unikernel

{{Short description|Specialised, single address space machine images}}

File:Unikernel mirage example.png

A unikernel is a type of computer program that is statically linked with the operating system code on which it depends. Unikernels are built with a specialized compiler that identifies the operating system services that a program uses and links it with one or more library operating systems that provide them. Such a program requires no separate operating system and can run instead as the guest of a hypervisor.{{cite web|title=Unikernels: Rise of the Virtual Library Operating System|url=https://queue.acm.org/detail.cfm?id=2566628|access-date=31 August 2015}}

The unikernel architecture builds on concepts developed by Exokernel and Nemesis in the late 1990s.

Design

In a library operating system, protection boundaries are pushed to the lowest hardware layers, resulting in:

  1. a set of libraries that implement mechanisms such as those needed to drive hardware or talk network protocols;
  2. a set of policies that enforce access control and isolation in the application layer.

The library OS architecture has several advantages and disadvantages compared with conventional OS designs. One advantage is that, since there is only a single address space, there is no need for repeated privilege transitions to move data between user space and kernel space. A library OS can therefore provide improved performance by allowing direct access to hardware without having to transition between user mode and kernel mode (on a traditional kernel this transition consists of a single TRAP instruction{{cite book |last= Tanenbaum|first=Andrew S.|author-link=Andrew S. Tanenbaum |title=Modern Operating Systems |url= https://archive.org/details/modernoperatings00tane_822|url-access= limited|edition=3rd |year=2008 |publisher=Prentice Hall |isbn=978-0-13-600663-3 |pages=[https://archive.org/details/modernoperatings00tane_822/page/n73 50]–51 |quote=. . . nearly all system calls [are] invoked from C programs by calling a library procedure . . . The library procedure . . . executes a TRAP instruction to switch from user mode to kernel mode and start execution . . . }} and is not the same as a context switch). Performance gains may also be realised by eliminating the need to copy data between user space and kernel space, although this is also possible with zero-copy device drivers in traditional operating systems.

A disadvantage is that, because there is no separation, running multiple applications side by side in a library OS with strong resource isolation can become complex.{{cite book |last1=Chia-Che |first1=Tsai |last2=Arora |first2=Kumar-Saurabh |last3=Bandi |first3=Nehal |last4=Jain |first4=Bhushan |last5=Jannen |first5=William |last6=John |first6=Jitin |last7=Kalodner |first7=Harry |last8=Kulkarni |first8=Vrushali |last9=Oliviera |first9=Daniela |last10=Porter |first10=Donald E. |title=Proceedings of the Ninth European Conference on Computer Systems |chapter=Cooperation and security isolation of library OSes for multi-process applications |date=2014 |pages=1–14 |doi=10.1145/2592798.2592812 |url=http://www3.cs.stonybrook.edu/~porter/pubs/tsai14graphene.pdf |isbn=9781450327046 |citeseerx=10.1.1.589.1837 |s2cid=13771821 |access-date=2015-08-31 |archive-date=2016-03-04 |archive-url=https://web.archive.org/web/20160304072634/http://www3.cs.stonybrook.edu/~porter/pubs/tsai14graphene.pdf |url-status=dead }} In addition, device drivers are required for the specific hardware the library OS runs on. Since hardware changes rapidly, this creates the burden of regularly rewriting drivers to remain up to date.

OS virtualization can overcome some of these drawbacks on commodity hardware. A modern hypervisor provides virtual machines with CPU time and strongly isolated virtual devices. A library OS running as a virtual machine only needs to implement drivers for these stable virtual hardware devices and can depend on the hypervisor to drive the real physical hardware. However, protocol libraries are still needed to replace the services of a traditional operating system. Creating these protocol libraries is where the bulk of the work lies when implementing a modern library OS. Additionally, reliance on a hypervisor may reintroduce performance overheads when switching between the unikernel and hypervisor, and when passing data to and from hypervisor virtual devices.

By reducing the amount of code deployed, unikernels necessarily reduce the likely attack surface and therefore have improved security properties.{{cite web|title=Why Unikernels Can Improve Internet Security|url=http://www.linux.com/news/enterprise/cloud-computing/820669-why-unikernels-improve-internet-security|access-date=31 August 2015|date=April 2015}}{{cite journal|last1=Madhavapeddy|first1=Anil|last2=Mortier|first2=Richard|last3=Charalampos|first3=Rotsos|last4=Scott|first4=David|last5=Singh|first5=Balraj|last6=Gazagnaire|first6=Thomas|last7=Smith|first7=Steven|last8=Hand|first8=Steven|last9=Crowcroft|first9=Jon|title=Unikernels: Library Operating Systems for the Cloud|journal=SIGPLAN Notices (ASPLOS 13)|volume=48|pages=461|number=4|date=March 2013|doi=10.1145/2499368.2451167|url=http://anil.recoil.org/papers/2013-asplos-mirage.pdf}}

