How to quickly deploy, run Linux applications as unikernels

Building and deploying lightweight applications is becoming easier and more reliable with the emergence of unikernels. While limited in functionality, unikernels offer real advantages in speed and security.

What are unikernels?

A unikernel is a specialized, single-address-space machine image: the application is linked together with only the kernel components it needs (drivers, I/O routines and support libraries) into one executable that boots directly on a hypervisor, with no general-purpose operating system underneath. The resulting image is small, loads quickly and exposes a much smaller attack surface than a full virtual machine, because nothing else is present to attack. Vendors in this space claim such images often run 10 to 20 times faster than a container; treat that figure as a vendor benchmark rather than a general rule, since the gain depends heavily on the workload.

Would-be attackers cannot drop into a shell and try to gain control because there is no shell. They can’t grab the system’s /etc/passwd or /etc/shadow files because those files don’t exist. Creating a unikernel is much like turning your application into its own OS: the application and the OS become a single entity. You omit what you don’t need, which removes code (and the vulnerabilities in it) and avoids the overhead of a general-purpose kernel. The caveat is the flip side of the same design: everything shares one address space and one privilege level, so a memory-corruption bug in the application is a bug in the whole image, and the application code itself still has to be written and hardened with care.

In short, unikernels:

  • Provide improved security (there is no shell to spawn and no general-purpose OS surface to attack, although bugs in the application itself remain exploitable)
  • Have much smaller footprints than standard cloud apps
  • Carry only the code the application actually needs
  • Boot extremely quickly

Are there any downsides to unikernels?

The main downside of unikernels is that you have to build them, and for many developers that has been a significant hurdle. Trimming an application down to only what it needs and producing a tight, reliably running image is low-level work; until recently you essentially had to be a systems or kernel developer to produce one.

How is this changing?

On March 24, 2019, NanoVMs announced OPS, a tool that loads any Linux application as a unikernel. With OPS, anyone can run a Linux application as a unikernel without additional coding; the company says the result also runs faster, more safely and with less cost and overhead.

What is NanoVMs OPS?

OPS is NanoVMs’ unikernel tool for developers. It lets you run enterprise-class software as unikernels while keeping tight control over how each image works.

Other benefits associated with OPS include:

  • Developers need no prior experience or knowledge to build unikernels.
  • The tool can be used to build and run unikernels locally on a laptop.
  • No account needs to be created; a single download and one command are all that is required to run OPS.

NanoVMs has posted an introductory video on YouTube, maintains a company page on LinkedIn and publishes a page about NanoVMs security on its website.

NanoVMs also publishes getting-started instructions for OPS on its website.
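As an added illustration of the "one download, one command" workflow (this is example code written for this page, not NanoVMs’ own documentation or scripts), the script below checks that an artifact is a Linux ELF binary, writes an OPS config.json for it and hands it to `ops run`. It assumes the `ops` CLI (NanoVMs’ installer lives at https://ops.city/get.sh) and QEMU, which OPS uses for local runs, are on PATH; the application name, port and config values are illustrative, and nothing in the script invokes `ops` unless it is actually installed.

```shell
#!/bin/sh
# Added example, not NanoVMs' own code: package a Linux ELF binary as a
# unikernel with OPS and run it locally. Assumptions: `ops` (installed via
# https://ops.city/get.sh) and QEMU are available for the real run; the app
# name, port and config values below are made up for illustration.
set -eu

# OPS boots Linux ELF executables, so verify the magic bytes before packaging.
# Returns 0 for an ELF file, 1 for anything else (missing file included).
is_elf() {
    [ -f "$1" ] || return 1
    magic=$(head -c 4 "$1" | od -An -tx1 | tr -d ' \n')
    [ "$magic" = "7f454c46" ]
}

# Write the OPS config.json for the app. Args, Env and RunConfig.Ports are
# OPS configuration fields; the values are illustrative. Returns 0 when the
# file was written and contains the port mapping.
write_ops_config() {
    cfg="$1"
    cat > "$cfg" <<'EOF'
{
  "Args": ["--listen", "0.0.0.0:8080"],
  "Env": { "APP_MODE": "production" },
  "RunConfig": { "Ports": ["8080"] }
}
EOF
    grep -q '"Ports"' "$cfg"
}

# Boot the binary as a unikernel: -c points OPS at the config, -p publishes
# the guest port on the host. If ops is not installed, report the command
# that would have run and return 127 instead of failing silently.
run_unikernel() {
    app="$1"; cfg="$2"
    is_elf "$app" || { echo "not an ELF binary: $app" >&2; return 1; }
    if command -v ops >/dev/null 2>&1; then
        ops run -c "$cfg" -p 8080 "$app"
    else
        echo "ops not installed; would run: ops run -c $cfg -p 8080 $app" >&2
        return 127
    fi
}

# Usage (illustrative): compile any Linux program, then hand it to OPS.
#   gcc -O2 -o server server.c
#   write_ops_config config.json && run_unikernel ./server config.json
```

The ELF check matters more than it looks: OPS loads the executable directly into the Nanos image, so a shell script or a wrapper that merely execs the real binary is not a valid input, and catching that before invoking `ops` saves a confusing boot failure.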

Join the Network World communities on Facebook and LinkedIn to comment on topics that are top of mind.