Unikernels and another way of secure cloud computing

Unikernels and another way ofsecure cloud computing

Motiejus Jakstysmotiejus@amazon.com

@mo kelione

2015-11-19

Disclaimer

This presentation is intended to give a high leveloverview of the subject matter and is intended fordiscussion purposes. This presentation is notintended to provide an exhaustive analysis of thesubject matter and may differ depending onindividual use cases.

Table of ContentsIntroduction

Roles of an IT organizationHow to deploy?

Meat of UnikernelsLook ma, no OSWhat’s in a unikernel?Performance benefitsSecurity benefits

Unikernel examplesWhat’s next?

Unmodified applications firstLocal demoIn Amazon EC2

Typical IT organizationRole What system?

Developer

I Cares only about the app.

I Familiar environment (POSIX API).

I Here’s a JAR, make this thing work.

I Hopefully prod matches dev.

Operator FredFlintstone

I Simple systems.

I Predictable systems.

I Speedy deployments and rollbacks.

Security certi-fier Mr Burns

I Auditable components.

I Least possible dependencies.

I Trades convenience for security.

Developer

I Simple systems.

Developer

I Simple systems.

Developer

I Simple systems.

Developer

I Simple systems.

Developer

I Simple systems.

Developer

I Simple systems.

Developer

I Simple systems.

Developer

I Simple systems.

Developer

I Simple systems.

Developer

I Simple systems.

How to deploy?Deployment Developer Operations Security

Mutable, full OS.

I Ansible/Chef/Puppet

I Adhoc shell scripts

I AWS Opsworks

Unhappy Unhappy Doesn’tcare

Immutable, full OS.

I Docker

I AMI per release

Happy Unhappy Doesn’tcare

Immutable, no OS.

I Unikernels

Happy Happy Happier

Mutable, full OS.

I AWS Opsworks

Immutable, full OS.

I Docker

I AMI per release

Immutable, no OS.

I Unikernels

Happy Happy Happier

Mutable, full OS.

I AWS Opsworks

Unhappy

Unhappy Doesn’tcare

Immutable, full OS.

I Docker

I AMI per release

Immutable, no OS.

I Unikernels

Happy Happy Happier

Mutable, full OS.

I AWS Opsworks

Unhappy Unhappy

Doesn’tcare

Immutable, full OS.

I Docker

I AMI per release

Immutable, no OS.

I Unikernels

Happy Happy Happier

Mutable, full OS.

I AWS Opsworks

Immutable, full OS.

I Docker

I AMI per release

Immutable, no OS.

I Unikernels

Happy Happy Happier

Mutable, full OS.

I AWS Opsworks

Immutable, full OS.

I Docker

I AMI per release

Immutable, no OS.

I Unikernels

Happy Happy Happier

Mutable, full OS.

I AWS Opsworks

Immutable, full OS.

I Docker

I AMI per release

Unhappy Doesn’tcare

Immutable, no OS.

I Unikernels

Happy Happy Happier

Mutable, full OS.

I AWS Opsworks

Immutable, full OS.

I Docker

I AMI per release

Happy Unhappy

Doesn’tcare

Immutable, no OS.

I Unikernels

Happy Happy Happier

Mutable, full OS.

I AWS Opsworks

Immutable, full OS.

I Docker

I AMI per release

Immutable, no OS.

I Unikernels

Happy Happy Happier

Mutable, full OS.

I AWS Opsworks

Immutable, full OS.

I Docker

I AMI per release

Immutable, no OS.

I Unikernels

Happy Happy Happier

Mutable, full OS.

I AWS Opsworks

Immutable, full OS.

I Docker

I AMI per release

Immutable, no OS.

I Unikernels

Happy Happier

Mutable, full OS.

I AWS Opsworks

Immutable, full OS.

I Docker

I AMI per release

Immutable, no OS.

I Unikernels

Happy Happy

Happier

Mutable, full OS.

I AWS Opsworks

Immutable, full OS.

I Docker

I AMI per release

Immutable, no OS.

