UnikernelsUnikernelsThe new kids on the block

Jakub Jermářjermar@avast.com

@jjermar

Unikernels: The new kids on the block, Jakub Jermář, Avast TechTalk, March 4, 2016 2

Original software stackOriginal software stack

Application

Hardware

Unikernels: The new kids on the block, Jakub Jermář, Avast TechTalk, March 4, 2016 3

Application

Kernel

Hardware

Adding non-privileged modeAdding non-privileged mode

Unikernels: The new kids on the block, Jakub Jermář, Avast TechTalk, March 4, 2016 4

Memory management

Scheduler

Device drivers

TCP/IP stack

File systems

Bootstrap code

Modern desktopModern desktop

Hardware

Kernel

System libraries

Application libraries

Application

Runtime environment

System libraries

Application libraries

Application

System libraries

Application libraries

Application

System libraries

Application libraries

Application

System libraries

Application libraries

Application

Runtime environment

System libraries

Application libraries

Application

Runtime environment

Unikernels: The new kids on the block, Jakub Jermář, Avast TechTalk, March 4, 2016 5

Memory management

Scheduler

Device drivers

Bootstrap code

Hardware

Hypervisor

VM

Modern data centerModern data center

Unikernels: The new kids on the block, Jakub Jermář, Avast TechTalk, March 4, 2016 6

Vertical slice of the stackVertical slice of the stack

Memory management

Scheduler

Device drivers

Bootstrap code

Hardware

Memory management

Scheduler

Device drivers

TCP / IP stack

File systems

Bootstrap code

System libraries

Application libraries

Applications

Runtime environment

Unikernels: The new kids on the block, Jakub Jermář, Avast TechTalk, March 4, 2016 7

Memory management

Scheduler

Device drivers

Bootstrap code

Vertical slice of the stackVertical slice of the stack

Hardware

Allocator | Address spaces

Threads | Processes

ATA | SATA | E1000 | RTL8169 | USB

IPv4 | IPv6 | UDP | TCP | ARP | ICMP

Ext4 | FAT | TMPS | ISO9660

Bootstrap code

System libraries

lib1 | lib2 | lib3 | lib4

bash | ssh | Nginx | MySQL

Runtime environment

Unikernels: The new kids on the block, Jakub Jermář, Avast TechTalk, March 4, 2016 8

Memory management

Scheduler

Device drivers

Bootstrap code

Vertical slice of the stackVertical slice of the stack

Hardware

Allocator | Address spaces

Threads | Processes

ATA | SATA | E1000 | RTL8169 | USB

IPv4 | IPv6 | UDP | TCP | ARP | ICMP

Ext4 | FAT | TMPS | ISO9660

Bootstrap code

System libraries

lib1 | lib2 | lib3 | lib4

bash | ssh | Nginx | MySQL

Runtime environment

General purpose OS

Unikernels: The new kids on the block, Jakub Jermář, Avast TechTalk, March 4, 2016 9

Memory management

Scheduler

Device drivers

Bootstrap code

Vertical slice of the stackVertical slice of the stack

Hardware

Allocator | Address spaces

Threads | Processes

ATA | SATA | E1000 | RTL8169 | USB

IPv4 | IPv6 | UDP | TCP | ARP | ICMP

Ext4 | FAT | TMPS | ISO9660

Bootstrap code

System libraries

lib1 | lib2 | lib3 | lib4

bash | ssh | Nginx | MySQL

Runtime environment

General purpose OS

Is this an overkill?

Unikernels: The new kids on the block, Jakub Jermář, Avast TechTalk, March 4, 2016 10

Memory management

Scheduler

Device drivers

Bootstrap code

Vertical slice of the stackVertical slice of the stack

Hardware

Allocator | Address spaces

Threads | Processes

ATA | SATA | E1000 | RTL8169 | USB

IPv4 | IPv6 | UDP | TCP | ARP | ICMP

Ext4 | FAT | TMPS | ISO9660

Bootstrap code

System libraries

lib1 | lib2 | lib3 | lib4

bash | ssh | Nginx | MySQL

Runtime environment

General purpose OS

Is this an overkill?

For a VM in a data center?

