UniK: Unikernel Compiler and Runtime
http://calcotestudios.com/talks
Lee Calcote, March 5th, 2017
Lee Calcote
linkedin.com/in/leecalcote
@lcalcote
blog.gingergeek.com
clouds, containers, infrastructure, applications and their management
Show of Hands
Preview Project: Container Network Performance Tool
@lcalcote
Contact for early access. Learn more - https://github.com/solarwinds/containers
Cluster visibility - See container network flows (current bandwidth and direction) across Kubernetes and Docker Swarm nodes.
Bandwidth test - Test throughput (performance) of each type of container network (compare network drivers).
Choose wisely - Be aware of the cost of overlay convenience. Avoid MAC address overload in underlays.
Hello. I'm new.
We hold these truths to be self-evident:
bare metal
AND
virtual machines
AND
containers
AND
unikernels
AND
functions
the future is AND not OR
No one cares about infrastructure (bare metal, virtual machines, containers, unikernels, functions); they care about the application.
Current Challenges
Fat systems (the stack an application drags along):
Application Configuration
Application Binary
Language Runtime
Shared Library
Docker Runtime
OS User Processes
OS Kernel
Virtual Hardware Drivers
Hypervisor
Hardware Drivers
Hardware
Inefficient
Long startup times.
Designed for many users, running many processes.
Hardware has evolved.
Package managers pull in many unneeded packages.
Decades of backwards compatibility.
Security
Very large attack surface - a huge kernel code base.
Lots of unused applications, services and drivers lying around.
Unikernels by Russell Pavlicek (free ebook)
Other Issues
Lee Calcote and Idit Levine
How Unikernels Can Better Defend against DDoS Attacks
The Promise
What is a Unikernel? A library operating system
application
openGL, gtk, iconv, libgmp, libz, libstd++, libgcc, libc, libtls
kernel
application
a way of cross-compiling (existing) applications down to a very small, lightweight, secure virtual machine
Unikernel Landscape
Language Specific: HalVM (Haskell), MirageOS (OCaml), LING (Erlang), Runtime.js (Javascript), IncludeOS (C++), Clive (Go)
General: OSv, Rumprun, Drawbridge
Projects / Tools: ClickOS (NFV), Jitsu (DNS), Unik (Build, Deploy)
unikernel.org
Security
No multi-user support: no passwords and authorization info lying around.
Many attack vectors closed - simply not present.
Only use libraries specific to your application.
Produce a single process, single address space image.
Security by default - not necessarily a policy that will be defined later.
Microservices are (intended to be) small, self-contained, single-purpose applications.
Unikernels cannot handle multiple processes,
so forking is not allowed.
Unikernels can handle threads.
Are single user, but who needs multiple users?
Can statically link data into application.
Immutable infrastructure (enforced)
$avings
Access to a high-end system for a fraction of a second.
Increase speed - smaller artifacts, which boot faster (microseconds).
Target multiple platforms from a single code base.
Purpose
A tool for simplifying compilation and deployment of unikernels. Akin to how Docker builds and deploys containers. Automates compilation of popular languages (C/C++, Golang, Java, Node.js, Python) into unikernels. Deploys unikernels as virtual machines on many virtualization platforms. Incorporates work from a number of unikernel projects. A young project (~9 months old from announcement).
Stewarded by these fine folks
http://project-unik.io
@uvgroovy @ilackarms @Idit_Levine
https://github.com/emc-advanced-dev/unik
@ProjectUniK
3 Major Components
Compilers (language -> base unikernel):
Java -> OSv
OCaml -> MirageOS
C++ -> IncludeOS
Python, Node.js and Go -> Rump
Providers:
Virtualbox
AWS
Google Cloud
vSphere
QEMU
UKVM
Xen
OpenStack
Photon Controller
API Server (daemon)
UniK Hub - a community exchange
Currently: cloud-hosted, S3-backed; may be run on-premises.
Integrations
Processor Architectures
Use Docker API to run Unikernels
Use Unik as a CloudFoundry runtime
Use Unik as a Kubernetes runtime
$ kubectl run nginx --image=nginx:AWS --namespace=unik --replicas=3
multiple container runtimes AND unikernels: docker, rkt and unik
Walk-through
Getting Started
1. git clone
2. make
3. unik
setup
unik configure (writes ~/.unik/daemon-config.yaml):
  providers:
    aws:
      - name: aws
        region: us-east-1
        zone: us-east-1a
    gcloud: []
    vsphere: []
    virtualbox:
      - name: unik-vbox
        adapter_name: vboxnet0
        adapter_type: host_only
    qemu: []
    photon: []
    xen: []
    openstack: []
    ukvm: []
  version: ""
unik daemon (starts the API server)
familiarize w/ unik
Developer Workflow - a familiar treadmill
1. Code app per usual
2. Test and debug app
3. Deploy
4. Logs
unik build --name go-calcote --path ./ --base rump --language go --provider virtualbox
unik run --instanceName=scale15x --imageName=go-calcote
  // body of the demo app's HTTP handler (w is the http.ResponseWriter)
  fmt.Fprintf(w, "<img src='http://calcotestudios.com/talks/img/unik.jpg' />")
  fmt.Fprintf(w, "<p /> My first unikernel!")
unik logs --instanceName=scale15x
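The four workflow steps above compile a Go program into a Rump-based image and then read its output back with `unik logs`. The following is an added example (not code from the talk or from the UniK project) of the complete Go HTTP server that such a build expects: a single `package main` that listens itself, since the image is one process with no shell, init system or fork to start anything else. The two Fprintf calls in the handler match the demo slide; the listening port (8080), the function names and the request logging are assumptions.

```go
// Added example: a complete Go web app of the kind `unik build --language go
// --base rump` turns into a unikernel. Not from the slides or the UniK project;
// port 8080, the function names and the logging are assumptions.
package main

import (
	"fmt"
	"log"
	"net/http"
)

// helloHandler is the entire request surface of the image: there are no other
// processes, users or services in the unikernel, so whatever this function does
// is what the VM exposes. It writes fixed HTML only (no user input is echoed).
func helloHandler(w http.ResponseWriter, r *http.Request) {
	// Logging to stdout is what `unik logs --instanceName=...` surfaces later.
	log.Printf("%s %s from %s", r.Method, r.URL.Path, r.RemoteAddr)
	w.Header().Set("Content-Type", "text/html; charset=utf-8")
	fmt.Fprintf(w, "<img src='http://calcotestudios.com/talks/img/unik.jpg' />")
	fmt.Fprintf(w, "<p /> My first unikernel!")
}

// newServer builds the mux separately from main so the routing can be
// exercised on a host (step 2, test and debug) without binding a port.
func newServer() http.Handler {
	mux := http.NewServeMux()
	mux.HandleFunc("/", helloHandler)
	return mux
}

func main() {
	// In the unikernel this is the only process: when ListenAndServe returns,
	// the whole VM has nothing left to run, so a fatal exit is the honest outcome.
	log.Println("listening on :8080")
	log.Fatal(http.ListenAndServe(":8080", newServer()))
}
```

Run it locally with `go run .` before `unik build`; the same source is what the Rump base compiles, so anything that depends on fork, exec or a second process would surface here first.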
Lee Calcote
linkedin.com/in/leecalcote
@lcalcote
blog.gingergeek.com
Thank you. Questions?
clouds, containers, infrastructure, applications and their management
http://calcotestudios.com/talks