A unikernel is an application-specialized VM image. It is constructed by linking an application and parts of LibOS required by the application at compile time. A unikernel can be executed as a VM on top of a hypervisor such as Xen, VMware ESXi, and KVM. Unikernels are characterized as specialization and single-address-space. That implies a unikernel is constructed only for one application, and the application and the kernel share a single memory address space.

This design principle brings many benefits. First, unikernels are very lightweight in terms of image size and runtime memory footprint because they only contain the application and its necessary parts of LibOS. Second, unikernels are highly isolated because hypervisors such as Xen and VMWare ESXi provide strong isolation between VMs on top of a hypervisor. Third, unikernels offer better security because they expose small attack surface. The absence of system calls and shells blinds attackers to subvert unikernels. Moreover, unikernels are written in statically-typed languages that provide memory safety guarantee. For example, MirageOS [2] is written in OCaml language. Fourth, unikernels are executed efficiently because unikernels are single-address-space and there is no context switches between the user application and the kernel in unikernels. Overall, these promising features make unikernels an ideal option for deploying micro-services and serverless applications in cloud platforms. They not only improve VM density for cloud providers [8], but also are of great benefit to cloud users for cost reduction.

However, it may be quite difficult to port legacy applications from traditional software stack to unikernels [8, 22]. First, unikernels are often constructed by linking application source code with libOS at compile time. However, some applications’ source code may be not available due to proprietary limitations. Second, because different unikernels are written in different programming languages, it may be difficult to refactor legacy applications in other languages. Third, unikernels usually only support limited OS features and libraries to achieve lightweight deployment [3, 23]. If legacy applications require certain system features and libraries that are not supported by the unikernel, the application should be modified or refactored.

Although unikernels have many promising features, the difficulty of porting legacy applications impede their wide application in the industry. One solution is to provide binary compatibility. For example, OSv [3], HermiTux [4], and X-Containers [24] provide the Linux binary compatibility and allow the Linux binaries to support unikernels. Binary compatibility can significant reduce the burden of unikernel application developers. As a result, we implement UCat based on a popular unikernel–OSv.

Virtual memory is an important concept and abstraction in modern computer systems. It brings many benefits: the ability of sharing memory between processes, enhanced security due to memory isolation, providing more memory than the available physical memory space (memory overcommitment), etc. Most virtual memory management systems use page tables to translate virtual address (VA) to physical address (PA). The address translation process is usually called page table walking. The cost of address translation is mainly determined by the levels of page tables. For x86-64 architectures, the page tables have four levels. Fig.2 illustrates the native page table walking in x86-64 architectures.

Modern CPUs usually speed up address translations by caching the most recently accessed page tables in the page table walking (PTW) cache. In addition, to avoid frequent page table walks, TLB has been widely used to store the recent VA-to-PA translations for future use. It has become a common component of the memory management unit (MMU). When 4 KB pages are used, a TLB miss leads to four memory references in a VA-to-PA translation. Thus, page table walking usually has a significant impact on application performance if the TLB miss rate is high.

In a virtualization environment, the address translation from VA to PA is divided into two stages. In the first stage, the guest OS performs a page table walk that translates guest virtual address (GVA) into guest physical address (GPA). In the second stage, the hypervisor further translates the GPA into host physical address (HPA). There are mainly two approaches to achieve the two-layer address translation: shadow page table (SPT) and hardware-assisted virtualization address translation.

Fig.3 illustrates the work process of SPT. When the SPT is used, the hypervisor maintains a separate shadow page table for each process in a VM. The SPT can directly translate a GVA into a HPA efficiently. However, when the guest page table is updated, the SPT should be modified at the same time. Therefore, the modification of the guest page table needs to be tracked by the hypervisor. To monitor the modification of guest page tables, the guest page table is set as read-only. As a result, any modification made by the guest OS would trigger a page fault and is trapped into the hypervisor. This procedure is also called VM-exit, which is rather costly for VM-resident applications. The hypervisor then modifies the guest page table and updates GVA-to-HPA mapping in the SPT. Although the SPT provides a direct mapping of GVA to HPA, it also has some limitations. First, the hypervisor needs to maintain a separate SPT for each process in a VM, resulting in non-trivial memory consumption. Second, frequent VM-exits also incur significant performance overhead. Third, the synchronization of guest page tables and SPTs also wastes a lot of CPU resource.

