by Brandon Knitter | Technical Consultant at Taos
As anyone in the tech industry knows, the pace of innovation is incredibly high. I spend more time acquiring knowledge than I do applying it. That pace has no sign of slowing down.
With advancements in software hosting solutions in the past 20 years we’ve seen options expand when delivering software to your customer. From commoditized hardware, to virtualization, to containers. And now we have another option: unikernels.
A unikernel is similar to a container in that the their designs strives to create encapsulation of distinct functionality, trading this containment for instance sprawl. In many cases full deployment patterns such as microservices have become common due to the ease of deploying many instances of each component of a larger interconnected system.
While containers such as those provided by the wildly popular Docker are becoming more common, and an entire industry has evolved around this new deployment mechanism, there is still work to be done. Containers, an incredible step forward, still suffer from many of the issues their predecessors have namely those of insecurity.
Unikernel research is still evolving but much of the design is to provide both a secure and low-overhead solution. A unikernel provides only the basics required for your application and remove many of the threat vectors which are inherent of modern security attacks. For example, the most recent DirtyCOW security threat, a vulnerability that goes back nearly 25 years and one based on extremely old hardware drivers no longer required, solutions must evolve to address these issues by decreasing the threat surface.
Modern solutions, such as hypervisors and containers, function similarly to the unikernel design to provide fully instanced physical or virtual machine operating systems. An operating system is booted with a set of common tools such as SSH, syslog, a network stack, ancillary monitoring daemons and a wide array of hardware support drivers, many of which are rarely used. This is where the issues start, the operating system itself comes with so much capability (read: bloat) that the threat surface is quite large.
What if there was a way to produce a bootable image, with only the components required, that still allow an application to function? In nearly all cases this is exactly what a unikernel strives to solve, providing a bootable image which removes much of the typical operating system components that are unused and not required.
Because a unikernel removes many of the operating system components typically included in industry standard deployments, the boot time can go from seconds to milliseconds, enabling a much faster rate of elasticity for applications that thrive in a dynamically scaled environment. This both increases responsiveness to customer demand as well as reduces cost by allowing instances to grow and shrink much more rapidly.
Along with the reduced boot time, the lower overhead of a unikernel enables the booted instance to use far less memory when compared to similar virtualized or containerized deployments. This can allow for greater horizontal scaling, again at a reduced cost due to the size of the instance required.
To address security concerns (something Docker has recently been under audit for) unikernels run a single process on top of virtual, or less commonly physical, hardware. This single process ensures that a single memory space is addressed and buffer overflows cannot exist. In addition, without a privileged user this consequently removes the need for permissions escalation, thus disallowing yet another security threat vector.
The immutable server trend became popular in part by containerization, and unikernels take it one step further. Even something as simple as application configuration is commonly compiled directly into the unikernel. A change to code, configuration, or dependency requires rebuilding and redeploying the entire unikernel bootable image.
So with all of this goodness, are unikernels the next greatest thing? Docker certainly thinks so! Docker recently acquired Unikernel Systems, a UK-based startup focused on unikernels. This shows that even the most popular container software on the market believes this might be something to get involved with.
EMC Advanced Development is also getting in on the movement, providing the unikernel build system UniK (pronounced “you-neek”) for common deployments such as Java, Node.JS, Python, C++ and Go. Using this suite to build unikernels significantly reduces the barrier to entry.
There is no silver bullet, though. Both the way we deploy our applications and the way we operate large systems must change for this new model. While many of the ways we think about software deployments may have changed in recent years there is still much work to be done to make unikernels the next platform.
This is an evolving space, but I think we will see much more come from unikernels in 2017. Watch for additional base OS images as well as base application images, an expanded toolset, and development pipeline integrations. Perhaps even more importantly, be on the lookout for system management tools because without them there is no way to administer the sprawl.
Unikernels: Rethinking Cloud Infrastructure
An entire site dedicated to the topic.
A list of projects supporting unikernels.
Unikernels: Rise of the Virtual Library Operating System
A great history of unikernels, going back many years. This background focuses on the why as much as the how for the MirageOS library operating system that is used for building many unikernels.
Local MirageOS development with Xen and Virtualbox
A quick start guide for getting a unikernel built and running locally.
UniK: The Unikernel Compilation and Deployment Platform
A tool suite for building unikernels for modern programming technologies across multiple unikernel types.
The Comparison and Context of Unikernels and Containers
Good information on the comparison of unikernels to containers. Light on details, but opinionated and thoughtful.
Considering Docker? Consider Security First
One of many articles outlining some of the security concerns that Docker does not address.
Docker Acquires Unikernel Systems As It Looks Beyond Containers
Announcement of the Docker acquisition in the unikernel space.
After Docker: Unikernels and Immutable Infrastructure
More discussion on unikernels going beyond what a container can do for security and low-overhead.
Details and description of the wide-spread long-existing vulnerability.
An excellent video explaining how the DirtyCOW exploit functions, and is resolved.
More details including the attempted fix around 2005 (almost 12 years ago)
Linux Kernel Security and Bugs
Detailed analysis of the lifetime of bugs and how quickly they are patched