Unikernels: The new kids on the block, Jakub Jermář, Avast TechTalk, March 4, 2016 11

Memory management

Scheduler

Device drivers

Bootstrap code

Vertical slice of the stackVertical slice of the stack

Hardware

Allocator | Address spaces

Threads | Processes

ATA | SATA | E1000 | RTL8169 | USB

IPv4 | IPv6 | UDP | TCP | ARP | ICMP

Ext4 | FAT | TMPS | ISO9660

Bootstrap code

System libraries

lib1 | lib2 | lib3 | lib4

bash | ssh | Nginx | MySQL

Runtime environment

General purpose OS

Is this an overkill?

For a VM in a data center?

What parts are essential?

Unikernels: The new kids on the block, Jakub Jermář, Avast TechTalk, March 4, 2016 12

Vertical slice of the stackVertical slice of the stack

Memory management

Scheduler

Device drivers

Bootstrap code

Hardware

Allocator | Address spaces

Threads | Processes

ATA | SATA | E1000 | RTL8169 | USB

IPv4 | IPv6 | UDP | TCP | ARP | ICMP

Ext4 | FAT | TMPS | ISO9660

Bootstrap code

System libraries

lib1 | lib2 | lib3 | lib4

bash | ssh | Nginx | MySQL

Runtime environment

General purpose OS

Is this an overkill?

For a VM in a data center?

What parts are essential?

Unikernels: The new kids on the block, Jakub Jermář, Avast TechTalk, March 4, 2016 13

Memory management

Scheduler

Device drivers

Bootstrap code

Vertical slice of the stackVertical slice of the stack

Hardware

Allocator | Address spaces

Threads | Processes

ATA | SATA | E1000 | RTL8169 | USB

IPv4 | IPv6 | UDP | TCP | ARP | ICMP

Ext4 | FAT | TMPS | ISO9660

Bootstrap code

System libraries

lib1 | lib2 | lib3 | lib4

bash | ssh | Nginx | MySQL

Runtime environment

General purpose OS

Is this an overkill?

For a VM in a data center?

What parts are essential?

How many SPOFs?

Unikernels: The new kids on the block, Jakub Jermář, Avast TechTalk, March 4, 2016 14

Memory management

Scheduler

Device drivers

Bootstrap code

Vertical slice of the stackVertical slice of the stack

Hardware

Allocator | Address spaces

Threads | Processes

ATA | SATA | E1000 | RTL8169 | USB

IPv4 | IPv6 | UDP | TCP | ARP | ICMP

Ext4 | FAT | TMPS | ISO9660

Bootstrap code

System libraries

lib1 | lib2 | lib3 | lib4

bash | ssh | Nginx | MySQL

Runtime environment

General purpose OS

Is this an overkill?

For a VM in a data center?

What parts are essential?

How many SPOFs?

Unikernels: The new kids on the block, Jakub Jermář, Avast TechTalk, March 4, 2016 15

Memory management

Scheduler

Device drivers

Bootstrap code

Vertical slice of the stackVertical slice of the stack

Hardware

Allocator | Address spaces

Threads | Processes

ATA | SATA | E1000 | RTL8169 | USB

IPv4 | IPv6 | UDP | TCP | ARP | ICMP

Ext4 | FAT | TMPS | ISO9660

Bootstrap code

System libraries

lib1 | lib2 | lib3 | lib4

bash | ssh | Nginx | MySQL

Runtime environment

General purpose OS

Is this an overkill?

For a VM in a data center?

What parts are essential?

How many SPOFs?

When not to do this?

Unikernels: The new kids on the block, Jakub Jermář, Avast TechTalk, March 4, 2016 16

Memory management

Scheduler

Device drivers

Bootstrap code

Vertical slice of the stackVertical slice of the stack

Hardware

Allocator | Address spaces

Threads | Processes

ATA | SATA | E1000 | RTL8169 | USB

IPv4 | IPv6 | UDP | TCP | ARP | ICMP

Ext4 | FAT | TMPS | ISO9660

Bootstrap code

System libraries

lib1 | lib2 | lib3 | lib4

bash | ssh | Nginx | MySQL

Runtime environment

General purpose OS

Is this an overkill?

