What is a unikernel?
I am new to unikernels and the following links didn't help me much to understand them:

  1. When is it better to use a unikernel?
  2. How is a unikernel smaller than a microkernel in terms of code size?
Gluteus answered 18/10, 2017 at 5:50 Comment(1)
oreilly.com/webops-perf/free/files/unikernels.pdf ebook might be useful. Gluteus
In one line: (application + unikernel), called a workload, running on a hypervisor (cloud) is equivalent to a standalone application running on bare metal in the embedded world.

A unikernel in the cloud is better when the app (workload) doesn't use most of the OS & device driver services.

A unikernel is compiled with only the used features of the kernel, NOT with the necessary features as in a microkernel; hence the size is small.

Gluteus answered 18/10, 2017 at 8:18 Comment(0)
The terms "unikernel" and "microkernel" mean different things and are not really two opposites or two choices you need to choose from:

"microkernel" is an older term, and is a type of kernel design, contrasting with a monolithic kernel. In a monolithic kernel, as its name says, the entire kernel is a single program, which implements the kernel APIs which the user's applications need (e.g., Unix system calls, threads, processes, file system, etc.). Contrasting with that, in a microkernel design, we have a "microkernel", a very small kernel which implements a small API (e.g., a very basic concept of threads of execution, permissions, and message passing), and on top of it sits a much larger piece of the kernel which implements the full APIs that the applications need - the actual filesystem, processes that behave like Unix processes, system calls, and so on. In the early 1990s there was an academic understanding that writing monolithic kernels had become too hard and too bug-prone, and microkernels were the way of the future, but then came Linux (which is a monolithic kernel) and made this conclusion into a joke. Today, you shouldn't choose a kernel depending on whether it uses a microkernel or a monolithic kernel. This is an implementation detail that users will rarely care about.

"unikernel" is a newer concept. Traditional kernels took pride in being able to multiplex many different users and applications on the same physical machines. The famous 1974 paper about Unix was called "The UNIX time-sharing system", because time-sharing (i.e., multiplexing multiple users and applications) was one of the most important goals of the OS. But today, with a focus on virtual machines instead of physical machines, there is a different way (namely, a hypervisor) in which a physical machine can be split into different virtual machines. So very often, each virtual machine only runs a single application belonging to a single owner. This presents an opportunity to run a trimmed-down kernel which doesn't need to support a lot of the things which traditional kernels supported: no need to support isolation between different users; no need to support thousands of drivers (there is a tiny set that all known hypervisors need); no need to support isolation between different processes.

Trimming all that unnecessary stuff makes the kernel smaller, which is a great benefit for the quick deployment of new VMs, lowers memory use, and can also improve performance. For example, you may have heard that recently the Linux kernel was patched to fix the "Meltdown" vulnerability in contemporary CPUs. The fix slows down system calls and context switches on Linux, and was needed because without it one process could read the memory of other processes. But if we know that there is NO other process - there is just one application running on the VM - we don't care. So a unikernel does not need to slow itself down with Meltdown workarounds. System calls can be as quick as function calls, context switches are much faster, etc.

Some unikernels, like OSv for example, did the above, and provided a kernel which mimics to the application a traditional kernel (i.e., Linux) but without the unsupported features such as multiple users or multiple isolated processes (though un-isolated threads are supported). Other unikernels went even further in the quest to trim down the kernel, and provide a different kernel build to each application, which includes exactly the specific features that this specific application needs. For example, to run a TCP application you can use a kernel which only supports the TCP protocol, but not UDP. You can look at this as if the kernel and the application are linked together to form one unified kernel-application, which is run directly on the hypervisor.

When, and why, to use a unikernel (of any of the variants described above) is an open question. Certainly, if using tiny amounts of disk or memory is a concern, a unikernel is a good option to consider. If you're worried about security and plan to audit your code, a unikernel has much less code to audit. In applications that need to start very quickly (e.g., implementing a "function as a service"), unikernels allow very quick boot, significantly less than 1 second, because the boot does far less "generic" stuff and focuses on what your application really needs. These examples can also tell you when you shouldn't bother to consider a unikernel: if your application anyway uses huge amounts of disk and memory (e.g., a database application), reducing a bit from the size of the kernel won't help much. If your application runs for hours, quick boot is not important. If your application uses a lot of OS features, many of the more specialized unikernels I described above may not provide all the features which your application needs.

Headrest answered 27/12, 2018 at 8:38 Comment(2)
Your answer is very insightful; however, there are some points left unclear, such as: 1. In the Meltdown scenario, you said if there was only one app running on the VM, no inter-process cache leak was to be worried about, but how about kernel-to-application leaks? i.e., the application reads otherwise unavailable info via a side channel from the kernel? 2. In your arguments about the benefits of unikernels, what are some other security benefits other than less code to audit? Exodontics
1. When the kernel is running just one application, the kernel has no data to leak to the application - the kernel has no data which the application shouldn't have. 2. If you compare a host running multiple VMs each running a unikernel to a host running multiple processes (i.e., "containers"), the former is more secure because the boundary is much smaller. There have been a huge number of privilege escalation bugs in Linux in the past, but only a handful of similar bugs for hypervisors. Choler
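As an added illustration (my code, not part of any answer above) of the boundary-crossing cost the answer says a unikernel can avoid, this C microbenchmark compares a plain function call with a real user-to-kernel system call on an ordinary Linux kernel; it assumes Linux with glibc, and the function names are my own.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <stdint.h>
#include <time.h>
#include <unistd.h>
#include <sys/syscall.h>

/* Volatile sink so the compiler cannot optimise the measured calls away. */
static volatile long sink;

/* Stand-in for a kernel service that, in a single-address-space unikernel,
   would be reached by an ordinary function call (hypothetical helper). */
__attribute__((noinline)) static long local_service(void) {
    return 42;
}

static uint64_t now_ns(void) {
    struct timespec ts;
    clock_gettime(CLOCK_MONOTONIC, &ts);
    return (uint64_t)ts.tv_sec * 1000000000ull + (uint64_t)ts.tv_nsec;
}

/* Average cost in nanoseconds of one direct function call. */
double ns_per_function_call(long iters) {
    uint64_t t0 = now_ns();
    for (long i = 0; i < iters; i++) sink = local_service();
    return (double)(now_ns() - t0) / (double)iters;
}

/* Average cost in nanoseconds of one real user->kernel->user transition.
   getpid is issued through syscall() so no libc-side caching short-circuits it;
   on a Meltdown-mitigated (KPTI) kernel this path also pays the page-table switch. */
double ns_per_syscall(long iters) {
    uint64_t t0 = now_ns();
    for (long i = 0; i < iters; i++) sink = syscall(SYS_getpid);
    return (double)(now_ns() - t0) / (double)iters;
}

int main(void) {
    const long iters = 1000000;
    double f = ns_per_function_call(iters);
    double s = ns_per_syscall(iters);
    printf("function call: %.1f ns\nsyscall:       %.1f ns\nratio: %.1fx\n",
           f, s, s / f);
    return 0;
}
```

The ratio you see is the per-call overhead a conventional kernel charges for the protection boundary; a unikernel that links the application and kernel into one address space makes the second number collapse toward the first.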
Unikernels are simple single-application operating systems. Instead of deploying our software on top of Linux, unikernels create an operating system out of our application and run only that app – nothing else.

There's no concept of usernames/passwords or ssh'ing into the application, as it is only running one application. Traditionally unikernels have been hard to work with, as they used to require an expert level of systems knowledge.

More on: https://bootsity.com/php/running-php-unikernels-on-google-cloud

Rubinstein answered 22/5, 2019 at 11:52 Comment(0)
In fact (as was mentioned), it is your application and a unikernel built as a single image. They use a single address space (on monolithic kernels, this is usually divided into user space and kernel space).

Pros:

  • better security
  • small image size
  • higher isolation from host
  • higher speed of execution and/or boot time (not sure about it, still discussable)

Cons:

  • there can be issues with debugging and deployment
  • there can be issues with support of multiple processes and/or threads
  • usually they support only a single user

If you want to dig into more details, I would like to share some links:

  1. I like this book Unikernels by Russell Pavlicek
  2. and you can also look through this article: Unikernels
Anemone answered 8/6, 2023 at 13:13 Comment(0)