To improve the performance of address translations, Intel and AMD proposed Extended Page Table (EPT) [25] and Nested Page Tables (NPT) [26], respectively. As these two technologies are similar, in the following we take Intel's EPT as an example to illustrate the process of address translations. The EPT eliminates the dependency between the GVA-to-GPA translation and the GPA-to-HPA translation. If a page fault occurs in the guest OS, it can be handled directly by the guest OS without a VM-exit. When the GVA is translated into GPA by the guest OS, the EPT then translates GPA to HPA. This process is similar to the native x86-64 address translation. Since only one EPT is needed for a VM, the memory consumption due to address translation is greatly reduced.

Fig.4 depicts the two-dimensional EPT-supported page table walk in virtualization environments. When both the guest OS and the host OS are mapped using 4 KB pages, each level of translation in the guest page table requires an EPT walk which requires four memory references. Thus, a TLB miss in a VM leads to total (num_of_ page_dir + num_of_ page) × accesses_ per_ EPT_walk − final_ page_ access memory references for the GPA-to-HPA translation. Thus, total (4+1)\times 5-1=24 memory references are required for accessing a page with 4 KB upon a TLB miss. Large pages (such as 2 MB pages) can be exploited to speed up the address translation in virtualization environments. As shown in Fig.2, using 2 MB pages in a bare-metal machine can reduce one memory reference. When 2 MB pages are used in both the guest OS and the host OS, total (3+1)\times 4-1=15 memory references are required. Thus, 24-15=9 memory references are reduced in the two-dimensional page table walks when the page size is changed from 4 KB to 2 MB. As a result, using 2 MB large pages can significantly reduce the number of memory references for a GPA-to-HPA translation [25, 27].

Fig.6 depicts the architecture of UCat. Intel Optane DC Persistent Memory Module (PMM) can be used in two operation modes: Memory Mode and App Direct Mode. We use the App Direct Mode so that the Optane DC PMMs and DRAM are visible to the host OS.

Although DRAM and Intel Optane Persistent Memory can be placed in different NUMA nodes in a physical host, NUMA accesses may degrade the performance of applications [14], especially for unikernels that usually run only one single program in the VM. Since Linux can manage NVM in a contiguous physical memory space through a pmem namespace, it is potential to manage NVM and DRAM through different namespaces separately, as shown in Fig.6. In this way, the unikernel can simply distinguish NVM and DRAM by mapping two continuous memory regions to the DRAM and NVM namespaces managed by the host server.

To use heterogeneous memories, OSv should be aware of the capacity and region of DRAM and NVM. In UCat, each OSv divides its main memory space into a DRAM region and a NVM region, and then informs the memory boundary (called heterogeneous_memory_boundary) to the KVM hypervisor via quick emulator (QEMU). When KVM obtains the memory boundary, it can map the OSv’s DRAM and NVM address space to the corresponding namespaces. As shown in Fig.6, the DRAM region in OSv is mapped to namespace 0, and the NVM region is mapped to namespace 1. Upon a page fault, the page fault address (fault_addr) is stored in the CR2 register. By comparing the fault_addr and the heterogeneous_memory_boundary, KVM can determine the type of memory required by OSv and apply for memory from namespace 0 or namespace 1 accordingly. In addition, to reduce the two-layer address translation overhead and the internal memory fragmentation, we combine large pages and different slab classes to manage the heterogeneous memories in a multi-grained manner.

OSv needs to perceive the heterogeneity of the underlying physical memory to allocate DRAM and NVM in OSv. A simple way is to manage the physical DRAM and NVM in two namespaces separately, and then the OSv can map two memory regions to the underlying different namespaces in the host.

