A Binary Compatible Unikernel Pierre Olivier*, Daniel Chiba*, Stefan Lankes+, Changwoo Min*, Binoy Ravidnran* *Virginia Tech, +RWTH Aachen University VEE’19 - 04/14/2019 Unikernels Presentation Full-fledged Virtual Machine Linux distribution Application Libraries OS interface Linux used Kernel Hypervisor Hardware 2/11 Unikernels Presentation Full-fledged Virtual Machine Linux Legend : distribution Useful software Software bloat Application Libraries OS interface Linux used Kernel Hypervisor Hardware 2/11 Unikernels Presentation Full-fledged Virtual Machine Linux Legend : distribution Useful software Software bloat Application Unikernel Libraries Application OS interface Linux Libraries used Kernel OS Layer Hypervisor Hardware 2/11 I single-* I Single purpose: run 1 application I Single process I Single binary and single address space for application + kernel I No user/kernel protection needed I Lightweight virtualization, alternative to containers I Security advantage: small attack surface and high isolation I Per-application tailored kernel I LibOS/Exokernel model I Reduced OS noise, increased performance I Low system call latency I App + kernel in ring 0, system calls are function calls Unikernels Presentation (2) Unikernel: application + dependencies + thin OS compiled as a static binary running on top of a hypervisor 3/11 I Lightweight virtualization, alternative to containers I Security advantage: small attack surface and high isolation I Per-application tailored kernel I LibOS/Exokernel model I Reduced OS noise, increased performance I Low system call latency I App + kernel in ring 0, system calls are function calls Unikernels Presentation (2) Unikernel: application + dependencies + thin OS compiled as a static binary running on top of a hypervisor I single-* I Single purpose: run 1 application I Single process I Single binary and single address space for application + kernel I No user/kernel protection needed 3/11 I Per-application tailored kernel I LibOS/Exokernel model I Reduced OS noise, increased performance I Low system call latency I App + kernel in ring 0, system calls are function calls Unikernels Presentation (2) Unikernel: application + dependencies + thin OS compiled as a static binary running on top of a hypervisor I single-* I Single purpose: run 1 application I Single process I Single binary and single address space for application + kernel I No user/kernel protection needed I Lightweight virtualization, alternative to containers I Security advantage: small attack surface and high isolation 3/11 I Reduced OS noise, increased performance I Low system call latency I App + kernel in ring 0, system calls are function calls Unikernels Presentation (2) Unikernel: application + dependencies + thin OS compiled as a static binary running on top of a hypervisor I single-* I Single purpose: run 1 application I Single process I Single binary and single address space for application + kernel I No user/kernel protection needed I Lightweight virtualization, alternative to containers I Security advantage: small attack surface and high isolation I Per-application tailored kernel I LibOS/Exokernel model 3/11 Unikernels Presentation (2) Unikernel: application + dependencies + thin OS compiled as a static binary running on top of a hypervisor I single-* I Single purpose: run 1 application I Single process I Single binary and single address space for application + kernel I No user/kernel protection needed I Lightweight virtualization, alternative to containers I Security advantage: small attack surface and high isolation I Per-application tailored kernel I LibOS/Exokernel model I Reduced OS noise, increased performance I Low system call latency I App + kernel in ring 0, system calls are function calls 3/11 Because it is hard to port existing applications! Unikernels The Issue I Unikernels have plenty of benefits to bring I Unikernels have plenty of application domains I They are very popular in academia . I . but why (nearly) nobody uses them in the industry? 4/11 Unikernels The Issue I Unikernels have plenty of benefits to bring I Unikernels have plenty of application domains I They are very popular in academia . I . but why (nearly) nobody uses them in the industry? Because it is hard to port existing applications! 4/11 I Proprietary software ! source code not available I Incompatible language I Unsupported features I Porting is hard, needs knowledge about both application and unikernel I Complex build toolchains HermiTux Solution I A unikernel binary-compatible with Linux I For x86-64 for now Unikernels The Issue: Porting to Unikernels Application Execution src Build Unikernel (compile, binary Unikernel & link, etc.) libraries src 5/11 I Incompatible language I Unsupported features I Porting is hard, needs knowledge about both application and unikernel I Complex build toolchains HermiTux Solution I A unikernel binary-compatible with Linux I For x86-64 for now Unikernels The Issue: Porting to Unikernels Application Execution src Build Unikernel (compile, binary Unikernel & link, etc.) libraries src I Proprietary software ! source code not available 5/11 I Unsupported