Some heralded Docker's acquisition of UK-based Unikernel Systems last week as the golden dawn of a post-container era. Others showed healthy skepticism.
One person firmly in the latter camp is Bryan Cantrill, who typed up a long blog post on why he believes unikernels are "unfit" for production. Cantrill is chief technology officer of San Francisco-based Joyent, which builds software to manage containers across whole data centers.
You might think the post was a cheeky pop at a rival technology – a container wrangler shooting down a container challenger. But don't forget that Cantrill has been at the coalface of operating system development for decades: he was one of a trio of Sun engineers who created DTrace – the undisputed Rolls-Royce of real-time software debuggers – plus worked on Solaris and QNX.
"I think I’ve been accused of trying to kill off the unikernel," Cantrill told The Reg this week. "I don't have a problem with it per se if it’s an academic exercise or a hobbyist endeavor. They have a right to exist, and it's not that they aren’t fit for any purpose, they're just not fit for production."
Cantrill's main beef with the technology is really in three parts: the first is that unikernels merge the application and the underlying operating system into one entity that shares the same virtual address space. Device drivers become libraries that either call down to a hypervisor, which takes care of controlling the hardware, or interact with the bare metal. The resulting condensed unikernel package cooperates with other unikernels running on the host for resources and processor core time.
Operating systems these days split the applications into what's called user space, and the kernel part that controls the machine (or virtual machine) into kernel space. User space isn't allowed to interfere with kernel space, so misbehaving apps can be reined in, killed, or debugged, without trashing the system. Unikernels do away with this protective separation, meaning a bug in the app logic could blow away the whole package – or the whole device – forcing it to be restarted.
Cantrill likened this lack of privilege separation to the bad old days of microcomputers that ran simple operating systems that gave full control of the hardware to software programs.
"This separation is a fundamental principle, the hallmark of a reliable and secure operating system," he told us. "We've had this technology for three decades, and it seems some are willing to give that up and send us back to the DOS era.
"When we ran DOS on our computers, mysteries happened all the time – and it's because the programs misbehaved. Those of us who lived in that era don't want progress to run backwards."
His second main problem with unikernels is related to the above: the inability to easily debug broken code because of the primitive environment in which the software is running. Cantrill blogged:
From a debugging perspective, to say this is primitive understates it: this isn’t paleolithic — it is precambrian.
As one who has spent my career developing production systems and the tooling to debug them, I find the implicit denial of debugging production systems to be galling, and symptomatic of a deeper malaise among unikernel proponents: total lack of operational empathy.
His third main beef is the lack of classic Unix processes: unikernels follow a one process, one app model, so if your program expects to
fork(), it'll have to fork off. Some unikernel implementations mitigate the aforementioned problems by requiring software to be written in type-safe languages like OCaml, Erlang or Haskell, which not everyone knows and certainly not every application is written in them.
"I'm of a generation that didn’t understand what a robust OS could be until I got to university," said Cantrill, explaining how he discovered Unix-flavored systems at college.
"That era of microcomputers was terrible. I fear we now have a generation romanticizing about that history or ignoring it, and not taking for granted the robustness they grew up on.
"My children's Chromebooks have Unix, they were born with Unix, I have Unix on my phone – and that’s amazing. It means if there's a bad application, its failures are contained, and the machine continues. I'm deeply disturbed that people are advocating discarding this protection."
The team at Unikernel Systems includes former Xen hypervisor engineers, who believe unikernels will provide fast-to-start lightweight secure services that can be managed efficiently using Docker-like tools. While welcoming Unikernel Systems to Docker, Mano Marks, director of developer relations at the container upstart, noted that "unikernels are an important part of the future of the container ecosystem." ®