MirageOS

mirage-header4

Introduction

MirageOS is a new and rising trend when it comes to talking about cloud computing. More and more services are being relocated into modern cloud infrastructures, due to a lot of advantages like i.e. reduced costs, maximum flexibility and high performance. Todays services normally depend on big virtual machines (like i.e. Ubuntu Xenial with a size of ~1,5 GB) with a lot of software on it. The service which is running on these virtual machine only needs a very small subpart of the whole software and dependencies which are installed. Also the unneeded additional software running on the virtual machines offers a huge attack surface for hackers. Since data often is a highly valuable asset for a company and exposing it would lead to a huge profit collapse, security gains more and more importance. MirageOS is a minimalistic approach to kick out all unneeded layers and dependencies and deploy as less code as possible. This approach is highly efficient and fits in perfectly in modern microservice-architectures. If MirageOS will be accepted by users in the future, it could possibly replace modern approaches like i.e. Docker or classic virtual machines in the context of cloud-environments.

What is MirageOS?

MirageOS is a library operating system that is used to create so called unikernels. These unikernels are able to run directly on the Xen Hypervisor, which allows them to be used in a lot of different cloud platforms. The main programming language for MirageOS and the resulting unikernels is OCaml, which claims and partially proved to be secure and high-performance. It offers a complete toolchain to create, test and deploy unikernels in different environments, like i.e. a development- and test-environment on the local machine. To create a fully functional and deployable  unikernel for production use, you just need to switch a single CLI-parameter. MirageOS already offers a lot of low-level implementations of the most common protocols, like i.e. TCP / IP, VNC, HTTP or the Xen Device Drivers. The initial version 1.0 was released in December 2013, since then the team worked hard on implementing more and more protocols and making the development-process as easy and convenient as possible.

What do I need it for?

If you run a monolithic webshop for example and want to switch to an efficient micro-service architecture, you should consider using MirageOS. You can split your webshop into small components and implement them one by one. Each component would be a single unikernel and could be spawned on demand, there is no need to keep the components running all the time. The initial effort to switch to MirageOS and OCaml is high, but the security and performance benefits will be huge, so it will turn for account in the future.

Xen Hypervisor

The Xen Hypervisor is a virtual machine monitor (VMM) which runs directly on the hardware and offers an abstraction for the virtual machines which run on it. A virtual machine which runs on the Xen Hypervisor is called domain. Xen Hypervisor allows to run multiple domains on a single physical system and shares the hardware between these domains. The domains are completely isolated to each other, except the first spawned domain (Dom0), which is used to control all other domains. All modern cloud systems like AWS or Google Compute Engine use the Xen Hypervisor.

Unikernels

A unikernel is a complete application (or component) and its dependencies bundled into a single kernel-image, which is able to run on the Xen Hypervisor. It contains a small bootloader and doesn’t differentiate between a user and a kernel mode – everything runs in the same address space. Compared to the classic virtual machine approach a unikernel is a lot smaller, faster and more secure. The unikernel requires little drivers, since it only needs to run on a Xen Hypervisor. Due to its small size it has a very small memory footprint, which allows the kernel to boot really fast (in about 100ms). If the application experiences high load, the managing software (i.e. Jitsu) can easily spawn new instances on-demand, which work off the requests and shutdown afterwards. There is no need to run the application all the time – due to its small boot-up-time it’s available instantly. The unikernels are very secure since they have a very small attack surface, only the needed dependencies are bundled. If a unikernel gets “hacked” (i.e. using a bug in the application) there are no common tools like a shell or user-management for the hacker to gain more privileges or persist himself.

Development

If you want to develop a unikernel you can work in a standard Unix environment. Your write your code in OCaml and let the MirageOS compiler do the rest. The workflow has three stages:

1.) Development on Unix. The compiler automatically links against Unix libraries and can integrate a debugger like GDB as needed. The code runs directly on Unix without building a complete unikernel each time you want to test your code.

2.) Testing: the compiler creates a complete unikernel including the bootloader, which then again runs directly on Unix.

3.) Deployment on a production environment. You just need to switch a single CLI parameter compared to development or testing to create a complete unikernel, which can directly be deployed on the Xen Hypervisor.

Unikernel meets docker

In January 2016 Docker Inc. acquired Unikernel Systems, which was responsible for developing and maintaining MirageOS. They did not talk a lot about their plans using MirageOS in the future, but they already started to integrate it into their new native Docker for Mac and Docker for Windows releases. Maybe Docker sees its future not only in container technologies, but in smaller and more compact unikernels.

Additional unikernel projects

There are several other projects which all have a different approach to create unikernels:

  • HaLVM: Haskell
  • LING: Erlang on Xen
  • ClickOS: C++
  • OSv: Multiple languages
  • Rumprun kernel: Multiple languages

Conclusion

MirageOS is a new smart way to build your microservice architectures. It offers a fast and secure way to distribute your application into the cloud. But there is a big downside: the learning curve at the beginning is high, since OCaml is not widely known. Maybe big companies like Twitter or Facebook are going to discover MirageOS in the future and start building their applications using OCaml. Docker already did the first step by purchasing the company behind it, starting to integrate the unikernel concept into its own toolchain. This could lead to a bigger acceptance in the developer community.

Further questions

Some questions which came into my mind while researching about MirageOS:

  • Is MirageOS useful for bigger projects regarding the effort and costs ? (Economical, costs for developers, …)
  • How big is the learning-curve compared to other programing languages?
  • Is the unikernel concept mature enough to build a stable base for big software projects?
  • Does the future lie in the combination of docker and unikernels or will MirageOS completely replace the containter concept?
  • Which influence will unikernels have on current clouds ecosystems? Will they reduce the load in big data centers and make them more efficient?
  • Which influence will unikernels have on IT departments? Will there be specialized OCaml developers or is every developer able to learn OCaml easily?
  • Which influence will unikernels have on the microservice trend? Will it push its acceptance?

Sources

  • https://mirage.io
  • http://www.xenproject.org/developers/teams/mirage-os.html
  • http://www.heise.de/developer/meldung/Jenseits-von-Containern-Docker-uebernimmt-Unikernel-Systems-3081268.html
  • http://www.xenproject.org/developers/teams/hypervisor.html
  • http://unikernel.org
  • https://github.com/mirage/jitsu
  • http://unikernel.org/projects/