unleashing the power of unikernels with unikraft€¦ · server: intel xeon e5-1630 v3 [email protected]...
TRANSCRIPT
Unleashing the Power of Unikernels with
Unikraft
Felipe Huici [email protected] Systems and Machine Learning Group NEC Laboratories GmbH, Heidelberg
EU H2020 Superfluidity
2 © NEC Corporation 2018
Who am I?
▌ Chief Researcher @ l NEC Laboratories in Heidelberg, Germany l Systems and Machine Learning Group
3 © NEC Corporation 2018
The Container Craze
▌ “Google runs all services in containers” ▌ Container-as-a-Service services: l Amazon Lambda, EC2 Container Service l Google Container Engine l Azure Container service l and so on…
4 © NEC Corporation 2018
The Container Advantage
▌ Very fast instantiation times l 100s ms ▌ Small per-instance memory footprints l 10-100 MBs ▌ High density l 100-1000 instances on same host
VMs
5 © NEC Corporation 2018
The Unsafe Container
▌ Kernel API difficult to secure, lots of exploits ▌ An unsafe container affects all other containers on host l This includes DoS/exhaustion attacks (e.g., forkbombs, etc.)
200 250 300 350 400
2002 2004 2006 2008 2010 2012 2014 2016 2018
No.
of s
ysca
lls
Linux Release Year
6 © NEC Corporation 2018
Isolating Workloads Pick Your Poison
Lightweight
Iffy isolation
Strong isolation
Heavy weight ?
Virtualization
Hardware
Hypervisor
VM
apps
GuestOS(Linux)
libs
VM
apps
GuestOSFreeBSD
libs
VM
apps
GuestOSWindows
libs
vs. Containers
Hardware
Host OS (Linux)
libs/services
apps
container
apps
container
apps
container
7 © NEC Corporation 2018
Isolating Workloads
Lightweight
Iffy isolation
Strong isolation
Heavy weight ?
Virtualization
Hardware
Hypervisor
VM
apps
GuestOS(Linux)
libs
VM
apps
GuestOSFreeBSD
libs
VM
apps
GuestOSWindows
libs
Containersvs.
Hardware
Host OS (Linux)
libs/services
apps apps apps
container container container
Dispel the myth that VMs are heavyweight
9 © NEC Corporation 2018
Standard VM: Application on Top of Distro
Kernel
User Application(s)
3rd Party Applications
Libraries
Services
10 © NEC Corporation 2018
Most of the VM not Used…
Nginx
Kernel
Services
Libraries
User Application
memcached bash 3rd Party Applications
libc
libssl
ssh
init
ext4 netfront blkfront
11 © NEC Corporation 2018
Specialization in Practice
▌ Standard OS/VM/container: lots of unnecessary code = lots of overhead (and potentially bugs/security issues)!
Nginx
Kernel
Services
Libraries
User Application
memcached bash 3rd Party Applications
libc
libssl
ssh
init
ext4 netfront blkfront
Nginx
memcached
bash
libc
libssl
ssh
init
ext4
netfront blkfront
▌ Unikernel: only what’s needed is there
Nginx
Kernel
Services
Libraries
User Application
memcached bash 3rd Party Applications
libc
libssl
ssh
init
ext4 netfront blkfront
unused!
unused!
unused!
unikernel general-purpose OS
12 © NEC Corporation 2018
Unikernels - A Few More Details
app 1
US
ER S
PA
CE
app 2
app N
driver1
driver2
GENERAL-PURPOSE OPERATING SYSTEM
(e.g., Linux, FreeBSD)
KER
NEL
SP
AC
E
driverN
Vdriver1
vdriver2
app
MINIMALISTIC OPERATING SYSTEM (e.g., MiniOS, OSv)
SIN
GLE A
DD
RES
S
SP
AC
E
13 © NEC Corporation 2018
When do I want a Unikernel?
▌ Unikernels are applicable to many domains!
