unikernels: the new kids on the block
TRANSCRIPT
Unikernels: The new kids on the block, Jakub Jermář, Avast TechTalk, March 4, 2016 2
Original software stack
Application
Hardware
Adding non-privileged mode
Application
Kernel
Hardware
Modern desktop
Hardware
Kernel: Memory management | Scheduler | Device drivers | TCP/IP stack | File systems | Bootstrap code
On top of the kernel, several application stacks side by side, each consisting of:
System libraries
Application libraries
Application
Runtime environment (present in some of the stacks)
Modern data center
Hardware
Hypervisor: Memory management | Scheduler | Device drivers | Bootstrap code
VM
Vertical slice of the stack
Hardware
Hypervisor: Memory management | Scheduler | Device drivers | Bootstrap code
General purpose OS inside the VM:
Memory management: Allocator | Address spaces
Scheduler: Threads | Processes
Device drivers: ATA | SATA | E1000 | RTL8169 | USB
TCP/IP stack: IPv4 | IPv6 | UDP | TCP | ARP | ICMP
File systems: Ext4 | FAT | TMPFS | ISO9660
Bootstrap code
System libraries: lib1 | lib2 | lib3 | lib4
Applications: bash | ssh | Nginx | MySQL
Runtime environment

Is this an overkill?
For a VM in a data center?
What parts are essential?
How many SPOFs?
When not to do this?
What's left?
Vertical slice of the stack
What's left?
Hardware
Hypervisor: Memory management | Scheduler | Device drivers | Bootstrap code
Unikernel (Nginx):
Memory management: Allocator
Scheduler: Threads
Device drivers: SATA | RTL8169
TCP/IP stack: IPv6 | TCP
File systems: Ext4
Bootstrap code
System libraries: lib1 | lib3
Application: Nginx

Unikernel (dhcp):
Memory management: Allocator
Device drivers: E1000
TCP/IP stack: IPv4 | UDP
Bootstrap code
System libraries: lib1 | lib2
Application: dhcp
Back to the roots
Unikernel
Hardware

Unikernel
Hypervisor
Hardware
Unikernels...
single purpose OS images
include only what they need
are quite small

[rumprun-packages/nginx]$ file nginx.bin
nginx.bin: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, not stripped
[rumprun-packages/nginx]$ ls -sh nginx.bin; strip nginx.bin; ls -sh nginx.bin
33M nginx.bin
5.4M nginx.bin
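As an added example (not from the talk or from the rumprun project), a minimal ELF64 parser that reproduces what `file nginx.bin` reports above (class, type, machine, static linkage), so the same check can be scripted over an image before it is deployed; the sample image is constructed inside the block and is not a real unikernel.

```python
# Added example (not from the talk): a minimal ELF64 parser that reproduces what
# `file nginx.bin` reports (class, type, machine, static linkage) so the same
# check can be scripted before an image is deployed. The sample image built by
# build_sample_elf() is constructed here and is not a real unikernel.
import struct

ELF_MAGIC = b"\x7fELF"
ET_NAMES = {2: "executable", 3: "shared object"}
EM_NAMES = {3: "x86", 62: "x86-64", 183: "aarch64"}
PT_LOAD, PT_DYNAMIC, PT_INTERP = 1, 2, 3
EHDR_FMT, PHDR_FMT = "<HHIQQQIHHHHHH", "<IIQQQQQQ"   # ELF64 header / program header

def parse_elf64(data):
    """Describe an ELF64 little-endian image; raise ValueError if it is not one."""
    if len(data) < 64 or data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF image")
    if data[4] != 2 or data[5] != 1:          # EI_CLASS == ELFCLASS64, EI_DATA == LSB
        raise ValueError("only ELF64 LSB images are handled here")
    (e_type, e_machine, _, e_entry, e_phoff, _, _,
     _, e_phentsize, e_phnum, _, _, _) = struct.unpack_from(EHDR_FMT, data, 16)
    if e_phoff + e_phnum * e_phentsize > len(data):
        raise ValueError("program header table runs past end of file")
    ptypes, loaded = set(), 0
    for i in range(e_phnum):
        p_type, _, _, _, _, _, p_memsz, _ = struct.unpack_from(
            PHDR_FMT, data, e_phoff + i * e_phentsize)
        ptypes.add(p_type)
        if p_type == PT_LOAD:
            loaded += p_memsz                   # memory the image occupies when mapped
    return {
        "class": 64,
        "type": ET_NAMES.get(e_type, "unknown"),
        "machine": EM_NAMES.get(e_machine, "unknown"),
        "entry": e_entry,
        # A statically linked image carries no interpreter and no dynamic section.
        "static": PT_INTERP not in ptypes and PT_DYNAMIC not in ptypes,
        "loaded_bytes": loaded,
    }

def build_sample_elf(static=True):
    """Construct a tiny ELF64 x86-64 executable header (not runnable) for testing."""
    phdrs = [(PT_LOAD, 5, 0, 0x400000, 0x400000, 0x1000, 0x1000, 0x1000)]
    if not static:
        phdrs.append((PT_INTERP, 4, 0, 0, 0, 0, 0, 1))   # marks a dynamic executable
    ident = ELF_MAGIC + bytes([2, 1, 1, 0]) + bytes(8)      # ELF64, LSB, version 1
    ehdr = struct.pack(EHDR_FMT, 2, 62, 1, 0x401000, 64, 0, 0,
                       64, 56, len(phdrs), 64, 0, 0)
    return ident + ehdr + b"".join(struct.pack(PHDR_FMT, *p) for p in phdrs)
```

Running `parse_elf64(open("nginx.bin", "rb").read())` on a real image gives the same class/type/machine/static verdict that `file` prints above.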
Unikernels...
have very short boot times

[HaLVM/examples/Core/Null]$ time (sudo xl create Null.config; sudo xl dmesg -c)
Parsing config from Null.config
(d80) Starting 1-CPU HaLVM
(d80) init_sp: 0x00000000004ba000
(d80) self: 0x00000000004b9f6e
(XEN) grant_table.c:1249:d80 Expanding dom (80) grant table from (4) to (32) frames.
(d80) Exit called with 0

real 0m0.154s
user 0m0.026s
sys 0m0.087s

Diagram, Jitsu (https://github.com/mirage/jitsu): the Client sends a DNS query to the DNS server; the DNS server starts the Microservice unikernel ("start!"), waits until it reports "done", and only then sends the DNS reply; the Client's request then goes to the freshly booted Microservice.
Unikernels...
run in a single address space
no privilege levels to cross
usually target hypervisors

Xen PV: dom0 (Xen PV driver backend) ↔ Unikernel domU (Xen PV driver frontend)
QEMU/KVM/VirtualBox: VirtIO PV driver backend ↔ Unikernel (VirtIO PV driver frontend)
Unikernels...
some run on bare metal too
and even on top of Unix
implemented in C

void quicksort(int array[], int left_begin, int right_begin)
{
    /* Hoare-style partition around the middle element of the range. */
    int pivot = array[(left_begin + right_begin) / 2];
    int left_index, right_index, pom;   /* pom: temporary used for the swap */

    left_index = left_begin;
    right_index = right_begin;

    do {
        /* Move both indices past elements that are already on the correct side. */
        while (array[left_index] < pivot && left_index < right_begin)
            left_index++;
        while (array[right_index] > pivot && right_index > left_begin)
            right_index--;

        if (left_index <= right_index) {
            pom = array[left_index];
            array[left_index++] = array[right_index];
            array[right_index--] = pom;
        }
    } while (left_index < right_index);

    /* Recurse into the two partitions that are left. */
    if (right_index > left_begin)
        quicksort(array, left_begin, right_index);
    if (left_index < right_begin)
        quicksort(array, left_index, right_begin);
}
Unikernels...
but also in high-level languages

Haskell:
quickSort :: Ord a => [a] -> [a]
quickSort [] = []
quickSort (x:xs) = quickSort [a | a <- xs, a < x] ++ [x] ++ quickSort [a | a <- xs, a >= x]

OCaml:
let rec qsort = function
  | [] -> []
  | pivot :: rest ->
      let is_less x = x < pivot in
      let left, right = List.partition is_less rest in
      qsort left @ [pivot] @ qsort right
The ZOO
Rumprun + rump kernels
http://rumpkernel.org
existing POSIX applications
anykernel (NetBSD) → file systems, POSIX layer, device drivers, TCP/IP, storage stack → a rump kernel

Xen PV / QEMU/KVM → rumprun → Rump kernel → Application
Hardware → rumprun → Rump kernel → Application
MirageOS
http://mirage.io
From-scratch implementation in OCaml
mirage-tcpip, mirage-net-xen, ocaml-cohttp, mirage-block-xen, ocaml-fat

Xen PV → Mini-OS/rumprun → Libs & OCaml runtime → Application
QEMU/KVM → Solo5/rumprun → Libs & OCaml runtime → Application
Unix → Libs & OCaml runtime → Application
HaLVM
http://halvm.org
From-scratch implementation in Haskell
HaNS, Halfs, http-server

Xen PV → HaLVM → Application
And others
ClickOS (C/C++)
Clive (Go)
Drawbridge (C)
IncludeOS (C++)
LING (Erlang)
OSv (C, JVM, Ruby, Node.js)
runtime.js (JavaScript)
Demo
Keep your fingers crossed!
Not a moment, but a movement
Discussion: which architecture?

Unikernels on a hypervisor:
Hardware → Hypervisor → Unikernel (Libs | TCP/IP | file system | drivers), Unikernel (Libs | file system | drivers), Unikernel (Libs | TCP/IP | drivers)

Containers / zones on a shared kernel:
Hardware → Kernel (TCP/IP | file system | drivers) → Container / Zone → Microservice (Libs), Microservice (Libs), Microservice (Libs)

Microkernel:
Hardware → Microkernel → Microservice (Libs), Microservice (Libs), TCP/IP (Libs), File system (Libs), Drivers (Libs)

Your mileage may vary
Unikernels and Docker
Unikernels, meet Docker!
Unikernel Systems is now part of Docker
Q&A
www.unikernel.org
Thank you!