemon-config.yaml
unik daemon
api server
familiarize w/unik
a familiar treadmill
unik build --name go-calcote --path ./ --base rump --language go --provider virtualbox
unik run --instanceName=scale15x --imageName=go-calcote
fmt.Fprintf(w, "<img src='http://calcotestudios.com/talks/img/unik.jpg' />")
fmt.Fprintf(w, "<p /> My first unikernel!")
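The complete Go program around these two lines, as an added example rather than code from the slides or the UniK project: the two fmt.Fprintf lines are the page's, while the package layout, the handler name, main and the :8080 listen address are assumptions. This is the kind of single-process program that the unik build command above compiles into a rump-based image.

```go
// Added example (not from the slides or UniK): the full Go HTTP server whose
// handler body the talk shows. Everything except the two Fprintf lines is assumed.
package main

import (
	"fmt"
	"log"
	"net/http"
)

// Handler serves the page from the talk. It is a named function so it can be
// exercised with net/http/httptest on a workstation, without booting a unikernel.
// A unikernel is single-process: nothing here forks or execs. The per-request
// goroutines that net/http starts are threads, which the rump base supports.
func Handler(w http.ResponseWriter, r *http.Request) {
	fmt.Fprintf(w, "<img src='http://calcotestudios.com/talks/img/unik.jpg' />")
	fmt.Fprintf(w, "<p /> My first unikernel!")
}

// ListenAddr is an assumption; the slides do not state which port the image exposes.
const ListenAddr = ":8080"

func main() {
	http.HandleFunc("/", Handler)
	log.Fatal(http.ListenAndServe(ListenAddr, nil))
}
```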
unik logs --instanceName=scale15x