Unikernels and another way of secure cloud computing

1/31

Unikernels and another way ofsecure cloud computing

Motiejus [email protected]

@mo kelione

2015-11-19

c© 2015. Amazon Web Services, Inc. or its affiliates. All rights reserved.

2/31

Disclaimer

This presentation is intended to give a high leveloverview of the subject matter and is intended fordiscussion purposes. This presentation is notintended to provide an exhaustive analysis of thesubject matter and may differ depending onindividual use cases.


3/31

Table of ContentsIntroduction

Roles of an IT organizationHow to deploy?

Meat of UnikernelsLook ma, no OSWhat’s in a unikernel?Performance benefitsSecurity benefits

Unikernel examplesWhat’s next?

Unmodified applications firstLocal demoIn Amazon EC2

SummaryThanksc© 2015. Amazon Web Services, Inc. or its affiliates. All rights reserved.

4/31

Typical IT organizationRole What system?

Developer

I Cares only about the app.

I Familiar environment (POSIX API).

I Here’s a JAR, make this thing work.

I Hopefully prod matches dev.

Operator FredFlintstone

I Simple systems.

I Predictable systems.

I Speedy deployments and rollbacks.

Security certi-fier Mr Burns

I Auditable components.

I Least possible dependencies.

I Trades convenience for security.


4/31


Developer






I Simple systems.








4/31


Developer






I Simple systems.








4/31


Developer






I Simple systems.








4/31


Developer






I Simple systems.








4/31


Developer






I Simple systems.








4/31


Developer






I Simple systems.








4/31


Developer






I Simple systems.








4/31


Developer






I Simple systems.








4/31


Developer






I Simple systems.








4/31


Developer






I Simple systems.








5/31

How to deploy?Deployment Developer Operations Security

Mutable, full OS.

I Ansible/Chef/Puppet

I Adhoc shell scripts

I AWS Opsworks

Unhappy Unhappy Doesn’tcare

Immutable, full OS.

I Docker

I AMI per release

Happy Unhappy Doesn’tcare

Immutable, no OS.

I Unikernels

Happy Happy Happier


5/31


Mutable, full OS.



I AWS Opsworks


Immutable, full OS.

I Docker

I AMI per release


Immutable, no OS.

I Unikernels

Happy Happy Happier


5/31


Mutable, full OS.



I AWS Opsworks

Unhappy

Unhappy Doesn’tcare

Immutable, full OS.

I Docker

I AMI per release


Immutable, no OS.

I Unikernels

Happy Happy Happier


5/31


Mutable, full OS.



I AWS Opsworks

Unhappy Unhappy

Doesn’tcare

Immutable, full OS.

I Docker

I AMI per release


Immutable, no OS.

I Unikernels

Happy Happy Happier


5/31


Mutable, full OS.



I AWS Opsworks


Immutable, full OS.

I Docker

I AMI per release


Immutable, no OS.

I Unikernels

Happy Happy Happier


5/31


Mutable, full OS.



I AWS Opsworks


Immutable, full OS.

I Docker

I AMI per release


Immutable, no OS.

I Unikernels

Happy Happy Happier


5/31


Mutable, full OS.



I AWS Opsworks


Immutable, full OS.

I Docker

I AMI per release

Happy

Unhappy Doesn’tcare

Immutable, no OS.

I Unikernels

Happy Happy Happier


5/31


Mutable, full OS.



I AWS Opsworks


Immutable, full OS.

I Docker

I AMI per release

Happy Unhappy

Doesn’tcare

Immutable, no OS.

I Unikernels

Happy Happy Happier


5/31


Mutable, full OS.



I AWS Opsworks


Immutable, full OS.

I Docker

I AMI per release


Immutable, no OS.

I Unikernels

Happy Happy Happier


5/31


Mutable, full OS.



I AWS Opsworks


Immutable, full OS.

I Docker

I AMI per release


Immutable, no OS.

I Unikernels

Happy Happy Happier


5/31


Mutable, full OS.



