As the cloud-native ecosystem evolves, it is beginning to appear as if a challenger to containerization has emerged. In this blog post, I'm going to dive into what unikernels are, and why I think they will be the most likely candidate to replace container-based infrastructure. Introduction While there is no doubt that containers have changed the landscape in a positive way, they are not the promised DevOps silver bullet. On the other hand, are an emerging software infrastructure paradigm that seek to fulfill the DevOps manifesto by providing specialized, single-address-space machine images. unikernels A unikernel is made of the following components: System libraries Language runtime Necessary applications These components are compiled into a single bootable VM image that runs directly on a standard hypervisor. Containers ≠ DevOps is the fact that the former still differentiates between the (op)erators who manage the applications, and the (dev)elopers who code the application. One of the key things you have to look at when comparing containers and unikernels In contrast, unikernels fulfill the DevOps promise by removing this barrier and forcing the development team to bundle everything they want into the deployment unit. Furthermore, deploying unikernel applications requires completely rebuilding the VM, so using configuration tools like Terraform and Jenkins is out of the question. Unikernels avoid vendor lock-in Another major advantage to using unikernels in your infrastructure is added agility by avoiding the trap of vendor lock in. Because a unikernel is a VM at it's core, it is inherently cross platform and cloud-agnostic. Because a unikernel's basic unit of compute is a VM, it is easy to shuttle it from one cloud platform to another. Unikernels also exchange the idea of "servers" for a more serverless approach. There is still a server, but for the most part it is self-sustaining and does not need the oversight of an operations team. Containers are still too complex Although they have solved a lot of problems in the DevOps space, containers as a paradigm were . The complexity involved with running containers is often very time-consuming for teams, and those teams often find out that the hyped up tools have a lot of quirks that cause issues in production. not the prophesized toolset that was supposed to take us to operations-free pastures It often requires an entire ops team to manage and deploy a Kubernetes based application, while deploying a unikernel to Google Cloud with today via is merely a series of two commands and it will be running within two minutes. ops Unikernels are secure One of the biggest selling points for The architecture has many features that either prevents or disables certain attacks altogether. Let's look at a few of them! unikernels is their security when compared to containers. No shell access Most remote code execution attacks invoke to modify the system they are attacking. Since unikernels lack a shell, the attacker doesn’t have this opportunity. /bin/sh No Syscalls On Linux systems, syscalls are often used to invoke the OS and attack computer systems. Because they lack an OS, unikernels don’t have these system calls. They only have function calls. For an attacker this means they’ll have to know the exact memory layout of your application in order to invoke the operating system. No access to Ring 0 A common criticism raised against unikernels is that the whole application runs in “kernel space” and has root privileges. Currently, this is true, however this is because unikernels need to manage virtual hardware and page tables to run. However, if the hypervisor can set up the VM before it is booted and provide para-virtualized interfaces to the hardware, access to ring 0 is unnecessary. Conclusion Containers will fade into obscurity. I can't say for certain when it will happen or what form it will take, but all technological paradigms come and go as the industry evolves. Do you think my predictions are correct and we're about to see the dawn of the unikernel? Or do you think it's just another overhyped tool?

Google

Hire my agency to write for you!

Read My Stories

Too Long; Didn't Read

In your car, at home, or at work — Bosch technology shapes many areas of life.

Docker is dead. Long live the Unikernel.

Too Long; Didn't Read

Company Mentioned

James D. Bohrman

About Author

TOPICS

THIS ARTICLE WAS FEATURED IN...

Docker is dead. Long live the Unikernel.

Too Long; Didn't Read

Company Mentioned

James D. Bohrman

About Author

TOPICS

THIS ARTICLE WAS FEATURED IN...

RELATED STORIES