HermiTux: a binary unikernel compatible with Linux applications


A group of researchers from Virginia Polytechnic University (USA), Qualcomm and Aachen Rhine-Westphalia Technical University (Germany) is developing HermiTux, a lightweight kernel that follows the unikernel paradigm.

HermiTux is intended to run applications directly on the hypervisor without any additional layers, while providing binary compatibility with Linux applications at the ABI level.

The HermiTux code is written in C and distributed under the BSD license.

HermiTux provides a minimal operating system environment with its own kernel (a unikernel), which consumes far fewer resources than an environment built on a regular Linux kernel.

This allows applications to be launched on the hypervisor quickly: start-up time does not exceed 0.1 seconds.

In performance tests, HermiTux lagged about 3% behind environments with a regular Linux kernel, due to the overhead of forwarding I/O to the host side.

Memory consumption in the test environment was 9 MB, 10 times less than with the Linux kernel (Docker's consumption was about 2 MB because it shares the kernel with the host environment instead of using full virtualization).

About HermiTux

HermiTux stands out for its ability to run unmodified applications built for Linux, achieved through support for the ELF format, an implementation of Linux system calls, and the emulation of virtual file systems.

At the current stage of development, HermiTux implements 83 system calls. In total, the Linux kernel provides more than 350 system calls, but only a small fraction of them are used by real applications (implementing 200 system calls is enough to cover 90% of the programs in regular distributions).

To reduce latency when processing system calls, an optional mechanism is implemented that rewrites system call invocations into ordinary kernel function calls.

For statically linked applications, syscall instructions can be replaced with function calls directly in the executable file.

For dynamically linked applications, the replacement is done at the standard C library level.

In addition, tools have been prepared that analyze which system calls an executable uses, making it possible to build a minimal HermiTux image containing only the code needed to handle the system calls the application actually invokes.
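The kind of analysis described above, as an added example that is not part of the original article or of the HermiTux project's own tooling: a Python script that scans the raw bytes of an x86-64 .text section for syscall instructions, recovers the syscall number loaded into eax/rax just before each one, and produces the inventory from which a minimal kernel image (or, on a regular Linux host, a seccomp allowlist) would be built. The sample bytes, the base address and the small syscall-name table are constructed for the example; on a real binary the section would be dumped first, for instance with objcopy -O binary --only-section=.text, and a production tool would use a real disassembler rather than the byte-pattern heuristic used here.

```python
import struct
import sys
from collections import Counter

# x86-64 Linux syscall numbers for the names used in the constructed sample.
SYSCALL_NAMES = {0: "read", 1: "write", 2: "open", 3: "close", 9: "mmap",
                 12: "brk", 60: "exit", 231: "exit_group", 257: "openat"}

SYSCALL_INSN = b"\x0f\x05"  # encoding of the x86-64 `syscall` instruction


def decode_syscall_number(code, pos, window=16):
    """Walk backwards from a `syscall` at `pos` to find the instruction that
    loaded the syscall number. Handles the encodings compilers and libc
    inline wrappers commonly emit:
        b8 imm32         mov eax, imm32
        48 c7 c0 imm32   mov rax, imm32 (sign-extended)
        31 c0            xor eax, eax  (number 0 == read)
    The nearest candidate wins, and the search stops at a preceding
    `syscall` so a load belonging to an earlier call site is never reused.
    Returns the number, or None if the load cannot be recovered statically."""
    start = max(0, pos - window)
    for i in range(pos - 2, start - 1, -1):
        if code[i:i + 2] == SYSCALL_INSN:      # crossed the previous call site
            break
        if code[i] == 0xB8 and i + 5 <= pos:   # mov eax, imm32
            return struct.unpack_from("<I", code, i + 1)[0]
        if code[i:i + 3] == b"\x48\xc7\xc0" and i + 7 <= pos:  # mov rax, imm32
            return struct.unpack_from("<i", code, i + 3)[0] & 0xFFFFFFFF
        if code[i:i + 2] == b"\x31\xc0":       # xor eax, eax
            return 0
    return None


def find_syscalls(code, base=0):
    """Linear scan of raw .text bytes for `syscall` instructions.
    Returns a list of (address, number_or_None). This is not a disassembly:
    a 0f 05 pair inside an immediate or in data would be reported as well."""
    found = []
    pos = code.find(SYSCALL_INSN)
    while pos != -1:
        found.append((base + pos, decode_syscall_number(code, pos)))
        pos = code.find(SYSCALL_INSN, pos + 2)
    return found


def syscall_inventory(code, base=0):
    """Summarise which syscalls an application issues: the sorted set of
    numbers, their names, and the addresses where the number could not be
    recovered (those need manual review or a dynamic trace before the
    unused syscalls are dropped from the kernel image)."""
    sites = find_syscalls(code, base)
    numbers = Counter(n for _, n in sites if n is not None)
    return {
        "numbers": sorted(numbers),
        "names": sorted(SYSCALL_NAMES.get(n, f"sys_{n}") for n in numbers),
        "unresolved": [addr for addr, n in sites if n is None],
    }


# Constructed sample .text (not taken from a real binary): five call sites,
# one of which computes its syscall number at runtime.
SAMPLE_TEXT = (
    b"\xbf\x01\x00\x00\x00"          # mov edi, 1      (fd = stdout)
    b"\xb8\x01\x00\x00\x00"          # mov eax, 1      (write)
    b"\x0f\x05"                      # syscall
    b"\x31\xc0"                      # xor eax, eax    (read)
    b"\x0f\x05"                      # syscall
    b"\x48\xc7\xc0\x01\x01\x00\x00"  # mov rax, 257    (openat)
    b"\x0f\x05"                      # syscall
    b"\x89\xc8"                      # mov eax, ecx    (number not static)
    b"\x0f\x05"                      # syscall -> reported as unresolved
    b"\x48\xc7\xc0\x3c\x00\x00\x00"  # mov rax, 60     (exit)
    b"\x0f\x05"                      # syscall
)

if __name__ == "__main__":
    # Usage: python syscall_inventory.py [raw_text_dump] ; defaults to the sample.
    code = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_TEXT
    inv = syscall_inventory(code, base=0x401000)  # constructed base address
    print("syscalls used:", ", ".join(inv["names"]))
    print("numbers:", inv["numbers"])
    for addr in inv["unresolved"]:
        print(f"unresolved syscall number at {addr:#x}")
```

The unresolved list is the important output for a defender: every call site whose number cannot be recovered statically is a syscall the minimal image (or allowlist) might be missing, so those sites must be resolved by inspection or by tracing the application before anything is removed.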


HermiTux Features

HermiTux uses a lightweight KVM-based hypervisor that loads the Linux binary together with a minimal operating system layer into a single-address-space virtual machine. At runtime, the system calls issued by the application are intercepted by the HermiTux kernel.

Optionally, HermiTux provides a mechanism to rewrite system call invocations into ordinary kernel function calls, significantly reducing system call latency.

From a security standpoint, this modularity makes it possible to exclude unused system calls from the kernel entirely, rather than merely filtering them (for example, with seccomp).

The application runs in a shared address space (HermiTux is designed as a single-application system running on top of the hypervisor).

Basic threading support (Pthreads Embedded) is provided.

MiniFS is proposed as the file system: files are kept in RAM (a RAM disk), and some elements of virtual file systems (/dev/zero, /proc/cpuinfo, etc.) are emulated.

The TCP/IP stack is based on the lwIP project, and a modified version of musl is used as the standard C library.

HermiTux does not require rebuilding applications and can run both compiled executables (statically and dynamically linked) and applications in interpreted languages (Python, Lua, etc.).

Project link.
