Clear Thoughts on Cloudy Subjects
Musings about the Xen Project, Clouds, virtualization, Open Source, and everything else that piques my technical interest.
The Next Generation Cloud: Behold the Rise of the Unikernel!
The First Generation Cloud Dealt with Orchestration; The Next Generation Will Deal with Applications
During the past decade, the world of the cloud has been consumed with orchestration: How can we make an infrastructure which can adapt to the needs of the enterprise? Words like automation, flexibility, and control have ruled the world of the cloud to date.
But now that a number of cloud orchestration projects have begun to mature, it's time to take a look at the applications themselves. Until now, the applications which dwell in clouds look suspiciously like the applications which inhabited the traditional datacenter. And while they may function pretty well, they are not really designed with an agile infrastructure in mind.
Make It Small, Make It Fast
In the world of the cloud, it would make sense to have small applications which are lightweight and nimble. They should be quick to start and stop. They should do what they need to do and then get out of the way so that valuable compute resources can be focused on applications which require compute power -- like databases, for instance.
Docker has made inroads in this area by using container technology to share the operating system space between many applications. Virtual machines contain a full operating system for each instance, which requires lots of disk space, lots of memory, and prolonged startup and shutdown times. Docker-type solutions keep memory usage down, make startups and shutdowns lightning quick, and create application bundles which are easy to deploy.
But shared resources can mean that an exploit of the base operating system can cause the compromise of dozens or even hundreds of applications resident on that host. It also means that multi-tenant situations are difficult to achieve, as shared resources could mean increased ability to see your neighbor's work. If you don't trust your neighbor, you want a wall between the two applications which makes them invisible to each other, just like the solutions already extant in the world of hypervisors.
A more efficient solution would be something even smaller which actually reduces the attack surface available to malicious crackers. It should provide the benefits of container technologies, while providing the isolation and security of hypervisors.
Behold the Unikernel
The solution to this situation could be the Unikernel. Sometimes called "library operating systems," these solutions generate applications which run on a traditional hypervisor, but omit the full, multi-user operating system for the VM. Instead, they replace the guest OS with a bare-bones environment which contains just enough operating system functions to make the application run. Unneeded functionality (like multi-user capabilities and an array of general utilities) is eliminated.
The result is a package which is incredibly lightweight -- many network devices come in at less than a megabyte in size -- and yet more secure than its traditional counterparts. With a very small attack surface and a lack of tools for an attacker to leverage, these tiny applications are fit for use in the security-conscious world of the cloud.
Want to Know More?
There are several Unikernel talks coming up in the next 2 months, including conferences like O'Reilly Software Architecture (Boston, MA) and Linuxfest Northwest (Bellingham, WA). There are also talks at the University of California Berkeley Swarm Lab and the East Bay Linux User's Group (San Francisco CA).
Can't make one of them? Watch the recorded session from SCALE 13x from February 2015 to hear about the world of unikernels: