Operating systems for the cloud and containers

Young Heroes

Camel Master

If you want to use MirageOS as your cloud operating system, you need to master the OCaml [33] functional programming language. Because the kernel does not need to perform many tasks handled by a traditional kernel, C or C++ are not necessarily the first choice. For kernels acting as a single-application kernel – also known as a unikernel [34] – the tendency is to use languages that are higher level, which offers a few advantages.

In the case of OCaml, the developers cite automatic memory management, type checking at build time, and a modular structure [34]. Also, the generated machine code is reputed to be fast and efficient. For hard-core C programmers, OCaml probably represents a big hurdle when switching over to MirageOS. One important tool is the OPAM [35] package manager, which the cloud operating system uses to install the required libraries when generating the unikernel (Listing 1).

Listing 1

Building MirageOS with OPAM Support

$ mirage configure --unix
Mirage      Using scanned config file: config.ml
Mirage      Processing: /home/user/mirage-skeleton/console/config.ml
Mirage      => rm -rf /home/user/mirage-skeleton/console/_build/config.*
Mirage      => cd /home/user/mirage-skeleton/console && ocamlbuild -use-ocamlfind -tags annot,bin_annot -pkg mirage config.cmxs
console     Using configuration: /home/user/mirage-skeleton/console/config.ml
console     1 job [Unikernel.Main]
console     Installing OPAM packages.
console     => opam install --yes mirage-console mirage-unix
The following actions will be performed:
 - install   mirage-unix.2.0.1
 - install   mirage-console.2.0.0
=== 2 to install ===
=-=- Synchronizing package archives -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
=-=- Installing packages =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Building mirage-unix.2.0.1:
  make unix-build
  make unix-install PREFIX=/home/user/.opam/4.01.0
Installing mirage-unix.2.0.1.
Building mirage-console.2.0.0:
  make
  make install
Installing mirage-console.2.0.0.
console     Generating: main.ml
$

If OCaml and OPAM are already running in your development system, you can get started without delay. If not, you should refer to the installation guide [36].

Of course, a "Hello World" example is obligatory [37], and it is also very educational, because it explains how essential aspects of MirageOS work, and the operating system is so different from the norm that this explanation is needed. To begin, the guide shows how the application handles output to a console. Because the application is the kernel, managing devices for its own use is hard to delegate elsewhere, so the application itself has to handle these tasks. The second lesson covers basic disk access, that is, block devices, which are common in cloud environments. The tricky part starts with the network stack, including a simple web server (Figure 4).

Figure 4: A simple web server as a unikernel at MirageOS.
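The following is an added example, not code from the MirageOS project or from the guide cited above: a minimal console unikernel of the kind the "Hello World" lesson describes, written against the MirageOS 2.x API that Listing 1 implies (mirage-console 2.0.0, OCaml 4.01, the V1_LWT signatures). It consists of two files, config.ml (the build description that mirage configure reads) and unikernel.ml (the application, which becomes the kernel). The job name "console", the functor name Unikernel.Main, and the five-round greeting loop are assumptions chosen to match the output in Listing 1; the console is the only device the application asks for, which is why the configuration file has to pass one in explicitly.

```ocaml
(* ---- config.ml ---- *)
(* Read by `mirage configure`; describes which devices the unikernel needs. *)
open Mirage

(* The application is the functor Unikernel.Main, parameterised over a console
   device; `console @-> job` declares that it turns a console into a job. *)
let main = foreign "Unikernel.Main" (console @-> job)

(* Register one job named "console" (the prefix seen in Listing 1) and bind the
   console parameter to the default console for the chosen target
   (--unix: stdout of the process; --xen: the guest's Xen console). *)
let () = register "console" [ main $ default_console ]

(* ---- unikernel.ml ---- *)
(* The application itself. There is no OS underneath it to print for it:
   everything it does with the console goes through the C module it was given. *)
open Lwt
open V1_LWT

module Main (C : CONSOLE) = struct
  (* `start` receives the console handle created from config.ml above. *)
  let start c =
    (* Write a line, sleep one second, repeat; `C.log_s` returns a promise,
       so the loop is written in Lwt style rather than with a blocking for-loop. *)
    let rec loop n =
      if n = 0 then return_unit
      else
        C.log_s c (Printf.sprintf "hello world (%d rounds left)" n) >>= fun () ->
        OS.Time.sleep 1.0 >>= fun () ->
        loop (n - 1)
    in
    loop 5   (* assumed round count; the job ends when the promise resolves *)
end
```

After `mirage configure --unix` and `make`, the same two files yield a normal Linux process; with `mirage configure --xen` they yield a Xen guest kernel, and nothing in unikernel.ml changes, because the only device it touches is the abstract CONSOLE it was handed.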

MirageOS allows the user to generate the application binary in two different formats. The mirage configure --unix command produces a compiled file that traditional Linux environments run as a normal process (Listing 2). With mirage configure --xen, the application is booted as a Xen kernel; in this case, you also end up with a configuration file that you can process with the familiar xl commands, and MirageOS produces the corresponding file in XML format as well.

Listing 2

Building the MirageOS Unikernel

$ mirage configure --unix
[...]
$
$ make depend
[...]
$
$ make
ocamlbuild -classic-display -use-ocamlfind -pkgs lwt.syntax,mirage-console.unix,mirage-types.lwt -tags "syntax(camlp4o),annot,bin_annot,strict_sequence,principal" -cflag -g -lflags -g,-linkpkg main.native
[...]
ln -nfs _build/main.native mir-console
$
$ file _build/main.native
_build/main.native: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.32, BuildID[sha1]=734e3fc7a56cd83bc5ac13d124e4a994ce39084f, not stripped

The examples on the MirageOS project website are smart and work well. Installing an existing application on this cloud operating system always requires a new implementation. In addition to writing the actual application, developers also have to worry about accessing block devices and the network, which – combined with a new programming language – is not a small price to pay.

This and That

The MirageOS approach is quite dramatic and may go somewhat beyond what many cloud operators are prepared to do. However, there is a less painful alternative: OSv [38] is another well-known representative of the unikernel camp, which includes other candidates [39].

The new lean systems (including CirrOS and Container Linux) are attracting interest among security experts. The stripped-down userspace reduces the number of potential vectors for attackers. Lean software management reduces the risk that a security hole stays open because of procedural red tape or because of simple technical problems during an upgrade.

The same reduction that works in userspace can be transferred easily to the operating system core. The easiest way would be to create a customized kernel that contains only the necessary software and configuration.

However, unikernels take it one step further by questioning even the ingredients and the recipe for building a kernel. Some people point out that exotic systems are less vulnerable because they have fewer tools and because people lack the necessary knowledge to wreak havoc, but it's a double-edged sword: With fewer users and experts, the risk of an undiscovered vulnerability is also greater. The relevant points are the reduced attack surface, fewer active functions, and simplified software management.

Conclusions

Clouds and containers have given rise to demand for more new open source operating systems. Some are quite close to the classic Linux, whereas others started life in a green field and openly ignore any historical ballast. CirrOS and Container Linux are two candidates from the first camp. MirageOS (and OSv) are representatives of the green field, "start from scratch" generation.

No general recommendations can be made for IT environments, but the more recent operating systems clearly show that the playing field has changed. Studying implementations of CirrOS, Container Linux, or MirageOS can deliver ideas and new approaches.

Infos

  1. CirrOS: http://launchpad.net/cirros
  2. Alpine Linux: http://alpinelinux.org
  3. JeOS: https://www.suse.com/products/server/jeos//
  4. CoreOS (Container Linux): http://coreos.com/os/docs/latest
  5. Buildroot: http://buildroot.uclibc.org
  6. Scott Moser: http://launchpad.net/~smoser/+related-projects
  7. No 64-bit support: http://bugs.launchpad.net/cirros/+bug/1321935
  8. OpenStack test systems: https://docs.openstack.org/image-guide/obtain-images.html
  9. cloud-init: http://launchpad.net/cloud-init
  10. Local launch: http://cloudinit.readthedocs.org/en/latest/topics/datasources.html
  11. BusyBox: http://www.busybox.net
  12. Dropbear: http://matt.ucc.asn.au/dropbear/dropbear.html
  13. Project Atomic: http://www.projectatomic.io
  14. Red Hat Atomic Host: http://www.redhat.com/en/resources/red-hat-enterprise-linux-atomic-host
  15. Snappy Ubuntu Core: http://www.ubuntu.com/core
  16. SUSE CaaS: http://www.suse.com/communities/blog/rise-caas-platform/
  17. SLE MicroOS: http://www.suse.com/communities/blog/introducing-suse-containers-service-platform/
  18. Container Linux: http://coreos.com/blog/tectonic-self-driving.html
  19. Chrome OS: http://www.chromium.org/chromium-os
  20. Docker: http://docs.docker.com/engine/
  21. Rkt: http://coreos.com/rkt/
  22. etcd: http://github.com/coreos/etcd
  23. Kubernetes: http://kubernetes.io
  24. Farewell to Fleet: https://coreos.com/blog/migrating-from-fleet-to-kubernetes.html
  25. Versioning of Container Linux: http://github.com/coreos/manifest/releases/tag/v94.0.0
  26. MirageOS: http://www.openmirage.org
  27. Engler, D. R., M. F. Kaashoek, and J. O'Toole, Jr., "Exokernel: an operating system architecture for application-level resource management." In: M. B. Jones, ed. Proceedings of the 15th ACM Symposium on Operating Systems Principles (SOSP) (ACM, 1995), pp. 251-266, https://pdos.csail.mit.edu/6.828/2011/readings/engler95exokernel.pdf
  28. Leslie, I. M., D. McAuley, R. Black, T. Roscoe, P. T. Barham, D. Evers, R. Fairbairns, and E. Hyden, "The design and implementation of an operating system to support distributed multimedia applications." IEEE Journal on Selected Areas in Communications, 1996; 14(7):1280-1297
  29. Xen: http://www.xenproject.org
  30. KVM: http://www.linux-kvm.org
  31. ISC license: https://opensource.org/licenses/ISC
  32. Xen association: http://wiki.xen.org/wiki/Mirage_Incubation_Project_Proposal
  33. OCaml: http://ocaml.org
  34. MirageOS unikernel: http://www.openmirage.org/wiki/technical-background
  35. OPAM: http://opam.ocaml.org
  36. MirageOS installation: http://openmirage.org/wiki/install
  37. "Hello World" in OCaml: http://www.openmirage.org/wiki/hello-world
  38. OSv: http://osv.io
  39. Unikernel systems: http://unikernel.org/projects/

The Author

Udo Seidel is a math and physics teacher and has been a Linux and open source fan since 1996. After graduating, he worked as a Linux/Unix trainer, system administrator, and senior solutions engineer. Today, he works as a digital evangelist and architect at Amadeus Data Processing GmbH in Erding, Germany.
