Porting Linux to Nabla Containers August 22, 2020 Container Runtime Meetup #2 @retrage

What’s Solo5 Run unikernels as user processes • A sandboxed execution environment for unikernels[9][10] • Provides only 13 public APIs for portability and reducing attack surface • Supports various hosts: • hvt, muen, genode, virtio • spt: Linux User Process (x86_64, aarch64, ppc64le) • Uses seccomp to limit syscalls

Nabla Containers • Container runtime built on the top of Solo5 • The runtime is just a wrapper • Creating a unikernel image from a container image • Setting up a network device • See the paper[1]

Nabla Containers need Linux • Unikernels ported to Nabla Containers (Solo5): • Rumprun[2]: NetBSD based • MirageOS[3]: Written in OCaml • IncludeOS[4]: Written in C++ • Unikraft[5]: Customizable unikernel • No Linux compatibility

LKL Nabla Linux Kernel Library on Nabla Containers • Porting LKL/musl to Solo5/Nabla • Provides *real* Linux compatibility to Nabla Containers • Supports several applications: • Nginx, Python3 and Redis • For more details, see: • https://dev.to/retrage/porting-linux-to-nabla-containers-j3

LKL Nabla Internals • Add Solo5 platform support • The platform code must have 24 Linux syscall style interfaces • Implement using Solo5 APIs • See: https://dev.to/retrage/ linux-kernel-library-nabla- containers-internals-55eh Frankenlibc Layers Application musl libc Linux kernel librumpuser franken platform Host

Running Python3 on LKL Nabla

Performance: Startup Time LKL Nabla is as good as NetBSD Nabla

Related Work Isolation is still matter • Unikernel Linux[6] • Replacing syscalls with normal function calls • It results performance improvement • Lupine Linux[7] • Adding unikernel features to Linux kernel • Can run unmodified Linux applications • Nabla Linux[8] • User Mode Linux + seccomp

Summary • Solo5 is a sandbox for unikernels • Nabla Containers leverage user process unikernels on the top of Solo5 • Existing Nabla unikernels do not have Linux compatibility • LKL Nabla: • Runs practical applications like Python3 • Advantages: Isolation and Linux compatibility • The performance is as good as NetBSD Nabla

Source Code and Blog Posts • Source Code: • https://github.com/retrage/frankenlibc/tree/solo5 • https://github.com/retrage/runnc/tree/lkl-musl • https://github.com/retrage/lkl-nabla-base-build • Blog Posts: • https://dev.to/retrage/porting-linux-to-nabla-containers-j3 • https://dev.to/retrage/linux-kernel-library-nabla-containers- internals-55eh

References • [1] D. Williams, R. Koller, M. Lucina, and N. Prakash, “Unikernels as Processes,” in ACM Symposium on Cloud Computing, 2018, pp. 199–211. • [2] https://github.com/rumpkernel/rumprun • [3] https://github.com/mirage/mirage • [4] https://github.com/includeos/IncludeOS • [5] https://github.com/unikraft/plat-solo5 • [6] A. Raza et al., “Unikernels : The Next Stage of Linux ’ s Dominance,” in HotOS ’19, 2019, pp. 7–13. • [7] H.Kuo et al., “A Link in unikernel clothing,” in EuroSys ’20, 2020, pp. 1-15. • [8] https://github.com/nabla-containers/nabla-linux • [9] https://github.com/Solo5/solo5 • [10] D. Williams, R. Koller, “Unikernel Monitors: Extending Minimalism Outside of the Box,” in HotCloud ’16, 2016

Appendix

frankenlibc platform Interface _exit() Mandatory kill() clock_getres() clock_gettime() clock_nanosleep() poll() getpagesize() lseek() mmap() munmap() pread()/preadv()/read()/readv() pwrite()/pwritev()/write()/writev() fcntl()/fstat()/fsync() Optional getrandom() mprotect()

Solo5 Public APIs Exit/Abort solo5_exit() solo5_abort() Thread Local Storage solo5_set_tls_base() Clock solo5_clock_monotonic() solo5_clock_wall() Yield solo5_yield() Console solo5_console_write() Network solo5_net_acquire() solo5_net_write() solo5_net_read() Block Device solo5_block_acquire() solo5_block_write() solo5_block_read()

frankenlibc platform to Solo5 API Mapping solo5_exit() solo5_abort() solo5_set_tls_base() solo5_clock_monotonic() solo5_clock_wall() solo5_yield() solo5_console_write() solo5_net_acquire() solo5_net_write() solo5_net_read() solo5_block_acquire() solo5_block_write() solo5_block_read() _exit() kill() clock_getres() clock_gettime() clock_nanosleep() poll() getpagesize() lseek() mmap() munmap() pread()/preadv()/read()/readv() pwrite()/pwritev()/write()/writev()