Linux, Unikernel, LinuxKit: towards redefining the cloud stack.

IDIT LEVINE

Problem

Cloud Stack Application Configuration

Application

Language Runtime

Shared Libraries

Docker Runtime

OS User Processes

OS Kernel

Virtual HW Drivers

Hypervisor

Hardware Drivers

Hardware

The aim is to run single Application with a single user on a single server

Linux Kernel

Linux Kernel

Memory Management Protection Rings

Device Management

Linux Kernel

Driver management

Memory management

Security

https://github.com/cf-unik/unik/wiki/Worried-about-IoT-DDoS%3F-Think-Unikernels

Linux kernel languages

C

Assembly

C++

XML

Make

Perl

Shell Script

Python

HTML

TeX/LaTeX

AWK

Scheme

Objective-C

Autoconf

XSL Tranformation

Vim Script

Automake

SOURCE lines of code

Small Applications: 10Ks

Medium to large applications: 100Ks

Really huge applications: 1Ms

2.4

5.2

11

12.613.5

15.9

22

0

5

10

15

20

25

Linux kernel 2.4.2 Linux kernel 2.6.0 Linux kernel 2.6.29 Linux kernel 2.6.32 Linux kernel 2.6.35 Linux kernel 3.6 Linux kernel pre-4.2

2001 2003 2009 2009 2010 2012 2015

Linux Kernel SLOC

59

104

215

283

324

419

0

50

100

150

200

250

300

350

400

450

Debian 2.2 Debian 3.0 Debian 3.1 Debian 4.0 Debian 5.0 Debian 7.0

2000 2002 2005 2007 2009 2012

Debian SLOC

How did we get here ? Evolution !

Unix was supported us the entire way!

Decades of backwards compatibility

What can linux run on ?

What can run on linux ?

Anything !

Anything !

Trade Off

VS

Compatibility Efficiency

Solution LINUXKIT

LinuxKit announcement DockerCon

Solution UNIKERNELS

Traditional approach

Application

Kernel

libc

libz

iconv

openGL

gtk

libgmp libtlc

Libstd++ libgcc

Traditional approach

Application

Kernel

libc

libz

iconv

openGL

gtk

libgmp libtlc

Libstd++ libgcc

Unikernels

Design decision: support only single process & single user

The aim is to run single Application with a single user on a single server

Protection RingsMemory Management

Unikernels Creation

App Binary

App Config

App Deps

Virt, HW Drivers

Langue runtime

Ap

plic

ati

on

Ru

nti

me

Packaging Tool Unikernel!

How can unikernels help address our problems?

Application Config

Application

Language Runtime

Shared Libraries

Docker Runtime

OS User Processes

OS Kernel

Virtual HW Drivers

Hypervisor

Hardware Drivers

Hardware

Minimal layers of isolation and abstraction

Includes only what is really needed

Less code, fewer bugs, easy to reason about

Application Binary+ Library OS

Hypervisor

Hardware Drivers

Hardware

Application Config

Application

Language Runtime

Shared Libraries

Docker Runtime

OS User Processes

OS Kernel

Virtual HW Drivers

Hypervisor

Hardware Drivers

Hardware

Application Binary+ Library OS

Hypervisor

Hardware Drivers

Hardware

Application Config

Application

Language Runtime

Shared Libraries

Docker Runtime

OS User Processes

OS Kernel

Hardware Drivers

Hardware

Hardware isolation provide by the hypervisor

Unikernel advantages

• No permission checks – you can utilize 100% of your hardware

• Isolation at the virtual hardware – only ! share only hardware

• Minimal virtual machine ~1 gb in size, minimal unikernel is tiny, kb in size

• Very short boot time

• A tiny custom surface of attack, less likely to be effected by a public exploit

• Real immutable infrastructure – perfect fit to micro services architecture

Benchmark

unik build --path example-app/ --base unikernel-type --language language --provider provider-name --name image-name

unik run --instanceName instance-name –imageName image-name

UniK

UniK is an open-source tool written in Go for compiling applications into unikernels and deploying those unikernels across a variety of cloud providers, embedded devices (IoT), as well as a developer laptop or workstation.

Build anything run everywhere

Unikernel types Cloud providers

Processor architectures

DemoUniK

Unik integration with kubernetes

Unikernels support was added to Kubernetes by the UniK team by adding UniK as a container runtime to K8s - in the same way that Docker and rkt are container runtimes, UniK is now also available as a "container" runtime for k8s.

Unik kubernetes architecture

unikernels

Now one can deploy a unikernel apps alongside regular kubernetescontainerized apps.

Next integration refactor: Container Runtime Interface (CRI) will be used.

DemoKubernetes

Unik integration with Cloud Foundry

To provide the user with a seamless PaaS experience, UniK is integrated as a backend to Cloud Foundry runtime.

Next integration integration via Garden.

Unik tooling: unik hub

Unik tooling: Debug

Microservices tooling: Debug

• The most primitive form of debugging, we all do it! • However, extremely difficult to capture all state, and thus can be used only for small bugs

Won’t it be a good idea to seamlessly integrate existence debugger to leading platforms and leverage them to debug microservices applications ?

squash: distributed debugger

squash

platformsdebuggers IDEs

Demosquash

Benefits of Unikernels TO the internet of things

L ITE ON ENERGYSECURITY EFFICIENCY

USECASESWORRIED ABOUT IOT DDOS? THINK UNIKERNELS

DemoIoT Security

Unik in the open source community

Follow me: @Idit_Levine

Follow solo.io: @GetSoloIO