Unik. Idit Levine. EMC CONFIDENTIAL—INTERNAL USE ONLY
Virtualization Stack. The aim is to run a single application with a single user on a single server. Stack layers, top to bottom: Application Config, Application, Language Runtime, Shared Libraries, Docker Runtime, OS User Processes, OS Kernel, Virtual HW Drivers, Hypervisor, Hardware Drivers, Hardware. Redundancy in the stack, e.g. isolation.
Kernel Complexity - Protection. Application safe from user; user safe from application; application safe from user.
Inefficiency • Needless permission checks; it is a hard and outdated model from the time-sharing computers of the 50s and 60s • Microservices architecture duplicates what Linux already did for us • The kernel includes a lot of unnecessary drivers that are not being used: floppy • Updates and patches using yum bring in a lot of unnecessary components
Security • Very large attack surface • A lot of exploits target Linux. It is harder to attack the hypervisor: it is not exposed to the internet • Microservices architecture sharing: kernel, memory, filesystem, hardware. The only thing that makes it safe is kernel extensions like cgroups
How did we get here? Evolution! Unix has supported us the entire way!
Decades of backwards compatibility. What can Linux run on? Anything! What can run on Linux? Anything!
Trade-off: Compatibility vs. Efficiency
Make it work. Make it right. Make it fast.
{uni-}: one; consisting of one. {kernel}: having a bridge between applications and the actual data processing done at the hardware level.
Unikernel creation. Application (App Binary, App Config, App Deps) plus Runtime (Language runtime, Virt. HW Drivers) go into the Packaging Tool, which produces the Unikernel!
Unikernel Stack (over the Hypervisor) • Unikernels deploy directly against the hypervisor • Unikernels have their own network stack • Unikernels have their own virtualized memory, presented as hardware • Unikernels are completely self-contained and ideally immutable as well
Unikernel Stack, top to bottom: Application Binary, Library OS (Virt. HW Drivers + Language Runtime), Hypervisor, Hardware Drivers, Hardware. Fewer layers, less code, much simpler!
Docker Stack vs. Unikernel Stack. Docker stack, top to bottom: Application Config, Application, Language Runtime, Shared Libraries, Docker Runtime, OS User Processes, OS Kernel, Virtual HW Drivers, Hypervisor, Hardware Drivers, Hardware. Unikernel stack, top to bottom: Application Binary, Library OS (Virt. HW Drivers + Language Runtime), Hypervisor, Hardware Drivers, Hardware.
How can unikernels help address our problems? Shown against the virtualization stack (Application Config, Application, Language Runtime, Shared Libraries, Docker Runtime, OS User Processes, OS Kernel, Virtual HW Drivers, Hypervisor, Hardware Drivers, Hardware): minimized layers of isolation and abstraction; include only what we really need!; less code, fewer bugs, easy to reason about.
Unikernel advantages • No other users, no multi-user support • No permission checks: you can utilise 100 % of your hardware • Isolation at the virtual hardware only! • Only the hardware is shared • A minimum virtual machine is ~1 GB in size; a minimum unikernel is tiny, KB in size • Very fast boot time • A tiny custom attack surface, less likely to be affected by a public exploit
Backward compatibility • Forward compatibility • POSIX compliance • Language specifics
Unik. Unik builds and runs unikernels on a variety of cloud providers through an easy-to-use REST API or a simple command-line tool.
vagrant up --provider=aws
unik target 54.209.79.227
unik push unik-demo .
unik run unik-demo
Unik is NOT opinionated! Unikernel types • Cloud providers • Processor architectures
Unik hub. Unikernel hub: http://www.unikhub.tk
Unik integration with Docker. The Docker API can be used to create unikernels via Unik.
Unik integration with Kubernetes. Kubernetes supports Docker, Rocket and now also Unik!
Unik with Cloud Foundry. To provide the user with a seamless PaaS experience, Unik is integrated as a backend to the Cloud Foundry runtime.
Vision: Internet of Things. A user pushes a unikernel application to Cloud Foundry. Cloud Foundry deploys the unikernel application on a Raspberry Pi. The application talks to a toaster and makes toast for the user to eat. A classic use case of the Internet of Things.
@Idit_Levine