
From TFA: "At best, unikernels amount to security theater, and at worst, a security nightmare."

As a security engineer, that's a good one-sentence summary, from my point of view, of unikernels, since forever.

I think the reason why unikernels are being developed is due mostly to ignorance, and if any of them is successful, it will morph into an OS that is closer to Mesos, Singularity, or even Plan9. That's faster, safer, more logical, etc.



I'm not sure how this is different from container security. Provided you strip it down properly and it's not "my container is the whole system + my binary", how is the exposure different exactly?

Both will prevent persistence, both are restricted outside, not internally. If anything I'd say that a reduced number of devices gives you a lower attack surface over hypercalls (unikernels) than having direct access to all the syscalls (containers).

What's the huge difference and where's the theater?


If you look at proper OS virtualization implementations (like Zones and jails), where syscalls that aren't safe just don't work, then the difference is more apparent.


