I just wanna say the Dagger shell syntax is incredibly cool and I look forward to playing with it. I would not complain if you posted such self-promotional comments on any thread where it’s relevant because it goes to show the flexibility of the thing.
I saw your announcement post / many contentious HN comments, but wanted to chime in here with a supportive take, because I think time will reveal this design to be very compelling.
I actually agonized over whether to include this particular one-liner, because of the risk of perceived self-promotion. In the end I decided to include it, because I actually used it, and I found it actually useful for anyone who wants to try Kernel with a one-liner. I made sure to not include a link to my project, to keep my karma in balance :)
I've been a fan of unikernels for a long time (we acquired the original Unikernel company at Docker), and I have to say applying it to browsers is genius. Now I'm surprised the unikernel community hasn't focused on this application sooner.
> I'm surprised the unikernel community hasn't focused on this application sooner.
There just wasn’t a compelling usecase before agents to need a serverless browser. And Chromium is basically an OS-in-a-box already, and Unikraft has now matured enough to supply the unikernel scaffolding to link it all together (coordinated by Dagger, it seems!)
The big motivation we had for trying to do this on a unikernel is actually the session pause/resume. The fast cold restart is a nice addition (or put the other way, a super slow restart would prohibit session pause/resume from being useful)
> How hard would it be to boot a computer to this as an OS?
Unikernels aren't meant to run as a bare metal OS on a standard computer like a PC. Instead they are applications wrapped in thin libraries that allow them to boot in hardware VM's provided by Intel vmx or AMD svm, etc. A hypervisor provides mechanisms for communication with hardware and other resources. They boot fast because the underlying system and hardware is already initialized and running.
The main idea of unikernels is to get rid of costly system calls like brk/sbrk called by malloc, open/read/write, etc. between the OS and application. The system never has to switch protection rings which saves a lot of time. This gives the application full control of its compute and memory resources with the possibility of direct hardware access depending on the host hardware and hypervisor. So you can attach things like NVM storage directly to the VM and let the application handle the disk and fs operations.
So to answer your original question of using such a wrapper to boot chrome on a PC: you will need a much, much bigger wrapper library which adds in all the hardware access which is a LOT of code (The GPU code alone is scary enough). You must also realize the fast boot time will be obliterated by hardware init which usually takes time as you have to jiggle certain hardware registers to wait, then probe again to see if things are working as advertised. This can take several seconds or more. In the end, you save nothing.
If you wanted an OS based on a hypervisor which boots unikernel applications you are at the mercy of the hardware to multiplex access or delegate that to a hypervisor adding more overhead. Again, you saved nothing.
In the end, your OS is really a CPU multiplexer and does a great job of providing all the primitives and resources in a generalized, uniform manner. I highly recommend reading this book: https://pages.cs.wisc.edu/~remzi/OSTEP/
> Unikernels aren't meant to run as a bare metal OS on a standard computer like a PC.
Originally this absolutely was one of the selling points. NetBSD's rumpkernel, for example, clearly was intended to support bare metal. In practice, though, unikernels are typically run within VMs, for the reason you hinted at--you usually still want a regular OS to multiplex your hardware and (unikernel-based) applications.
Depends on the application. These unikernel applications are best suited for short lived compute for web applications that need to fire up fast and live for the duration of the users session. Though perhaps it could be beneficial in situations where it could provide determinism with direct hardware access. Security wise I believe you're better off with an OS, better mechanisms and tested security models.
You would have to add support for the peripherals in the kernel, and have some kind of init system. You would also need a filesystem supported to boot the computer.
I was doing something similar for the entire OS a few years ago: cosmopolinux, a distribution of cosmopolitan binaries: https://github.com/csdvrx/cosmopolinux
My idea was to replace the WSL binaries to have a Linux distribution living on C:\, but that could also be booted baremetal if you didn't want to use Windows
I had to put together a multi stage init system for that: if you get the ISO, you can put in on a thumbdrive and boot it: https://gitlab.com/csdvrx/cosmopolinux
The only difference between them is the kernel and the filesystem: the github NTFS has a firecracker linux kernel, the gitlab ISO has a regular kernel with many modules.
I wanted to do a full NTFS solution but I couldn't find a bootloader I liked that would support booting from a NTFS partition.
> I wanted to do a full NTFS solution but I couldn't find a bootloader I liked that would support booting from a NTFS partition.
