MirageOS 3.6 release, a platform for running applications directly on top of a hypervisor

The MirageOS 3.6 project has been released. MirageOS makes it possible to build single-application operating systems, in which the application ships as a self-contained "unikernel" that runs without a general-purpose operating system, a separate OS kernel, or any intermediate layers. Applications are written in OCaml. The project code is distributed under the free ISC license.

All the low-level functionality normally provided by an operating system is implemented as a library linked into the application. The application can be developed on any OS and is then compiled into a specialized kernel (the unikernel concept) that runs directly on top of the Xen, KVM, bhyve and VMM (OpenBSD) hypervisors, on mobile platforms, as an ordinary process in a POSIX-compatible environment, or in the Amazon Elastic Compute Cloud and Google Compute Engine clouds.

The generated image contains nothing superfluous and talks to the hypervisor directly, without drivers or system layers, which noticeably reduces overhead and shrinks the attack surface. Working with MirageOS comes down to three stages: preparing the configuration, which determines the OPAM packages used in the image; building the image; and launching it. The runtime used on top of Xen is based on the stripped-down Mini-OS kernel; for the other hypervisors and host systems it is based on the Solo5 kernel.

Although applications and libraries are written in the high-level OCaml language, the resulting images show good performance and a minimal footprint (a DNS server, for example, takes only about 200 KB). Maintenance is also simplified: to update a program or change its configuration, it is enough to build and launch a new image. Several dozen OCaml libraries are available for network protocols (DNS, SSH, OpenFlow, HTTP, XMPP, etc.), for working with storage, and for concurrent data processing.

The main changes in the new release concern support for the new features introduced in the Solo5 0.6.0 toolkit (the sandboxed execution environment for unikernels):

  • Added the ability to run MirageOS unikernels in the isolated spt ("sandboxed process tender") environment provided by the Solo5 toolkit. With the spt backend, a MirageOS unikernel runs as a Linux user-space process confined by a minimal seccomp-BPF sandbox;
  • Implemented support for the application manifest from the Solo5 project, which allows several network interfaces and storage devices to be declared and attached to a unikernel, with isolation enforced by the hvt, spt and muen backends (the genode and virtio backends are currently limited to a single device of each kind);
  • Hardened the Solo5-based backends (hvt, spt); for example, builds are now compiled with SSP (Stack Smashing Protection) enabled.
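The following script is an added example and is not MirageOS or Solo5 project code. It walks the three stages described above (configure, build, launch) for the Solo5 spt backend, declares one network interface and one block device so that the Solo5 0.6 application manifest contains more than one device, and ends with a check that the running tender really is confined by seccomp. It assumes a MirageOS 3.6 / Solo5 0.6 installation with `mirage`, `opam` and `solo5-spt` on PATH, the MirageOS 3.x functor signatures from `Mirage_types_lwt`, and the Solo5 0.6 tender flags `--net:NAME=IFACE` and `--block:NAME=FILE`; the unikernel name `hello_spt`, the device names `service` and `disk`, and the host-side names `tap100` and `disk.img` are illustrative.

```shell
#!/bin/sh
# Added example, not MirageOS or Solo5 project code. Assumptions: MirageOS 3.6
# and Solo5 0.6 tools on PATH, the 3.x Mirage_types_lwt signatures, and the
# Solo5 0.6 tender flags --net:NAME=IFACE / --block:NAME=FILE. All names
# (hello_spt, service, disk, tap100, disk.img) are illustrative.
set -eu

# Stage 1: configuration. config.ml declares the devices the unikernel needs;
# with Solo5 0.6 each named netif/block becomes an entry in the generated
# application manifest. unikernel.ml is the application body.
write_config() {
  dir=$1
  mkdir -p "$dir"
  cat > "$dir/config.ml" <<'EOF'
open Mirage

let main =
  foreign
    ~packages:[ package "macaddr"; package "mirage-block" ]
    "Unikernel.Main" (console @-> network @-> block @-> job)

let () =
  register "hello_spt"
    [ main $ default_console $ netif "service" $ block_of_file "disk" ]
EOF
  cat > "$dir/unikernel.ml" <<'EOF'
open Lwt.Infix

module Main
    (C : Mirage_types_lwt.CONSOLE)
    (N : Mirage_types_lwt.NETWORK)
    (B : Mirage_types_lwt.BLOCK) = struct
  (* Log the NIC's MAC address and the block device geometry, then exit. *)
  let start c n b =
    B.get_info b >>= fun info ->
    C.log c
      (Printf.sprintf "mac=%s sectors=%Ld sector_size=%d"
         (Macaddr.to_string (N.mac n))
         info.Mirage_block.size_sectors info.Mirage_block.sector_size)
end
EOF
}

# Stage 2: build. `-t spt` selects the sandboxed-process tender target;
# `make depend` installs the OPAM packages the configuration pulled in.
build() {
  (cd "$1" && mirage configure -t spt && make depend && make)
}

# Stage 3: launch. The tender maps the manifest's device names onto host
# resources (a tap interface and a disk image here).
tender_cmd() {
  printf 'solo5-spt --net:service=tap100 --block:disk=disk.img %s/hello_spt.spt' "$1"
}
run() {
  eval "exec $(tender_cmd "$1")"
}

# Check: the spt tender is an ordinary Linux process, so its confinement is
# visible in /proc. "Seccomp: 2" means SECCOMP_MODE_FILTER (a BPF filter is
# installed); 0 means the process is not confined at all.
seccomp_mode() {
  awk '/^Seccomp:/ { print $2 }' "/proc/$1/status"
}

# Only run the full pipeline when the MirageOS tools are actually present.
if command -v mirage >/dev/null 2>&1; then
  write_config ./hello_spt
  build ./hello_spt
  run ./hello_spt
fi
```

While the tender is running, `seccomp_mode <pid of solo5-spt>` should print `2`; a `0` there would mean the unikernel is executing as an unconfined host process, which defeats the point of choosing spt over the plain POSIX target.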

Source: opennet.ru
