The Time for Unikernels is Now


In this episode of The View With Vizard, NanoVMs CEO Ian Eyberg explains why the time to employ unikernels to make IT more secure has arrived. The video is below, followed by a transcript of the conversation.

[Intro music playing]

Announcer: This is Digital Anarchist.

Michael Vizard: Hey, guys, thanks for the throw. We’re here with Ian Eyberg, who’s the CEO of NanoVMs. We’re talking about unikernels and container security and all kinds of new technologies. Ian, welcome to the show.

Ian Eyberg: Hey, thanks for having us.

Vizard: I’m not sure everybody knows exactly what a unikernel is, and I’m not sure even those who think they know what it is got it right. So can you just explain what a unikernel is and where it fits in the landscape of things?

Eyberg: For sure, and that quip about not even knowing if they think they know, it’s pretty true. So yeah, a unikernel, at the end of the day, it’s just a way of packaging and delivering software as one single unit. So we take one single application and deploy it as a virtual machine. That virtual machine is only running that one piece of software. There’s literally nothing else on it. There’s no Linux. There’s no Kubernetes. There’s no containers, nothing of that sort. So the end result is that it runs a lot faster and it runs a lot safer, not just containers but also just Linux by itself. It runs faster, so.

Vizard: We’ve been talking about unikernels for a while. What do you think is the big challenge in getting people to wrap their brains around it to actually implement it? And why aren’t we seeing more of it?

Eyberg: Yeah, so you’re right. There’s been a lot of – you know, back in maybe 2013, 2014 there were a lot of academic papers that came out. They’ve still been coming out, by the way. And you know, back then, all the way to, you know, maybe a year or two ago, the tooling around them was just way too brittle to handle. So if you weren’t like a kernel engineer, you basically weren’t going to be able to play with them because you had to be at that level to kind of work with them. So tooling has long been kind of a challenge, but you know, that’s something that we’ve been working on with some of the open source that we work with.

But the other thing is just market awareness. I mean, I can walk down the street of San Francisco and find somebody wearing a black hoodie and ask them, “Hey, have you heard the term unikernel?” and chances are they might not have even ever heard of it before. So market awareness is definitely another key issue.

Vizard: So what exactly do you guys do in this landscape? What exactly are you providing? If I engage with you as an enterprise, what do I get?

Eyberg: Sure. So we work on Nanos, which is a unikernel. So there’s like ten different unikernel implementations out there. Some of them have corporate backing, but most of them remain in the realm of research and academia. And so that’s one reason why they don’t get a ton of adoption, ’cause there’s really nobody that you can pay to, like, work on it. So – which turns out to be, you know, a challenge. If you’re gonna adopt some new technology and you don’t even really know much about it, let alone how to fix a bug or something, you need to be able to turn to somebody. And so that’s what we do, is we provide support plans for using it. The software itself is open source, though. So like Nanos you can find at Ops is another open source project that we have. And so you can use that to your heart’s content. It’s free as in beer and free as in free speech, so.

Vizard: And who drives this conversation? Is it the developers or is it the ops people or the security people that are showing up going, “Hey, we should be playing with unikernels a little bit more”?

Eyberg: So our end users are DevOps, SREs, that kind of category, sys admins, you know, depending on your age. So yeah, those are the end users, developers to a degree but usually it’s the people that are deploying software, managing the software, you know, doing the monitoring, doing all that sort of stuff.

Vizard: Hmm. And do you think that – we’ve seen a rash of security issues lately. They are countless. There’s misconfigurations. There’s all kinds of headaches going on. Do you think that that’s creating something of a moment in time where people are thinking about, hey, maybe we need another approach?

Eyberg: Yeah. Well, I mean, you know, security is – you’d think with the amount of money that’s sloshing around in the cybersecurity sector that computer security would actually get better, but it seems to just be getting worse. You know, we can’t go a single day or week without some new data breach or ransomware attack or, you know, crypto-jacking or – I mean, it’s insane. I mean, well, two weeks ago the BOA CEO said that they spend over a billion dollars on cybersecurity each year, like a billion dollars by one company. And then that exact same week that the CEO said that, McDonald’s was hacked. [Laughter] So it was – I mean, it’s a mess. And you know, people talk about DevSecOps and so forth, but you know, there’s still a lot out there that is just not being touched at all.

I mean, speaking of DevSecOps, you know, if you look at Linux security in particular, a lot of that ransomware stuff is traversing on Windows systems, you know, desktops and stuff like that. But when you go look at the Linux world where, like, all the server code is residing, there’s really almost nothing security-wise out there, which is kind of interesting.

Vizard: Speaking of DevSecOps, is it realistic to train developers to learn all this security stuff and hope that they’re gonna solve all our problems? Or do we need some way to automate this in a way that doesn’t require every developer to be perfect every time?

Eyberg: Yeah. So I’m definitely in that latter camp. [Laughter] You know, developers make mistakes. They do – you know, they write bugs all the time. You know, it’s just a fact of code. I mean, like, we’re human. We write bugs. And so you’re never really going to get these nice little milestones just by packing on more and more people into your SOC or things of that nature. I think that’s the completely wrong approach. In my opinion, the underlying infrastructure, the underlying software needs to be hardened in a better manner than it’s been done. And so there’s fundamental changes, I think, that need to happen.

You know, if you – and this isn’t like a new idea either. You know, you can go back to the mid-90s and the L0pht was saying – you know, a famous hacker group was saying the exact same thing. They were saying the underlying software has got to be fixed; otherwise the stuff will continue to happen. And, you know, they’re right, and it’s now 25 years later and same thing, so.

Vizard: We see a lot of containers these days. Do you think people have a false sense of security around containers ’cause they’re like –

Eyberg: Absolutely!

Vizard: _____ _____ running for a little bit of time and no one will find it.

Eyberg: Absolutely. Just the name itself, contain, gives people this impression that it’s somehow a security primitive, and it has no security primitives. And in my view, it actually makes some security worse than, say, just a plain vanilla Linux VM because on that, you know, the VM is a very well-defined security boundary. You know, if I pop a root shell on an Ubuntu box, now I have access to that server, but I don’t have access to another server immediately. Now I’m going to have to figure out how to hack that other server.

Containers completely break this, because if I own a container in like your Kubernetes cluster that spans multiple servers, now I have access to everything. And so that’s a really, really big problem because it’s just fundamentally broken that barrier that used to exist. So that’s my opinion.

Vizard: It seems like the bad guys have figured out how to jailbreak containers and get into the whole host system as well, and maybe that’s gonna force a bigger conversation. We’re just waiting for some disaster to happen.

Eyberg: Well, I mean, we already have disasters happening. [Laughter] So it’s – you know, I mentioned crypto-jacking. That’s probably the most favorite of attackers that want to do stuff. You know, you look at the rise of the cryptocurrencies and their…
