MirageOS v2.0: a recap of the new features
This work funded in part by the EU FP7 User-Centric Networking project, Grant No. 611001.
The first release of MirageOS back in December 2013 introduced the prototype of the unikernel concept, which realised the promise of a safe, flexible mechanism to build highly optimized software stacks purpose-built for deployment in the public cloud (more background on this). Since then, we've been hard at work using and extending MirageOS for real projects and the community has been steadily growing.
We're thrilled to announce the release of MirageOS v2.0 today! Over the past few weeks the team has been hard at work blogging about all the new features in this latest release, coordinated by the tireless Amir Chaudhry:
- ARM device support: While the first version of MirageOS was specialised towards conventional x86 clouds, the code generation and boot libraries have now been made portable enough to operate on low-power embedded ARM devices such as the Cubieboard 2. This is a key part of our efforts to build a safe, unified mutiscale programming model for both cloud and mobile workloads as part of the Nymote project. We also upstreamed the changes required to the Xen Project so that other unikernel efforts such as HalVM or ClickOS can benefit.
- "Introducing an ARMy of unikernels" by Thomas Leonard talks about the changes required and instructions for trying this out for yourself on your own cheap Cubieboard.
- Irmin distributed, branchable storage: Unikernels usually execute in a distributed, disconnection-prone environment (particularly with the new mobile ARM support). We therefore built the Irmin library to explicitly make synchronization easier via a Git-like persistence model that can be used to build and easily trace the operation of distributed applications across all of these diverse environments.
- "Introducing Irmin: Git-like distributed, branchable storage" by Thomas Gazagnaire describes the concepts and high-level architecture of the system.
- "Using Irmin to add fault-tolerance to the Xenstore database" by Dave Scott shows how Irmin is used in a real-world application: the security-critical Xen toolstack that manages hosts full of virtual machines (video).
- OCaml TLS: The philosophy of MirageOS is to construct the entire operating system in a safe programming style, from the device drivers up. This continues in this release with a comprehensive OCaml implementation of Transport Level Security, the most widely deployed end-to-end encryption protocol on the Internet (and one that is very prone to bad security holes). The blog series is written by Hannes Mehnert and David Kaloper.
- "OCaml-TLS: Introducing transport layer security (TLS) in pure OCaml" presents the motivation and architecture behind our clean-slate implementation of the protocol.
- "OCaml-TLS: building the nocrypto library core" talks about the cryptographic primitives that form the heart of TLS confidentiality guarantees, and how they expose safe interfaces to the rest of the stack.
- "OCaml-TLS: adventures in X.509 certificate parsing and validation" explains how authentication and chain-of-trust verification is implemented in our stack.
- "OCaml-TLS: ASN.1 and notation embedding" introduces the libraries needed for handling ASN.1 grammars, the wire representation of messages in TLS.
- "OCaml-TLS: the protocol implementation and mitigations to known attacks" concludes with the implementation of the core TLS protocol logic itself.
- Modularity and communication: MirageOS is built on the concept of a library operating system, and this release provides many new libraries to flexibly extend applications with new functionality.
- "Fitting the modular MirageOS TCP/IP stack together" by Mindy Preston explains the rather unique modular architecture of our TCP/IP stack that lets you swap between the conventional Unix sockets API, or a complete implementation of TCP/IP in pure OCaml.
- "Vchan: low-latency inter-VM communication channels" by Jon Ludlam shows how unikernels can communicate efficiently with each other to form distributed clusters on a multicore Xen host, by establishing shared memory rings with each other.
- "Modular foreign function bindings" by Jeremy Yallop continues the march towards abstraction by expaining how to interface safely with code written in C, without having to write any unsafe C bindings! This forms the basis for allowing Xen unikernels to communicate with existing libraries that they may want to keep at arm's length for security reasons.
All the libraries required for these new features are regularly released into the OPAM package manager, so just follow the installation instructions to give them a spin. A release this size probably introduces minor hiccups that may cause build failures, so we very much encourage bug reports on our issue tracker or questions to our mailing lists. Don't be shy: no question is too basic, and we'd love to hear of any weird and wacky uses you put this new release to! And finally, the lifeblood of MirageOS is about sharing and publishing libraries that add new functionality to the framework, so do get involved and open-source your own efforts.
Breaking news: Richard Mortier and I will be speaking at OSCON this week on Thursday morning about the new features in F150 in the Cloud Track. Come along if you are in rainy Portland at the moment!