SpringOne Platform 2016 Speaker: Idit Levine; CTO, EMC Unikernel – an executable image that can run natively on a hypervisor without the need for a separate operating system – are rapidly gaining momentum. To integrate unikernels into the eco-system, cloud-computing platforms as a service are required to provide unikernels with the same services they provide for containers. Here we present Unik, an orchestration system for unikernels. Unik handles the compilation of libraries and applications for running on AWS, manages their scheduling, and ensures their health. To provide the user with a seamless PaaS experience, Unik is integrated as a backend to Cloud Foundry runtime. In the session we will cover: an overview of Unikernel, UniK and the integration with Cloud Foundry followed by a demo.

1. 1© Copyright 2016 EMC Corporation. All rights reserved.

2. 2© Copyright 2016 EMC Corporation. All rights reserved.
VIRTUALIZATION STACK
Redundancy in the stack
– e.g. Isolation
Application Config
Application
Language Runtime
Shared Libraries
Docker Runtime
OS User Processes
OS Kernel
Virtual HW Drivers
Hypervisor
Hardware Drivers
Hardware
The aim is to run single
Application with a single user
on a single server

3. 3© Copyright 2016 EMC Corporation. All rights reserved.
KERNEL COMPLEXITY - PROTECTION
Application safe from user
Application safe from
application User safe from user

4. 4© Copyright 2016 EMC Corporation. All rights reserved.
INEFFICIENCY
• Needless permission check, it is hard and an updated
model from time sharing computer from the 50s, 60s
• Microservices architecture duplicate what Linux
did for us
• Kernel include a lot of unnecessary drivers that
not being used: floppy
• Update and patches using yum bring a lot of
unnecessary components

5. 5© Copyright 2016 EMC Corporation. All rights reserved.
SECURITY
• Very large attack surface
• A lot of exploits target linux.
It is harder to attack
hypervisor - not expose to
the internet
• Microservices architecture
Sharing – Kernel, Memory,
filesystem, hardware
The only thing make it safe is kernel extension
like: cgroup

6. 6© Copyright 2016 EMC Corporation. All rights reserved.
LINUX KERNEL LANGUAGES

7. 7© Copyright 2016 EMC Corporation. All rights reserved.
SOURCE LINES OF CODE
Small Applications: 10Ks
Medium to large applications: 100Ks
Really huge applications: 1Ms

8. 8© Copyright 2016 EMC Corporation. All rights reserved.
2.4
5.2
11
12.6
13.5
15.9
22
0
5
10
15
20
25
Linux kernel
2.4.2
Linux kernel
2.6.0
Linux kernel
2.6.29
Linux kernel
2.6.32
Linux kernel
2.6.35
Linux kernel 3.6 Linux kernel pre-
4.2
2001 2003 2009 2009 2010 2012 2015
Linux Kernel SLOC

9. 9© Copyright 2016 EMC Corporation. All rights reserved.
59
104
215
283
324
419
0
50
100
150
200
250
300
350
400
450
Debian 2.2 Debian 3.0 Debian 3.1 Debian 4.0 Debian 5.0 Debian 7.0
2000 2002 2005 2007 2009 2012
Debian SLOC

10. 11© Copyright 2016 EMC Corporation. All rights reserved.
HOW DID WE GET HERE ? EVOLUTION !
Unix was supported us the entire way!

11. 12© Copyright 2016 EMC Corporation. All rights reserved.
DECADES OF BACKWARDS COMPATIBILITY
What can linux run on ?
What can run on linux ?
Anything !
Anything !

12. 13© Copyright 2016 EMC Corporation. All rights reserved.
TRADE OFF
VS
Compatibility Efficiency

13. 14© Copyright 2016 EMC Corporation. All rights reserved.
Make it works.
Make it right.
Make it fast.

14. 15© Copyright 2016 EMC Corporation. All rights reserved.
{uni-} {kernel}
a bridge between
applications and
the actual data
processing done
at the hardware
level.
One; having
or consisting
of one.

