
I'd like to point out that there is a unikernel called IBM's TPF which is something everybody is interacting with daily. It's used in the payment card network by Visa, as well as the airline and hotel industry for reservations. This is typically run under the hypervisors z/VM or PRSM. https://en.wikipedia.org/wiki/Transaction_Processing_Facilit...

A few years ago someone trying to spin container technology did a lot of damage to other attempts at unikernels with marketing dogma, not reality. Claims of non-debuggability and other FUD. It's long been standard operating procedure to trace and debug systems from outside the system's view. This is how people do bringup of new chips as well as OS ports. On hardware there is usually a dedicated debug and trace facility as part of the CPU or board support package, or a firmware monitor. In a virtualized environment like a unikernel this is way easier because you can run code above the guest's ring 0 supervisor privilege against its RAM/page-table root. Modern systems like POWER even allow debugging from the BMC, with a plan to allow full gdb sessions over that out-of-band interface https://github.com/open-power/pdbg.

There's nothing implicitly wrong with unikernels, or other systems software ideas like microkernels, just because they are less popular technology at the moment. I'd encourage people to continue exploring this space.
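The out-of-band approach the comment above describes (inspecting a guest from above its ring 0, against its RAM and page-table root) as an added example, not code from the thread, from IBM TPF, or from any unikernel project: a Python page-table walker that takes a dump of guest-physical memory plus the guest's CR3 value, resolves guest virtual addresses through x86-64 4-level paging, reads guest memory across page boundaries, and flags pages that are both writable and executable, which is a useful thing to check from outside a unikernel that runs everything in ring 0. The memory image, the addresses and the planted bytes are constructed for the example; a real introspection tool would obtain the RAM and CR3 from the hypervisor or a VM snapshot instead.

```python
"""Out-of-band guest inspection: walk a guest's x86-64 4-level page tables
from outside the guest, given only its physical RAM and its CR3 value.
Added example for this thread; the guest image below is constructed by hand."""
import struct
from dataclasses import dataclass

PRESENT = 1 << 0
WRITABLE = 1 << 1
PAGE_SIZE_BIT = 1 << 7             # PS: 1 GiB page at the PDPT level, 2 MiB at the PD level
NX = 1 << 63
ADDR_MASK = 0x000F_FFFF_FFFF_F000  # bits 12..51 of an entry hold the physical address


class GuestMemory:
    """Guest-physical RAM as a hypervisor (or a saved VM snapshot) sees it."""

    def __init__(self, size):
        self.ram = bytearray(size)

    def read_u64(self, paddr):
        return struct.unpack_from("<Q", self.ram, paddr)[0]

    def write_u64(self, paddr, value):
        struct.pack_into("<Q", self.ram, paddr, value)

    def read(self, paddr, length):
        return bytes(self.ram[paddr:paddr + length])


@dataclass
class Mapping:
    paddr: int
    writable: bool
    executable: bool
    page_size: int


def translate(mem, cr3, vaddr):
    """Resolve a guest virtual address; returns None if any level is not present."""
    if (vaddr >> 48) != (0xFFFF if (vaddr >> 47) & 1 else 0):
        raise ValueError(f"non-canonical address {vaddr:#x}")
    table = cr3 & ADDR_MASK
    writable, executable = True, True
    for shift in (39, 30, 21, 12):          # PML4, PDPT, PD, PT index positions
        entry = mem.read_u64(table + ((vaddr >> shift) & 0x1FF) * 8)
        if not entry & PRESENT:
            return None
        # effective permissions are the intersection of every level on the walk
        writable = writable and bool(entry & WRITABLE)
        executable = executable and not entry & NX
        if shift == 12 or (shift in (30, 21) and entry & PAGE_SIZE_BIT):
            page = 1 << shift
            base = entry & ADDR_MASK & ~(page - 1)
            return Mapping(base | (vaddr & (page - 1)), writable, executable, page)
        table = entry & ADDR_MASK


def read_virtual(mem, cr3, vaddr, length):
    """Read guest memory by virtual address, continuing across page boundaries."""
    out = bytearray()
    while length:
        m = translate(mem, cr3, vaddr)
        if m is None:
            raise LookupError(f"guest virtual address {vaddr:#x} is not mapped")
        chunk = min(length, m.page_size - (vaddr & (m.page_size - 1)))
        out += mem.read(m.paddr, chunk)
        vaddr += chunk
        length -= chunk
    return bytes(out)


def find_wx_pages(mem, cr3, start, end):
    """List (vaddr, page_size) for every mapped page that is writable AND executable."""
    found = []
    vaddr = start
    while vaddr < end:
        m = translate(mem, cr3, vaddr)
        if m is None:
            vaddr += 4096
            continue
        if m.writable and m.executable:
            found.append((vaddr, m.page_size))
        vaddr = (vaddr & ~(m.page_size - 1)) + m.page_size
    return found


def build_sample_guest():
    """Constructed 4 MiB guest image: one PML4, one PDPT, one PD, one PT (hypothetical layout)."""
    mem = GuestMemory(4 << 20)
    pml4, pdpt, pd, pt = 0x1000, 0x2000, 0x3000, 0x4000
    mem.write_u64(pml4, pdpt | PRESENT | WRITABLE)
    mem.write_u64(pdpt, pd | PRESENT | WRITABLE)
    # PD[1]: 2 MiB identity-mapped data page for 0x200000..0x3FFFFF, writable, no-execute
    mem.write_u64(pd + 1 * 8, 0x200000 | PRESENT | WRITABLE | PAGE_SIZE_BIT | NX)
    # PD[2]: page table covering 0x400000..0x5FFFFF
    mem.write_u64(pd + 2 * 8, pt | PRESENT | WRITABLE)
    # PT[0]: VA 0x400000 -> PA 0x5000, read-only and executable (text)
    mem.write_u64(pt + 0 * 8, 0x5000 | PRESENT)
    # PT[1]: VA 0x401000 -> PA 0x6000, writable AND executable: what an external check should flag
    mem.write_u64(pt + 1 * 8, 0x6000 | PRESENT | WRITABLE)
    mem.ram[0x5000:0x5004] = b"\x48\x89\xe5\xc3"          # mov rbp, rsp; ret
    mem.ram[0x5FFE:0x6000] = b"AB"                          # straddles the 0x400000/0x401000 page boundary
    mem.ram[0x6000:0x6002] = b"CD"
    mem.ram[0x200010:0x200020] = b"hello from guest"
    return mem, 0x1000                                      # (guest RAM, CR3)


if __name__ == "__main__":
    mem, cr3 = build_sample_guest()
    print(translate(mem, cr3, 0x400000))
    print(read_virtual(mem, cr3, 0x200010, 16))
    print([(hex(v), s) for v, s in find_wx_pages(mem, cr3, 0, 0x600000)])
```

Nothing here runs inside the guest: the walker only needs the guest's physical RAM and the value of CR3, both of which a hypervisor, a snapshot file or a JTAG/BMC-style probe can hand over, and the same walk is what a gdb stub above the guest performs when it lets you set a breakpoint on a virtual address in a guest that has no debugger of its own.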

That FUD was from Bryan Cantrill (https://news.ycombinator.com/item?id=10953766) making aggressively resolute, but also easily falsifiable claims about the production-worthiness of unikernels.

From the perspective of someone who has debugged and traced unikernels from both inside the runtime (LING) and outside the runtime (xentrace), and who worked in the domain of the very z/TPF system you referenced above, the indictment seemed at best strangely misguided and at worst intentionally duplicitous.

As you can imagine the indictment wasn't at all persuasive to me, and thus I keep exploring the space in bits and pieces where applicable.

While acknowledging that your claims about his claims may well be 100% correct, I find it hard to believe that Bryan Cantrill would be "intentionally duplicitous". People, even very smart people, can occasionally be very wrong (btw, I'm not making a claim either way here), and that doesn't mean there is an agenda/intent that is malicious in nature.

Totally unbiased for sure, https://www.joyent.com/smartos

Cantrill is a smart guy. But he has always had a big mouth. And the fact is his post was written with ZERO experience with Unikernels. Zero. He was just assuming they act the way he imagined and attacked that image.

Which is fine if you're upfront about it. He wasn't.

I appreciate the kind words, but let's give me a tad more credit in the experience department, please: I have been doing production OS kernel development for over two decades, and have done non-trivial work in essentially every privileged subsystem across several different microprocessor and OS architectures. If you want to say that I have gobs of experience in kernel development (and more generally at the hardware/software interface), but no experience with unikernels per se, then fine, I guess -- but at the same time, let's acknowledge that you are the CEO of a unikernel company who very much has a dog in the fight?

Absolutely. I would rank you in the very top of developers with experience in development of traditional operating systems. In particular DTrace stands out as an excellent piece of work. It's one of those fundamental advances that serves as inspiration for others.

Now, I'm not sure I agree that I have a horse in the race. I don't necessarily believe that there is a race. I've never really been a proponent of the schism between Unikernels and Containers. I struggle to see how Unikernels can offer the same flexibility and ease of deployment as containers. We likely won't be able to support the vast amounts of runtimes and infrastructure needed to replace something like Docker. Perhaps there could be very specific uses where something like the paper described could be used, but I'm not betting on it.

As a software project IncludeOS has a much narrower target than what people traditionally have thought of when thinking of Unikernels. As a result of this we're not in the business of replacing either containers or general-purpose operating systems (GPOS). We're aiming to carve out a few niches where we are confident that a GPOS isn't the answer. We're only going to address those needs where we're pretty certain we can actually add some value. Basically we think we can improve on security in addition to adding real-time capability whilst still remaining source-code compatible with Linux (mostly thanks to musl).

My grief is singularly with the myths you helped create that Unikernels are something where you are forced to work with stone-age tools, with hardly any tools except printf for debugging. We've had to spend a lot of time dispelling these. There are a few other things I believe you were wrong about at the time, but I'll spare you the details. Better suited to discussions over a beer or coffee.

You never disappoint me in your recorded presentations or now apparently timely HN comments. I am starting to like you just as much as tptacek here bc if someone invokes your name I will expect a witty, if not only informative, rebuttal!

Which we shouldn't forget isn't unbiased given that they have a VM/Container business to sell.

Is LING still alive? Haven't seen much project activity in a while.

Not really, insofar as I can tell, but it was slightly less inactive back then.

It's not the corner of the sandbox that I play in any longer.

What about your view on ultra-restrictive OS libraries, like Genode? These take much of the useful optimizations inside unikernels and give a bigger framework to work from.

The Genode project is wonderful. The write-ups they did about integrating their framework with seL4 were unbelievably helpful in my earlier explorations of how to build interesting things atop seL4.

That said, I never really considered Genode in contrast to unikernels to be honest. Something to chew on certainly.
