Docker Moves Beyond Containers With Unikernel Systems Purchase (thenewstack.io)
joabj writes: Earlier today, Docker announced that it had purchased the Cambridge, U.K.-based Unikernel Systems, makers of the OCaml-based MirageOS, a unikernel or "virtual library-based operating system." Unikernels go beyond containers in stripping virtualization down to the bare essentials in that they only include the specific OS functionality that the application actually needs. Their design builds on decades of research into modular OS design. Although unikernels can be complex to deploy for developers, Docker aims to make the process as standardized as possible, for easier deployment.
Virtualization is 'expensive', as each virtual server running on the host operating system has its own operating system, each running its own kernel, having its own generic support libraries, doing its own memory management, hardware access and interrupt management (to/on virtual devices emulated by the host operating system), etc.
Chroot is 'inexpensive', but it only offers a thin veneer of file system separation.
Docker lies somewhere in between. It has its self-contained file system with all the generic support libraries (user land) needed for the application, but hardware resources are managed by the single kernel of the host operating system. This does give rise to a restriction not present for true virtual machines: all Docker containers on one host system must use the same kernel (interfaces), those of the kernel of the host system. Actually, the kernel has some special modified interfaces to make certain the applications in the Docker container can't access (data or processes of) other Docker containers (unless permitted) or the host operating system, and for those applications it still 'feels' like they are running their own copy of the operating system. But, for example, all processes running in all Docker containers on one host system are part of the process list of the host kernel; there is only one memory manager, that of the host system, etc.
Now there is that newfangled Unikernel kid... What I understand of it is that, in comparison with a Docker container, the support libraries / userland are stripped bare so only the symbols/functions remain that are actually in use by the applications that run in it. But the 'kernel' bit in Unikernel would suggest that parts of the kernel functionality are also transferred to the container, and I would suspect parts not in use by the actual applications in there would not be included. The question is, how much of the host kernel can you transfer to the containers? Certain things should be done 'at the top', if only to prevent containers from hogging critical system resources and such, and to still be able to do certain system diagnostics at the host OS level...
I should read more about it. It seems to be interesting stuff.
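The comment above makes the point that every process in every Docker container is still a process of the single host kernel, which is exactly why host-level diagnostics remain possible. The following script, an added example that is not part of the thread or of Docker's own tooling, shows how a host administrator can attribute visible PIDs to containers by reading each process's `/proc/<pid>/cgroup` file: Docker places a container's processes in a cgroup named after the 64-hex-digit container ID (the `/docker/<id>` layout for cgroup v1, or `docker-<id>.scope` under the systemd driver on cgroup v2). The sample cgroup contents, PIDs and container IDs are constructed for the example; the `read_live_proc` helper is provided for running the same grouping against a real Linux host.

```python
import os
import re
from typing import Dict, List, Optional

# Constructed container IDs (64 hex digits, the length Docker uses).
CID_A = "7d3f1a0c5b9e4f2a" * 4
CID_B = "9f8e7d6c5b4a3928" * 4

# Constructed sample: contents of /proc/<pid>/cgroup for five PIDs as seen
# from the host. None of this is captured from a real machine.
SAMPLE_CGROUP_FILES: Dict[int, str] = {
    1: "12:pids:/\n1:name=systemd:/init.scope\n",
    777: "12:pids:/user.slice\n1:name=systemd:/user.slice/session-1.scope\n",
    # cgroup v1 layout used by Docker: /docker/<container id>
    4242: f"12:pids:/docker/{CID_A}\n1:name=systemd:/docker/{CID_A}\n",
    4243: f"12:pids:/docker/{CID_A}\n1:name=systemd:/docker/{CID_A}\n",
    # cgroup v2 unified hierarchy with the systemd cgroup driver
    5100: f"0::/system.slice/docker-{CID_B}.scope\n",
}

# Matches both "/docker/<id>" (v1) and "docker-<id>.scope" (v2, systemd driver).
CONTAINER_RE = re.compile(r"/docker[/-]([0-9a-f]{64})")


def container_id_for(cgroup_text: str) -> Optional[str]:
    """Return the Docker container ID a /proc/<pid>/cgroup file belongs to,
    or None when the process runs directly on the host."""
    for line in cgroup_text.splitlines():
        match = CONTAINER_RE.search(line)
        if match:
            return match.group(1)
    return None


def group_by_container(cgroup_files: Dict[int, str]) -> Dict[str, List[int]]:
    """Group PIDs by container ID; host-only processes go under the key 'host'."""
    groups: Dict[str, List[int]] = {}
    for pid, text in sorted(cgroup_files.items()):
        key = container_id_for(text) or "host"
        groups.setdefault(key, []).append(pid)
    return groups


def read_live_proc() -> Dict[int, str]:
    """Collect /proc/<pid>/cgroup for every PID visible on this (Linux) host.
    Processes that exit mid-scan or deny access are skipped."""
    files: Dict[int, str] = {}
    for name in os.listdir("/proc"):
        if not name.isdigit():
            continue
        try:
            with open(f"/proc/{name}/cgroup", encoding="utf-8") as fh:
                files[int(name)] = fh.read()
        except OSError:
            continue
    return files


if __name__ == "__main__":
    # Run against the constructed sample; swap in read_live_proc() on a real host.
    for key, pids in group_by_container(SAMPLE_CGROUP_FILES).items():
        label = key if key == "host" else f"container {key[:12]}"
        print(f"{label}: PIDs {pids}")
```

Because the host kernel owns every one of these processes, the same view is what lets an administrator notice a container whose processes are consuming resources out of proportion, which is the kind of 'at the top' control the comment is asking about.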
The layers add abstraction, compartmentalization, portability and the ability to roll back snapshots without rebooting. If you understand virtualization then I'm sure you can understand how this can greatly increase security and robustness in general, at least in principle.
Now, if you don't understand why someone would use an LXC-based solution like Docker instead of a fully virtualized HVM machine then you probably haven't seen them in practice. They are native speed, and you don't have to mess around with inefficient memory allocation. The performance difference is critical in many cases and even when it isn't, it's still damn nice to have everything being as smooth as normal. Unikernel is a different approach, but offers similar performance advantages over traditional HVMs.
As I mention below, paravirtualization is also pretty damn fast and is more secure and flexible compared to LXC solutions since the kernel isn't being shared, although for that reason you are stuck with potentially inefficient RAM allocation issues.
Not only will it solve your deployment problems, provide scalability for free, and eliminate all system security issues, it will do your shopping, wash your car, clothes and dishes, pay your bills and taxes, balance your checkbook, and walk the dog, even if you don't have a dog!
Overhype much?
Why is Snark Required?
I don't doubt it. There should be a mandatory "Reinventing the Wheel" course for all CS majors. Chapter 1, The Amiga. Chapter 2, Lisp. Etcetera.
This is something different.
Take the Linux kernel, split it into modules such as the TCP/IP stack, etc.
Now you can create a binary that includes the part of the os that you need that you can include with your binary.
You then link the kernel and your application so you have one binary with the bits of the os you need as well as your program and nothing else.
No init system, no other processes, just the OS.
You can then run this inside Xen as the target so you don't need the hardware support.
Docker actually makes things simpler!
Since you understand virtualization, think of Docker as lightweight virtualization.
How is adding stuff on top of LXC making things simpler? I followed Docker from its inception, and to me and my colleagues, they are the Microsoft of OS-level virtualisation.
They promise security
No they don't.