Chris Hickman speculates about the future of containers in his blog this week with a nominal and partial tour of virtualization directions. He touches on my favorite concept of unikernels in containers. I have a different point of view from Chris' but I think his ideas are more mainstream.
Why Unikernels? (The application is the container!)
I am very passionate about elegance and simplicity in software design and in software service security; I believe there is no attack surface like no attack surface. That is, if you remove everything from your container that can be attacked, you are more likely to be secure than if you bring along all of the attack surfaces of a full-blown kernel and operating system. And even if you are compromised, other microservices should be protecting themselves from you (authentication, parameter checking). Further, there is almost nothing in your unikernel that an attacker can use to attack the rest of your microservices ecosystem.
Obviously it is more difficult to debug complex microservices and discover why they are failing in production if there are no helper tools and capabilities in the container. But an instrumented service mesh can enable "playback" of payloads and traffic against a non-production version of your microservice to diagnose the problem. And removing complex components keeps these unneeded, resource-wasting elements from interfering with your service, so bugs frequently become shallower (all of the bugs are yours).
However, coders are lazy and will prefer to have convenient shell access to their containers running in production so that they can debug under live traffic circumstances. And, most developers prefer to bolt on convenient tools, libraries, deep stacks, and monolithic resource hogging pieces to their run-time environment because they perceive it is faster and easier to copy/paste a few annotations or changes into a larger software monolith. Therefore I am pessimistic we shall see a rise in Unikernels outside of environments where security is important and leadership understands the value of simplicity.