Container Network Performance Tool
Contact for early access. Learn more -
Cluster visibility -
See container network flows (current
bandwidth and direction) across
Kubernetes and Docker Swarm nodes.
Bandwidth test -
Test throughput (performance) of each
type of container network (compare
Choose wisely -
Be aware of the cost of overlay
Avoid MAC address overload in underlays.
OS User Processes
Virtual Hardware Drivers
Long startup times.
Designed for many users, running
Hardware has evolved.
Package managers pull in many
Decades of backwards
Very large attack surface - a huge kernel code base.
Lots of unused applications, services and drivers lying around.
Unikernels by Russell Pavlicek (free ebook)
Lee Calcote and Idit Levine
How Unikernels Can Better Defend against DDoS Attacks
What is a Unikernel?
A library operating system
a way of cross-compiling (existing) applications down
to very small, lightweight, secure virtual machine
No multi-user support
no passwords and authorization info lying around
Many attack vectors closed - simply not present.
only use libraries specific to your application
produce a single process, single address space image
Security by default - not necessarily policy that will be
Microservices are (intended to be) small, self-contained, single-
Unikernels cannot handle multiple processes,
so forking is not allowed.
Unikernels can handle threads.
Are single user, but who needs multiple users?
Can statically link data into application.
Access to a high-end system for a fraction of a second
Increase speed - smaller artifacts, which boot faster
Target multiple platforms from a single code base
A tool for simplifying compilation and deployment of
Akin to how Docker builds and deploys containers.
Automates compilation of popular languages (C/C++,
Golang, Java, Node.js, Python) into unikernels.
Deploys unikernels as virtual machines on many
Incorporates work from a number of unikernel projects.
A young project (~9 months old from announcement)
Stewarded by these fine folks
3 Major Components
a community exchange
May be run on-premises