For a VM in a data center?

What parts are essential?

How many SPOFs?

When not to do this?

What's left?

Unikernels: The new kids on the block, Jakub Jermář, Avast TechTalk, March 4, 2016 17

Memory management

Scheduler

Device drivers

Bootstrap code

Vertical slice of the stackVertical slice of the stack

Hardware

Allocator

Threads

SATA | RTL8169

IPv6 | TCP

Ext4

Bootstrap code

System libraries

lib1 | lib3

Nginx

General purpose OS

Is this an overkill?

For a VM in a data center?

What parts are essential?

How many SPOFs?

When not to do this?

What's left?

Unikernels: The new kids on the block, Jakub Jermář, Avast TechTalk, March 4, 2016 18

Memory management

Scheduler

Device drivers

Bootstrap code

Vertical slice of the stackVertical slice of the stack

Hardware

Allocator

Threads

SATA | RTL8169

IPv6 | TCP

Ext4

Bootstrap code

System libraries

lib1 | lib3

Nginx

Unikernel

Unikernels: The new kids on the block, Jakub Jermář, Avast TechTalk, March 4, 2016 19

Memory management

Scheduler

Device drivers

Bootstrap code

Hardware

Allocator

Threads

SATA | RTL8169

IPv6 | TCP

Ext4

Bootstrap code

System libraries

lib1 | lib3

Nginx

Unikernel

Hardware

Allocator

E1000

IPv4 | UDP

Bootstrap code

System libraries

lib1 | lib2

dhcp

Vertical slice of the stackVertical slice of the stack

Unikernels: The new kids on the block, Jakub Jermář, Avast TechTalk, March 4, 2016 20

Back to the rootsBack to the roots

Unikernel

Hardware

Unikernels: The new kids on the block, Jakub Jermář, Avast TechTalk, March 4, 2016 21

Back to the rootsBack to the roots

Hypervisor

Unikernel

Hardware

Unikernels: The new kids on the block, Jakub Jermář, Avast TechTalk, March 4, 2016 22

Unikernels...Unikernels...

Unikernels: The new kids on the block, Jakub Jermář, Avast TechTalk, March 4, 2016 23

Unikernels...Unikernels...

single purpose OS images

Unikernels: The new kids on the block, Jakub Jermář, Avast TechTalk, March 4, 2016 24

Unikernels...Unikernels...

include only what they need

Unikernels: The new kids on the block, Jakub Jermář, Avast TechTalk, March 4, 2016 25

Unikernels...Unikernels...

are quite small

Unikernels: The new kids on the block, Jakub Jermář, Avast TechTalk, March 4, 2016 26

Unikernels...Unikernels...

are quite small

[rumprun­packages/nginx]$ file nginx.binnginx.bin: ELF 64­bit LSB executable, x86­64, version 1 (SYSV), statically linked, not stripped[rumprun­packages/nginx]$ ls ­sh nginx.bin; strip nginx.bin; ls ­sh nginx.bin33M nginx.bin5.4M nginx.bin

Unikernels: The new kids on the block, Jakub Jermář, Avast TechTalk, March 4, 2016 27

Unikernels...Unikernels...

are quite small

[rumprun­packages/nginx]$ file nginx.binnginx.bin: ELF 64­bit LSB executable, x86­64, version 1 (SYSV), statically linked, not stripped[rumprun­packages/nginx]$ ls ­sh nginx.bin; strip nginx.bin; ls ­sh nginx.bin33M nginx.bin5.4M nginx.bin

Unikernels: The new kids on the block, Jakub Jermář, Avast TechTalk, March 4, 2016 28

Unikernels...Unikernels...

have very short boot times

Unikernels: The new kids on the block, Jakub Jermář, Avast TechTalk, March 4, 2016 29

Unikernels...Unikernels...

have very short boot times

[HaLVM/examples/Core/Null]$ time (sudo xl create Null.config; sudo xl dmesg ­c)Parsing config from Null.config(d80) Starting 1­CPU HaLVM(d80) init_sp: 0x00000000004ba000(d80) self:    0x00000000004b9f6e(XEN) grant_table.c:1249:d80 Expanding dom (80) grant table from (4) to (32) frames.(d80) Exit called with 0

real 0m0.154suser 0m0.026ssys 0m0.087s

Unikernels: The new kids on the block, Jakub Jermář, Avast TechTalk, March 4, 2016 30

