1. Optimizing Boot Times and Enhancing Binary Compatibility for Unikernels
Chiba, Daniel Juzer, 25 June 2018
Unikernels are lightweight, single-purpose virtual machines designed for the cloud. They provide enhanced security, minimal resource utilisation, fast boot times, and the ability to optimize performance for the target application. Despite their numerous advantages, unikernels face significant barriers to their widespread adoption. We identify two such obstacles as unscalable boot procedures in hypervisors and the difficulty in porting native applications to unikernel models. This work presents a solution for the first based on the popular Xen hypervisor, and demonstrates a significant performance benefit when running a large number of guest VMs. The HermiTux unikernel aims to overcome the second obstacle by providing the ability to run unmodified binaries as unikernels. This work adds to HermiTux, enabling it to retain some of the important advantages of unikernels such as fast system calls and modularity. / MS / Cloud computing provides economic benefits to users by allowing them to pay only for the resources that they use. Traditional virtual machines, so far the mainstay of cloud computing, come with a large number of features that are unnecessary for most cloud applications. Unikernels are specialised virtual machines that are compiled with only the features required to run the target application on top of a hypervisor. They have reduced memory requirements, short boot times, fast system calls, enhanced security and greater customizability. Despite these advantages, unikernels have not gained significant traction in industry. One reason is that existing hypervisors were not designed with unikernels in mind. Specifically, we show that for the Xen hypervisor, boot times rise exponentially with the number of VMs running on the system. The small size of unikernels allows us to run a much larger number of guest VMs than was previously possible, but these rising boot times present a major bottleneck. This thesis analyses the cause of this overhead and presents a solution that leads to a 4x reduction in the overall time required to boot 500 unikernels at once. Another reason for the slow adoption of unikernels is the difficulty involved in porting legacy applications to unikernel models. The HermiTux unikernel aims to remove this effort by allowing users to run unmodified, statically compiled executables compiled for Linux. In doing so, however, we lose the ability to modularise the unikernel for the application concerned, and also reintroduce a major source of overhead from regular applications - namely system calls. This thesis presents techniques based on binary analysis and binary rewriting that enable us to regain these advantages of unikernels in HermiTux.

2. Software-defined Security for Distributed Clouds
Compastié, Maxime, 18 December 2018
In this thesis, we propose an approach for programmable security in the distributed cloud. More specifically, we show how this programmability can contribute to the protection of distributed cloud services, through the generation of strongly constrained unikernel images. These are instantiated as lightweight virtual machines, whose attack surface is reduced and whose security is driven by a security orchestrator. The contributions of this thesis are threefold. First, we present a logical architecture supporting the programmability of security mechanisms in a multi-cloud, multi-tenant context. It allows these mechanisms to be aligned and parameterised for cloud services whose resources are distributed across different providers and tenants. Second, we introduce a method for generating secured unikernel images on the fly. It yields specific, constrained resources that integrate security mechanisms from the image construction phase onwards. They can be built reactively or proactively to meet elasticity needs. Third, we propose to extend the TOSCA orchestration language so that secured resources can be generated automatically, according to different security levels aligned with the orchestration. Finally, we detail a prototype and a set of experiments used to evaluate the benefits and limits of the proposed approach. / In this thesis, we propose an approach for software-defined security in distributed clouds. More specifically, we show to what extent this programmability can contribute to the protection of distributed cloud services, through the generation of secured unikernel images. These are instantiated in the form of lightweight virtual machines, whose attack surface is limited and whose security is driven by a security orchestrator. The contributions of this thesis are threefold. First, we present a logical architecture supporting the programmability of security mechanisms in a multi-cloud and multi-tenant context. It makes it possible to align and parameterize these mechanisms for cloud services whose resources are spread over several providers and tenants. Second, we introduce a method for generating secured unikernel images in an on-the-fly manner. This leads to specific and constrained resources that integrate security mechanisms as early as the image generation phase. These may be built in a reactive or proactive manner, in order to address elasticity requirements. Third, we propose to extend the TOSCA orchestration language, so that it is possible to automatically generate secured resources, according to different security levels in phase with the orchestration. Finally, we detail a prototype and an extensive series of experiments that are used to evaluate the benefits and limits of the proposed approach.

