Like the fabled unicorn, there’s an air of mystery around unikernels. When Docker acquired Unikernel Systems in 2016, it was as if unikernel technology materialized from nowhere into the spotlight, only to disappear again as quickly. In a world dominated by containerization and virtualization, the unikernel is wrongly overlooked. Unikernels can help make data centers hum by slashing processing power and storage requirements. Let’s take a closer look.


Unikernels: injecting the OS into the application

The idea is to inject lightweight, simple applications with a compact, tailored operating system (the unikernel) that provides just enough functionality. By eliminating the need for a separate operating system (OS), the application can be run directly on a virtual computer.

The problem with a general-purpose OS such as Linux or Windows is that it is usually quite heavy: the average OS footprint is around 2 GB. These OSs were built to support many different applications. Running a single application on top of such an OS therefore always means that you have tons of idle software functions doing nothing but wasting resources.

For cloud applications these wasted resources translate into a need for more hardware, more electricity, more cooling and more maintenance, all of which make running your data center more expensive. Furthermore, the large size of those applications means they take longer to load and start up, so you lose agility. All this erodes two of the cloud's major benefits: efficiency and flexibility.

By contrast, with unikernels the OS injected into an application corresponds exactly to its specific and essential needs. No other resources are wasted. Consequently, unikernel applications are comparatively lightweight and require fewer hosting servers, less processing power, storage and memory space. They are also much faster to get up and running.

Unikernels can also significantly improve application security. Due to their static, watertight nature and spare use of code, a unikernel’s behavior is very difficult to change. Put simply, unikernel applications are vastly harder to hack into than others.

Unikernels are ideal for load balancing and firewalls

A unikernel's tiny size, which averages around 8 MB, makes it suitable only for lightweight applications. An ideal scenario is a data center that runs a virtual network on top of its infrastructure with load balancing and firewalls. In most setups like this, the two applications (or functions) must be executed in various different parts of the network.

Today, these applications are mostly virtualized, which means each of them still requires a full guest OS. That OS is needed in addition to the hypervisor, or virtual machine monitor (VMM), that runs the virtual machines.

How unikernels differ from containers

Containers such as Docker create an abstraction that allows you “to contain” an application within it. They are excellent at packaging up an existing application with all of its dependencies. You can then easily spin them up, down and scale out. However, all containers running on the same host share the same OS kernel on top of the hypervisor. In other words, despite being virtual, the traditional stack consisting of application and OS is merely replicated, with all its downsides, security and performance implications.

[Figure: Unikernels vs. containers. Source: IncludeOS]

As we mentioned above, unikernels work by merging the OS with the application, and they typically run on a hypervisor. The app running inside the unikernel doesn't share any code with what is running inside the other virtual machines on the same host. Currently, unikernels can add value in creating small, fast and ultra-scalable services that operate further down the stack than a container does. The following use case from Basefarm shows how this looks in practice.

Basefarm uses unikernels for load balancing and firewall

Basefarm, a managed IT service provider for hundreds of customers across Europe, turned to IncludeOS to substitute its load balancing and firewall functions with unikernels.

Basefarm has a large, complex network of thousands of Windows- and Linux-based virtual machines spread across several data centers. Today, most of their machines are virtualized, running on several different hypervisors, with VMware’s vCenter dominant.

Compared to Linux-based virtual machines, IncludeOS unikernels are tiny. Depending on workload, instances can be deployed with as little as 64 MB of memory and about 10 MB of storage. Experiments have shown that IncludeOS requires 5 to 20 percent less processor usage than Linux in a classic virtual machine to perform the same task.

With this unikernel approach, Basefarm can use its server resources more efficiently than before. Its CPU performance and memory allocation are improving. As it runs thousands of instances, the savings become more significant. This also allows Basefarm to choose the network topology without having to optimize for cost. Since a unikernel instance requires only around 1/32 of the memory, instances can be placed wherever it makes sense, network-wise.
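To see what the memory and CPU figures above mean for host count, here is a small capacity model added to this article; it is not IncludeOS or Basefarm code. The per-instance figures come from the text (roughly 2 GB for a general-purpose guest OS, 64 MB for an IncludeOS instance, and a 5 to 20 percent CPU reduction, of which the conservative end is used). The host size, the vCPU overcommit ratio and the one-vCPU-per-instance baseline are constructed assumptions, as is the instance count.

```python
"""Capacity model: how many hypervisor hosts are needed to run N small
network-function instances (load balancers, firewalls) as Linux VMs
versus as unikernels. Added illustration, not IncludeOS/Basefarm code."""
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class Host:
    ram_mb: int
    vcpus: int
    overcommit: float = 1.0  # vCPU overcommit ratio permitted on the host (assumption)


@dataclass(frozen=True)
class Profile:
    name: str
    ram_mb: int        # memory reserved per instance
    cpu_units: float   # CPU demand per instance; 1.0 = one vCPU fully busy


# Figures taken from the article: ~2 GB per general-purpose guest, 64 MB per
# IncludeOS instance. CPU demand of 1.0 per Linux instance is an assumed
# baseline; 0.95 reflects the conservative 5 percent reduction quoted.
LINUX_VM = Profile("linux-vm", ram_mb=2048, cpu_units=1.0)
UNIKERNEL = Profile("includeos", ram_mb=64, cpu_units=0.95)


def hosts_needed(instances: int, p: Profile, host: Host) -> dict:
    """Hosts required when packing `instances` copies of profile `p`.

    Memory and CPU are separate constraints; the binding one decides."""
    if instances < 0:
        raise ValueError("instance count must be non-negative")
    by_ram = math.ceil(instances * p.ram_mb / host.ram_mb)
    by_cpu = math.ceil(instances * p.cpu_units / (host.vcpus * host.overcommit))
    return {"ram_bound": by_ram, "cpu_bound": by_cpu, "hosts": max(by_ram, by_cpu)}


def compare(instances: int, host: Host) -> dict:
    """Side-by-side host count for the two profiles plus the memory ratio."""
    return {
        "linux": hosts_needed(instances, LINUX_VM, host),
        "unikernel": hosts_needed(instances, UNIKERNEL, host),
        "memory_ratio": LINUX_VM.ram_mb / UNIKERNEL.ram_mb,
    }


if __name__ == "__main__":
    # Constructed example: 256 GB / 64 vCPU hosts, 4:1 overcommit, 2000 instances.
    host = Host(ram_mb=256 * 1024, vcpus=64, overcommit=4.0)
    for name, r in compare(2000, host).items():
        print(name, r)
```

The useful lesson is in which constraint binds: with 2 GB guests the memory column dominates and the 1/32 memory ratio is what you see in the host count, but once each instance needs only 64 MB the limit shifts to CPU, so the remaining saving is governed by the 5 to 20 percent processor difference, not by the memory ratio. Change `overcommit` or `cpu_units` to explore your own hosts.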

As the project is in its infancy, it’s too early to quantify the savings. However, as Sverre Støkken, lead architect at Basefarm, stated: “if development continues along the same track and grows in functionality, we expect a large-scale implementation of IncludeOS to provide big savings for Basefarm”.

Basefarm’s initial results reflect similar experiences from other companies adopting unikernels. They demonstrate that unikernels are a technology worth considering, especially for data centers running a virtual network on top of their infrastructure. Though not suitable for every type of application, they can be a major cost and resource saver for basic functions such as load balancing, routing and firewalls.

Though not as hyped as containers, unikernels are worthy of greater attention. There is undoubtedly a place for unikernels in the data center. Given their small size, the added performance, efficiency savings and security they provide means that they definitely punch above their weight.

Per Buer is CEO of IncludeOS