Unikraft's Vision for Universalizing Unikernels
If you're a developer or IT engineer, you probably like containers because you can start containerized apps in seconds and run dozens on a single host.
Now, imagine how great your life would be if you could start apps in milliseconds and deploy a thousand or more on one server.
In the past, this might have seemed like a dream. But it's now possible thanks to KraftCloud, a next-generation cloud platform where cold boots take a few milliseconds, as do scale-to-0 and autoscale – all powered by years of research into unikernels and the Linux Foundation's Unikraft project.
Here's why this new platform and tech are a big deal, and how the Unikraft team spent the past several years conquering the many barriers standing between the dream behind unikernels and the reality of actually putting them into real-world production environments.
What's a unikernel, anyway?
A unikernel is a specialized virtual machine that contains everything necessary to execute an app – nothing more, nothing less. That means that not just the application logic, but also the specific parts of libraries and operating system components that the app needs to operate, are packaged into an image that runs in a single address space.
Using this approach, unikernels make it possible to unlock some pretty neat benefits that wouldn't be feasible using other application packaging and deployment techniques. For one, thanks to the fact that unikernels include only the specific components needed to run an app, they can achieve cold start times on the order of 4-20 milliseconds, according to Felipe Huici, the CEO and co-founder of Unikraft.
For another, unikernels consume minimal resources. The unikernel version of NGINX, for example, weighs in at barely over a megabyte, about one-tenth the size of an equivalent Docker image, and it uses about ten times less memory when it runs. (For a deeper dive into how unikernels stack up performance-wise against other approaches to application deployment, check out Unikraft's performance data.)
The fact that each unikernel runs essentially as an independent operating system is also an advantage because it provides strong, hardware-level isolation between apps – they are, after all, virtual machines. Unlike containers, which share the host kernel, unikernels virtually eliminate the risk of a security breach in one app spilling over into another. Each unikernel is also "default off": nothing runs unless the app needs it, and any unneeded code never even makes it into the deployed image, which shrinks the attack surface accordingly.
In short, unikernels give teams a level of speed and performance that containers can't match, while providing the security benefits of OS-level isolation and still letting you build them from Dockerfiles – it's the best of all possible worlds.
"A good implementation"
The concept behind unikernels has been around for many years, but it has only been within the past year or two that Unikraft's team has matured a unikernel toolkit to the point where it’s ready for real-world use.
The reason why it took so long to bring the unikernel vision to reality, Huici says, is that unikernels are simply very challenging to implement well, and there are no shortcuts. "Everyone realizes that it doesn't make much sense to include lots of stuff in an OS that your application doesn't actually need," he explains. "But you need a good, fully modular, OS/unikernel implementation" if you want to be able to strip out the unnecessary bits, and until Unikraft came along, no one had invested the years of time and effort necessary to create such an implementation.
Making unikernels practical also requires a unikernel toolkit that is dynamic enough to support applications developed in multiple languages, without requiring developers to make major changes to application source code to deploy apps as unikernels.
Huici, who has a Ph.D. in computer science and comes from a research background, began working with his team on Unikraft, a Linux Foundation project, to solve these challenges about five years ago. At the time, he says, "there was a big gap between unikernel prototypes and running real-world payloads with real stability." Proof-of-concept unikernels existed, but "we wanted to do more than create one-trick ponies that could run a single app or a single programming language the way we were doing in the research space."
It took a long time to bridge that gap, but starting about a year ago, Huici says, everything finally began clicking on the technical front for Unikraft. "We started realizing that more and more apps were just running more or less out of the box," opening the door for the platform to support what Huici calls "the usual suspects" of widely used open source apps and languages – such as NGINX, Redis and the Python runtime.
Bringing unikernels to the cloud
Not content with building a unikernel framework that is ready for primetime, Huici and his team have also created a cloud-based hosting environment, KraftCloud, to make it easy for anyone to launch unikernels. KraftCloud provides pre-provisioned infrastructure where users can get unikernels up and running in milliseconds ("death to cold boots" is one of its taglines) without having to set up their own infrastructure or environment.
The infrastructure is provided by Equinix Metal, which Unikraft chose above all for the ultra-low latency that its data centers can deliver. "When you support cold boot times of 20 milliseconds, you don't want your packets to have a round trip time of 100 milliseconds," Huici explains.
Metal was also compelling for Huici and his team because provisioning servers to run Unikraft's custom stack happens very fast. "With Equinix it takes just one minute," whereas with bare-metal instances in the public cloud, the provisioning process "can last long enough for you to order a pizza," Huici says.
He adds that Equinix support staff are very accessible – which is important when you're running a cutting-edge technology platform and need expert help to support it. "Getting in touch with people who can help us with the Metal APIs is easy," he says.