This post is a follow up of this post. In Previous Post, we discussed about Virtual Machines & Containers architecture. In this post, we will discuss about Micro VMs & Unikernels.
Micro VMs are light weight VMs which provide isolation by Hardware Virtualization & improved security. Micro VM have a minified kernel, it looks like Container & behaves like a VM. This might be confusing, there is a difference Micro VMs provide Hardware backed isolation and Containers are Operating System based Isolation.
Firecracker is a Virtual Machine Monitor a.k.a Hypervisor which create & manage microVMs using KVM solution. As we discussed in the previous post, KVM uses QEMU to provide Hardware Emulation for I/O Operations.
Firecracker is written in Rust (one of the memory safe language). Currently, AWS Lambda is backed by Firecracker. It intercepts the user request, first spins up a Micro VM & then creates the function to serve requests.
Firecracker provides strong isolation by hardware virtualization. It jails every Micro VMs using a Jailer program, acts as a second line of defense making it more robust.
Its start up time is 125ms which can be reduced when started from a snapshot (4 ms).
In 2014, AWS Lambda is supported by EC2, where an EC2 instance is instantiated for every customer. Then in 2018, Firecracker was introduced to reduce this overhead, it is designed for short lived processes, super powerful when creating a lot of instances (imagine the same with having a full blown VM for every instance). With this lambda serves, around 1.4 trillion request per month.
Reference: https://firecracker-microvm.github.io/
Unikernels are designed to run a single process/application with an immutable OS. It holds a minified version of OS, that is required to run a specific process. It is similar to Container but can run only ONE process. It supports multi-threading, there is no multiple process support hence process scheduler is not required here.
Unikernels runs in the kernel space with single address space model. This is the main difference between VM and Unikernels. VM has Kernel Address Space & User Address Space model, user address Space (where user applications run) are translated/mapped to kernel address space for executing instructions (this prevents the kernel failure due to user application).
Application is compiled to build Unikernel image whose size will be between 500 KB - 32 MB. Unikernels do not have shell & SYSCALLs (since it directly runs on kernel), only function calls are possible which is based on memory address (hard for a attracker to track memory addresses).
Unikernels provide increased security with immutable images & reduced attack surface, faster boot time & more optimization
Reference: http://unikernel.org/blog/2017/unikernels-are-secure
There are various flavours of Unikernels available, Include OS (C++), Mirage OS, Click OS.
OSv is an Operating System specifically designed to run single application in VM. It supports Java, Node, C, C++ applications.
UniK is a compilation & orchestration tool for Unikernel which supports Golang, Java, Nodejs applications.
Firecracker supports both OSv & UniK images.
Reference: https://www.mikelangelo-project.eu/technology/universal-unikernel-osv/

 





