Most technologists have heard about software containers (or simply “containers”), a technology popularized by Docker, an open platform for building, shipping and running distributed applications in containers. Containers share the host operating system to create a capsule, of sorts, that contains your application.
They are increasingly popular, but they are not a panacea for all the new challenges cloud computing presents. Problems, mainly pertaining to security, tend to hold this technology back. However, a new technology on the rise, unikernels, holds great promise for the next generation of cloud infrastructure.
For this slideshow, the Xen Project provides background on what this new technology is, how it fits within the greater cloud infrastructure ecosystem, why it’s well-suited to the future of cloud computing, how it compares with containers, and how to choose between the unikernels and containers to best support the needs of specific IT environments.
Unikernels vs. Containers
The New Needs of the Cloud
At its inception, cloud computing was focused on services and orchestration. Now that this goal has been accomplished, the needs of cloud computing have shifted to create workloads that are better suited to the cloud: workloads that are lightweight and agile, yet just as powerful and more secure than their predecessors. This has given rise to technologies like containers and unikernels, whose purpose is to make the packaging and distribution of applications lighter, faster and more efficient. But where do they fall short in this goal and what types of environments might work best for one over the other?
What Is a Unikernel?
A unikernel is an entire application stack, from operating environment to the application itself, rolled into a single executable. There is no general-purpose operating system, no assortment of utilities, no collection of device drivers; just a single program that sits bare and alone in a virtual machine. The result is a tiny, agile and secure package, which is ideal for the cloud. The unikernel concept has long been used in embedded systems, where a standalone program is burned into the chips of an intelligent device. But the concept of creating cloud-ready unikernels to run workloads in the data center is entirely new. From web servers to network function virtualization (NFV) to databases, the unikernel concept can revolutionize the cloud as we know it.
Unikernels: A Perfect Fit for Cloud
Elasticity and agility are both key concepts in the cloud. Traditional data center workloads are large and slow, requiring lots of resources and taking time to start and stop as needed. Unikernels take those same workloads and make them much smaller and much quicker. By stripping away the unneeded parts of the application stack, many tasks can be packaged into tiny VMs a fraction of their traditional size, which can be created in less than a second. This has given rise to transient microservices: services that are born when a need appears and die as soon as it disappears. This becomes a theoretical backplane for concepts like the Internet of Things (IoT), in which millions, billions or even trillions of devices will need to register every button pushed and every switch flipped. We don’t need millions of VMs sitting idle, taking up valuable resources while waiting for something to happen; we need transient microservices that appear the instant the button is pushed and disappear the moment the job is done. IoT is just one of many new ideas that will benefit from unikernel technology.
A Deeper Look at Containers
Unlike traditional hypervisors, containers use a shared operating system: they all rest upon a single Linux instance, which is used to create a small capsule around each application and then deploy it. There has been some debate in the community about whether containers will take over the role of the hypervisor, but this is a moot point given the issue of security in the cloud. It has become absolutely clear in recent times that the cloud needs more security. Containers are working to improve their security, but hypervisors already have the isolation needed for true multi-tenant solutions. The combination of hypervisors with unikernels helps raise the bar for cloud security.
Unikernels Compared to Containers
Unikernels offer the very same desirable attributes described by container proponents, with the addition of impressive security that few other solutions can match. They deliver impressive flexibility, speed and versatility for cross-platform environments. And, like container-based solutions, unikernels are easy to deploy. They also retain the rich hypervisor ecosystem and enable isolation, live migration and robust SLAs. Additionally, unikernels provide container-like properties such as sub-second boot time, density and simplicity. They also offer an extremely tiny, specialized runtime footprint that is much less vulnerable to attack.
The Best Environment for Unikernels
Unikernels are poised to become the core of a new form of cloud computing, where a single hypervisor instance can support hundreds or even thousands of VMs. Network protection services, network routing and software-defined networking are great places for unikernels. Early adopters are also using them to run websites, critical systems infrastructure and cutting-edge research. One example is HaLVM, which has been used to provide a reliable, secure VPN solution for laptops and to implement a variety of network services, including encryption nodes, random number generators and network sensors. Anyone needing a lightweight, single-service component that can be brought up and down quickly, or needing massive scalability, should consider this new technology.
The Best Environment for Containers
Again, containers are lightweight and there are some instances where they might be a good strategy, but it would have to be an environment where security is not a top concern, e.g., inside an organization where you don’t have a big internal security risk factor.
Using Unikernels and Containers Together
These two technologies can coexist nicely in the same environment. If your applications are deployed in a low-security situation, such as internally at an organization or within a local lab where the users are considered trustworthy, you can leverage container technology, which is very easy to create and deploy. If you have an application that needs to withstand the less secure Internet world, then unikernels would be a good choice. Most organizations have a variety of each of these applications, so the two technologies pair nicely together. As cloud orchestration software is expanded to handle both Docker-based containers and unikernels, it will become even easier to have both technologies coexisting in a single data center.