Unik, Idit Levine, EMC (PowerPoint presentation)


SLIDE 1

EMC CONFIDENTIAL—INTERNAL USE ONLY

Idit Levine

Unik

SLIDE 2

Virtualization Stack

Redundancy in the stack – e.g. Isolation

Stack layers, top to bottom:

  • Application Config
  • Application
  • Language Runtime
  • Shared Libraries
  • Docker Runtime
  • OS User Processes
  • OS Kernel
  • Virtual HW Drivers
  • Hypervisor
  • Hardware Drivers
  • Hardware

The aim is to run a single application with a single user on a single server.

SLIDE 3

Kernel Complexity - Protection

  • Application safe from user
  • Application safe from application
  • User safe from user

SLIDE 4

Inefficiency

  • Needless permission checks: they are hard, and they are an outdated model inherited from the time-sharing computers of the 50s and 60s
  • Microservices architecture duplicates what Linux already did for us
  • The kernel includes a lot of unnecessary drivers that are not being used (e.g. floppy)
  • Updates and patches via yum bring in a lot of unnecessary components

SLIDE 5

Security

  • Very large attack surface
  • A lot of exploits target Linux. It is harder to attack the hypervisor, which is not exposed to the internet
  • Microservices architecture: sharing of kernel, memory, filesystem and hardware. The only thing making it safe is kernel extensions such as cgroups
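The "unnecessary drivers" point from the previous slide and the attack-surface point here can be measured on a general-purpose Linux host. The following is an added example, not part of the deck or of the Unik project: it parses a constructed `/proc/modules` snapshot and lists loaded drivers that nothing references, the floppy-driver situation the slides describe. The sample lines and the `keep` allow-list are assumptions for illustration.

```python
# Added example (not from the slides): flag loaded kernel modules that no
# user or dependent module references, i.e. code that only adds attack surface.
from dataclasses import dataclass

# Constructed sample in /proc/modules format:
# <name> <size> <refcount> <dependents,> <state> <address>
SAMPLE_PROC_MODULES = """\
floppy 77824 0 - Live 0xffffffffc0a00000
ext4 737280 1 - Live 0xffffffffc0900000
mbcache 16384 1 ext4, Live 0xffffffffc0880000
jbd2 131072 1 ext4, Live 0xffffffffc0850000
pcspkr 16384 0 - Live 0xffffffffc0840000
virtio_net 61440 0 - Live 0xffffffffc0800000
"""


@dataclass(frozen=True)
class Module:
    name: str
    size: int           # bytes of kernel text/data the module adds
    refcount: int       # number of users holding a reference
    dependents: tuple   # modules that depend on this one


def parse_proc_modules(text: str) -> list:
    """Parse /proc/modules lines; malformed lines are skipped."""
    modules = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        deps = tuple(d for d in parts[3].split(",") if d and d != "-")
        modules.append(Module(parts[0], int(parts[1]), int(parts[2]), deps))
    return modules


def unused_modules(modules, keep=frozenset()):
    """Modules with no users and no dependents.

    A refcount of 0 does not prove a module is idle: network drivers such
    as virtio_net usually report 0 while carrying traffic, so the caller
    passes drivers it knows are in use via `keep` (an assumed allow-list).
    """
    return [m for m in modules
            if m.refcount == 0 and not m.dependents and m.name not in keep]


def removable_bytes(modules, keep=frozenset()) -> int:
    """Kernel bytes that would leave the attack surface if candidates were unloaded."""
    return sum(m.size for m in unused_modules(modules, keep))


if __name__ == "__main__":
    mods = parse_proc_modules(SAMPLE_PROC_MODULES)
    for m in unused_modules(mods, keep={"virtio_net"}):
        print(f"candidate for removal: {m.name} ({m.size} bytes)")
```

On a real host, read `/proc/modules` instead of the constructed sample; the candidates are what a unikernel build would simply never include.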

SLIDE 6

How did we get here? Evolution!

Unix has supported us the entire way!

SLIDE 7

Decades of backwards compatibility

What can Linux run on? Anything! What can run on Linux? Anything!

SLIDE 8

Trade Off

Compatibility vs. Efficiency

SLIDE 9

Make it work. Make it right. Make it fast.

SLIDE 10

{uni-} {kernel}

uni-: one; having or consisting of one.

kernel: a bridge between applications and the actual data processing done at the hardware level.

SLIDE 11

Unikernel creation

Application Runtime inputs:
  • App Binary
  • App Config
  • App Deps
  • Virt. HW Drivers
  • Language runtime

Packaging Tool -> Unikernel!

SLIDE 12

Unikernel Stack

  • Unikernels deploy directly against the hypervisor
  • Unikernels have their own network stack
  • Unikernels have their own virtualized memory, presented as hardware
  • Unikernels are completely self-contained and ideally immutable as well

[Diagram: seven unikernels, addressed 1.1.1.1 through 1.1.1.7, running directly on the hypervisor]

SLIDE 13

Unikernel Stack

Fewer layers, less code, much simpler!

Stack layers, top to bottom:
  • Application Binary
  • Library OS (Virt. HW Drivers + Language Runtime)
  • Hypervisor
  • Hardware Drivers
  • Hardware

SLIDE 14

Docker Stack vs. Unikernel Stack

Unikernel stack, top to bottom:
  • Application Binary
  • Library OS (Virt. HW Drivers + Language Runtime)
  • Hypervisor
  • Hardware Drivers
  • Hardware

Docker stack, top to bottom:
  • Application Config
  • Application
  • Language Runtime
  • Shared Libraries
  • Docker Runtime
  • OS User Processes
  • OS Kernel
  • Virtual HW Drivers
  • Hypervisor
  • Hardware Drivers
  • Hardware

SLIDE 15

How can unikernels help address our problems?

Current stack, top to bottom:
  • Application Config
  • Application
  • Language Runtime
  • Shared Libraries
  • Docker Runtime
  • OS User Processes
  • OS Kernel
  • Virtual HW Drivers
  • Hypervisor
  • Hardware Drivers
  • Hardware

Minimized layers of isolation and abstraction. Include only what we really need! Less code, fewer bugs, easier to reason about.

SLIDE 16

Unikernel advantages

  • No other users, no multi-user support
  • No permission checks: you can utilise 100% of your hardware
  • Isolation at the virtual hardware, and only there!
  • Only the hardware is shared
  • A minimal virtual machine is ~1 GB in size; a minimal unikernel is tiny, KB in size
  • Very fast boot time
  • A tiny custom attack surface, less likely to be affected by a public exploit

SLIDE 17

  • Backward compatibility
  • Forward compatibility
  • POSIX compliance
  • Language specifics

SLIDE 18

Unik

Unik builds and runs unikernels on a variety of cloud providers through an easy-to-use REST API or a simple command-line tool.

SLIDE 19

vagrant up --provider=aws
unik target 54.209.79.227
unik push unik-demo .
unik run unik-demo

SLIDE 20

Unik is NOT opinionated !

  • Unikernel types
  • Cloud providers
  • Processor architectures

SLIDE 21

Unik hub

Unikernel hub: http://www.unikhub.tk

SLIDE 22

Unik integration with Docker

The Docker API can be used to create unikernels via Unik.

SLIDE 23

Unik integration with Kubernetes

Kubernetes supports Docker, Rocket and now also Unik!

SLIDE 24

Unik with Cloud Foundry

To provide the user with a seamless PaaS experience, Unik is integrated as a backend to the Cloud Foundry runtime.

SLIDE 25

Vision – Internet of Things

SLIDE 26

Vision – Internet of Things

A user pushes a unikernel application to Cloud Foundry. Cloud Foundry deploys the unikernel application on a Raspberry Pi. The application talks to a toaster and makes toast for the user to eat. A classic Internet of Things use case.

SLIDE 27

@Idit_Levine
