Deploying MirageOS Unikernels


MirageOS is a library operating system – each service, also called unikernel, can be run as a separate virtual machine[1]. Only the required libraries ends up in a unikernel – e.g. an authoritative DNS server does not include a file system, a shell, or user management, neither process management.

It is all developed in the functional programming language OCaml from the bottom up, and open source under permissive licenses. The security – in contrast to contemporary Unix based services – is vastly improved: not only is the lines of code reduced by two orders of magnitude (leading to a reduced attack surface), also usage of the memory-safe programming language excludes several attack vectors from the beginning. The carbon footprint of each service is drastically reduced compared to general purpose operating systems, since less code is executed.

This talk will focus on the deployment and monitoring of MirageOS unikernelsRobur developed the orchestration system albatross, a tiny code base, and established reproducible builds of unikernels – so now your trustworthy setup can be done without having to compile OCaml source code. For monitoring unikernels we use syslog and grafana dashboards. Services provided by MirageOS span over authoritative DNS servers, Let’s Encrypt SSL certificate provisioning, DNS resolver, reverse TLS proxy, CalDAV server, eMail services, OpenVPN router, etc…

Parts of this work was sponsored by the EU Next Generation Internet (NGI) program.

  1. using various virtualization technologies: KVM/Xen/seccomp hardened process/virtio/muen separation kernel/… ↩︎


@hannes could you please upload your slides?

I’m going through the related pad and I see mentions of screenshots to be added from your deck. :slight_smile:

To whomever asked during the session, apparently Debian has compiled OCaml for mipsel and other architectures.


Here are the slides I presented: talk.pdf (3.6 MB)