Unikernel

Last updated
Comparison of a traditional OS stack and a MirageOS unikernel Unikernel mirage example.png
Comparison of a traditional OS stack and a MirageOS unikernel

A unikernel is a computer program statically linked with the operating system code on which it depends. Unikernels are built with a specialized compiler that identifies the operating system services that a program uses and links it with one or more library operating systems that provide them. Such a program requires no separate operating system and can run instead as the guest of a hypervisor. [1]

Contents

The unikernel architecture builds on concepts developed by Exokernel and Nemesis in the late 1990s.

Design

In a library operating system, protection boundaries are pushed to the lowest hardware layers, resulting in:

  1. a set of libraries that implement mechanisms such as those needed to drive hardware or talk network protocols;
  2. a set of policies that enforce access control and isolation in the application layer.

The library OS architecture has several advantages and disadvantages compared with conventional OS designs. One of the advantages is that since there is only a single address space, there is no need for repeated privilege transitions to move data between user space and kernel space. Therefore, a library OS can provide improved performance by allowing direct access to hardware without having to transition between user mode and kernel mode (on a traditional kernel this transition consists of a single TRAP instruction [2] and is not the same as a context switch [3] ). Performance gains may be realised by elimination of the need to copy data between user space and kernel space, although this is also possible with Zero-copy device drivers in traditional operating systems.

A disadvantage is that because there is no separation, trying to run multiple applications side by side in a library OS, but with strong resource isolation, can become complex. [4] In addition, device drivers are required for the specific hardware the library OS runs on. Since hardware is rapidly changing this creates the burden of regularly rewriting drivers to remain up to date.

OS virtualization can overcome some of these drawbacks on commodity hardware. A modern hypervisor provides virtual machines with CPU time and strongly isolated virtual devices. A library OS running as a virtual machine only needs to implement drivers for these stable virtual hardware devices and can depend on the hypervisor to drive the real physical hardware. However, protocol libraries are still needed to replace the services of a traditional operating system. Creating these protocol libraries is where the bulk of the work lies when implementing a modern library OS. [1] Additionally, reliance on a hypervisor may reintroduce performance overheads when switching between the unikernel and hypervisor, and when passing data to and from hypervisor virtual devices.

By reducing the amount of code deployed, unikernels necessarily reduce the likely attack surface and therefore have improved security properties. [5] [6]

An example unikernel-based messaging client has around 4% the size of the equivalent code bases using Linux. [7]

Due to the nature of their construction, it is possible to perform whole-system optimisation across device drivers and application logic, thus improving on the specialisation. [8] [9] For example, off-the-shelf applications such as nginx, SQLite, and Redis running over a unikernel have shown a 1.7x-2.7x performance improvement. [10]

Unikernels have been regularly shown to boot extremely quickly, in time to respond to incoming requests before the requests time-out. [11] [12] [13]

Unikernels lend themselves to creating systems that follow the service-oriented or microservices software architectures.

The high degree of specialisation means that unikernels are unsuitable for the kind of general purpose, multi-user computing that traditional operating systems are used for. Adding additional functionality or altering a compiled unikernel is generally not possible and instead the approach is to compile and deploy a new unikernel with the desired changes.

See also

Related Research Articles

<span class="mw-page-title-main">Microkernel</span> Kernel that provides fewer services than a traditional kernel

In computer science, a microkernel is the near-minimum amount of software that can provide the mechanisms needed to implement an operating system (OS). These mechanisms include low-level address space management, thread management, and inter-process communication (IPC).

<span class="mw-page-title-main">Operating system</span> Software that manages computer hardware resources

An operating system (OS) is system software that manages computer hardware and software resources, and provides common services for computer programs.

In computing, a virtual machine (VM) is the virtualization or emulation of a computer system. Virtual machines are based on computer architectures and provide the functionality of a physical computer. Their implementations may involve specialized hardware, software, or a combination of the two. Virtual machines differ and are organized by their function, shown here:

L4 is a family of second-generation microkernels, used to implement a variety of types of operating systems (OS), though mostly for Unix-like, Portable Operating System Interface (POSIX) compliant types.

<span class="mw-page-title-main">Xen</span> Type-1 hypervisor

Xen is a free and open-source type-1 hypervisor, providing services that allow multiple computer operating systems to execute on the same computer hardware concurrently. It was originally developed by the University of Cambridge Computer Laboratory and is now being developed by the Linux Foundation with support from Intel, Citrix, Arm Ltd, Huawei, AWS, Alibaba Cloud, AMD, Bitdefender and epam.

A hypervisor, also known as a virtual machine monitor (VMM) or virtualizer, is a type of computer software, firmware or hardware that creates and runs virtual machines. A computer on which a hypervisor runs one or more virtual machines is called a host machine, and each virtual machine is called a guest machine. The hypervisor presents the guest operating systems with a virtual operating platform and manages the execution of the guest operating systems. Unlike an emulator, the guest executes most instructions on the native hardware. Multiple instances of a variety of operating systems may share the virtualized hardware resources: for example, Linux, Windows, and macOS instances can all run on a single physical x86 machine. This contrasts with operating-system–level virtualization, where all instances must share a single kernel, though the guest operating systems can differ in user space, such as different Linux distributions with the same kernel.

