[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [MirageOS-devel] Unikernels on docker, I missed something

Hi Guillaume,

On Wednesday, 25.01.2017 at 09:11, Guillaume wrote:
> After reading more articles about Docker and MirageOS I think that
> what I missed is the fact that docker is used to provide an
> environment for building Unikernels, not to run them. I'm a little
> confused so any informations about how Mirage OS is used with docker
> is welcome.

"Build" and "run" are two different stories.

For "build", we have pre-built Docker images[1] which contain a complete
OCaml build environment with OPAM pre-installed. This makes building
MirageOS applications in Docker containers as easy as:

    docker pull ocaml/opam
    docker run -ti ocaml/opam bash
    opam depext -i mirage
    (Check out your source and run your build commands here)

There is no need to install OCaml and OPAM locally on your development
machine, which is especially useful for Mac or Windows users with Docker
for Mac / Docker for Windows[2].

For "run", I have developed docker-unikernel-runner[3]. This is an
experimental "shim" which lets you run MirageOS unikernels (targetted to
Solo5[4] targets or the unix target) as Docker containers.

To elaborate on what "running unikernels {as, in} containers" means:

Starting with the simplest example, a MirageOS unikernel built for the
"unix" target runs as a normal process on the host machine. Therefore,
running this in a container brings all the existing advantages of
containers (better isolation) and Docker (images, registry, content trust,

For Solo5 targets the story gets even more interesting. In a classic
KVM-based setup guests are run as VMs and virtualization is implemented
by a kernel-mode portion (/dev/kvm and the KVM module) and a user-mode
monitor process (QEMU) running on the host OS.

Running a Solo5-based MirageOS unikernel in a container thus gets you two
separate layers of isolation:

1) The user-mode monitor process is run in a container on the host OS.
2) The unikernel is run in a VM inside of the monitor process.

Further, with Solo5 we have developed a new monitor dubbed "ukvm" which is
tiny compared to QEMU, thus light-weight, easy to audit and more secure.

So, to summarize, running unikernels in [Docker] containers gives you all
the existing advantages of containers and unikernels *plus* defence in
depth with multiple layers of isolation.

In my opinion this combination is much more secure than classic KVM+QEMU
and comparable with the security/isolation of MirageOS on Xen.



[1] Pre-built OCaml+OPAM images: https://hub.docker.com/r/ocaml/opam/
[2] Docker for Mac/Windows: https://www.docker.com/products/docker
[3] Unikernel runner: https://github.com/mato/docker-unikernel-runner
[4] Solo5 (will be released with MirageOS 3.0 "real soon now"):

MirageOS-devel mailing list



Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.