unikernels as processes
play

Unikernels as Processes Dan Williams, Ricardo Koller (IBM Research) - PowerPoint PPT Presentation

Nov 18, 2022 •598 likes •894 views

Unikernels as Processes Dan Williams, Ricardo Koller (IBM Research) Martin Lucina (robur.io/Center for the Cultivation of Technology) Nikhil Prakash (BITS Pilani) What is a unikernel? An application linked with library OS components Run

  1. Unikernels as Processes Dan Williams, Ricardo Koller (IBM Research) Martin Lucina (robur.io/Center for the Cultivation of Technology) Nikhil Prakash (BITS Pilani)

  2. What is a unikernel? • An application linked with library OS components • Run on virtual hardware (like) abstraction VM • Language-specific • MirageOS (OCaml) • IncludeOS (C++) • Legacy-oriented • Rumprun (NetBSD-based) • Can run nginx, redis, node.js, python,etc.. 2

  3. Why unikernels? • Lightweight • Only what the application needs • Isolated VM • VM-isolation is the “gold standard” • Well suited for the cloud • Microservices • Serverless • NFV 3

  4. Virtualization is a mixed bag • Good for isolation , but… • Tooling for VMs not designed for lightweight (e.g., lightVM) • How do you debug black-box VMs? • Poor VM performance due to vmexit s • Deployment issues on already-virtualized infrastructure 4

  5. Why not run unikernels as processes? • Unikernels are a single process anyway! • Many benefits as a process Process • Better performance • Common tooling (gdb, perf, etc.) • ASLR • Memory sharing • Architecture independence • Isolation by limiting process interface to host • 98% reduction in accessible kernel functions 5

  6. Outline • Introduction • Where does unikernel isolation come from? • Unikernels as processes • Isolation evaluation • Performance evaluation • Summary 6

  7. Isolation: definitions and assumptions • Isolation : no cloud user can read/write state or modify its execution • Focus on software deficiencies in the host app • Code reachable through interface is a metric for attack surface Host Kernel • We trust HW isolation (page tables, etc.) • We do not consider covert channels, timing channels or resource starvation 7

  8. Unikernel architecture • ukvm unikernel monitor process (e.g., ukvm) monitor • Userspace process • Uses Linux/KVM • Setup and loading • Exit handling KVM Linux I/O devices VT-x 8

  9. Unikernel architecture • ukvm unikernel monitor process (e.g., ukvm) monitor Setup • Userspace process • Uses Linux/KVM • Setup and loading Set up 1 I/O fds • Exit handling KVM Linux I/O devices VT-x 9

  10. Unikernel architecture Virtual CPU context • ukvm unikernel monitor process (e.g., ukvm) monitor Setup • Userspace process • Uses Linux/KVM Load 2 unikernel • Setup and loading Set up 1 I/O fds • Exit handling KVM Linux I/O devices VT-x 10

  11. Unikernel architecture Virtual CPU context • ukvm unikernel monitor process (e.g., ukvm) monitor Setup Exit handling • Userspace process • Uses Linux/KVM Load 2 unikernel • Setup and loading Set up 1 I/O I/O fds • Exit handling KVM Linux I/O devices VT-x 11

  12. Unikernel isolation comes from the interface Hypercall • 10 hypercalls walltime puts • 6 for I/O poll blkinfo • Network: packet level blkwrite • Storage: block level blkread netinfo • vs. >350 syscalls netwrite netread halt 12

  13. Observations • Unikernels are not kernels! • No page table management after setup • No interrupt handlers: cooperative scheduling and poll • The ukvm monitor doesn’t “do” anything! • One-to-one mapping between hypercalls and system calls • Idea: maintain isolation by limiting syscalls available to process 13

  14. Unikernel as process architecture • Tender : modified ukvm tender process unikernel monitor • Userspace process • Uses seccomp to restrict interface • Setup and loading Linux I/O devices 14

