[eru]

> Is the idea that a single unikernel is equivalent to a single process?

Yes.

A unikernel is equivalent to a process in a more traditional system. We usually don't secure parts of a process against other parts of the same process. We just start more processes.

> Surely we're getting into realms of serious performance issues if that's the case?

Why?

[lolo_]

> Why?

Are you suggesting running an entire virtualised kernel in place of a process is not going to introduce a performance penalty?

There might also be latencies introduced in IPC.

[eru]

If you ran an virtualized version of an entire traditional kernel, you'd have a hard time with performance. So that's not what you would be doing.

Go, read the old exokernel papers (see https://en.wikipedia.org/wiki/Exokernel#Bibliography, especially http://pdos.csail.mit.edu/exo/theses/engler/thesis.ps). They got nice performance improvements out of running their equivalent of unikernels. It's exactly because they can cut through all the layers of one-size-fits-all abstraction.

They also address IPC.

(This reminds me, I should go and re-read how they actually did IPC.)