features I Porting is hard, needs knowledge about both application and unikernel I Complex build toolchains HermiTux Solution I A unikernel binary-compatible with Linux I For x86-64 for now Unikernels The Issue: Porting to Unikernels Application Execution src Build Unikernel (compile, binary Unikernel & link, etc.) libraries src I Proprietary software ! source code not available I Incompatible language 5/11 I Porting is hard, needs knowledge about both application and unikernel I Complex build toolchains HermiTux Solution I A unikernel binary-compatible with Linux I For x86-64 for now Unikernels The Issue: Porting to Unikernels Application Execution src Build Unikernel (compile, binary Unikernel & link, etc.) libraries src I Proprietary software ! source code not available I Incompatible language I Unsupported features 5/11 I Complex build toolchains HermiTux Solution I A unikernel binary-compatible with Linux I For x86-64 for now Unikernels The Issue: Porting to Unikernels Application Execution src Build Unikernel (compile, binary Unikernel & link, etc.) libraries src I Proprietary software ! source code not available I Incompatible language I Unsupported features I Porting is hard, needs knowledge about both application and unikernel 5/11 HermiTux Solution I A unikernel binary-compatible with Linux I For x86-64 for now Unikernels The Issue: Porting to Unikernels Application Execution src Unikernel Build binary Unikernel & (compile, libraries src link, etc.) I Proprietary software ! source code not available I Incompatible language I Unsupported features I Porting is hard, needs knowledge about both application and unikernel I Complex build toolchains 5/11 Unikernels The Issue: Porting to Unikernels I Proprietary software ! source code not available I Incompatible language I Unsupported features I Porting is hard, needs knowledge about both application and unikernel I Complex build toolchains HermiTux Solution I A unikernel binary-compatible with Linux I For x86-64 for now 5/11 I ELF loader convention I Load-time Stack layout I Syscalls I Kernel adapted from HermitCore I Complete/partial support for 80+ syscalls I How to maintain unikernel benefits without access to the application sources? I Fast system calls and modularity Unikernels Overview I Linux ABI convention: 6/11 I Syscalls I Kernel adapted from HermitCore I Complete/partial support for 80+ syscalls I How to maintain unikernel benefits without access to the application sources? I Fast system calls and modularity Unikernels Overview I Linux ABI convention: I ELF loader convention I Load-time Stack layout 6/11 I Kernel adapted from HermitCore I Complete/partial support for 80+ syscalls I How to maintain unikernel benefits without access to the application sources? I Fast system calls and modularity Unikernels Overview I Linux ABI convention: I ELF loader convention I Load-time Stack layout I Syscalls 6/11 I Complete/partial support for 80+ syscalls I How to maintain unikernel benefits without access to the application sources? I Fast system calls and modularity Unikernels Overview I Linux ABI convention: I ELF loader convention I Load-time Stack layout I Syscalls I Kernel adapted Hypervisor: uHyve from HermitCore Host: Linux kernel KVM 6/11 I Complete/partial support for 80+ syscalls I How to maintain unikernel benefits without access to the application sources? I Fast system calls and modularity Unikernels Overview I Linux ABI convention: I ELF loader convention I Load-time Stack t layout Single-address space VM s e I Syscalls u G I Kernel adapted t Hypervisor: uHyve s from HermitCore o H Host: Linux kernel KVM 6/11 I Complete/partial support for 80+ syscalls I How to maintain unikernel benefits without access to the application sources? I Fast system calls and modularity Unikernels Overview I Linux ABI convention: I ELF loader convention Native I Load-time Stack t layout Linux s e I Syscalls App. u G Load I Kernel adapted t Hypervisor: uHyve s from HermitCore o H Host: Linux kernel KVM 6/11 I Complete/partial support for 80+ syscalls I How to maintain unikernel benefits without access to the application sources? I Fast system calls and modularity Unikernels Overview I Linux ABI convention: I ELF loader convention Native I Load-time Stack t layout Linux s Hermitux e I Syscalls kernel App. u G Load I Kernel adapted t Hypervisor: uHyve s from HermitCore o H Host: Linux kernel KVM 6/11 I Complete/partial support for 80+ syscalls I How to maintain unikernel benefits without access to the application sources? I Fast system calls and modularity Unikernels Overview I Linux ABI convention: Init. stack and jump to entry point I ELF loader convention Native I Load-time Stack t layout Linux s Hermitux e I Syscalls kernel App. u G Load I Kernel adapted t Hypervisor: uHyve s from HermitCore o H Host: Linux kernel KVM 6/11 I How to maintain unikernel benefits without access to the application sources? I Fast system calls and modularity Unikernels Overview I Linux ABI convention: Init. stack and jump to entry point I ELF loader convention handler Native I Load-time Stack Syscall t layout Linux s Hermitux e I Syscalls App.