Unikernels and another way of secure cloud computing
127
1/31 Unikernels and another way of secure cloud computing Motiejus Jakˇ stys [email protected] @mo kelione 2015-11-19 c 2015. Amazon Web Services, Inc. or its affiliates. All rights reserved.
-
Upload
motiejus-jakstys -
Category
Engineering
-
view
227 -
download
0
Transcript of Unikernels and another way of secure cloud computing
1/31
Unikernels and another way ofsecure cloud computing
Motiejus [email protected]
@mo kelione
2015-11-19
c© 2015. Amazon Web Services, Inc. or its affiliates. All rights reserved.
2/31
Disclaimer
This presentation is intended to give a high leveloverview of the subject matter and is intended fordiscussion purposes. This presentation is notintended to provide an exhaustive analysis of thesubject matter and may differ depending onindividual use cases.
c© 2015. Amazon Web Services, Inc. or its affiliates. All rights reserved.
3/31
Table of ContentsIntroduction
Roles of an IT organizationHow to deploy?
Meat of UnikernelsLook ma, no OSWhat’s in a unikernel?Performance benefitsSecurity benefits
Unikernel examplesWhat’s next?
Unmodified applications firstLocal demoIn Amazon EC2
SummaryThanksc© 2015. Amazon Web Services, Inc. or its affiliates. All rights reserved.
4/31
Typical IT organizationRole What system?
Developer
I Cares only about the app.
I Familiar environment (POSIX API).
I Here’s a JAR, make this thing work.
I Hopefully prod matches dev.
Operator FredFlintstone
I Simple systems.
I Predictable systems.
I Speedy deployments and rollbacks.
Security certi-fier Mr Burns
I Auditable components.
I Least possible dependencies.
I Trades convenience for security.
c© 2015. Amazon Web Services, Inc. or its affiliates. All rights reserved.
4/31
Typical IT organizationRole What system?
Developer
I Cares only about the app.
I Familiar environment (POSIX API).
I Here’s a JAR, make this thing work.
I Hopefully prod matches dev.
Operator FredFlintstone
I Simple systems.
I Predictable systems.
I Speedy deployments and rollbacks.
Security certi-fier Mr Burns
I Auditable components.
I Least possible dependencies.
I Trades convenience for security.
c© 2015. Amazon Web Services, Inc. or its affiliates. All rights reserved.
4/31
Typical IT organizationRole What system?
Developer
I Cares only about the app.
I Familiar environment (POSIX API).
I Here’s a JAR, make this thing work.
I Hopefully prod matches dev.
Operator FredFlintstone
I Simple systems.
I Predictable systems.
I Speedy deployments and rollbacks.
Security certi-fier Mr Burns
I Auditable components.
I Least possible dependencies.
I Trades convenience for security.
c© 2015. Amazon Web Services, Inc. or its affiliates. All rights reserved.
4/31
Typical IT organizationRole What system?
Developer
I Cares only about the app.
I Familiar environment (POSIX API).
I Here’s a JAR, make this thing work.
I Hopefully prod matches dev.
Operator FredFlintstone
I Simple systems.
I Predictable systems.
I Speedy deployments and rollbacks.
Security certi-fier Mr Burns
I Auditable components.
I Least possible dependencies.
I Trades convenience for security.
c© 2015. Amazon Web Services, Inc. or its affiliates. All rights reserved.
4/31
Typical IT organizationRole What system?
Developer
I Cares only about the app.
I Familiar environment (POSIX API).
I Here’s a JAR, make this thing work.
I Hopefully prod matches dev.
Operator FredFlintstone
I Simple systems.
I Predictable systems.
I Speedy deployments and rollbacks.
Security certi-fier Mr Burns
I Auditable components.
I Least possible dependencies.
I Trades convenience for security.
c© 2015. Amazon Web Services, Inc. or its affiliates. All rights reserved.
4/31
Typical IT organizationRole What system?
Developer
I Cares only about the app.
I Familiar environment (POSIX API).
I Here’s a JAR, make this thing work.
I Hopefully prod matches dev.
Operator FredFlintstone
I Simple systems.
I Predictable systems.
I Speedy deployments and rollbacks.
Security certi-fier Mr Burns
I Auditable components.
I Least possible dependencies.
I Trades convenience for security.
c© 2015. Amazon Web Services, Inc. or its affiliates. All rights reserved.
4/31
Typical IT organizationRole What system?
Developer
I Cares only about the app.
I Familiar environment (POSIX API).
I Here’s a JAR, make this thing work.
I Hopefully prod matches dev.
Operator FredFlintstone
I Simple systems.
I Predictable systems.
I Speedy deployments and rollbacks.
Security certi-fier Mr Burns
I Auditable components.
I Least possible dependencies.
I Trades convenience for security.
c© 2015. Amazon Web Services, Inc. or its affiliates. All rights reserved.
4/31
Typical IT organizationRole What system?
Developer
I Cares only about the app.
I Familiar environment (POSIX API).
I Here’s a JAR, make this thing work.
I Hopefully prod matches dev.
Operator FredFlintstone
I Simple systems.
I Predictable systems.
I Speedy deployments and rollbacks.
Security certi-fier Mr Burns
I Auditable components.
I Least possible dependencies.
I Trades convenience for security.
c© 2015. Amazon Web Services, Inc. or its affiliates. All rights reserved.
4/31
Typical IT organizationRole What system?
Developer
I Cares only about the app.