Could you stick the Linux kernel and initramfs on the EFI boot partition as a UKI, and then just tell it about its rootfs being on the NTFS C drive? You don't really need any bootloader except the firmware's UEFI implementation on most modern PCs, and Linux supports NTFS.
> Could you stick the Linux kernel and initramfs on the EFI boot partition as a UKI
I considered that, even if it would go against the idea of having everything inside the Windows partition. I'd rather have had a shim in the EFI, with the UKI in C:\
The difficulty was bitlocker: my approach was a UKI with a small kernel and a few binaries to open the bitlocker volume and kexec the bigger kernel.
I was also exploring how to mark part of the NTFS volume as unusable to stick a different payload there.
The "ISO on a thumbdrive" was done to get baremetal boot working and out of the way, to see if I needed deeper changes to what had started as a 2 stages boot process, or if it was good enough as-as.
> Linux supports NTFS.
The kernel module is great!
I wish there was a linux distribution that could be run from either WSL or baremetal, to get more people familiar with baremetal linux.
I wanted to limit the space needed on the EFI, and keep as much as possible on the Windows partition because there's also the question of where the bitlocker key would go.
With something like a chainloader using a special part of the NTFS partition posing as bad blocks, Windows could "remove" this access easily, without having to touch the EFI partition or the boot variables.
Yeah, this is mostly just an OSS implementation for self-hosting! I'm not entirely sure what any of those companies use under the hood, in theory they could use this implementation if they wanted to gain the fast boot times, session reuse etc.
This is super cool. We’ve been looking into infra for AI agents. As others have noted, the difference in speed alone between docker and this is a huge win. Having our clients wait around for five seconds really adds up.
Awesome tech, excited to dig deeper for healthcare
Cool (and congrats on the demo)! Sounds like a promising approach. I work on browser use agents and one of the most difficult problems now is bot detection.
Curious if you know how this impacts bot detection/fingerprinting?
Thank you! Yeah, the current implementation basically performs the same as a Docker container (i.e. not much). The interface is the same, so you can use BU/Playwright/Puppeteer's header configs to change as needed.
We did notice the unikernel cloud instances don't run into bot detection as often as our hosted docker instances, but I think that's mostly because Cloudflare haven't flagged Unikraft Cloud's IPs yet, hah.
This is awesome stuff. I think the biggest thing holding back a bunch agentic use cases is great infra and this is a a great step in the right direction. Love how fast it boots!
Interesting work. It immediately brought boot2gecko to my mind. If I understand unikernels correctly - do you think it would be viable to run this on real HW?
I'm assuming the low latency cold starts are from a paused state, considering chrome itself takes a few seconds to boot? Or have you found some clever way to snapshot a running chrome and fork that?
Is that safe? I was under the impression that snapshot/resume of ex. anything running crypto libraries was a minefield of duplicate keys and reused nonces.
Haven't tried on a Lambda. Would be curious to know the results if you do!
It took us 8gb to get it up - maybe could be slimmed down if you took out the Anthropic Computer Use components, but browsers generally are pretty heavy.
why is the price bracket so weird? pro/10 gives each user less than half what individual plans would. It's almost like an attempt to dissuade pro purchases. Are there additional tooling you are not mentioning in the comparison?
I used this one-liner to run an instance directly from remote source:
Be aware that the initial docker build is quite long... But caching kicks in for subsequent runs.I look forward to playing with this!
I saw your announcement post / many contentious HN comments, but wanted to chime in here with a supportive take, because I think time will reveal this design to be very compelling.
I actually agonized over whether to include this particular one-liner, because of the risk of perceived self-promotion. In the end I decided to include it, because I actually used it, and I found it actually useful for anyone who wants to try Kernel with a one-liner. I made sure to not include a link to my project, to keep my karma in balance :)
I've been a fan of unikernels for a long time (we acquired the original Unikernel company at Docker), and I have to say applying it to browsers is genius. Now I'm surprised the unikernel community hasn't focused on this application sooner.
> I'm surprised the unikernel community hasn't focused on this application sooner.
There just wasn’t a compelling usecase before agents to need a serverless browser. And Chromium is basically an OS-in-a-box already, and Unikraft has now matured enough to supply the unikernel scaffolding to link it all together (coordinated by Dagger, it seems!)
- Mounting persistent storage for file i/o
- Replacing noVNC with a faster alternative
Would love feedback, especially if you’ve worked on fast-cold-start systems or unikernel-based infra.
