Defining a Unikernel and How it Works
The first generation of cloud focused on orchestration: how to take an existing workload and make it agile. That made perfect sense. We already had fully functional, complex application stacks from the time before cloud; we just needed to fit these applications into the new world of the cloud.
However, the next generation of cloud needs to create workloads which are efficient, fast, and secure. The current workloads use full machine images, from a general purpose operating system with supporting libraries and utilities up to the application layer. They have large memory footprints, can use gigabytes of disk space just on the operating system level, and can take minutes to start up. They also suffer from potentially large attack surfaces, as full operating system layer with utilities can be fertile ground for malevolent crackers to plant their weeds in your IT garden.
What Are Unikernels and How Do They Work?
Unikernels, sometimes called library operating systems, implement the bare minimum of the traditional operating system functions; just enough to enable the application it powers.
By removing the traditional operating system layer, unikernels remove the unneeded bulk of standard operating system environments, along with their associated attack service.
The needed operating system functions are compiled with the application code into a single executable, which contains everything needed for the workload to function on top of a hypervisor. The result is a much smaller payload which can be deployed quickly, in high density, and with a greatly improved security footprint.
In actuality, the unikernel concept is nothing new. It essentially takes the established concepts found in embedded programming and applies them to the datacenter. But where these principles in the embedded world allow a workload to execute on a small device, the unikernel concept creates entirely new use cases for the cloud.
What Impact Will They Have on the Cloud?
Most cloud orchestration systems today launch services before they are needed. These services are inspected and tested for health, expanded when insufficient, contracted when excessive, and shut down when someone decides they are no longer needed. While unikernels can work in that manner, they also enable the concept called transient microservices: services that are born when the need appears and die as soon as the need disappears. Some of these transient microservices may have lifespans measured in seconds, or even fractions of a second. They are truly just-in-time computing services which exist only when there is work to do, allowing you to maximize the use of your computing infrastructure.
Compute power no longer needs to be preallocated to tasks which are not currently needed, so maximum resources can be allocated to the tasks of the moment, without neglecting the tasks which you know you will need to do in the future.
The transient nature of these services will be challenging for most cloud orchestration systems. Most of these systems cannot deal with the concept of services which rise and fall in seconds, driven by the need of the moment rather than by the decision of an operator. So the concept of transient microservices will force cloud orchestration systems to grow in new ways.
And Then There is Security …
The 800 pound gorilla in the cloud room has always been security. Ever since the birth of the cloud concept, people have asked, “How can we protect our data when it’s in the cloud? We have enough problems protecting our data when we have it locked in our datacenter.” Security is the key to success in the cloud. And anything which is a key needs to be addressed seriously.
Unikernels provide exactly the serious solution which the cloud needs.
Unikernel-based payloads don’t have command shells to exploit. They don’t have utilities which can be subverted. And they don’t have full operating systems with documented risks which can be compromised. Unikernels are not impenetrable, but they are serious as a heart attack when it comes to security. It is this heightened security focus which makes unikernels the technology to watch for the future of the cloud.
Docker is a sponsor of The New Stack.
Feature image: “Painting by LIU Wei 刘韡 (劉韡): Truth Dimension No 7, 2013 (oil on canvas)” by See-ming Lee is licensed under CC BY 2.0.