The search for the killer app of unikernels
When a radically different technology comes along it usually takes time before we figure out how to apply it. When we had steam engines running factories there was one engine in each factory with a giant driveshaft running through the whole factory. When the electric engine came along people started replacing the giant steam engine with a giant electric motor. It took time before people understood that they could deploy several small motors in different parts of the factory and connect electric cables rather than having a common driveshaft. It takes time to understand the technology and its applicability.
The situation with unikernels is similar. We have this new thing and to some extent we’re using it to replace some general purpose operating system workloads. But we’re still very much limited by how we think about operating systems and computers.
Unikernels are radically different. Naturally the question of the killer app has come up on a number of occasions. As unikernels are quite different from the dominant operating systems of today it isn’t as easy to spot what it will be. Here I’ll try to answer why it’s hard to spot the killer app.
Defining characteristics of unikernels
Let’s start Continue reading
Unikernels are secure. Here is why.
Per Buer is the CEO of IncludeOS. IncludeOS is a clean-slate unikernel written in C++ with performance and security in mind. Per Buer is the founder and previous CEO/CTO of Varnish Software.
We’ve created a video that explains this in 7 minutes, so you’ll have the option of watching it instead of reading it.
There have been put forth various arguments for why unikernels are the better choice security wise and also some contradictory opinions on why they are a disaster. I believe that from a security perspective unikernels can offer a level of security that is unprecedented in mainstream computing.
A smaller codebase
Classic operating systems are nothing if not generic. They support everything and the kitchen sink. Since they ship in their compiled form and since users cannot be expected to compile functionality as it is needed, everything needs to come prebuilt and activated. Case in point; your Windows laptop might come with various services activated (bluetooth, file sharing, name resolution, and similar services). You might not use them but they are there. Go to some random security conference and these services will likely be the attack vector that is used to break into your laptop — even Continue reading
A Unikernel eBook from O’Reilly
I am pleased to announce that my FREE unikernel eBook is now available from O’Reilly.
I have been giving talks about unikernels for the past 2 years at conferences throughout North America. This eBook is my attempt to present most of the information from these talks in a written form. It is not a technical HowTo book, but rather an introduction to the basic concept of unikernels and an explanation of their value.
I hope this eBook will be a useful tool for introducing people to the whys and wherefores of unikernels.
You can download your copy here: http://www.oreilly.com/webops-perf/free/unikernels.csp
NFV Platforms with MirageOS Unikernels
Wassim Haddad is at Ericsson Silicon Valley where he currently works on distributed cloud infrastructure. Heikki Mahkonen and Ravi Manghirmalani work at Ericsson Research at Silicon Valley in the advanced Networking and Transport labs. The Ericsson team has a diverse background in different NFV, SDN and Cloud related R&D projects.
The push towards NFV
The Network Function Virtualization (NFV) paradigm breaks away from traditional “monolithic” approaches, which normally build network functions by tightly coupling application code to the underlying hardware. Decoupling these components offers a new approach to designing and deploying network services. One that brings a high degree of flexibility in terms of separating their lifecycle management and enabling much more efficient scaling. Moreover, the move away from specialized hardware coupled with a “virtualize everything” trend is fuelling operators and service providers’ expectations of significant cost reductions. This is undoubtedly a strong motivation behind NFV adoption.
Current NFV market trends point towards two key technologies: Cloud Orchestration (e.g., OpenStack) to provision and manage workflows, and Software Defined Networking (SDN) to enable dynamic connectivity between different workflows as well as network slicing. In parallel, there is also a strong desire to migrate from virtual machines towards microservice enablers, Continue reading
CyberChaff: HaLVM unikernels protecting corporate networks
Unikernel technologies, specifically the libraries, are applicable in many ways (e.g. the recent Docker for Mac and Windows products). However, unikernels themselves can enable new categories of products. One of the most prominent products is a network security tool called CyberChaff, based on open source HaLVM unikernels. Today Formaltech, a Galois subsidiary, revealed that Reed College is one of their happy CyberChaff users!
Defending a Network With CyberChaff
CyberChaff is designed to detect one of the early and critical steps in a security breach: the point when an attacker pivots from their initial entry point to the more juicy parts of the network. This step, the pivot, typically involves scanning the network for hosts that may be better positioned, appear to have more privileges, or are running critical services.
