[M95D]

I... fail to see the point of running just one process.

If it's just a PoC, then:

1) I remember seeing a linux firewall/gateway set up to run with just the kernel, without any userspace at all. Completely unhackable.

2) To print some text or run a simple program, I belive DOS without a memory manager would be even faster.

3) It takes 1s to boot linux, but an ordinary PC takes 10s to get to that linux. Even U-boot on ARM takes some seconds to load a kernel.

BTW, if anyone knows any current platform that can XiP a linux kernel, please share.

[yjftsjthsd-h]

> I remember seeing a linux firewall/gateway set up to run with just the kernel, without any userspace at all. Completely unhackable.

Do you remember any details that would let me search for it? Because that does sound cool, and even maybe useful; the thought has certainly crossed my mind that a router or VPN box doesn't really get a lot of use out of userspace... Although maybe it's worth keeping for control/configuration/debugging.

> To print some text or run a simple program, I belive DOS without a memory manager would be even faster.

Or just make your code boot directly. It's not hard to make a .efi, or use https://github.com/jart/cosmopolitan to make a binary that runs in many places including bare metal.

[M95D]

IIRC, it ran a script as init process that set up the network cards, set up iptables, etc. and then just exited. Kernel would panic (the "init was killed" panic), but the network would still be functional. Automatic reboot on panic was disabled.

To reconfigure, the admin would simply reset it and start the system with "init=/something/else" as kernel parameter that booted to a normal userspace.

[yjftsjthsd-h]

Oh, clever; I didn't know you could make Linux panic but keep running.

[M95D]

Configure it with CONFIG_PANIC_TIMEOUT=0, or add "panic=0" to kernel parameters, or "echo 0 > /proc/sys/kernel/panic".

[mikepurvis]

> control/configuration/debugging

This is one of several major arguments made against unikernels in that famous Triton rant from a decade ago:

https://tritondatacenter.com/blog/unikernels-are-unfit-for-p...

Basically, even if your application _can_ run as the kernel, and it's desirable for it to run with kernel-level permissions, do you really want production to be a world without strace and iotop and the like?

[MertsA]

That's a halted firewall setup. Normally as part of shutdown you would tear down networking in SysVinit or systemd but you don't actually have to do that. When shutting down you can choose whether to power off or just to halt. It's basically like the old Windows "It is now safe to power off your PC".

[girvo]

That beautiful orange text on a black background gives me nostalgia warm and fuzzies

[mschuster91]

> I... fail to see the point of running just one process.

It makes sense if you got some legacy piece of hardware that has extremely limited resources, both in terms of RAM and storage. Write your code in Go and you don't even need libc any more.

[SpaceNoodled]

At that point, it would seem that an RTOS would be even more efficient - and if multithreading is not necessary, then just run it on bare metal.

[a96]

> extremely limited resources, both in terms of RAM and storage

> Write your code in Go

[mschuster91]

When you ship containers or to ultra-embedded, that one actually matters. If done right you can ship a container that only contains your application's binary, not a single byte more.

[bizzletk]

> Write your code in Go

Container not even needed, there's projects like Tamago [0] that let you run your golang application without even needing an OS

[0] https://github.com/usbarmory/tamago

[kube-system]

Wouldn't this be useful for embedded types of applications where you have a very specific task you want to do and you want to do it now.... like that firewall example?

[M95D]

Yeah, but there's a problem.

Do do something actually useful, the program would have to access some data: network, disk, some sensors, etc. Network alone means scanning PCIe for the network card and configuring it, disk access needs controller also on PCIe, then scanning the ports for the drive, reading partition table, mounting the partition, etc.

All that takes a lot more than 1s. The speedup might not even be significant compared to a kernel optimized for that system (all modules built-in, nothing redundant), but full-featured, plus busybox or sysvinit alone.

[hylaride]

Embedded devices or other SoC situations, certain limited scope situations where docker is undesirable/unnecessary, etc.

[ranger_danger]

> Completely unhackable.

I don't think this could ever be true.