Fast boot, migration destroy
Resource efficient
High performance
Mission critical
Minimal SW stack Reactive VNFs, Lambda Functions, …
Minimal SW stack Per-customer VNFs, IoT, MEC, …
Small code base à cheap verification Strong isolation
Automotive, Industrial-grade, …
Specialization NFV, MEC, …
15 © NEC Corporation 2018
In Numbers: Instantiation Times
100
101
102
103
104
105
0 200 400 600 800 1000
Tim
e [m
s]
Number of running guests
Process Create
Process: 0.7ms-10ms
Server: Intel Xeon E5-1630 v3 [email protected] (4 cores), 128GB DDR4 RAM, Xen/Linux versions 4.8
16 © NEC Corporation 2018
In Numbers: Instantiation Times
100
101
102
103
104
105
0 200 400 600 800 1000
Tim
e [m
s]
Number of running guests
Process Create Docker Boot
Docker: 150ms-550ms
Server: Intel Xeon E5-1630 v3 [email protected] (4 cores), 128GB DDR4 RAM, Xen/Linux versions 4.8
17 © NEC Corporation 2018
In Numbers: Instantiation Times
100
101
102
103
104
105
0 200 400 600 800 1000
Tim
e [m
s]
Number of running guests
Docker Boot Debian Boot Debian Create
Server: Intel Xeon E5-1630 v3 [email protected] (4 cores), 128GB DDR4 RAM, Xen/Linux versions 4.8
Debian: 2.6-82 secs
18 © NEC Corporation 2018
In Numbers: Instantiation Times
100
101
102
103
104
105
0 200 400 600 800 1000
Tim
e [m
s]
Number of running guests
Docker Boot Debian Boot Debian Create
Traditional VMs are in fact heavy-weight
Server: Intel Xeon E5-1630 v3 [email protected] (4 cores), 128GB DDR4 RAM, Xen/Linux versions 4.8
Debian: 2.6-82 secs
19 © NEC Corporation 2018
In Numbers: Instantiation Times
100
101
102
103
104
105
0 200 400 600 800 1000
Tim
e [m
s]
Number of running guests
MiniOS Boot MiniOS Create
Server: Intel Xeon E5-1630 v3 [email protected] (4 cores), 128GB DDR4 RAM, Xen/Linux versions 4.8
unikernel:, 163ms-1.4secs
20 © NEC Corporation 2018
In Numbers: Instantiation Times
100
101
102
103
104
105
0 200 400 600 800 1000
Tim
e [m
s]
Number of running guests
MiniOS Boot MiniOS Create
Server: Intel Xeon E5-1630 v3 [email protected] (4 cores), 128GB DDR4 RAM, Xen/Linux versions 4.8
unikernel:, 163ms-1.4secs
Unikernels can be almost as fast as containers
21 © NEC Corporation 2018
In Numbers: Instantiation Times
100
101
102
103
104
105
0 200 400 600 800 1000
Tim
e [m
s]
Number of running guests
MiniOS Boot MiniOS Create
Server: Intel Xeon E5-1630 v3 [email protected] (4 cores), 128GB DDR4 RAM, Xen/Linux versions 4.8
unikernel:, 163ms-1.4secs
Can we make them faster?
23 © NEC Corporation 2018
Dom0 (Linux/NetBSD)
Hardware (CPU, Memory, MMU, NICs, …)
Xen Hypervisor
libxc libxs
libxl toolstack
xlNIC
drivers
block
SW switchvirt
drivers
netback
DomU 1
netfront
xenbus
OS (Linux)
apps
xenbus
Xenstore
A Quick Xen Primer
24 © NEC Corporation 2018
Creation Times – Breakdown (unikernel)
0200400600800
10001200140016001800
0 200 400 600 800 1000
Time
[ms]
Number of running guests
toolstackload
devicesxenstore
hypervisorconfig
Biggest culprits: XenStore and device creation
* Note: Spikes in graph due to XenStore’s log rotation
25 © NEC Corporation 2018
Xen Hypervisor
What’s Wrong with the XenStore?
Frontend (VM)
Backend (dom0)
xltoolstack
Xenstore
Create device x3 Notify Notify Write status Notify
x6 Notify More than 30 Xenstore entries are used per device,
resulting in hundreds of XenStore accesses.
