Are Unikernels Ready for Serverless on the Edge?

Felix Moebius, Tobias Pfandzelter, David Bermbach

TL;DR

The paper investigates whether Linux-compatible unikernels can serve as effective sandboxes for edge Functions-as-a-Service (FaaS) workloads by comparing Nanos and OSv against Firecracker microVMs, Docker containers, and gVisor. Through a single-node FaaS experiment harness, the study evaluates cold-start latency, burst starts, idle behavior, CPU/memory performance, network I/O, and file system performance for Go and Node.js functions. Results show unikernels offer notably faster cold starts and favorable CPU/memory trade-offs in several metrics, but suffer from stability concerns and higher idle-resource usage relative to mature Linux-based sandboxes. The findings suggest unikernels are a viable research direction for edge isolation, with practical impact in reducing footprint and startup latency, provided maturity and usability improvements accompany further optimization and language-specific adaptations.

Abstract

Function-as-a-Service (FaaS) is a promising edge computing execution model but requires secure sandboxing mechanisms to isolate workloads from multiple tenants on constrained infrastructure. Although Docker containers are lightweight and popular in open-source FaaS platforms, they are generally considered insufficient for executing untrusted code and providing sandbox isolation. Commercial cloud FaaS platforms thus rely on Linux microVMs or hardened container runtimes, which are secure but come with a higher resource footprint. Unikernels combine application code and limited operating system primitives into a single-purpose appliance, reducing the footprint of an application and its sandbox while providing full Linux compatibility. In this paper, we study the suitability of unikernels as an edge FaaS execution environment using the Nanos and OSv unikernel tool chains. We compare performance along several metrics such as cold start overhead and idle footprint against sandboxes such as Firecracker Linux microVMs, Docker containers, and secure gVisor containers. We find that unikernels exhibit desirable cold start performance, yet lag behind Linux microVMs in stability. Nevertheless, we show that unikernels are a promising candidate for further research on Linux-compatible FaaS isolation.

Paper Structure (28 sections, 13 figures)

This paper contains 28 sections, 13 figures.

Figures (13)

  • Figure 1: Application Service Isolation Mechanisms
  • Figure 2: The FaaS sandbox experiment harness can route requests to runc, runsc, or Linux and unikernel microVM workers that are created by a dispatching component.
  • Figure 3: Mean time for single cold starts in different execution environments (whiskers show 95th percentile confidence interval)
  • Figure 4: Mean cold start time for $n$ concurrent starts
  • Figure 5: Millions of instructions executed to instantiate a function instance in different execution environments
  • ...and 8 more figures