Hypervisor , Container , Unikernel in cloud systems

1. Sinan KÖRDEMİR

2. AGENDA
 Hypervisor
 Container
 What is Unikernel
 How it works
 Why & Why not
 Different Approaches of Unikernels
 Unikernel Security

3.  in short terms we can define hypervisor as virtual machine manager
 is a program that allows multiple operating systems to share a single
hardware host. Each operating system appears to have the
host's processor, memory, and other resources all to itself. However, the
hypervisor is actually controlling the host processor and resources,
allocating what is needed to each operating system in turn and making
sure that the guest operating systems (called virtual machines) cannot
disrupt each other.
Hypervisor

4. Hypervisor

5.  Containers-as-a-service is a type of
infrastructure-as-a-service specifically
geared toward efficiently running a single
application.
 A container is a form of operating system
virtualization that is more efficient than
typical hardware virtualization. It provides
the necessary computing resources to run an
application as if it is the only application
running in the operating system
Container

6.  A container is an isolated process. Thus,
conceptually a container is like a VM in that it
thinks that it’s the only show in town.
 A container leverages the operating system of the
host computer. Hence, there is no mixing and
matching. You cannot have a Windows host
computer running a Linux container.
Container

7. Hypervisor vs Container
 Unlike a VM, in a container
you are not running a
complete instance or image of
an operating system, with
kernels, drivers, and shared
libraries.
Instead, an entire stack of
containers, whether it be dozens
or hundreds or even thousands
are able to run on top of a single
instance of the host operating
system, in a tiny fraction of a
footprint of a comparable VM
running the same application.

8.  in short terms we can define unikernel as
library operating systems
 Unikernels are single-purpose appliances that
are compile-time specialised into standalone
kernels and sealed against modification when
deployed to a cloud platform.
What is Unikernel
 More layers tricky config
 Duplicaiton inefficiency
 Large sizes long boot times
 More stuff larger attack surface

9. Code you want to run
+
Operating System libraries
=
Standalone unikernel
What is Unikernel
A unikernel is a compiled binary that
sists directly machine’s hypervisor
Unikernel compiles your source code in a
custom operationg system that includes
only the functionality required by your
application logic. That makes it small, fast
and secure.
How it works

10.  unikernels provide all the advantages of virtual
machines (VMs) and containers
 unikernels are considerably lower overhead, which
could lead to more agile and lower-cost cloud
computing.
 The small size of unikernels means that apps can be
moved around faster and more cost effectively,
considering that network bandwidth doesn’t come
cheaply in the cloud.
What is Unikernel

11.  Extremely fast startup
 More flexible infrastructure
 Single-purpose appliances
 Greater latitude to respond to the needs of the
moment
 There is just enough code to make the application run
What is Unikernel

12. Why & Why not ?
WHY
Unikernels offer significant reduction in
image sizes, improved effiecency and
security and should reduce operational
costs
 reduced memory footprint
 Greatly reduced need for disk space
 Faster load times lower latencies
 reduced attack surface
WHY NOT
 If your application needs much disk
space and processor , unikernels
won't provide you much
 There are a lot of softwares for other
operating systems, but if you will use
unikernels, you have to write your
own libraries
 “shared kernel” strategy has its
weakest link in that “shared kernel”
itself.

13. DIFFERENT APPROACHES TO CONSTRUCT UNIKERNELS
There are different approaches to constructing unikernels.
Approach Name Focus on
ClickOS Speed (boots under 30ms) (tiny agile virtual machines
for network processing)
HaLVM safety and security
LING Speed (boots under 100ms)
MirageOS safety and security
Rump Kernels compatibility with legacy software
OSv compatibility with legacy software

14. Linux, as well as Linux containers and Docker images,
rely on a fairly heavyweight core OS to provide critical
services. Because of this, a vulnerability in the Linux
kernel affects every Linux container
unikernels only include the minimal functionality and
systems needed to run an application or service, all of
which makes writing an exploit to attack them much
more difficult
Unikernel Security

15.  Benefit from the strong isolation guarantees of
hardware virtualization and a trusted computing base
that is orders of magnitude smaller than that of
container technologies.
 There is no shell, you cannot exec() a new process , you
don’t even need to include a full TCP stack. So there is
very little exploit code can do to gain a permanent
foothold in the system
Unikernel Security

16.  Unikernels allow for the careful management of
particularly critical portions of an organization’s data
and processing needs.
While it does take some extra work, it’s getting easier
every day as more developers work on solving challenges
with orchestration, logging and monitoring
Unikernel Security

17. THANKS