BareMetal in the Cloud


BareMetal is now running inside a cloud VM, serving live traffic through an extremely compact web server. Getting it stable inside a DigitalOcean droplet required a few adjustments to the VirtIO-Net driver, but once those were sorted out the system came up fast and stayed online.

The unikernel itself includes only the components required for that hypervisor environment. As a result, the entire binary is roughly 21 KiB, and system memory consumption sits at about 4 MiB.

Binary sizes

  • Pure64 (the system loader) - 6144 bytes
  • BareMetal (the kernel) - 10240 bytes
  • http.app (the IP stack/web server) - ~4900 bytes

The typical BareMetal kernel is larger, but in this case we only need to include the drivers that we know the hypervisor exposes.

Memory usage

4 MiB for the kernel. Most of that footprint comes from unavoidable architectural requirements - 64-bit paging structures, ring buffers for the network drivers, packet buffers, and per-CPU stack space - not from the kernel's logic.
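To make that breakdown concrete, here is an added illustration (not BareMetal's own code) that computes two of the fixed costs from architectural facts: the 4 KiB tables a 64-bit identity map needs for a given amount of RAM, and the legacy-layout virtqueue size from the VirtIO specification's vring_size formula. The RAM size, queue depth, receive-buffer size, CPU count and stack size used in main() are assumptions chosen for the example, not figures from the page.

```c
/* Added example: where a minimal 64-bit kernel's fixed memory goes.
 * Not BareMetal's code; queue depth, buffer size and stack size are assumed. */
#include <stdint.h>
#include <stdio.h>

#define KIB  1024ULL
#define MIB  (1024ULL * KIB)
#define PAGE 4096ULL

static uint64_t div_ceil(uint64_t a, uint64_t b) { return (a + b - 1) / b; }
static uint64_t align_up(uint64_t v, uint64_t a) { return (v + a - 1) & ~(a - 1); }

/* Bytes of paging structures needed to identity-map phys_bytes of RAM.
 * Every table is one 4 KiB page holding 512 eight-byte entries:
 *   PML4: always one page (covers 256 TiB)
 *   PDPT: one per 512 GiB
 *   PD:   one per 1 GiB; each entry maps 2 MiB directly or points at a PT
 *   PT:   one per 2 MiB, only when 4 KiB pages are used */
uint64_t paging_bytes(uint64_t phys_bytes, int use_2mib_pages) {
    uint64_t pml4 = 1;
    uint64_t pdpt = div_ceil(phys_bytes, 512ULL * 1024 * MIB);
    uint64_t pd   = div_ceil(phys_bytes, 1024 * MIB);
    uint64_t pt   = use_2mib_pages ? 0 : div_ceil(phys_bytes, 2 * MIB);
    return (pml4 + pdpt + pd + pt) * PAGE;
}

/* Bytes of one legacy-layout virtqueue with num entries (VirtIO 1.0, 2.4.2):
 *   descriptor table: 16 bytes per entry
 *   available ring:   u16 flags, u16 idx, num u16 entries, u16 used_event
 *   (padded to a page boundary)
 *   used ring:        u16 flags, u16 idx, num 8-byte elements, u16 avail_event */
uint64_t virtq_bytes(uint64_t num) {
    uint64_t desc  = 16 * num;
    uint64_t avail = 2 * (3 + num);
    uint64_t used  = 2 * 3 + 8 * num;
    return align_up(desc + avail, PAGE) + used;
}

/* A VirtIO-Net device needs at least one RX and one TX queue, and every RX
 * descriptor must have a packet buffer posted behind it (bufsz is assumed). */
uint64_t netdev_bytes(uint64_t num, uint64_t bufsz) {
    return 2 * virtq_bytes(num) + num * bufsz;
}

int main(void) {
    uint64_t ram = 512 * MIB;          /* assumed droplet size */
    uint64_t pg  = paging_bytes(ram, 1);
    uint64_t net = netdev_bytes(256, 2048);   /* assumed depth and buffer */
    uint64_t stk = 1 * 64 * KIB;       /* assumed: one CPU, 64 KiB stack */
    printf("paging (2 MiB pages): %llu bytes\n", (unsigned long long)pg);
    printf("paging (4 KiB pages): %llu bytes\n",
           (unsigned long long)paging_bytes(ram, 0));
    printf("virtio-net rings+bufs: %llu bytes\n", (unsigned long long)net);
    printf("per-CPU stacks:        %llu bytes\n", (unsigned long long)stk);
    printf("total fixed:           %llu KiB\n",
           (unsigned long long)((pg + net + stk) / KIB));
    return 0;
}
```

Two things the numbers make visible: with 2 MiB pages the identity map for 512 MiB costs three pages, whereas 4 KiB pages push it past a megabyte, and a single 256-entry virtqueue already spans three pages because of the page alignment between the available and used rings. Packet buffers, not ring metadata, dominate the network driver's share.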

All remaining memory is dedicated to the application. In this case it's using ~5 KiB but has 508 MiB available to it.

[Screenshot: BareMetal running in a DigitalOcean droplet, configured in VGA text mode]

BareMetal's role in this setup is simple: it provides a minimal abstraction layer over the hardware interfaces exposed by the hypervisor. Nothing more. No shell, no scheduler, no filesystem, no IPC framework, no POSIX legacy. The payoff is a drastically smaller attack surface, deterministic behaviour, and performance that’s limited mostly by the underlying virtual hardware.

In a cloud context, those traits matter:

  • Security through minimalism: there is no shell, scheduler, filesystem or IPC layer for an attacker to land in or pivot through. What remains reachable from the network is the VirtIO-Net driver, the IP stack and the application payload, so that is the whole of the code that needs review.
  • Performance: the system is written in Assembly, with no runtime or system-call layer between the payload and the virtual hardware. What you write as a payload is what executes.
  • Instant availability: cold-boot time is several milliseconds, so a VM can come online and start serving real requests almost immediately.

A live instance is running here: baremetal.returninfinity.com

What's Next

Two major drivers are next on the list:

  1. VirtIO-SCSI:
 Both Google Cloud and DigitalOcean present block storage through VirtIO-SCSI. BareMetal currently handles NVMe (used by AWS), AHCI, and VirtIO-Block, but adding a VirtIO-SCSI driver is necessary for full compatibility across providers.

  2. AWS ENA (Elastic Network Adapter):
 For high-bandwidth EC2 instances, ENA is the standard network interface. BareMetal already supports VirtIO-Net, but a proper ENA driver is required for production-grade AWS deployments.

Both of these will push BareMetal closer to being a small, sharp, cloud-focused exokernel: fast boot, predictable performance, minimal code, and the smallest realistic attack surface you can get in a networked environment.

Source

Repo is here