Unikernels and Cloud Computing
Transcript of Unikernels and Cloud Computing
Unikernels
Sinan KÖRDEMİR
AGENDA
Hypervisor
Container
What is Unikernel
How it works
Why & Why not
Different Approaches of Unikernels
Unikernel Security
In short, a hypervisor can be defined as a virtual machine manager.
It is a program that allows multiple operating systems to share a single hardware host. Each operating system appears to have the host's processor, memory, and other resources all to itself. However, the hypervisor is actually controlling the host processor and resources, allocating what is needed to each operating system in turn and making sure that the guest operating systems (called virtual machines) cannot disrupt each other.
Hypervisor
Containers-as-a-service is a type of infrastructure-as-a-service specifically geared toward efficiently running a single application.
A container is a form of operating-system virtualization that is more efficient than typical hardware virtualization. It provides the computing resources needed to run an application as if it were the only application running in the operating system.
Container
A container is an isolated process. Thus, conceptually a container is like a VM in that it thinks it's the only show in town.
A container leverages the operating system of the host computer. Hence, there is no mixing and matching: you cannot have a Windows host computer running a Linux container.
Hypervisor vs Container
Unlike a VM, a container does not run a complete instance or image of an operating system, with kernels, drivers, and shared libraries.
Instead, an entire stack of containers, whether dozens, hundreds or even thousands, can run on top of a single instance of the host operating system, in a tiny fraction of the footprint of a comparable VM running the same application.
In short, a unikernel can be defined as a library operating system.
Unikernels are single-purpose appliances that are compile-time specialised into standalone kernels and sealed against modification when deployed to a cloud platform.
What is Unikernel
Problems with the traditional stack:
More layers, tricky configuration
Duplication, inefficiency
Large sizes, long boot times
More stuff, larger attack surface
Code you want to run
+ Operating system libraries
= Standalone unikernel
A unikernel is a compiled binary that sits directly on the machine's hypervisor.
A unikernel compiles your source code into a custom operating system that includes only the functionality required by your application logic. That makes it small, fast and secure.
How it works
Unikernels provide all the advantages of virtual machines (VMs) and containers.
Unikernels have considerably lower overhead, which could lead to more agile and lower-cost cloud computing.
The small size of unikernels means that apps can be moved around faster and more cost-effectively, considering that network bandwidth doesn't come cheaply in the cloud.
Extremely fast startup
More flexible infrastructure
Single-purpose appliances
Greater latitude to respond to the needs of the moment
There is just enough code to make the application run
Why & Why not?
WHY
Unikernels offer a significant reduction in image sizes, improved efficiency and security, and should reduce operational costs:
Reduced memory footprint
Greatly reduced need for disk space
Faster load times
Lower latencies
Reduced attack surface
WHY NOT
If your application needs a lot of disk space and processor time, unikernels won't give you much.
There is a lot of software for other operating systems, but if you use unikernels, you have to write your own libraries.
The "shared kernel" strategy has its weakest link in that "shared kernel" itself.
DIFFERENT APPROACHES TO CONSTRUCT UNIKERNELS
There are different approaches to constructing unikernels.
Approach Name   Focus on
ClickOS         Speed (boots under 30ms); tiny agile virtual machines for network processing
HaLVM           Safety and security
LING            Speed (boots under 100ms)
MirageOS        Safety and security
Rump Kernels    Compatibility with legacy software
OSv             Compatibility with legacy software
Linux, as well as Linux containers and Docker images, relies on a fairly heavyweight core OS to provide critical services. Because of this, a vulnerability in the Linux kernel affects every Linux container.
Unikernels include only the minimal functionality and systems needed to run an application or service, all of which makes writing an exploit to attack them much more difficult.
Unikernel Security
Unikernels benefit from the strong isolation guarantees of hardware virtualization and a trusted computing base that is orders of magnitude smaller than that of container technologies.
There is no shell, you cannot exec() a new process, and you don't even need to include a full TCP stack. So there is very little that exploit code can do to gain a permanent foothold in the system.
Unikernels allow for the careful management of particularly critical portions of an organization's data and processing needs.
While it does take some extra work, it's getting easier every day as more developers work on solving challenges with orchestration, logging and monitoring.
THANKS