
CIF16: Unikernels, Meet Docker! Containing Unikernels (Richard Mortier, Anil Madhavapeddy - Docker Inc)

Unikernels are a burgeoning technology, ripe for deployment in a range of situations, from cloud-hosted microservices to Internet-of-Things platforms. By compiling and linking only the required code, they offer a range of benefits over traditional OS-hosted deployments, notably efficiency and, through smaller attack surfaces, security. While increasing in maturity, to date they have remained something of a technologists' choice: technically compelling but requiring considerable effort to build, deploy and use.
To address this, some in the community have spent time trying to integrate unikernel management with the popular Docker container management stack. By enabling unikernels to be managed using the standard Docker command line tools, we bring all the ease-of-use and common understandings of that toolchain to bear on this exciting technology.
After giving some context to the challenges faced, we will demonstrate building and running a simple LAMP-like stack using Docker to build and manage Rumprun and MirageOS Unikernels.
Thanks to Amir Chaudhry, Justin Cormack, Martin Lucina, Mindy Preston and Jeremy Yallop for assistance in building this demo!



  1. Unikernels, Meet Docker! Containing Unikernels. Richard Mortier
  2. Microservices: Tip of the Iceberg
     • The horrors of the deep
       – Microservices rely on millions of lines of unnecessary, unsafe code
       – Attack surface
     • So very much systems code
     Iceberg figure: "Code you want to run" above the waterline, "Code your OS insists you need!" below it.
  3. Systems Programming
     • Over decades, systems programming has become distinct from app programming
       – Confined to C
       – Special kernel tooling
       – Little code reuse with applications
       – Poor debugging support
       – Monoliths
     • But really, it's just programming…
  4. It's Changing!
     Rust:
       • zero-cost abstractions
       • memory safety
       • threads without data races
       • type inference
       • minimal/no runtime
     Go:
       • From the Plan9 heritage
       • Memory safety
       • Simple, predictable runtime
       • Strong distributed systems libraries
     Third column (language label not captured in the extraction):
       • Safe functional language
       • Fast, native code compilation
       • Highly portable and embeddable
       • Full network stack from TCP to SSL
     ...plus Haskell, Lua/LuaJIT, Elixir, JavaScript, Nim, D...
  5. Continuum
  6. Demo: Docker and Unikernels
     • Use Docker to build a unikernel microservice, and run a cluster of them to drive a web application with database, web and PHP code
       – Build system is wrapped in an easy-to-use Dockerfile
       – Each microservice is turned into a specialised unikernel
       – Each unikernel runs in its own KVM virtual machine with hardware protection
  7. Demo: Docker and Unikernels
     • Docker now manages the unikernel containers just like Linux containers
       – This includes networking!
       – Unikernels can run alongside conventional Linux containers
     Turns unikernels into an awesome backend for a Docker deployment, reusing orchestration and management.
  8. What Just Happened?
     • The unikernels that ran the LAMP stack were:
       – Small, secure OS images with no cruft included except what is pulled in by the app
       – 2–6MB images are typical for the full kernel+app
       – Low-latency boot times of <1s are comparable to Linux containers
     • Perfect for specialised microservices that perform one task (Web, DB, TLS)
     Image sizes: nginx 2.2MB; mysqld 4.51MB; php 4.56MB
  9. Outcome
     • Unikernels can be managed by Docker!
       – We map the container API to unikernel concepts
       – Image management, networking, storage all provided by Docker
       – "Containers" with strong isolation, simple management
     • Moving forwards…
  10. Highly Portable Model?
     • Select libraries for a cloud backend
     • Build application to run directly on Xen or KVM
       – … or build a Linux binary to run in a container
       – … or ...
     • Need to develop community standards to support unikernels
  11. Container Backend?
     • One binary for your application, no shell
     • Can run inside VM for sandbox
     • Language guarantees like type safety
     • Sandboxing via seccomp, etc.
     • Ideal for embedded and cloud systems
  12. Distributed Containers?
     • Distributed from the start
     • Pretty difficult to build "fat" services so scaling is easier
     • No fork or processes in a unikernel
     • Reuse existing coordination code so no two-level scheduling
  13. Cross-Linking?
     • Bitcoin Piñata http://ownme.ipredator.se/
     • Transparent bait for attackers
       – Both client and server side exposed
       – Private BTC key when authenticated
     • Many attacks since Feb 15
       – Over 20,000 good packet traces
  14. Conclusion
     • Unikernels are at the stage where Linux containers were before Docker
       – Few users
       – Hard to build
       – Hard to ship
       – Hard to run
     • This is what we are addressing right now with a growing community at http://unikernel.org
       – …and, going forwards, with Docker :)
  15. Questions! http://mort.io/ @mort___ richard.mortier@cl.cam.ac.uk richard.mortier@docker.com http://unikernel.org/ http://rumpkernel.org/ https://mirage.io/