To impair this step of the attack, CyberChaff introduces hundreds (or thousands) of false, lightweight nodes on the network. These hosts are indistinguishable from real hosts when scanned by the attacker, and are each implemented as their own HaLVM unikernel. See the diagram below where green nodes are the real hosts and the orange nodes are HaLVM CyberChaff nodes. This means that an attacker is faced with a huge Continue reading
Unikernel Systems joins Docker
Today, Unikernel Systems announced that it is joining Docker. Please read the main notice posted at unikernel.com and the Docker blog post at http://blog.docker.com/2016/01/unikernel/.
An important part of the work of Unikernel Systems is to support the growing unikernel movement, which includes contributing to a number of open source projects as well as supporting this community website, unikernel.org. The Unikernel Systems team will continue this work.
Through further interaction with the Docker project and community, the open source unikernel community will receive increased visibility and contributions which will accelerate the adoption of unikernels.
Links:
Discuss this on devel.unikernel.org
IncludeOS is now free and open source!
Alfred Bratterud is Assistant Professor and PhD scholar at Oslo and Akershus University College of Applied Science where he is currently working full time leading the development of IncludeOS at the NetSys research group.
We’ve finally lifted the lid on IncludeOS, just in time for the IEEE CloudCom paper presentation recently. A preprint of the paper is available from our repo. However, we’ve done quite a lot of work since the paper was written, so here’s an update on what IncludeOS is now, and what you can expect in the near future.
It’s a bit like a JVM, but for x86 C++
A Java Virtual Machine is a portable language runtime environment. Java is portable across hardware architectures and operating systems because it uses a common instruction set. Once you’ve started a Java program, you can’t log into it (unless your program itself provides the facilities), and you can’t boot up any other programs inside it.
IncludeOS is like a safe language runtime for C++ programs, compiled into the x86 instruction set. This has the obvious advantage of removing one layer of abstraction, compared to Java: with hardware virtualization the code will execute directly on the CPU. Like with Continue reading
Contain Your Unikernels!
After DockerCon EU in Barcelona several people asked me: “Is this for real?”. Yes it is, and today we are releasing the code for the entire “Unikernels, meet Docker!” demo on GitHub.
To get started, clone the DockerConEU2015-demo repository and follow the instructions in README.md. You will need a Linux host with Docker and KVM installed.
Apart from the MySQL, Nginx and PHP with Nibbleblog unikernels shown in the demo, the repository also contains some simpler examples to get you started that we did not have time to show live in the short time-slot. There’s also an in-progress MirageOS/KVM port, so stay tuned for a future post on that.
Presented as a ‘cool hack’ in the closing session of the conference, this demo is just a taste of what is possible. Next, I’m going to work with the wider unikernel and Docker developer community on a production quality version of this demo. The goal is to make unikernel technology easily accessible to as many developers as possible!
Personally, I would like to thank Amir Chaudhry, Justin Cormack, Anil Madhavapeddy, Richard Mortier, Mindy Preston and Jeremy Yallop for helping me put the demo Continue reading
Unikernels, meet Docker!
Today, unikernels took to the stage at DockerCon EU in Barcelona!
As part of the Cool Hacks session in the closing keynote, Anil Madhavapeddy (MirageOS project lead), showed how unikernels can be treated as any other container. He first used Docker to build a unikernel microservice and then followed up by deploying a real web application with database, webserver and PHP code all running as distinct unikernel microservices built using Rump Kernels. Docker managed the unikernels just like Linux containers but without needing to deploy a traditional operating system!
This kind of integration helps put unikernels into the hands of developers everywhere and combines the familiar tooling and real-world workflows of the container ecosystem with the improved security, efficiency and specialisation of unikernels. We’ll finish off this post with details of how you can get involved — but first, before we go into Anil’s demonstration in more detail, some background about why unikernels matter, and why it makes sense to use Docker this way.
Why Unikernels?
As companies have moved to using the cloud, there’s been a growing trend towards single-purpose machine images, but it’s clear that there is significant room for improvement. At present, every VM has to Continue reading
A community site for Unikernels
Word about unikernels is spreading and more people are trying to learn about this new approach to programming the cloud. This community site aims to collate information about the various projects and provide a focal point for early adopters to understand more about the technology and become involved in the projects themselves.
Image Credit: Blake Thomson from Noun Project