I Familiar environment (POSIX API).
I Here’s a JAR, make this thing work.
I Hopefully prod matches dev.
Operator FredFlintstone
I Simple systems.
I Predictable systems.
I Speedy deployments and rollbacks.
Security certi-fier Mr Burns
I Auditable components.
I Least possible dependencies.
I Trades convenience for security.
c© 2015. Amazon Web Services, Inc. or its affiliates. All rights reserved.
4/31
Typical IT organizationRole What system?
Developer
I Cares only about the app.
I Familiar environment (POSIX API).
I Here’s a JAR, make this thing work.
I Hopefully prod matches dev.
Operator FredFlintstone
I Simple systems.
I Predictable systems.
I Speedy deployments and rollbacks.
Security certi-fier Mr Burns
I Auditable components.
I Least possible dependencies.
I Trades convenience for security.
c© 2015. Amazon Web Services, Inc. or its affiliates. All rights reserved.
4/31
Typical IT organizationRole What system?
Developer
I Cares only about the app.
I Familiar environment (POSIX API).
I Here’s a JAR, make this thing work.
I Hopefully prod matches dev.
Operator FredFlintstone
I Simple systems.
I Predictable systems.
I Speedy deployments and rollbacks.
Security certi-fier Mr Burns
I Auditable components.
I Least possible dependencies.
I Trades convenience for security.
c© 2015. Amazon Web Services, Inc. or its affiliates. All rights reserved.
5/31
How to deploy?Deployment Developer Operations Security
Mutable, full OS.
I Ansible/Chef/Puppet
I Adhoc shell scripts
I AWS Opsworks
Unhappy Unhappy Doesn’tcare
Immutable, full OS.
I Docker
I AMI per release
Happy Unhappy Doesn’tcare
Immutable, no OS.
I Unikernels
Happy Happy Happier
c© 2015. Amazon Web Services, Inc. or its affiliates. All rights reserved.
5/31
How to deploy?Deployment Developer Operations Security
Mutable, full OS.
I Ansible/Chef/Puppet
I Adhoc shell scripts
I AWS Opsworks
Unhappy Unhappy Doesn’tcare
Immutable, full OS.
I Docker
I AMI per release
Happy Unhappy Doesn’tcare
Immutable, no OS.
I Unikernels
Happy Happy Happier
c© 2015. Amazon Web Services, Inc. or its affiliates. All rights reserved.
5/31
How to deploy?Deployment Developer Operations Security
Mutable, full OS.
I Ansible/Chef/Puppet
I Adhoc shell scripts
I AWS Opsworks
Unhappy
Unhappy Doesn’tcare
Immutable, full OS.
I Docker
I AMI per release
Happy Unhappy Doesn’tcare
Immutable, no OS.
I Unikernels
Happy Happy Happier
c© 2015. Amazon Web Services, Inc. or its affiliates. All rights reserved.
5/31
How to deploy?Deployment Developer Operations Security
Mutable, full OS.
I Ansible/Chef/Puppet
I Adhoc shell scripts
I AWS Opsworks
Unhappy Unhappy
Doesn’tcare
Immutable, full OS.
I Docker
I AMI per release
Happy Unhappy Doesn’tcare
Immutable, no OS.
I Unikernels
Happy Happy Happier
c© 2015. Amazon Web Services, Inc. or its affiliates. All rights reserved.
5/31
How to deploy?Deployment Developer Operations Security
Mutable, full OS.
I Ansible/Chef/Puppet
I Adhoc shell scripts
I AWS Opsworks
Unhappy Unhappy Doesn’tcare
Immutable, full OS.
I Docker
I AMI per release
Happy Unhappy Doesn’tcare
Immutable, no OS.
I Unikernels
Happy Happy Happier
c© 2015. Amazon Web Services, Inc. or its affiliates. All rights reserved.
5/31
How to deploy?Deployment Developer Operations Security
Mutable, full OS.
I Ansible/Chef/Puppet
I Adhoc shell scripts
I AWS Opsworks
Unhappy Unhappy Doesn’tcare
Immutable, full OS.
I Docker
I AMI per release
Happy Unhappy Doesn’tcare
Immutable, no OS.
I Unikernels
Happy Happy Happier
c© 2015. Amazon Web Services, Inc. or its affiliates. All rights reserved.
5/31
How to deploy?Deployment Developer Operations Security
Mutable, full OS.
I Ansible/Chef/Puppet
I Adhoc shell scripts
I AWS Opsworks
Unhappy Unhappy Doesn’tcare
Immutable, full OS.
I Docker
I AMI per release
Happy
Unhappy Doesn’tcare
Immutable, no OS.
I Unikernels
Happy Happy Happier
c© 2015. Amazon Web Services, Inc. or its affiliates. All rights reserved.
5/31
How to deploy?Deployment Developer Operations Security
Mutable, full OS.
I Ansible/Chef/Puppet
I Adhoc shell scripts
I AWS Opsworks
Unhappy Unhappy Doesn’tcare
Immutable, full OS.
I Docker
I AMI per release
Happy Unhappy
Doesn’tcare
Immutable, no OS.
I Unikernels
Happy Happy Happier
c© 2015. Amazon Web Services, Inc. or its affiliates. All rights reserved.
5/31
How to deploy?Deployment Developer Operations Security
Mutable, full OS.
I Ansible/Chef/Puppet
I Adhoc shell scripts
I AWS Opsworks
Unhappy Unhappy Doesn’tcare
Immutable, full OS.
