First prototype: Unikernels as a stage in the evolution of Linux

In early July, a group of engineers from Red Hat and Boston University released a whitepaper proposing to move the monolithic Linux kernel toward a unikernel architecture. We looked into the paper and at how the IT community reacted to the proposal.





Photo - Eamonn Maguire - Unsplash



Unikernels as an alternative



Linux is known to use a monolithic kernel. It manages processes, network functions, peripherals, and file system access. However, as the authors of the Red Hat and Boston University paper write (page 1), this structure has its drawbacks. In particular, high-performance applications are forced to use frameworks such as DPDK and SPDK to get unhindered access to I/O devices, bypassing the kernel.



Certain difficulties also arise in the cloud. For greater security, enterprise applications are deployed in separate virtual machines, each running a full-fledged operating system. As a result, server computing resources are not spent in the most optimal way.



An alternative approach, unikernels, can improve the situation. The idea is to link the application with the operating system libraries it needs and compile them into a single binary. That "binary" is then used to boot the system. This approach makes it possible to specialize the OS functionality to the needs of a particular application.


Such a system spends its resources more efficiently. Unikernels also perform better than a monolithic kernel architecture. The reason is the simplified I/O paths: all data and files live in a single address space, and there is no need for context switches between user space and kernel space.
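The paragraph above attributes the performance gain to eliminating user-space/kernel-space transitions. The following microbenchmark is an added example written for this article (it is not code from the paper, from UKL, or from any of the projects mentioned) that makes that cost visible: it times the same trivial work done through a system call, which crosses the privilege boundary twice, and through an ordinary function call inside one address space, which is the path a unikernel takes. It assumes Linux (it uses `syscall(SYS_getpid)`); the iteration counts are arbitrary.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <stdint.h>
#include <time.h>
#include <unistd.h>
#include <sys/syscall.h>

/* Added example, not from the paper or from UKL.  Measures the cost of a
 * user->kernel->user round trip against a plain function call in the same
 * address space.  Assumes Linux so that SYS_getpid is available. */

static volatile long sink;   /* keeps the compiler from dropping the loops */

/* A plain function call: stays in user space, no privilege transition. */
static long __attribute__((noinline)) plain_call(long x)
{
    return x + 1;
}

static uint64_t now_ns(void)
{
    struct timespec ts;
    clock_gettime(CLOCK_MONOTONIC, &ts);
    return (uint64_t)ts.tv_sec * 1000000000ull + (uint64_t)ts.tv_nsec;
}

/* Average nanoseconds per iteration for `iters` direct getpid syscalls.
 * syscall(2) is used so glibc cannot answer from a cached value. */
double syscall_cost_ns(long iters)
{
    uint64_t t0 = now_ns();
    for (long i = 0; i < iters; i++)
        sink = syscall(SYS_getpid);
    uint64_t t1 = now_ns();
    return (double)(t1 - t0) / (double)iters;
}

/* Average nanoseconds per iteration for `iters` plain function calls. */
double call_cost_ns(long iters)
{
    uint64_t t0 = now_ns();
    for (long i = 0; i < iters; i++)
        sink = plain_call(i);
    uint64_t t1 = now_ns();
    return (double)(t1 - t0) / (double)iters;
}

int main(void)
{
    const long iters = 1000000;   /* arbitrary; large enough to average out timer noise */
    double sc = syscall_cost_ns(iters);
    double fc = call_cost_ns(iters);
    printf("syscall : %.1f ns/iter\n", sc);
    printf("function: %.1f ns/iter\n", fc);
    if (fc > 0.0)
        printf("ratio   : %.0fx\n", sc / fc);
    return 0;
}
```

Build with `cc -O2 bench.c -o bench` and run it a few times; the absolute numbers depend on the CPU and on kernel mitigations (Spectre/Meltdown mitigations in particular make the syscall path noticeably slower), but the gap between the two columns is the transition cost the article is talking about. Note that this measures only the privilege boundary crossing, not the I/O path simplification that the paper also credits.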



A team of engineers from Boston University and Red Hat developed a unikernel-based Linux prototype. The operating system is called Unikernel Linux (UKL).



What did the engineers do



According to the developers (p. 3), they changed only eleven lines and added twenty new lines of code to Linux kernel v5.0.5 and glibc. The "classic" kernel remains operational: the user can choose the build method (UKL or not).



The authors created a small UKL library containing special "stubs" that mask unused system calls. They also modified the kernel linker to define a new type of segment, for example TLS (thread-local storage) from ELF binaries. The build process was also modified; it now combines the application code, glibc, and the UKL library into one binary.



The engineers are working on a number of shortcomings. For example, they plan to move TLS memory out of kernel space and to abandon vmalloc for memory allocation in order to simplify the system.



Opinions



Red Hat developers say that UKL can be a full-fledged alternative for running processes that work directly with hardware (bypassing the kernel). The authors of the original paper state (p. 2) that the memcached caching service runs 200% faster under a unikernel than under Linux.



Overall, the IT community responded positively to the authors' initiative. Hacker News commenters noted that a unikernel architecture will significantly increase the security of the software environment: if an application is compromised, the attacker gains access only to that application's binary.




Photos - Jack Young - Unsplash



One Hacker News commenter even proposed a radical solution: rewrite the Linux kernel as a unikernel from scratch in Rust. In his view, the language would solve the problem of the large number of memory-safety bugs. Another user called the idea good but suggested waiting a few years for the language developers to sort out library instabilities. One enthusiast, though, is already writing an operating system in Rust; the sources can be found on GitHub.



Other implementations



UKL is not the only implementation of a unikernel-based operating system. For example, a similar solution is being developed by a team of engineers from the Polytechnic University of Virginia, Qualcomm, and the Rhine-Westphalian Technical University of Aachen in Germany. Their lightweight kernel is called HermiTux. It allows applications to be launched quickly on top of a hypervisor: according to the authors, boot time does not exceed 0.1 seconds. Memory consumption in the test environment is 9 MB, ten times less than the classic Linux kernel.



It also makes sense to mention MirageOS, developed in OCaml. The kernel can run on top of the Xen, KVM, bhyve, and VMM (OpenBSD) hypervisors, as well as on mobile platforms. The system supports several dozen OCaml libraries for network operations (DNS, SSH, OpenFlow, HTTP, XMPP), working with storage, and parallel data processing. MirageOS can be called one of the first successful unikernel projects. Interestingly, its blog site is also implemented as a unikernel.



These operating systems are already used in production environments by many organizations, for example Cambridge University, IBM, Ericsson, and Docker. It is likely that Unikernel Linux will soon join them.





