Beyond Containers: Unikernels and the Future of Secure, Efficient Services
When operating web services, one immediately thinks of containers. Their isolation, namespaces and cgroups on a shared host kernel, lets you run dozens of instances on a single host without issue; you can cap resources and assign permissions per container. Compared to classic VMs this is a tremendous gain: the overhead is far lower. The isolation, however, is weaker. Every container shares the host kernel, so a kernel bug or a misconfigured runtime is a path out, and there have been repeated incidents where attackers escaped the container context.
A VM offers a much stronger boundary: the guest sees only virtualized hardware, and an attacker who owns the guest kernel still has to break the hypervisor. But a VM is heavyweight, because an entire guest operating system has to boot. That means higher resource requirements and limited scalability. Yet there are scenarios today where VMs make sense again, and with the right approach they even become scalable.
The Best of Both Worlds?
We want the resource-efficient scaling of containers combined with the strong isolation of a VM. One answer could be MicroVMs: the device model is cut down to the few virtual devices a guest actually needs, which saves resources, shortens boot time and shrinks the attack surface of the hypervisor. But I want to delve deeper into something that fits perfectly into such a MicroVM: Unikernels.
Unikernels: The Application as the Kernel
With Unikernels, you forgo a classic operating system and link the application directly into the kernel. A Unikernel benefits from a MicroVM, for example, but can be used independently of one. It contains only the features the application actually needs, from the filesystem to the network stack: a kernel tailored to the application. Because application and kernel libraries form a single image in one address space, a system call becomes an ordinary function call; there is no user/kernel transition at all. The flip side is worth stating plainly: there is also no privilege separation inside the image, so the security boundary is the hypervisor, not the kernel.
A very exciting tool for this is Unikraft:
Unikraft is a fast, secure and open-source Unikernel Development Kit.
Unikraft powers the next-generation of cloud native applications by enabling you to radically customize and build custom OS/kernels, unlocking best-in-class performance, security primitives and efficiency savings.
A Simple Start with Unikraft
With a Dockerfile, taking the first steps with Unikernels is child's play. Thanks to the app-elfloader, unmodified Linux ELF binaries can run on Unikraft: the loader maps the binary, and a syscall shim translates the Linux system calls it makes into Unikraft's internal library calls. With a statically compiled Go binary there is nothing else to set up. In fact, in a minimalistic test I even achieved slightly higher performance on my WSL2 than with Docker.
And to integrate Unikernels seamlessly into familiar environments, there is the OCI runtime runu. Container managers can use it to run Unikernels as if they were completely normal containers. Unikraft is something like what Docker was for containers: a super simple entry point and at the same time an enormously powerful tool, for both development and operations.
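The kind of service that makes the Dockerfile route a breeze, as an added example that is not part of the original post and not code from the Unikraft project: a small Go HTTP service compiled with `CGO_ENABLED=0`, so the result is a statically linked Linux ELF that the app-elfloader can run unmodified. The two-stage Dockerfile and the Kraftfile referred to in the header comment are assumptions about the packaging; the image base, the port and the `/healthz` path are constructed for this example.

```go
// main.go: a minimal HTTP service built as a statically linked Linux ELF, the
// shape of binary that runs unmodified under Unikraft's app-elfloader.
//
// Assumed packaging (constructed for this example, not from the Unikraft
// project): a two-stage Dockerfile
//
//   FROM golang:1.22 AS build
//   WORKDIR /src
//   COPY go.mod main.go ./
//   RUN CGO_ENABLED=0 go build -trimpath -ldflags="-s -w" -o /server .
//   FROM scratch
//   COPY --from=build /server /server
//
// and a Kraftfile that points at it (rootfs: ./Dockerfile, cmd: ["/server"]).
// FROM scratch matters: the image carries no shell, no libc and no package
// manager, so there is nothing to land on after a successful exploit.
package main

import (
	"context"
	"encoding/json"
	"errors"
	"log"
	"net"
	"net/http"
	"os"
	"os/signal"
	"syscall"
	"time"
)

// listenAddr takes the port from the environment so the same image can be
// re-mapped at boot. Binding 0.0.0.0 is deliberate: inside the unikernel the
// process is the whole machine; there is no "inside the container" loopback.
// env is injected so the choice can be tested without touching the real
// environment.
func listenAddr(env func(string) string) string {
	port := env("PORT")
	if port == "" {
		port = "8080"
	}
	return net.JoinHostPort("0.0.0.0", port)
}

// health is what the service can truthfully report about itself. Under a
// unikernel there is no /proc or distro tooling to inspect, so liveness and
// uptime come from the binary.
type health struct {
	Status string `json:"status"`
	Uptime string `json:"uptime"`
}

// newMux wires the two routes: a JSON health endpoint and a plain root.
func newMux(started time.Time) *http.ServeMux {
	mux := http.NewServeMux()
	mux.HandleFunc("/healthz", func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Content-Type", "application/json")
		_ = json.NewEncoder(w).Encode(health{
			Status: "ok",
			Uptime: time.Since(started).Round(time.Second).String(),
		})
	})
	mux.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
		_, _ = w.Write([]byte("hello from a unikernel\n"))
	})
	return mux
}

func main() {
	started := time.Now()
	srv := &http.Server{
		Addr:    listenAddr(os.Getenv),
		Handler: newMux(started),
		// No reverse proxy sits in front of a unikernel by default, so the
		// service bounds slow clients itself.
		ReadHeaderTimeout: 5 * time.Second,
		IdleTimeout:       60 * time.Second,
	}

	// Stop cleanly when the VMM or orchestrator sends SIGTERM.
	ctx, stop := signal.NotifyContext(context.Background(), syscall.SIGTERM, os.Interrupt)
	defer stop()

	go func() {
		log.Printf("listening on %s", srv.Addr)
		if err := srv.ListenAndServe(); err != nil && !errors.Is(err, http.ErrServerClosed) {
			log.Fatal(err)
		}
	}()

	<-ctx.Done()
	shutdownCtx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
	defer cancel()
	_ = srv.Shutdown(shutdownCtx)
}
```

Once built, `kraft run -p 8080:8080 .` in the directory holding the Kraftfile boots the image (port mapping assumed for this example), and `curl http://localhost:8080/healthz` should answer from the unikernel. The same binary also runs as a plain container, which is exactly the property the Dockerfile workflow relies on.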
State and Viability
Regarding maturity: Unikraft is production-ready, actively developed and already used in real deployments, but it remains a specialized approach, not the first tool of choice for every application.
Also worth mentioning are MirageOS (a programming framework for building type-safe, modular systems in OCaml) and Firecracker (secure and fast microVMs for serverless computing).
Unikraft makes Unikernels tangible and shows how performance, security, and efficiency can be taken to a new level. Anyone curious should simply get started – the barrier to entry has never been lower.
Further Explorations
- Getting Started with Unikraft: The official guide for your first steps.
- Unikraft’s GitHub Repository: Explore the source code, examples, and the active development.
- MirageOS Documentation: Dive into the OCaml-based framework for building unikernels.
- Firecracker’s Getting Started Guide: Learn how to deploy secure microVMs.
- The Unikraft Blog: Follow updates, tutorials, and deep dives.