Release of MirageOS 3.6, a platform for running applications on top of a hypervisor

MirageOS 3.6 has been released. The project allows you to build single-application operating systems, in which the application is delivered as a self-sufficient "unikernel" capable of running without an operating system, a separate OS kernel, or any intermediate layers. Applications are developed in OCaml. The project code is distributed under the free ISC license.

All low-level functionality native to the operating system is implemented as a library linked to the application. An application can be developed on any OS, after which it is compiled into a specialized kernel (the unikernel concept) that can run directly on top of the Xen, KVM, BHyve, and VMM (OpenBSD) hypervisors, on mobile platforms, as a process in a POSIX-compliant environment, or in the Amazon Elastic Compute Cloud and Google Compute Engine cloud environments.

The generated environment contains nothing superfluous and interacts directly with the hypervisor without drivers or system layers, which significantly reduces overhead and improves security. Working with MirageOS comes down to three stages: preparing a configuration that determines which OPAM packages are used in the environment, building the environment, and launching the environment. The runtime for running on top of Xen is based on the stripped-down Mini-OS kernel, while for other hypervisors and kernel-based systems it is based on Solo5.

Although applications and libraries are written in the high-level language OCaml, the resulting environments demonstrate fairly good performance and minimal size (for example, the DNS server takes only 200 KB). Maintenance of environments is also simplified: if you need to update the program or change the configuration, it is enough to create and run a new environment. Dozens of OCaml libraries are supported for network operations (DNS, SSH, OpenFlow, HTTP, XMPP, etc.), working with storage, and parallel data processing.

The main changes in the new release are related to support for new features introduced in the Solo5 0.6.0 toolkit (a sandbox environment for running unikernels):

  • Added the ability to run MirageOS unikernels in the isolated spt ("sandboxed process tender") environment provided by the Solo5 toolkit. With the spt backend, MirageOS kernels run as Linux user processes, to which minimal isolation based on seccomp-BPF is applied;
  • Implemented support for the application manifest from the Solo5 project, which allows you to define multiple network adapters and storage devices attached to a unikernel isolated with the hvt, spt and muen backends (for the genode and virtio backends, use is currently limited to one device);
  • Strengthened the protection of the Solo5-based backends (hvt, spt); for example, building in SSP (Stack Smashing Protection) mode is provided.
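
As an added illustration (not code from MirageOS, Solo5 or the original article), the following Python check validates an application manifest against the per-backend device limits described in the list above. The JSON keys, the NET_BASIC and BLOCK_BASIC type strings and the alphanumeric naming rule are assumptions based on the Solo5 manifest format; check_manifest and the sample manifest are hypothetical.

```python
import json
import re
# Manifest keys and type strings are assumed from Solo5's format, not the article.
DEVICE_TYPES = {"NET_BASIC", "BLOCK_BASIC"}
MULTI_DEVICE = {"hvt", "spt", "muen"}    # several devices, per the article
SINGLE_DEVICE = {"genode", "virtio"}     # limited to one device, per the article
NAME_RE = re.compile(r"^[A-Za-z0-9]+$")  # assumed naming rule

def check_manifest(text, backend):
    """Return a list of problems in a manifest for the given backend."""
    if backend not in MULTI_DEVICE | SINGLE_DEVICE:
        return [f"unknown backend {backend!r}"]
    try:
        doc = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc.msg}"]
    if not isinstance(doc, dict):
        return ["top level must be an object"]
    problems = []
    if doc.get("type") != "solo5.manifest":
        problems.append('"type" must be "solo5.manifest"')
    if doc.get("version") != 1:
        problems.append('"version" must be 1')
    devices = doc.get("devices")
    if not isinstance(devices, list):
        return problems + ['"devices" must be a list']
    seen = set()
    for i, dev in enumerate(devices):
        dev = dev if isinstance(dev, dict) else {}
        name, kind = dev.get("name"), dev.get("type")
        if not isinstance(name, str) or not NAME_RE.match(name):
            problems.append(f"device {i}: name must be alphanumeric")
        elif name in seen:
            problems.append(f"device {i}: duplicate name {name!r}")
        seen.add(str(name))
        if not isinstance(kind, str) or kind not in DEVICE_TYPES:
            problems.append(f"device {i}: unknown type {kind!r}")
    if backend in SINGLE_DEVICE and len(devices) > 1:
        problems.append(f"{backend} accepts one device, manifest has {len(devices)}")
    return problems

# Constructed sample: one network adapter and one storage device.
SAMPLE = """{"type": "solo5.manifest", "version": 1, "devices": [
  {"name": "service", "type": "NET_BASIC"},
  {"name": "storage", "type": "BLOCK_BASIC"}]}"""

if __name__ == "__main__":
    print({b: check_manifest(SAMPLE, b) for b in ("spt", "virtio")})
```

Running such a check before the build stage catches a manifest that declares more devices than the chosen backend accepts.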

Source: opennet.ru