I Docker
I AMI per release
Happy Unhappy Doesn’tcare
Immutable, no OS.
I Unikernels
Happy Happy Happier
c© 2015. Amazon Web Services, Inc. or its affiliates. All rights reserved.
5/31
How to deploy?Deployment Developer Operations Security
Mutable, full OS.
I Ansible/Chef/Puppet
I Adhoc shell scripts
I AWS Opsworks
Unhappy Unhappy Doesn’tcare
Immutable, full OS.
I Docker
I AMI per release
Happy Unhappy Doesn’tcare
Immutable, no OS.
I Unikernels
Happy Happy Happier
c© 2015. Amazon Web Services, Inc. or its affiliates. All rights reserved.
5/31
How to deploy?Deployment Developer Operations Security
Mutable, full OS.
I Ansible/Chef/Puppet
I Adhoc shell scripts
I AWS Opsworks
Unhappy Unhappy Doesn’tcare
Immutable, full OS.
I Docker
I AMI per release
Happy Unhappy Doesn’tcare
Immutable, no OS.
I Unikernels
Happy
Happy Happier
c© 2015. Amazon Web Services, Inc. or its affiliates. All rights reserved.
5/31
How to deploy?Deployment Developer Operations Security
Mutable, full OS.
I Ansible/Chef/Puppet
I Adhoc shell scripts
I AWS Opsworks
Unhappy Unhappy Doesn’tcare
Immutable, full OS.
I Docker
I AMI per release
Happy Unhappy Doesn’tcare
Immutable, no OS.
I Unikernels
Happy Happy
Happier
c© 2015. Amazon Web Services, Inc. or its affiliates. All rights reserved.
5/31
How to deploy?Deployment Developer Operations Security
Mutable, full OS.
I Ansible/Chef/Puppet
I Adhoc shell scripts
I AWS Opsworks
Unhappy Unhappy Doesn’tcare
Immutable, full OS.
I Docker
I AMI per release
Happy Unhappy Doesn’tcare
Immutable, no OS.
I Unikernels
Happy Happy Happier
c© 2015. Amazon Web Services, Inc. or its affiliates. All rights reserved.
6/31
Table of ContentsIntroduction
Roles of an IT organizationHow to deploy?
Meat of UnikernelsLook ma, no OSWhat’s in a unikernel?Performance benefitsSecurity benefits
Unikernel examplesWhat’s next?
Unmodified applications firstLocal demoIn Amazon EC2
SummaryThanksc© 2015. Amazon Web Services, Inc. or its affiliates. All rights reserved.
7/31
Unikernel - Library OS
Traditional VM Unikernel
Configuration files
Application code
Language runtime
User processes
Kernel threads
File System
Network stack
Hypervisor, x86
Application code
Language runtime
Unikernel runtime
c© 2015. Amazon Web Services, Inc. or its affiliates. All rights reserved.
7/31
Unikernel - Library OS
Traditional VM Unikernel
Configuration files
Application code
Language runtime
User processes
Kernel threads
File System
Network stack
Hypervisor, x86
Application code
Language runtime
Unikernel runtime
c© 2015. Amazon Web Services, Inc. or its affiliates. All rights reserved.
7/31
Unikernel - Library OS
Traditional VM Unikernel
Configuration files
Application code
Language runtime
User processes
Kernel threads
File System
Network stack
Hypervisor, x86
Application code
Language runtime
Unikernel runtime
c© 2015. Amazon Web Services, Inc. or its affiliates. All rights reserved.
7/31
Unikernel - Library OS
Traditional VM Unikernel
Configuration files
Application code
Language runtime
User processes
Kernel threads
File System
Network stack
Hypervisor, x86
Application code
Language runtime
Unikernel runtime
c© 2015. Amazon Web Services, Inc. or its affiliates. All rights reserved.
7/31
Unikernel - Library OS
Traditional VM Unikernel
Configuration files
Application code
Language runtime
User processes
Kernel threads
File System
Network stack
Hypervisor, x86
Application code
Language runtime
Unikernel runtime
c© 2015. Amazon Web Services, Inc. or its affiliates. All rights reserved.
7/31
Unikernel - Library OS
Traditional VM Unikernel
Configuration files
Application code
Language runtime
User processes
Kernel threads
File System
Network stack
Hypervisor, x86
Application code
Language runtime
Unikernel runtime
c© 2015. Amazon Web Services, Inc. or its affiliates. All rights reserved.
7/31
Unikernel - Library OS
Traditional VM Unikernel
Configuration files
Application code
Language runtime
User processes
Kernel threads
File System
Network stack
Hypervisor, x86
Application code
Language runtime
Unikernel runtime
c© 2015. Amazon Web Services, Inc. or its affiliates. All rights reserved.
7/31
Unikernel - Library OS
Traditional VM Unikernel
Configuration files
Application code
Language runtime
User processes
Kernel threads
File System
Network stack
Hypervisor, x86
Application code
Language runtime
Unikernel runtime
c© 2015. Amazon Web Services, Inc. or its affiliates. All rights reserved.
7/31
Unikernel - Library OS
Traditional VM Unikernel
Configuration files
Application code
Language runtime
User processes
Kernel threads
File System
Network stack
Hypervisor, x86
Application code
Language runtime
Unikernel runtime
c© 2015. Amazon Web Services, Inc. or its affiliates. All rights reserved.
