Debunking Unikernel Criticisms
The security and tooling worries around unikernels are vastly exaggerated, asserted Idit Levine, creator of Unik, a unikernel compilation tool, and a cloud chief technology officer at Dell EMC.
A relatively new concept, unikernels can be thought of as stripped-down containers carrying only the functionality needed to run the specific workload at hand. They could offer a smaller storage footprint and faster performance, but they are anything but a proven technology.
A few months back, a then-EMC colleague of Levine’s charged that unikernels are fundamentally unsecurable because they give the workload the deepest, “Ring 0” level of access to the operating system. A few months before that, the chief technology officer of Joyent was quick to point out another problem with unikernels: a lack of tooling.
In this latest edition of The New Stack Makers podcast, Levine concisely answers both of these criticisms, as well as discusses the first possible use case for unikernels, namely to power edge devices on the Internet of Things. The interview was conducted by TNS founder Alex Williams and managing editor Joab Jackson at Cloud Foundry Summit Frankfurt.
On the security question, Levine noted that unikernels aren’t designed to run on bare metal. Instead, they run inside virtual machines, relying on the hypervisor’s hardware-enforced isolation between guests rather than on the operating system’s isolation between processes. “What I will argue is that unikernel is more secure. The hypervisor is giving us hardware isolation, and it’s better than what you’re getting from the Linux operating system.”
“Why do we have multi-user spaces? The reason we have that is to protect processes. If yours is in trouble, I want to make sure it won’t influence mine,” she pointed out.
As for tooling, Levine pointed out that it will arrive as a community forms around the technology. She noted that when containers were first being adopted, it was the community as a whole that banded together to build the new tooling needed to address their security concerns.
Among the many potential use cases for unikernels are embedded devices, which have drawn growing community interest through events such as a recent hackathon for the unikernel-based MirageOS, a Raspberry Pi library operating system running on the Xen hypervisor. The MirageOS community is currently working on its version 3.0 release, slated for this month, which adds support for IBM’s Solo5 unikernel base.
IoT devices such as Raspberry Pi boards give developers an opportunity to iterate and experiment with unikernels. “Running on IoT, you usually don’t have a lot of space, and want things to be small. If running only one process, you will get much more performance, security, and memory to run unikernels. Embedded systems are definitely going to be a use case for unikernels later,” Levine explained.
With EMC’s recently announced Unik-Hub, users can also create and share unikernels much as they would container images on Docker Hub.
The Cloud Foundry Foundation is a sponsor of The New Stack.