
I've been reading a lot about Docker containers and Unikernels and how to run lightweight environments with my own applications.

I understand that Linux containers and Unikernels are different things, as the first are implementations of kernel features (such as namespaces, cgroups, etc.) sharing resources with the host's OS, and the latter are independent specialised library operating systems built around applications.

But then I've stumbled upon Alpine Linux-derived images on Docker Hub. They are very lightweight and very specialized. But do they run around the same LXC/runc features?

Is it possible to run a unikernel under a hypervisor implementation using Docker?

What is the difference between Alpine images and the others?

Rogério Peixoto

2 Answers


I am not very familiar with unikernels but I can try to answer your last question:

Most Docker images are based on Ubuntu; the main difference is the size of the image: while an Ubuntu image is 183MB, an Alpine image is only 4,5MB.

Therefore Alpine has a lower attack surface and is designed for security; see here: http://www.alpinelinux.org/about/

Alpine Linux was designed with security in mind

The Alpine Linux images run on the same LXC/runc features, I think.

Botz
    From the looks of it I guess they are two distinct things. Alpine is a lightweight operating system and unikernels are single purpose library operating systems. – Rogério Peixoto Jun 27 '16 at 03:25

Alpine is not a unikernel. It is a Linux distribution and I disagree that it was designed with security in mind.

It has had multiple issues (including no passwords for root):

https://blog.qualys.com/technology/2019/06/11/alpine-docker-image-vulnerability-cve-2019-5021-how-to-detect-and-fix

Unikernels can be characterized by the fact that they are single process by design. What this means is that you quite literally can't fork/exec a new program. Alpine being linux doesn't fit that rule.

Further - Docker is not a hypervisor. It can make use of something like HVF on OS X or KVM on Linux but in most cases it doesn't. Why? Because most docker containers that are pushed to production wind up living on Linux VMs in the public cloud. Running another VM on top of an existing one has a serious performance tax so very few people do it out of choice.

Unikernels on the other hand can be deployed as their own AMI with no underlying linux. This also separates them from small linux distributions such as Alpine.

There are many more differences (like the lack of a user, or the lack of a shell, etc.) but in general no, Alpine is not a unikernel and doesn't have any of the advantages of a unikernel.

eyberg
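As an added example (not part of the question or either answer), a small POSIX shell check for the empty-root-password condition in the CVE-2019-5021 advisory linked above: it reads a copy of an image's /etc/shadow, reports whether the root entry has an empty password field, and applies the locked-account form (`!` in that field). The file paths and the sample shadow line are constructed; the condition matching the advisory is an assumption drawn from the linked write-up.

```shell
#!/bin/sh
# Added example: detect and fix an empty root password field in a shadow file.
# Not code from the question or the answers; paths and samples are constructed.

# Return 0 (true) only if a root entry exists and its password field is empty.
# An empty second field means no password is needed to become root.
root_has_empty_password() {
    shadow_file="$1"
    line=$(grep '^root:' "$shadow_file" | head -n 1)
    [ -n "$line" ] || return 1          # no root entry: nothing to report
    pwfield=$(printf '%s\n' "$line" | cut -d: -f2)
    [ -z "$pwfield" ]
}

# Lock the root account by putting "!" in the empty password field, the same
# locked form that a shadow file shows after the account is locked.
# Written via a temp file so it works with both GNU and BSD sed.
lock_root_password() {
    shadow_file="$1"
    tmp="${shadow_file}.tmp"
    sed 's/^root::/root:!:/' "$shadow_file" > "$tmp" && mv "$tmp" "$shadow_file"
}

# Constructed sample resembling an affected image's /etc/shadow (assumption).
make_sample_shadow() {
    out="$1"
    printf 'root::0:0:::::\nbin:!::0:::::\n' > "$out"
}

# Stand-alone demonstration on a temporary copy.
demo_dir=$(mktemp -d)
make_sample_shadow "$demo_dir/shadow"
if root_has_empty_password "$demo_dir/shadow"; then
    echo "root has an empty password field: locking"
    lock_root_password "$demo_dir/shadow"
fi
root_has_empty_password "$demo_dir/shadow" || echo "root is now locked"
rm -rf "$demo_dir"
```

To check a real image, export its shadow file first (for example `docker run --rm IMAGE cat /etc/shadow > shadow.txt`) and pass that path to `root_has_empty_password`.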