Unikernels as Processes

Size: px

Start display at page:

Download "Unikernels as Processes"

Brent Benson
5 years ago
Views:

1 Unikernels as Processes Dan Williams, Ricardo Koller (IBM Research) Martin Lucina (robur.io/center for the Cultivation of Technology) Nikhil Prakash (BITS Pilani)

2 What is a unikernel? An application linked with library OS components Run on virtual hardware (like) abstraction VM Language-specific MirageOS (OCaml) IncludeOS (C++) Legacy-oriented Rumprun (NetBSD-based) Can run nginx, redis, node.js, python,etc.. 2

3 Why unikernels? Lightweight Only what the application needs Isolated VM-isolation is the gold standard Well suited for the cloud Microservices Serverless NFV VM 3

4 Virtualization is a mixed bag Good for isolation, but Tooling for VMs not designed for lightweight (e.g., lightvm) How do you debug black-box VMs? Poor VM performance due to vmexits Deployment issues on already-virtualized infrastructure 4

5 Why not run unikernels as processes? Unikernels are a single process anyway! Many benefits as a process Better performance Common tooling (gdb, perf, etc.) ASLR Memory sharing Architecture independence Isolation by limiting process interface to host 98% reduction in accessible kernel functions Process 5

6 Outline Introduction Where does unikernel isolation come from? Unikernels as processes Isolation evaluation Performance evaluation Summary 6

7 Isolation: definitions and assumptions Isolation: no cloud user can read/write state or modify its execution Focus on software deficiencies in the host Code reachable through interface is a metric for attack surface app We trust HW isolation (page tables, etc.) Host Kernel We do not consider covert channels, timing channels or resource starvation 7

8 Unikernel architecture ukvm unikernel monitor Userspace process Uses Linux/KVM monitor process (e.g., ukvm) Setup and loading Exit handling KVM Linux I/O devices VT-x 8

9 Unikernel architecture ukvm unikernel monitor Userspace process Uses Linux/KVM monitor process (e.g., ukvm) Setup Setup and loading Exit handling 1 Set up I/O fds KVM Linux I/O devices VT-x 9

10 Unikernel architecture Virtual CPU context ukvm unikernel monitor Userspace process Uses Linux/KVM monitor process (e.g., ukvm) Setup Setup and loading Exit handling 1 Set up I/O fds 2 Load unikernel KVM Linux I/O devices VT-x 1

11 Unikernel architecture Virtual CPU context ukvm unikernel monitor Userspace process Uses Linux/KVM monitor process (e.g., ukvm) Setup Exit handling Setup and loading Exit handling 1 Set up I/O fds 2 Load unikernel I/O KVM Linux I/O devices VT-x 11

12 Unikernel isolation comes from the interface 1 hypercalls 6 for I/O Network: packet level Storage: block level vs. >35 syscalls Hypercall walltime puts poll blkinfo blkwrite blkread netinfo netwrite netread halt 12

13 Observations Unikernels are not kernels! No page table management after setup No interrupt handlers: cooperative scheduling and poll The ukvm monitor doesn t do anything! One-to-one mapping between hypercalls and system calls Idea: maintain isolation by limiting syscalls available to process 13

14 Unikernel as process architecture Tender: modified ukvm unikernel monitor Userspace process Uses seccomp to restrict interface tender process Setup and loading Linux I/O devices 14

15 Unikernel as process architecture Tender: modified ukvm unikernel monitor Userspace process Uses seccomp to restrict interface tender process Setup Setup and loading 1 Set up I/O fds Linux I/O devices 15

16 Unikernel as process architecture Tender: modified ukvm unikernel monitor Userspace process Uses seccomp to restrict interface tender process Setup Setup and loading 1 Set up I/O fds 2 Load unikernel Linux I/O devices 16

17 Unikernel as process architecture Tender: modified ukvm unikernel monitor Userspace process Uses seccomp to restrict interface Setup and loading tender process 1 Set up I/O fds Setup 2 3 Configure seccomp Load unikernel Linux I/O devices 17

18 Unikernel as process architecture Tender: modified ukvm unikernel monitor Userspace process Uses seccomp to restrict interface Setup and loading Exit handling tender process 1 Set up I/O fds Setup 2 3 Load unikernel Exit handling Configure seccomp I/O Linux I/O devices 18

19 Unikernel isolation comes from the interface 1 hypercalls 6 for I/O Network: packet level Storage: block level vs. >35 syscalls Hypercall walltime puts poll blkinfo blkwrite blkread netinfo netwrite netread halt 19

20 Unikernel isolation comes from the interface Direct mapping between 1 hypercalls and system call/resource pairs Hypercall walltime puts poll System Call clock_gettime write ppoll Resource stdout net_fd 6 for I/O Network: packet level Storage: block level blkinfo blkwrite blkread netinfo netwrite pwrite64 pread64 write blk_fd blk_fd net_fd vs. >35 syscalls netread halt read exit_group net_fd 2

21 Implementation: nabla! Extended Solo5 unikernel ecosystem and ukvm Prototype supports: MirageOS IncludeOS Rumprun 21

22 Measuring isolation: common applications Code reachable through interface is a metric for attack surface Used kernel ftrace Results: Processes: 5-6x more VMs: 2-3x more Unique kernel functions accessed nginx nginx-large process ukvm nabla node-express redis-get redis-set 22

23 Measuring isolation: fuzz testing Used kernel ftrace Used trinity system call fuzzer to try to access more of the kernel Results: Nabla policy reduces by 98% over a normal process Unique kernel functions accept nabla block

24 Measuring performance: throughput Applications include: Web servers Python benchmarks Redis etc. Normalized throughput 2% 18% 16% 14% 12% 1% no I/O ukvm nabla QEMU/KVM with I/O 245 Results: 11%-245% higher throughput than ukvm 8% py_tornado py_chameleon node_fib mirage_http py_2to3 node_express nginx_large redis_get redis_set includeos_tcp nginx includeos_udp 24

25 Measuring performance: CPU utilization vmexits have an effect on instructions per cycle Experiment with MirageOS web server Results: 12% reduction in cpu utilization over ukvm (a) CPU % (b) VMexits/ms (c) IPC (ins/cycle) Requests/sec nabla ukvm 25

26 Measuring performance: startup time Startup time is important for serverless, NFV Results: Hello world Ukvm has 3-37% higher latency than nabla 15 1 QEMU/KVM 5 Mostly due avoiding KVM overheads HTTP POST Hello world HTTP Post ukvm nabla Number of cores process

27 Summary and Next Steps Unikernels should run as processes! Maintain isolation via thin interface Improve performance, etc. Process Next steps: can unikernels as processes be used to improve container isolation? Nabla containers 27

28 28

@amirmc UNIKERNELS WHERE ARE THEY NOW? AMIR CHAUDHRY. Open Source Summit NA 13 Sep 2017

@amirmc UNIKERNELS WHERE ARE THEY NOW? AMIR CHAUDHRY Open Source Summit NA 13 Sep 2017 OVERVIEW Unikernel refresher Status updates: MirageOS, IncludeOS, HaLVM, Solo5 Summary Questions? REFRESHER UNIKERNEL