Unikernels are a new thing and I am having trouble understanding what their use cases are.
Any use case I can think of is already served by the existence of Docker Containers.
So what are Unikernels meant to be used for?
Containers share kernel space with the other containers on a physical hypervisor. Generally, unikernels do not. All the functional differences are basically manifestations of that root difference.
Containers have a larger kernel space attack surface, for instance, because a container's kernel is general purpose: any application can run in any container of the right OS. A unikernel is customized to only contain the subsystems needed by the running application -- only that application can run in the appropriate unikernel, thus the unikernel has a radically smaller attack surface.
Also, unikernels have more direct access to the underlying hardware -- thus they're more efficient than containers (also as a result of the slimmer kernel size, although that depends a lot on how many containers or unikernels run on a particular hypervisor). Also, unikernels traditionally (this is changing) can only run one process, so forking isn't an option for applications running in traditional unikernels.
So, unikernels are more secure and faster; but more custom fit, thus less general purpose. They're meant to be used for any workflow that prioritizes efficiency and security over OS repurposing and standardization.