Unikernels

As we said, SwarmKit, as a kit, will run clusters not only of containers but also of unikernels.

What are unikernels and why are they so fantastic?

If you use Docker For Mac, you are already using unikernels: they are at the core of that product. On the Mac, xhyve, a port of the FreeBSD hypervisor bhyve, runs a Docker host in unikernel mode.

We all love containers because they are small and fast, but the security implications of a mechanism that abstracts the kernel and makes its components (the containers) share system resources, libraries, and binaries are a real concern. Just search for CVE bulletins about container security on any search engine. It is a serious issue.

Unikernels promise a reassessment of software architecture at the highest level. Quickly explained: they offer an efficient way to guarantee maximum security, and because of their nature they are very, very small. In a world where we speak of terabytes, petabytes, and beyond, it may surprise you that a KVM-based unikernel monitor such as ukvm can fit in 67 KB (kilobytes), a web server binary in 300 KB, or a whole operating system image in a few megabytes.

This is possible because unikernels basically don't expose all the system calls to the stack; instead, the calls a program needs are compiled into the binary itself. A ping binary does not need any system call to access the disk, use cryptographic functions, or manage system processes. So why not cut those calls away from ping and provide it with only the minimum it requires? That is the main idea behind unikernels. A ping command would be compiled with some network I/O and raw sockets inside, and that's all.

With unikernels, there is no distinction between kernel and user space: the address space is unified, that is, continuous. As explained earlier, this is possible because unikernel binaries are compiled with the system functions they need (I/O operations, memory management, shared libraries) embedded in the binary. In the traditional operating system model, applications look up and invoke system calls at runtime, while with unikernels these system functions are statically linked at compile time.

[Figure: Unikernels]

This can look strange at first sight, but it is a tremendous advance in terms of process isolation and security. Even if someone manages to break into a system running unikernels, it is almost impossible for them to find a security hole. The attack surface is so small that it is highly improbable that any exploitable unused system call or feature exists beyond the ones in use, which are likely already hardened. There is no shell to invoke, there are no external utility libraries or scripts, there are no configuration or password files, and there are no extra ports bound.

So what about unikernels and Docker?

At DockerCon EU 2015 in Barcelona, some folks jumped on stage to show how to integrate Docker with unikernels; Docker Inc. later acquired their company, marking, among other things, the birth of Docker For Mac.

At the Docker Summit 2016 in Berlin, someone mentioned unikernels running alongside containers in SwarmKit. A future of integration is coming.
