Unikraft is a fast, secure and open-source Unikernel Development Kit

This page summarizes the projects mentioned and recommended in the original post on news.ycombinator.com.

  • unikraft

    A next-generation cloud native kernel designed to unlock best-in-class performance, security primitives and efficiency savings.

  • You can think of unikernels as a single-process VM, there's nothing else running other than the application. Unikraft just facilitates the runtime of the application to be able to run as a VM or on baremetal. There's no shell, so you can't instantiate another program from disk. If the application wishes to read and write from an attached storage, it can, but it can't start another process. Starting another process is a bit trickier since there is no fork to execute another process. Interesting work is being done to enable multi-threading across cores via SMP[0] however and to provide fork-like ability but with regard to the application's logic[1] and not a wider multi-processing environment. I hope this clarifies things.

    [0]: https://github.com/unikraft/unikraft/pull/244

    [1]: https://xen2021.sched.com/event/jAME/cloning-unikernels-on-x...

  • click

    The Click modular router: fast modular packet processing and analysis (by kohler)

  • It's possible to create an IPSec + firewall based on the Click Modular Router[0] and run this on top of Unikraft[1].

    [0]: https://github.com/kohler/click/wiki/IPsecEncap (and other IPSec* elements)

    [1]: https://github.com/unikraft/app-click

    It could make for an interesting tutorial with a full Click-based IPSec router though! :)

  • app-click

    Click Modular Router on Unikraft

  • docs

    The front page and documentation for the Unikraft Open-Source Project. (by unikraft)

  • Thanks for the feedback, we're in the process of adding a security section[0] which will detail more on the on-goings, but we'll work on adding more highlights on the main page.

    I need to highlight we have separate research[1][2] which will make its way upstream soon which aims to provide hardening between internal libraries (e.g. isolating the network stack or scheduler) using gates like Intel MPK or separate hardware-accelerated services.

    [0]: https://github.com/unikraft/docs/pull/32

    [1]: https://project-flexos.github.io/

    [2]: https://github.com/project-flexos/unikraft

  • unikraft

    FlexOS is a Unikraft-based OS allowing users to easily specialize the safety and isolation strategy at compilation time. (by project-flexos)

  • pykraft

    Discontinued Python library for configuring and building unikernels

  • 1. We build unikernels using the 'kraft container' which is a Docker/OCI image[0][1] which has the necessary build tools to build Unikraft unikernels. We plug this into Concourse which builds thousands of combinations of Unikernels[2] as part of our code review process[3]. In addition to this, we have ongoing research and tooling to help automatically discover permutations of Unikernel builds[4].

    2. Really great question, but mostly you can expect the same functionality of an application when it runs as a unikernel because the application "thinks" it's still running in a traditional OS environment -- as it should be. Check out this documentation[5] (after step 7) about porting, it has snippets about where the boundary sometimes breaks.

    3. Well, general-purposes are not suited for deployment environments. Installing Gentoo (or Ubuntu, Debian, for that matter) is a waste of resources if you only SSH in once to install your desired application.

    [0]: https://unikraft.org/docs/usage/install/#docker

    [1]: https://github.com/unikraft/kraft/tree/staging/package/docke...

    [2]: https://builds.unikraft.io

    [3]: https://unikraft.org/docs/contributing/review-process/#stage...

    [4]: https://github.com/lancs-net/wayfinder

    [5]: https://unikraft.org/docs/develop/porting/#providing-build-f...

  • wayfinder

    wayfinder: OS Configuration Micro-Benchmarking Framework (by lancs-net)

  • Seastar

    High performance server-side application framework

  • Have a look at Seastar http://seastar.io/

    Running the server in the same address space as the (uni)kernel can have a major impact on performance for I/O bound apps, cutting off system calls and task switching overhead.

  • nanos

    A kernel designed to run one and only one application in a virtualized environment
