Unikernels: Library Operating Systems for the Cloud
Operating system virtualization has revolutionised the economics of large-scale computing by providing a platform on which customers rent resources to host virtual machines (VMs).
Each VM presents as a self-contained computer, booting a standard OS kernel and running unmodified application processes. Each VM is usually specialised to a particular role, e.g., a database or a webserver, and scaling out involves cloning VMs from a template image. Despite this shift from applications running on multi-user operating systems to provisioning many instances of single-purpose VMs, little actual specialisation occurs in the image that is deployed to the cloud: it still carries a general-purpose kernel, a full userland and the attack surface that comes with them.
We take an extreme position on specialisation, treating the final VM image as a single-purpose appliance rather than a general-purpose system by stripping away functionality at compile-time. Specifically, our contributions are: the unikernel approach to providing sealed single-purpose appliances, particularly suitable for providing cloud services; evaluation of a complete implementation of these techniques using a functional programming language (OCaml), showing that the benefits of type-safety need not damage performance; and libraries and language extensions supporting systems programming in OCaml.
The unikernel approach builds on past work in library OSs.
- The entire software stack of system libraries, language runtime, and applications is compiled into a single bootable VM image that runs directly on a standard hypervisor.
- By targeting a standard hypervisor, unikernels avoid the hardware compatibility problems encountered by traditional library OSs such as Exokernel and Nemesis.
- By eschewing backward compatibility, in contrast to Drawbridge, unikernels address cloud services rather than desktop applications.
- By targeting the commodity cloud with a library OS, unikernels can provide greater performance and improved security compared to Singularity.
- Finally, in contrast to Libra which provides a libOS abstraction for the JVM over Xen but relies on a separate Linux VM instance to provide networking and storage, unikernels are more highly-specialised single-purpose appliance VMs that directly integrate communication protocols.
We describe a complete unikernel prototype in the form of our OCaml-based Mirage implementation. We evaluate it via micro-benchmarks and appliances providing DNS, OpenFlow, and HTTP. We find that sacrificing source-level backward compatibility allows us to increase performance while significantly improving the security of external-facing cloud services. We retain compatibility with external systems via standard network protocols such as TCP/IP, rather than attempting to support POSIX or other conventional standards for application construction. For example, the Mirage DNS server outperforms both BIND 9 (by 45%) and the high-performance NSD server, while using far smaller VM images: our unikernel appliance image was just 200 kB while the BIND appliance was over 400 MB.
We close by discussing our experiences building Mirage and its position within the state of the art.