I AWS Opsworks


Immutable, full OS.

I Docker

I AMI per release


Immutable, no OS.

I Unikernels

Happy

Happy Happier


5/31


Mutable, full OS.



I AWS Opsworks


Immutable, full OS.

I Docker

I AMI per release


Immutable, no OS.

I Unikernels

Happy Happy

Happier


5/31


Mutable, full OS.



I AWS Opsworks


Immutable, full OS.

I Docker

I AMI per release


Immutable, no OS.

I Unikernels

Happy Happy Happier


6/31







7/31

Unikernel - Library OS

Traditional VM Unikernel

Configuration files

Application code

Language runtime

User processes

Kernel threads

File System

Network stack

Hypervisor, x86

Application code

Language runtime

Unikernel runtime


7/31



Configuration files

Application code

Language runtime

User processes

Kernel threads

File System

Network stack

Hypervisor, x86

Application code

Language runtime

Unikernel runtime


7/31



Configuration files

Application code

Language runtime

User processes

Kernel threads

File System

Network stack

Hypervisor, x86

Application code

Language runtime

Unikernel runtime


7/31



Configuration files

Application code

Language runtime

User processes

Kernel threads

File System

Network stack

Hypervisor, x86

Application code

Language runtime

Unikernel runtime


7/31



Configuration files

Application code

Language runtime

User processes

Kernel threads

File System

Network stack

Hypervisor, x86

Application code

Language runtime

Unikernel runtime


7/31



Configuration files

Application code

Language runtime

User processes

Kernel threads

File System

Network stack

Hypervisor, x86

Application code

Language runtime

Unikernel runtime


7/31



Configuration files

Application code

Language runtime

User processes

Kernel threads

File System

Network stack

Hypervisor, x86

Application code

Language runtime

Unikernel runtime


7/31



Configuration files

Application code

Language runtime

User processes

Kernel threads

File System

Network stack

Hypervisor, x86

Application code

Language runtime

Unikernel runtime


7/31



Configuration files

Application code

Language runtime

User processes

Kernel threads

File System

Network stack

Hypervisor, x86

Application code

Language runtime

Unikernel runtime


7/31



Configuration files

Application code

Language runtime

User processes

Kernel threads

File System

Network stack

Hypervisor, x86

Application code

Language runtime

Unikernel runtime


7/31



Configuration files

Application code

Language runtime

User processes

Kernel threads

File System

Network stack

Hypervisor, x86

Application code

Language runtime

Unikernel runtime


7/31



Configuration files

Application code

Language runtime

User processes

Kernel threads

File System

Network stack

Hypervisor, x86

Application code

Language runtime

Unikernel runtime


7/31



Configuration files

Application code

Language runtime

User processes

Kernel threads

File System

Network stack

Hypervisor, x86

Application code

Language runtime

Unikernel runtime


7/31



Configuration files

Application code

Language runtime

User processes

Kernel threads

File System

Network stack

Hypervisor, x86

Application code

Language runtime

Unikernel runtime


8/31

IntroductionRoles of an IT organizationHow to deploy?


Unikernel examples

What’s next?Unmodified applications firstLocal demoIn Amazon EC2

Summary

Thanksc© 2015. Amazon Web Services, Inc. or its affiliates. All rights reserved.

8/31

Unikernel has:

I One process, N threads.

I Haha! no context switches.

I API for doing network and IO.

I Possibly application runtime:


8/31

Unikernel has:

I One process, N threads.I Haha! no context switches.




8/31

Unikernel has:





8/31

Unikernel has:





8/31

Unikernel has:





9/31

Where does performance come from?

