
Unikernels Meet NFVs: Architecture, Performance and Challenges (Wassim Haddad, Heikki Mahkonen & Ravi Manghirmalani, Ericsson)


In this talk, we describe our ongoing initiative to re-architect “network function virtualization (NFVs)” using the unikernel concept as the main building block. A quick look at current telco and IT market trends reveals two main intertwined technologies. On one side, in order to reduce the complexity and drawbacks inherited from creating multiple instances of the operating system, there is a strong desire to migrate from virtual machines towards micro-service enablers, namely containers (e.g., Docker). On the other side, it is becoming evident that none of these virtualization techniques would be viable in a real-world deployment without an efficient “stitching” technique that enables intelligent traffic steering between different VMs and/or containers. For this particular purpose, SDN technology is considered the leading candidate to address the “service chaining” problem.
There are multiple advantages to adopting containers: a smaller memory footprint resulting in higher density, a single operating system, faster start/shutdown, etc. However, security concerns (e.g., ever-growing kernel complexity, app isolation, etc.), OS limitations (i.e., apps confined to one host must all run on a particular kernel), distributed storage and the underlying networking infrastructure have frequently been cited as hurdles to wide adoption.
Our proposed architecture departs from current market trends as it explores using the unikernel concept as the building block for NFVs and also embeds “traffic steering” capabilities underneath the designated set of NFVs. Leveraging unikernel features enables operators to provide more granular, highly secure, on-demand services (e.g., per user and/or per device and/or per service) and better use of their datacenter infrastructure. In our talk, we discuss challenges, performance and ways forward to speed up unikernel adoption.

  1. UNIKERNELS MEET NFVS
     W. Haddad, H. Mahkonen, R. Manghirmalani
  2. Ericsson Internal | 2011-10-19 | Page 2
     MOTIVATION
     › The advent of distributed NFVs is highlighting the need for more granular service chaining:
       – tight coordination between cloud orchestration, SDN controller and storage
       – metadata to enable flow control per user and/or per device and/or per app
       – OVS enables re-routing traffic between different NFVs
     › Containerization simplifies the “virtualization” stack and allows running more apps on a particular host, but
       – constrains apps to run on the same kernel
       – “light” security makes it difficult for cloud providers to embrace “multi-tenancy” with containers only
     › Both containers and VMs run on a full, bloated kernel
       – large amount of dead code => large “attack surface” => system vulnerabilities on the rise!
       – long time to boot => always “on” => no “zero footprint” => high power consumption
     › Operators are moving towards highly distributed small datacenters (e.g., AT&T NGCO, Orange NGPoP)
       – limited number of CPUs
       – mainly to run operator NFVs for fixed and mobile broadband
  3. UNIKERNEL AT A GLANCE…
     [Diagram: four software stacks compared. App in a VM: Hypervisor / Operating System / Runtime & Libraries / Application. App in Container: Operating System / Runtime & Libraries / Application. Secure App in Container: Hypervisor / Host OS / Runtime & Libraries / Application. Unikernel App: Hypervisor / Unikernel.]
     Unikernel: single-purpose appliance designed to run in a cloud environment
     § Unikernels are compiled from the modular stack of application code, system libraries and configuration
     § Not designed to run on HW => lacks the bloat & complexity of dealing with drivers
     § Not meant to be multi-user nor multi-process => single thread which runs only one specific application
     § “Zero-footprint cloud” => no instance is running “waiting” for requests
     A full application may consist of one or many unikernels running together as a distributed system, e.g., within the same box
  4. UNIKERNELS AT A GLANCE… APPLIANCE EMBEDS OWN “PERSONALIZED” KERNEL
     [Diagram, Current Virtual Appliance: Source Code → Object Files → Userland Binaries with Library Runtime; the compiler stops at userspace and syscalls call into the kernel modules Network Stack, Device Drivers, Virtual Memory and I/O Scheduler.]
     [Diagram, Specialized Virtual Appliance: Source Code → Object Files, plus Network Libraries, Device Library, Boot Library and Config File → whole-system linking (Linker) → XEN Cloud Appliance; Application Code + Mirage runtime. Each app embeds its own “personalized” kernel.]
  5. UNIKERNELS MEET NFVS: BEYOND VM & CONTAINER
     › Move beyond current VM and container technologies by introducing much smaller, specialized, secure and scalable NFVs
       – slice “infrastructure” per user/device/app
       – respond to network traffic in real time
     › Integrate automation, orchestration and SDN control
       – NFVs are created only when needed
       – NFVs are automatically stitched together
       – NFVs are removed when demand is fulfilled => dedicated slice resources are freed
     › Enable an “in-network” processing cloud
       – host 3rd-party NFVs
       – NFV acceleration
       – low-latency services
     Goal: to synthesize specialized on-demand NFVs to stream into our next-gen cloud appliances
  6. UNIKERNELS MEET NFVS: BEYOND VM & CONTAINER
     [Diagram: three slices between the Edge and the Internet (slice on LTE, slice on Fixed BB, slice for IoT), each chaining NFVs drawn from BNG, EPG, NAT, FW, DPI, DNS, DHCP and APP.]
     › Integrate automation, orchestration and SDN control
       – NFVs are created only when needed
       – NFVs are automatically stitched together
       – NFVs are removed when demand is fulfilled => dedicated slice resources are freed
  7. ERICSSON VIRTUAL ROUTER (EVR)
     [Diagram: Redundant Control Plane, Virtual Backplane, Distributed Elastic Data Plane.]
     › What
       – Modular virtual router
       – High performance and scale
       – Elastic architecture
       – Designed for the cloud and NFV era
     › Why
       – Carrier-grade virtual router
         › Control plane redundancy
         › Data plane resiliency
         › Seamless scale-up / scale-out
  8. HYPERSCALE DATACENTER SYSTEM KEY TECHNOLOGY: HW DISAGGREGATION
     Current server
     • CPU, disk, RAM and NIC (>80% of server cost) on the same card in the same chassis
     • Server has a fixed configuration – needs to fit all workloads
     • Whole server needs to be changed at the same time even though different components have different lifecycles
     Future server
     • CPU, disk, RAM and NIC on different sleds
     • CPU, disk, RAM and NIC can be changed according to individual lifecycles
     • HW can be configured dynamically for better utilization and performance
  9. UNIKERNELS MEET NFVS: “TODAY” SERVICE CHAINING
     [Diagram of today's service chaining. Service-level orchestration: Subscription & Policy, Location optimizer, Performance monitoring, Connectivity monitoring, Configuration, DC Orch., Network Setup, Instantiation. SDN controller over HW/SW switches (SDN Switch-1) and NFVs: BNG / PGW, DPI/Charg, Security, URL, PE. Access: WIFI, Small Cell, RG (fixed), Leased line; subscribers: Fixed, Mobile, M2M, corp. A, corp. B. Subscriber- and application-aware chaining; UP application QoS & flow steering; Self-Care Portal and Admin.]
     – Simplified home GW
     – Extended lifecycle / reduced truck rolls
     – Service agility
     – Fixed & mobile aligned per-subscriber session model
  10. UNIKERNELS MEET NFVS: “TODAY” SERVICE CHAINING
     [Diagram: SDN-enabled service chaining (e.g., vCPE) – vBNG / vEPG, AAA, DPI/Charg, Security, URL, vNAT under an SDN CTL.]
     AAA
     • Authentication
     • Accounting
     • Lawful intercept
     • Line QoS
     • Quotas
     SDN service chaining
     • Dynamic flow service chaining
     • Per user, destination, application service chaining
  11. UNIKERNELS MEET NFVS: EVOLVING SERVICE CHAINING (1)
     › Within one host, let’s assume user traffic is allocated the service chain { VM1 => VM2 => VM3 => VM4 }
       – Traffic will “bounce” on OVS
       – SDN controller configures OVS
     [Diagram: three hosts, each Hypervisor + OVS with four VMs; the VM stack (OS Kernel / User Processes / Parallel Threads / Language Runtime / Application Binary / Configuration files) contrasted with a Unikernel (Application Code + Mirage runtime); VM1 → VM2 → VM3 → VM4 chained through EVR/OVS, with SDN and AAA.]
  12. UNIKERNELS MEET NFVS: EVOLVING SERVICE CHAINING (2)
     › Setting up User A’s service chain requires instantiating and coordinating a dedicated set of unikernels
       – a unikernel lacks the user/kernel space division, which allows device drivers to be linked in directly as normal libraries
       – uses an abstraction over a shared-memory communication protocol built on top of Xen vchan
         › establishes shared-memory pages for zero-copy communication between the different unikernels specific to one particular service chain
     [Diagram, general concept: User A service chain – Unikernel1, Unikernel2, Unikernel3, Unikernel4 over one shared-memory segment; the NFV stack processes incoming packets in “bottom-up” order (steps 1 to 6).]
  13. UNIKERNELS MEET NFVS: EVOLVING SERVICE CHAINING (3)
     › In “ring” mode, one dedicated unikernel (U0) is tasked with exchanging data packets with the physical NIC
       – U0 pulls the packet from the NIC queue into a shared-memory segment, then notifies Unikernel1 (U1) to process the packet
       – Upon finishing its task, each unikernel signals its successor so it can process the packet (e.g., U1 → U2 → …)
       – When Unikernel4 finishes its task it notifies U0 to send the packet and pull the next one into shared memory
     [Diagram, inter-NFV stack signaling in “ring” mode: physical NIC “Rx queue” → U0 → Unikernel1 → Unikernel2 → Unikernel3 → Unikernel4 → U0 → physical NIC “Tx queue”, all over shared memory. NIC → DomainX (e.g., U0); SR-IOV NIC → Domain0 (used for management, control).]
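The ring-mode hand-off above, as an added Python simulation that is not the Ericsson prototype's code: a bytearray stands in for the Xen vchan shared-memory segment, U0's loop plays the packet-I/O unikernel, and the stages are the DHCP, NAT and FW unikernels of the prototype chain (slides 14 and 15), each editing the frame in place through a memoryview rather than copying it. The frame layout, the addresses, the firewall's blocked range and the rule that a dropped frame hands the token straight back to U0 are constructed assumptions.

```python
from collections import deque

# Constructed 12-byte frame layout: src_ip(4) | dst_ip(4) | payload(4)
def make_frame(src, dst, payload):
    return bytes(src) + bytes(dst) + payload.ljust(4, b"\x00")

def dhcp_stage(seg):
    """U1 (DHCP): give an unconfigured 0.0.0.0 source the assumed lease 10.0.0.5."""
    if bytes(seg[0:4]) == b"\x00\x00\x00\x00":
        seg[0:4] = bytes([10, 0, 0, 5])
    return True

def nat_stage(seg):
    """U2 (NAT): rewrite a private 10.x source to the assumed public 203.0.113.7."""
    if seg[0] == 10:
        seg[0:4] = bytes([203, 0, 113, 7])
    return True

def fw_stage(seg):
    """U3 (FW): drop frames for the assumed blocked range 192.0.2.0/24."""
    return bytes(seg[4:7]) != bytes([192, 0, 2])

def run_ring(rx_frames, stages, seg_size=16):
    """U0's loop: copy one frame from the NIC Rx queue into the shared segment,
    signal U1, and transmit once the last unikernel signals back to U0.
    Returns (frames sent to the Tx queue, number of frames dropped)."""
    rx_queue = deque(rx_frames)             # stands in for the NIC Rx queue
    segment = bytearray(seg_size)           # the one shared-memory segment
    tx_queue, dropped = [], 0
    while rx_queue:
        frame = rx_queue.popleft()
        segment[:len(frame)] = frame        # the only copy: NIC -> shared memory
        view = memoryview(segment)[:len(frame)]  # zero-copy window every stage edits
        token = 1                           # U0 notifies U1
        while token <= len(stages):
            if not stages[token - 1](view):
                dropped += 1                # assumption: a drop returns the token to U0
                break
            token += 1                      # U_n signals U_{n+1}
        else:
            tx_queue.append(bytes(view))    # last unikernel signalled U0: send, pull next
    return tx_queue, dropped

if __name__ == "__main__":
    frames = [make_frame([0, 0, 0, 0], [198, 51, 100, 1], b"hi"),
              make_frame([10, 0, 0, 9], [192, 0, 2, 4], b"x")]
    print(run_ring(frames, [dhcp_stage, nat_stage, fw_stage]))
```

Because every stage edits the same segment, the order of the list is the order of the ring, so swapping NAT ahead of FW changes what the firewall sees, exactly the bottom-up ordering concern of slide 12.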
  14. UNIKERNELS MEET NFVS: EVOLVING SERVICE CHAINING (4)
     [Diagram: one dedicated chain per subscriber – “Lightning” Pkt I/O, DHCP, NAT, FW, with Irmin and XenStore.]
     AAA
     • Authentication
     • Accounting
     • Lawful intercept
     • Line QoS
     • Quotas
     • Receives sensor credentials from AAA
     • Communicates with Xen modules
     XenStore
     One dedicated chain per subscriber
  15. UNIKERNELS MEET NFVS: PROTOTYPE ARCHITECTURE
     [Diagram: prototype on XEN with Dom0 and DomU; components LIGHTNING, Irmin, XS, Xenstore config, DHCP (subscriber IP), NAT, FW and PKIO, connected through Network IO and Shared memory.]