Unikernels: The new kids on the block

Slides from my Avast TechTalk on Unikernels, from the perspective of a microkernel guy.


  1. Unikernels: The new kids on the block. Jakub Jermář, jermar@avast.com, @jjermar
  2. Unikernels: The new kids on the block, Jakub Jermář, Avast TechTalk, March 4, 2016. Original software stack. Diagram, bottom to top: Hardware, Application.
  3. Adding non-privileged mode. Diagram, bottom to top: Hardware, Kernel, Application.
  4. Modern desktop. Diagram, bottom to top: Hardware; Kernel (memory management, scheduler, device drivers, TCP/IP stack, file systems, bootstrap code); many applications side by side, each with its own system libraries and application libraries, and some with a runtime environment as well.
  5. Modern data center. Diagram, bottom to top: Hardware; Hypervisor (memory management, scheduler, device drivers, bootstrap code); VM.
  6. Vertical slice of the stack. Diagram, bottom to top: Hardware; hypervisor layer (memory management, scheduler, device drivers, bootstrap code); guest kernel (memory management, scheduler, device drivers, TCP/IP stack, file systems, bootstrap code); system libraries; application libraries; applications; runtime environment.
  7. Vertical slice of the stack, guest kernel expanded. Memory management: Allocator | Address spaces. Scheduler: Threads | Processes. Device drivers: ATA | SATA | E1000 | RTL8169 | USB. TCP/IP: IPv4 | IPv6 | UDP | TCP | ARP | ICMP. File systems: Ext4 | FAT | TMPS | ISO9660. Bootstrap code. System libraries: lib1 | lib2 | lib3 | lib4. Applications: bash | ssh | Nginx | MySQL. Runtime environment.
  8. The same slice, labelled: General purpose OS.
  9-16. The same general purpose OS slice, with one question added per slide: Is this an overkill? For a VM in a data center? What parts are essential? How many SPOFs? When not to do this? What's left?
  17. What's left for the Nginx VM: Allocator; Threads; SATA | RTL8169; IPv6 | TCP; Ext4; bootstrap code; lib1 | lib3; Nginx.
  18. The same reduced slice, labelled: Unikernel.
  19. Vertical slice of the stack: two unikernels side by side on the hardware. The Nginx one from the previous slide, and a dhcp one made of Allocator; E1000; IPv4 | UDP; bootstrap code; lib1 | lib2; dhcp.
  20. Back to the roots. Diagram, bottom to top: Hardware, Unikernel.
  21. Back to the roots. Diagram, bottom to top: Hardware, Hypervisor, Unikernel.
  22. Unikernels...
  23. ... single purpose OS images
  24. ... include only what they need
  25. ... are quite small
  26-27. ... are quite small:
       [rumprun-packages/nginx]$ file nginx.bin
       nginx.bin: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, not stripped
       [rumprun-packages/nginx]$ ls -sh nginx.bin; strip nginx.bin; ls -sh nginx.bin
       33M nginx.bin
       5.4M nginx.bin
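The `file` and `strip` check on the slide above, turned into a small inspector. This is an added example, not code from the talk or from any of the projects it lists: it parses the ELF64 headers the way `file` does and reports whether an image is statically linked (no PT_INTERP or PT_DYNAMIC program header), whether it still carries a symbol table (the "not stripped" that accounts for most of the gap between 33M and 5.4M), and how many bytes are actually loadable. The image it runs on is constructed inline (a synthetic x86-64 ELF with a single PT_LOAD segment of NOP bytes), so nothing from the page is needed to run it; `inspect_elf`, `build_sample_elf` and the result keys are this example's own names.

```python
"""Minimal ELF64 image inspector (added example, not from the talk).

Reports whether an image is statically linked and whether it is stripped,
which is what a practitioner checks before shipping a unikernel image.
The sample ELF below is constructed in this file so the script runs offline.
"""
import struct

ELF_MAGIC = b"\x7fELF"
ELFCLASS64 = 2
ET_EXEC = 2
EM_X86_64 = 0x3E
PT_LOAD, PT_DYNAMIC, PT_INTERP = 1, 2, 3
SHT_PROGBITS, SHT_SYMTAB = 1, 2

EHDR_FMT = "HHIQQQIHHHHHH"   # ELF64 header after the 16-byte e_ident
PHDR_FMT = "IIQQQQQQ"        # ELF64 program header (56 bytes)
SHDR_FMT = "IIQQQQIIQQ"      # ELF64 section header (64 bytes)


def inspect_elf(data: bytes) -> dict:
    """Parse the ELF64 header, program headers and section headers of `data`."""
    if data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF file")
    if data[4] != ELFCLASS64:
        raise ValueError("only ELF64 is handled here")
    end = "<" if data[5] == 1 else ">"   # EI_DATA: 1 = little endian, 2 = big endian
    (e_type, e_machine, _ver, _entry, e_phoff, e_shoff, _flags, _ehsize,
     e_phentsize, e_phnum, e_shentsize, e_shnum, _shstrndx) = struct.unpack_from(
        end + EHDR_FMT, data, 16)

    loadable = 0
    has_interp = has_dynamic = False
    for i in range(e_phnum):
        p_type, _pflags, _off, _vaddr, _paddr, p_filesz, _memsz, _align = \
            struct.unpack_from(end + PHDR_FMT, data, e_phoff + i * e_phentsize)
        if p_type == PT_LOAD:
            loadable += p_filesz          # bytes the loader actually maps from the file
        elif p_type == PT_INTERP:
            has_interp = True             # asks for a dynamic loader: not static
        elif p_type == PT_DYNAMIC:
            has_dynamic = True            # carries dynamic linking info: not static

    has_symtab = False
    for i in range(e_shnum):
        _name, sh_type, *_rest = struct.unpack_from(
            end + SHDR_FMT, data, e_shoff + i * e_shentsize)
        if sh_type == SHT_SYMTAB:
            has_symtab = True             # .symtab present: `file` says "not stripped"

    return {
        "x86_64": e_machine == EM_X86_64,
        "executable": e_type == ET_EXEC,
        "statically_linked": not (has_interp or has_dynamic),
        "stripped": not has_symtab,
        "loadable_bytes": loadable,
        "file_bytes": len(data),
    }


def build_sample_elf(stripped: bool) -> bytes:
    """Construct a tiny synthetic ELF64 x86-64 executable for demonstration only.

    Layout: header, one PT_LOAD program header, 64 bytes of NOPs, then the
    section header table (null section, .text, and .symtab unless stripped).
    """
    end = "<"
    phnum, shnum = 1, (2 if stripped else 3)
    phoff = 64
    code = b"\x90" * 64                     # constructed payload: NOP instructions
    code_off = phoff + 56 * phnum
    shoff = code_off + len(code)
    base = 0x400000
    ehdr = ELF_MAGIC + bytes([ELFCLASS64, 1, 1, 0]) + b"\0" * 8
    ehdr += struct.pack(end + EHDR_FMT, ET_EXEC, EM_X86_64, 1, base + code_off,
                        phoff, shoff, 0, 64, 56, phnum, 64, shnum, 0)
    phdr = struct.pack(end + PHDR_FMT, PT_LOAD, 5, code_off, base + code_off,
                       base + code_off, len(code), len(code), 0x1000)
    shdrs = struct.pack(end + SHDR_FMT, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0)   # SHN_UNDEF
    shdrs += struct.pack(end + SHDR_FMT, 1, SHT_PROGBITS, 6, base + code_off,
                         code_off, len(code), 0, 0, 16, 0)              # .text
    if not stripped:
        shdrs += struct.pack(end + SHDR_FMT, 7, SHT_SYMTAB, 0, 0, 0, 0, 0, 0, 8, 24)
    return ehdr + phdr + code + shdrs


if __name__ == "__main__":
    for flag in (False, True):
        print("stripped=%s ->" % flag, inspect_elf(build_sample_elf(flag)))
```

On a real image, `inspect_elf(open("nginx.bin", "rb").read())` gives the same report; for something meant to ship as a unikernel one wants `statically_linked` and `stripped` both true, and the gap between `file_bytes` and `loadable_bytes` shows how much of the artifact is symbols and debug sections rather than code and data that ever reaches memory.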
  28. ... have very short boot times
  29. ... have very short boot times:
       [HaLVM/examples/Core/Null]$ time (sudo xl create Null.config; sudo xl dmesg -c)
       Parsing config from Null.config
       (d80) Starting 1-CPU HaLVM
       (d80) init_sp: 0x00000000004ba000
       (d80) self:    0x00000000004b9f6e
       (XEN) grant_table.c:1249:d80 Expanding dom (80) grant table from (4) to (32) frames.
       (d80) Exit called with 0
       real 0m0.154s
       user 0m0.026s
       sys 0m0.087s
  30. ... have very short boot times. The same HaLVM timing, next to a sequence diagram of jitsu (https://github.com/mirage/jitsu) with three parties, Client, DNS server and Micro service, and the messages: DNS query, start!, done, reply, request. The DNS query for the service is what starts the micro service, and the client gets its reply once the service reports done.
  31. ... run in a single address space
  32. ... no privilege levels to cross
  33. ... usually target hypervisors
  34. ... usually target hypervisors: Xen PV. The unikernel runs as a domU with a Xen PV driver frontend; dom0 provides the Xen PV driver backend.
  35. ... usually target hypervisors: Xen PV as on the previous slide, and VirtIO, where the unikernel carries a VirtIO PV driver frontend and QEMU/KVM/VirtualBox provides the VirtIO PV driver backend.
  36. ... some run on bare metal too
  37. ... and even on top of Unix
  38. ... implemented in C
  39. ... implemented in C:
       /* In-place quicksort of array[left_begin..right_begin], both bounds inclusive. */
       void quicksort(int array[], int left_begin, int right_begin)
       {
           int pivot = array[(left_begin + right_begin) / 2];
           int left_index, right_index, pom;

           left_index = left_begin;
           right_index = right_begin;

           do {
               /* Advance from both ends until an out-of-place pair is found. */
               while (array[left_index] < pivot && left_index < right_begin)
                   left_index++;
               while (array[right_index] > pivot && right_index > left_begin)
                   right_index--;

               if (left_index <= right_index) {
                   /* Swap the pair and move both indices inward. */
                   pom = array[left_index];
                   array[left_index++] = array[right_index];
                   array[right_index--] = pom;
               }
           } while (left_index < right_index);

           /* Recurse into the two partitions that are still unsorted. */
           if (right_index > left_begin)
               quicksort(array, left_begin, right_index);
           if (left_index < right_begin)
               quicksort(array, left_index, right_begin);
       }
  40. ... but also in high-level languages
  41-42. ... but also in high-level languages. Haskell:
       quickSort :: Ord a => [a] -> [a]
       quickSort [] = []
       quickSort (x:xs) = quickSort [a | a <- xs, a < x] ++ [x] ++ quickSort [a | a <- xs, a >= x]
       and OCaml:
       let rec qsort = function
         | [] -> []
         | pivot :: rest ->
             let is_less x = x < pivot in
             let left, right = List.partition is_less rest in
             qsort left @ [pivot] @ qsort right
  43. The ZOO
  44. Rumprun + rump kernels, http://rumpkernel.org. Runs existing POSIX applications. The NetBSD anykernel supplies file systems, the POSIX layer, device drivers, TCP/IP and the storage stack, which together become a rump kernel. Diagram, bottom to top: Hardware; Xen PV / QEMU / KVM; rumprun; Rump kernel; Application.
  45. MirageOS, http://mirage.io. From-scratch implementation in OCaml: mirage-tcpip, mirage-net-xen, ocaml-cohttp, mirage-block-xen, ocaml-fat. Three targets, each running Libs & OCaml runtime with the Application on top: Xen PV (on Mini-OS/rumprun), QEMU/KVM (on Solo5/rumprun), and Unix.
  46. HaLVM, http://halvm.org. From-scratch implementation in Haskell: HaNS, Halfs, http-server. Diagram, bottom to top: Xen PV, HaLVM, Application.
  47. And others: ClickOS (C/C++), Clive (Go), Drawbridge (C), IncludeOS (C++), LING (Erlang), OSv (C, JVM, Ruby, Node.js), runtime.js (JavaScript).
  48. Demo. Keep your fingers crossed!
  49. Not a moment, but a movement
  50. Discussion: which architecture?
  51. Discussion: which architecture? Hypervisor. Diagram, bottom to top: Hardware; Hypervisor; three unikernels side by side, each bundling its own libs and only the services it needs (Libs | TCP/IP | file system | drivers; Libs | file system | drivers; Libs | TCP/IP | drivers).
  52. Discussion: which architecture? Container / Zone. Diagram, bottom to top: Hardware; one shared Kernel (TCP/IP | file system | drivers); three containers or zones side by side, each holding a Microservice with its Libs.
  53. Discussion: which architecture? Microkernel. Diagram, bottom to top: Hardware; Microkernel; side by side above it, each with its own Libs: two Microservices, TCP/IP, File system, Drivers.
  54. Discussion: which architecture? Your mileage may vary.
  55-57. Unikernels and Docker. Unikernels, meet Docker! Unikernel Systems is now part of Docker.
  58. Q&A. www.unikernel.org. Thank you!