26 © NEC Corporation 2018
LightVM Architecture
1. Chaos – specialized toolstack (xl replacement)
2. Noxs - no XenStore 3. Split toolstack 4. Xendevd – optimized
hotplug script
Dom0 (Linux/NetBSD)
chaos
NIC
drivers
block
SW switch
virt
drivers
netback
libxc
xendevd
libchaos(prepare)
chaosdaemon
libchaos(execute)
NOXS
27 © NEC Corporation 2018
1. Chaos - Specialized Toolstack
▌ Complete re-write of toolstack for paravirtualized guests l Replaces xl à chaos l Replaces libxl à libchaos
▌ Includes framework for easily plugging in different elements of a toolstack (e.g., use the XenStore or not)
28 © NEC Corporation 2018
2. NoXS – Xen without a XenStore
3
netback
dom0 NWfrontend
netfront
NWbackend
toolstack
hypervisorbackend-id event channel id grant reference
memory page
2
hype
rcal
l
hype
rcal
l 1 device create
4
NOXS
ioct
l
backend-id event channel id grant reference
29 © NEC Corporation 2018
3. Split Toolstack
▌ Insight: a significant portion of the code does not need to be executed at VM creation time l Functionality common to all VMs (e.g., mem alloc) can be pre-
executed
▌ Split toolstack into two: l Pre-create phase: run by a daemon, periodically l Run-time phase: run when VM creation commands (and others) are
issued
30 © NEC Corporation 2018
4. Xendevd – Hotplug Script
▌ Xen uses either a bash script or udevd to add virtual interfaces to software switch l Slow: 10s of milliseconds, slows creation/boot times
▌ Replace with xendevd, binary daemon l Listens to udev events from netback, execute pre-defined setup (e.g.,
add vif to OVS)
31 © NEC Corporation 2018
Evaluation – Unikernels We Used
▌ Noop unikernel: self explanatory J ▌ Daytime unikernel: TCP server that responds with current time ▌ Minipython: Port of Micropython to MiniOS ▌ TLS unikernel: TLS termination proxy ▌ Ping unikernel: also self-explanatory
Sample sizes: • Daytime - 480KB disk, 3.4MB RAM • Minipython - 3.52MB disk, 8MB RAM • TLS – 3.58MB disk, 8MB RAM
32 © NEC Corporation 2018
In Numbers: Instantiation Times with LightVM
Server: 4 x AMD Opteron 6376 [email protected] (64 cores total), 128GB DDR3 RAM, Xen 4.8/Linux 4.8 LightVM: http://sysml.neclab.eu/projects/lightvm Guests: Noop/Unikernel and Noop Docker image / No devices
Docker: 150 ms-666ms Out of memory
Unikernel: 5.2ms-8.6ms
33 © NEC Corporation 2018
In Numbers: Instantiation Times with LightVM
Server: 4 x AMD Opteron 6376 [email protected] (64 cores total), 128GB DDR3 RAM, Xen 4.8/Linux 4.8 LightVM: http://sysml.neclab.eu/projects/lightvm Guests: Noop/Unikernel and Noop Docker image / No devices
Docker: 150 ms-666ms Out of memory
Unikernel: 5.2ms-8.6ms
Unikernels are even faster & lighter when using an optimized
hypervisor toolstack
34 © NEC Corporation 2018
Checkpointing – Daytime Unikernel
Server: Intel Xeon E5-1630 v3 [email protected] (4 cores), 128GB DDR4 RAM, Xen/Linux versions 4.8
1 2 4 8
16 32 64
128 256
0 200 400 600 800 1000
Tim
e [m
s]
Number of Running VMs
xlchaos+xenstore
LightVM 1 4
16 64
256 1024
0 200 400 600 800 1000
Tim
e [m
s]
Number of Running VMs
xlchaos [XS]
chaos [NoXS]LightVM
(a) Save (b) Restore
35 © NEC Corporation 2018
Migration – Daytime Unikernel