7/31
Unikernel - Library OS
Traditional VM Unikernel
Configuration files
Application code
Language runtime
User processes
Kernel threads
File System
Network stack
Hypervisor, x86
Application code
Language runtime
Unikernel runtime
c© 2015. Amazon Web Services, Inc. or its affiliates. All rights reserved.
7/31
Unikernel - Library OS
Traditional VM Unikernel
Configuration files
Application code
Language runtime
User processes
Kernel threads
File System
Network stack
Hypervisor, x86
Application code
Language runtime
Unikernel runtime
c© 2015. Amazon Web Services, Inc. or its affiliates. All rights reserved.
7/31
Unikernel - Library OS
Traditional VM Unikernel
Configuration files
Application code
Language runtime
User processes
Kernel threads
File System
Network stack
Hypervisor, x86
Application code
Language runtime
Unikernel runtime
c© 2015. Amazon Web Services, Inc. or its affiliates. All rights reserved.
7/31
Unikernel - Library OS
Traditional VM Unikernel
Configuration files
Application code
Language runtime
User processes
Kernel threads
File System
Network stack
Hypervisor, x86
Application code
Language runtime
Unikernel runtime
c© 2015. Amazon Web Services, Inc. or its affiliates. All rights reserved.
7/31
Unikernel - Library OS
Traditional VM Unikernel
Configuration files
Application code
Language runtime
User processes
Kernel threads
File System
Network stack
Hypervisor, x86
Application code
Language runtime
Unikernel runtime
c© 2015. Amazon Web Services, Inc. or its affiliates. All rights reserved.
8/31
IntroductionRoles of an IT organizationHow to deploy?
Meat of UnikernelsLook ma, no OSWhat’s in a unikernel?Performance benefitsSecurity benefits
Unikernel examples
What’s next?Unmodified applications firstLocal demoIn Amazon EC2
Summary
Thanksc© 2015. Amazon Web Services, Inc. or its affiliates. All rights reserved.
8/31
Unikernel has:
I One process, N threads.
I Haha! no context switches.
I API for doing network and IO.
I Possibly application runtime:
c© 2015. Amazon Web Services, Inc. or its affiliates. All rights reserved.
8/31
Unikernel has:
I One process, N threads.I Haha! no context switches.
I API for doing network and IO.
I Possibly application runtime:
c© 2015. Amazon Web Services, Inc. or its affiliates. All rights reserved.
8/31
Unikernel has:
I One process, N threads.I Haha! no context switches.
I API for doing network and IO.
I Possibly application runtime:
c© 2015. Amazon Web Services, Inc. or its affiliates. All rights reserved.
8/31
Unikernel has:
I One process, N threads.I Haha! no context switches.
I API for doing network and IO.
I Possibly application runtime:
c© 2015. Amazon Web Services, Inc. or its affiliates. All rights reserved.
8/31
Unikernel has:
I One process, N threads.I Haha! no context switches.
I API for doing network and IO.
I Possibly application runtime:
c© 2015. Amazon Web Services, Inc. or its affiliates. All rights reserved.
9/31
Where does performance come from?
Traditional style
NIC memory
kernel memory
interrupt
application memory
read()
Unikernel style
NIC memory
unikernel memory
interrupt
is application memory
(Developer happy)
c© 2015. Amazon Web Services, Inc. or its affiliates. All rights reserved.
9/31
Where does performance come from?
Traditional style
NIC memory
kernel memory
interrupt
application memory
read()
Unikernel style
NIC memory
unikernel memory
interrupt
is application memory
(Developer happy)
c© 2015. Amazon Web Services, Inc. or its affiliates. All rights reserved.
9/31
Where does performance come from?
Traditional style
NIC memory
kernel memory
interrupt
application memory
read()
Unikernel style
NIC memory
unikernel memory
interrupt
is application memory
(Developer happy)
c© 2015. Amazon Web Services, Inc. or its affiliates. All rights reserved.
9/31
Where does performance come from?
Traditional style
NIC memory
kernel memory
interrupt
application memory
read()
Unikernel style
NIC memory
unikernel memory
interrupt
is application memory
(Developer happy)
c© 2015. Amazon Web Services, Inc. or its affiliates. All rights reserved.
9/31
Where does performance come from?
Traditional style
NIC memory
kernel memory
interrupt
application memory
read()
Unikernel style
NIC memory
unikernel memory
interrupt
is application memory
(Developer happy)
c© 2015. Amazon Web Services, Inc. or its affiliates. All rights reserved.
9/31
Where does performance come from?
Traditional style
NIC memory
kernel memory
interrupt
application memory
read()
Unikernel style
NIC memory
unikernel memory
interrupt
is application memory
(Developer happy)
c© 2015. Amazon Web Services, Inc. or its affiliates. All rights reserved.
9/31
Where does performance come from?
Traditional style
NIC memory
kernel memory
interrupt
application memory
read()
Unikernel style
NIC memory
unikernel memory
interrupt
is application memory
(Developer happy)
c© 2015. Amazon Web Services, Inc. or its affiliates. All rights reserved.
9/31
Where does performance come from?
Traditional style
NIC memory
kernel memory
interrupt
application memory
read()
Unikernel style
NIC memory
unikernel memory
interrupt
is application memory
(Developer happy)
c© 2015. Amazon Web Services, Inc. or its affiliates. All rights reserved.
9/31
Where does performance come from?
