Unikernels

Updated: Thu, 29 Dec 2016 by Rad

Unikernels are sometimes called Cloud Operating Systems. These minimal, bespoke unikernel operating systems can be constructed in many different ways for many different applications on many different hardware platforms. They are lightweight mechanism for implementing single-service components.


Unikernels differ from Virtual Machines as they are created for a particular application and hence only provide OS functionalities required for the particular application.

Unikernels also seem to run in a single address space. Some advantages are certainly that you have real isolation between them (unlike containers), there is no specific kernel version and feature required for the shared OS under-the-hood.

They are ideal for designers of cloud, local network, or low-level security services. Unikernels are useful for securing or rapidly deploying lightweight or security-sensitive services.

One important feature of Unikernels is excellent performance. No waste of context switches between privileged and unprivileged address space, IO, compute cycles, interrupts for unnecessary OS functionality. Highly specialised OS images can be tuned exactly for one use case and they are much smaller.

“Unikernels normally generate a singular runtime environment meant to enable single applications built solely with that environment.”

Xen Project, https://wiki.xenproject.org/wiki/Unikernels

Benefits

Unikernels have number of benefits when compared to traditional OS like Unix, Linux or Windows. These benefits lend themselves to creating systems that follow the service-oriented or microservices software architectures.

Improved security - mainly due to reduced amount of code deployed, also minimal attack surface. They also lack the variety of functions which could be normally used in the attack.

Small footprint - Unikernels have been shown to be around 4% the size of the traditional OS.

Low boot times - Unikernels have been regularly shown to boot extremely quickly, in time to respond to incoming requests before the requests time-out. Micro seconds boot time ans the same for availability. This is the heart of Unikernels and also what a lot of the container ecosystem has been hunting for.

Highly specific multi-word phrases tend to be far easier to rank well for than the more generic single keyword or double keyword phrases.

Drawbacks

Critics point out that there are some uncertainties and drawbacks with Unikernels, some even considering whole idea not suitable for production usage.

High degree of specialisation - Unikernels are unsuitable for general purpose, multi-user computing.

The idea that there is “no OS” serves to mislead; the application has taken on the hardware-interfacing responsibilities of the operating system - it is “all OS”.

There exists an argument, that they are secure mainly through the obscurity because they run different or newer software and they rely on hypervisor which can be vulnerable as well.

Unikernel mirage example
Unikernel mirage example
Credit: AmirMC, Creative Commons CC BY-SA.

Real life usage

Early adopters are using unikernel technology to run websites, critical systems infrastructure, cutting-edge research or to operate as a network appliance.

The creator of MirageOS, Anil Madhavapeddy's group is working on a new tool stack called Jitsu (Just-in-Time Summoning of Unikernels), which can start a unikernel in ~20ms in response to a network request.

Unikernel projects examples

  • MirageOS - Incubated by Xen Project, MirageOS is a clean-slate library operating system
  • Unikraft - is a comprehensive toolchain and library operating system which builds highly specialised unikernels, software bundles that consist of a target application along with just the operating system primitives and libraries features it needs to run.
  • ClickOS - a high-performance, virtualized software middle box platform based on open source virtualization
  • Clive - is an operating system designed to work in distributed and cloud computing environments.
  • HaLVM - The Haskell Lightweight Virtual Machine (HaLVM)

Traditional operating systems run multiple applications on a single machine, managing resources and isolating applications from one another. A unikernel runs a single application on a single virtual machine, relying instead on the hypervisor to isolate those virtual machines.

Unikernels - from around the web

< back to glossary