To support heterogeneous memory allocation in OSv, we propose a simple-yet-efficient mechanism called front-end/back-end cooperative address space mapping, as shown in Fig.7. The front-end and back-end refer to the OSv-based VM and the underlying hypervisor (QEMU/KVM), respectively. We map the DRAM region in OSv to namesapce 0, and the NVM region to namesapce 1. To achieve this goal, we modify the OSv startup module and the OS initialization module to support heterogeneous memory allocation during the OSv booting. Specifically, the OSv startup module should be aware of the DRAM and NVM sizes. These two parameters are stored in a special location of the OSv image before the VM is started.

First, we construct a QEMU command including the DRAM and NVM sizes to start a VM. QEMU parses the two memory regions assigned to the VM and creates a memory boundary parameter, which is stored in the VM-related meta-data structure. At this time, the KVM hypervisor can obtain the memory boundary between the DRAM region and the NVM region in OSv, and then maps the two memory regions to different namesapces.

Second, when the VM starts, the OSv initialization module parses the parameters of DRAM and NVM sizes from the OSv image, and stores the memory boundary as a global variable in the VM at runtime. Therefore, the memory management subsystem of OSv can recognize the type of memory requested by the application. At this time, both the front-end (OSv) and the back-end (QEMU/KVM) is aware of the memory boundary between DRAM and NVM regions. For each memory request, KVM can allocate different physical memories to upper VMs according to the memory boundary exposed by each OSv. As shown in Fig.7, if the virtual memory requested by OSv locates in the DRAM region, KVM allocates DRAM from namesapce 0. Otherwise, KVM allocates NVM from namesapce 1.

With the collaboration between front-end and back-end, we establish the memory address mapping between OSv and KVM in a simple yet efficient way. Our mechanism is also applicable to other unikernels to support heterogeneous memories.

Since OSv still uses four-level page tables for address translation, it still suffers the high cost of the two-layer address translation. On the other hand, OSv only supports a limited number of page sizes, and thus may waste a considerable amount of memory resource. To mitigate internal memory fragmentation, a simple approach is to split a large page into 4 KB pages when the utilization of the large page is low. In contrast, when the number of continuous 4 KB pages exceeds a given threshold, they can be merged into a large page to reduce the cost of address translation of these small pages. Although large pages splitting and promotion [18, 27, 29, 30] have been long explored in the past decades, unfortunately there is not a real implementation in modern computers because of its high complexity in software/hardware.

Our multi-grained memory allocation mechanism takes the advantage of both large pages and slab allocation to speed up the GVA-to-HPA address translation while still retaining a low degree of internal memory fragmentation. Since there are two-layer address translations in a virtualization environment, a TLB miss can result in 24 memory references during the two-layer page table walking when both VMs and the host OS all use 4 KB pages. In UCat, we use 2 MB large pages to reduce the cost of two-layer address translations. On the one hand, large pages can significantly improve the TLB coverage, and thus reduce the TLB miss rate. On the other hand, using large pages can further reduce the number of memory references from 24 to 15 (37.5% reduction) upon a TLB miss in OSv.

Moreover, to reduce the waste of memory resource, we exploit slab allocation to support fine-grained memory allocation. Specifically, we logically split 2 MB large pages into different slab classes ( 2^0,2^1,...,2^{20}) to satisfy multi-grained memory requests. As shown in Fig.8, for the slab class t, a 2 MB large page can be split into multiple slabs of 2^t bytes. In the beginning of each slab class, there is a slab header recording the address offset of each slab. Generally, a 2 MB large page can satisfy (2MB-h)/2^t memory requests, where t denotes the size of a slab, and h denotes the space consumed by the slab header. We note that the address translation of these slabs still relies on TLBs and page tables of large pages. When the large page address of a slab is translated, the slab allocator should first consult the slab header to get the address offset of the requested slab, and then access the data. In this way, UCat can manage memory in fine-grained slab classes while still benefiting the performance advantages of large pages for address translation.

We modify the memory allocation strategy in OSv to support fine-grained memory allocation. When a memory request is greater than or equal to 2 MB, UCat directly allocates memory from the free_ page_ranges. For memory requests less than 2 MB, we exploit the slab allocator to find the best-fit slab class, and then return the address offset of the available slab to the object. Since UCat initializes different slab classes for allocation when a OSv-based VM is created, the slab allocator can always find a slab class that best fits for the memory request with the least memory waste. If there is a free slab available in a slab class, the memory allocation can be completed quickly. Otherwise, Ucat should first apply for a large page from the free_ page_ranges, and then append it to an existing slab class. On the other hand, if one slab class contains a large amount of free slabs for a long time, this slab class can be reclaimed and reassigned to another slab class with few free slabs.