Traditional style

NIC memory

kernel memory

interrupt

application memory

read()

Unikernel style

NIC memory

unikernel memory

interrupt

is application memory

(Developer happy)


9/31


Traditional style

NIC memory

kernel memory

interrupt

application memory

read()

Unikernel style

NIC memory

unikernel memory

interrupt


(Developer happy)


9/31


Traditional style

NIC memory

kernel memory

interrupt

application memory

read()

Unikernel style

NIC memory

unikernel memory

interrupt


(Developer happy)


9/31


Traditional style

NIC memory

kernel memory

interrupt

application memory

read()

Unikernel style

NIC memory

unikernel memory

interrupt


(Developer happy)


9/31


Traditional style

NIC memory

kernel memory

interrupt

application memory

read()

Unikernel style

NIC memory

unikernel memory

interrupt


(Developer happy)


9/31


Traditional style

NIC memory

kernel memory

interrupt

application memory

read()

Unikernel style

NIC memory

unikernel memory

interrupt


(Developer happy)


9/31


Traditional style

NIC memory

kernel memory

interrupt

application memory

read()

Unikernel style

NIC memory

unikernel memory

interrupt


(Developer happy)


9/31


Traditional style

NIC memory

kernel memory

interrupt

application memory

read()

Unikernel style

NIC memory

unikernel memory

interrupt


(Developer happy)


9/31


Traditional style

NIC memory

kernel memory

interrupt

application memory

read()

Unikernel style

NIC memory

unikernel memory

interrupt


(Developer happy)


10/31

IntroductionRoles of an IT organizationHow to deploy?


Unikernel examples

What’s next?Unmodified applications firstLocal demoIn Amazon EC2

Summary

Thanksc© 2015. Amazon Web Services, Inc. or its affiliates. All rights reserved.

10/31

Security

I Reduced attack surface area.

I No unneeded kernel modules.I No Perl, shell...I Exploited environment is barely usable to useless.

I Some: language is type-safe.

I Some: can do 1 VM per request.

Happy Mr Burns


10/31

Security

I Reduced attack surface area.I No unneeded kernel modules.

I No Perl, shell...I Exploited environment is barely usable to useless.



Happy Mr Burns


10/31

Security

I Reduced attack surface area.I No unneeded kernel modules.I No Perl, shell...

I Exploited environment is barely usable to useless.



Happy Mr Burns


10/31

Security

I Reduced attack surface area.I No unneeded kernel modules.I No Perl, shell...I Exploited environment is barely usable to useless.



Happy Mr Burns


10/31

Security




Happy Mr Burns


10/31

Security




Happy Mr Burns


10/31

Security




Happy Mr Burns


11/31

Why only in 2013?

Virtualization provides uniform APIs for networkand I/O.

E.g. virtio for KVM, netfront/netback for Xen.

I Small set of drivers to implement.

I Makes it economic to create unikernels.


11/31

Why only in 2013?

Virtualization provides uniform APIs for networkand I/O.E.g. virtio for KVM, netfront/netback for Xen.

I Small set of drivers to implement.

I Makes it economic to create unikernels.


12/31







13/31

Classification

Niche : highly optimizedapplications/frameworks.

Generic : general-purpose applications:

Fat : yes POSIX. Compatible.Lean : no POSIX. Needs rewrite.


13/31

Classification





13/31

Classification





13/31

Classification



Fat : yes POSIX. Compatible.

Lean : no POSIX. Needs rewrite.


13/31

Classification





14/31

Mirage OS

Generic lean.

I OCaml-only.

I ⇒ type-safe throughout the stack.

I VM boot time < 10ms

I ⇒ VM per request (inetd-like).

I ⇒ security and economy.

I Typical image sizes: 100s of KB.

Typical application: web services, data processing.


14/31

Mirage OS

Generic lean.

I OCaml-only.








14/31

Mirage OS

Generic lean.

I OCaml-only.








14/31

Mirage OS

Generic lean.

I OCaml-only.








14/31

Mirage OS

Generic lean.

I OCaml-only.








14/31

Mirage OS

Generic lean.

I OCaml-only.








14/31

Mirage OS

Generic lean.

I OCaml-only.








14/31

Mirage OS

Generic lean.

I OCaml-only.








15/31

OSv

Generic Fat.

I Linux ABIs.I Bonus: fast APIs.

I reported significant throughput increases onmemcached.

