Frankenlibc is designed to make it easy to run rump unikernels in userspace; it is a work in progress.
https://github.com/justincormack/frankenlibc.git

Architectures supported: as well as the previous i386, x86_64 and arm support, there is now support for powerpc64 and mips (o32 ABI); powerpc32 has some build issues but works, and arm64 boots part way at present. Arm and mips both work with soft and hard float.

Security model: there is a rexec script to execute the unikernel code; it opens host files, sets up sandboxing and then execs the unikernel. On Linux this uses seccomp type 2 syscall filtering (only if built with ./build.sh seccomp, which is off by default) to heavily limit what can be done, while on FreeBSD it uses Capsicum (built by default). So the unikernel cannot open new files, and can execute almost no syscalls other than read/write on the already open descriptors and the few others that are necessary.

Access to files and devices: any regular files opened by the rexec script are available as open files in the running application; this includes stdin, stdout and stderr, which means you can write command line programs (see tests/cat.c for a simple example). The first block device on the command line (if any) is used as the root file system (ffs or ext2); further block devices are currently not mounted, which will be fixed later. Tap and macvtap devices are used as network devices, and are autoconfigured with ipv4/dhcp and ipv6/slaac if those are compiled in. There are no manual configuration options other than what to open and whether it is read only or read/write; mac addresses are set from the interface address. The remaining command line options are passed through, so you can do the following to exec nginx with a macvtap interface /dev/tap14 and a root file system on /dev/loop0 mounted read only, passing the other arguments to nginx:

~/frankenlibc/rump/bin/rexec nginx/objs/nginx /dev/tap14 -ro /dev/loop0 -- -c /data/conf/nginx.conf

The FreeBSD and NetBSD platforms are slightly behind Linux at the moment, so networking and block devices may not all be working yet; they will be soon.
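As an added example (not frankenlibc's own rexec or platform code), here is a stand-alone C program showing the Linux side of this model: an allow-list seccomp-bpf filter that, once installed, lets the process keep reading and writing the descriptors it already holds but refuses any attempt to open something new. The syscall list, the ARCH_NR macro and returning EPERM rather than killing on a denied call are this example's assumptions, chosen so the refusal is visible when it runs.

```c
#include <errno.h>
#include <fcntl.h>
#include <stddef.h>
#include <unistd.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#ifdef __x86_64__
#define ARCH_NR AUDIT_ARCH_X86_64
#else
#define ARCH_NR AUDIT_ARCH_AARCH64 /* assumption: only x86_64 and arm64 are handled here */
#endif

/* Build an allow-list: kill on a foreign arch, allow the listed syscall numbers and
 * fail everything else with EPERM. Returns the instruction count, or 0 if out is too small. */
static size_t build_filter(struct sock_filter *out, size_t cap, const int *nrs, size_t n) {
    size_t i = 0, k;
    if (5 + 2 * n > cap) return 0;
    out[i++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch));
    out[i++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, ARCH_NR, 1, 0);
    out[i++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL);
    out[i++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr));
    for (k = 0; k < n; k++) { /* for each allowed number: skip the ALLOW unless nr matches */
        out[i++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (unsigned)nrs[k], 0, 1);
        out[i++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW);
    }
    out[i++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA));
    return i;
}

/* Install the filter; no_new_privs must be set first for an unprivileged process. */
static int install_filter(struct sock_filter *insns, size_t n) {
    struct sock_fprog prog = { .len = (unsigned short)n, .filter = insns };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}

int main(void) {
    struct sock_filter insns[32];
    /* Assumed allow-list in the spirit of rexec: I/O on already open descriptors, and exiting. */
    const int allowed[] = { SYS_read, SYS_write, SYS_close, SYS_exit, SYS_exit_group };
    size_t n = build_filter(insns, 32, allowed, sizeof allowed / sizeof allowed[0]);
    if (n == 0 || install_filter(insns, n) != 0) return 1;
    /* From here on use only raw read/write on existing fds; stdio may fstat() and be refused. */
    static const char ok[] = "write() on an open descriptor still works\n"; write(1, ok, sizeof ok - 1);
    if (open("/etc/hostname", O_RDONLY) < 0 && errno == EPERM) { /* glibc issues openat; filter denies it */
        static const char no[] = "open() refused by the seccomp filter (EPERM)\n"; write(2, no, sizeof no - 1);
    }
    _exit(0);
}
```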
Performance, tested with Nginx from a remote machine using macvtap, is about 10% lower than Linux performance on a similar setup (about 11.5k req/s). However, the only NetBSD function that takes a lot of time is rumpns_in_pcblookup_connect, which seems to take up 15% of CPU time; that seems excessive and could probably do with some more detailed profiling (I have been using perf under Linux). Other than that, a large amount of the overhead is in the Linux stack, network driver, tap and write, although some of that runs on a different CPU so might not be visible in the performance results. It does look like a direct PCI interface, or the dpdk or Snabb drivers, might perform better than going through tap devices. It is noticeably slower using ipv6, but I haven't looked to see where, and my test setup needs improving.

There are now no git submodules; everything is in one repo, using subtree for buildrump and commits from cvs for NetBSD src. Not yet supported: pthreads and c++; both should be added soon. There are no current plans to support TLS in userspace. Documentation is limited at present; I will work on it, plus ways to set things up more simply, and I have a few ways to build root filesystems that need packaging up.