I Unikernels

Happy Happy Happier

Unikernel - Library OS

Traditional VM Unikernel

Configuration files

Application code

Language runtime

User processes

Kernel threads

File System

Network stack

Hypervisor, x86

Application code

Language runtime

Unikernel runtime

Configuration files

Application code

Language runtime

User processes

Kernel threads

File System

Network stack

Hypervisor, x86

Application code

Language runtime

Unikernel runtime

Configuration files

Application code

Language runtime

User processes

Kernel threads

File System

Network stack

Hypervisor, x86

Application code

Language runtime

Unikernel runtime

Configuration files

Application code

Language runtime

User processes

Kernel threads

File System

Network stack

Hypervisor, x86

Application code

Language runtime

Unikernel runtime

Configuration files

Application code

Language runtime

User processes

Kernel threads

File System

Network stack

Hypervisor, x86

Application code

Language runtime

Unikernel runtime

Configuration files

Application code

Language runtime

User processes

Kernel threads

File System

Network stack

Hypervisor, x86

Application code

Language runtime

Unikernel runtime

Configuration files

Application code

Language runtime

User processes

Kernel threads

File System

Network stack

Hypervisor, x86

Application code

Language runtime

Unikernel runtime

Configuration files

Application code

Language runtime

User processes

Kernel threads

File System

Network stack

Hypervisor, x86

Application code

Language runtime

Unikernel runtime

Configuration files

Application code

Language runtime

User processes

Kernel threads

File System

Network stack

Hypervisor, x86

Application code

Language runtime

Unikernel runtime

Configuration files

Application code

Language runtime

User processes

Kernel threads

File System

Network stack

Hypervisor, x86

Application code

Language runtime

Unikernel runtime

Configuration files

Application code

Language runtime

User processes

Kernel threads

File System

Network stack

Hypervisor, x86

Application code

Language runtime

Unikernel runtime

Configuration files

Application code

Language runtime

User processes

Kernel threads

File System

Network stack

Hypervisor, x86

Application code

Language runtime

Unikernel runtime

Configuration files

Application code

Language runtime

User processes

Kernel threads

File System

Network stack

Hypervisor, x86

Application code

Language runtime

Unikernel runtime

Configuration files

Application code

Language runtime

User processes

Kernel threads

File System

Network stack

Hypervisor, x86

Application code

Language runtime

Unikernel runtime

IntroductionRoles of an IT organizationHow to deploy?

Unikernel examples

What’s next?Unmodified applications firstLocal demoIn Amazon EC2

Summary

Unikernel has:

I One process, N threads.

I Haha! no context switches.

I API for doing network and IO.

I Possibly application runtime:

Unikernel has:

I One process, N threads.I Haha! no context switches.

Unikernel has:

Where does performance come from?

Traditional style

NIC memory

kernel memory

interrupt

application memory

read()

Unikernel style

NIC memory

unikernel memory

interrupt

is application memory

(Developer happy)

Traditional style

NIC memory

kernel memory

interrupt

application memory

read()

Unikernel style

NIC memory

unikernel memory

interrupt

(Developer happy)

Traditional style

NIC memory

kernel memory

interrupt

application memory

read()

Unikernel style

NIC memory

unikernel memory

interrupt

(Developer happy)

Traditional style

NIC memory

kernel memory

interrupt

application memory

read()

Unikernel style

NIC memory

unikernel memory

interrupt

(Developer happy)

Traditional style

NIC memory

kernel memory

interrupt

application memory

read()

Unikernel style

NIC memory

unikernel memory

interrupt

(Developer happy)

Traditional style

NIC memory

kernel memory

interrupt

application memory

read()

Unikernel style

NIC memory

unikernel memory

interrupt

(Developer happy)

Traditional style

NIC memory

kernel memory

interrupt

application memory

read()

Unikernel style

NIC memory

unikernel memory

interrupt

(Developer happy)

Traditional style

NIC memory

kernel memory

interrupt

application memory

read()

Unikernel style

NIC memory

unikernel memory

interrupt

(Developer happy)

Traditional style

NIC memory

kernel memory

interrupt

application memory

read()

Unikernel style

NIC memory

unikernel memory

interrupt

(Developer happy)

IntroductionRoles of an IT organizationHow to deploy?

