cif16: solo5: building a unikernel base from scratch (dan williams, ibm)

Building a unikernel base from scratch Dan Williams, IBM Research 2016 Unikernels and More: Cloud Innovators Forum January 22, 2016, Pasadena, CA

Solo5

©2016 IBM Corporation 2 20 January 2016

§ For the purposes of this talk, think of MirageOS unikernels – Are tiny VMs running on Xen – Run one program (no more, no less) – Are written in OCaml

§ Many potential benefits – Security – Performance – Ops

Unikernels are great

Xen-based Cloud

OCaml Program


Inside a unikernel

Unikernel

application code

libraries and runtime

unikernel base

OC

aml

C

Hypervisor


§ Low-level hypervisor-interfacing code

§ Example: Mini-OS – Demonstrates Xen PV interface – Used by MirageOS, ClickOS,

HalVM, LING, etc.

Inside a unikernel

Unikernel

application code


unikernel base

OC

aml

C

Hypervisor


§ Built from scratch

§ Available on Github – https://github.com/djwillia/solo5

Solo5: a new unikernel base

Unikernel

application code


Solo5

OC

aml

C

Hypervisor


§ Where a unikernel can run

§ How fast a unikernel can boot

§ What higher layers can do

Why focus on the unikernel base?

Unikernel

application code


unikernel base

OC

aml

C

Hypervisor


§  Different hypervisors expose different abstractions –  Full virtualization (e.g., KVM/QEMU) –  Paravirtualization (e.g., Xen PV) – Mini-OS was designed for Xen PV

§  Device interfaces –  PV device access (Xen, virtio) –  Physical device access (SR-IOV)

§  Defined by interaction between hypervisor and unikernel base

Where a unikernel can run

Mini-OS

Xen PV

Solo5

KVM/QEMU


§  20ms boot time – ClickOS and Jitsu – Both built on mini-OS

§  Is PV essential?

§ What is the role of the hypervisor toolstack vs. the unikernel base?

How fast a unikernel can boot

Image from: https://github.com/mirage/jitsu

§  Defined by interaction between hypervisor and unikernel base


§ Base for language runtime – MirageOS (OCaml), LING (Erlang), HalVM (Haskell), etc.

§ Base for native applications – ClickOS (Click router), etc.

§ Exposing primitives – Memory protection or tracing – Address space layout randomization – Support for thread/event model

What higher layers can do


§  The unikernel base is fundamentally important!

§  The best way to really understand (and then innovate on) this layer is to build one (Solo5)

§  But hopefully it can be useful to others – Ensure existing higher layers still work à MirageOS – Broaden where MirageOS can run à KVM/QEMU

§  Solo5 runs MirageOS on KVM/QEMU

Summary


§ Why focus on the unikernel base?

§ How to build a unikernel base (Solo5) from scratch

§ How you can try it out

Roadmap


MirageOS in a bit more detail

§ Application (OCaml) Config

files App

Code



§ Application (OCaml)

§ OCaml libraries TCP/IP HTTP

serving Lwt FS Config files

App Code




§ OCaml libraries

§ Platform bindings – OCaml runtime – Calls out to a subset

of libc– Calls out to some

Xen-specific functions

TCP/IP HTTP serving Lwt FS Config

files App

Code

mirage-platform bindings





§ Platform bindings

§ Drivers – Written in OCaml – Xen PV split model – Call out to platform


files App

Code

mirage-net-xen

mirage-blk-xen

mirage-console-xen




Mini-OS kernel

Low-level Xen PV primitives




§ Drivers

§ Unikernel base – Contains some libc– Low-level Xen info


files App

Code

Xen PV

mirage-net-xen

mirage-blk-xen

mirage-console-xen




Mini-OS kernel





§ Drivers

§ Unikernel base

§ Tooling

VM


files App

Code

Xen PV

mirage-net-xen

mirage-blk-xen

mirage-console-xen



MirageOS on Solo5

Mini-OS kernel


§ Application (OCaml) TCP/IP HTTP

serving Lwt FS Config files

App Code

mirage-net-xen

mirage-blk-xen

mirage-console-xen



MirageOS on Solo5

Mini-OS kernel



§ OCaml libraries – No changes!


files App

Code

mirage-net-xen

mirage-blk-xen

mirage-console-xen



MirageOS on Solo5

Mini-OS kernel




§ Platform bindings – OCaml runtime – Calls out to a subset

of libc– Rewrite Xen-specific

functions


files App

Code

mirage-net-xen

mirage-blk-xen

mirage-console-xen



MirageOS on Solo5

Mini-OS kernel






§ Drivers – virtio instead of Xen – Access PCI bus – Solo5 drivers do most

of the work in C with wrappers in OCaml


files App

Code

mirage-net-solo5

mirage-blk-solo5

mirage-console-solo5

virtio net driver

virtio blk driver console driver


MirageOS on Solo5

Solo5 kernel

Low-level HW primitives





§ Drivers

§ Unikernel base – Some libc– HW initialization – Memory, Interrupts – No threads, address

spaces


files App

Code

mirage-net-solo5

mirage-blk-solo5


virtio net driver


KVM/QEMU


MirageOS on Solo5




§ Drivers

§ Unikernel base

§ Tooling – mirage tool – Makefile

VM


files App

Code

mirage-net-solo5

mirage-blk-solo5



Solo5 kernel virtio net driver


Low-level HW primitives

KVM/QEMU


§ Why focus on the unikernel base?

§ How to build a unikernel base (Solo5) from scratch

§ How you can try it out

Roadmap


§  On a Linux host with the KVM module

§  Build and run from a Docker container –  Fetch the image

–  Start a privileged container

–  Enter the container

–  Build and run!

How you can try it out

dockerpulldjwillia/solo5-mirage

dockerrun–dprivileged–namesolo5-mirage–tdjwillia/solo5-mirage

dockerexec–itsolo5-mirage/bin/bash-l

cd~/solo5makeconfig_consolemakekvm


§ Boot time investigation – A bootable iso in KVM/QEMU will be too slow – What about KVM/lkvm?

§ How much of Solo5 can be pushed: – Down into the hypervisor? – Up into MirageOS (OCaml)?

§ What should the hypervisor/unikernel base interface be?

Next steps with Solo5


§ Bare unikernel base to build from – https://github.com/djwillia/solo5

§ MirageOS on Solo5 on KVM/QEMU – https://github.com/djwillia/solo5/tree/mirage

§ Contact me! – [email protected]

Thank you!

|___|__|_\|_\__\\__\(||(|)|____/\___/_|\___/____/helloworld

cif16: solo5: building a unikernel base from scratch (dan williams, ibm)

Technology