Unikernels...Unikernels...

have very short boot times

DNS query start!

donereply

request

[HaLVM/examples/Core/Null]$ time (sudo xl create Null.config; sudo xl dmesg ­c)Parsing config from Null.config(d80) Starting 1­CPU HaLVM(d80) init_sp: 0x00000000004ba000(d80) self:    0x00000000004b9f6e(XEN) grant_table.c:1249:d80 Expanding dom (80) grant table from (4) to (32) frames.(d80) Exit called with 0

real 0m0.154suser 0m0.026ssys 0m0.087s

https://github.com/mirage/jitsu

Client

DNSserver

Microservice

Unikernels: The new kids on the block, Jakub Jermář, Avast TechTalk, March 4, 2016 31

Unikernels...Unikernels...

run in a single address space

Unikernels: The new kids on the block, Jakub Jermář, Avast TechTalk, March 4, 2016 32

Unikernels...Unikernels...

no privilege levels to cross

Unikernels: The new kids on the block, Jakub Jermář, Avast TechTalk, March 4, 2016 33

Unikernels...Unikernels...

usually target hypervisors

Unikernels: The new kids on the block, Jakub Jermář, Avast TechTalk, March 4, 2016 34

Unikernels...Unikernels...

usually target hypervisors

Xen PV

Unikernel domUXen PV driver frontend

dom0Xen PV driver backend

Unikernels: The new kids on the block, Jakub Jermář, Avast TechTalk, March 4, 2016 35

Unikernels...Unikernels...

usually target hypervisors

VirtIO PV driver backend

QEMU/KVM/VirtualBox

UnikernelVirtIO PV driver frontend

Xen PV

Unikernel domUXen PV driver frontend

dom0Xen PV driver backend

Unikernels: The new kids on the block, Jakub Jermář, Avast TechTalk, March 4, 2016 36

Unikernels...Unikernels...

some run on bare metal too

Unikernels: The new kids on the block, Jakub Jermář, Avast TechTalk, March 4, 2016 37

Unikernels...Unikernels...

and even on top of Unix

Unikernels: The new kids on the block, Jakub Jermář, Avast TechTalk, March 4, 2016 38

Unikernels...Unikernels...

implemented in C

Unikernels: The new kids on the block, Jakub Jermář, Avast TechTalk, March 4, 2016 39

Unikernels...Unikernels...

implemented in C

void quicksort(int array[], int left_begin, int right_begin){ int pivot = array[(left_begin + right_begin) / 2]; int left_index, right_index, pom; left_index = left_begin; right_index = right_begin; do { while (array[left_index] < pivot && left_index < right_begin) left_index++; while (array[right_index] > pivot && right_index > left_begin) right_index--;

if (left_index <= right_index) { pom = array[left_index]; array[left_index++] = array[right_index]; array[right_index--] = pom; } } while (left_index < right_index); if (right_index > left_begin) quicksort(array, left_begin, right_index); if (left_index < right_begin) quicksort(array, left_index, right_begin);}

Unikernels: The new kids on the block, Jakub Jermář, Avast TechTalk, March 4, 2016 40

Unikernels...Unikernels...

but also in high-level languages

Unikernels: The new kids on the block, Jakub Jermář, Avast TechTalk, March 4, 2016 41

Unikernels...Unikernels...

but also in high-level languages

quickSort :: Ord a => [a] -> [a]quickSort [] = []quickSort (x:xs) = quickSort [a | a <- xs, a < x] ++ [x] ++ quickSort [a | a <- xs, a >= x]

Unikernels: The new kids on the block, Jakub Jermář, Avast TechTalk, March 4, 2016 42

Unikernels...Unikernels...

but also in high-level languages

quickSort :: Ord a => [a] -> [a]quickSort [] = []quickSort (x:xs) = quickSort [a | a <- xs, a < x] ++ [x] ++ quickSort [a | a <- xs, a >= x]

let rec qsort = function | [] -> [] | pivot :: rest -> let is_less x = x < pivot in let left, right = List.partition is_less rest in qsort left @ [pivot] @ qsort right

