Unikernels: Rise of the Virtual Library Operating System - tizoc
http://queue.acm.org/detail.cfm?ref=rss&id=2566628

======
mbreese
Is the idea that you'd compile a virtualized OS in with your application to
produce one really streamlined VM appliance? I get that you'd be able to avoid
the overhead of the OS in the VM, but effectively you'd be making the VM a
single application again.

Is this any better than the Docker method of reusing the same base-OS and
compartmentalizing the applications? Is there that much to be gained in
avoiding kernel/user-space transitions?

~~~
stormbrew
I think the real problem with this sort of idea is that, in the end, you're
just reinventing processes. There's already a way to write an isolated single
purpose application and run it on a server: fork() and then exec().

If you want to bring the isolation level of that process down to just
absolutely what it needs to run we've got things like jails and cgroups. You
could probably run a Go app with no access to the filesystem since everything
is linked in statically anyways.

I think it misses the reasons people are excited about virtualization.
Reproducibility and uniformity of environment have a higher value than
isolation to most software developers. The priorities may be inverted on the
sysadmin side, but I don't think so far as to justify this kind of approach.

~~~
michaelmior
My understanding is that the goal is not isolation, but performance. You can
remove large chunks of the OS which you don't need. You also don't have any
overhead from system calls since all code runs at the same privilege level.
This is possible because (in theory) you can't execute arbitrary code. All the
executable code is baked into the kernel at compile time and the page tables
are sealed so no new code can be loaded.

You can achieve the isolation with jails and cgroups, but not the performance
improvements.

~~~
stormbrew
As mentioned in a sibling, you still have the hypercalls, and you definitely
need those to still be present if you're running at ring 0 since, essentially,
direct access to the hardware is probably an opportunity to attack the whole
physical system (since hardware often has arbitrary bus access). Never mind
the need to arbitrate access between multiple VMs.

And this is what I mean when I say that, taken to its conclusion, you're just
reinventing processes.

I think this kind of performance claim needs to be solidly proven by something
at least vaguely like a real running application to be taken as a given.

~~~
michaelmior
Fair point. More benchmarks need to happen before it's obvious this is really
a win. A real application would be nice. I'm biased because I worked on a
similar idea myself and I've been waiting for this to come. I think it's a
potential win now for running on public clouds.

However, as Docker PaaS gains popularity, that may be a better alternative.
Only benchmarks will tell :)

~~~
justincormack
What did you work on?

~~~
michaelmior
A similar yet much simpler idea of porting some simple application code to
MiniOS. Although I never ended up with anything of value.

