Abstract
We present unikernels, a new approach to deploying cloud services via applications written in high-level source code. Unikernels are single-purpose appliances that are compile-time specialised into standalone kernels and sealed against modification when deployed to a cloud platform. In return they offer a significant reduction in image size, improved efficiency and security, and should reduce operational costs. Our Mirage prototype compiles OCaml code into unikernels that run on commodity clouds and offer an order-of-magnitude reduction in code size without significant performance penalty. The architecture combines static type safety with a single address-space layout that can be made immutable via a hypervisor extension. Mirage contributes a suite of type-safe protocol libraries, and our results demonstrate that the hypervisor is a platform that overcomes the hardware compatibility issues that have made past library operating systems impractical to deploy in the real world.
Unikernels: library operating systems for the cloud
ASPLOS '13: Proceedings of the eighteenth international conference on Architectural support for programming languages and operating systems