unikernels as processes
play

Unikernels as Processes Dan Williams, Ricardo Koller (IBM Research) - PowerPoint PPT Presentation

Nov 18, 2022 •598 likes •894 views

Unikernels as Processes Dan Williams, Ricardo Koller (IBM Research) Martin Lucina (robur.io/Center for the Cultivation of Technology) Nikhil Prakash (BITS Pilani) What is a unikernel? An application linked with library OS components Run

  1. Unikernels as Processes Dan Williams, Ricardo Koller (IBM Research) Martin Lucina (robur.io/Center for the Cultivation of Technology) Nikhil Prakash (BITS Pilani)

  2. What is a unikernel? • An application linked with library OS components • Run on virtual hardware (like) abstraction VM • Language-specific • MirageOS (OCaml) • IncludeOS (C++) • Legacy-oriented • Rumprun (NetBSD-based) • Can run nginx, redis, node.js, python,etc.. 2

  3. Why unikernels? • Lightweight • Only what the application needs • Isolated VM • VM-isolation is the “gold standard” • Well suited for the cloud • Microservices • Serverless • NFV 3

  4. Virtualization is a mixed bag • Good for isolation , but… • Tooling for VMs not designed for lightweight (e.g., lightVM) • How do you debug black-box VMs? • Poor VM performance due to vmexit s • Deployment issues on already-virtualized infrastructure 4

  5. Why not run unikernels as processes? • Unikernels are a single process anyway! • Many benefits as a process Process • Better performance • Common tooling (gdb, perf, etc.) • ASLR • Memory sharing • Architecture independence • Isolation by limiting process interface to host • 98% reduction in accessible kernel functions 5

  6. Outline • Introduction • Where does unikernel isolation come from? • Unikernels as processes • Isolation evaluation • Performance evaluation • Summary 6

  7. Isolation: definitions and assumptions • Isolation : no cloud user can read/write state or modify its execution • Focus on software deficiencies in the host app • Code reachable through interface is a metric for attack surface Host Kernel • We trust HW isolation (page tables, etc.) • We do not consider covert channels, timing channels or resource starvation 7

  8. Unikernel architecture • ukvm unikernel monitor process (e.g., ukvm) monitor • Userspace process • Uses Linux/KVM • Setup and loading • Exit handling KVM Linux I/O devices VT-x 8

  9. Unikernel architecture • ukvm unikernel monitor process (e.g., ukvm) monitor Setup • Userspace process • Uses Linux/KVM • Setup and loading Set up 1 I/O fds • Exit handling KVM Linux I/O devices VT-x 9

  10. Unikernel architecture Virtual CPU context • ukvm unikernel monitor process (e.g., ukvm) monitor Setup • Userspace process • Uses Linux/KVM Load 2 unikernel • Setup and loading Set up 1 I/O fds • Exit handling KVM Linux I/O devices VT-x 10

  11. Unikernel architecture Virtual CPU context • ukvm unikernel monitor process (e.g., ukvm) monitor Setup Exit handling • Userspace process • Uses Linux/KVM Load 2 unikernel • Setup and loading Set up 1 I/O I/O fds • Exit handling KVM Linux I/O devices VT-x 11

  12. Unikernel isolation comes from the interface Hypercall • 10 hypercalls walltime puts • 6 for I/O poll blkinfo • Network: packet level blkwrite • Storage: block level blkread netinfo • vs. >350 syscalls netwrite netread halt 12

  13. Observations • Unikernels are not kernels! • No page table management after setup • No interrupt handlers: cooperative scheduling and poll • The ukvm monitor doesn’t “do” anything! • One-to-one mapping between hypercalls and system calls • Idea: maintain isolation by limiting syscalls available to process 13

  14. Unikernel as process architecture • Tender : modified ukvm tender process unikernel monitor • Userspace process • Uses seccomp to restrict interface • Setup and loading Linux I/O devices 14

  15. Unikernel as process architecture • Tender : modified ukvm tender process unikernel monitor • Userspace process Setup • Uses seccomp to restrict interface Set up 1 • Setup and loading I/O fds Linux I/O devices 15

  16. Unikernel as process architecture • Tender : modified ukvm tender process unikernel monitor • Userspace process Setup • Uses seccomp to restrict interface Set up 1 • Setup and loading I/O fds Load unikernel 2 Linux I/O devices 16

  17. Unikernel as process architecture • Tender : modified ukvm tender process unikernel monitor • Userspace process Setup • Uses seccomp to restrict interface Configure 3 seccomp Set up 1 • Setup and loading I/O fds Load unikernel 2 Linux I/O devices 17

  18. Unikernel as process architecture • Tender : modified ukvm tender process unikernel monitor • Userspace process Setup Exit handling • Uses seccomp to restrict interface Configure 3 seccomp Set up 1 I/O • Setup and loading I/O fds Load unikernel 2 • “Exit” handling Linux I/O devices 18