Server: Intel Xeon E5-1630 v3 [email protected] (4 cores), 128GB DDR4 RAM, Xen/Linux versions 4.8
1 4
16 64
256 1024 4096
0 200 400 600 800 1000
Tim
e [m
s]
Number of Running VMs
xlchaos [XS]
chaos [NoXS]LightVM
36 © NEC Corporation 2018
CPU Usage
Server: Intel Xeon E5-1630 v3 [email protected] (4 cores), 128GB DDR4 RAM, Xen/Linux versions 4.8
0
5
10
15
20
25
0 200 400 600 800 1000
CPU
Util
izat
ion
(%)
Number of Running VMs/Containers
DebianTinyx
UnikernelDocker
37 © NEC Corporation 2018
Memory Usage
Server: Intel Xeon E5-1630 v3 [email protected] (4 cores), 128GB DDR4 RAM, Xen/Linux versions 4.8
1 4
16 64
256 1024 4096
16384 65536
0 200 400 600 800 1000
Mem
ory
Usa
ge [M
B]
VM/Container/Process #
DebianTinyx
Docker MicropythonMinipython
Micropython Process
38 © NEC Corporation 2018
Understanding LightVM’s components
Server: Intel Xeon E5-1630 v3 [email protected] (4 cores), 128GB DDR4 RAM, Xen/Linux versions 4.8
1
4
16
64
256
1024
4096
0 200 400 600 800 1000
xl
Cre
atio
n Ti
me
[ms]
Number of Running VMs
39 © NEC Corporation 2018
Understanding LightVM’s components
Server: Intel Xeon E5-1630 v3 [email protected] (4 cores), 128GB DDR4 RAM, Xen/Linux versions 4.8
1
4
16
64
256
1024
4096
0 200 400 600 800 1000
xl
chaos [XS]
Cre
atio
n Ti
me
[ms]
Number of Running VMs
40 © NEC Corporation 2018
Understanding LightVM’s components
Server: Intel Xeon E5-1630 v3 [email protected] (4 cores), 128GB DDR4 RAM, Xen/Linux versions 4.8
1
4
16
64
256
1024
4096
0 200 400 600 800 1000
xl
chaos [XS]chaos [XS+split]
Cre
atio
n Ti
me
[ms]
Number of Running VMs
41 © NEC Corporation 2018
Understanding LightVM’s components
Server: Intel Xeon E5-1630 v3 [email protected] (4 cores), 128GB DDR4 RAM, Xen/Linux versions 4.8
1
4
16
64
256
1024
4096
0 200 400 600 800 1000
xl
chaos [XS]chaos [XS+split]
chaos [NoXS]
Cre
atio
n Ti
me
[ms]
Number of Running VMs
42 © NEC Corporation 2018
Understanding LightVM’s components
Server: Intel Xeon E5-1630 v3 [email protected] (4 cores), 128GB DDR4 RAM, Xen/Linux versions 4.8
1
4
16
64
256
1024
4096
0 200 400 600 800 1000
xl
chaos [XS]chaos [XS+split]
chaos [NoXS] LightVM
Cre
atio
n Ti
me
[ms]
Number of Running VMs
Note: 2.3 ms with all optimizations and no devices
43 © NEC Corporation 2018
The Potential of Unikernels – A Summary
▌ Fast instantiation, destruction and migration time l 10s of milliseconds or less (and as little as 2.3ms)
(LigthVM [Manco SOSP 2017], Jitsu [Madhvapeddy, NSDI 2015])
▌ Low memory footprint l Few MBs of RAM or less (ClickOS [Martins NSDI 2014])
▌ High density l 8k guests on a singlex86 server (LigthVM [Manco SOSP 2017])
▌ High Performance l 10-40Gbit/s throughput with a single guest CPU
(ClickOS [Martins NSDI 2014], Elastic CDNs [Kuenzer VEE 2017])
▌ Reduced attack surface l Small trusted compute base l Strong isolation by hypervisor
45 © NEC Corporation 2018
The (Big) Downside with Unikernels
▌ Each optimized Unikernel is manually built l Building takes several months or longer l Potentially wash, rinse, repeat for each target application
47 © NEC Corporation 2018
Unikraft Goals
▌ Severely reduce development time ▌ Simultaneously target multiple platforms l Xen l KVM l Bare metal (X86_64, ARM32, etc.)
