THE DRIVE FOR efficiency in servers is changing the way applications and operating systems interact. The process has accelerated in just the past five years, as server-farm operators have moved on from virtual-machine technology as a way of improving hardware utilization toward even more streamlined options. The work has led as far as the operating system and application being compiled into one block of software and stripping out any unused services to reduce both memory footprint and startup times.

Speaking about a project he and fellow researcher Anil Madhavapeddy worked on to pursue more efficient server software, Richard Mortier, University Lecturer in the University of Cambridge's Computer Laboratory, says: "The original motivation that Anil and I had was that you should be able to write software for the cloud, particularly for network-connected services. But if we were to do that, what would it look like? Related to that was the idea that it should be possible to build software without having to worry about what platform it was targeted for."

[Figure: A container-based virtualization architecture. Chart by Claus Pahl, from "Containerization and the PaaS Cloud." Labels: Cluster, Host node, Container, Service, Volume, Mounted, Link.]
To a limited extent, the move to virtualization provided an answer for the second problem. Virtualization lets completely different operating systems and their associated applications share the same processors on a server blade. A hypervisor manages and schedules the operating systems running within each virtual machine (VM).

The problem with virtualization is that each VM partition calls for a complete installation of the operating system and its support software, even if those partitions run the same versions and differ only in terms of the applications they or the users who own them utilize. The container, an approach popularized by companies such as Docker, removes a lot of this overhead by sharing one operating system image among multiple partitions. Each container only stores the additional services and tasks required by the applications it holds, which can greatly reduce the memory footprint. Runtime also improves because full virtualization demands multiple context switches whenever I/O calls are made. Not only does the operating system need to switch into a supervisor mode to handle I/O, the hypervisor itself forces a switch to a more heavily protected mode in order to service the I/O request.

Studies by Ericsson and IBM have found containers to have little more overhead than a conventional operating system running on bare metal. Virtualized installations imposed a performance penalty for I/O-intensive applications, although improvements in hardware support for virtualization have narrowed the performance gap.

Even as the performance gap has reduced, the growing base of support software that has emerged around Docker and its competitors has bolstered market acceptance of containers. Orchestration software, such as Google's Kubernetes or Apache's Mesos, has given large users of server farms the ability to quickly start containers and to delete them just as rapidly. Chris Aniszczyk, interim executive director of the Cloud Native Computing Foundation and former engineering manager at Twitter, a major user of Mesos, says the average container-based workload at the social-media company ran for just 10 minutes of execution time.

A variety of open source projects have emerged that build on top of orchestration. Services will find the best mixture of hardware for a given group of containers and link them to data stores. Monitoring and logging services ensure the containers run correctly and trigger remedial action if things go wrong. But as the layers of software around orchestration build up, they cause a divergence between development and deployment.

Casey Bisson, director of product management at cloud computing service provider Joyent, says it has become more difficult for developers to emulate an orchestration environment that can greatly affect how containerized applications run when deployed to servers. "We have to make the orchestration software laptop more friendly," he says.

The unikernel architecture developed at the University of Cambridge aims to help solve the problem of achieving platform independence. "Today, we write software that embeds assumptions about the execution platform. If you need to change the platform, at best you need to recompile; worst case, it calls for a rewrite," Mortier says. "One of the concepts behind unikernels is that you are pushing these things into the toolchain."

Mortier says the unikernel borrows from the library operating system and exokernel research of the 1990s. "It should be possible to do better than we are now. If you look at how hardware resources are handled today, you have hardware that's abstracted through a virtual-machine hypervisor. Then it goes through the operating system kernel, the language runtime, and then more libraries on top. You have four or five layers of scheduling all trying to do the same thing. It seems a bit ridiculous," he argues.

The unikernel bakes the application and the operating system into one executable image, removing most of the layers between them. To prepare the unikernel, a compiler analyzes the application for its dependencies so only those parts of the operating system that are needed are incorporated into the image. Mortier says the model provides better security because the unikernel has a much smaller attack surface than a full operating system and its attendant libraries.

Although in many cases the unikernel will run directly on the host processor with no intervening software, proponents envision implementations where multiple unikernels share one processor using hardware-assisted virtualization. The lack of layering and software duplication should make the installation more efficient than traditional techniques.

Bryan Cantrill, chief technology officer of Joyent, argues the restrictions of unikernels are too great to bear, decrying the idea as a move back to the days of single-tasking operating systems such as DOS. The lack of multitasking within the unikernel makes it difficult to run standard debug tools, he says. Mortier points out it is possible to link debug and trace libraries into the executable, and additional tooling is likely to develop to support unikernels.

A further apparent downside of the first generation of unikernels is that they are designed for single languages that use strong typing, such as Haskell and OCaml. Yet unikernel projects such as RumpRun have opened the field to a wider range of languages and software by supporting software that uses the same POSIX interfaces as those provided by operating systems such as BSD. The Cambridge group favored OCaml because it made sense to them to focus on more modern languages for something that potentially can reshape how server-based computing is done. Docker has signaled its willingness to investigate the wider adoption of unikernels through its purchase of Unikernel Systems, a spinout from research at the University of Cambridge.

Mortier says unikernels are unlikely to be used in isolation, but will be aimed at particular jobs where security or performance are most important. "There is an assumption here that everything is networked," he adds.

An experimental installation at the university is divided into microservices provided by a group of networked processors. Conventional containers host services such as MediaWiki, with unikernels used to handle redirection to HTTPS addresses and the Transport Layer Security (TLS) protocol itself. The relatively low overhead of the unikernel software makes it possible to create them for single transactions.

One 2015 experiment on a system called Jitsu reduced boot time to 20ms on an Intel server processor, compared to five seconds for a conventional web server running on a VM. Mortier says the rapid creation and deletion of unikernel-based services could enhance security by moving resources around the network. "There is no stable machine that can be targeted," he claims.

The rapid movement of software and microservices around the network creates its own problems. Midokura systems engineer Cynthia Thomas points to issues such as "traffic tromboning," in which traffic between microservices and their data stores crisscrosses the network many times, making the connections look like the folded pipes in a brass instrument.

The tromboning effect not only increases the response time as perceived by the user, but can cause the address tables in networking equipment to run out of space because of the larger number of live connections they need to maintain between services that previously would have been hosted on a single machine. Support software for orchestration is evolving hand-in-hand with virtual networking software to create dynamic clusters of microservices that make better use of the underlying network hardware.

Although unikernels could improve security at several levels, one po-