All you need to know about Unikernels | Characteristics, Implementation, and Benefits

Mohammad Humayun Khan
Nov 28, 2021

As developers, our end goal is, most of the time, to successfully run an application, and container technology helps us achieve it. To run a container, however, we ship the entire set of user-space libraries of the respective distribution along with the application. In most cases, the majority of those libraries are never used by the application. It therefore makes sense to ship the application with only the user-space libraries it actually needs.

Unikernels extend this idea to the kernel: we can also select just the parts of the kernel needed to run the specific application. The result is a single-address-space executable that contains both the application and the kernel components. The image can be deployed on VMs or on bare metal, depending on the unikernel’s type.

According to the unikernels website,

“Unikernels are specialised, single-address-space machine images constructed by using library operating systems”.

Let’s look into unikernels and see how they compare against containers.

Creating Specialized VM Images

The Unikernel goes one step further than other technologies, creating specialized virtual machine images with just:

  • The application code
  • The configuration files of the application
  • The user-space libraries needed by the application
  • The application runtime (like JVM)
  • The system libraries of the unikernel, which allow back and forth communication with the hypervisor.

In the protection-ring model of the x86 architecture, a typical OS kernel runs in ring 0, which has the most privileges, such as access to hardware, while the application runs in ring 3, which has the least privileges. With unikernels, a combined binary of the application and the kernel runs in ring 0.

Unikernel images run directly on top of a hypervisor like Xen or on bare metal, depending on the unikernel type. The following image shows how the Mirage Compiler creates a unikernel VM image.

Comparison of a Traditional OS Stack and a MirageOS Unikernel
(by AmirMC/CC BY-SA 3.0, retrieved from Wikipedia)

Benefits of Unikernels

The following are key benefits of unikernels:

  • A minimalistic VM image to run an application, which allows us to have more applications per host.
  • A faster boot time.
  • Efficient resource utilization.
  • Simplified development and management model.
  • A more secure application than the traditional VM, as the attack surface is reduced.
  • An easily-reproducible VM environment, which can be managed through a source control system like Git.
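The "only what the application needs" selection and the reduced attack surface listed above can be modelled in a few lines. This is an added example, not code from the article or from any unikernel project: the component catalogue, its names and the interfaces attached to them are constructed for illustration, and the closure computation is a simplified stand-in for what a library-OS build does at link time.

```python
# Constructed catalogue of library-OS components (illustrative names, not
# real MirageOS packages): name -> (dependencies, exposed interfaces).
CATALOG = {
    "net-driver":   ([], ["virtual NIC"]),
    "tcpip":        (["net-driver"], ["tcp/ip stack"]),
    "http":         (["tcpip"], ["tcp/80"]),
    "entropy":      ([], []),
    "tls":          (["tcpip", "entropy"], []),
    "block-driver": ([], ["virtual disk"]),
    "filesystem":   (["block-driver"], ["file paths"]),
    "shell":        (["filesystem"], ["command execution"]),
    "sshd":         (["tcpip", "shell", "tls"], ["tcp/22"]),
    "usb":          ([], ["usb devices"]),
}

def link_closure(app_deps, catalog=CATALOG):
    """Components reachable from the application's declared dependencies,
    i.e. what a specialised image would contain."""
    linked, stack = set(), list(app_deps)
    while stack:
        name = stack.pop()
        if name in linked:
            continue  # already linked; also makes cyclic dependencies terminate
        if name not in catalog:
            raise KeyError(f"unresolved dependency: {name}")
        linked.add(name)
        stack.extend(catalog[name][0])
    return linked

def exposed(components, catalog=CATALOG):
    """Union of the interfaces exposed by the given components."""
    return {iface for c in components for iface in catalog[c][1]}

def compare(app_deps, catalog=CATALOG):
    """Contrast a general-purpose image (the whole catalogue) with the
    specialised image built for one application."""
    linked = link_closure(app_deps, catalog)
    removed = exposed(catalog, catalog) - exposed(linked, catalog)
    return {
        "linked": sorted(linked),
        "omitted": sorted(set(catalog) - linked),
        "surface_removed": sorted(removed),
    }

if __name__ == "__main__":
    # Constructed application: a plain HTTP server.
    for key, value in compare(["http"]).items():
        print(f"{key}: {value}")
```

For the constructed HTTP server, the shell, SSH daemon, filesystem and USB support never enter the image, so the interfaces they would expose are absent rather than merely disabled.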

Unikernel Implementations

There are many implementations of unikernels, and they are divided into two categories:

  • Specialized and purpose-built unikernels
    They utilize all the modern features of software and hardware, without worrying about backward compatibility. They are not POSIX-compliant. Some examples of specialized and purpose-built unikernels are LING, HaLVM, MirageOS, and Clive.
  • Generalized ‘fat’ unikernels
    They run unmodified applications, which makes them fat. Some examples of generalized ‘fat’ unikernels are Rumprun, OSv, and Drawbridge.

Unikernels and Docker (MirageOS)

Docker acquired Unikernels to make them first-class citizens of the Docker ecosystem. Both containers and unikernels can co-exist on the same host and can be managed by the same Docker binary.

Unikernels helped Docker to run the Docker Engine on top of Alpine Linux on Mac and Windows with their default hypervisors, which are xhyve Virtual Machine and Hyper-V VM respectively.

Thanks for taking some time out to read this article. 😸

I hope it was informative. Have a great week! 🚀