Unikernels and Docker: from Revolution to Evolution

Mindy Preston

Transcript of the slide deck (30 slides)

Page 1: Unikernels and Docker: from Revolution to Evolution

Unikernels and Docker: from Revolution to Evolution

Mindy Preston

Page 2:

Mindy Preston, Member of Technical Staff at Docker, tweets @mindypreston

Page 3:

A maintainer of

•  the MirageOS unikernel

•  VPNKit, part of Docker4Mac and Docker4Windows

Page 5:

Some Definitions

•  "docker": you're all probably pretty solid on this :)

•  "unikernels": artifacts representing a set of software which runs in a single address space, with no distinction between kernel and userspace code.

•  "library operating system": a build system which can link a group of libraries representing traditional OS functions with an application to produce a unikernel.

Page 6:

Artifact

Page 7:

"nobody cares about containers unikernels"

•  something which allows the execution of general application code

•  something easily described completely (you can enumerate the things it needs)

•  something low-overhead (small in terms of binary size, cpu/mem, or some other resource consumption)

Page 8:

Artifact is Code

application code (= source)

(interpreter & dependencies) + external app dependencies

OS + shared libraries

computer

•  a very nice way to get runtime errors

Page 9:

Artifact is Instructions

application code |> compiler & dependencies |> binary

OS + shared libraries

computer

•  shared libraries are an opportunity for chaos

•  few guarantees on build environment

Page 10:

Artifact is Instructions + (some) environment

app code + shared libs |> compiler + deps |> static binary

OS

computer

•  resource consumption cost

•  build environment is still not necessarily reproducible

Page 11:

Artifact is Code + Build Spec

app code + base img + deps + config |> container builder |> image

container runner

OS

computer

•  [ Dockerfile ] for a more complete and repeatable description

•  (although reproducibility can be sabotaged: RUN apk add)

•  apps that need to tune system parameters (privileged mode)
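The reproducibility caveat on this slide (an unpinned `RUN apk add` lets the same Dockerfile produce a different image tomorrow) is the kind of thing worth checking mechanically before an image is trusted. The following is an added example, not code from the talk, Docker or MirageOS: a small Python lint over a constructed Dockerfile that flags packages installed by `apk add` or `apt-get install` without a `name=version` pin, and base images not pinned by digest. The sample Dockerfile, the messages and the `PACKAGE_MANAGERS` table are this example's own assumptions; it only recognises the two package managers listed there.

```python
"""Lint a Dockerfile for constructs that undermine reproducibility.

Added example, not code from the talk, Docker or MirageOS. It flags the
pattern the slide names (an unpinned ``RUN apk add``), plus an unpinned
base image, because both let two builds of the same Dockerfile differ.
"""
import shlex

# Constructed sample input for this example; not a real project's Dockerfile.
SAMPLE_DOCKERFILE = """\
FROM alpine:3.12
RUN apk add --no-cache curl openssl
RUN apk add --no-cache ca-certificates=20191127-r4
COPY app /app
CMD ["/app"]
"""

# Package manager -> the verb that installs packages. Both apk and apt-get
# pin a package with `name=version`. (Assumed table; extend as needed.)
PACKAGE_MANAGERS = {"apk": "add", "apt-get": "install"}


def _logical_lines(text):
    """Merge backslash-continued lines into one instruction per entry."""
    merged = []
    for line in text.splitlines():
        if merged and merged[-1].endswith("\\"):
            merged[-1] = merged[-1][:-1] + " " + line.strip()
        else:
            merged.append(line.strip())
    return merged


def unpinned_packages(run_args):
    """Return the packages a RUN line installs without a version pin."""
    unpinned = []
    for command in run_args.split("&&"):
        tokens = shlex.split(command)
        if not tokens or tokens[0] not in PACKAGE_MANAGERS:
            continue
        verb = PACKAGE_MANAGERS[tokens[0]]
        if verb not in tokens:
            continue  # e.g. `apt-get update` installs nothing
        for token in tokens[tokens.index(verb) + 1:]:
            if not token.startswith("-") and "=" not in token:
                unpinned.append(token)
    return unpinned


def check_dockerfile(text):
    """Return (instruction number, message) findings for one Dockerfile."""
    findings = []
    for number, line in enumerate(_logical_lines(text), start=1):
        parts = line.split(None, 1)
        if len(parts) < 2 or parts[0].startswith("#"):
            continue
        instruction, args = parts[0].upper(), parts[1]
        if instruction == "FROM":
            # Skip flags such as --platform=...; `scratch` has nothing to pin.
            image = next(t for t in args.split() if not t.startswith("--"))
            if image != "scratch" and "@sha256:" not in image:
                findings.append((number, f"base image {image} is not pinned by digest"))
        elif instruction == "RUN":
            for package in unpinned_packages(args):
                findings.append((number, f"{package} installed without a version pin"))
    return findings


if __name__ == "__main__":
    for number, message in check_dockerfile(SAMPLE_DOCKERFILE):
        print(f"instruction {number}: {message}")
```

On the constructed sample this reports the unpinned `alpine:3.12` base image and the unpinned `curl` and `openssl`, while the pinned `ca-certificates` line passes. Pinning by digest and version does not make a build fully reproducible on its own (the slide's "build environment isn't necessarily well-specified" still applies), but it removes the two most common sources of drift.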

Page 12:

Artifact is Code + OS

app code + app deps + OS deps |> unikernel builder |> unikernel

unikernel runner

computer

•  library operating systems: system dependencies on the same conceptual level as application dependencies

•  unikernels: the artifact we generate, which doesn't need to run on a traditional OS

•  note what's missing: build environment isn't necessarily well-specified

Page 13:

build unikernels in containers

Page 14:

to follow along...

get started with docker pull ocaml/opam:ubuntu or your OS of choice

you can also try docker pull halvm/base to give the Haskell unikernel project HaLVM a shot

Page 15:

"OS Dependencies"

Page 16:

what has your OS done for you lately?

•  timekeeping

•  networking

•  entropy/randomness

•  storage

•  logs

•  I/O: keyboard, mouse, video, sound, pancake printer, light-up bracelet...

Page 17:

sidebar: rump

•  twiddling knobs in the kernel is tough

•  it's way easier if you can test things in isolation

Page 18:

libraries in your favorite language

Page 19:

you too are a systems programmer!

•  most unikernel projects supply implementations for things like networking

•  some are swappable (including MirageOS - make the types agree and you're good to go)

•  you can write your own!

Page 20:

reject the default reality and substitute your own

•  common failure points for applications are "external" problems, which the OS notices

•  you can stress your application easily, by providing libraries that always have edge cases occurring

Page 21:

fail gloriously, loudly, often

•  network interfaces that always have new packets waiting

•  random number generators that read from a static list

•  entropy sources that always block

•  filesystems that are always full

•  block devices that are always busy

•  DNS that always sends you to supertrustworthy.plzgivemeyourcreds.com
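Slides 20 and 21 describe a fault-injection technique: the application is written against a library interface, and a replacement whose types agree but which always hits the edge case is swapped in under test, so the failure shows up in a unit test rather than in production. The following is an added example, not code from the talk or MirageOS, and in Python rather than OCaml: a small audit logger and a token minter are written against `Filesystem` and `Entropy` interfaces and exercised with a filesystem that is always full and a "random" source that replays a static list. The class and function names, the log path and the sample byte strings are this example's own assumptions.

```python
"""Swap deliberately hostile 'OS libraries' into application code.

Added example, not code from the talk or MirageOS. Application code is
written against small interfaces; the test doubles below always hit one
of the edge cases the slides list (filesystem always full, randomness
read from a static list), so the failure is visible in a unit test.
"""
from __future__ import annotations

import errno
from typing import Protocol


class Filesystem(Protocol):
    """Interface the application codes against (assumed for this example)."""

    def append(self, path: str, data: bytes) -> int: ...


class Entropy(Protocol):
    """Interface for a randomness source (assumed for this example)."""

    def read(self, nbytes: int) -> bytes: ...


class MemoryFilesystem:
    """Ordinary implementation: keeps file contents in a dict."""

    def __init__(self) -> None:
        self.files: dict[str, bytes] = {}

    def append(self, path: str, data: bytes) -> int:
        self.files[path] = self.files.get(path, b"") + data
        return len(data)


class AlwaysFullFilesystem:
    """Edge-case implementation: every write fails with ENOSPC."""

    def append(self, path: str, data: bytes) -> int:
        raise OSError(errno.ENOSPC, "No space left on device", path)


class StaticEntropy:
    """Edge-case implementation: replays a fixed list instead of random bytes."""

    def __init__(self, values: list[bytes]) -> None:
        self._values = values
        self._calls = 0

    def read(self, nbytes: int) -> bytes:
        value = self._values[self._calls % len(self._values)]
        self._calls += 1
        return value[:nbytes]


class AuditLog:
    """Application code: record events, and count drops rather than hide them."""

    def __init__(self, fs: Filesystem, path: str = "/var/log/audit.log") -> None:
        self.fs = fs
        self.path = path  # constructed path for the example
        self.written = 0
        self.dropped = 0

    def record(self, event: str) -> bool:
        try:
            self.fs.append(self.path, (event + "\n").encode())
        except OSError as exc:
            if exc.errno != errno.ENOSPC:
                raise
            self.dropped += 1  # a full disk is counted, never silently ignored
            return False
        self.written += 1
        return True


def issue_tokens(entropy: Entropy, count: int, nbytes: int = 16) -> list[str]:
    """Application code: mint session tokens, refusing to hand out a repeat."""
    tokens: list[str] = []
    for _ in range(count):
        token = entropy.read(nbytes).hex()
        if token in tokens:
            raise RuntimeError("entropy source handed out a repeated token")
        tokens.append(token)
    return tokens


if __name__ == "__main__":
    log = AuditLog(AlwaysFullFilesystem())
    log.record("login ok")
    print(f"written={log.written} dropped={log.dropped}")
    try:
        issue_tokens(StaticEntropy([b"\x00" * 16]), 2)
    except RuntimeError as exc:
        print(exc)
```

With `MemoryFilesystem` the logger behaves normally; with `AlwaysFullFilesystem` every `record` call returns `False` and increments `dropped`, which is the behaviour you want to assert on before the real disk fills up. `issue_tokens` is the mirror case for the static-list generator: the first repeated token raises immediately instead of quietly reusing a session identifier.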

Page 22:

OS libraries in your applications

•  Docker4Mac and Docker4Windows hosts can have complicated networking situations

•  VPNs, custom DNS, mandatory proxies

•  the Mac or Windows machine is configured to do the right thing — don't break that!

•  if nc google.com 80 works from the terminal, it should work from a container

•  use a unikernel networking library to reimplement an old solution to this:

Page 23:

VPNKit

Page 24:

VPNKit

•  vpnkit is a piece of a library operating system, on your machine, right now, as part of docker

•  let's use unikernels to make the whole stack work better!

Page 25:

something more dramatic

run a unikernel with docker tools* - Martin Lucina's unikernel-runner

* (given direct access to /dev/kvm on the host)

Page 26:

where we're going

•  we'll have done a good job when unikernels Just Work

•  it should be just as easy to build, ship, run, and scale a unikernel as a process or a container

•  sometimes you'll want a unikernel and sometimes you won't — we want to let you do the right thing no matter what

Page 27:

Unikernel is Just Another Target

Page 28:

You Can Make It Happen!

•  VPNKit - help improve libraries in Docker4Mac/Win

•  HyperKit - dig into the D4M/W hypervisor!

•  unikernel.org - find or list your favorite unikernel project!

•  MirageOS summer hack retreat - join us face-to-face to improve MirageOS!

Page 29:

special thanks to...

•  my rad fellow Dockerites

•  the fantastic contributors to Docker, MirageOS, HaLVM, Rump, and myriad other unikernel projects

•  Justin Cormack for last minute slide assistance and real good emceeing

Page 30:

Questions?

•  @mindypreston

•  [email protected]

•  docker run -d -P mindypreston/dockercon2016