2. Agenda
Introduction - bios
Unikernel Background
Developer/DevOps care about
Metric Set 1: Application lifecycle overhead
CIO cares about
Metric Set 2: Application datacenter footprint
3. What is a Unikernel?
A single purpose (virtual) appliance (Madhavapeddy et al.)
Specialized at compile-time into a standalone kernel
A single-process, single address-space runtime environment
No fork()
No shared memory
No IPC
Smaller attack surface (potentially)
[Diagram: a traditional VM stack (application; fork(), shared memory, IPC; networking; scheduler; services; VMM) beside a unikernel stack (application; networking; thread scheduler; VMM)]
4. Unikernel Background

            Unmodified legacy app support          Multi-threaded app support
OSv         Partial (glibc subset, no fork/exec)   Yes* (pthread subset)
Rumprun     Yes* (no fork/execve/sigaction/mmap)   Yes (pthread)
MirageOS    No* (no fork/execve; until non-OCaml   Green threads (event loop) only
            language bindings are available)
IncludeOS   No                                     Green threads (event loop) only
5. Developer/DevOps care about
Enterprise Application Lifecycle management
Developer: Time to build app from source code, preferably unmodified
DevOps: Time to configure runtime parameters (ex: TCP port, log file
location)
DevOps: Time to deploy application
DevOps: Qualitative ease of managing and debugging long-running (weeks/months) applications
12. CIO cares about
Consolidation of applications on finite hardware resources
Multi-tenant security isolation amongst applications on a compute node
Multi-tenant Resource Management
Manageability, Accounting, Auditability
Infrastructure Power consumption
13. Metric Set 2: Data center footprint

Image size (MB)   Nginx   Tomcat
VM                143     447 (Issue 1: Alpine musl vs glibc)
Container         182.8   357.5
Unikernel         27.8    106
20. Metrics Set 3: Throughput Explanation
nginx-osv > nginx-linux > nginx-docker > nginx-vm
Baseline: 1 thread/client
Nginx-linux (bare metal) ~600 requests/sec
Nginx-vm slightly lower: expected because the client request needs to traverse two I/O
stacks - the hypervisor’s and the Guest OS’s
Nginx-docker is close to bare metal: expected since the only thing separating the container
from the workload generator is a network bridge
Nginx-osv slightly better than bare metal: client requests still go through the
unikernel's I/O stack, but OSv's stack was designed to be light/lower-overhead,
influenced by a design based on Van Jacobson's net channels
10 threads
Results improve by slightly more than 10X (mostly because of reductions in average
latency - next graph), but the ordering remains the same
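The throughput measurement above can be approximated with a toy load loop. This is a hypothetical sketch, not the actual Rain toolkit run: the in-process ThreadingHTTPServer, 1-second duration, and single client thread are all illustrative assumptions.

```python
import http.server
import threading
import time
import urllib.request

# Toy static server standing in for nginx; responds to every GET with a
# small fixed body so we mostly measure the request/response round trip.
class Handler(http.server.BaseHTTPRequestHandler):
    def do_GET(self):
        body = b"hello"
        self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # silence per-request logging
        pass

server = http.server.ThreadingHTTPServer(("127.0.0.1", 0), Handler)
threading.Thread(target=server.serve_forever, daemon=True).start()
url = f"http://127.0.0.1:{server.server_address[1]}/"

# Count completed HTTP GETs in a fixed window (1 s here, vs. 5 min in the
# real experiment) to get a crude requests/sec figure.
deadline = time.monotonic() + 1.0
done = 0
while time.monotonic() < deadline:
    with urllib.request.urlopen(url) as resp:
        resp.read()
    done += 1
server.shutdown()
print(f"{done} requests in 1s")
```

Because client and server share one machine (as in the experiment described in the notes), this captures I/O-stack overhead rather than network jitter.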
21. Metrics Set 3: Response Time Explanation
nginx-osv > nginx-linux > nginx-docker > nginx-vm
Overall response times between 1ms and 2ms
Single thread case ~1.5ms, and 10 thread case < 1.5ms
The reduction in response time moving from 1 to 10 threads is mostly a result of
caching and multiplexing.
With multiple threads, more work gets done per-unit time. While thread A is processing the
results of a response, thread B, which was waiting, can quickly be given a cached copy of
the static file being served.
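The caching half of that argument can be shown with a toy sketch: a cache hit skips the expensive first read entirely. The 10 ms "read cost" below is invented for illustration.

```python
import time

cache = {}

def serve(path):
    """Toy static-file server: the first hit pays a simulated read cost,
    later hits are returned from the in-memory cache."""
    t0 = time.monotonic()
    if path not in cache:
        time.sleep(0.010)  # made-up 10 ms "disk read" on a cache miss
        cache[path] = b"static file contents"
    return (time.monotonic() - t0) * 1000  # latency in ms

cold = serve("/index.html")  # cache miss
warm = serve("/index.html")  # cache hit
print(f"cold {cold:.1f} ms, warm {warm:.3f} ms")
```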
22. Metric Set 3b Application Performance
(Apache Tomcat)
23. Summary
Many microservice tools can be deployed in a unikernel
Nginx, Tomcat, JVM, Nodejs, Redis, Memcached etc. (list is growing)
Performance is comparable
Smaller “attack” surface (no extraneous services)
Lean network-stack (e.g., OSv)
Lean OS (no kernel/userspace crossings, no context switching, no heavy memory management, etc.)
Opportunities in tooling to help flesh out the workflow for planning
24. Acknowledgements
Thank you!
OSv: Nadav Har’El
Nirmata: Jim Bugwadia
Microservices and Cloud Native Apps Meetup
Mike Larkin, Carl Waldspurger, Anne Holler
Unikernels: Library Operating Systems for the Cloud - Madhavapeddy et al. (ASPLOS 2013)
Note: Mention VENOM attack
Madhuri: Add Tomcat info
Mention ukvm and lkvm work.
Owner: Rean
Note: Refer to image size and overhead for cost estimates.
worker_connections = number of clients each worker can serve simultaneously
worker_processes * worker_connections = anticipated upper limit on simultaneous connections
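A back-of-the-envelope check of that product, with hypothetical values for both nginx directives:

```python
# Rule of thumb from the note above: each nginx worker process can hold
# worker_connections simultaneous connections, so the product bounds the
# number of clients served at once. The values below are hypothetical.
def connection_limit(worker_processes: int, worker_connections: int) -> int:
    return worker_processes * worker_connections

print(connection_limit(4, 1024))  # 4 workers x 1024 connections
```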
Workload version of Rain (git hash b0b29438)
Workload configuration files:
https://github.com/rean/rain-workload-toolkit/blob/master/config/rain.config.nginx.json (determines workload duration, warm up and warm down)
https://github.com/rean/rain-workload-toolkit/blob/master/config/profiles.config.nginx.json (controls the IP address and port, number of threads, workload generator to use)
Experiment description
* simple HTTP GET workload, run for 5 minutes (10 sec warmup before, 10 sec rampdown afterwards) x 5 repeats
* Load generator and nginx instance run on the same machine so there’s no network jitter. We’re mainly capturing I/O stack overheads/differences
* Results reported = average over 5 repeats, error bars are 95% confidence intervals
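The reporting step (average over 5 repeats with 95% confidence interval error bars) can be reproduced with a small-sample t interval. The throughput numbers below are made up for illustration; only the procedure matches the notes.

```python
import math
import statistics

def mean_and_ci95(samples):
    """Return (mean, half-width of the 95% CI) for a small sample,
    using the t critical value for n - 1 degrees of freedom."""
    # Two-sided 95% t critical values, keyed by degrees of freedom
    t_table = {1: 12.706, 2: 4.303, 3: 3.182, 4: 2.776, 5: 2.571}
    n = len(samples)
    m = statistics.mean(samples)
    s = statistics.stdev(samples)  # sample standard deviation
    half_width = t_table[n - 1] * s / math.sqrt(n)
    return m, half_width

# Hypothetical requests/sec from 5 repeats of one configuration:
m, hw = mean_and_ci95([598.0, 605.0, 601.0, 599.0, 603.0])
print(f"{m:.1f} +/- {hw:.1f} req/s")
```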
Summarize:
3 perspectives on what might be important (CIO, developer, customer). Measurements.