Tags: docker, xen, halvm, unikernel

Docker Container compared with Unikernel


I recently deployed a tiny Haskell app with Docker, using "scratch-haskell" as a base image.

Then I read about Unikernels and HALVM. And I got a little confused.

My Docker container is about 6 MB in size. A unikernel (with the same Haskell app) would be roughly the same size, I guess.

The unikernel runs directly on the Xen hypervisor, whereas the Docker image (or LXC containers in general) runs on a normal Linux distribution, which runs on bare metal.

Now I have the "choice" of running Linux with multiple minimal containers OR a Xen machine with multiple small unikernels.

But what are the advantages and disadvantages of those two solutions? Is one more secure than the other? And are there any significant performance differences between them?


Solution

  • From http://wiki.xenproject.org/wiki/Unikernels:

    What do Unikernels Provide?

    Unikernels normally generate a singular runtime environment meant to enable single applications built solely with that environment. Generally, this environment lacks the ability to spawn subprocesses, execute shell commands, create multiple threads, or fork processes. Instead, they provide a pure incarnation of the language runtime targeted, be it OCaml, Haskell, Java, Erlang, or some other environment.

    Unikernels Versus Linux Containers

    Much has been made recently of the advantages of Linux Container solutions over traditional VMs. It is said by container advocates that their lightweight memory footprint, quick boot time, and ease of packaging makes containers the future of virtualization. While these aspects of containers are certainly notable, they do not spell the end of the world of the hypervisor. In fact, Unikernels may reduce the long-term usefulness of containers.

    Unikernels facilitate the very same desirable attributes described by the container proponents, with the addition of an absolutely splendid security story which few other solutions can match.

    So if you just want to run a Haskell application, Unikernels may work for you, and they should have even less overhead than Docker (and Docker overhead is very small anyway), but if your application needs a prepared environment or needs to communicate with non-Unikernel software, Docker is a better choice. I guess it is too early to say whether Unikernels will be useful or widespread or not; only time will tell.
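The minimal-container side of this comparison, as an added example that is not from the question or the Xen wiki: a multi-stage Dockerfile that assumes a single-file app `hello.hs` and the official `haskell` builder image, and produces a `scratch` image with no shell, libc or package manager, which is the closest a container gets to the unikernel's "no shell commands" property while still sharing the host kernel.

```dockerfile
# Stage 1: build a statically linked binary.
# Assumptions: the app is hello.hs with a main, and the official haskell image
# provides ghc; -optl-static / -optl-pthread are passed through to the linker.
FROM haskell:9.4 AS build
WORKDIR /src
COPY hello.hs .
RUN ghc -O2 -optl-static -optl-pthread hello.hs -o hello

# Stage 2: final image from scratch, so it contains only the binary.
# There is no /bin/sh, no package manager and no libc to pick up, which is the
# container-side analogue of the wiki's "lacks the ability to execute shell
# commands" property.
FROM scratch
# scratch has no /etc/passwd, so use a numeric unprivileged UID/GID.
USER 65534:65534
COPY --from=build /src/hello /hello
ENTRYPOINT ["/hello"]
# What this does NOT change: the process still runs on the host's Linux kernel
# and its system-call surface, which is the isolation gap a Xen unikernel
# closes by running on the hypervisor instead.
```

Running the result with `docker run --read-only --cap-drop=ALL --security-opt=no-new-privileges <image>` trims most of the remaining in-kernel privilege a shell-less container would otherwise still carry.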