Unikernels; A Technology Full of Promise for Mission Critical Systems

What is a Unikernel?

Virtualization technology, whereby multiple operating systems can be run on shared hardware, is extremely well understood if somewhat inefficient in its use of resources. The original virtualization architecture system was based on the implementation of a number of virtual machines (VMs). Every VM has to run its own instance of an operating system, resulting in a duplication of responsibility. It is also hard to manage such an infrastructure as there are multiple servers which are all independent virtual machines.

Containers, like Docker and Kubernetes, try to achieve the same concept as virtual machines but eliminate duplication of effort between machines. Instead of loading an entire operating system for an app, containers use the kernel of the host OS while allowing them to sideload app-specific libraries and programs. By adjusting the container and its image, it is possible to fine-tune the specific libraries and configuration your app will use. This results in performance gains without the overhead of running an entire OS.

The container-based approach has its downsides. The software has to be adapted for usage in containers (containerized), and this can get tricky, especially with legacy codebases. Containers have many more configurations for resource allocation and interop capabilities, so it is quite easy to misconfigure them.

The next logical step in the progression from VMs to containers is unikernels, which try to push the concepts of containers even further. Unikernels are effectively a set of pre-built binary libraries and do not handle resource allocation. A hypervisor handles direct hardware interoperation. All application-specific system calls are pushed as close to the app as possible. Lynx views unikernels as being able to deliver the security strengths of VM level partitioning with the speed and footprint size benefits attributed to containers.

more on Unikernel technology & our focus

Unikernels are not new. This piece written by Ericsson in 2016 illustrates the distinction between different architecture approaches. There are, however, several issues associated with unikernels which have limited their applications until now. These include:

• Debugging. Since a unikernel has no OS running whatsoever, the approach of directly connecting to its shell and investigating does not work
• Producing unikernel images is complicated and requires deep knowledge on the subject
• Current application frameworks have to adapt and produce documentation on usage in unikernels
• The lack of a safety certifiable/certified unikernel for mission critical applications