  15. Unikernel as process architecture • Tender : modified ukvm tender process unikernel monitor • Userspace process Setup • Uses seccomp to restrict interface Set up 1 • Setup and loading I/O fds Linux I/O devices 15

  16. Unikernel as process architecture • Tender : modified ukvm tender process unikernel monitor • Userspace process Setup • Uses seccomp to restrict interface Set up 1 • Setup and loading I/O fds Load unikernel 2 Linux I/O devices 16

  17. Unikernel as process architecture • Tender : modified ukvm tender process unikernel monitor • Userspace process Setup • Uses seccomp to restrict interface Configure 3 seccomp Set up 1 • Setup and loading I/O fds Load unikernel 2 Linux I/O devices 17

  18. Unikernel as process architecture • Tender : modified ukvm tender process unikernel monitor • Userspace process Setup Exit handling • Uses seccomp to restrict interface Configure 3 seccomp Set up 1 I/O • Setup and loading I/O fds Load unikernel 2 • “Exit” handling Linux I/O devices 18

  19. Unikernel isolation comes from the interface Hypercall • 10 hypercalls walltime puts poll blkinfo • 6 for I/O blkwrite • Network: packet level blkread • Storage: block level netinfo netwrite netread • vs. >350 syscalls halt 19

  20. Unikernel isolation comes from the interface Hypercall System Call Resource • Direct mapping between 10 walltime clock_gettime hypercalls and system stdout puts write call/resource pairs net_fd poll ppoll blkinfo • 6 for I/O blk_fd blkwrite pwrite64 • Network: packet level blk_fd blkread pread64 • Storage: block level netinfo net_fd netwrite write net_fd netread read • vs. >350 syscalls halt exit_group 20

  21. Implementation: nabl nabla ! • Extended Solo5 unikernel ecosystem and ukvm • Prototype supports: • MirageOS • IncludeOS • Rumprun • https://github.com/solo5/solo5 21

  22. Measuring isolation: common applications • Code reachable 1600 through interface is process functions accessed 1400 ukvm a metric for attack Unique kernel 1200 nabla surface 1000 • Used kernel ftrace 800 600 400 • Results: 200 0 • Processes: 5-6x more n n n r r e e g g o d d i i d n n i i e s s x x - - - • VMs: 2-3x more - g s e l a e e x r p t t g r e e s s 22

  23. Measuring isolation: fuzz testing • Used kernel ftrace 700 accept • Used trinity nabla Unique kernel functions 600 system call fuzzer to block 500 try to access more of 30 400 the kernel 300 0 200 0 10 • Results: 100 • Nabla policy reduces 0 by 98% over a 0 50 100 150 200 250 300 “normal” process 23

  24. Measuring performance: throughput • Applications include: 245 200% • Web servers ukvm Normalized throughput 180% nabla QEMU/KVM • Python benchmarks 160% • Redis 140% no I/O with I/O • etc. 120% 100% 80% py_tornado py_chameleon node_fib mirage_HTTP py_2to3 node_express nginx_large redis_get redis_set includeos_TCP nginx includeos_UDP • Results: • 101%-245% higher throughput than ukvm 24

  25. Measuring performance: CPU utilization 120 • vmexit s have an effect on 100 CPU % 80 instructions per cycle (a) 60 40 20 100 0 VMexits/ms 80 • Experiment with MirageOS 60 (b) 40 web server 20 0 IPC (ins/cycle) 1.5 • Results: 1 (c) • 12% reduction in cpu 0.5 nabla utilization over ukvm ukvm 0 0 5000 10000 15000 20000 Requests/sec 25