I Memory allocation tuning:

I JVM.I Memcached.I OOM Killer Manager!

I Subsecond boot times.



15/31

OSv

Generic Fat.

I Linux ABIs.

I Bonus: fast APIs.







15/31

OSv

Generic Fat.








15/31

OSv

Generic Fat.








15/31

OSv

Generic Fat.








15/31

OSv

Generic Fat.



I Memory allocation tuning:I JVM.

I Memcached.I OOM Killer Manager!




15/31

OSv

Generic Fat.



I Memory allocation tuning:I JVM.I Memcached.

I OOM Killer Manager!




15/31

OSv

Generic Fat.



I Memory allocation tuning:I JVM.I Memcached.I OOM Killer Manager!




15/31

OSv

Generic Fat.







15/31

OSv

Generic Fat.







16/31Image source: http://osv.io/benchmarks/c© 2015. Amazon Web Services, Inc. or its affiliates. All rights reserved.

http://osv.io/benchmarks/

17/31

ClickOS

Niche.Optimized for network middleboxes:

I Firewalls.

I Intrusion Detection Systems.

I Load Balancers.

Fun fact: Xen network optimization to the extreme.


17/31

ClickOS

Niche.

Optimized for network middleboxes:

I Firewalls.


I Load Balancers.



17/31

ClickOS


I Firewalls.


I Load Balancers.



17/31

ClickOS


I Firewalls.


I Load Balancers.



17/31

ClickOS


I Firewalls.


I Load Balancers.



17/31

ClickOS


I Firewalls.


I Load Balancers.



17/31

ClickOS


I Firewalls.


I Load Balancers.



18/31







19/31

What do we do next?

Nobody likes rewrites.

Take platforms (JVM, Erlang) and run unmodifiedapps.

I Fully immutable.

I Faster deployment and rollbacks.

I Smaller attack surface.


19/31

What do we do next?

Nobody likes rewrites.Take platforms (JVM, Erlang) and run unmodifiedapps.

I Fully immutable.




19/31

What do we do next?


I Fully immutable.




19/31

What do we do next?


I Fully immutable.




20/31

Local demo

Contents:

I Take a JVM/Spring application.

I Demo on standard Linux.

I Generate the unikernel.

I Run that unikernel locally.

Takeaways:

I Small image size.

I Trivial to implement.


20/31

Local demo

Contents:





Takeaways:

I Small image size.



20/31

Local demo

Contents:





Takeaways:

I Small image size.



20/31

Local demo

Contents:





Takeaways:

I Small image size.



20/31

Local demo

Contents:





Takeaways:

I Small image size.



20/31

Local demo

Contents:





Takeaways:

I Small image size.



20/31

Local demo

Contents:





Takeaways:

I Small image size.



21/31

Running in Amazon EC2

To create a VM image in AWS, do:

% qemu-img convert -f qcow2 -O raw 3.qemu 3.raw

% ./release-ec2.sh \

--override-image 3.raw \

--override-version 3 \

--region us-east-1


22/31

AMI in EC2


23/31

AMI in EC2


24/31

Running OSv in EC2


25/31

Try it out

I Run your unikernel in Free Tier right now.

I t2.micro - $0/month for 1 year.


25/31

Try it out

I Run your unikernel in Free Tier right now.

I t2.micro - $0/month for 1 year.


26/31







27/31

Summary

Library OS: OS embedded to your application.

I Small ⇒ scale quickly.

I Very efficient ⇒ economic.

I Reduced attack surface.

I Runs on public clouds: ⇒ try on EC2, for free.


27/31

Summary







27/31

Summary







27/31

Summary







27/31

Summary







28/31







29/31

Thanks

I Niels Brouwers (Amazon) for the right tools.

I Russel Pavlicek (Citrix) for spreading the word.


30/31

We’re hiring!

I Check out amazon.jobs

I Also, contact me at [email protected]


http://amazon.jobs

mailto:[email protected]

31/31

QA


Unikernels and another way of secure cloud computing

Engineering