In computing, paravirtualization or para-virtualization is a virtualization technique that presents a software interface to the virtual machines which is similar, yet not identical, to the underlying hardware–software interface.

<span class="mw-page-title-main">Architecture of Windows NT</span> Overview of the architecture of the Microsoft Windows NT line of operating systems

The architecture of Windows NT, a line of operating systems produced and sold by Microsoft, is a layered design that consists of two main components, user mode and kernel mode. It is a preemptive, reentrant multitasking operating system, which has been designed to work with uniprocessor and symmetrical multiprocessor (SMP)-based computers. To process input/output (I/O) requests, it uses packet-driven I/O, which utilizes I/O request packets (IRPs) and asynchronous I/O. Starting with Windows XP, Microsoft began making 64-bit versions of Windows available; before this, there were only 32-bit versions of these operating systems.

OS-level virtualization is an operating system (OS) virtualization paradigm in which the kernel allows the existence of multiple isolated user space instances, called containers, zones, virtual private servers (OpenVZ), partitions, virtual environments (VEs), virtual kernels, or jails. Such instances may look like real computers from the point of view of programs running in them. A computer program running on an ordinary operating system can see all resources of that computer. However, programs running inside of a container can only see the container's contents and devices assigned to the container.

<span class="mw-page-title-main">Protection ring</span> Layer of protection in computer systems

In computer science, hierarchical protection domains, often called protection rings, are mechanisms to protect data and functionality from faults and malicious behavior.

CPU modes are operating modes for the central processing unit of most computer architectures that place restrictions on the type and scope of operations that can be performed by instructions being executed by the CPU. For example, this design allows an operating system to run with more privileges than application software by running the operating systems and applications in different modes.

<span class="mw-page-title-main">PikeOS</span> Real-time operating system

PikeOS is a commercial hard real-time operating system (RTOS) which features a separation kernel-based hypervisor. This hypervisor supports multiple logical partition types for various operating systems (OS) and applications, each referred to as a GuestOS. PikeOS is designed to facilitate the development of certifiable smart devices for the Internet of Things (IoT) by adhering to standards of quality, safety, and security across different industries. In instances where memory management units (MMU) are not present but memory protection units (MPU) are available on controller-based systems, PikeOS for MPU is designed for critical real-time applications and provides up-to-standard safety and security.

The following is a timeline of virtualization development. In computing, virtualization is the use of a computer to simulate another computer. Through virtualization, a host simulates a guest by exposing virtual hardware devices, which may be done through software or by allowing access to a physical device connected to the machine.

<span class="mw-page-title-main">Gernot Heiser</span> Australian computer scientist

Gernot Heiser is a Scientia Professor and the John Lions Chair for operating systems at UNSW Sydney, where he leads the Trustworthy Systems group (TS).

<span class="mw-page-title-main">Kernel (operating system)</span> Core of a computer operating system

The kernel is a computer program at the core of a computer's operating system and generally has complete control over everything in the system. The kernel is also responsible for preventing and mitigating conflicts between different processes. It is the portion of the operating system code that is always resident in memory and facilitates interactions between hardware and software components. A full kernel controls all hardware resources via device drivers, arbitrates conflicts between processes concerning such resources, and optimizes the utilization of common resources e.g. CPU & cache usage, file systems, and network sockets. On most systems, the kernel is one of the first programs loaded on startup. It handles the rest of startup as well as memory, peripherals, and input/output (I/O) requests from software, translating them into data-processing instructions for the central processing unit.

An embedded hypervisor is a hypervisor that supports the requirements of embedded systems.

<span class="mw-page-title-main">Qubes OS</span> Security-focused Linux-based operating system

Qubes OS is a security-focused desktop operating system that aims to provide security through isolation. Isolation is provided through the use of virtualization technology. This allows the segmentation of applications into secure virtual machines called qubes. Virtualization services in Qubes OS are provided by the Xen hypervisor.

<span class="mw-page-title-main">Rump kernel</span> Software run in userspace that offers kernel functionality

The NetBSD rump kernel is the first implementation of the "anykernel" concept where drivers either can be compiled into or run in the monolithic kernel or in user space on top of a light-weight kernel. The NetBSD drivers can be used on top of the rump kernel on a wide range of POSIX operating systems, such as the Hurd, Linux, NetBSD, DragonFly BSD, Solaris kernels and even Cygwin, along with the file system utilities built with the rump libraries. The rump kernels can also run without POSIX directly on top of the Xen hypervisor, an L4 microkernel using the Genode OS Framework or even on "OS-less" bare metal.

