In the last few years, a number of open source projects have started to build interesting new technologies to create faster and more secure and scalable cloud applications. The name: unikernels. The goal: develop a new breed of applications (or port existing ones) for the cloud that significantly improve security, performance and scalability by reducing the traditional layer-cake application stack into a single unikernel virtual machine (VM) image. In other words, the operating system, any libraries you need and the application itself are compiled into a small unikernel image.
Traditional application stacks run in parallel within an operating system, which in turn may run in a virtual machine (VM). The operating system manages resources and isolates applications from one another. In a unikernel, a single application runs in a single VM, relying instead on the hypervisor to isolate those VMs. Unikernels are constructed by using “library operating systems,” from which the user selects the minimal set of services required for an application to run. In some unikernels, the compiler and linker eliminate all code that is not used and package the rest into a single image that can be directly deployed to the cloud. These sealed, fixed-purpose images run directly on a hypervisor without an intervening guest OS such as Linux.
Unikernels also deliver impressive flexibility, speed and versatility for cross-platform environments, big data analytics and scale-out cloud computing. Like container-based solutions, unikernels fulfill the promise of easy deployment, but also offer an extremely tiny, specialized runtime footprint that is much less vulnerable to attack.
A number of unikernel open source projects are beginning to take off, each with its own unique focus and approach. For example, MirageOS and HaLVM take a clean-slate approach and emphasize safety and security; ClickOS stresses speed; while OSv and Rump kernels aim for compatibility with existing applications. Both OSv and Rump kernels have made significant progress in porting existing applications: for example, MySQL, PHP and Nginx have been ported to Rump kernels, whereas many applications such as Tomcat, Jetty, Cassandra, OpenJDK and others have been ported to OSv. Meanwhile, MirageOS has demonstrated 1 MB unikernels that serve DNS, Git and SSL web traffic with complete type safety down to the device drivers.
Here’s a closer look at this new, more secure approach for deploying cloud services.
Unikernel Applications Are Easy To Deploy
The basic development and deployment model for unikernel applications is somewhat different from your traditional application stack, where an application is delivered as a set of binaries, packages or some sort of installer. Different unikernels take slightly distinct approaches, but in all cases the unikernel application is in effect a VM image, which can be deployed directly into the cloud with zero configuration. This is not all that different from the “build once, deploy everywhere” model used by Docker, for example.
Let’s look at two unikernels that each have a different workflow.
The typical development workflow for MirageOS is that a developer writes the unikernel application on a local machine (e.g., Mac OS X) and compiles it against a local target. The correct libraries are provisioned through the OPAM package manager and included in the test image. The rationale for not developing directly in a hypervisor is that richer development tools are available locally. After all, a unikernel image is a VM image that contains nothing but configuration data and the libraries and services that are used by the application. When the application has been tested, the developer builds a VM image and deploys it into a Xen-based cloud.
Since MirageOS unikernels are so lean, they can even be checked into version control themselves. This approach has been practiced by the MirageOS community for more than two years and has proven to be extremely flexible and agile. A recent post by Amir Chaudhry on “Heroku for Unikernels” describes the kind of end-to-end workflows that the team is using.
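As an added illustration of the workflow just described (this is not code from the article or from the MirageOS project), here is a minimal MirageOS unikernel in the two-file layout the Mirage 2.x tooling expects, with the configure and build commands as comments. It assumes the Mirage 2.x `V1_LWT` signatures and the `--unix`/`--xen` configure flags of that era; the `loop` helper and the log text are constructed for this example.

```ocaml
(* ---- config.ml: selects which library-OS services are linked in ---- *)
open Mirage

(* The only device this unikernel asks for is a console. No network
   stack, block device or filesystem is linked into the image, so none
   of that code exists in the resulting VM to be attacked. *)
let main = foreign "Unikernel.Main" (console @-> job)

let () = register "console" [ main $ default_console ]

(* ---- unikernel.ml: the application itself ---- *)
open Lwt

(* Main is a functor over the console implementation chosen at
   configure time (a Unix stub or the Xen console), so the same source
   builds both the local test binary and the Xen VM image. *)
module Main (C : V1_LWT.CONSOLE) = struct
  let start c =
    (* Log a few lines, one per second, then let the unikernel exit. *)
    let rec loop n =
      if n = 0 then return_unit
      else
        C.log_s c (Printf.sprintf "hello from a unikernel (%d left)" n)
        >>= fun () ->
        OS.Time.sleep 1.0 >>= fun () ->
        loop (n - 1)
    in
    loop 5
end

(* Workflow (assumes the Mirage 2.x command line):
   mirage configure --unix   # local test build against the Unix stubs
   make && ./mir-console     # run it as an ordinary process for testing
   mirage configure --xen    # regenerate the build for the Xen target
   make                      # produces mir-console.xen, the VM image
   xl create -c console.xl   # boot it under Xen with the console attached *)
```

The Xen build produces a small standalone kernel image plus a generated `.xl` config, which is the artifact that gets checked in or shipped to the cloud.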
In the case of OSv, Cloudius Systems developed a tool for rapidly building and running OSv applications called Capstan. “Capstan is as simple and fast as using Docker for creating containers, but the result is a complete VM image that will run on any hypervisor with OSv support,” according to Cloudius Systems.
How Unikernels Deliver Better Security
Security is a key concern as industries move toward networked, scale-out designs with new and varying workloads and data types. Adam Wick, creator of the Haskell Lightweight Virtual Machine (HaLVM) and a research lead at Galois Inc., which counts the U.S. Department of Defense and DARPA as clients, says 2015 is already turning out to be a break-out year for security.
“Cloud computing has been a hot topic for several years now, and we’ve seen a wealth of projects and technologies that take advantage of the flexibility the cloud offers,” said Wick. “At the same time though, we’ve seen record-breaking security breach after record-breaking security breach.”
The creator of MirageOS, Anil Madhavapeddy, says it’s “simply irresponsible to continue to knowingly provision code that is potentially unsafe, and especially so as we head into a year full of promise about smart cities and ubiquitous Internet of Things.”
Galois, which specializes in R&D for new technologies, says enterprises are increasingly interested in the ability to cleanly separate functionality to limit the effect of a breach to just the component affected, rather than infecting the whole system. For next-generation and in-house clouds, unikernels make it possible to run thousands of small VMs per host.
Galois uses this capability in its CyberChaff project, which uses minimal VMs to improve intrusion detection on sensitive networks, while others have used similar mechanisms to save considerable cost in hardware, electricity and cooling, all while reducing the attack surface exposed to malicious hackers.
Traditional application stacks running in Linux, and to a lesser degree Docker images, rely on a fairly heavyweight core OS to provide critical services. Thus, a vulnerability in the Linux kernel affects every Linux container, Wick said. In contrast, unikernels follow an à la carte approach: only the minimal functionality and services needed to run the application are present within a unikernel image. Writing an exploit to attack a unikernel application is therefore much more difficult than doing the same for traditional application stacks.
Cloudius Systems, which is running a private beta of OSv, which it bills as “the operating system for the cloud,” recognizes that progress is being made on making container technologies more secure.
“Rocket is indeed an improvement over Docker, but containers aren’t a multi-tenant solution by design,” said CEO Dor Laor. “No matter how many SELinux Linux policies you throw on containers, the attack surface will still span all aspects of the kernel.”
Conclusion
The key takeaway for organizations worried about security is that they should treat their infrastructure in a less monolithic way. Unikernels allow for the careful management of particularly critical portions of an organization’s data and processing needs. While it does take some extra work to build unikernel applications, it’s getting easier every day as more developers address orchestration, logging and monitoring challenges. At the same time, unikernels are no harder to package and deploy than Docker containers. This means unikernels are coming of age just as many developers are getting serious about security as they begin to build scale-out, distributed systems.
About the Author/Lars Kurth
Lars Kurth is the Xen Project Advisory Board Chairman. A Collaborative Project at The Linux Foundation, the Xen Project community is focused on advancing virtualization in a number of different commercial and open source market segments, including server virtualization, Infrastructure as a Service (IaaS), desktop virtualization, security applications, embedded and hardware appliances. Designed from the start for cloud computing, Xen Project members include: Amazon Web Services, AMD, ARM, Cavium, Cisco, Citrix, Google, Intel, NetApp, Oracle, Rackspace, and Verizon Terremark. For more information, please visit XenProject.org.