Traditional style
NIC memory
kernel memory
interrupt
application memory
read()
Unikernel style
NIC memory
unikernel memory
interrupt
is application memory
(Developer happy)
c© 2015. Amazon Web Services, Inc. or its affiliates. All rights reserved.
10/31
IntroductionRoles of an IT organizationHow to deploy?
Meat of UnikernelsLook ma, no OSWhat’s in a unikernel?Performance benefitsSecurity benefits
Unikernel examples
What’s next?Unmodified applications firstLocal demoIn Amazon EC2
Summary
Thanksc© 2015. Amazon Web Services, Inc. or its affiliates. All rights reserved.
10/31
Security
I Reduced attack surface area.
I No unneeded kernel modules.I No Perl, shell...I Exploited environment is barely usable to useless.
I Some: language is type-safe.
I Some: can do 1 VM per request.
Happy Mr Burns
c© 2015. Amazon Web Services, Inc. or its affiliates. All rights reserved.
10/31
Security
I Reduced attack surface area.I No unneeded kernel modules.
I No Perl, shell...I Exploited environment is barely usable to useless.
I Some: language is type-safe.
I Some: can do 1 VM per request.
Happy Mr Burns
c© 2015. Amazon Web Services, Inc. or its affiliates. All rights reserved.
10/31
Security
I Reduced attack surface area.I No unneeded kernel modules.I No Perl, shell...
I Exploited environment is barely usable to useless.
I Some: language is type-safe.
I Some: can do 1 VM per request.
Happy Mr Burns
c© 2015. Amazon Web Services, Inc. or its affiliates. All rights reserved.
10/31
Security
I Reduced attack surface area.I No unneeded kernel modules.I No Perl, shell...I Exploited environment is barely usable to useless.
I Some: language is type-safe.
I Some: can do 1 VM per request.
Happy Mr Burns
c© 2015. Amazon Web Services, Inc. or its affiliates. All rights reserved.
10/31
Security
I Reduced attack surface area.I No unneeded kernel modules.I No Perl, shell...I Exploited environment is barely usable to useless.
I Some: language is type-safe.
I Some: can do 1 VM per request.
Happy Mr Burns
c© 2015. Amazon Web Services, Inc. or its affiliates. All rights reserved.
10/31
Security
I Reduced attack surface area.I No unneeded kernel modules.I No Perl, shell...I Exploited environment is barely usable to useless.
I Some: language is type-safe.
I Some: can do 1 VM per request.
Happy Mr Burns
c© 2015. Amazon Web Services, Inc. or its affiliates. All rights reserved.
10/31
Security
I Reduced attack surface area.I No unneeded kernel modules.I No Perl, shell...I Exploited environment is barely usable to useless.
I Some: language is type-safe.
I Some: can do 1 VM per request.
Happy Mr Burns
c© 2015. Amazon Web Services, Inc. or its affiliates. All rights reserved.
11/31
Why only in 2013?
Virtualization provides uniform APIs for networkand I/O.
E.g. virtio for KVM, netfront/netback for Xen.
I Small set of drivers to implement.
I Makes it economic to create unikernels.
c© 2015. Amazon Web Services, Inc. or its affiliates. All rights reserved.
11/31
Why only in 2013?
Virtualization provides uniform APIs for networkand I/O.E.g. virtio for KVM, netfront/netback for Xen.
I Small set of drivers to implement.
I Makes it economic to create unikernels.
c© 2015. Amazon Web Services, Inc. or its affiliates. All rights reserved.
12/31
Table of ContentsIntroduction
Roles of an IT organizationHow to deploy?
Meat of UnikernelsLook ma, no OSWhat’s in a unikernel?Performance benefitsSecurity benefits
Unikernel examplesWhat’s next?
Unmodified applications firstLocal demoIn Amazon EC2
SummaryThanksc© 2015. Amazon Web Services, Inc. or its affiliates. All rights reserved.
13/31
Classification
Niche : highly optimizedapplications/frameworks.
Generic : general-purpose applications:
Fat : yes POSIX. Compatible.Lean : no POSIX. Needs rewrite.
c© 2015. Amazon Web Services, Inc. or its affiliates. All rights reserved.
13/31
Classification
Niche : highly optimizedapplications/frameworks.
Generic : general-purpose applications:
Fat : yes POSIX. Compatible.Lean : no POSIX. Needs rewrite.
c© 2015. Amazon Web Services, Inc. or its affiliates. All rights reserved.
13/31
Classification
Niche : highly optimizedapplications/frameworks.
Generic : general-purpose applications:
Fat : yes POSIX. Compatible.Lean : no POSIX. Needs rewrite.
c© 2015. Amazon Web Services, Inc. or its affiliates. All rights reserved.
13/31
Classification
Niche : highly optimizedapplications/frameworks.
Generic : general-purpose applications:
Fat : yes POSIX. Compatible.
Lean : no POSIX. Needs rewrite.
c© 2015. Amazon Web Services, Inc. or its affiliates. All rights reserved.
13/31
Classification
Niche : highly optimizedapplications/frameworks.
Generic : general-purpose applications:
Fat : yes POSIX. Compatible.Lean : no POSIX. Needs rewrite.
c© 2015. Amazon Web Services, Inc. or its affiliates. All rights reserved.
14/31
Mirage OS
Generic lean.
I OCaml-only.
I ⇒ type-safe throughout the stack.
I VM boot time < 10ms
I ⇒ VM per request (inetd-like).
I ⇒ security and economy.