  19. Unikernel isolation comes from the interface Hypercall • 10 hypercalls walltime puts poll blkinfo • 6 for I/O blkwrite • Network: packet level blkread • Storage: block level netinfo netwrite netread • vs. >350 syscalls halt 19

  20. Unikernel isolation comes from the interface Hypercall System Call Resource • Direct mapping between 10 walltime clock_gettime hypercalls and system stdout puts write call/resource pairs net_fd poll ppoll blkinfo • 6 for I/O blk_fd blkwrite pwrite64 • Network: packet level blk_fd blkread pread64 • Storage: block level netinfo net_fd netwrite write net_fd netread read • vs. >350 syscalls halt exit_group 20

  21. Implementation: nabl nabla ! • Extended Solo5 unikernel ecosystem and ukvm • Prototype supports: • MirageOS • IncludeOS • Rumprun • https://github.com/solo5/solo5 21

  22. Measuring isolation: common applications • Code reachable 1600 through interface is process functions accessed 1400 ukvm a metric for attack Unique kernel 1200 nabla surface 1000 • Used kernel ftrace 800 600 400 • Results: 200 0 • Processes: 5-6x more n n n r r e e g g o d d i i d n n i i e s s x x - - - • VMs: 2-3x more - g s e l a e e x r p t t g r e e s s 22

  23. Measuring isolation: fuzz testing • Used kernel ftrace 700 accept • Used trinity nabla Unique kernel functions 600 system call fuzzer to block 500 try to access more of 30 400 the kernel 300 0 200 0 10 • Results: 100 • Nabla policy reduces 0 by 98% over a 0 50 100 150 200 250 300 “normal” process 23

  24. Measuring performance: throughput • Applications include: 245 200% • Web servers ukvm Normalized throughput 180% nabla QEMU/KVM • Python benchmarks 160% • Redis 140% no I/O with I/O • etc. 120% 100% 80% py_tornado py_chameleon node_fib mirage_HTTP py_2to3 node_express nginx_large redis_get redis_set includeos_TCP nginx includeos_UDP • Results: • 101%-245% higher throughput than ukvm 24

  25. Measuring performance: CPU utilization 120 • vmexit s have an effect on 100 CPU % 80 instructions per cycle (a) 60 40 20 100 0 VMexits/ms 80 • Experiment with MirageOS 60 (b) 40 web server 20 0 IPC (ins/cycle) 1.5 • Results: 1 (c) • 12% reduction in cpu 0.5 nabla utilization over ukvm ukvm 0 0 5000 10000 15000 20000 Requests/sec 25

  26. Measuring performance: startup time • Startup time is important for serverless, NFV QEMU/KVM ukvm nabla process 30 30 30 Hello world 750 Hello world 20 20 20 500 500 • Results: 10 10 10 250 0 • Ukvm has 30-370% higher 0 0 0 0 200 200 200 latency than nabla 1500 1500 HTTP POST 150 150 150 HTTP Post 1000 1000 100 100 100 • Mostly due avoiding KVM 500 500 50 50 50 0 overheads 0 0 0 0 2 4 6 8 10 12 14 16 2 4 6 8 10 12 14 16 2 4 6 8 10 12 14 16 2 4 6 8 10 12 14 16 0 2 4 6 8 Number of cores 26

  27. Summary and Next Steps • Unikernels should run as processes! • Maintain isolation via thin interface • Improve performance, etc. Process • Next steps: can unikernels as processes be used to improve container isolation? • Nabla containers • https://nabla-containers.github.io/ 27

  28. 28

Recommend

uniprof: Transparent Unikernel Performance Profiling & Debugging Florian Schmidt, Research

uniprof: Transparent Unikernel Performance Profiling & Debugging Florian Schmidt, Research

uniprof: Transparent Unikernel Performance Profiling & Debugging Florian Schmidt, Research Scientist, NEC Europe Ltd. Unikernels? Faster, smaller, better! 2 Unikernels? Faster, smaller, better! clip arts: clipproject.info Unikernels

1.14k views • 71 slides
Solo5: A sandboxed, re-targetable execution environment for unikernels Dan Williams (IBM

Solo5: A sandboxed, re-targetable execution environment for unikernels Dan Williams (IBM

03/02/2019 Solo5: A sandboxed, re-targetable execution environment for unikernels Solo5: A sandboxed, re-targetable execution environment for unikernels Dan Williams (IBM Research), djwillia@us.ibm.com Martin Lucina (robur.io / CCT),

679 views • 32 slides
Using U Unikernels to E o Enhan ance t the Attac ack- Resistance of S of Spire, a Ne a

Using U Unikernels to E o Enhan ance t the Attac ack- Resistance of S of Spire, a Ne a