Unikernel examples

What’s next?Unmodified applications firstLocal demoIn Amazon EC2

Summary

Security

I Reduced attack surface area.

I No unneeded kernel modules.I No Perl, shell...I Exploited environment is barely usable to useless.

I Some: language is type-safe.

I Some: can do 1 VM per request.

Happy Mr Burns

Security

I Reduced attack surface area.I No unneeded kernel modules.

I No Perl, shell...I Exploited environment is barely usable to useless.

Happy Mr Burns

Security

I Reduced attack surface area.I No unneeded kernel modules.I No Perl, shell...

I Exploited environment is barely usable to useless.

Happy Mr Burns

Security

I Reduced attack surface area.I No unneeded kernel modules.I No Perl, shell...I Exploited environment is barely usable to useless.

Happy Mr Burns

Security

Happy Mr Burns

Security

Happy Mr Burns

Security

Happy Mr Burns

Why only in 2013?

Virtualization provides uniform APIs for networkand I/O.

E.g. virtio for KVM, netfront/netback for Xen.

I Small set of drivers to implement.

I Makes it economic to create unikernels.

Why only in 2013?

Virtualization provides uniform APIs for networkand I/O.E.g. virtio for KVM, netfront/netback for Xen.

I Small set of drivers to implement.

I Makes it economic to create unikernels.

Classification

Niche : highly optimizedapplications/frameworks.

Generic : general-purpose applications:

Fat : yes POSIX. Compatible.Lean : no POSIX. Needs rewrite.

Classification

Fat : yes POSIX. Compatible.

Lean : no POSIX. Needs rewrite.

Classification

Mirage OS

Generic lean.

I OCaml-only.

I ⇒ type-safe throughout the stack.

I VM boot time < 10ms

I ⇒ VM per request (inetd-like).

I ⇒ security and economy.

I Typical image sizes: 100s of KB.

Typical application: web services, data processing.

Mirage OS

Generic lean.

I OCaml-only.

Mirage OS

Generic lean.

I OCaml-only.

Mirage OS

Generic lean.

I OCaml-only.

Mirage OS

Generic lean.

I OCaml-only.

Mirage OS

Generic lean.

I OCaml-only.

Mirage OS

Generic lean.

I OCaml-only.

Mirage OS

Generic lean.

I OCaml-only.

Generic Fat.

I Linux ABIs.I Bonus: fast APIs.

I reported significant throughput increases onmemcached.

I Memory allocation tuning:

I JVM.I Memcached.I OOM Killer Manager!

I Subsecond boot times.

Generic Fat.

I Linux ABIs.

I Bonus: fast APIs.

Generic Fat.

I Memory allocation tuning:I JVM.

I Memcached.I OOM Killer Manager!

Generic Fat.

I Memory allocation tuning:I JVM.I Memcached.

I OOM Killer Manager!

Generic Fat.

I Memory allocation tuning:I JVM.I Memcached.I OOM Killer Manager!

Generic Fat.

ClickOS

Niche.Optimized for network middleboxes:

I Firewalls.

I Intrusion Detection Systems.

I Load Balancers.

Fun fact: Xen network optimization to the extreme.

ClickOS

Niche.

Optimized for network middleboxes:

I Firewalls.

I Load Balancers.

ClickOS

I Firewalls.

I Load Balancers.

ClickOS

I Firewalls.

I Load Balancers.

ClickOS

I Firewalls.

I Load Balancers.

ClickOS

I Firewalls.

I Load Balancers.

ClickOS

I Firewalls.

I Load Balancers.

What do we do next?

Nobody likes rewrites.

Take platforms (JVM, Erlang) and run unmodifiedapps.

I Fully immutable.

I Faster deployment and rollbacks.

I Smaller attack surface.

What do we do next?

Nobody likes rewrites.Take platforms (JVM, Erlang) and run unmodifiedapps.

I Fully immutable.

What do we do next?

I Fully immutable.

What do we do next?

I Fully immutable.