An example unikernel-based messaging client has around 4% of the size of the equivalent code bases using Linux.{{cite journal|last1=Kaloper-Meršinjak |first1=David |last2=Mehnert |first2=Hannes |last3=Madhavapeddy |first3=Anil |last4=Sewell |first4=Peter |date=2015 |title=Not-Quite-So-Broken TLS: Lessons in Re-Engineering a Security Protocol Specification and Implementation |journal=Proceedings of the 24th USENIX Security Symposium (USENIX Security 15) |url=https://usenix15.nqsb.io}}

Due to the nature of their construction, it is possible to perform whole-system optimisation across device drivers and application logic, thereby improving specialisation.{{cite conference|last1=Thibault|first1=Samuel|last2=Deegan|first2=Tim|title=Improving Performance by Embedding HPC Applications in Lightweight Xen Domains|book-title=2nd Workshop on System-level Virtualization for High Performance Computing (HPCVIRT'08)|date=2008|url=https://inria.hal.science/inria-00329969/file/final.pdf|doi=10.1145/1435452.1435454}}{{cite journal|last1=Madhavapeddy|first1=Anil|last2=Mortier|first2=Richard|last3=Sohan|first3=Ripduman|last4=Gazagnaire|first4=Thomas|last5=Hand|first5=Steven|last6=Deegan|first6=Tim|last7=McAuley|first7=Derek|last8=Crowcroft|first8=Jon|title=Turning Down the LAMP: Software Specialisation for the Cloud|journal=Proceedings of the 2nd USENIX Conference on Hot Topics in Cloud Computing|date=2010|url=http://anil.recoil.org/papers/2010-hotcloud-lamp.pdf}}{{cite book|last1=Martins|first1=Joao|last2=Mohamed|first2=Ahmed|last3=Raiciu|first3=Costin|last4=Huici|first4=Felipe|title=Proceedings of the second ACM SIGCOMM workshop on Hot topics in software defined networking |chapter=Enabling fast, dynamic network processing with clickOS |pages=67–72|url=http://nets.cs.pub.ro/~costin/files/hotsdn13.pdf|date=2013|doi=10.1145/2491185.2491195|isbn=9781450321785|s2cid=12514038 }} For example, off-the-shelf applications such as nginx, SQLite, and Redis running over a unikernel have shown a 1.7x-2.7x performance improvement.{{Cite book|last1=Kuenzer|first1=Simon|last2=Bădoiu|first2=Vlad-Andrei|last3=Lefeuvre|first3=Hugo|last4=Santhanam|first4=Sharan|last5=Jung|first5=Alexander|last6=Gain|first6=Gaulthier|last7=Soldani|first7=Cyril|last8=Lupu|first8=Costin|last9=Teodorescu|first9=Ştefan|last10=Răducanu|first10=Costi|last11=Banu|first11=Cristian|title=Proceedings of the Sixteenth European Conference on Computer Systems |chapter=Unikraft: fast, specialized unikernels the easy way|date=2021-04-21|chapter-url=https://dl.acm.org/doi/10.1145/3447786.3456248|language=en|location=Online Event United Kingdom|publisher=ACM|pages=376–394|doi=10.1145/3447786.3456248|isbn=978-1-4503-8334-9|arxiv=2104.12721|s2cid=241528818 }}

Unikernels have been regularly shown to boot extremely quickly, fast enough to respond to incoming requests before those requests time out.{{cite web|title=Just-in-Time Summoning of Unikernels (v0.2)|url=http://www.skjegstad.com/blog/2015/08/17/jitsu-v02/|website=Magnus Skjegstad|access-date=30 August 2015}}{{cite web|title=Zerg|url=http://zerg.erlangonxen.org/|website=Zerg — an instance per request demo|access-date=30 August 2015}}{{cite conference|last1=Madhavapeddy|first1=Anil|last2=Leonard|first2=Thomas|last3=Skjegstad|first3=Magnus|last4=Gazagnaire|first4=Thomas|last5=Sheets|first5=David|last6=Scott|first6=David|last7=Mortier|first7=Richard|last8=Chaudhry|first8=Amir|last9=Singh|first9=Balraj|last10=Ludlam|first10=Jon|last11=Crowcroft|first11=Jon|last12=Leslie|first12=Ian|title=Jitsu: Just-In-Time Summoning of Unikernels|book-title=The 12th USENIX Conference on Networked Systems Design and Implementation (NSDI)|date=2015|isbn=978-1-931971-218|url=http://anil.recoil.org/papers/2015-nsdi-jitsu.pdf}}

Unikernels lend themselves to creating systems that follow the service-oriented or microservices software architectures.

Unikernels are unsuitable for the kind of general-purpose, multi-user computing that traditional operating systems are used for, due to their high degree of specialization. Adding functionality to or altering a compiled unikernel is generally not possible; instead, the approach is to compile and deploy a new unikernel with the desired changes.

See also

References

{{reflist}}