  26. Measuring performance: startup time • Startup time is important for serverless, NFV QEMU/KVM ukvm nabla process 30 30 30 Hello world 750 Hello world 20 20 20 500 500 • Results: 10 10 10 250 0 • Ukvm has 30-370% higher 0 0 0 0 200 200 200 latency than nabla 1500 1500 HTTP POST 150 150 150 HTTP Post 1000 1000 100 100 100 • Mostly due avoiding KVM 500 500 50 50 50 0 overheads 0 0 0 0 2 4 6 8 10 12 14 16 2 4 6 8 10 12 14 16 2 4 6 8 10 12 14 16 2 4 6 8 10 12 14 16 0 2 4 6 8 Number of cores 26

  27. Summary and Next Steps • Unikernels should run as processes! • Maintain isolation via thin interface • Improve performance, etc. Process • Next steps: can unikernels as processes be used to improve container isolation? • Nabla containers • https://nabla-containers.github.io/ 27

  28. 28

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

uniprof: Transparent Unikernel Performance Profiling & Debugging Florian Schmidt, Research

uniprof: Transparent Unikernel Performance Profiling & Debugging Florian Schmidt, Research

uniprof: Transparent Unikernel Performance Profiling & Debugging Florian Schmidt, Research Scientist, NEC Europe Ltd. Unikernels? Faster, smaller, better! 2 Unikernels? Faster, smaller, better! clip arts: clipproject.info Unikernels

1.14k views • 71 slides
Solo5: A sandboxed, re-targetable execution environment for unikernels Dan Williams (IBM

Solo5: A sandboxed, re-targetable execution environment for unikernels Dan Williams (IBM

03/02/2019 Solo5: A sandboxed, re-targetable execution environment for unikernels Solo5: A sandboxed, re-targetable execution environment for unikernels Dan Williams (IBM Research), djwillia@us.ibm.com Martin Lucina (robur.io / CCT),

679 views • 32 slides
Using U Unikernels to E o Enhan ance t the Attac ack- Resistance of S of Spire, a Ne a

Using U Unikernels to E o Enhan ance t the Attac ack- Resistance of S of Spire, a Ne a

Using U Unikernels to E o Enhan ance t the Attac ack- Resistance of S of Spire, a Ne a Network work-A -Attac ack-R -Resili lient t Intr In trus usion on-Tole olerant S SCADA f for or th the P Powe ower Gr r Grid Brad

677 views • 30 slides
VMs, Unikernels and Containers: Experiences on the Performance of Virtualiza=on Technologies

VMs, Unikernels and Containers: Experiences on the Performance of Virtualiza=on Technologies

VMs, Unikernels and Containers: Experiences on the Performance of Virtualiza=on Technologies Felipe Huici, Filipe Manco, Jose Mendes, Simon Kuenzer NEC Europe Ltd. (Heidelberg) In the Beginning VM In the Beginning Tinyfied VMs

569 views • 44 slides
Leaving legacy behind Reducing carbon footprint of network services with MirageOS unikernels

Leaving legacy behind Reducing carbon footprint of network services with MirageOS unikernels

Leaving legacy behind Reducing carbon footprint of network services with MirageOS unikernels Hannes Mehnert, https://hannes.nqsb.io 36c3, 27th December 2019, Leipzig 1 / 37 Stack Application Binary Con fi guration Files Programming language

689 views • 37 slides
A Linux in Unikernel Clothing Hsuan-Chi Kuo + , Dan Williams*, Ricardo Koller* and Sibin Mohan + +

A Linux in Unikernel Clothing Hsuan-Chi Kuo + , Dan Williams*, Ricardo Koller* and Sibin Mohan + +

A Linux in Unikernel Clothing Hsuan-Chi Kuo + , Dan Williams*, Ricardo Koller* and Sibin Mohan + + University of Illinois at Urbana-Champaign *IBM Research Lupine Unikernels are great BUT : Unikernels lack full Linux Support App Hermitux:

531 views • 16 slides
Immutable Distributed Infrastructure for Unikernels WG2.8, Greece Anil Madhavapeddy (speaker)

Immutable Distributed Infrastructure for Unikernels WG2.8, Greece Anil Madhavapeddy (speaker)

