Jacar mascot — reading along A laptop whose eyes follow your cursor while you read.
Tecnología

Unikraft and unikernels: the promise that returns

11 min read 63 reads
Unikraft and unikernels: the promise that returns
Table of contents
  1. Key takeaways
  2. What exactly is a unikernel
  3. Why the first wave failed
  4. What Unikraft does differently
  5. Real numbers
  6. Where it fits and where it does not
  7. Conclusion

Actualizado: 2026-05-03

Unikernels are one of those ideas that periodically come back, promise a lot, and then fade. The first wave was around 2015 with MirageOS, IncludeOS, and HaLVM; the promise was running applications as specialized kernels of a few megabytes that booted in milliseconds with minimal attack surface. Interest diluted once Docker and Kubernetes ate the deployment world. Ten years later, Unikraft has spent a couple of years approaching the same terrain with a different pitch. With its stable release published, it is time to check whether the idea lands this time.

Key takeaways

  • A unikernel is application + libraries + OS parts compiled together as a single binary that boots directly on KVM or Xen.
  • Unikraft differs from the first wave in three aspects: modular architecture, a Docker-style kraft tool, and a catalog of ported applications.
  • Real numbers: boot in 30-50 ms (vs. 400-800 ms for a container nginx), 2 MB image size.
  • Fits three niches: serverless platforms, workloads needing strong isolation, and edge computing with extreme resource constraints.
  • Does not fit typical enterprise applications with many dependencies and fast development cycles.

What exactly is a unikernel

A unikernel is an executable image that bundles into a single binary the application, the libraries it needs, and the operating-system parts the application uses. There is no generic kernel; there is a kernel built specifically for that application, with only the drivers and subsystems it requires. The result boots directly on a hypervisor like KVM or Xen, without going through an intermediate operating system.

The comparison with familiar models helps understand the saving:

  • Minimal Linux VM: hundreds of megabytes, thousands of processes, drivers, and services the application never uses.
  • Container: lighter because it shares the kernel with the host, but still requires user space with libraries, tools, and sometimes an init system.
  • Unikernel: solely the application and what it needs, compiled together as a single artifact.

The consequences are concrete:

  • Boot times drop to tens of milliseconds.
  • Minimal attack surface: no shell, no users, no installed packages that may hide vulnerabilities.
  • Image size of one to ten megabytes for a simple application.
  • Potentially better performance because application and kernel are compiled together.

Why the first wave failed

What sank MirageOS and company was not technical but practical. The problems were:

  • Language dependency: MirageOS served only OCaml, HaLVM Haskell, IncludeOS C++. If your team used none of those, there was no path.
  • Complex compilation: required deep knowledge of how the host hypervisor worked, and debugging meant reading raw memory traces.
  • Operational ecosystem not ready: deploying in production required dropping abstraction down to the hypervisor, which few cloud providers made easy. Orchestrators did not understand the model.

Meanwhile, Docker solved 80% of what unikernels targeted at a fraction of the adoption cost. Unikernels stayed as an academic curiosity.

What Unikraft does differently

Unikraft started in 2017 inside the Xen Project and moved to the Linux Foundation in 2023 with the explicit intent to take it to production. The value proposition differs in three concrete points:

  1. Modular architecture. Unikraft does not pick a language or specific library: it is a build framework where you combine a POSIX compatibility layer, a C standard library, drivers, a scheduler, and the application as interchangeable pieces. A C, Python, Go, or JavaScript application can be compiled as a Unikraft unikernel by adding the right layers.
  2. The kraft tool. Offers a Docker-like command-line experience. With kraft run you boot a unikernel on local KVM in seconds, with environment variables, networks, and volumes declaratively configured.
  3. Catalog of ported applications. The official catalog ships redis, nginx, node, python, mongodb, and several dozen more, already packaged as ready-to-run unikernels. That was unthinkable with MirageOS and eases first contact.

Real numbers

In my lab, the measurements are:

Metric nginx unikernel nginx container
Boot time 30-50 ms 400-800 ms
Image size 2 MB 50 MB
Minimum memory 32 MB ~25 MB
Throughput (small responses) +10-20% baseline

Boot is an order of magnitude better. Memory is comparable. Network performance is slightly better for small responses because the network stack lacks usual abstraction layers; for large responses the difference dilutes.

On security, the structural argument is clear: no shell, no package manager, no processes beyond the application. A vulnerability in the application remains exploitable, but post-compromise escalation is much harder because there are no native tools for an attacker.

Where it fits and where it does not

Unikraft fits particularly well in three scenarios:

  • Serverless platforms where fast boot is a differentiator. Booting in fifty milliseconds enables scaling patterns not viable with containers.
  • Highly specialized workloads with short lifecycles: running third-party code, sandboxing for autonomous agents, ephemeral data processing functions. Strong isolation combined with fast boot and tiny footprint solves several problems at once.
  • Edge computing with extreme resource constraints: devices with 128 MB of RAM can run several Unikraft unikernels where a full VM would not fit.

Where Unikraft does not fit:

  • Typical enterprise applications with many dependencies and fast development cycles.
  • Teams already running Kubernetes with containers and no boot or density problems.

Conclusion

Unikraft is the most serious attempt to date to bring unikernels to production, and the experience is significantly better than MirageOS a decade ago. Unikernels will remain niche technology, but that niche is bigger now: the explosion of serverless platforms, the interest in running untrusted code with strong isolation, and the need for efficiency at the edge create use cases where they have real advantage. For anyone designing a new platform with serverless patterns or strong isolation as a requirement, Unikraft deserves a serious proof of concept; for those operating classic infrastructure, better to follow the project closely before investing adoption time.

Was this useful?
[Total: 13 · Average: 4.5]
Post Views: 63

Written by

CEO - Jacar Systems

Passionate about technology, cloud infrastructure and artificial intelligence. Writes about DevOps, AI, platforms and software from Madrid.

440 Articles 35K Reads Rating

Related posts

Industria 4.0

Collaborative robotics on the factory floor: 2026 balance sheet

Los cobots llevan casi quince años prometiendo la fábrica donde humanos y robots comparten espacio sin vallas. En 2026, con un mercado camino de los once mil millones y el 70% de los pedidos llegando desde fuera del automóvil, conviene revisar qué ha cumplido y qué sigue pendiente.

82 12 min 4.4