Look Ma, no OS!

An introduction to unikernels and their applications

Matt Bajor

Rally Software

Denver Colorado
matt@notevenremotelydorky.com

slides.com/technolo-g
github.com/technolo-g
twitter.com/mattbajor
linkedin.com/in/mattbajor

UnnecessaryComplexity Problems

Too many supporting layers

Title: The Hindu Earth; Date: 1876; Source: Popular Science Monthly Volume 10;

Over Generalized

Systems

(That run a single specific app)

Image Source: http://historysdumpster.blogspot.com/2012/08/generic-products-of-80s.html

...like users and other users.

Image Source: http://memegenerator.net/instance2/1970331

Needless permission checks

Image Source:http://huffingtonpost.com/2013/07/12/tsa-randomizers-screening-security-lines_n_3586157.html

Image Source: http://wondergressive.com/20-biggest-wastes-money/

Efficiency & Duplication Problems

Storage + Ram

...for all of the things we are not using.

Maintenance of non-used software

Image Source: The Simpsons

Configuration

In-memory

Storage

Disk Storage

Process

Mgmt

Worker

Processes

Full duplication of *nix architecture?

Security Problems

Very large attack surface

Image Source: http://theweek.com/articles/466628/what-take-secure-usmexico-border

Image Source: http://www.kovair.com/blog/the-battle-dev-vs-ops/

Security patching is done by a separate team.

Exploits generally target Linux

Bad Sharing :(

• Kernel
• Memory
• Filesystem
• Hardware

Decades of backwards compatibility!

What can Linux run on?

vs.

Compatibility over Efficiency

Make it work.

Make it right.

Make it fast.

simplify!

{uni-} {kernel}

one; having or consisting of one.

a bridge between applications and the actual data processing done at the hardware level.

Application

Runtime

Unicorn Image Source: https://medium.com/@iefserge/runtime-js-javascript-library-os-823ada1cc3c

Unikernels are deployed directly against the hypervisor

Unicorn Image Source: https://medium.com/@iefserge/runtime-js-javascript-library-os-823ada1cc3c

Docker Container Stack vs Unikernels

UnnecessaryComplexity Problems

Minimized layers of isolation and abstraction

Significantly shrunken & specialized runtimes

No other users == No multi-user support

Image Source: https://eyebeforee.wordpress.com/tag/human/

Image Source:
http://www.designrulz.com/architecture/2012/05/palm-islands-an-artificial-archipelago-in-dubai/

Isolation at the (virtual) hardware layer only

App1

App2

App3

App4

App5

App6

App7

App8

Image Source: http://wondergressive.com/20-biggest-wastes-money/

Efficiency Problems

Unikernel Resource Usage

Linux Resource Usage

Microservice Infrastructure is like Linux, but inside-out

Image Source:
http://www.wearenotmartha.com/2010/09/mango-ginger-smoothie-at-the-boston-center-for-adult-education/

No permissions checks!

Image Source:
http://blog.privatefly.com/5-flights-we-flew-this-week

Security Problems

Image Source: https://www.etsy.com/listing/77231483/vintage-1950s-tiny-mite-toy-bank-safe

A tiny (custom) attack surface

Less likely to be affected by a public exploit

Image Source:
http://scientificbrains.com/positive-thinking-scientifically-proven-to-alter-brain-structure/

Dev teams manage their own patching

Image Source:
http://www.forbes.com/sites/benkepes/2015/06/17/shippable-delivers-docker-devops-without-the-devops/

Essentially the only thing shared is the hardware 

Image Source: http://www.google.com/about/datacenters/gallery/#/tech/1

MirageOS

https://mirage.io/

Rumprun

https://github.com/rumpkernel/rumprun

RuntimeJS

http://runtimejs.org/

LING

(Erlang on Xen | Project L)

http://erlangonxen.org/

HaLVM

(Haskell Lightweight VM)

https://github.com/GaloisInc/HaLVM

MS Drawbridge

http://research.microsoft.com/en-us/projects/drawbridge/

OSv

http://osv.io

Clive

http://lsub.org/ls/clive.html

ClickOS

http://cnp.neclab.eu/clickos/