I Typical image sizes: 100s of KB.
Typical application: web services, data processing.
c© 2015. Amazon Web Services, Inc. or its affiliates. All rights reserved.
14/31
Mirage OS
Generic lean.
I OCaml-only.
I ⇒ type-safe throughout the stack.
I VM boot time < 10ms
I ⇒ VM per request (inetd-like).
I ⇒ security and economy.
I Typical image sizes: 100s of KB.
Typical application: web services, data processing.
c© 2015. Amazon Web Services, Inc. or its affiliates. All rights reserved.
14/31
Mirage OS
Generic lean.
I OCaml-only.
I ⇒ type-safe throughout the stack.
I VM boot time < 10ms
I ⇒ VM per request (inetd-like).
I ⇒ security and economy.
I Typical image sizes: 100s of KB.
Typical application: web services, data processing.
c© 2015. Amazon Web Services, Inc. or its affiliates. All rights reserved.
14/31
Mirage OS
Generic lean.
I OCaml-only.
I ⇒ type-safe throughout the stack.
I VM boot time < 10ms
I ⇒ VM per request (inetd-like).
I ⇒ security and economy.
I Typical image sizes: 100s of KB.
Typical application: web services, data processing.
c© 2015. Amazon Web Services, Inc. or its affiliates. All rights reserved.
14/31
Mirage OS
Generic lean.
I OCaml-only.
I ⇒ type-safe throughout the stack.
I VM boot time < 10ms
I ⇒ VM per request (inetd-like).
I ⇒ security and economy.
I Typical image sizes: 100s of KB.
Typical application: web services, data processing.
c© 2015. Amazon Web Services, Inc. or its affiliates. All rights reserved.
14/31
Mirage OS
Generic lean.
I OCaml-only.
I ⇒ type-safe throughout the stack.
I VM boot time < 10ms
I ⇒ VM per request (inetd-like).
I ⇒ security and economy.
I Typical image sizes: 100s of KB.
Typical application: web services, data processing.
c© 2015. Amazon Web Services, Inc. or its affiliates. All rights reserved.
14/31
Mirage OS
Generic lean.
I OCaml-only.
I ⇒ type-safe throughout the stack.
I VM boot time < 10ms
I ⇒ VM per request (inetd-like).
I ⇒ security and economy.
I Typical image sizes: 100s of KB.
Typical application: web services, data processing.
c© 2015. Amazon Web Services, Inc. or its affiliates. All rights reserved.
14/31
Mirage OS
Generic lean.
I OCaml-only.
I ⇒ type-safe throughout the stack.
I VM boot time < 10ms
I ⇒ VM per request (inetd-like).
I ⇒ security and economy.
I Typical image sizes: 100s of KB.
Typical application: web services, data processing.
c© 2015. Amazon Web Services, Inc. or its affiliates. All rights reserved.
15/31
OSv
Generic Fat.
I Linux ABIs.I Bonus: fast APIs.
I reported significant throughput increases onmemcached.
I Memory allocation tuning:
I JVM.I Memcached.I OOM Killer Manager!
I Subsecond boot times.
Typical application: web services, data processing.
c© 2015. Amazon Web Services, Inc. or its affiliates. All rights reserved.
15/31
OSv
Generic Fat.
I Linux ABIs.
I Bonus: fast APIs.
I reported significant throughput increases onmemcached.
I Memory allocation tuning:
I JVM.I Memcached.I OOM Killer Manager!
I Subsecond boot times.
Typical application: web services, data processing.
c© 2015. Amazon Web Services, Inc. or its affiliates. All rights reserved.
15/31
OSv
Generic Fat.
I Linux ABIs.I Bonus: fast APIs.
I reported significant throughput increases onmemcached.
I Memory allocation tuning:
I JVM.I Memcached.I OOM Killer Manager!
I Subsecond boot times.
Typical application: web services, data processing.
c© 2015. Amazon Web Services, Inc. or its affiliates. All rights reserved.
15/31
OSv
Generic Fat.
I Linux ABIs.I Bonus: fast APIs.
I reported significant throughput increases onmemcached.
I Memory allocation tuning:
I JVM.I Memcached.I OOM Killer Manager!
I Subsecond boot times.
Typical application: web services, data processing.
c© 2015. Amazon Web Services, Inc. or its affiliates. All rights reserved.
15/31
OSv
Generic Fat.
I Linux ABIs.I Bonus: fast APIs.
I reported significant throughput increases onmemcached.
I Memory allocation tuning:
I JVM.I Memcached.I OOM Killer Manager!
I Subsecond boot times.
Typical application: web services, data processing.
c© 2015. Amazon Web Services, Inc. or its affiliates. All rights reserved.
15/31
OSv
Generic Fat.
I Linux ABIs.I Bonus: fast APIs.
I reported significant throughput increases onmemcached.
I Memory allocation tuning:I JVM.
I Memcached.I OOM Killer Manager!
I Subsecond boot times.
Typical application: web services, data processing.
c© 2015. Amazon Web Services, Inc. or its affiliates. All rights reserved.
15/31
OSv
Generic Fat.
I Linux ABIs.I Bonus: fast APIs.
I reported significant throughput increases onmemcached.
I Memory allocation tuning:I JVM.I Memcached.
I OOM Killer Manager!
I Subsecond boot times.
Typical application: web services, data processing.
c© 2015. Amazon Web Services, Inc. or its affiliates. All rights reserved.
15/31
OSv
Generic Fat.