Using U Unikernels to E o Enhan ance t the Attac ack- Resistance of S of Spire, a Ne a Network work-A -Attac ack-R -Resili lient t Intr In trus usion on-Tole olerant S SCADA f for or th the P Powe ower Gr r Grid Brad

677 views • 30 slides
VMs, Unikernels and Containers: Experiences on the Performance of Virtualiza=on Technologies

VMs, Unikernels and Containers: Experiences on the Performance of Virtualiza=on Technologies

VMs, Unikernels and Containers: Experiences on the Performance of Virtualiza=on Technologies Felipe Huici, Filipe Manco, Jose Mendes, Simon Kuenzer NEC Europe Ltd. (Heidelberg) In the Beginning VM In the Beginning Tinyfied VMs

569 views • 44 slides
Leaving legacy behind Reducing carbon footprint of network services with MirageOS unikernels

Leaving legacy behind Reducing carbon footprint of network services with MirageOS unikernels

Leaving legacy behind Reducing carbon footprint of network services with MirageOS unikernels Hannes Mehnert, https://hannes.nqsb.io 36c3, 27th December 2019, Leipzig 1 / 37 Stack Application Binary Con fi guration Files Programming language

689 views • 37 slides
A Linux in Unikernel Clothing Hsuan-Chi Kuo + , Dan Williams*, Ricardo Koller* and Sibin Mohan + +

A Linux in Unikernel Clothing Hsuan-Chi Kuo + , Dan Williams*, Ricardo Koller* and Sibin Mohan + +

A Linux in Unikernel Clothing Hsuan-Chi Kuo + , Dan Williams*, Ricardo Koller* and Sibin Mohan + + University of Illinois at Urbana-Champaign *IBM Research Lupine Unikernels are great BUT : Unikernels lack full Linux Support App Hermitux:

531 views • 16 slides
Immutable Distributed Infrastructure for Unikernels WG2.8, Greece Anil Madhavapeddy (speaker)

Immutable Distributed Infrastructure for Unikernels WG2.8, Greece Anil Madhavapeddy (speaker)

Immutable Distributed Infrastructure for Unikernels WG2.8, Greece Anil Madhavapeddy (speaker) with Benjamin Farinier and Thomas Gazagnaire University of Cambridge Computer Laboratory May 26, 2015 Anil Madhavapeddy (speaker) with Benjamin

586 views • 39 slides
Unikernels and Event-driven Serverless Platforms Madhuri Yechuri Agenda Bio Application

Unikernels and Event-driven Serverless Platforms Madhuri Yechuri Agenda Bio Application

Unikernels and Event-driven Serverless Platforms Madhuri Yechuri Agenda Bio Application Deployment Paradigms - Past, Present, Future Why Serverless? Advantages of Event-driven Serverless Model Event-driven application: shrink

183 views • 17 slides
Build, Ship, Run Unikernels Justin Cormack 2 Justin Cormack Cambridge based developer at Docker

Build, Ship, Run Unikernels Justin Cormack 2 Justin Cormack Cambridge based developer at Docker

Build, Ship, Run Unikernels Justin Cormack 2 Justin Cormack Cambridge based developer at Docker @justincormack 3 Co-author of Docker in the Trenches: Successful Production Deployment containers 5 6 Linux containers are an

624 views • 43 slides
Implementing Processes Implementing Processes Review: Threads vs vs. Processes . Processes

Implementing Processes Implementing Processes Review: Threads vs vs. Processes . Processes

Implementing Processes Implementing Processes Review: Threads vs vs. Processes . Processes Review: Threads 1. The process is a kernel abstraction for an independent executing program. includes at least one thread of control data also

416 views • 12 slides
Microservices, Unikernels Portland State University CS 430P/530 Internet, Web & Cloud Systems

Microservices, Unikernels Portland State University CS 430P/530 Internet, Web & Cloud Systems

Virtual machines, Containers, Microservices, Unikernels Portland State University CS 430P/530 Internet, Web & Cloud Systems When en disks sks wer ere e flopp ppy.. .. WTH? Portland State University CS 430P/530 Internet, Web &

917 views • 54 slides
Rumprun for Rump Kernels: Instant Unikernels for POSIX applications Martin Lucina, @matolucina 1

Rumprun for Rump Kernels: Instant Unikernels for POSIX applications Martin Lucina, @matolucina 1

Rumprun for Rump Kernels: Instant Unikernels for POSIX applications Martin Lucina, @matolucina 1 / 8 So many Kernels, what are they? Monolithic kernel, Microkernel: standard stuff. Rump kernel: an existing monolithic kernel componentized into

215 views • 8 slides
Birth and Death Processes Today: Birth processes Birth and Death Processes Death

