|
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] Re: [MirageOS-devel] Qns about Unikernels/hypervisors/baremetal/security
Hi Michael; On 4 February 2017 at 17:29, Michael Bright <mjbrightfr@xxxxxxxxx> wrote: > ... > I understand that runnings unikernels above a hypervisor such as Xen removes > the need to include h/w device drivers in the unikernel itself. Not just Xen -- the upcoming Mirage3 release will support KVM via Solo5. > For embedded/IoT applications this will be feasible for nodes which have > sufficient compute power to run a hypervisor but I think there is > significant interest in being able to use Unikernels, especially "clean > slate" unikernels on the smaller devices (where I guess you'd have to deal > with manually installed unikernels rather than being able to push images). Cool! If you know of specific cases that have arisen, it would be great if you could provide pointers / details :) > How feasible is running on BareMetal without a hypervisor - for clean-slate, > for legacy unikernels? > If a manufacturer expects to sell 100k devices of a webcam for example, > economies of scale might make writing the necessary drivers for the > associated hardware worthwhile. > Are there examples of baremetal implementations? > Are "legacy" unikernels (rumpkernel, OSv etc) more appropriate for this? > > Mirage can create a linux binary or a Xen compatible VM. > How would you create a bootable image for BM (would you wrap up the "Xen > compatible VM" in some way?) > I guess this wouldn't actually run on any hardware due to lack of drivers, > but they could be provided as Ocaml libraries. In principle, one could provide such a backend for Mirage. I don't believe there are any such currently, though Daniel Buenzli did a PoC demo back in 2015 of booting directly into OCaml on an rPI (B) that might be of interest-- https://github.com/dbuenzli/rpi-boot-ocaml > How can we be sure about the Hypervisor security. > Are there any comparisons of security between Xen, kvm, hyper-v, esxi ? > > I understand that Xen is being optimized to be able to run 1000's of VMs. > How does Xen currently compare with other hypervisors I don't have a direct pointer to any myself, but I'd be surprised if there wasn't literature out there about that sort of thing. > I see we talk about "potential" security improvements - due to less LOC, due > to easier to understand code (because of less LOC). > Are there any studies/figures to support this position? Not that I know of. We did some simplistic numbers for one of the Mirage papers at one point (just using the cloc tool and looking at CVE databases) but I don't think they ever made it into a published paper. It's hard to measure security... Note that some of the security benefits we claim come also from the features of the OCaml language (type-safety etc), not just from the reduction in LOC count. > What Unikernels are actually used in production today? > (deferpanic has a IaaS) I know the Docker-for-{Mac,Windows} products use Mirage unikernel libraries in them; and of course https://mirage.io has been served out of a unikernel for many years now. Others on the list are probably better placed to talk about larger-scale production uses though! Thanks! -- Richard Mortier richard.mortier@xxxxxxxxxxxx _______________________________________________ MirageOS-devel mailing list MirageOS-devel@xxxxxxxxxxxxxxxxxxxx https://lists.xenproject.org/cgi-bin/mailman/listinfo/mirageos-devel
|
 |
Lists.xenproject.org is hosted with RackSpace, monitoring our |