Unikernels: The new kids on the block, Jakub Jermář, Avast TechTalk, March 4, 2016 43

The ZOOThe ZOO

Unikernels: The new kids on the block, Jakub Jermář, Avast TechTalk, March 4, 2016 44

Rumprun + rump kernelsRumprun + rump kernels

http://rumpkernel.org

existing POSIX applications

anykernel (NetBSD) → file systems, POSIX layer, device drivers, TCP/IP, storage stack → a rump kernel

Xen PV/QEMU/KVM

rumprun

Rump kernel

Application

Hardware

rumprun

Rump kernel

Application

Unikernels: The new kids on the block, Jakub Jermář, Avast TechTalk, March 4, 2016 45

MirageOSMirageOS

http://mirage.io

From-scratch implementation in OCaml

mirage-tcpip, mirage-net-xen, ocaml-cohttp, mirage-block-xen, ocaml-fat

Xen PV

Mini-OS/rumprun

Libs & OCaml runtime

Application

QEMU/KVM

Solo5/rumprun

Libs & OCaml runtime

Application

Unix

Libs & OCaml runtime

Application

Unikernels: The new kids on the block, Jakub Jermář, Avast TechTalk, March 4, 2016 46

HaLVMHaLVM

http://halvm.org

From-scratch implementation in Haskell

HaNS, Halfs, http-server

Xen PV

HaLVM

Application

Unikernels: The new kids on the block, Jakub Jermář, Avast TechTalk, March 4, 2016 47

ClickOS (C/C++)

Clive (Go)

Drawbridge (C)

IncludeOS (C++)

LING (Erlang)

OSv (C, JVM, Ruby, Node.js)

runtime.js (JavaScript)

And othersAnd others

Unikernels: The new kids on the block, Jakub Jermář, Avast TechTalk, March 4, 2016 48

DemoDemo

Keep your fingers crossed!

Unikernels: The new kids on the block, Jakub Jermář, Avast TechTalk, March 4, 2016 49

Not a moment, but a movementNot a moment, but a movement

Unikernels: The new kids on the block, Jakub Jermář, Avast TechTalk, March 4, 2016 50

Discussion: which architecture?Discussion: which architecture?

Unikernels: The new kids on the block, Jakub Jermář, Avast TechTalk, March 4, 2016 51

Discussion: which architecture?Discussion: which architecture?

Hypervisor

UnikernelLibs |TCP/IP | file system | drivers

Hardware

UnikernelLibs | file system | drivers

UnikernelLibs |TCP/IP | drivers

Unikernels: The new kids on the block, Jakub Jermář, Avast TechTalk, March 4, 2016 52

Discussion: which architecture?Discussion: which architecture?

Container / Zone

Hardware

KernelTCP / IP | file system | drivers

Container / Zone

MicroserviceLibs

MicroserviceLibs

MicroserviceLibs

Unikernels: The new kids on the block, Jakub Jermář, Avast TechTalk, March 4, 2016 53

Discussion: which architecture?Discussion: which architecture?

Hardware

Microkernel

MicroserviceLibs

MicroserviceLibs

TCP/IPLibs

File systemLibs

DriversLibs

Unikernels: The new kids on the block, Jakub Jermář, Avast TechTalk, March 4, 2016 54

Discussion: which architecture?Discussion: which architecture?

Your mileage may vary

Unikernels: The new kids on the block, Jakub Jermář, Avast TechTalk, March 4, 2016 55

Unikernels and DockerUnikernels and Docker

Unikernels: The new kids on the block, Jakub Jermář, Avast TechTalk, March 4, 2016 56

Unikernels and DockerUnikernels and Docker

Unikernels: The new kids on the block, Jakub Jermář, Avast TechTalk, March 4, 2016 57

Unikernels, meet Docker!

Unikernel Systems is now part of Docker

Unikernels and DockerUnikernels and Docker

Unikernels: The new kids on the block, Jakub Jermář, Avast TechTalk, March 4, 2016 58

Q&Awww.unikernel.org

Thank you!Thank you!