container network flows (current bandwidth and direction) across Kubernetes and Docker Swarm nodes.
Bandwidth test - Test throughput (performance) of each type of container network (compare network drivers).
Choose wisely - Be aware of the cost of overlay convenience. Avoid MAC address overload in underlays.
[Diagram: layered stack of a containerized application on a virtual machine - Hardware, Hardware Drivers, Hypervisor, Virtual Hardware Drivers, OS Kernel, OS User Processes, Docker Runtime, Application]
Inefficient: Long startup times. Designed for many users, running many processes. Hardware has evolved. Package managers pull in many unneeded packages. Decades of backwards compatibility.
of unused applications, services and drivers lying around.
Unikernels, by Russell Pavlicek (free ebook)
Unikernels: Security, Other Issues - @lcalcote
Lee Calcote and Idit Levine, "How Unikernels Can Better Defend against DDoS Attacks"
[Diagram: library stack of a typical application - gtk, iconv, libgmp, libz, libstdc++, libgcc, libc, kernel, libtls, application]
A unikernel is a way of cross-compiling (existing) applications down to a very small, lightweight, secure virtual machine.
around.
Many attack vectors closed - simply not present. Only use libraries specific to your application. Produce a single-process, single-address-space image.
Security by default - not necessarily policy that will be defined later.
Unikernels cannot handle multiple processes, so forking is not allowed. Unikernels can handle threads. They are single user, but who needs multiple users? Data can be statically linked into the application. Immutable infrastructure (enforced).
Akin to how Docker builds and deploys containers. Automates compilation of popular languages (C/C++, Golang, Java, Node.js, Python) into unikernels. Deploys unikernels as virtual machines on many virtualization platforms. Incorporates work from a number of unikernel projects. A young project (~9 months old from announcement).