cif16: unikernels, meet docker! containing unikernels (richard mortier, anil madhavapeddy - docker...

Post on 18-Jan-2017


Unikernels, Meet Docker! Containing Unikernels

Richard Mortier

Microservices: Tip of the Iceberg

•  The horrors of the deep
   – Microservices rely on millions of lines of unnecessary, unsafe code
   – Attack surface
•  So very much systems code

Code you want to run

Code your OS insists you need!

Systems Programming

•  Over decades, systems programming has become distinct from app programming
   – Confined to C
   – Special kernel tooling
   – Little code reuse with applications
   – Poor debugging support
   – Monoliths
•  But really, it's just programming…

It's Changing!

Rust
•  zero-cost abstractions
•  memory safety
•  threads without data races
•  type inference
•  minimal/no runtime

Go
•  From the Plan 9 heritage
•  Memory safety
•  Simple, predictable runtime
•  Strong distributed systems libraries

•  Safe functional language
•  Fast, native code compilation
•  Highly portable and embeddable
•  Full network stack from TCP to SSL

...plus Haskell, Lua/LuaJIT, Elixir, JavaScript, Nim, D...

Continuum

Demo: Docker and Unikernels

•  Use Docker to build a unikernel microservice, and run a cluster of them to drive a web application with database, web and PHP code
   – Build system is wrapped in an easy-to-use Dockerfile
   – Each microservice is turned into a specialised unikernel
   – Each unikernel runs in its own KVM virtual machine with hardware protection

Demo: Docker and Unikernels

•  Docker now manages the unikernel containers just like Linux containers
   – This includes networking!
   – Unikernels can run alongside conventional Linux containers

Turns unikernels into an awesome backend for a Docker deployment, reusing orchestration and management

What Just Happened?

•  The unikernels that ran the LAMP stack were:
   – Small, secure, OS images with no cruft included except pulled in by the app
   – 2–6MB images are typical for the full kernel + app
   – Low-latency boot times of <1s are comparable to Linux containers
•  Perfect for specialised microservices that perform one task (Web, DB, TLS)

nginx     mysqld    php
2.2MB     4.51MB    4.56MB

Outcome

•  Unikernels can be managed by Docker!
   – We map the container API to unikernel concepts
   – Image management, networking, storage all provided by Docker
   – "Containers" with strong isolation, simple management
•  Moving forwards…

Highly Portable Model?

•  Select libraries for a cloud backend
•  Build application to run directly on Xen or KVM
   – …or build a Linux binary to run in a container
   – …or...
•  Need to develop community standards to support unikernels

Container Backend?

•  One binary for your application, no shell
•  Can run inside VM for sandbox
•  Language guarantees like type safety
•  Sandboxing via seccomp, etc.
•  Ideal for embedded and cloud systems

Distributed Containers?

•  Distributed from the start
•  Pretty difficult to build "fat" services so scaling is easier
•  No fork or processes in a unikernel
•  Reuse existing coordination code so no two-level scheduling

Cross-Linking?

•  Bitcoin Piñata http://ownme.ipredator.se/
•  Transparent bait for attackers
   – Both client and server side exposed
   – Private BTC key when authenticated
•  Many attacks since Feb 15
   – Over 20,000 good packet traces

Conclusion

•  Unikernels are at the stage where Linux containers were before Docker
   – Few users
   – Hard to build
   – Hard to ship
   – Hard to run
•  This is what we are addressing right now with a growing community at http://unikernel.org
   – …and, going forwards, with Docker :)

Questions!

http://mort.io/
@mort___
richard.mortier@cl.cam.ac.uk
richard.mortier@docker.com

http://unikernel.org/
http://rumpkernel.org/
https://mirage.io/
