A unikernel is a specialized, executable image that can be executed natively on a hypervisor, without the need for a separate, complete operating system. The image contains everything necessary for a specific application to run. One of the biggest benefits of unikernels is that they use a fraction of the resources required by a full-blown operating system. Unikernels are also capable of delivering:
- Improved security.
- Smaller footprints.
- Whole-system optimization.
- Near instant boot times.
You might remember that the unikernel found its way into the spotlight a few years back. One of the biggest arguments against the unikernel was that it stripped away everything that would give administrators other options. Where was the control? What would the admin do if the service fails? The unikernel didn’t offer the standard tools for troubleshooting and recovery. The very idea that there was no operating system gave many companies pause with this new technology.
That was before containers found dominance within the enterprise computing sphere. Now, we see how easily and reliably containerized applications can be deployed. With the advent of containers, it’s become clear that a unikernel could very well improve Kubernetes deployments in the area of speed, scalability, and security. Because of this, the unikernel has come back into the picture.
In their recent paper “Unikernels: The Next Stage of Linux’s Dominance,” a group of researchers from Red Hat and Boston University have found that:
“There is, in fact, evidence that the structure of the Linux kernel is problematic for a number of today’s key use cases. For one, applications that require high-performance I/O use frameworks like DPDK and SPDK to bypass the kernel and gain unimpeded access to hardware devices. The most performance sensitive of these applications are often dedicated entire machines for their deployments, for example, infrastructure components like Ceph.”
In other words, the paper’s authors (Ali Raza, Jonathan Appavoo, Orran Krieger, Parul Sohal, Ulrich Drepper, Renato Mancuso, James Cadden, Richard Jones, and Larry Woodman) conclude that there are use cases where Linux is the clear choice that would nonetheless benefit from a unikernel.
How Would a Unikernel Benefit Modern Businesses?
The state of modern business IT infrastructure has become one that demands remarkable speed, agility, and security. With ever-growing deployments of containers and cloud infrastructure, have we reached the point where a Linux unikernel is the best solution? To answer that question, we must understand how a unikernel would benefit modern businesses.
The single biggest benefit of the unikernel (according to Raza et al.) is its ability “… to fit the needs of the target application to increase the performance of the application or to support it within a highly restricted execution domain.”
In other words, a unikernel can be so highly specialized that it better meets the performance and security demands of a single application. With a unikernel, the attack surface of an application is drastically reduced, thereby minimizing the chance that a malicious hacker can do harm.
Whether you’re working with cloud infrastructure or a container cluster, one of the single most challenging aspects is orchestration. In order to successfully (and efficiently) orchestrate the deployment, management, and scaling of such infrastructure, you cannot depend on bulky, general-purpose operating systems. Such operating systems are created to encompass a wide variety of tasks. To that end, an administrator must spend a fair amount of energy on tasks that are beyond the scope of the infrastructure at hand.
Consider this: The standard Linux kernel is comprised of:
- System call interface.
- Kernel subsystem (which includes process management, memory management, filesystems, device control, networking).
- Implemented features (which includes concurrency, multitasking, virtual memory, files and directories, device access, connectivity).
- Software support (which includes arch-dependent code, memory manager, file system types, block devices, character devices, network subsystem, IF drivers).
- Hardware drivers (which include CPU, memory, disks, consoles, network interfaces).
The unikernel removes the traditional operating system layer. With this technology, only the necessary operating system functions are compiled in with the application code into a single executable. If you’re familiar with containers, this might sound somewhat familiar. The big difference is that a container requires a full operating system stack to function. Imagine a container that doesn’t require an operating system to enable functionality. Instead, that container could be deployed on top of a hypervisor. Without the added bulk of the operating system, the container would perform with tremendous speed. Along with that speed comes an exponential increase in security.
Of course, this isn’t really a containerized kernel, but the idea is similar: pare the system down to the pieces required to run a service, roll them all into a single executable, and deploy it in seconds.
A unikernel is comprised of the following elements:
- System libraries.
- Language runtime.
- Necessary applications.
These components are compiled into a single bootable VM image that runs directly on a standard hypervisor.
The implications of unikernels are impressive. Take, for instance, the cloud. Since its inception, the cloud has been hampered by slow, bloated data center operating systems. Although those systems are ideal for serving up web sites, databases, and other information, they aren’t necessarily ideal for a service that scales to the level necessary for the cloud. When billions of users need access to a service, the servers running said service must be massively scalable … something traditional operating system stacks struggle with. The images required for the cloud demand multiple gigabytes of storage and memory. In order to scale a cloud up, more hardware and resources are required. That, in turn, costs money (in some cases, significant amounts of money).
Imagine, however, that same cloud powered by unikernels. Instead of having to roll out more and more hardware, more unikernel images could be deployed onto hypervisors. That type of scaling is not only more cost-effective, but it’s also more efficient. Why place extra demand for unnecessary services on an image, when you can use a specialized, single-purpose unikernel?
Worth a Second Look
Although the hype around unikernels died out a few years back, they have never been more relevant. Make sure to give “Unikernels: The Next Stage of Linux’s Dominance” a full read, and see if you don’t come away wanting to give this technology a second look.
Red Hat is a sponsor of The New Stack.