What is a unikernel?
NanoVMs has announced the first unikernel tool for developers that loads any Linux application as a unikernel.
But hang on… what is a unikernel?
The company says that unikernels are unique single process systems that run in a single address space.
Instead of deploying a Linux operating system and then an application on top of it… the application and the operating system become one secure isolated unit.
To run a unikernel system, a developer selects (from a modular stack) the minimal set of libraries which correspond to the OS constructs required for their application to run.
These libraries are compiled with the application and configuration code to build sealed, fixed-purpose images (unikernels) which run directly without the need for an operating system.
Because unikernels are a system with no users, there is no need for usernames or passwords, which are a major contributor to the average data breach.
A system with no shell means no one can remotely log in to the system and start running arbitrary programs on it or, worse, enlist a lowly camera or edge device into a botnet.
NanoVMs Ops
The NanoVMs tool, called “Ops”, requires no complex coding or configuration; a single simple command is enough to execute an application.
The company claims that running an application as a unikernel is beneficial in many ways and can be superior to containers. Unikernels are faster, more secure, smaller and come provisioned as virtual machines, which gives them much greater density.
To drill into this, unikernels embrace a four-point security model:
- No Users
- No Shell
- Single Process System
- Massively Reduced Attack Surface
According to NanoVMs, the fact that unikernels are a single process system is vital to solving cyber security vulnerabilities.
“A traditional multiple process system such as Linux has the inherent capability of running multiple programs concurrently. With single process systems, by design, the system can only run your program, not anyone else’s. This immediately stops a lot of remote code executions,” noted the company, in a press statement.
With Ops, developers need no prior experience or knowledge of how to build unikernels, which [in theory] removes the barriers that may have prevented unikernel use in the past.
Ops can be used to build and run unikernels locally on a laptop — no account needs to be created and there aren’t multiple installations to sit through, just a single download and one command.
“We have numerous software issues that are reaching critical mass – security and cloud efficiency to name a few – and moving from outdated operating system-based applications to a unikernel system could have a radical impact,” said NanoVMs CEO Ian Eyberg. “Unikernels have been challenging to deploy in the past, but with our new Ops tool any developer can immediately begin implementation and reap the benefits.”
NanoVMs will also be offering several premade Ops packages for common programs that users would run, but not necessarily code themselves, in addition to databases and webservers.
Millions of lines of code
As additional background here — a unikernel is usually measured in the tens of thousands of lines of code. Compare that to a bloated system that carries hundreds of printer drivers, USB drivers, audio drivers, etc. that are never used inside a virtual machine. The Linux kernel is around 15M lines of code and 7-9M of that is drivers… and that is just the kernel. The operating system itself can be 50M lines of code on the low end to 200M lines of code on the high end.
A unikernel at the end of the day only needs a handful of drivers – something to talk to the disk, something to talk to the network, a clock and that’s about it. The opportunities for a hacker to hide malicious code in software running on a Linux operating system are almost endless, which is not the case for a minimalistic unikernel.