Hacker News
The RustyHermit Unikernel (rust-osdev.com)
125 points by adamnemecek on Jan 24, 2021 | 28 comments

I find Unikernels fascinating, but I’m curious as to who is running unikernel based applications in production?

Game consoles, and back in the day most MS-DOS, Amiga and Atari games that only used hardware directly with OS services could in retrospect be considered some form of unikernels.

Amiga games used to be written such that they would boot the computer from floppy.

The Amiga had a large part of its regular OS libraries in ROM, and the base OS was available directly to the bootloader on the floppy.

You could ignore it and access the hardware directly, if you wanted, and many games did, but you could also use the OS if you wanted to.

The default bootloader would basically just say "launch the default shell and tell it to load the startup shell script file".

The MirageOS people at https://mirage.io/wiki/gallery have a list titled "unikernels that are used in production"

Most RTOSes.

z/TPF is also a unikernel so Visa when processing every transaction.

Interesting, do you have any references explaining how/why z/TPF is a unikernel? Thanks!

It's from an era before ubiquitous MMUs, even in IBM mainframes. It therefore was structured as a library OS, with even less separation between it and the application code than even MSDOS and its applications.

Transaction Processing Facility: A Guide for Application Programmers by R. Jason Martin is a decent book I'd recommend on the subject.

Did not realise Visa was using z/TPF. Do you have a link with more information?

I don't know of much public information other than their job postings.

I believe Cisco had a unikernel running on VMware for SDN vSwitches. Makes sense: you "only" need to move packets from some vLan to another vLan/vNic after applying policies... and you can forget about supporting hardware modules alien to you.

The automotive domain definitely uses them (e.g., OpenSynergy and others), since their efficiency means they consume fewer resources on ECUs, and their relatively small Trusted Computing Base (TCB) not only reduces exploits but also means certification is cheaper/faster.

Most devices are not web servers.

Very interesting. As an application dev I'm curious to know what it would take to have a, let's say, Actix-web stack bundled with a unikernel, or a MeiliSearch engine bundled with a unikernel.

Both of these now live in Docker containers along with a whole Alpine system. I'm correct to believe that unikernels could change this, right?

I learned that for MirageOS it was still a long road before it'd be possible to use some OCaml web framework on top of it.

Lwt [1] based web frameworks can be used on MirageOS if they provide an interface that allows someone to swap out the unix dependent pieces. One such framework is Opium [2], that provides most of its features in a unix independent code library `opium_kernel`. It's fairly straightforward to run an opium app on mirage. This example needs to be updated to the newest APIs in the released version of Opium but this can provide some hints about how to run an opium app on mirage: https://github.com/anuragsoni/ocaml-opium-unikernel.

If a lower level web toolkit is sufficient then OCaml's cohttp [3] library has been available on mirage for quite some time now.

[1] https://github.com/ocsigen/lwt/

[2] https://github.com/rgrinberg/opium

[3] https://github.com/mirage/ocaml-cohttp/

Thanks for chiming in!

Sadly cohttp is (or was) performing so badly that it is kind of at odds with using it on a unikernel.

This one is quite a bit faster:


The `opium_kernel` example I linked to above is running on top of https://github.com/dinosaure/paf-le-chien which is a mirage layer for httpaf. Opium itself has also moved to using httpaf as the underlying layer.

Wow. That's great. Thanks for setting this straight.

Seems OCaml/Mirage is pretty far ahead in typed web dev using a unikernel.

I'd be curious how long such a kernel takes to boot. There could be useful applications in container hosting.

10s of milliseconds (fig. 4)[0]

[0]: https://pub.nderjung.net/papers/emsoft20.pdf

Measured in milliseconds typically.

There was an example running on erlang-on-xen (later renamed ling) which spawned a vm per request. When not hammered by traffic from aggregator sites, it could respond in a few milliseconds.

No, it was not Jitsu. Jitsu is based on MirageOS/OCaml, Erlang-on-Xen was also a Xen-based unikernel like MirageOS but was (as you can guess) Erlang specific. I think you can now find it at https://github.com/cloudozer/ling .

A hello world unikernel was reported to take 4 ms a few years back (http://cnp.neclab.eu/projects/lightvm/lightvm.pdf). Here's a more recent project: http://www.unikraft.org/ .

There is no POSIX in a unikernel, right?

So can apps using a RustyHermit use the std lib, or should all be no_std?

I suppose the right answer is "it depends". For most unikernels the answer is no: they are highly specialized, often targeting a single application or language, and built on top of small/basic OSes. Some of them have targeted various levels of POSIX compatibility, e.g., OSv (http://osv.io/) and HermiTux (https://ssrg-vt.github.io/hermitux/) though they don't always support a large number of syscalls/applications. An older project was Rump (largely abandoned), which used the NetBSD kernel to be (mostly) POSIX compatible, though performance wasn't great and it's largely abandoned. An active project targeting at least partial POSIX compatibility is Unikraft (http://www.unikraft.org/).

So can I use Rust's std on RustyHermit?
