What Do Unikernels Mean for Containers?

In today’s Ask the Admin, I’m going to take a look at unikernels and how they could become the next big thing in virtualization.

Cloud computing has changed the IT landscape forever, and the pace of change seems dizzying at times. But while we may have only just got our heads around the idea of containers (for more information, see What are Windows Server Containers? on the Petri IT Knowledgebase), behind the scenes Microsoft and others have been working on unikernels, which promise to improve virtualization density and agility beyond what is possible today with containers.

Containers use fewer resources than traditional VMs because they share the host OS kernel and its resources, and while there is some isolation between them, they don’t constitute a security boundary. Additionally, if you’ve already experimented with containers in Windows Server 2016 TP3, you’ll know that they still consume a considerable amount of resources.

Raise up the Drawbridge

In contrast to containers, unikernels are images that contain an application and a library OS. To help understand what a unikernel is, it’s worth taking a look at Microsoft’s Drawbridge, which consists of two components: a library OS, and the isolation container it runs inside (the picoprocess), which exposes only a minimal kernel API surface.

The picoprocess is a small isolation container that communicates with the host OS via the Drawbridge ABI (application binary interface), which is implemented by a security monitor. Without going into lots of technical detail, picoprocesses reduce the overhead associated with traditional hardware virtualization by surfacing threads, private virtual memory, and I/O streams instead of low-level hardware abstractions like CPUs, memory management units, and device registers. Because every interaction with the host must pass through that narrow ABI, the security monitor also becomes the single place where the container’s access to the host is mediated.

Microsoft Drawbridge architecture (Image Credit: Microsoft Research)

A library OS is a stripped-down version of Windows or another OS that allows developers to include only the components a given application actually requires, with all other services removed. This greatly reduces both overhead and attack surface, since code that isn’t present can’t be exploited.

Because it’s not easy to isolate apps from one another inside a single library OS, and because refactored drivers are required, the practical approach is to run each library OS instance inside its own VM or picoprocess. This isolates the app and limits its interaction with the outside world to a narrow set of virtual hardware devices for which drivers can be easily provided and maintained.

Unikernels

As you can imagine, unikernels aim to provide the advantages of both virtual machines (VMs) and containers, but with considerably lower overhead, which could lead to more agile and lower-cost cloud computing. The small size of unikernel images means that apps can be moved around faster and more cost-effectively, considering that network bandwidth doesn’t come cheaply in the cloud.

While I’ve described Microsoft’s research prototype Drawbridge in this article, there are many other projects in the works, including MirageOS and Rumprun, which could bring the unikernel concept to the masses.

Thanks to the research conducted for Drawbridge, Microsoft has been able to bring Windows Server Containers to the table quicker than might have been expected, and hopefully with an implementation that will make containers just as viable in Windows as they are in Linux.

Going forward, not all applications may be suitable for unikernels, but the idea of deploying highly efficient library OS and app images in VMs or Drawbridge containers is certainly enticing. While it’s not a commercial reality right now, it’s good to know that Microsoft has been conducting research that will ensure Windows Server doesn’t get left behind should unikernels receive mainstream adoption.