uIO: Lightweight and Extensible Unikernels
Oct 21, 2024
Masanori Misono
Peter Okelmann
Charalampos Mainas
Pramod Bhatotia
Abstract
Unikernels specialize operating systems by tailoring the kernel for a specific application at compile time.
While the specialized library OS approach provides a smaller OS image—thus improving the bootup process, performance, migration costs, and reliable/trusted computing base—at the same time, unikernels lack run-time extensibility, which is imperative to support “on-demand” auxiliary tasks and tools, e.g., debugging, monitoring, re-configuration, and system management and deployment in a typical cloud environment.
Consequently, unikernels present a fundamental trade-off between slimness of the OS image size at the compile time vs. flexibility of supported auxiliary functionality at the run-time.
This work strives to balance this trade-off by keeping the unikernel system image as minimal as possible to solely support the application functionality in the “common case”, while providing “on-demand” extensibility for auxiliary tasks at run-time.
The key challenge is to support run-time extensibility through a generic interface in a safe manner.
To this end, the paper presents uIO—a “safe overlay” abstraction to provide runtime extensibility in unikernels, while maintaining the unikernel benefits.
In particular, uIO leverages a generic VirtIO-based interface to provide an overlay for auxiliary programs, i.e., users can load external programs into the unikernels’ address space and run them, i.e., “on-demand” extensibility through a generic file system interface.
To provide safe execution within an overlay, uIO provides isolation mechanisms leveraging hardware-assisted memory isolation (MPK) and language-runtime-based execution (eBPF).
We implement a prototype of uIO based on Unikraft and demonstrate its applicability to support a range of auxiliary use cases.
uIO incurs negligible performance overheads for application execution in the common case while providing run-time extensibility to support auxiliary use cases.
Publication
In SoCC'24, ACM Symposium on Cloud Computing