I Linux ABIs.I Bonus: fast APIs.
I reported significant throughput increases onmemcached.
I Memory allocation tuning:I JVM.I Memcached.I OOM Killer Manager!
I Subsecond boot times.
Typical application: web services, data processing.
c© 2015. Amazon Web Services, Inc. or its affiliates. All rights reserved.
15/31
OSv
Generic Fat.
I Linux ABIs.I Bonus: fast APIs.
I reported significant throughput increases onmemcached.
I Memory allocation tuning:I JVM.I Memcached.I OOM Killer Manager!
I Subsecond boot times.
Typical application: web services, data processing.
c© 2015. Amazon Web Services, Inc. or its affiliates. All rights reserved.
15/31
OSv
Generic Fat.
I Linux ABIs.I Bonus: fast APIs.
I reported significant throughput increases onmemcached.
I Memory allocation tuning:I JVM.I Memcached.I OOM Killer Manager!
I Subsecond boot times.
Typical application: web services, data processing.
c© 2015. Amazon Web Services, Inc. or its affiliates. All rights reserved.
16/31Image source: http://osv.io/benchmarks/c© 2015. Amazon Web Services, Inc. or its affiliates. All rights reserved.
17/31
ClickOS
Niche.Optimized for network middleboxes:
I Firewalls.
I Intrusion Detection Systems.
I Load Balancers.
Fun fact: Xen network optimization to the extreme.
c© 2015. Amazon Web Services, Inc. or its affiliates. All rights reserved.
17/31
ClickOS
Niche.
Optimized for network middleboxes:
I Firewalls.
I Intrusion Detection Systems.
I Load Balancers.
Fun fact: Xen network optimization to the extreme.
c© 2015. Amazon Web Services, Inc. or its affiliates. All rights reserved.
17/31
ClickOS
Niche.Optimized for network middleboxes:
I Firewalls.
I Intrusion Detection Systems.
I Load Balancers.
Fun fact: Xen network optimization to the extreme.
c© 2015. Amazon Web Services, Inc. or its affiliates. All rights reserved.
17/31
ClickOS
Niche.Optimized for network middleboxes:
I Firewalls.
I Intrusion Detection Systems.
I Load Balancers.
Fun fact: Xen network optimization to the extreme.
c© 2015. Amazon Web Services, Inc. or its affiliates. All rights reserved.
17/31
ClickOS
Niche.Optimized for network middleboxes:
I Firewalls.
I Intrusion Detection Systems.
I Load Balancers.
Fun fact: Xen network optimization to the extreme.
c© 2015. Amazon Web Services, Inc. or its affiliates. All rights reserved.
17/31
ClickOS
Niche.Optimized for network middleboxes:
I Firewalls.
I Intrusion Detection Systems.
I Load Balancers.
Fun fact: Xen network optimization to the extreme.
c© 2015. Amazon Web Services, Inc. or its affiliates. All rights reserved.
17/31
ClickOS
Niche.Optimized for network middleboxes:
I Firewalls.
I Intrusion Detection Systems.
I Load Balancers.
Fun fact: Xen network optimization to the extreme.
c© 2015. Amazon Web Services, Inc. or its affiliates. All rights reserved.
18/31
Table of ContentsIntroduction
Roles of an IT organizationHow to deploy?
Meat of UnikernelsLook ma, no OSWhat’s in a unikernel?Performance benefitsSecurity benefits
Unikernel examplesWhat’s next?
Unmodified applications firstLocal demoIn Amazon EC2
SummaryThanksc© 2015. Amazon Web Services, Inc. or its affiliates. All rights reserved.
19/31
What do we do next?
Nobody likes rewrites.
Take platforms (JVM, Erlang) and run unmodifiedapps.
I Fully immutable.
I Faster deployment and rollbacks.
I Smaller attack surface.
c© 2015. Amazon Web Services, Inc. or its affiliates. All rights reserved.
19/31
What do we do next?
Nobody likes rewrites.Take platforms (JVM, Erlang) and run unmodifiedapps.
I Fully immutable.
I Faster deployment and rollbacks.
I Smaller attack surface.
c© 2015. Amazon Web Services, Inc. or its affiliates. All rights reserved.
19/31
What do we do next?
Nobody likes rewrites.Take platforms (JVM, Erlang) and run unmodifiedapps.
I Fully immutable.
I Faster deployment and rollbacks.
I Smaller attack surface.
c© 2015. Amazon Web Services, Inc. or its affiliates. All rights reserved.
19/31
What do we do next?
Nobody likes rewrites.Take platforms (JVM, Erlang) and run unmodifiedapps.
I Fully immutable.
I Faster deployment and rollbacks.
I Smaller attack surface.
c© 2015. Amazon Web Services, Inc. or its affiliates. All rights reserved.
20/31
Local demo
Contents:
I Take a JVM/Spring application.
I Demo on standard Linux.
I Generate the unikernel.
I Run that unikernel locally.
Takeaways:
I Small image size.
I Trivial to implement.
c© 2015. Amazon Web Services, Inc. or its affiliates. All rights reserved.
20/31
Local demo
Contents:
I Take a JVM/Spring application.
I Demo on standard Linux.
I Generate the unikernel.
I Run that unikernel locally.
Takeaways:
I Small image size.
I Trivial to implement.
c© 2015. Amazon Web Services, Inc. or its affiliates. All rights reserved.
20/31
Local demo
Contents:
I Take a JVM/Spring application.
