
devs: there's too much complexity! security is impossible!

also devs: let's add just one more layer on top of linux -> docker -> k8s

godspeed to the nanos team for trying to simplify the stack




This seems designed to run inside virtual machines so there's a similar flavour. But I guess if you are running containers inside VMs you could subtract one layer by reimplementing your application into an OS component.


A unikernel application is a VM. It's like a container, but without needing docker + linux to run on.

I was running a web application written in Ruby, distributed in a container, running in Docker on Linux in a VM. That could become a unikernel running directly instead of the VM. Saves quite some layers, I'd say :)


What do you mean by "directly"? I'm not familiar with Nanos internals, but after skimming their FAQ[0] it seems that Nanos is a kind of VM that can't run on bare metal and still requires a hypervisor (presumably Linux, unless your CTO plays a lot of golf with MS salespeople):

Nanos is a single process operating system designed to run as a virtual machine and has no support to run on hardware.

[0]: https://nanos.org/faq


It seems you are right. The OPS documentation mentions that you can deploy it on bare metal, but this is a recent comment [0] that contradicts that.

    right now we don't have any plans to support bare metal
    installs like this as that would imply a bunch of other
    mgmt related tooling that would not be present 
    (eg: start/stop the server, configure networking, 
    deploy a new one, access rights, etc.) it also breaks 
    the assumptions we have that it is only being deployed 
    as a vm which means having to support a ton of random 
    hardware drivers, nanos is intended to always be ran on
    top of a hypervisor of some kind - whether it's public
    cloud or something under your own control 
    (eg: proxmox/vsphere/etc.)


It seems like they make some distinction between true bare metal and somewhat bare metal, which is highly confusing.

___

[0]: https://github.com/nanovms/ops/issues/1522


It's bare metal in the sense that it's self-bootstrapping but the "metal" it supports is only a paravirtualized system. This is what they mean when they say that they don't want to support tons of random hardware drivers: they've written support for KVM paravirt devices (which are nearly universally available on VMs), and that allows the kernel to run on most hosting providers.


So (if I understand correctly):

It minimizes the software stack (and with that: attack surface) that the application sits on, inside a VM.

It does not (nor is it expected to) help to minimize said application.

And it does not minimize the software stack that runs the VM.


Exactly. It's an adapter that provides a short path between the application's expectations and what the VM provides.


Unikernels and virtualization are orthogonal; you can run e.g. on-prem appliances with unikernels on bare iron. E.g., it sounds like NetApp ONTAP is/was like this at some point.