Local demo

Contents:

I Take a JVM/Spring application.

I Demo on standard Linux.

I Generate the unikernel.

I Run that unikernel locally.

Takeaways:

I Small image size.

I Trivial to implement.

Local demo

Contents:

Takeaways:

I Small image size.

Local demo

Contents:

Takeaways:

I Small image size.

Local demo

Contents:

Takeaways:

I Small image size.

Local demo

Contents:

Takeaways:

I Small image size.

Local demo

Contents:

Takeaways:

I Small image size.

Local demo

Contents:

Takeaways:

I Small image size.

Running in Amazon EC2

To create a VM image in AWS, do:

% qemu-img convert -f qcow2 -O raw 3.qemu 3.raw

% ./release-ec2.sh \

--override-image 3.raw \

--override-version 3 \

--region us-east-1

AMI in EC2

Running OSv in EC2

Try it out

I Run your unikernel in Free Tier right now.

I t2.micro - $0/month for 1 year.

Try it out

I Run your unikernel in Free Tier right now.

I t2.micro - $0/month for 1 year.

Summary

Library OS: OS embedded to your application.

I Small ⇒ scale quickly.

I Very efficient ⇒ economic.

I Reduced attack surface.

I Runs on public clouds: ⇒ try on EC2, for free.

Summary

Thanks

I Niels Brouwers (Amazon) for the right tools.

I Russel Pavlicek (Citrix) for spreading the word.

We’re hiring!

I Check out amazon.jobs

I Also, contact me at motiejus@amazon.com

Unikernels and another way of secure cloud computing

Engineering

Transcript of Unikernels and another way of secure cloud computing

IT 341: Introduction to System AdministrationWhen you install ssh, you also get scp, a secure copy for doing secure cp procedures from one machine to another (actually, it is a secure

Lightning talk unikernels

NCP Secure Enterprise Server · From Windows Server 2008 onwards, ... When re-connecting a Client to another gateway in the Load Balancing network, ... NCP Secure Enterprise VPN Server,

Virtual machines, Containers, Microservices, Unikernels

JWIG: Yet Another Framework for Maintainable and Secure ... · JWIG: Yet Another Framework for Maintainable and Secure Web Applications Anders Møller and Mathias Schwarz Department

Another Satisfied IPIN Global Secure Exit Strategy Investor

XPDS14: Unikernels: Who, What, Where, When, Why - Adam Wick, Galois

CIF16: Tor in Haskell, or How To Write Programs For Unikernels (Adam Wick, Galois Inc.)

Microservices in Unikernels

Unikernels: Rise of the Virtual Library Operating System · The MirageOS architecture—dubbed unikernels—is outlined in figure 1. Unikernels are specialized OS kernels that are

Unikernels: Library Operating Systems for the Cloudanil.recoil.org/papers/2013-asplos-mirage.pdf · Unikernels: Library Operating Systems for the Cloud ... whole-system optimisation

OSCON: Unikernels and Docker: From revolution to evolution

Unikernels - Keep It Simple to the Bare Metal

Virtual Machines vs. Containers vs. Unikernels: The … ID: #RSAC Samir Saklikar Virtual Machines vs. Containers vs. Unikernels: The Security Face-Offs CCS-T08 Technical Lead, Office

Cisco AnyConnect Secure Mobility Client VPN User … AnyConnect Secure Mobility Client VPN User Messages, Release 3.0 Another user has logged into your computer locally, and only one

64-bit ARM Unikernels on uKVM - events.static.linuxfound.org · 64-bit ARM Unikernels on uKVM Wei Chen Tokyo / Open Source Summit Japan 2017 ... container

CIF16: Building the Superfluid Cloud with Unikernels (Simon Kuenzer, NEC Europe)

CIF16: Knock, Knock: Unikernels Calling! (Richard Mortier, Cambridge University)

Nebuchadnezzar has another dream. How secure is his throne?

VOYAGER: Yet Another Secure Web Browser to Demonstrate Secure Socket Layer Working and Implementation By : Shrinivas G. Deshpande Advisor: Dr. Chung E.