OSv is a cloud computing focused computer operating system released on September 16, 2013. It is a special-purpose operating system built to run as a guest on top of a virtual machine, thus it does not include drivers for bare-metal hardware. It is a unikernel, designed to run a single Linux executable or an application written in one of the supported runtime environments. For this reason, it does not support a notion of users or processes - everything runs in the kernel address space. Using a single address space removes some of the time-consuming operations associated with context switching. It uses large amounts of code from the FreeBSD operating system, in particular the network stack and the ZFS file system. OSv can be managed using a REST Management API and an optional command-line interface written in Lua.

<span class="mw-page-title-main">Anil Madhavapeddy</span> Irish computer scientist

Anil Madhavapeddy is the Professor of Planetary Computing at the Department of Computer Science and Technology in the University of Cambridge, a Fellow of Pembroke College, Cambridge, and a J M Keynes Fellow. He is the Founding Director of the Cambridge Centre for Carbon Credits, aiming to distribute funds raised through the sale of carbon credits in a verifiable manner.

References

  1. 1 2 "Unikernels: Rise of the Virtual Library Operating System" . Retrieved 31 August 2015.
  2. Tanenbaum, Andrew S. (2008). Modern Operating Systems (3rd ed.). Prentice Hall. pp.  50–51. ISBN   978-0-13-600663-3. . . . nearly all system calls [are] invoked from C programs by calling a library procedure . . . The library procedure . . . executes a TRAP instruction to switch from user mode to kernel mode and start execution . . .
  3. Context switch#User and kernel mode switching
  4. Chia-Che, Tsai; Arora, Kumar-Saurabh; Bandi, Nehal; Jain, Bhushan; Jannen, William; John, Jitin; Kalodner, Harry; Kulkarni, Vrushali; Oliviera, Daniela; Porter, Donald E. (2014). "Cooperation and security isolation of library OSes for multi-process applications". Proceedings of the Ninth European Conference on Computer Systems (PDF). pp. 1–14. CiteSeerX   10.1.1.589.1837 . doi:10.1145/2592798.2592812. ISBN   9781450327046. S2CID   13771821. Archived from the original (PDF) on 2016-03-04. Retrieved 2015-08-31.
  5. "Why Unikernels Can Improve Internet Security". April 2015. Retrieved 31 August 2015.
  6. Madhavapeddy, Anil; Mortier, Richard; Charalampos, Rotsos; Scott, David; Singh, Balraj; Gazagnaire, Thomas; Smith, Steven; Hand, Steven; Crowcroft, Jon (March 2013). "Unikernels: Library Operating Systems for the Cloud" (PDF). SIGPLAN Notices (ASPLOS 13). 48 (4): 461. doi:10.1145/2499368.2451167.
  7. Kaloper-Meršinjak, David; Mehnert, Hannes; Madhavapeddy, Anil; Sewell, Peter (2015). "Not-Quite-So-Broken TLS: Lessons in Re-Engineering a Security Protocol Specification and Implementation". Proceedings of the 24th USENIX Security Symposium (USENIX Security 15).
  8. Madhavapeddy, Anil; Mortier, Richard; Sohan, Ripduman; Gazagnaire, Thomas; Hand, Steven; Deegan, Tim; McAuley, Derek; Crowcroft, Jon (2010). "Turning Down the LAMP: Software Specialisation for the Cloud" (PDF). Proceedings of the 2nd USENIX Conference on Hot Topics in Cloud Computing.
  9. Martins, Joao; Mohamed, Ahmed; Raiciu, Costin; Huici, Felipe (2013). "Enabling fast, dynamic network processing with clickOS". Proceedings of the second ACM SIGCOMM workshop on Hot topics in software defined networking (PDF). pp. 67–72. doi:10.1145/2491185.2491195. ISBN   9781450321785. S2CID   12514038.
  10. Kuenzer, Simon; Bădoiu, Vlad-Andrei; Lefeuvre, Hugo; Santhanam, Sharan; Jung, Alexander; Gain, Gaulthier; Soldani, Cyril; Lupu, Costin; Teodorescu, Ştefan; Răducanu, Costi; Banu, Cristian (2021-04-21). "Unikraft: fast, specialized unikernels the easy way". Proceedings of the Sixteenth European Conference on Computer Systems. Online Event United Kingdom: ACM. pp. 376–394. arXiv: 2104.12721 . doi:10.1145/3447786.3456248. ISBN   978-1-4503-8334-9. S2CID   241528818.
  11. "Just-in-Time Summoning of Unikernels (v0.2)". Magnus Skjegstad. Retrieved 30 August 2015.
  12. "Zerg". Zerg — an instance per request demo. Retrieved 30 August 2015.
  13. Madhavapeddy, Anil; Leonard, Thomas; Skjegstad, Magnus; Gazagnaire, Thomas; Sheets, David; Scott, David; Mortier, Richard; Chaudhry, Amir; Singh, Balraj; Ludlam, Jon; Crowcroft, Jon; Leslie, Ian (2015). Jitsu: Just-In-Time Summoning of Unikernels (PDF). ISBN   978-1-931971-218.{{cite book}}: |journal= ignored (help)
This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.