Porting Linux to Nabla Containers

Transcript

1. Porting Linux to Nabla Containers August 22, 2020 Container Runtime

   Meetup #2 @retrage

2. What’s Solo5 Run unikernels as user processes • A sandboxed

   execution environment for unikernels[9][10] • Provides only 13 public APIs for portability and reducing attack surface • Supports various hosts: • hvt, muen, genode, virtio • spt: Linux User Process (x86_64, aarch64, ppc64le) • Uses seccomp to limit syscalls

3. Nabla Containers • Container runtime built on the top of

   Solo5 • The runtime is just a wrapper • Creating a unikernel image from a container image • Setting up a network device • See the paper[1]

4. Nabla Containers need Linux • Unikernels ported to Nabla Containers

   (Solo5): • Rumprun[2]: NetBSD based • MirageOS[3]: Written in OCaml • IncludeOS[4]: Written in C++ • Unikraft[5]: Customizable unikernel • No Linux compatibility

5. LKL Nabla Linux Kernel Library on Nabla Containers • Porting

   LKL/musl to Solo5/Nabla • Provides *real* Linux compatibility to Nabla Containers • Supports several applications: • Nginx, Python3 and Redis • For more details, see: • https://dev.to/retrage/porting-linux-to-nabla-containers-j3

6. LKL Nabla Internals • Add Solo5 platform support • The

   platform code must have 24 Linux syscall style interfaces • Implement using Solo5 APIs • See: https://dev.to/retrage/ linux-kernel-library-nabla- containers-internals-55eh Frankenlibc Layers Application musl libc Linux kernel librumpuser franken platform Host

7. Running Python3 on LKL Nabla

8. Performance: Startup Time LKL Nabla is as good as NetBSD

   Nabla

9. Related Work Isolation is still matter • Unikernel Linux[6] •

   Replacing syscalls with normal function calls • It results performance improvement • Lupine Linux[7] • Adding unikernel features to Linux kernel • Can run unmodified Linux applications • Nabla Linux[8] • User Mode Linux + seccomp

10. Summary • Solo5 is a sandbox for unikernels • Nabla

    Containers leverage user process unikernels on the top of Solo5 • Existing Nabla unikernels do not have Linux compatibility • LKL Nabla: • Runs practical applications like Python3 • Advantages: Isolation and Linux compatibility • The performance is as good as NetBSD Nabla

11. Source Code and Blog Posts • Source Code: • https://github.com/retrage/frankenlibc/tree/solo5

    • https://github.com/retrage/runnc/tree/lkl-musl • https://github.com/retrage/lkl-nabla-base-build • Blog Posts: • https://dev.to/retrage/porting-linux-to-nabla-containers-j3 • https://dev.to/retrage/linux-kernel-library-nabla-containers- internals-55eh

12. References • [1] D. Williams, R. Koller, M. Lucina, and

    N. Prakash, “Unikernels as Processes,” in ACM Symposium on Cloud Computing, 2018, pp. 199–211. • [2] https://github.com/rumpkernel/rumprun • [3] https://github.com/mirage/mirage • [4] https://github.com/includeos/IncludeOS • [5] https://github.com/unikraft/plat-solo5 • [6] A. Raza et al., “Unikernels : The Next Stage of Linux ’ s Dominance,” in HotOS ’19, 2019, pp. 7–13. • [7] H.Kuo et al., “A Link in unikernel clothing,” in EuroSys ’20, 2020, pp. 1-15. • [8] https://github.com/nabla-containers/nabla-linux • [9] https://github.com/Solo5/solo5 • [10] D. Williams, R. Koller, “Unikernel Monitors: Extending Minimalism Outside of the Box,” in HotCloud ’16, 2016

13. Appendix

14. frankenlibc platform Interface _exit() Mandatory kill() clock_getres() clock_gettime() clock_nanosleep() poll()

    getpagesize() lseek() mmap() munmap() pread()/preadv()/read()/readv() pwrite()/pwritev()/write()/writev() fcntl()/fstat()/fsync() Optional getrandom() mprotect()

15. Solo5 Public APIs Exit/Abort solo5_exit() solo5_abort() Thread Local Storage solo5_set_tls_base()

    Clock solo5_clock_monotonic() solo5_clock_wall() Yield solo5_yield() Console solo5_console_write() Network solo5_net_acquire() solo5_net_write() solo5_net_read() Block Device solo5_block_acquire() solo5_block_write() solo5_block_read()

16. frankenlibc platform to Solo5 API Mapping solo5_exit() solo5_abort() solo5_set_tls_base() solo5_clock_monotonic()

    solo5_clock_wall() solo5_yield() solo5_console_write() solo5_net_acquire() solo5_net_write() solo5_net_read() solo5_block_acquire() solo5_block_write() solo5_block_read() _exit() kill() clock_getres() clock_gettime() clock_nanosleep() poll() getpagesize() lseek() mmap() munmap() pread()/preadv()/read()/readv() pwrite()/pwritev()/write()/writev()