I'm really sold on the idea: Instead of a full-blown OS, you compile your application with a thin layer of support libraries that provide the OS features that your application needs (network, I/O) and that talks to a hypervisor.
I mean, if your application runs in a virtualized environment, there's little need to SSH into the system in the first place (except for debugging purposes). Thus, why bother with a full-blown operating system? In the virtualized case, the true OS logic is in the host OS anyway, talking to the hardware. Cutting out all those superfluous layers in the app VM makes it small, start quickly, and gives less attack surface. Sounds like a win-win to me.
In contrast, FreeBSD on Firecracker is a full-blown OS, but boots in 25 milliseconds on the Firecracker hypervisor.
To be a bit more precise, what we achieved so far: apart from web servers and TLS reverse proxies (with DNS-backed let's encrypt provisioning), DNS authoritative servers, a CalDAV server, git client and servers, SMTP stack (including dkim etc.), OpenVPN implementation, archive mirror (using tar as file system), monitoring with syslog and influx, ...
> I'm really sold on the idea: Instead of a full-blown OS, you compile your application with a thin layer of support libraries that provide the OS features that your application needs
I'm really sad that unikernels never took off, even there seemed to be a lot of excitement around them a few years back.
What is the benefit over using containers, as in Docker? Whether you use a container runtime or an actual hypervisor comes down to pretty much the same thing, operationally. Both keep your self-contained services alive and distributed. From the application perspective, a container also contains only those parts of an OS the app actually needs, and defers everything else to the host. The only caveat about MirageOS seems to be that your applications need to be written in OCaml, which is a neat language and all, but certainly not mainstream…
At least for cloud deployments you'll (for almost all cases) already have a hypervisor underneath to provide strong isolation. With that in place, ideally you'd run your application (ultimately the only thing you care about) as close to that hypervisor as possible. Instead, we have hypervisor, and then inside the VM the (say Linux) kernel, user-space, the container runtime, and finally the application.
With a unikernel the stack becomes hypervisor and a VM that has a very thin layer and then the application -- as close to the application running on the hypervisor as possible. This results in lots of gains in terms of minimal cold boot times, memory usage, server density (thousands on a single server), etc.
In fact, you don't need to see containers and unikernels as an either or choice: in fact, at Unikraft (another unikernel project) for development and local deployment we have support for Docker/Dockerfiles -- and then for deployment we provide a lean unikernel as described above.
It makes no sense for a microservice that does one simple thing to run on top of 10 million lines of 90s C code. Especially since a lot of that code has to do with hardware quirks that don’t exist in a hypervised environment.
Lots of them. VPS typically are not secured at the os level, but as separate VMs. For the cloud provider it's just a matter of picking an ISO (plus a few management extensions but those are usually optional)
No, CloudCaptain is based on Linux, and tries to provide a minimal, though Linux-based, image.
Unikernels do not use Linux at all: you can always try to minimize Linux but fundamentally it is a monolithic OS and fully specializing with it would require non-negligible engineering.
Instead, unikernels are (typically) based on a modular OS that makes it easier to pick and choose modules for each target application, resulting in images that can be an order of magnitude smaller, boot much faster, etc.
The difficulty with unikernels in the past has been to (1) making them Linux API compatible, (2) making them accessible/easy to use and (3) integrating them with popular tooling ecosystems (e.g., Docker, Kubernetes, Prometheus, etc.)
It is possible to run Mirage in ARM under for example KVM or using the seccomp target.
There is as well an experimental bare-metal target for raspberry pi 4 called gilbraltar https://github.com/dinosaure/gilbraltar. A big obstacle there is the device drivers. It is very cool to run bare metal on an rpi4, but it would be cool to be able use the network interface too.
If I understood it correctly, is more like something to run inside firecracker.
Is like a toolkit to build a really small os to run a single application, that then you run on top of a hypervisor.
No, though you could use Firecracker to launch a Mirage (or any other) unikernel.
Basically from the bottom up the stack is:
1. Hypervisor (e.g., KVM, Xen, Hyper-V), runs directly on the hardware
2. Virtual Machine Monitor (e.g., QEMU, Firecracker), running on the host's user-space (say Linux) and in charge of starting/stopping/managing VMs and interacting with the hypervisor
3. Virtual machines, eg, a Linux VM running an NGINX web server.
(the above is simplified because there are differences between type-1 and type-2 hypervisors, but those diffs would make this message too long)
A unikernel is actually a virtual machine, just a very specialized one that doesn't use a general-purpose OS underneath. They tend to use library OSes, so that it's possible to choose libs that are appropriate to each app at build time.
And while we're at it :) , a MicroVM is nothing more than a standard VM (e.g., based on Linux) launched/managed via a fast/modern VMM like Firecracker.
v1ne|2 years ago
I mean, if your application runs in a virtualized environment, there's little need to SSH into the system in the first place (except for debugging purposes). Thus, why bother with a full-blown operating system? In the virtualized case, the true OS logic is in the host OS anyway, talking to the hardware. Cutting out all those superfluous layers in the app VM makes it small, start quickly, and gives less attack surface. Sounds like a win-win to me.
