Traditional container runtimes rely on OS-level isolation: every container shares the host kernel, separated only by namespaces, cgroups and similar mechanisms. This is efficient, but in multi-tenant environments it means a single kernel vulnerability can let one tenant escape into the host or into its neighbours. To mitigate these risks, containers are often confined within VM or microVM sandboxes, so that a hypervisor rather than the shared kernel becomes the isolation boundary. This approach enhances security but comes at the cost of increased complexity, slower boot times, and higher resource consumption, since each sandbox carries a full guest kernel and userspace.
What if we could have the best of both worlds - stronger security without the overhead? The key lies in specialization. Unikernels and lightweight, single-purpose kernels are built for exactly one application: the guest image contains the application together with only the kernel functionality it actually needs. Because they still run as guests under a hypervisor, they retain VM-grade isolation, while the minimal image keeps resource usage low and boot times fast. The hypervisor remains the trust boundary, but the code running inside each guest, and therefore its attack surface, is a small fraction of a general-purpose kernel.
This talk introduces urunc, a novel container runtime that enables seamless execution and management of unikernels and similar technologies as containers. The session includes a technical deep dive into urunc’s architecture, a live demo of unikernels running in Kubernetes, and real-world use cases highlighting the advantages of this approach.