Unikraft

July 2021

Virtual machines, Containers and Unikernels

Container technology has grown exponentially in recent years. It is considered one of the best methods for packing an application so it can be run with its dependencies. Some of the reasons why developers have adopted this technology to the detriment of virtual machines are that they are lighter, require less space and are faster. But all these advantages, of course, come with a disadvantage, they do no perform so well from a security perspective, as many exploits have proven

Of course, we also have the alternative of virtual machines, they solve most of the security problems from containers having better isolation between the hypervisor and the virtual machines. But one major downside for virtual machines is that they are heavyweight, the resources provided by them are too much for a single application.

A solution to incorporate all the advantages of containers and virtual machines is using unikernels. Unikernels are single address space applications packing all required software components, including those that usually run in the operating systems. Unikernels consists of several internal libraries and the actual application running on top of those.

There are also some downsides that unikernels have, such as lack of flexibility, requires some libraries operating systems to be set up, a different package for each application. Also the lack of debugging tools, these things make them difficult to use in production.

Unikraft

There are several implementations for unikernels, but one of them is Unikraft, a Xen project. Unikraft creates an image of the application together with the internal and external libraries and runs it as a virtual machine with Xen or KVM hypervisors or in Linux user space. Unikraft has a configuration menu in which for each application you can set certain libraries, in this way you can select only what your application needs, thus minimizing the attack area.