Immutable Distributed Infrastructure for Unikernels WG2.8, Greece Anil Madhavapeddy (speaker) with Benjamin Farinier and Thomas Gazagnaire University of Cambridge Computer Laboratory May 26, 2015 Anil Madhavapeddy (speaker) with Benjamin

586 views • 39 slides
Unikernels and Event-driven Serverless Platforms Madhuri Yechuri Agenda Bio Application

Unikernels and Event-driven Serverless Platforms Madhuri Yechuri Agenda Bio Application

Unikernels and Event-driven Serverless Platforms Madhuri Yechuri Agenda Bio Application Deployment Paradigms - Past, Present, Future Why Serverless? Advantages of Event-driven Serverless Model Event-driven application: shrink

183 views • 17 slides
Build, Ship, Run Unikernels Justin Cormack 2 Justin Cormack Cambridge based developer at Docker

Build, Ship, Run Unikernels Justin Cormack 2 Justin Cormack Cambridge based developer at Docker

Build, Ship, Run Unikernels Justin Cormack 2 Justin Cormack Cambridge based developer at Docker @justincormack 3 Co-author of Docker in the Trenches: Successful Production Deployment containers 5 6 Linux containers are an

624 views • 43 slides
Implementing Processes Implementing Processes Review: Threads vs vs. Processes . Processes

Implementing Processes Implementing Processes Review: Threads vs vs. Processes . Processes

Implementing Processes Implementing Processes Review: Threads vs vs. Processes . Processes Review: Threads 1. The process is a kernel abstraction for an independent executing program. includes at least one thread of control data also

415 views • 12 slides
Microservices, Unikernels Portland State University CS 430P/530 Internet, Web & Cloud Systems

Microservices, Unikernels Portland State University CS 430P/530 Internet, Web & Cloud Systems

Virtual machines, Containers, Microservices, Unikernels Portland State University CS 430P/530 Internet, Web & Cloud Systems When en disks sks wer ere e flopp ppy.. .. WTH? Portland State University CS 430P/530 Internet, Web &

917 views • 54 slides
Rumprun for Rump Kernels: Instant Unikernels for POSIX applications Martin Lucina, @matolucina 1

Rumprun for Rump Kernels: Instant Unikernels for POSIX applications Martin Lucina, @matolucina 1

Rumprun for Rump Kernels: Instant Unikernels for POSIX applications Martin Lucina, @matolucina 1 / 8 So many Kernels, what are they? Monolithic kernel, Microkernel: standard stuff. Rump kernel: an existing monolithic kernel componentized into

215 views • 8 slides
Birth and Death Processes Today: Birth processes Birth and Death Processes Death

Birth and Death Processes Today: Birth processes Birth and Death Processes Death

Birth and Death Processes Today: Birth processes Birth and Death Processes Death processes Biarth and death processes Bo Friis Nielsen 1 Limiting behaviour of birth and death processes Next week 1 DTU Informatics Finite state

309 views • 7 slides
Processes Variables What makes up a process? program code Stack machine registers

Processes Variables What makes up a process? program code Stack machine registers

Unix processes and threads Processes fork() CSCE 515: wait() & waitpid() Computer Network Programming ------ Processes vs. Threads Threads threads vs. processes Wenyuan Xu synchronization Department of Computer

354 views • 11 slides
Chapter 2: Processes & Threads Chapter 2 Processes and threads Processes Threads

Chapter 2: Processes & Threads Chapter 2 Processes and threads Processes Threads

Chapter 2: Processes & Threads Chapter 2 Processes and threads Processes Threads Scheduling Interprocess communication Classical IPC problems Chapter 2 CMPS 111, UC Santa Cruz 2 What is a process? Code, data, and

1.15k views • 68 slides
Chapter 2: Processes & Threads Chapter 2 Processes and threads n Processes n Threads n

Chapter 2: Processes & Threads Chapter 2 Processes and threads n Processes n Threads n