▌ Allow simple customization of the unikernel without having to tweak the actual code
48 © NEC Corporation 2018
The Unikraft Way
Decompose OSes and libraries into primitives Recompose them to meet the needs of particular applications
profiling
memory allocator scheduler
drivers
timers
filesystem network stack
Application(s)
49 © NEC Corporation 2018
The Unikraft Way
profiling
memory allocator scheduler
drivers
timers
filesystem network stack
Application(s)
Once decomposed, we can pick and choose which parts/libraries we actually need for our application
Decompose OSes and libraries into primitives Recompose them to meet the needs of particular applications
50 © NEC Corporation 2018
architecture libs
main libs
platform libs
libarm32arch.o libx86_64arch.o
Libdockerplat.o
Unikernels unicore_docker_x86_64 unicore_bare_x86_64
unicore_bare_ARM32
unicore_bare_MIPS
unicore_xen_x86_64
unicore_xen_ARM32
unicore_xen_MIPS
unicore_kvm_x86_64
unicore_kvm_ARM32
unicore_kvm_MIPS
drivers libconsole.o
libixgbe.o libnetfront.o
network stack liblwip.o libtcpip.o libhttp.o
memory allocators libbuddy.o libheap.o libmempool.o
filesystems libvfs.o libfat.o libext3.o
runtimes libocaml.o libpython.o liberlang.o
schedulers libcoop.o libpreempt.o
librt.o
debug&profiling libgdb.o libucdebug.o
libperf.o
standard libs libc.o
libnewlibc.o libopenssl.o
Unikraft Overview – Everything as a Library
libbaremetalplat.o Libkvmplat.o
libmipsarch.o
libxenplat.o
myapp
SEL
ECT
AP
P
1
SEL
ECT&
CO
NFI
G L
IBS
2
B
UIL
D
3
RU
N
4
51 © NEC Corporation 2018
Two Library Types
▌ Built-in: functionality specific to Unikraft (e.g., ukboot, ukschedpreempt, etc.)
▌ External: software projects external to Unikraft (e.g., lwip, micropython, etc.)
52 © NEC Corporation 2018
Putting Things Together – The Unikraft Build Tool
▌ Kconfig/Makefile based ▌ Type “make menuconfig” ▌ Choose options in the menu that you want for your application ▌ Choose your target platform(s) l Xen, KVM, bare-metal, Linux
▌ Save your config and type “make”
.config
53 © NEC Corporation 2018
Example System
▌ Python Unikernel for KVM on x86_64
liballocbuddy.o
libkvmplat.o libx86_64arch.o
libconsole.o
libfilesystem.o
liblwip.o
libschedcoop.o
apppython.o
Unikernel
54 © NEC Corporation 2018
Example System
▌ VNF Unikernel for KVM on x86_64
liballocbuddy.o
libkvmlat.o libx86_64arch.o
libconsole.o
libfilesystem.o libschedcoop.o
libdpdk.o
unikernel
56 © NEC Corporation 2018
Repo Structure
▌ Clone the main Unikraft repo ▌ Clone any external library repos ▌ Create repo for the actual application
!"" unikraft!"" unikraft-apps│ └── helloworld!"" unikraft-libs│ !"" axtls│ !"" lwip│ !"" micropython│ !"" newlib│ !"" python│ !"" toybox
Unikraft repo (+ built-in libs)
application repo(s)
external libraries repos
57 © NEC Corporation 2018
Hello World – Four Required Files (I)
UK_ROOT ?= $(PWD)/../../unikraft
UK_LIBS ?= $(PWD)/../../unikraft-libs
LIBS := $(UK_LIBS)/newlib
all:
@make -C $(UK_ROOT) A=$(PWD) L=$(LIBS)
$(MAKECMDGOALS):
@make -C $(UK_ROOT) A=$(PWD) L=$(LIBS) $(MAKECMDGOALS)
path to unikraft repo path to external libs external libs needed
Makefile: specify where the main Unikraft repo is, as well as repos for external libraries
58 © NEC Corporation 2018
Hello World – Four Required Files (II)
$(eval $(call addlib,apphelloworld))
APPHELLOWORLD_SRCS-y += $(APPHELLOWORLD_BASE)/main.c
register app with uk Build system
Add main.c to build
Makefile.uk: specifies the sources to build for the application
59 © NEC Corporation 2018
Hello World – Four Required Files (III)
### Invisible option for dependenciesconfig APPHELLOWORLD_DEPENDENCIES bool default y select LIBNOLIBC if !HAVE_LIBC
### App configurationconfig APPHELLOWORLD_PRINTARGS bool "Print arguments" default y help Prints argument list (argv) to stdout
Config.uk: to populate Unikraft’s menu with application-specific option
60 © NEC Corporation 2018
Hello World – Four Required Files (IV)
#include <stdio.h>
/* Import user configuration: */
#include <uk/config.h>
int main(int argc, char *argv[])
{
printf("Hello world!\n");
#if APPHELLOWORLD_PRINTARGS
int i;
printf("Arguments: ");
for (i=0; i<argc; ++i)
printf(" \"%s\"", argv[i]);
printf("\n");
#endif
}
main.c: source file to provide (at least) a main() function
Unikernel entry point after boot
defined by Config.uk
62 © NEC Corporation 2018
How To Port an External Library
▌ Most of the work revolves around ensuring Unikraft supports your lib’s dependencies à we’re working on this! J
▌ Write Makefile.uk and add the external library source files to it ▌ Sometimes a bit of glue code is needed l E.g., in newlib to link POSIX thread creation to Unikraft’s thread library
63 © NEC Corporation 2018
How To Port an External Library – Makefile.uk
################################################################################# Library registration################################################################################$(eval $(call addlib_s,libaxtls,$(LIBAXTLS)))
################################################################################# Sources################################################################################# Nothing here: sources are small and included directly in the uk library repo# Note: sources are from axTLS-2.1.4.tar.gz .
