michael-bright
Overview
What are Unikernels?
Why do we need them? Domains of application
Unikernel implementations: Clean-slate or legacy
Tooling
Containers and Unikernels
Demo
Conclusions
Unikernels
@mjbright
Why this talk? Curiosity about
What we can expect to see from Unikernels (and Docker...)
Who the players are
1990's: First unikernels - Exokernel and Nemesis (Univ. Cambr)
In 2017? MirageOS 3 will be released; DockerCon US and EU
@mjbright
What are Unikernels?
"Library OS": applications built with only the OS components they actually require, e.g. TCP stack, DNS, DHCP, NAT, F/w, disk access.
Single process (*) applications (no threads, forking or multi-user) (*)
Small size (few lines of code) and very fast to boot
Small attack surface (potentially secure)
High performance - no context switches!
No shell
@mjbright
Why are Unikernels needed?
Think for a moment - What OS do you run? On what hardware?
Modern OS provide amazing backwards compatibility and features
But an app uses a tiny fraction of those features, consuming resources and increasing the attack surface (Linux kernel ~25 MLOC)
Unikernels provide an alternative
But are they a panacea?
@mjbright
In what domains might they be used?
Cloud Computing
Small (kB/MB) immutable entities with fast boot times (100's ms).
Possibility of on-demand servers, µ-services
Potentially greater security (<LOC)
NFV (Network Function Virtualization)
As cloud but stricter requirements on response times, service chaining
Unikernels meet NFV; Ericsson Research Blog; Unikernels.org Blog
IoT / Embedded
For low-resource, potentially secure elements (bare metal or µ-vmm?). Build up the "app" instead of stripping down the "OS"
HPC
Greater performance possible (but maybe hard work)
@mjbright
Unikernel Implementations - 2 families
There are 2 main classes of Unikernels
The Clean-Slate approach emphasizes safety and security. Same language for application and Library OS components.
MirageOS (OCaml), HaLVM (Haskell), LING (Erlang)
The Legacy approach favours backward compatibility of existing applications based on POSIX compatibility.
Many applications have been ported
OSv (Tomcat, Jetty, Cassandra, OpenJDK, ...), Rumprun (MySQL, PHP, Nginx), Runtime.js, Clive (Go)
Unikernel Implementations
Technology (site): Description
ClickOS (cnp.neclab.eu): For embedded network h/w. ~5MB images, boots <20ms, 45μs delay, 100 VMs => 10Gbps
Clive (lsub.org): Written in Go. For distributed and cloud.
Drawbridge (MS): Research prototype. Picoprocess/container with minimal kernel API surface, and Windows library OS.
Graphene: Securing "multi-process" legacy apps - adds IPC.
HaLVM (galois.com): Port of GHC (Glasgow Haskell Compiler) suite. Write apps in Haskell to run on Xen.
IncludeOS (includeos.org): Research project for C++ code on virtual hardware.
LING (erlangonxen.org): Erlang/OTP runs on Xen.
MirageOS (mirage.io): Clean-slate library OS for secure, high-perf network apps. More than 100 MirageOS libraries plus OCaml ecosystem.
OSv (osv.io, Cloudius): Run Linux binaries (w. limitations), supports C/C++, JVM, Ruby, Node.js
Rumprun (FreeBSD): Runs POSIX s/w on BM or VM (Xen).
@mjbright
Unikernel implementations - MirageOS / OCaml
Clean-Slate
https://mirage.io/
OCaml-Based
MirageOS "Library OS" components are written in OCaml.
ML-derived languages are best known for their static type systems and type-inferring compilers.
OCaml unifies functional, imperative, and object-oriented programming under an ML-like type system.
OCaml has extensive libraries available (Unison utility)
Unikernel implementations - MirageOS - 2
Clean-Slate
https://mirage.io/
OCaml-Based
MirageOS Unikernels are based on the Mirage-OS Unikernel base (OS library).
The mirage tool is used to build Unikernels for various backends:
Xen Hypervisor (PV)
Unix (Linux or OS/X binaries)
Browser (via OCaml -> JS compiler!!)
MirageOS 3 (/Solo5) will support kvm (/ukvm)
Even an experimental BM backend for Raspberry Pi
Building applications for unix or xen:
    mirage configure -t unix
    make
    ./mir-console
    mirage configure -t xen
    make
    **** xen create ./mir-console.xen
@mjbright
Unikernel implementations - MirageOS - Use Cases
Clean-Slate
https://mirage.io/
BTC Piñata: http://ownme.ipredator.se/
Networking applications, e.g. CyberChaff "false network hosts"
PayGarden, Sean Grove: "Baby steps to unikernels in production"
Too painful to create/configure AMI images on AWS; Solo5 allows to create KVM images deployable on GCE
@mjbright
Unikernel Tooling
Unik [EMC-Dell]: "The Unikernel Compilation and Deployment Platform" (+ image hub)
    rumprun: Python, Node.js and Go; OSv: Java, Node.js, C and C++; IncludeOS: C++; MirageOS: OCaml
Solo5 [IBM]: An alternative unikernel base for MirageOS
    Provides qemu/KVM support for MirageOS. Is currently being integrated into MirageOS 3 beta
ukvm [IBM]: An alternative VM Monitor, a "library hypervisor"
capstan: OSv build tool (+ image hub)
@mjbright
Unikernel Tooling
MirageOS jitsu: "Just-In-Time Summoning of Unikernels"
A DNS server that starts unikernels on demand.
Tested with MirageOS and Rumprun unikernels.
https://github.com/mirage/jitsu
@mjbright
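The jitsu idea on the slide above (a DNS lookup is what boots the unikernel, and a short TTL lets idle ones be stopped) as an added, self-contained Python model. This is not jitsu's own code: the name-to-address registry, the boot counter standing in for a hypervisor call, and the query bytes are all constructed for the example, and only the A/IN lookup path is handled.

```python
import struct
import time

class Summoner:
    """Models jitsu's idea: a DNS lookup boots the unikernel, idle ones are reaped."""
    def __init__(self, registry, ttl=5, clock=time.time):
        self.registry = registry   # constructed: name -> dotted IPv4 of the unikernel
        self.ttl = ttl             # short TTL so clients re-query and keep it alive
        self.clock = clock
        self.running = {}          # name -> time of last lookup
        self.boots = 0             # boot requests (hypothetical hypervisor hook)
    def ensure_running(self, name):
        if name not in self.running:
            self.boots += 1        # jitsu would call the Xen/KVM backend here
        self.running[name] = self.clock()
    def reap(self):
        """Stop unikernels not looked up for longer than ttl; returns their names."""
        now = self.clock()
        idle = [n for n, t in self.running.items() if now - t > self.ttl]
        for n in idle:
            del self.running[n]
        return idle

def parse_question(msg):
    """Decode the single question of a DNS query: (txid, name, qtype, qclass, raw question)."""
    txid, _flags, qdcount, _an, _ns, _ar = struct.unpack("!6H", msg[:12])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    off, labels = 12, []
    while msg[off] != 0:
        n = msg[off]
        if n & 0xC0:
            raise ValueError("compression pointer not allowed in question")
        labels.append(msg[off + 1:off + 1 + n].decode("ascii"))
        off += 1 + n
    qtype, qclass = struct.unpack("!HH", msg[off + 1:off + 5])
    return txid, ".".join(labels).lower(), qtype, qclass, msg[12:off + 5]

def handle_query(summoner, msg):
    """Answer an A query: known names are summoned and answered, anything else gets NXDOMAIN."""
    txid, qname, qtype, qclass, question = parse_question(msg)
    if qtype != 1 or qclass != 1 or qname not in summoner.registry:
        return struct.pack("!6H", txid, 0x8183, 1, 0, 0, 0) + question  # rcode 3, no boot
    summoner.ensure_running(qname)
    rdata = bytes(int(o) for o in summoner.registry[qname].split("."))
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, summoner.ttl, 4) + rdata
    return struct.pack("!6H", txid, 0x8180, 1, 1, 0, 0) + question + answer

def build_query(txid, name):
    """Constructed client query (RD=1) for an A record of name."""
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"
    return struct.pack("!6H", txid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", 1, 1)
```

Unknown names get NXDOMAIN without touching the hypervisor hook, so a lookup flood can only keep registered unikernels alive, not boot arbitrary ones.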
Unikernels and Containers: My guess...
So what about Containers? ...and why did Docker buy Unikernel Systems?
Unikernel Systems are involved in MirageOS/Xen
Unikernels already used as specific functions in "Docker for Mac"
No-brainer: Provide build/ship/run tools for Unikernels
build: tools to facilitate building Unikernels
test: run Unikernels in containers to facilitate testing, https://github.com/mato/docker-unikernel-runner
ship: Docker registry extended to provide Unikernel images
run: Docker Swarm orchestrates tasks incl. Unikernels
Secure Container deployments through hybrid solutions
Secure front-ends made of unikernels, e.g. for OCaml MediaWiki (http2https, tlstunnel, ...)
Containers for backend
Surprises?...
@mjbright
Demo
DeferPanic - Unikernel IaaS - https://deferpanic.com/
runtime.js - Node.js Unikernel - https://github.com/runtimejs/example-web-server
4 unikernel demos - Look Ma, no OS! - https://github.com/technolo-g/lookma
Conclusions
Much work needs to be done to make them easy to build, deploy, debug
We will see easier to use solutions
Whatever Docker plan to surprise us with
Unik will facilitate building, deploying multiple technologies
Solo5 will allow mixing of technologies
Several disparate technologies today, but some efforts to synergize
Unikernels are an interesting complementary technology to containers
We can expect hybrid solutions
2017 will be an interesting year for Unikernels
@mjbright
Resources
Scoop.it Unikernels: www.scoop.it/t/unikernels
Youtube Playlist: youtube.com/.../unikernels
Wikipedia: en.wikipedia.org/wiki/Unikernel
unikernels.org
mirageos.io
mirage.io/docs/papers
O'Reilly "Unikernels" - Free download
@unikernel
github.com/ocamllabs
github.com/mirage (MirageOS)
@mjbright