Are Unikernels Ready for Serverless on the Edge?

TL;DR

This paper evaluates unikernels as a secure, lightweight execution environment for serverless functions at the edge, comparing their performance and stability to other sandboxing methods like microVMs and containers.

Contribution

It provides a comparative analysis of unikernels versus microVMs and containers for edge FaaS, highlighting their performance benefits and current limitations.

Findings

Unikernels have fast cold start times suitable for serverless.

Unikernels are less stable than Linux microVMs.

Unikernels show promise for Linux-compatible FaaS isolation.

Abstract

Function-as-a-Service (FaaS) is a promising edge computing execution model but requires secure sandboxing mechanisms to isolate workloads from multiple tenants on constrained infrastructure. Although Docker containers are lightweight and popular in open-source FaaS platforms, they are generally considered insufficient for executing untrusted code and providing sandbox isolation. Commercial cloud FaaS platforms thus rely on Linux microVMs or hardened container runtimes, which are secure but come with a higher resource footprint. Unikernels combine application code and limited operating system primitives into a single purpose appliance, reducing the footprint of an application and its sandbox while providing full Linux compatibility. In this paper, we study the suitability of unikernels as an edge FaaS execution environment using the Nanos and OSv unikernel tool chains. We compare performance along several metrics such as cold start overhead and idle footprint against sandboxes such as Firecracker Linux microVMs, Docker containers, and secure gVisor containers. We find that unikernels exhibit desirable cold start performance, yet lag behind Linux microVMs in stability. Nevertheless, we show that unikernels are a promising candidate for further research on Linux-compatible FaaS isolation.