Unikernels are unfit for production, charges the top technologist at cloud provider Joyent.
As a result, they may not be, and may never be, ready for production workloads, he argued.
Cantrill was responding to the excitement generated around Docker’s announcement of Thursday that the company had purchased Unikernel Systems.
Docker finds promise in unikernels in that they are smaller than containers, so can fit into tighter computer environs and have less of an attack surface.
Should I write the blog entry explaining why unikernels are unfit for production or just let them be their own punishment?
— Bryan Cantrill (@bcantrill) January 21, 2016
A unikernel is an application packaged to run entirely within in the microprocessor’s privileged mode. It takes on all the “hardware-interfacing responsibilities” formerly handled by the OS itself, Cantrill explained.
This approach will bring some operational issues, he warned.
All your existing apps will need to be ported to a new environment. Even worse, you will have difficulty debugging these applications.
“There are no processes in unikernels, so if your app depends on this (ubiquitous, four-decades-old) construct, you’re basically hosed,” the disbelieving technologist wrote.
“Unikernels are entirely undebuggable,” he concluded.
Cantrill himself is the author of the DTrace, a muscular debugging tool used on Joyent systems, as well as for Solaris, Mac OS X and FreeBSD machines.
Even the supposed performance and security benefits of unikernels are suspect, Cantrill warned.
Unikernels may speed performance of apps by eliminating the context jump across the user-kernel boundary though this gain is minimal with modern processors.
Unikernels may be small, but because they run as guest OSes, their host servers allocate DRAM memory to them in unalterable blocks, which engineers usually generously proportion to avoid out-of-memory errors, Cantril noted. So, at least, some of the space savings from unikernels is lost at the server.
The security benefits that come with unikernels may also be illusionary, Cantrill waged.
Unikernels “often run new or different software (and are therefore not vulnerable to the OpenSSL vuln-of-the-week) but this security-through-obscurity argument could be made for running any new, abstruse system,” Cantrill wrote.
“The security arguments also seem to whistle past the protection boundary that unikernels very much depend on: the protection boundary between guest OS’s afforded by the underlying hypervisor,” he continued.
Docker plans to do a lot of work to ready its unikernel ready for production environments, including integrating the technology into the rest of its supporting software stack, said Solomon Hykes, founder and chief technology officer for Docker, in an interview with The New Stack.
Though knowledgeable, Cantrill himself is not quite an impartial observer when it comes to unikernels, which have been positioned as an alternative to containers. Joyent itself offers a container-based infrastructure hosting, through its Triton cloud services.
In any case, Cantrill’s post immediately generated much discussion on Hacker News and other tech-oriented forums.
“Bryan may certainly be right (I neither know him nor much about unikernels), but some parts of his argument seem incredibly weak,” one Hacker News reader asserted, noting that Cantrill downplayed the possible performance gains of unikernels.
Perhaps Cantrill’s concerns will be further addressed at a Docker Online Meetup this Wednesday, January 27th when Unikernel Systems’ Amir Chaudhry and Richard Mortier will discuss their technology in further depth.
Docker and Joyent and sponsors of The New Stack
Feature image via Pixabay.