Birth and Death Processes Today: Birth processes Birth and Death Processes Death

Birth and Death Processes Today: Birth processes Birth and Death Processes Death processes Biarth and death processes Bo Friis Nielsen 1 Limiting behaviour of birth and death processes Next week 1 DTU Informatics Finite state

309 views • 7 slides
Processes Variables What makes up a process? program code Stack machine registers

Processes Variables What makes up a process? program code Stack machine registers

Unix processes and threads Processes fork() CSCE 515: wait() & waitpid() Computer Network Programming ------ Processes vs. Threads Threads threads vs. processes Wenyuan Xu synchronization Department of Computer

354 views • 11 slides
Chapter 2: Processes & Threads Chapter 2 Processes and threads Processes Threads

Chapter 2: Processes & Threads Chapter 2 Processes and threads Processes Threads

Chapter 2: Processes & Threads Chapter 2 Processes and threads Processes Threads Scheduling Interprocess communication Classical IPC problems Chapter 2 CMPS 111, UC Santa Cruz 2 What is a process? Code, data, and

1.15k views • 68 slides
Chapter 2: Processes & Threads Chapter 2 Processes and threads n Processes n Threads n

Chapter 2: Processes & Threads Chapter 2 Processes and threads n Processes n Threads n

Chapter 2: Processes & Threads Chapter 2 Processes and threads n Processes n Threads n Scheduling n Interprocess communication n Classical IPC problems CS 1550, cs.pitt.edu 2 Chapter 2 (originaly modified by Ethan What is a process? n

814 views • 42 slides
Engineering L4:Processes and SPL L4:Processes and SPL Economics People Structures Planning O

Engineering L4:Processes and SPL L4:Processes and SPL Economics People Structures Planning O

Software Product Line Engineering L4:Processes and SPL L4:Processes and SPL Economics People Structures Planning O rganisati B usiness Strategy on Techn. A rchitect ure L4 P rocess Roles Relationships Responsibilities Processes

411 views • 19 slides
1 Implementing processes Primitives of Processes Os needs to keep track of all processes

1 Implementing processes Primitives of Processes Os needs to keep track of all processes

An aside on concurrency Timing and sequence of events are key concurrency issues Processes and We will study classical OS concurrency issues, including implementation and use of classic OS mechanisms to support Non-Preemptive Scheduling

535 views • 7 slides
1 Unstructured data for injection molding* Finding information with CES File Edit View

1 Unstructured data for injection molding* Finding information with CES File Edit View

Process Selection Manufacturing processes Processes and their attributes The text book classified manufacturing processes into three broad categories Screening by attributes Shaping Selecting shape-forming processes Joining

531 views • 7 slides
Programs, Processes, and Threads Programs, Processes, and Threads (Chapter 2) Processes

Programs, Processes, and Threads Programs, Processes, and Threads (Chapter 2) Processes

CPSC 313: Intro to Computer Systems Programs, Processes, Threads Programs, Processes, and Threads Programs, Processes, and Threads (Chapter 2) Processes in UNIX (Chapter 3) Programs, Processes, and Threads Programs, Processes, and

386 views • 11 slides
Renewal Processes Renewal Processes Today: Renewal phenomena Bo Friis Nielsen 1 Next week

Renewal Processes Renewal Processes Today: Renewal phenomena Bo Friis Nielsen 1 Next week

Renewal Processes Renewal Processes Today: Renewal phenomena Bo Friis Nielsen 1 Next week Markov Decision Processes 1 DTU Informatics Three weeks from now Brownian Motion 02407 Stochastic Processes 8, October 27 2020 Bo Friis

568 views • 7 slides
Module 4: Processes Process Concept Process Scheduling Operation on Processes

Module 4: Processes Process Concept Process Scheduling Operation on Processes

' $ Module 4: Processes Process Concept Process Scheduling Operation on Processes Cooperating Processes Threads Interprocess Communication & % Operating System Concepts 4.1 Silberschatz and Galvin c 1998 ' $

384 views • 14 slides
The age of rocks The rate of geological processes Different processes, different timescales:

The age of rocks The rate of geological processes Different processes, different timescales:

FUNDAMENTALS OF EARTH SCIENCE I FALL SEMESTER 2018 The age of rocks The rate of geological processes Different processes, different timescales: A few minutes or less Earthquakes, meteorite impacts Hours to days Floods, typhoons,

611 views • 40 slides
Renewal Processes Bo Friis Nielsen 1 1 DTU Informatics 02407 Stochastic Processes 8, October 27

Renewal Processes Bo Friis Nielsen 1 1 DTU Informatics 02407 Stochastic Processes 8, October 27

Renewal Processes Bo Friis Nielsen 1 1 DTU Informatics 02407 Stochastic Processes 8, October 27 2020 Bo Friis Nielsen Renewal Processes Renewal Processes Today: Renewal phenomena Next week Markov Decision Processes Three weeks from

586 views • 25 slides

More recommend