3. Specializing a general-purpose operating system
Raza, Ali, 10 September 2024
This thesis aims to address the growing disconnect between the goals general-purpose operating systems were designed to achieve and the requirements of some of today’s new workloads and use cases. General-purpose operating systems multiplex system resources between multiple non-trusting workloads and users. They have generalized code paths, designed to support diverse applications, potentially running concurrently. This generality comes at a performance cost. In contrast, many modern data center workloads are often deployed separately in single-user, and often single workload, virtual machines and require specialized behavior from the operating system for high-speed I/O.
Unikernels, library operating systems, and systems that exploit kernel bypass mechanisms have been developed to provide high-speed I/O by being specialized to meet the needs of performance-critical workloads. These systems have demonstrated immense performance advantages over general-purpose operating systems but have yet to see widespread adoption. This is because, compared to general-purpose operating systems, these systems lack a battle-tested code base, a large developer community, wide application and hardware support, and a vast ecosystem of tools, utilities, etc.
This thesis explores a novel view of the design space; a generality-specialization spectrum. General-purpose operating systems like Linux lie at one end of this spectrum; they are willing to sacrifice performance to support a wide range of applications and a broad set of use cases. As we move towards the specialization end, different specializable systems like unikernels, library operating systems, and those that exploit kernel bypass mechanisms appear at different points based on how much specialization a system enables and how much application and hardware compatibility it gives up compared to general-purpose operating systems.
Is it possible, at compile/configure time, to enable a system to move to different points on the generality-specialization spectrum depending on the needs of the workload? Any application would just work at the generality end, where application and hardware compatibility and the ecosystem of the general-purpose operating system are preserved. Developers can then focus on optimizing performance-critical code paths only, based on application requirements, to improve performance. With each new optimization added, the set of target applications would shrink. In other words, the system would be specialized for a class of applications, offering high performance for a potentially narrow set of use cases.
If such a system could be designed, it would have the application and hardware compatibility and ecosystem of general-purpose operating systems as a starting point. Based on the target application, select code paths of this system can then be incrementally optimized to improve performance, moving the system to the specializable end of the spectrum. This would be different from previous specializable systems, which are designed to demonstrate huge performance advantages over general-purpose operating systems, but then try to retrofit application and hardware compatibility. To explore the above question, this thesis proposes Unikernel Linux (UKL), which integrates optimizations explored by specializable systems into Linux. It starts at the general-purpose end of the spectrum and, by linking an application with the kernel, executing it in kernel mode, and replacing system calls with function calls, offers a minimal performance advantage over Linux. This base model of UKL supports most Linux applications (after recompiling and relinking) and hardware. Further, this thesis explores common optimizations explored by specializable systems, e.g., faster transitions between application and kernel code, avoiding stack switches, run-to-completion modes, and bypassing the kernel TCP state machine to access low-level functions directly. These optimizations allow higher performance advantages over unmodified Linux but apply to a narrower set of workloads.
Contributions of this thesis include proposing a novel approach to specialization, i.e., adding optimizations to a general-purpose operating system to move it along the generality-specialization spectrum; an existence proof that optimizations explored by specializable systems can be integrated into a general-purpose operating system without major changes to the invariants, assumptions, and code of that general-purpose operating system; a demonstration that the resulting system can be moved on the generality-specialization spectrum; and showing that performance gains are possible.

4. Benchmark of Containers and Unikernels
Albaaj, Hassan; Berggren, Victor, January 2020
Purpose – The purpose of this paper is to explore the possibility of making local networks and databases more efficient using unikernels and to compare this to containers. This could also apply to the reliability of executing programs the same way on different hardware in software development.
Method – Two experiments have been performed to explore whether the purpose could be realized; quantitative data have been gathered and displayed in both cases. Python scripts have been used to start C scripts acting as client and server. Algorithms have been timed running in unikernels as well as in containers, along with compared measurements of memory in multiple simultaneous instantiations.
Findings – Intermittent spikes in response times made the data hard to parse correctly. Containers had a lower average response time when running lighter algorithms. The average response time of unikernels dives below that of containers when heavier programs are simulated. A few minor bugs were discovered in Unikraft unikernels.
Implications – Unikernels have characteristics that make them more suitable for certain tasks compared to their counterpart; this is also true for containers. Unikraft unikernels are unstable, which makes it seem like containers are faster during lighter simulations. Unikernels are only faster and more secure if the tools used to build them do so in a manner that makes them stable.
Limitations – The lack of standards and the lack of a support community, together with the fact that unikernels are a small and niche field, mean that unikernels have a relatively high learning curve.
Keywords – Unikraft, Unikernels, Docker, Container
/
Purpose – The purpose of this study is to investigate the possibility of making local networks and databases more efficient with the help of unikernels, and to compare this possibility with containers. This may also apply to software development, to ensure that the software executes on the server in exactly the same way as it previously did locally on the developer's own computer.
Method – Two experiments are carried out to investigate whether the purpose can be answered; quantitative data are collected in both cases, and the data are also presented quantitatively. Python scripts are used to start C scripts that act as client and server. Timing of algorithms in unikernels and containers respectively, as well as memory usage under multiple instantiation, was measured for analysis and comparison.
Results – Intermittent response-time spikes made the data from unikernels hard to evaluate correctly. Containers had a lower mean response time with less demanding algorithm use. The mean for unikernels dips below the container response times when more demanding programs are simulated. Some small bugs were discovered in Unikraft unikernels.
Implications – Unikernels have properties that make them more suitable for certain tasks compared with their counterpart, and the same applies to containers. Unikraft unikernels are unstable and therefore give the impression that containers are actually faster than unikernels for less processor-intensive programs. Unikernels are only faster and more secure to the extent that the tool that builds them does so in a way that makes them stable.
Limitations – The absence of standards and the absence of a community that can answer questions, together with the fact that unikernels are a small and niche field, mean that unikernels have a relatively high learning curve.
Keywords – Unikernel, Unikraft, Container, Docker