Go Tip: Run Go apps securely and efficiently with Unikraft

Containers are great for deploying apps, aren't they? A containerized app comes with its own environment — system libraries, helper tools, and whatnot — to run everywhere in a reproducible fashion. Say goodbye to but-it-works-on-my-machine apps. What about security? Containerized apps are isolated from each other… welllll, sort of. They still share the same OS kernel and other OS resources, only separated by a handful of kernel namespaces (and a chroot).

More isolation means… VM?

If you want to have more isolation, you need to run your app inside a complete virtual machine (VM) that provides a dedicated kernel to the apps it runs. VMs, however, are quite bulky compared to containers, as they come with a full OS, including a kernel, that they must boot in order to run apps. Spawning a resource-hungry VM only for running a modest Go app seems overkill.

Security + lightness = unikernel

If you want both security and lightness… you can actually have it! Unikernels are super lightweight virtual machines featuring a radically trimmed down kernel that's tailored for running a single application. Even the separation between kernel and user address space is removed, for much faster execution. Isolation from other processes happens entirely through hardware primitives, which is much more secure than OS-level isolation.

Unikernel-based VMs excel in situations where you want to quickly spawn an app to run a singular task and exit. When the app is not needed, it should not consume any resources. (This is typically called “scale to zero”.) And when the app receives a request, the unikernel can boot up so fast that the user would barely notice the tiny, milliseconds-level delay.

Go-powered unikernels

I bet you are now curious to try running a Go app in a unikernel. Tip: check out Unikraft. Unikraft is an open-source unikernel development kit powered by a versatile CLI tool written in Go. I came across Unikraft recently because they announced the beta program of their new cloud service Unikraft.cloud. I launched a pre-configured Hugo server in no time by calling kraft run --rm -p 1314:1313 --plat qemu --arch x86_64 -M 512M . in the Unikraft-Hugo project directory. Sooo easy.

What I read in the docs is exciting and makes me want to further dig into the features and possibilities of Unikraft, with a keen focus on running Go apps with utmost resource efficiency. Think “Green Software”. Or, at least, think about your wallet drained by the hyperscalers charging for idling apps. Indeed, this is one of the rare occasions where saving the climate and saving money can go hand-in-hand!