
Unikernels vs. containers: See the lightweight championship fight

The drive to minimize app hosting resources yielded unikernels and containers, the IT equivalent of a tiny house and apartment. Containing only the barest essentials, unikernels pose unique benefits and challenges.

Although both aim to make computing more responsive and less resource-intensive, unikernels and containers differ fundamentally in how they are built and run.

Containers are a form of OS-level virtualization that greatly reduces overhead by packaging just the application and its dependencies, such as libraries and frameworks, on top of a shared host OS kernel. In essence, containerization is virtualization lite: many isolated workloads share one kernel rather than each carrying a full OS instance.

Unikernels are akin to a shrunken container, but the big difference is that containers require and depend on a normal host OS, and unikernels do not. A unikernel contains only what is necessary for one specific function: the application code, linked with the minimum OS functionality the application needs, such as a network stack, drivers and memory management. This single, self-contained image runs directly on a hypervisor or on bare metal, with no general-purpose OS underneath it.

Unikernels are arguably the more radical of the two. Containers have the IT industry's attention, but unikernels offer important advantages for some purposes. For example, the completely hermetic approach makes unikernels useful in internet of things (IoT) devices, where processing power and storage are in short supply. It is therefore helpful to understand the differences and strengths of each.

Adoption trend for unikernels vs. containers

Some industry watchers say that containerization makes unikernels unnecessary, given the functional overlap. It's not so simple. Containers are probably the more mature technology going into 2018, and they are relatively easy to debug and deploy. Unikernels, however, offer more utility for specific applications.


Unikernels are well suited to lightweight computing devices, where running a full OS is suboptimal. IoT is the archetypal example. "It's not coincidental that many major container players are not currently focusing heavily on IoT, since containers leverage an underlying host operating system," said one unikernel expert, who requested anonymity due to employer policies.

"As a technology, I believe that unikernels could be promising," said Ashish Nadkarni, analyst at IDC. However, in his view, a combination of market developments is, in effect, conspiring to shrink the space available to unikernels alongside containers. Containers have already enjoyed success, and the container leaders are focused on improving that technology. Docker, one of the major forces in the container market, acquired startup Unikernel Systems in 2016. Since then, there has been silence. "You would think a company like that with an important acquisition would be marching toward some kind of position on the technology, and perhaps a product," Nadkarni said. But Docker has bigger fish to fry in an increasingly fragmented container market, he said. Given the extensive commitment many organizations have already made to containers, unikernels may end up absorbed into that market as an additive technology that addresses specific needs.

But others see an even wider potential for unikernels. "Unikernels [are] not a niche technology; it is the opposite," said Ian Eyberg, founder at DeferPanic, which offers unikernel-based cloud infrastructure. The efficiency created by essentially merging a single app and the relevant parts of a host OS into one entity offers many practical advantages, he said, although he admits "this concept is pretty foreign to a lot of people." The push and pull between multifunctional host OSes, as used by containers, and a single-purpose app-plus-OS image, as in unikernels, is not new. In the 1960s and 1970s, organizations needed a way for many people to run many programs on the same expensive computer. That demand led to multiprocess, time-sharing OSes, a capability found in every modern computer. However, Eyberg noted, in many server-oriented environments there are performance and management advantages to isolating each program in its own instance rather than sharing one general-purpose OS.

In the 2010s, even a virtualized server carries a lot of overhead in some scenarios: a whole toolkit of capabilities the task or application never uses. The unikernel approach, versus containers, looks for ways to get the same job done with the smallest possible amount of code, minus a traditional host machine and OS, Eyberg said. That small size is potentially more secure, thanks to a smaller attack surface: there is no shell, no package manager and no unused drivers or services left for an attacker to reach. The caveat a practitioner should weigh is that most unikernels run everything in a single address space, without the user/kernel privilege separation of a conventional OS, so a memory-safety bug in any linked component compromises the whole image, and isolation between workloads rests entirely on the hypervisor. Security is also an argument made for container deployment, with the corresponding caveat that every container on a host shares that host's kernel, so a kernel vulnerability is a breakout risk for all of them.

The cloud deployment argument

Containers and public cloud are a natural fit, with the major cloud vendors hosting Docker and offering container orchestration services. Although some public clouds, such as Amazon Web Services (AWS), provide bare-metal server offerings, opening up the potential to host unikernels, Eyberg believes their proprietary attributes will not be a good fit. Just as critically, public cloud pricing is based on units of consumption, such as gigabytes, that are oversized by unikernel standards.

"The average unikernel volume size is just 20 MBs, which doesn't fit with the usual unit of planning in AWS," Eyberg said. And even smaller size requirements are possible -- down to the multi-kilobyte range.

Other challenges factor into slow unikernel adoption, according to Edwin Yuen, analyst at Enterprise Strategy Group. "We haven't seen significant traction in unikernels yet, primarily because there isn't a universal library to build them with," he said. Containers are more broadly applicable than unikernels, he said, because the user can concentrate on managing containers and the application inside them, running on any compatible version of Linux or Windows.

Containers and unikernels are certainly not mutually exclusive, Yuen said. Furthermore, they may not be the only two ways to address the problem of overhead. "VMs have room for improvement, too, and developments there could potentially reduce the need for either containers or unikernels," Yuen said. "There has been talk before about slimming down virtual machines to achieve the same performance goal," he noted. Ultimately, many existing and emerging business workloads need the boot performance of a megabyte-sized image, measured in seconds or milliseconds, rather than the many seconds or even minutes needed to spin up VMs with bigger images, he explained.

In a cloud world, where most enterprises weighing unikernels vs. containers choose containers, the unified app-and-OS concept has less general relevance, said Stephen Hendrick, research director at Enterprise Management Associates. However, he added, "for dedicated small-footprint applications in IoT, unikernels are a perfect fit."

This was last published in February 2018


Will unikernels become mainstream in the next five years?
I think the whole idea of pitting unikernels vs containers isn't fruitful. Unikernels solve a much broader set of problems as opposed to containers.

Containers are excellent at packaging up an existing application with all its dependencies. You can then easily spin them up, down and scale out.

Unikernels, on the other hand, merge the application with the operating system kernel. You can of course merge the language runtime (python, Node) with the kernel and you could then have something akin to a container. However, the tooling needed to do this very specific task isn't there yet.

Currently, unikernels can add value in creating these small, fast and ultra-scalable services that operate further down the stack compared to a container.

So services like load balancing, firewalling, etc., are perfect candidates. A unikernel firewall could be deployed with as little as 8 megabytes of memory and outperform Linux by a significant margin. IncludeOS has production deployments in this market, so we know that the technology can deliver.

We've also seen interest in CPU-based IoT, where the security model of Linux and its significant footprint won't do it any favors. But getting traction here will naturally be hard, and challenging Linux is never easy.

Down the line we could very likely see unikernels picking up the challenge and taking on containers, adding efficiency, elasticity and security as the main selling points. But as of summer 2018 the tooling doesn't exist yet. Once it exists, I think the first we'll see of the unikernels will be on the back end as a container-like service for serverless functions. The gains there are huge, and with boot times in the low milliseconds they can seriously challenge containers.