Unik: Unikernel Backend to Cloud Foundry
Post on 18-Jan-2017
© Copyright 2016 EMC Corporation. All rights reserved.
UniK: A platform for automating unikernels compilation and deployment
VIRTUALIZATION STACK
Redundancy in the stack – e.g. Isolation
Application Config
Application
Language Runtime
Shared Libraries
Docker Runtime
OS User Processes
OS Kernel
Virtual HW Drivers
Hypervisor
Hardware Drivers
Hardware
The aim is to run a single application, with a single user, on a single server
KERNEL COMPLEXITY - PROTECTION
Application safe from user
Application safe from application
User safe from user
INEFFICIENCY
• Needless permission checks: they are hard, and an outdated model inherited from the time-sharing computers of the 50s and 60s
• Microservices architectures duplicate what Linux already did for us
• The kernel includes a lot of unnecessary drivers that are never used, e.g. floppy
• Updates and patches via yum bring in a lot of unnecessary components
SECURITY
• Very large attack surface
• Many exploits target Linux. It is harder to attack the hypervisor, which is not exposed to the internet
• Microservices architecture: the kernel, memory, filesystem and hardware are shared. The only thing that makes it safe is a kernel extension like cgroups
LINUX KERNEL LANGUAGES
C
Assembly
C++
XML
Make
Perl
Shell Script
Python
HTML
TeX/LaTeX
AWK
Scheme
Objective-C
Autoconf
XSL Transformation
Vim Script
Automake
SOURCE LINES OF CODE
Small Applications: 10Ks
Medium to large applications: 100Ks
Really huge applications: 1Ms
Linux Kernel SLOC (millions of lines, by release and year):
Linux kernel 2.4.2 (2001): 2.4
Linux kernel 2.6.0 (2003): 5.2
Linux kernel 2.6.29 (2009): 11
Linux kernel 2.6.32 (2009): 12.6
Linux kernel 2.6.35 (2010): 13.5
Linux kernel 3.6 (2012): 15.9
Linux kernel pre-4.2 (2015): 22
Debian SLOC (millions of lines, by release and year):
Debian 2.2 (2000): 59
Debian 3.0 (2002): 104
Debian 3.1 (2005): 215
Debian 4.0 (2007): 283
Debian 5.0 (2009): 324
Debian 7.0 (2012): 419
HOW DID WE GET HERE ? EVOLUTION !
Unix has supported us the entire way!
DECADES OF BACKWARDS COMPATIBILITY
What can Linux run on? Anything!
What can run on Linux? Anything!
{uni-}: one; having or consisting of one.
{kernel}: a bridge between applications and the actual data processing done at the hardware level.
TRADITIONAL APPROACH
Application
Kernel
libc
libz
iconv
openGL
gtk
libgmp
libtlc
libstdc++
libgcc
UNIKERNEL APPROACH
Application
Kernel
libc
libz
iconv
openGL
gtk
libgmp
libtlc
libstdc++
libgcc
UNIKERNEL CREATION
Inputs: App Binary, App Config, App Deps, Virt. HW Drivers, Language runtime, Application Runtime
Packaging Tool -> Unikernel!
UNIKERNEL STACK
• Unikernels deploy directly against the hypervisor
• Unikernels have their own network stack
• Unikernels have their own virtualized memory, presented as hardware
• Unikernels are completely self-contained and ideally immutable
(Figure: a hypervisor hosting seven unikernels, each with its own IP address, 10.10.1.1 through 10.10.1.7)
HOW CAN UNIKERNELS HELP ADDRESS OUR PROBLEMS?
Application Config
Application
Language Runtime
Shared Libraries
Docker Runtime
OS User Processes
OS Kernel
Virtual HW Drivers
Hypervisor
Hardware Drivers
Hardware
Minimal layers of isolation and abstraction
Includes only what is really needed
Less code, fewer bugs, easy to reason about
UNIKERNEL ADVANTAGES
• No other users, no multi-user support
• No permission checks: you can utilize 100% of your hardware
• Isolation at the virtual hardware level only
• Only the hardware is shared
• A minimal virtual machine is ~1 GB in size; a minimal unikernel is tiny, KB in size
• Very short boot time
• A tiny, custom attack surface, less likely to be affected by a public exploit
Backward compatibility
Forward compatibility
POSIX compliance
Language specifics
UniK is an open-source tool written in Go for compiling applications into unikernels and deploying those unikernels across a variety of cloud providers, embedded devices (IoT), and a developer laptop or workstation.
UNIK WORKFLOW
unik daemon
unik build -v /my-volume /path-to-source my-unikernel
unik create-volume path-to-data my-volume
unik run -v my-volume:/my-volume -name my-instance my-unikernel
UNIK IS NOT OPINIONATED !
Unikernel types
Cloud providers
Processor architectures
UNIK INTEGRATION WITH DOCKER
The Docker API can be used to create unikernels via UniK
UNIK INTEGRATION WITH CLOUD FOUNDRY
To provide the user with a seamless PaaS experience, UniK is integrated as a backend to the Cloud Foundry runtime.
INTERNET OF THINGS
UniK will push a unikernel to a Raspberry Pi
The unikernel will communicate with the panini toaster
The toaster will make panini
We will eat panini bread
WELCOME TO THE FUTURE !
OpenSource