Virtual machines (VMs) are a common and established technique for isolating a guest from the host operating system. They are typically designed to run common operating systems such as Windows and Linux as guests. Consequently, they emulate a virtual PC with support for interfaces developed over decades (e.g. PCI, ACPI). This legacy support increases both the boot time and the memory footprint of such virtual machines.
Projects like Firecracker, Solo5 and QEMU’s microVM platform have established a minimalist machine type without any PCI or ACPI support. Such microVMs also establish a baseline for benchmarking and optimizing both QEMU and guest operating systems, since they are optimized for both boot time and footprint. In combination with unikernels, the overhead and the attack surface can be reduced even further. The assumption here is that less source code in the implementation of the microVM and of the guest operating system also reduces the likelihood of security issues.
In the meantime, container runtimes like Kata Containers integrate microVMs seamlessly into a container ecosystem. By using such runtimes, Kubernetes is able to deploy microVMs and benefit from their stronger isolation. Our evaluation of starting 800 web services shows that deploying microVMs does not increase the overhead in comparison to common container runtimes like runc. For this evaluation, we wrote our own container runtime and combined it with a microVM. We want to use this combination as the base for developing a secure edge runtime. The strong isolation reduces the possibility of security issues, while the reduction of overhead increases the scalability of the IoT-NGIN framework.
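To make concrete how Kubernetes hands a workload to a microVM-backed runtime such as Kata Containers, the following added example (not part of the original text or the IoT-NGIN runtime) defines a RuntimeClass and a Pod that requests it. The handler name `kata`, the class name `kata-microvm`, the overhead values and the image are assumptions chosen for illustration and must match what is configured on the node.

```yaml
# RuntimeClass: maps a Kubernetes handler name to the microVM runtime that the
# node's CRI (containerd or CRI-O) has configured. The handler string "kata"
# is an assumption; it has to match the node's runtime configuration.
apiVersion: node.k8s.io/v1
kind: RuntimeClass
metadata:
  name: kata-microvm          # hypothetical class name used by the Pod below
handler: kata                 # assumed handler name configured on the node
# Per-Pod resource overhead accounts for the VM itself (guest kernel, VMM),
# so the scheduler sees the real footprint; the numbers are placeholders.
overhead:
  podFixed:
    memory: "160Mi"
    cpu: "250m"
---
# Pod: requesting the RuntimeClass above moves the containers out of the
# shared host kernel and into a dedicated microVM with its own guest kernel.
apiVersion: v1
kind: Pod
metadata:
  name: web-service           # constructed name for this example
spec:
  runtimeClassName: kata-microvm
  containers:
  - name: web
    image: nginx:stable       # placeholder image standing in for a web service
    ports:
    - containerPort: 80
```

Without the `runtimeClassName` field the same Pod is started by the default runtime (e.g. runc) and shares the host kernel, so the field is the single switch that selects VM isolation per workload.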
Summary of benefits:
- A reduction of the memory footprint enables a high density of microVMs to be packed on each server and implicitly increases the scalability for cloud providers.
- VMs provide stronger isolation in comparison to container technologies. In addition, microVMs are based on a minimal device model that excludes all non-essential functionality and reduces the attack surface of the VM.
- A minimal device model also accelerates the boot time of the kernel and enables a new kind of event-triggered service with a small runtime. These VMs are an ideal base for serverless computing.
In IoT-NGIN, we will further investigate the use of microVMs for our own unikernel, RustyHermit. We assume that the combination of these technologies takes us further toward the goal of enhancing today’s cloud and edge computing with more secure and lightweight technologies.