Achieving high serverless deployment density while ensuring strong multi-tenant isolation and application performance remains challenging. This work proposes a multi-kernel operating system architecture that innovatively decouples microkernels—executing within lightweight user virtual machines—from a shared macrokernel running in a system-wide virtual machine, thereby separating tenants’ transient execution states from their persistent states. This design enables strong cross-tenant isolation, minimizes intra-tenant resource contention, and substantially reduces cold-start latency. Experimental evaluation demonstrates that, under replayed production workloads, the proposed approach requires only 1/20 to 1/100 of the server count compared to existing systems, achieves an order-of-magnitude reduction in application startup time, and maintains manageable I/O overhead.

Serverless providers strive for high resource utilization by optimizing deployment density: how many applications can be deployed per host server. However, achieving high deployment density without compromising application performance or isolation remains an open challenge. High density can be achieved by sharing components across applications, yet applications from different tenants must be strongly isolated from each other due to the risk of side-channel attacks. Sharing components across applications from the same tenant, if done naively, can introduce contention on host resources thus negatively affecting application performance. We describe Nanvix, a new multikernel OS that disaggregates ephemeral execution state, unique per application invocation, from long-lived persistent state, shared among invocations from the same tenant. Applications in Nanvix execute inside a lightweight user VM running a micro-kernel that implements threads and memory, and forwards all I/O requests to a system VM. The system VM runs a macro-kernel with a rich set of device drivers and is shared among all invocations from the same tenant. Nanvix' split design achieves strong hypervisor isolation across tenants without sacrificing application performance, and reduces same-tenant contention by multiplexing all I/O requests to the system VM. Thanks to a system-wide co-design, Nanvix achieves order-of-magnitude lower application start up times with moderate I/O overheads. When replaying a production trace, Nanvix needs 20-100x fewer host servers compared to state-of-the-art systems, improving deployment density