In contrast, FreeBSD on Firecracker is a full-blown OS, but boots in 25 milliseconds on the Firecracker hypervisor.
hannesm|2 years ago
A big milestone was binary releases and deployment instructions, see https://robur.coop/Projects/Reproducible_builds
see more at https://blog.robur.coop https://hannes.robur.coop https://blog.osau.re/ https://reyn.ir/archive.html
If you're curious how/what to integrate MirageOS into your infrastructure, please reach out (best via email).
rapsey|2 years ago
Pretty big except though.
This concept has been done multiple times and has always failed. It's solving a problem that few care about.
datadeft|2 years ago
You mean you are sold on the idea of going back to the 80s. We used to have an operating system with every game released[1].
1. https://youtu.be/kZRE7HIO3vk?t=1114
troupo|2 years ago
I'm really sad that unikernels never took off, even there seemed to be a lot of excitement around them a few years back.
Osiris|2 years ago
lazzlazzlazz|2 years ago
BrittonR|2 years ago
sprobertson|2 years ago
ReleaseCandidat|2 years ago
crabmusket|2 years ago
https://signalsandthreads.com/what-is-an-operating-system/
9dev|2 years ago
fhuici|2 years ago
With a unikernel the stack becomes hypervisor and a VM that has a very thin layer and then the application -- as close to the application running on the hypervisor as possible. This results in lots of gains in terms of minimal cold boot times, memory usage, server density (thousands on a single server), etc.
In fact, you don't need to see containers and unikernels as an either or choice: in fact, at Unikraft (another unikernel project) for development and local deployment we have support for Docker/Dockerfiles -- and then for deployment we provide a lean unikernel as described above.
Hope this clarifies things somewhat.
trenchgun|2 years ago
gizmo|2 years ago
pjmlp|2 years ago
https://mirage.io/blog/2022-04-06.vpnkit
rwmj|2 years ago
goy|2 years ago
[0] https://github.com/GaloisInc/HaLVM
fhuici|2 years ago
dinosaure|2 years ago
skgough|2 years ago
PhilipRoman|2 years ago
hannesm|2 years ago
jezovuk|2 years ago
https://cloudcaptain.sh/
fhuici|2 years ago
Unikernels do not use Linux at all: you can always try to minimize Linux but fundamentally it is a monolithic OS and fully specializing with it would require non-negligible engineering.
Instead, unikernels are (typically) based on a modular OS that makes it easier to pick and choose modules for each target application, resulting in images that can be an order of magnitude smaller, boot much faster, etc.
The difficulty with unikernels in the past has been to (1) making them Linux API compatible, (2) making them accessible/easy to use and (3) integrating them with popular tooling ecosystems (e.g., Docker, Kubernetes, Prometheus, etc.)
mkarliner|2 years ago
reycharles|2 years ago
There is as well an experimental bare-metal target for raspberry pi 4 called gilbraltar https://github.com/dinosaure/gilbraltar. A big obstacle there is the device drivers. It is very cool to run bare metal on an rpi4, but it would be cool to be able use the network interface too.
mk89|2 years ago
EDIT: here as well: https://mirage.io/docs/install maybe you need a Solo5 backend that can run on ARM; and finally: https://github.com/Solo5/solo5/blob/v0.6.3/docs/building.md#...
xlii|2 years ago
> (…) They should build on any modern UNIX (or macOS) system with OCaml and OPAM installed. (…)
I just checked. MacOS Sonoma is STILL UNIX certified, and I get that wording “any modern UNIX” would not be clear this minor error annoys me.
s/or MacOS/including MacOS/
ReleaseCandidat|2 years ago
cmrdporcupine|2 years ago
Though last I looked it wasn't nearly as mature as MirageOS.
aerzen|2 years ago
ekianjo|2 years ago
hexmiles|2 years ago
datadeft|2 years ago
https://dev.l1x.be/posts/2020/11/22/getting-started-with-fir...
fhuici|2 years ago
Basically from the bottom up the stack is:
1. Hypervisor (e.g., KVM, Xen, Hyper-V), runs directly on the hardware 2. Virtual Machine Monitor (e.g., QEMU, Firecracker), running on the host's user-space (say Linux) and in charge of starting/stopping/managing VMs and interacting with the hypervisor 3. Virtual machines, eg, a Linux VM running an NGINX web server.
(the above is simplified because there are differences between type-1 and type-2 hypervisors, but those diffs would make this message too long)
A unikernel is actually a virtual machine, just a very specialized one that doesn't use a general-purpose OS underneath. They tend to use library OSes, so that it's possible to choose libs that are appropriate to each app at build time.
And while we're at it :) , a MicroVM is nothing more than a standard VM (e.g., based on Linux) launched/managed via a fast/modern VMM like Firecracker.
Opert34|2 years ago
[deleted]