Since there is significant performance gap between DRAM and NVM, we bind the memory used by the OSv kernel to DRAM for high performance. Because applications may have a very large memory footprint, we can allocate DRAM and NVM alternately to applications according to a pre-defined ratio. Since a unikernel is built by compiling the source code of the application with the LibOS together, the programmer can specify the ratio in advance of the compiling. However, the value of the ratio is usually hard to determine in practice because the memory usage of an application may dynamically change at runtime. Thus, we simply allocate DRAM and NVM to the application alternately according to the DRAM-to-NVM ratio in the unikernel. The guest kernel still uses the vanilla memory allocation mechanism in OSv, while the application uses our multi-grained memory allocation mechanism for higher performance and less memory waste according to the DRAM-to-NVM ratio in the unikernel. Fig.9 depicts the execution flow of our memory allocation mechanism in UCat. For the application, if the requested memory can be offered by a slab class, a free slab is returned immediately, and thus the latency of slab allocation is very low. However, if the requested slab class is not available or there is no free space, the slab allocator should first determines which kinds of memory should be allocated according to the memory boundary, and then apply for a 2 MB large page. At last, it constructs the slab-related data structure for allocation. This process usually leads to a rather long tail latency of memory allocation.

Experiment setup In our experiments, the host server is equipped with dual-socket Intel Xeon Gold 6230 2.10 GHz 20-core processors, 128 GB of DRAM, and 1 TB of Intel Optane DC Persist Memory Module (DCPMM). We organize DRAM and DCPMM in two namespaces using ndctl and daxctl tools [31, 32], and use Optane DCPMMs in App Direct Mode. The host server runs Ubuntu 19.10, the KVM hypervisor with Linux kernel version 5.1.1, and QEMU 2.11.50. The guest VM is a unikernel running modified OSv 0.54.

We compare our multi-grained memory allocation mechanism with the OSv memory management mechanism. If not specified otherwise, they are all deployed on the host with the same settings and run Memcached [33], which is a high-performance, distributed in-memory key-value object caching system for accelerating database queries.

Real-world workloads We use memslap [34] and YCSB [35] benchmarks to evaluate the performance of Memcached deployed in OSv. Memslap is a load generation and benchmark tool for Memcached. It can generate different workloads with configurable parameters such as threads, concurrency, and execution time. If not specified in the benchmark, we use the default parameter settings. For example, the ratio of gets to sets is 9:1, and the task window size of each concurrency is 10K. YCSB is a general-purpose performance benchmark tool, which can evaluate the performance of various non-relational databases. YCSB includes six types of workloads representing different application scenarios, as shown in Tab.2.

Micro-benchmarks We develop a micro-benchmark to evaluate the performance of OSv and UCat in detail. The workload of this application is to allocate memory at first, update the memory, and release the memory finally. We can configure the number of memory allocations and the size of memory requested to generate different memory access intensity.

To validate the effectiveness of our front-end/back-end address mapping mechanism, we place the data in Memcached in DRAM and NVM with different ratios, and run memslap benchmark to evaluate the performance. We also evaluate the performance in DRAM-only and NVM-only scenarios for reference. We use UDP protocol for network transmission. We set the number of threads to 8, the concurrency to 128, and total execution time to 30 seconds. Fig.10 shows the transactions per second (TPS) under different DRAM-to-NVM allocation ratios, all normalized to the NVM-only configuration. When the proportion of data distributed in DRAM increases (from 1:16 to 1:1), the throughput of OSv becomes higher accordingly because the performance of DRAM is much higher than NVM. These results demonstrates that the heterogeneous memory resources are visible to the application, and our address mapping mechanism can map the virtual DRAM/NVM regions to different host namespaces effectively.

In the following, we conduct a set of experiments to evaluate the performance of our multi-grained memory allocation mechanism.