I Demo on standard Linux.
I Generate the unikernel.
I Run that unikernel locally.
Takeaways:
I Small image size.
I Trivial to implement.
c© 2015. Amazon Web Services, Inc. or its affiliates. All rights reserved.
20/31
Local demo
Contents:
I Take a JVM/Spring application.
I Demo on standard Linux.
I Generate the unikernel.
I Run that unikernel locally.
Takeaways:
I Small image size.
I Trivial to implement.
c© 2015. Amazon Web Services, Inc. or its affiliates. All rights reserved.
20/31
Local demo
Contents:
I Take a JVM/Spring application.
I Demo on standard Linux.
I Generate the unikernel.
I Run that unikernel locally.
Takeaways:
I Small image size.
I Trivial to implement.
c© 2015. Amazon Web Services, Inc. or its affiliates. All rights reserved.
20/31
Local demo
Contents:
I Take a JVM/Spring application.
I Demo on standard Linux.
I Generate the unikernel.
I Run that unikernel locally.
Takeaways:
I Small image size.
I Trivial to implement.
c© 2015. Amazon Web Services, Inc. or its affiliates. All rights reserved.
20/31
Local demo
Contents:
I Take a JVM/Spring application.
I Demo on standard Linux.
I Generate the unikernel.
I Run that unikernel locally.
Takeaways:
I Small image size.
I Trivial to implement.
c© 2015. Amazon Web Services, Inc. or its affiliates. All rights reserved.
21/31
Running in Amazon EC2
To create a VM image in AWS, do:
% qemu-img convert -f qcow2 -O raw 3.qemu 3.raw
% ./release-ec2.sh \
--override-image 3.raw \
--override-version 3 \
--region us-east-1
c© 2015. Amazon Web Services, Inc. or its affiliates. All rights reserved.
22/31
AMI in EC2
c© 2015. Amazon Web Services, Inc. or its affiliates. All rights reserved.
23/31
AMI in EC2
c© 2015. Amazon Web Services, Inc. or its affiliates. All rights reserved.
24/31
Running OSv in EC2
c© 2015. Amazon Web Services, Inc. or its affiliates. All rights reserved.
25/31
Try it out
I Run your unikernel in Free Tier right now.
I t2.micro - $0/month for 1 year.
c© 2015. Amazon Web Services, Inc. or its affiliates. All rights reserved.
25/31
Try it out
I Run your unikernel in Free Tier right now.
I t2.micro - $0/month for 1 year.
c© 2015. Amazon Web Services, Inc. or its affiliates. All rights reserved.
26/31
Table of ContentsIntroduction
Roles of an IT organizationHow to deploy?
Meat of UnikernelsLook ma, no OSWhat’s in a unikernel?Performance benefitsSecurity benefits
Unikernel examplesWhat’s next?
Unmodified applications firstLocal demoIn Amazon EC2
SummaryThanksc© 2015. Amazon Web Services, Inc. or its affiliates. All rights reserved.
27/31
Summary
Library OS: OS embedded to your application.
I Small ⇒ scale quickly.
I Very efficient ⇒ economic.
I Reduced attack surface.
I Runs on public clouds: ⇒ try on EC2, for free.
c© 2015. Amazon Web Services, Inc. or its affiliates. All rights reserved.
27/31
Summary
Library OS: OS embedded to your application.
I Small ⇒ scale quickly.
I Very efficient ⇒ economic.
I Reduced attack surface.
I Runs on public clouds: ⇒ try on EC2, for free.
c© 2015. Amazon Web Services, Inc. or its affiliates. All rights reserved.
27/31
Summary
Library OS: OS embedded to your application.
I Small ⇒ scale quickly.
I Very efficient ⇒ economic.
I Reduced attack surface.
I Runs on public clouds: ⇒ try on EC2, for free.
c© 2015. Amazon Web Services, Inc. or its affiliates. All rights reserved.
27/31
Summary
Library OS: OS embedded to your application.
I Small ⇒ scale quickly.
I Very efficient ⇒ economic.
I Reduced attack surface.
I Runs on public clouds: ⇒ try on EC2, for free.
c© 2015. Amazon Web Services, Inc. or its affiliates. All rights reserved.
27/31
Summary
Library OS: OS embedded to your application.
I Small ⇒ scale quickly.
I Very efficient ⇒ economic.
I Reduced attack surface.
I Runs on public clouds: ⇒ try on EC2, for free.
c© 2015. Amazon Web Services, Inc. or its affiliates. All rights reserved.
28/31
Table of ContentsIntroduction
Roles of an IT organizationHow to deploy?
Meat of UnikernelsLook ma, no OSWhat’s in a unikernel?Performance benefitsSecurity benefits
Unikernel examplesWhat’s next?
Unmodified applications firstLocal demoIn Amazon EC2
SummaryThanksc© 2015. Amazon Web Services, Inc. or its affiliates. All rights reserved.
29/31
Thanks
I Niels Brouwers (Amazon) for the right tools.
I Russel Pavlicek (Citrix) for spreading the word.
c© 2015. Amazon Web Services, Inc. or its affiliates. All rights reserved.
30/31
We’re hiring!
I Check out amazon.jobs
I Also, contact me at [email protected]
c© 2015. Amazon Web Services, Inc. or its affiliates. All rights reserved.
31/31
QA
c© 2015. Amazon Web Services, Inc. or its affiliates. All rights reserved.
