Unikernels and Cloud Computing


Transcript of Unikernels and Cloud Computing

Page 1: Unikernels and Cloud Computing

Unikernels

Sinan KÖRDEMİR

Page 2: Unikernels and Cloud Computing

AGENDA

Hypervisor
Container
What is Unikernel
How it works
Why & Why not
Different Approaches of Unikernels
Unikernel Security

Page 3: Unikernels and Cloud Computing

In short, a hypervisor can be defined as a virtual machine manager.

A hypervisor is a program that allows multiple operating systems to share a single hardware host. Each operating system appears to have the host's processor, memory, and other resources all to itself. However, the hypervisor is actually controlling the host processor and resources, allocating what is needed to each operating system in turn and making sure that the guest operating systems (called virtual machines) cannot disrupt each other.

Hypervisor

Page 4: Unikernels and Cloud Computing

Hypervisor

Page 5: Unikernels and Cloud Computing

Containers-as-a-service is a type of infrastructure-as-a-service specifically geared toward efficiently running a single application.

A container is a form of operating system virtualization that is more efficient than typical hardware virtualization. It provides the computing resources needed to run an application as if it were the only application running on the operating system.

Container

Page 6: Unikernels and Cloud Computing

A container is an isolated process. Conceptually, a container is therefore like a VM in that it thinks it is the only show in town.

A container leverages the operating system kernel of the host computer, so there is no mixing and matching: you cannot have a Windows host computer running a Linux container.

Container

Page 7: Unikernels and Cloud Computing

Hypervisor vs Container

Unlike a VM, a container does not run a complete instance or image of an operating system, with its own kernel, drivers, and shared libraries.

Instead, an entire stack of containers, whether dozens, hundreds or even thousands, can run on top of a single instance of the host operating system, in a tiny fraction of the footprint of a comparable VM running the same application.

Page 8: Unikernels and Cloud Computing

In short, a unikernel can be defined as a library operating system.

Unikernels are single-purpose appliances that are compile-time specialised into standalone kernels and sealed against modification when deployed to a cloud platform.

What is Unikernel

Problems with the traditional stack:
More layers
Tricky configuration
Duplication, inefficiency
Large sizes, long boot times
More stuff, larger attack surface

Page 9: Unikernels and Cloud Computing

Code you want to run + Operating System libraries = Standalone unikernel

What is Unikernel

A unikernel is a compiled binary that sits directly on the machine's hypervisor.

A unikernel toolchain compiles your source code into a custom operating system that includes only the functionality required by your application logic. That makes it small, fast and secure.

How it works

Page 10: Unikernels and Cloud Computing

Unikernels provide all the advantages of virtual machines (VMs) and containers.

Unikernels have considerably lower overhead, which could lead to more agile and lower-cost cloud computing.

The small size of unikernels means that apps can be moved around faster and more cost effectively, considering that network bandwidth doesn’t come cheaply in the cloud.

What is Unikernel

Page 11: Unikernels and Cloud Computing

Extremely fast startup
More flexible infrastructure
Single-purpose appliances
Greater latitude to respond to the needs of the moment
There is just enough code to make the application run

What is Unikernel

Page 12: Unikernels and Cloud Computing

Why & Why not?

WHY

Unikernels offer a significant reduction in image sizes, improved efficiency and security, and should reduce operational costs:
Reduced memory footprint
Greatly reduced need for disk space
Faster load times
Lower latencies
Reduced attack surface

WHY NOT

If your application needs a lot of disk space and processor power, unikernels won't provide you much.

There is a lot of software for other operating systems, but if you use unikernels you have to write your own libraries.

The "shared kernel" strategy has its weakest link in that "shared kernel" itself.

Page 13: Unikernels and Cloud Computing

DIFFERENT APPROACHES TO CONSTRUCT UNIKERNELS

There are different approaches to constructing unikernels.

Approach Name   Focus on
ClickOS         Speed (boots under 30ms); tiny, agile virtual machines for network processing
HaLVM           Safety and security
LING            Speed (boots under 100ms)
MirageOS        Safety and security
Rump Kernels    Compatibility with legacy software
OSv             Compatibility with legacy software

Page 14: Unikernels and Cloud Computing

Linux, as well as Linux containers and Docker images, relies on a fairly heavyweight core OS to provide critical services. Because of this, a vulnerability in the Linux kernel affects every Linux container on that host.

Unikernels include only the minimal functionality and systems needed to run an application or service, all of which makes writing an exploit to attack them much more difficult.

Unikernel Security

Page 15: Unikernels and Cloud Computing

Unikernels benefit from the strong isolation guarantees of hardware virtualization and a trusted computing base that is orders of magnitude smaller than that of container technologies.

There is no shell, you cannot exec() a new process, and you don't even need to include a full TCP stack. So there is very little that exploit code can do to gain a permanent foothold in the system.

Unikernel Security

Page 16: Unikernels and Cloud Computing

Unikernels allow for the careful management of particularly critical portions of an organization’s data and processing needs.

While it does take some extra work, it is getting easier every day as more developers work on solving the challenges of orchestration, logging and monitoring.

Unikernel Security

Page 17: Unikernels and Cloud Computing

THANKS