Unikernels: injecting the OS into the application

The idea is to inject lightweight, simple applications with a compact, tailored operating system (the unikernel) that provides just enough functionality. By eliminating the need for a separate operating system (OS), the application can be run directly on a virtual computer.

The problem with a general-purpose OS such as Linux or Windows is that it is usually quite heavy - the average OS size is around 2 GB. These OSs were built to support many different applications. Running an application on top of such an OS therefore always means that you have tons of idle software functions doing nothing but wasting resources.

For cloud applications these wasted resources translate into a need for more hardware, more electricity, more cooling and more maintenance - all of which make running your data center more expensive. Furthermore, the large size of those applications means they take longer to load and start up, so you lose agility. All this erodes two of the cloud’s major benefits: efficiency and flexibility.

By contrast, with unikernels the OS injected into an application corresponds exactly to its specific and essential needs. No other resources are wasted. Consequently, unikernel applications are comparatively lightweight and require fewer hosting servers, less processing power, storage and memory space. They are also much faster to get up and running.

Unikernels can also significantly improve application security. Due to their static, watertight nature and sparing use of code, a unikernel’s behavior is very difficult to change. Put simply, unikernel applications are vastly harder to hack into than others.

Unikernels are ideal for load balancing and firewalls

A unikernel’s tiny size, which averages around 8 MB, makes it suitable only for lightweight applications. An ideal scenario is a data center that runs a virtual network on top of it with load balancing and firewalls. In most setups like this, the two applications (or functions) must be executed in many different parts of the network.

Today, these applications are mostly virtualized, which means they still require an OS. That OS comes in addition to the hypervisor, or virtual machine monitor (VMM), that runs the virtual machines.

How unikernels differ from containers

Containers such as Docker create an abstraction that allows you “to contain” an application within it. They are excellent at packaging up an existing application with all of its dependencies. You can then easily spin them up, spin them down and scale out. However, all containers running on the same host share the same OS kernel on top of the hypervisor. In other words, despite being virtual, the traditional stack consisting of application and OS is merely replicated, with all its downsides, including its security and performance implications.