Chapter 2: Processes & Threads Chapter 2 Processes and threads n Processes n Threads n Scheduling n Interprocess communication n Classical IPC problems CS 1550, cs.pitt.edu 2 Chapter 2 (originaly modified by Ethan What is a process? n

814 views • 42 slides
Processes Focus: Process model Process management case study: Unix/Linux/Mac OS X (Windows is a

Processes Focus: Process model Process management case study: Unix/Linux/Mac OS X (Windows is a

Processes Focus: Process model Process management case study: Unix/Linux/Mac OS X (Windows is a little different.) Operating Systems Problem: unwieldy hardware resources Solution: operating system Operating Systems , a 240 view Focus: key

539 views • 16 slides
Processes and Threads Chi Zhang czhang@cs.fiu.edu 1 Process Concept Process a program

Processes and Threads Chi Zhang czhang@cs.fiu.edu 1 Process Concept Process a program

COP 4225 Advanced Unix Programming Processes and Threads Chi Zhang czhang@cs.fiu.edu 1 Process Concept Process a program in execution; process execution must progress in sequential fashion. A process includes program counter

500 views • 27 slides
StreamBox: Modern Stream Processing on a Multicore Machine Hongyu Miao and Heejin Park, Purdue

StreamBox: Modern Stream Processing on a Multicore Machine Hongyu Miao and Heejin Park, Purdue

StreamBox: Modern Stream Processing on a Multicore Machine Hongyu Miao and Heejin Park, Purdue ECE; Myeongjae Jeon and Gennady Pekhimenko, Microsoft Research; Kathryn S. McKinley, Google; Felix Xiaozhu Lin, Purdue ECE http://xsel.rocks/p/streambox

1.25k views • 65 slides
r -Process Nucleosynthesis of the heavy elements Sean Burcher What is r -Process Rapid

r -Process Nucleosynthesis of the heavy elements Sean Burcher What is r -Process Rapid

r -Process Nucleosynthesis of the heavy elements Sean Burcher What is r -Process Rapid neutron capture The dominant process through which elements heavier than iron are formed (also s-process or slow neutron capture) The exact site of

483 views • 14 slides
Advanced Mac OS X Rootkits Dino Dai Zovi Chief Scientist Endgame Systems Overview

Advanced Mac OS X Rootkits Dino Dai Zovi Chief Scientist Endgame Systems Overview

Advanced Mac OS X Rootkits Dino Dai Zovi Chief Scientist Endgame Systems Overview MacOSXandMach WhyuseMachforrootkits? UsermodeMachrootkittechniques

423 views • 30 slides
Shared Segmentation of Natural Scenes using Dependent Pitman-Yor Processes Erik Sudderth &

Shared Segmentation of Natural Scenes using Dependent Pitman-Yor Processes Erik Sudderth &

Shared Segmentation of Natural Scenes using Dependent Pitman-Yor Processes Erik Sudderth & Michael Jordan University of California, Berkeley bell dome Parsing Visual Scenes temple sky skyscraper trees buildings sky Are Images Bags

1.03k views • 35 slides
Representing Process Variation by Means of a Process Family Borislava I. Simidchieva, Leon J.

Representing Process Variation by Means of a Process Family Borislava I. Simidchieva, Leon J.

Representing Process Variation by Means of a Process Family Borislava I. Simidchieva, Leon J. Osterweil, Lori A. Clarke Laboratory for Advanced Software Engineering Research University of Massachusetts, Amherst Department of Computer Science

923 views • 18 slides
Optimal Communication Logics in Networked Control Systems Yonggang Xu Joo P. Hespanha Center

Optimal Communication Logics in Networked Control Systems Yonggang Xu Joo P. Hespanha Center

Optimal Communication Logics in Networked Control Systems Yonggang Xu Joo P. Hespanha Center for Control Engineering and Computation University of California Santa Barbara Typo in proceedings paper { eq. (22) and eq. above (11) } Please

235 views • 10 slides

More recommend