################################################################################# Library includes################################################################################CINCLUDES-y += -I$(LIBAXTLS_BASE)/include \ -I$(LIBAXTLS_BASE)/crypto \ -I$(LIBAXTLS_BASE)/ssl
################################################################################# sources################################################################################LIBAXTLS_SRCS-y += $(LIBAXTLS_BASE)/crypto/aes.cLIBAXTLS_SRCS-y += $(LIBAXTLS_BASE)/crypto/bigint.c…LIBAXTLS_SRCS-y += $(LIBAXTLS_BASE)/crypto/sha512.c
65 © NEC Corporation 2018
Available Libraries
▌ Main Libraries l libfdt • Flat device tree parser
l libnolibc • A tiny libC replacement
l libnewlib (external) • Porting ongoing
l libukalloc • Memory allocator abstraction
l libukallocbbuddy • Binary buddy allocator for libukalloc
l libukargparse • Argument parser library
l libukboot • Unikraft bootstrapping
l libukdebug • Debug and kernel printing • Assertions, hexdump
l libuksched • Scheduler abstraction
l libukschedcoop • Cooperative scheduler for libsched
▌ Architecture Libraries l libarmmath • 64bit arithmetic on ARMv7
▌ Platform Libraries l libxenplat • Xen (PV) • X86_64, ARMv7
l libkvmplat • X86_64
l liblinuxu • Linux userspace • X86_64, ARMv7
66 © NEC Corporation 2018
Coming Soon
More on the way!
l libukschedpreempt • Pre-emptive scheduler
l libukswrand • Software random number generator
l libukvirtio • Virtio driver
l liblwip (external) • Network stack
l libclick (external) • The Click modular router (e.g., for NFV)
l libmicropython (external) • Micropython (Python for embedded devices)
l libcpython (external) • Standard Python
l libaxtls (external) • TLS support for embedded devices
67 © NEC Corporation 2018
A Baseline Example…
▌ Xen PV x86_64 binary
▌ Boots and prints messages to debug console (with min. 208kB RAM)
libnolibc.o
libukboot.o
libukdebug.o
libxenplat.o
unikraft_xen-x86_64.o (50,2kB)
unikraft_xen-x86_64 (32,7kB)
Final linking
69 © NEC Corporation 2018
▌ Recently: Unikraft got released as Xen incubator project l OpenSource development under Xen and LinuxFoundation umbrella
▌ Have look on the Xen Pages and Wiki l https://www.xenproject.org/developers/teams/unikraft.html l https://wiki.xenproject.org/
▌ Drop us an mail l [email protected]
▌ Join our IRC channel l #unikraft on Freenode
▌ We have plenty of open topics, get in touch with us! l http://sysml.neclab.eu
It’s Open Source – Join Us!
This work has received funding from the European Union’s Horizon 2020 research and innovation program under grant agreement no. 671566 (“Superfluidity”). This work reflects only the author’s views and the European Commission is not responsible for any use that may be made of the information it contains.