Over the last 50 years, enterprise computing has evolved from session sharing on mainframes to supporting thousands of microservices using containers that run on virtual machines. Yet, virtual machines are not the last stop in this evolution. There is a new technology on the horizon, a technology that will allow for greater flexibility and more efficient use of data center hardware. That technology is the unikernel.
What Is a Unikernel?
A unikernel is a unit of binary code that runs directly on a hypervisor, very much in the same way that a virtual machine runs on a hypervisor (see Figure 1).
Figure 1: Many virtual machines can run on a single computer, thus increasing hardware efficiency
However, unlike a virtual machine, which carries its own operating system, utilities, and applications, a unikernel is much leaner, containing only the parts of an operating system that are required by a single program. Also, that single program is meant to represent a single service.
How a Unikernel Increases Operational Efficiency
One of the drawbacks of a virtual machine is that resource usage is static after the VM is created. For example, if you create a virtual machine that is allocated 4 GB of RAM from a host system that contains 12 GB of RAM, that 4 GB is dedicated to the VM for the life of the virtual machine. There is no giving the memory back. One technology that addresses this underutilization of hardware resources is containers. A container is a deployment unit that runs as an isolated process with its own root-level file system while sharing the resources of the host system. Applications and their dependencies are packaged as container images, and container activity is coordinated by a container manager. Docker is one of the more popular container managers (see Figure 2).
Figure 2: Container technology uses host computer technology more efficiently by using only the hardware resources needed at the moment.
The value of containers is that they are more versatile and lightweight than VMs. But a container still carries the overhead of a full-blown host operating system, as well as the security issues that come with running container images built by other parties.
Unikernels are more lightweight than containers and make more efficient use of hardware resources. As mentioned earlier, at the most elementary level, a unikernel is a compiled, binary deployment unit that sits right on top of a hypervisor, just as a virtual machine does (see Figure 3).
Figure 3: Unikernel technology runs directly on the hypervisor as a very small compiled binary, using the notion of Just Enough Operating System
Instead of carrying the overhead of a complete operating system, a unikernel has only the parts of the operating system that are essential to its operation.
Applications that are best suited to run as a unikernel don't need a plethora of device drivers, file management utilities, text editors, or a shell. All such an app needs is what is absolutely necessary to make the app work. This concept is called Just Enough Operating System, or JeOS. The result is a deployment unit that is very small and fast loading. For example, a unikernel for a DNS server weighs in at around 449 KB, and a web server at ~674 KB. That's right; we're talking sizes at the kilobyte level!
Because unikernels are small, you can load thousands onto a single piece of hardware. And because they are fast loading, they lend themselves well to microservices, particularly transient microservices whose entire load, operate, and unload lifetime is measured in seconds.
Unikernels are designed to be immutable, so there is an implicit level of security that is not present in other environments. As mentioned above, the deployment unit is a compiled binary. (Think of compiling your C++ code into an exe. Now imagine compiling your whole computing environment into something like an exe.) Thus, you cannot add or remove parts on a whim. When you want to upgrade a unikernel, you compile a new one and deploy that sole artifact. Binary code is a lot harder to penetrate than some script sitting exposed to the desires of an unwanted intruder, and because the unikernel ships without a shell or the other unneeded operating system components, there is far less inside it for an intruder to work with.
Lastly, unikernels are green. Computers need electricity to run. A computer running thousands of unikernels, operating at high efficiency, is going to get a lot more work done per watt than a single machine running underutilized VMs or containers running bloated images.
However, unikernels are not presently a panacea for modern computing. Remember, please, that unikernels are meant to represent a single service. Thus, applications that are varied and meant to support multiple users are not grist for the unikernel mill.
Unikernels are going to require a different approach to programming and debugging, particularly when it comes to programming language support. Thus, there is a significant learning curve to be overcome. Unikernels might be small and fast, but until there is significant programming activity with all popular languages in the space, along with robust debuggers, unikernels will remain a boutique technology.
Putting It All Together
The potential around unikernels is enormous. The technology addresses many of the shortcomings that exist in virtual machine and container technologies, particularly around security. Small footprints and fast loading times mean that unikernels might bring the promise of microservices to prime time. However, the technology is still in its infancy in the general population. Once the issues of programming versatility and debugging are addressed, the technology will be a formidable presence on the technical landscape.
Russell Pavlicek's Presentation on the Power of Unikernels.