Unikernel

[Figure: Comparison of a traditional OS stack and a MirageOS unikernel]

A unikernel is a type of computer program that is statically linked with the operating system code on which it depends. Unikernels are built with a specialized compiler that identifies the operating system services that a program uses and links it with one or more library operating systems that provide them. Such a program requires no separate operating system and can run instead as the guest of a hypervisor. [1]


The unikernel architecture builds on concepts developed by Exokernel and Nemesis in the late 1990s.

Design

In a library operating system, protection boundaries are pushed to the lowest hardware layers, resulting in:

  1. a set of libraries that implement mechanisms such as those needed to drive hardware or talk network protocols;
  2. a set of policies that enforce access control and isolation in the application layer.

The library OS architecture has several advantages and disadvantages compared with conventional OS designs. One advantage is that, since there is only a single address space, there is no need for repeated privilege transitions to move data between user space and kernel space. A library OS can therefore provide improved performance by allowing direct access to hardware without transitioning between user mode and kernel mode (on a traditional kernel this transition consists of a single TRAP instruction [2] and is not the same as a context switch [3]). Performance gains may also be realised by eliminating the need to copy data between user space and kernel space, although this is also possible with zero-copy device drivers in traditional operating systems.

A disadvantage is that because there is no separation, trying to run multiple applications side by side in a library OS, but with strong resource isolation, can become complex. [4] In addition, device drivers are required for the specific hardware the library OS runs on. Since hardware is rapidly changing this creates the burden of regularly rewriting drivers to remain up to date.

OS virtualization can overcome some of these drawbacks on commodity hardware. A modern hypervisor provides virtual machines with CPU time and strongly isolated virtual devices. A library OS running as a virtual machine only needs to implement drivers for these stable virtual hardware devices and can depend on the hypervisor to drive the real physical hardware. However, protocol libraries are still needed to replace the services of a traditional operating system. Creating these protocol libraries is where the bulk of the work lies when implementing a modern library OS. [1] Additionally, reliance on a hypervisor may reintroduce performance overheads when switching between the unikernel and hypervisor, and when passing data to and from hypervisor virtual devices.

By reducing the amount of code deployed, unikernels necessarily reduce the likely attack surface and therefore have improved security properties. [5] [6]

An example unikernel-based messaging client has around 4% the size of the equivalent code bases using Linux. [7]
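The linking step described above, in which only the OS services a program actually reaches are included in the image, and the resulting reduction in deployed code, as an added illustration in Python. This is a constructed model written for this article, not MirageOS or any real unikernel toolchain; the module names, dependencies and line counts are invented.

```python
from collections import deque

# Constructed library-OS component graph (not from any real project):
# module name -> (lines of code, modules it depends on)
LIBRARY_OS = {
    "app_messaging": (2_000, ["tls", "tcp", "console"]),
    "tls":           (5_000, ["tcp", "crypto"]),
    "crypto":        (8_000, []),
    "tcp":           (6_000, ["ipv4", "ethernet"]),
    "ipv4":          (3_000, ["ethernet"]),
    "ipv6":          (4_000, ["ethernet"]),
    "ethernet":      (1_000, ["virtio_net"]),
    "virtio_net":    (1_500, []),   # driver for a stable virtual device only
    "console":       (300, []),
    # Services a general-purpose kernel ships whether or not the app uses them
    "block":         (2_000, []),
    "fat32_fs":      (12_000, ["block"]),
    "usb_stack":     (30_000, []),
    "printer":       (4_000, ["usb_stack"]),
    "shell":         (9_000, ["console", "fat32_fs"]),
}


def reachable(entry, graph):
    """Modules transitively required by `entry` (breadth-first walk).
    A dependency missing from the graph is a build error, not silently dropped."""
    seen, todo = set(), deque([entry])
    while todo:
        mod = todo.popleft()
        if mod in seen:
            continue
        if mod not in graph:
            raise ValueError(f"unresolved dependency: {mod}")
        seen.add(mod)
        todo.extend(graph[mod][1])
    return seen


def link_unikernel(entry, graph=LIBRARY_OS):
    """Return (sorted linked modules, total lines of code in the image)."""
    mods = reachable(entry, graph)
    return sorted(mods), sum(graph[m][0] for m in mods)


def deployed_fraction(entry, graph=LIBRARY_OS):
    """Share of the whole library OS that actually ships: a proxy for attack surface."""
    _, image_size = link_unikernel(entry, graph)
    return image_size / sum(loc for loc, _ in graph.values())
```

For the constructed graph, `link_unikernel("app_messaging")` links eight modules (26,800 lines) and leaves the filesystem, USB, printer, shell and IPv6 code out of the image entirely.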

Due to the nature of their construction, it is possible to perform whole-system optimisation across device drivers and application logic, thus improving specialisation. [8] [9] [10] For example, off-the-shelf applications such as nginx, SQLite, and Redis running over a unikernel have shown a 1.7x-2.7x performance improvement. [11]

Unikernels have been regularly shown to boot extremely quickly, in time to respond to incoming requests before the requests time out. [12] [13] [14]

Unikernels lend themselves to creating systems that follow the service-oriented or microservices software architectures.

Unikernels are unsuitable for the kind of general-purpose, multi-user computing that traditional operating systems are used for, due to their high degree of specialization. Adding functionality to or altering a compiled unikernel is generally not possible; instead, the approach is to compile and deploy a new unikernel with the desired changes.


References

  1. "Unikernels: Rise of the Virtual Library Operating System". Retrieved 31 August 2015.
  2. Tanenbaum, Andrew S. (2008). Modern Operating Systems (3rd ed.). Prentice Hall. pp. 50–51. ISBN 978-0-13-600663-3. "... nearly all system calls [are] invoked from C programs by calling a library procedure ... The library procedure ... executes a TRAP instruction to switch from user mode to kernel mode and start execution ..."
  3. Context switch § User and kernel mode switching.
  4. Tsai, Chia-Che; Arora, Kumar-Saurabh; Bandi, Nehal; Jain, Bhushan; Jannen, William; John, Jitin; Kalodner, Harry; Kulkarni, Vrushali; Oliveira, Daniela; Porter, Donald E. (2014). "Cooperation and security isolation of library OSes for multi-process applications". Proceedings of the Ninth European Conference on Computer Systems (PDF). pp. 1–14. CiteSeerX 10.1.1.589.1837. doi:10.1145/2592798.2592812. ISBN 9781450327046. S2CID 13771821. Archived from the original (PDF) on 2016-03-04. Retrieved 2015-08-31.
  5. "Why Unikernels Can Improve Internet Security". April 2015. Retrieved 31 August 2015.
  6. Madhavapeddy, Anil; Mortier, Richard; Rotsos, Charalampos; Scott, David; Singh, Balraj; Gazagnaire, Thomas; Smith, Steven; Hand, Steven; Crowcroft, Jon (March 2013). "Unikernels: Library Operating Systems for the Cloud" (PDF). SIGPLAN Notices (ASPLOS 13). 48 (4): 461. doi:10.1145/2499368.2451167.
  7. Kaloper-Meršinjak, David; Mehnert, Hannes; Madhavapeddy, Anil; Sewell, Peter (2015). "Not-Quite-So-Broken TLS: Lessons in Re-Engineering a Security Protocol Specification and Implementation". Proceedings of the 24th USENIX Security Symposium (USENIX Security 15).
  8. Thibault, Samuel; Deegan, Tim (2008). "Improving Performance by Embedding HPC Applications in Lightweight Xen Domains" (PDF). 2nd Workshop on System-level Virtualization for High Performance Computing (HPCVIRT'08). doi:10.1145/1435452.1435454.
  9. Madhavapeddy, Anil; Mortier, Richard; Sohan, Ripduman; Gazagnaire, Thomas; Hand, Steven; Deegan, Tim; McAuley, Derek; Crowcroft, Jon (2010). "Turning Down the LAMP: Software Specialisation for the Cloud" (PDF). Proceedings of the 2nd USENIX Conference on Hot Topics in Cloud Computing.
  10. Martins, Joao; Ahmed, Mohamed; Raiciu, Costin; Huici, Felipe (2013). "Enabling fast, dynamic network processing with clickOS". Proceedings of the second ACM SIGCOMM workshop on Hot topics in software defined networking (PDF). pp. 67–72. doi:10.1145/2491185.2491195. ISBN 9781450321785. S2CID 12514038.
  11. Kuenzer, Simon; Bădoiu, Vlad-Andrei; Lefeuvre, Hugo; Santhanam, Sharan; Jung, Alexander; Gain, Gaulthier; Soldani, Cyril; Lupu, Costin; Teodorescu, Ştefan; Răducanu, Costi; Banu, Cristian (2021-04-21). "Unikraft: fast, specialized unikernels the easy way". Proceedings of the Sixteenth European Conference on Computer Systems. Online Event, United Kingdom: ACM. pp. 376–394. arXiv:2104.12721. doi:10.1145/3447786.3456248. ISBN 978-1-4503-8334-9. S2CID 241528818.
  12. "Just-in-Time Summoning of Unikernels (v0.2)". Magnus Skjegstad. Retrieved 30 August 2015.
  13. "Zerg". Zerg: an instance per request demo. Retrieved 30 August 2015.
  14. Madhavapeddy, Anil; Leonard, Thomas; Skjegstad, Magnus; Gazagnaire, Thomas; Sheets, David; Scott, David; Mortier, Richard; Chaudhry, Amir; Singh, Balraj; Ludlam, Jon; Crowcroft, Jon; Leslie, Ian (2015). "Jitsu: Just-In-Time Summoning of Unikernels" (PDF). The 12th USENIX Conference on Networked Systems Design and Implementation (NSDI). ISBN 978-1-931971-218.