Unikernels are the emperor's new clothes: they lack the stack of services and capabilities delivered to normal system images necessary for real production use: firewalls, security, monitoring, performance measurement, backup, auditing, and fs ACLs. To skip them is to put blinders on and walk around without clothes on.

* firewalls - nanos.org is a go unikernel running on GCP and we punch holes for it to talk on https

* security - nanos supports much of the same security you'll see on linux but provides more: aslr, no stack/heap exec, rodata no exec, text no write, no null mapping; virtio-rng (for some clouds where it is supported - not everywhere it is), pledge, unveil, honestly - there's a lot here

* monitoring - plenty of apm vendors work out of the box but also things like cloudwatch, and our own custom service as well

* performance measurement - we have things like ftrace and many other tools

* backup - pretty easy to clone vms

* auditing - glad you pointed this out as this becomes much much easier; we actually analyzed a bunch of STIGs and measured the reduction for each STIG as compared to nanos - scroll down to the page here: https://nanovms.com/security - essentially if you are in a regulated industry like finance, health or defense this is a major benefit

* fs ACLs - we have unveil support and many other nanos specific things
