The first release of Mirage OS back in December 2013 introduced the prototype of the unikernel concept, which realised the promise of a safe, flexible mechanism to build highly optimized software stacks purpose-built for deployment in the public cloud (see the overview of Mirage OS for some background). Since then, we’ve been hard at work using and extending Mirage for real projects and the community has been steadily growing.
Today, we’re thrilled to announce the release of Mirage OS v2.0! Over the past few weeks the team has been hard at work writing about all the new features in this latest release, which I’ve been busy co-ordinating. Below are summaries of those features and links to in-depth blog posts where you can learn more:
Thomas Leonard’s Cubieboard2
- “Introducing an ARMy of unikernels” by Thomas Leonard talks about the changes required and instructions for trying this out for yourself on your own cheap Cubieboard.
Irmin – distributed, branchable storage: Unikernels usually execute in a distributed, disconnection-prone environment (particularly with the new mobile ARM support). We therefore built the Irmin library to explicitly make synchronization easier via a Git-like persistence model that can be used to build and easily trace the operation of distributed applications across all of these diverse environments.
- “Introducing Irmin: Git-like distributed, branchable storage” by Thomas Gazagnaire describes the concepts and high-level architecture of the system.
- “Using Irmin to add fault-tolerance to the Xenstore database” by Dave Scott shows how Irmin is used in a real-world application: the security-critical Xen toolstack that manages hosts full of virtual machines (video).
OCaml TLS: The philosophy of Mirage is to construct the entire operating system in a safe programming style, from the device drivers up. This continues in this release with a comprehensive OCaml implementation of Transport Layer Security, the most widely deployed end-to-end encryption protocol on the Internet (and one that is very prone to bad security holes). The series of posts is written by Hannes Mehnert and David Kaloper.
- “OCaml-TLS: Introducing transport layer security (TLS) in pure OCaml” presents the motivation and architecture behind our clean-slate implementation of the protocol.
- “OCaml-TLS: building the nocrypto library core” talks about the cryptographic primitives that form the heart of TLS confidentiality guarantees, and how they expose safe interfaces to the rest of the stack.
- “OCaml-TLS: adventures in X.509 certificate parsing and validation” explains how authentication and chain-of-trust verification is implemented in our stack.
- “OCaml-TLS: ASN.1 and notation embedding” introduces the libraries needed for handling ASN.1 grammars, the wire representation of messages in TLS.
- “OCaml-TLS: the protocol implementation and mitigations to known attacks” concludes with the implementation of the core TLS protocol logic itself.
Modularity and communication: Mirage is built on the concept of a library operating system, and this release provides many new libraries to flexibly extend applications with new functionality.
- “Fitting the modular Mirage TCP/IP stack together” by Mindy Preston explains the rather unique modular architecture of our TCP/IP stack that lets you swap between the conventional Unix sockets API, or a complete implementation of TCP/IP in pure OCaml.
- “Vchan: low-latency inter-VM communication channels” by Jon Ludlam shows how unikernels can communicate efficiently with each other to form distributed clusters on a multicore Xen host, by establishing shared memory rings with each other.
- “Modular foreign function bindings” by Jeremy Yallop continues the march towards abstraction by expaining how to interface safely with code written in C, without having to write any unsafe C bindings! This forms the basis for allowing Xen unikernels to communicate with existing libraries that they may want to keep at arm’s length for security reasons.
All the libraries required for these new features are regularly released into the OPAM package manager, so just follow the installation instructions to give them a spin. A release this size probably introduces minor hiccups that may cause build failures, so we very much encourage bug reports on our issue tracker or questions to our mailing lists. Don’t be shy: no question is too basic, and we’d love to hear of any weird and wacky uses you put this new release to! And finally, the lifeblood of Mirage is about sharing and publishing libraries that add new functionality to the framework, so do get involved and open-source your own efforts.