Unikernel

What Are Unikernels?

Unikernels are specialised, single-address-space machine images constructed by using library operating systems.

In other words, unikernels are small, fast, secure virtual machines that lack operating systems.

Its biggest selling point is that there is no division between user space and kernel space: there is only one contiguous address space. As a result, a unikernel can run only one application, and from that application's point of view there is no hardware abstraction at all; every piece of logic, both the application logic and the logic that drives the hardware, lives in the same address space.

So a unikernel is a kernel image with a single memory space in which only one application runs. What is good about that? Why should I give up Linux for what looks like a stripped-down kernel? The answer is: small, fast, secure.

Unikernel images are very small: a DNS server implemented with MirageOS is only 184 KB, and a web server 674 KB, which is astonishingly small. Next comes speed, above all startup speed. Because the images are so small, starting and stopping take milliseconds, far faster than a traditional kernel. Finally there is security: generally speaking, something small is relatively more secure. A unikernel has no shell, no password file and no superfluous device drivers, which makes it harder to attack.


Unikernel Architecture

A unikernel removes the operating system from the server stack: the application runs directly on the hypervisor or on the hardware. The aim is to strip away some of the complexity that modern operating systems bring, because a "general-purpose" operating system (any Linux or Windows distribution) usually ships with drivers, dependency packages, services and so on that your application does not need.


Developing and Testing Unikernels

How unikernels are developed and tested in practice deserves attention. During development, the developer can assume they are working on a traditional operating system, with all kernel-related functionality provided, for the time being, by the development machine's OS.

In the test environment, most unikernel implementations build the application code together with the kernel modules it needs into a unikernel, then run it on top of a traditional operating system and use that OS's tooling to test it. Rumprun, for example, can run a Rumprun unikernel VM under KVM/QEMU and then be debugged with GDB on the host OS.

For more on debugging, see https://news.ycombinator.com/item?id=10954132

Release is the simplest stage for a unikernel. The final artifact is a kernel image, which can run on a hypervisor, on bare metal and in many other environments.

So the biggest difference between unikernels and the traditional software process lies in debugging and testing. At release, the traditional approach ships an application or a container image, whereas a unikernel ships a highly customised kernel.

Current unikernel projects include MirageOS, HaLVM, ClickOS and Rumprun, among others.

More projects: http://unikernel.org/projects/


The Problem: Our Fat, Insecure Clouds

When cloud computing burst on the scene, there were all sorts of promises made of a grand future. It was said that our compute farms would magically allocate resources to meet the needs of applications.

Resources would be automatically optimized to do the maximum work possible with the assets available. And compute clouds would leverage assets both in the datacenter and on the Internet, transparently to the end user.

Emphasis was placed on developing excellent cloud orchestration engines that could move applications with agility throughout the cloud.

That (the cloud orchestration engine) was an entirely appropriate focus, as the datacenter in the time before the cloud was both immobile and slow to change. Many system administrators could walk blindfolded through the aisles of their equipment racks and point out what each machine did for what department, stating exactly what software was installed on each server. The placement of workloads on hardware was frequently laborious and static; changing those workloads was a slow, difficult, and arduous task, requiring much verification and testing before even the smallest changes were made on production systems.

The advent of cloud orchestration software (OpenStack, CloudStack, OpenNebula, etc.) altered all that, and many of us were very grateful. The ability of these orchestration systems to adapt and change with business needs turned the IT world on its head. A new world ensued, and the promise of the cloud seemed to be fulfilled.


Security Is a Growing Problem

However, as the cloud era dawned, it became evident that a good orchestration engine alone is simply not enough to make a truly effective cloud.

A quick review of industry headlines over the past few years yields report after report of security breaches in some of the most impressive organizations.

Major retailers, credit card companies, even federal governments have reported successful attacks on their infrastructure, including possible loss of sensitive data. For example, in May 2016, the Wall Street Journal ran a story about banks in three different countries that had been recently hacked to the tune of $90 million in losses. A quick review of the graphic representation of major attacks in the past decade will take your breath away. Even the US Pentagon was reportedly hacked in the summer of 2011. It is no longer unusual to receive a letter in the mail stating that your credit card is being reissued because credit card data was compromised by malicious hackers.

to the tune of: amounting to as much as
take your breath away: to astonish


Reference

Official site: http://unikernel.org/
https://www.oreilly.com/library/view/unikernels/9781492042815/
https://www.oreilly.com/library/view/unikernels/9781492042815/ch01.html
http://dockone.io/article/1379