How hard would it be to boot a computer to this as an OS?
Unikernels aren't meant to run as a bare metal OS on a standard computer like a PC. Instead they are applications wrapped in thin libraries that allow them to boot in hardware VM's provided by Intel vmx or AMD svm, etc. A hypervisor provides mechanisms for communication with hardware and other resources. They boot fast because the underlying system and hardware is already initialized and running.
The main idea of unikernels is to get rid of costly system calls like brk/sbrk called by malloc, open/read/write, etc. between the OS and application. The system never has to switch protection rings which saves a lot of time. This gives the application full control of its compute and memory resources with the possibility of direct hardware access depending on the host hardware and hypervisor. So you can attach things like NVM storage directly to the VM and let the application handle the disk and fs operations.
So to answer your original question of using such a wrapper to boot chrome on a PC: you will need a much, much bigger wrapper library which adds in all the hardware access which is a LOT of code (The GPU code alone is scary enough). You must also realize the fast boot time will be obliterated by hardware init which usually takes time as you have to jiggle certain hardware registers to wait, then probe again to see if things are working as advertised. This can take several seconds or more. In the end, you save nothing.
If you wanted an OS based on a hypervisor which boots unikernel applications you are at the mercy of the hardware to multiplex access or delegate that to a hypervisor adding more overhead. Again, you saved nothing.
In the end, your OS is really a CPU multiplexer and does a great job of providing all the primitives and resources in a generalized, uniform manner. I highly recommend reading this book: https://pages.cs.wisc.edu/~remzi/OSTEP/
Originally this absolutely was one of the selling points. NetBSD's rumpkernel, for example, clearly was intended to support bare metal. In practice, though, unikernels are typically run within VMs, for the reason you hinted at--you usually still want a regular OS to multiplex your hardware and (unikernel-based) applications.
I was doing something similar for the entire OS a few years ago: cosmopolinux, a distribution of cosmopolitan binaries: https://github.com/csdvrx/cosmopolinux
My idea was to replace the WSL binaries to have a Linux distribution living on C:\, but that could also be booted baremetal if you didn't want to use Windows
I had to put together a multi stage init system for that: if you get the ISO, you can put in on a thumbdrive and boot it: https://gitlab.com/csdvrx/cosmopolinux
The only difference between them is the kernel and the filesystem: the github NTFS has a firecracker linux kernel, the gitlab ISO has a regular kernel with many modules.
I wanted to do a full NTFS solution but I couldn't find a bootloader I liked that would support booting from a NTFS partition.
Booting from an ISO was simpler and faster.
Could you stick the Linux kernel and initramfs on the EFI boot partition as a UKI, and then just tell it about its rootfs being on the NTFS C drive? You don't really need any bootloader except the firmware's UEFI implementation on most modern PCs, and Linux supports NTFS.
I considered that, even if it would go against the idea of having everything inside the Windows partition. I'd rather have had a shim in the EFI, with the UKI in C:\
The difficulty was bitlocker: my approach was a UKI with a small kernel and a few binaries to open the bitlocker volume and kexec the bigger kernel.
I was also exploring how to mark part of the NTFS volume as unusable to stick a different payload there.
The "ISO on a thumbdrive" was done to get baremetal boot working and out of the way, to see if I needed deeper changes to what had started as a 2 stages boot process, or if it was good enough as-as.
> Linux supports NTFS.
The kernel module is great!
I wish there was a linux distribution that could be run from either WSL or baremetal, to get more people familiar with baremetal linux.
Why not do that from the initramfs with the real kernel? I'm pretty sure that's how it works on a normal encrypted root Linux install
With something like a chainloader using a special part of the NTFS partition posing as bad blocks, Windows could "remove" this access easily, without having to touch the EFI partition or the boot variables.
Obviously since this is open source, then I can self host it. What other reasons?
Just curious!
Awesome tech, excited to dig deeper for healthcare
We did notice the unikernel cloud instances don't run into bot detection as often as our hosted docker instances, but I think that's mostly because Cloudflare haven't flagged Unikraft Cloud's IPs yet, hah.
Either way thanks for sharing.
Maybe you can clarify that this is actually running a stripped down linux as unikraft does not have the support to run chrome itself.
Looking forward to one that'll run on my local machine, if I read this correctly?
Can this run inside a Lambda?
It took us 8gb to get it up - maybe could be slimmed down if you took out the Anthropic Computer Use components, but browsers generally are pretty heavy.