dear @bramford, I suffered from this as well (running atm 11 different virtual machines and shell-scripting deployment didn’t scale anymore).
From your example unikernel platform, albatross (please read Albatross - provisioning, deploying, managing, and monitoring virtual machines first) is WIP and does not attempt to compile anything. Albatross is a family of processes running on the hypervisor:
- vmmd (executing under root privileges at the moment, able to create and destroy virtual machines)
- vmm_console keeps a ring buffer of the console output (which is redirected to a fifo) of each unikernel
- vmm_log is a global event log
- vmm_stats monitors
getrusage,ifdata, andbhyvectl --get-stats
authentication is done via X.509 certificates and policies encoded in there, a client is not able to overprovision their running unikernels (atm the pages allocated by ukvm-bin are not accounted for). at the moment, vmmd also accepts tls communcation (but this will soon be a separate process). vmmd also creates tap devices (and attaches them to the specific bridges) dynamically. there’s no “restart on crash” feature implemented, neither a “persist this unikernel (i.e. start when albatross boots)”. the code is tested on FreeBSD only.
in the current security model, I try to protect anyone who has a valid CA certificate to access any L2 (bridge) they don’t have access to - or to starve host system resources (such as file descriptors, tap devices, … ← kernel memory), each unikernel is pinned to a single CPU (the set of available CPUs are written in the CA certificate, as is memory, bridges, and number of VMs). there’s still plenty of room for improvement, including L3 routing in the hypervisor L3 routing to the hypervisor with BGP, and real block device support.
I’m convinced that albatross is very much WIP, and that we should have a good integration story of MirageOS unikernels with Kubenetes etc. as well. Once the TLS bits are moved into a separate process, I plan to investigate how to run albatross via startup scripts (and start a set of persistent unikernel upon boot).