Unikernels and Cloud Computing
Download as PPTX, PDF0 likes887 views
This document provides an overview of unikernels including definitions, how they work, advantages, approaches and security aspects. A unikernel is defined as a library operating system that compiles an application and required OS libraries into a single standalone executable. It provides the benefits of containers and VMs but with lower overhead through a minimized attack surface and footprint. Different approaches focus on speed, safety or compatibility. Unikernel security is enhanced through strong isolation, a small trusted computing base and limiting what executable code can do.
Unikernels and Cloud Computing
- 2. AGENDA Hypervisor Container What is Unikernel How it works Why & Why not Different Approaches of Unikernels Unikernel Security
- 3. in short terms we can define hypervisor as virtual machine manager is a program that allows multiple operating systems to share a single hardware host. Each operating system appears to have the host's processor, memory, and other resources all to itself. However, the hypervisor is actually controlling the host processor and resources, allocating what is needed to each operating system in turn and making sure that the guest operating systems (called virtual machines) cannot disrupt each other. Hypervisor
- 4. Hypervisor
- 5. Containers-as-a-service is a type of infrastructure-as-a-service specifically geared toward efficiently running a single application. A container is a form of operating system virtualization that is more efficient than typical hardware virtualization. It provides the necessary computing resources to run an application as if it is the only application running in the operating system Container
- 6. A container is an isolated process. Thus, conceptually a container is like a VM in that it thinks that it’s the only show in town. A container leverages the operating system of the host computer. Hence, there is no mixing and matching. You cannot have a Windows host computer running a Linux container. Container
- 7. Hypervisor vs Container Unlike a VM, in a container you are not running a complete instance or image of an operating system, with kernels, drivers, and shared libraries. Instead, an entire stack of containers, whether it be dozens or hundreds or even thousands are able to run on top of a single instance of the host operating system, in a tiny fraction of a footprint of a comparable VM running the same application.
- 8. in short terms we can define unikernel as library operating systems Unikernels are single-purpose appliances that are compile-time specialised into standalone kernels and sealed against modification when deployed to a cloud platform. What is Unikernel More layers tricky config Duplicaiton inefficiency Large sizes long boot times More stuff larger attack surface
- 9. Code you want to run + Operating System libraries = Standalone unikernel What is Unikernel A unikernel is a compiled binary that sists directly machine’s hypervisor Unikernel compiles your source code in a custom operationg system that includes only the functionality required by your application logic. That makes it small, fast and secure. How it works
- 10. unikernels provide all the advantages of virtual machines (VMs) and containers unikernels are considerably lower overhead, which could lead to more agile and lower-cost cloud computing. The small size of unikernels means that apps can be moved around faster and more cost effectively, considering that network bandwidth doesn’t come cheaply in the cloud. What is Unikernel
- 11. Extremely fast startup More flexible infrastructure Single-purpose appliances Greater latitude to respond to the needs of the moment There is just enough code to make the application run What is Unikernel
- 12. Why & Why not ? WHY Unikernels offer significant reduction in image sizes, improved effiecency and security and should reduce operational costs reduced memory footprint Greatly reduced need for disk space Faster load times lower latencies reduced attack surface WHY NOT If your application needs much disk space and processor , unikernels won't provide you much There are a lot of softwares for other operating systems, but if you will use unikernels, you have to write your own libraries “shared kernel” strategy has its weakest link in that “shared kernel” itself.
- 13. DIFFERENT APPROACHES TO CONSTRUCT UNIKERNELS There are different approaches to constructing unikernels. Approach Name Focus on ClickOS Speed (boots under 30ms) (tiny agile virtual machines for network processing) HaLVM safety and security LING Speed (boots under 100ms) MirageOS safety and security Rump Kernels compatibility with legacy software OSv compatibility with legacy software
- 14. Linux, as well as Linux containers and Docker images, rely on a fairly heavyweight core OS to provide critical services. Because of this, a vulnerability in the Linux kernel affects every Linux container unikernels only include the minimal functionality and systems needed to run an application or service, all of which makes writing an exploit to attack them much more difficult Unikernel Security
- 15. Benefit from the strong isolation guarantees of hardware virtualization and a trusted computing base that is orders of magnitude smaller than that of container technologies. There is no shell, you cannot exec() a new process , you don’t even need to include a full TCP stack. So there is very little exploit code can do to gain a permanent foothold in the system Unikernel Security
- 16. Unikernels allow for the careful management of particularly critical portions of an organization’s data and processing needs. While it does take some extra work, it’s getting easier every day as more developers work on solving challenges with orchestration, logging and monitoring Unikernel Security
- 17. THANKS