15. 16© Copyright 2016 EMC Corporation. All rights reserved.
Application
Kernel
TRADITIONAL APPROACH
libc
libz
iconv
openGL
gtk
libgmp libtlc
Libstd++ libgcc

16. 17© Copyright 2016 EMC Corporation. All rights reserved.
Application
Kernel
UNIKERNEL APPROACH
libc
libz
iconv
openGL
gtk
libgmp libtlc
Libstd++ libgcc

17. 18© Copyright 2016 EMC Corporation. All rights reserved.
App Binary
App Config
App Deps
Virt, HW Drivers
Langue runtime
ApplicationRuntime
Packaging Tool Unikernel!
UNIKERNEL CREATION

18. 20© Copyright 2016 EMC Corporation. All rights reserved.
UNIKERNEL STACK
• Unikernels deploy directly
against the hypervisor
• Unikernels have their own
network stack
• Unikernels have their own
virtualize memory presented
as hardware
• Unikernel are completely self
contained & ideally
immutable
Hypervisor
1
0
.
1
0
.
1
.
1
1
0
.
1
0
.
1
.
2
1
0
.
1
0
.
1
.
3
1
0
.
1
0
.
1
.
4
1
0
.
1
0
.
1
.
5
1
0
.
1
0
.
1
.
6
1
0
.
1
0
.
1
.
7

19. 23© Copyright 2016 EMC Corporation. All rights reserved.
HOW CAN UNIKERNELS HELP ADDRESS OUR
PROBLEMS? Application Config
Application
Language Runtime
Shared Libraries
Docker Runtime
OS User Processes
OS Kernel
Virtual HW Drivers
Hypervisor
Hardware Drivers
Hardware
Minimal layers of isolation
and abstraction
Includes only what is really
needed
Less code, fewer bugs, easy
to reason about

20. 24© Copyright 2016 EMC Corporation. All rights reserved.
UNIKERNEL ADVANTAGES
• No other users, no multi-user support
• No permission checks – you can utilize 100% of your hardware
• Isolation at the virtual hardware – only !
• Shared only hardware
• Minimal virtual machine ~1 gb in size, minimal unikernel is
tiny, kb in size
• Very short boot time
• A tiny custom surface of attack, less likely to be effected by
a public exploit

21. 25© Copyright 2016 EMC Corporation. All rights reserved.
Backward compatibility Forward compatibility
POSIX compliance
Language specifics

22. 26© Copyright 2016 EMC Corporation. All rights reserved.
is an open-
source tool written in Go for
compiling applications into
unikernels and deploying
those unikernels across a
variety of cloud providers,
embedded devices (IoT), as
well as a developer laptop or
workstation.

23. 27© Copyright 2016 EMC Corporation. All rights reserved.
unik daemon
unik build -v /my-volume /path-to-source my-unikernel
unik create-volume path-to-data my-volume
unik run -v my-volume:/my-volume -name my-instance my-unikernel
UNIK WORKFLOW

24. 28© Copyright 2016 EMC Corporation. All rights reserved.
UNIK IS NOT OPINIONATED !
Unikernel types Cloud providers
Processor architectures

25. 29© Copyright 2016 EMC Corporation. All rights reserved.

26. 30© Copyright 2016 EMC Corporation. All rights reserved.
UNIK INTEGRATION WITH DOCKER
Docker API can be used to create unikernel via UniK

27. 31© Copyright 2016 EMC Corporation. All rights reserved.
UNIK INTEGRATION WITH CLOUD FOUNDRY
To provide the user with a seamless PaaS experience,
UniK is integrated as a backend to Cloud Foundry
runtime.

28. 32© Copyright 2016 EMC Corporation. All rights reserved.

29. 33© Copyright 2016 EMC Corporation. All rights reserved.

30. 34© Copyright 2016 EMC Corporation. All rights reserved.
INTERNET OF THINGS
UniK will Push
Unikernel
To Raspberry Pi
Unikernel will
communicate with
the Panini toaster
Toaster will make
Panini
We will eat Panini
bread

31. 35© Copyright 2016 EMC Corporation. All rights reserved.

32. 36© Copyright 2016 EMC Corporation. All rights reserved.
OpenSource

33. @Idit_Levine

34. 38© Copyright 2016 EMC Corporation. All rights reserved.