updated from main (commit 952998885e)

This commit is contained in:
Canopy bot 2023-05-16 17:25:52 +00:00
parent 1fc9dd68af
commit 5d5e2aab9e
2 changed files with 33 additions and 31 deletions

View file

@ -1,7 +1,7 @@
<!DOCTYPE html> <!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml"><head><title>Robur Reproducible Builds</title><meta charset="UTF-8"/><link rel="stylesheet" href="/static/css/style.css"/><link rel="alternate" href="/atom" title="Robur Reproducible Builds" type="application/atom+xml"/><meta name="viewport" content="width=device-width, initial-scale=1, viewport-fit=cover"/></head><body><nav class="navbar navbar-default navbar-fixed-top"><div class="container"><div class="navbar-header"><a class="navbar-brand" href="/Home">robur</a></div><div class="collapse navbar-collapse collapse"><ul class="nav navbar-nav navbar-right"><li><a href="/Donate"><span>Donate</span></a></li><li><a href="/Contact"><span>Contact</span></a></li><li><a href="/About Us"><span>About Us</span></a></li><li><a href="/Our Work"><span>Our Work</span></a></li><li><a href="/"><span></span></a></li><li><a href="/"><span></span></a></li><li><a href="/"><span></span></a></li><li><a href="/"><span></span></a></li></ul></div></div></nav><main><div class="flex-container"><div class="post"><h2>Robur Reproducible Builds</h2><span class="date">Published: 2021-11-16 (last updated: 2023-02-09)</span><article><p>In 2021 we in <a href="https://robur.coop/">Robur</a> have been working towards easing deployment of reproducible mirage applications. The work has been funded by the European Union under the <a href="https://pointer.ngi.eu/">Next Generation Internet (NGI Pointer) initiative</a>. 
The result is <a href="https://builds.robur.coop">online</a>.</p> <html xmlns="http://www.w3.org/1999/xhtml"><head><title>Robur Reproducible Builds</title><meta charset="UTF-8"/><link rel="stylesheet" href="/static/css/style.css"/><link rel="alternate" href="/atom" title="Robur Reproducible Builds" type="application/atom+xml"/><meta name="viewport" content="width=device-width, initial-scale=1, viewport-fit=cover"/></head><body><nav class="navbar navbar-default navbar-fixed-top"><div class="container"><div class="navbar-header"><a class="navbar-brand" href="/Home">robur</a></div><div class="collapse navbar-collapse collapse"><ul class="nav navbar-nav navbar-right"><li><a href="/Donate"><span>Donate</span></a></li><li><a href="/Contact"><span>Contact</span></a></li><li><a href="/About Us"><span>About Us</span></a></li><li><a href="/Our Work"><span>Our Work</span></a></li><li><a href="/"><span></span></a></li><li><a href="/"><span></span></a></li><li><a href="/"><span></span></a></li><li><a href="/"><span></span></a></li></ul></div></div></nav><main><div class="flex-container"><div class="post"><h2>Robur Reproducible Builds</h2><span class="date">Published: 2021-11-16 (last updated: 2023-05-16)</span><article><p>In 2021 we in <a href="https://robur.coop/">Robur</a> have been working towards easing deployment of reproducible mirage applications. The work has been funded by the European Union under the <a href="https://pointer.ngi.eu/">Next Generation Internet (NGI Pointer) initiative</a>. The result is <a href="https://builds.robur.coop">online</a>.</p>
<p>The overall goal is to push MirageOS into production in a trustworthy way. We worked on reproducible builds for <a href="https://opam.ocaml.org">Opam</a> packages and <a href="https://mirageos.org">MirageOS</a> - with the infrastructure being reproducible itself. Reproducible builds are crucial for supply chain security - everyone can reproduce the exact same binary (by using the same sources and environment), without reproducible builds we would not publish binaries.</p> <p>The overall goal is to push MirageOS into production in a trustworthy way. We worked on reproducible builds for <a href="https://opam.ocaml.org">Opam</a> packages and <a href="https://mirageos.org">MirageOS</a> - with the infrastructure being reproducible itself. Reproducible builds are crucial for supply chain security - everyone can reproduce the exact same binary (by using the same sources and environment), without reproducible builds we would not publish binaries.</p>
<p>Reproducible builds are also great for fleet management: by inspecting the hash of the binary that is executed, we can figure out which versions of which libraries are in the unikernel - and suggest updates if newer builds are available or if a used library has a security flaw -- <code>albatross-client-local update my-unikernel</code> is everything needed for an update.</p> <p>Reproducible builds are also great for fleet management: by inspecting the hash of the binary that is executed, we can figure out which versions of which libraries are in the unikernel - and suggest updates if newer builds are available or if a used library has a security flaw -- <code>albatross-client update my-unikernel</code> is everything needed for an update.</p>
<p>Several ready-to-use MirageOS unikernels are built on a daily basis - ranging from <a href="https://builds.robur.coop/job/dns-primary-git/">authoritative DNS servers</a> (<a href="https://builds.robur.coop/job/dns-secondary/">secondary</a>, <a href="https://builds.robur.coop/job/dns-letsencrypt-secondary/">let's encrypt DNS solver</a>), <a href="https://builds.robur.coop/job/dnsvizor/">DNS-and-DHCP service (similar to dnsmasq)</a>, <a href="https://builds.robur.coop/job/tlstunnel/">TLS reverse proxy</a>, <a href="https://builds.robur.coop/job/unipi/">Unipi - a web server that delivers content from a git repository</a>, <a href="https://builds.robur.coop/job/dns-resolver/">DNS resolver</a>, <a href="https://builds.robur.coop/job/caldav/">CalDAV server</a>, and of course your own MirageOS unikernel.</p> <p>Several ready-to-use MirageOS unikernels are built on a daily basis - ranging from <a href="https://builds.robur.coop/job/dns-primary-git/">authoritative DNS servers</a> (<a href="https://builds.robur.coop/job/dns-secondary/">secondary</a>, <a href="https://builds.robur.coop/job/dns-letsencrypt-secondary/">let's encrypt DNS solver</a>), <a href="https://builds.robur.coop/job/dnsvizor/">DNS-and-DHCP service (similar to dnsmasq)</a>, <a href="https://builds.robur.coop/job/tlstunnel/">TLS reverse proxy</a>, <a href="https://builds.robur.coop/job/unipi/">Unipi - a web server that delivers content from a git repository</a>, <a href="https://builds.robur.coop/job/dns-resolver/">DNS resolver</a>, <a href="https://builds.robur.coop/job/caldav/">CalDAV server</a>, and of course your own MirageOS unikernel.</p>
<h2>Brief robur and MirageOS introduction</h2> <h2>Brief robur and MirageOS introduction</h2>
<p><a href="https://mirageos.org">MirageOS</a> is an operating system, developed in OCaml, which produces unikernels. A unikernel serves a single purpose and is a single process, i.e. only has the really needed dependencies. For example, an OpenVPN endpoint does neither include persistent storage (block device, file system) nor user management. MirageOS unikernels are developed in <a href="https://ocaml.org">OCaml</a>, a statically typed and type-safe programming language - which avoids common pitfalls from the grounds up (spatial and temporal memory safety issues).</p> <p><a href="https://mirageos.org">MirageOS</a> is an operating system, developed in OCaml, which produces unikernels. A unikernel serves a single purpose and is a single process, i.e. only has the really needed dependencies. For example, an OpenVPN endpoint does neither include persistent storage (block device, file system) nor user management. MirageOS unikernels are developed in <a href="https://ocaml.org">OCaml</a>, a statically typed and type-safe programming language - which avoids common pitfalls from the grounds up (spatial and temporal memory safety issues).</p>
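Review bot: the navbar in this hunk still carries four empty entries, `<li><a href="/"><span></span></a></li>` repeated four times, which render as blank links pointing at `/`; they are unchanged by this commit (only the "last updated" date moves from 2023-02-09 to 2023-05-16), but since the page is regenerated wholesale, dropping those placeholders from the template would clean up every regenerated page at once.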
@ -28,16 +28,17 @@ $ pkg update
$ pkg install solo5 albatross $ pkg install solo5 albatross
</code></pre> </code></pre>
<p>For other distributions and systems we do not (yet?) provide binary packages. You can compile and install them using <a href="https://opam.ocaml.org">opam</a> (<code>opam install solo5 albatross</code>). Get in touch if you're keen on adding some other distribution to our reproducible build infrastructure.</p> <p>For other distributions and systems we do not (yet?) provide binary packages. You can compile and install them using <a href="https://opam.ocaml.org">opam</a> (<code>opam install solo5 albatross</code>). Get in touch if you're keen on adding some other distribution to our reproducible build infrastructure.</p>
<p>There is no configuration needed. Start the <code>albatross_console</code> and the <code>albatross_daemon</code> service (via <code>systemctl daemon-reload ; systemctl start albatross_daemon</code> on Linux or <code>service albatross_daemon start</code> on FreeBSD). Executing <code>albatross-client-local info </code> should return success (exit code 0) and no running unikernel. You may need to be in the albatross group, or change the permissions of the Unix domain socket (<code>/run/albatross/util/vmmd.sock</code> on Linux, <code>/var/run/albatross/util/vmmd.sock</code> on FreeBSD).</p> <p>There is no configuration needed. Start the <code>albatross_console</code> and the <code>albatross_daemon</code> service (via <code>systemctl daemon-reload ; systemctl start albatross_daemon</code> on Linux or <code>service albatross_daemon start</code> on FreeBSD). Executing <code>albatross-client info </code> should return success (exit code 0) and no running unikernel. You may need to be in the albatross group, or change the permissions of the Unix domain socket (<code>/run/albatross/util/vmmd.sock</code> on Linux, <code>/var/run/albatross/util/vmmd.sock</code> on FreeBSD).</p>
<p>To check that albatross works, get the latest hello world unikernel and run it:</p> <p>To check that albatross works, get the latest hello world unikernel and run it:</p>
<pre><code>$ wget https://builds.robur.coop/job/hello/build/latest/bin/hello.hvt <pre><code>$ wget https://builds.robur.coop/job/hello/build/latest/bin/hello.hvt
$ albatross-client-local console my-hello-unikernel &amp; # this is sent to the background since it waits and displays the console of the unikernel named &quot;my-hello-unikernel&quot; $ albatross-client console my-hello-unikernel &amp; # this is sent to the background since it waits and displays the console of the unikernel named &quot;my-hello-unikernel&quot;
$ albatross-client-local create my-hello-unikernel hello.hvt # this returns once the unikernel image has been transmitted to the albatross daemon $ albatross-client create my-hello-unikernel hello.hvt # this returns once the unikernel image has been transmitted to the albatross daemon
$ albatross-client-local create --arg='--hello=&quot;Hello,\ my\ unikernel&quot; my-hello-unikernel hello.hvt # executes the same unikernel, but passes the boot parameter &quot;--hello&quot; $ albatross-client create --arg='--hello=&quot;Hello,\ my\ unikernel&quot; my-hello-unikernel hello.hvt # executes the same unikernel, but passes the boot parameter &quot;--hello&quot;
$ fg # back to albatross-client-local console $ fg # back to albatross-client console
$ Ctrl-C # kill that process $ Ctrl-C # kill that process
</code></pre> </code></pre>
<p>Voila, we have a working albatross installation. Albatross also supports a remote client (using a TLS handshake) <code>albatross-client-bistro</code>, monitoring of unikernels (<code>albatross_stat</code> and <code>albatross_influx</code> services), and a TLS endpoint (via inetd with <code>albatross-tls-inetd</code>).</p> <p>Voila, we have a working albatross installation. Albatross also supports a remote client (using a TLS handshake) <code>albatross-client --ca &lt;ca.pem&gt; --ca-key &lt;ca.key&gt; --server-ca &lt;cacert.pem&gt; --destination &lt;myhost&gt;</code>, monitoring of unikernels (<code>albatross_stats</code> and <code>albatross_influx</code> services), and a TLS endpoint (inetd/systemd: <code>albatross-tls-endpoint</code>).</p>
<p>Please ensure to have albatross in version of at least 2.0.0 to follow this page.</p>
<h3>Network for your unikernel</h3> <h3>Network for your unikernel</h3>
<p>Next we want to setup networking for our unikernels. We use a so-called &quot;bridge&quot; interface for this, which is a virtual network switch where you connect &quot;tap&quot; interfaces (layer 2 ethernet devices). A MirageOS unikernel uses tap interfaces for communication. We give our bridge the name &quot;service&quot; (and for example for monitoring and management you may want to setup another bridge &quot;management&quot;).</p> <p>Next we want to setup networking for our unikernels. We use a so-called &quot;bridge&quot; interface for this, which is a virtual network switch where you connect &quot;tap&quot; interfaces (layer 2 ethernet devices). A MirageOS unikernel uses tap interfaces for communication. We give our bridge the name &quot;service&quot; (and for example for monitoring and management you may want to setup another bridge &quot;management&quot;).</p>
<p>If you're using a network manager that is capable of setting up bridge interfaces, use that interface.</p> <p>If you're using a network manager that is capable of setting up bridge interfaces, use that interface.</p>
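Review bot: the new sentence "Please ensure to have albatross in version of at least 2.0.0 to follow this page." is placed after the hello-world walkthrough, so a reader on an older albatross has already typed `albatross-client info`, `albatross-client console` and `albatross-client create` (which this commit renames from `albatross-client-local`) before being told to upgrade; move it up beside the `pkg install solo5 albatross` / `opam install solo5 albatross` instructions and reword it as "Please ensure you have albatross version 2.0.0 or later to follow this page." Two smaller points in the same hunk: `<code>albatross-client info </code>` keeps a trailing space inside the code element, and the pre-existing `--arg='--hello=&quot;Hello,\ my\ unikernel&quot; my-hello-unikernel hello.hvt` opens a single quote that is never closed, so a shell reads the unikernel name and image as part of the `--arg` value; closing it after the escaped string, `--arg='--hello=&quot;Hello,\ my\ unikernel&quot;'`, keeps the intended quoting.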
@ -62,15 +63,15 @@ ifconfig_service=&quot;inet 10.0.42.1/24&quot;
<p>Afterwards either restart your system or re-run the service scripts to have the bridge setup in your running system.</p> <p>Afterwards either restart your system or re-run the service scripts to have the bridge setup in your running system.</p>
<p>To check that the networking works, get the latest static website unikernel and run it:</p> <p>To check that the networking works, get the latest static website unikernel and run it:</p>
<pre><code>$ wget https://builds.robur.coop/job/static-website/build/latest/bin/https.hvt <pre><code>$ wget https://builds.robur.coop/job/static-website/build/latest/bin/https.hvt
$ albatross-client-local console my-website &amp; # this is sent to the background since it waits and displays the console of the unikernel named &quot;my-website&quot; $ albatross-client console my-website &amp; # this is sent to the background since it waits and displays the console of the unikernel named &quot;my-website&quot;
$ albatross-client-local create --net=service --arg='--ipv4=10.0.42.2/24' my-website https.hvt # this returns once the unikernel image has been transmitted to the albatross daemon $ albatross-client create --net=service --arg='--ipv4=10.0.42.2/24' my-website https.hvt # this returns once the unikernel image has been transmitted to the albatross daemon
$ ping 10.0.42.2 # should receive answers $ ping 10.0.42.2 # should receive answers
$ open http://10.0.42.2 # in your browser - also https://10.0.42.2 (you'll get a certificate warning) $ open http://10.0.42.2 # in your browser - also https://10.0.42.2 (you'll get a certificate warning)
$ wget http://10.0.42.2/ # should download the Hello Mirage world! $ wget http://10.0.42.2/ # should download the Hello Mirage world!
$ wget --no-check-certificate https://10.0.42.2/ # should also download the Hello Mirage world! $ wget --no-check-certificate https://10.0.42.2/ # should also download the Hello Mirage world!
$ fg # back to albatross-client-local console $ fg # back to albatross-client console
$ Ctrl-C # kill that process $ Ctrl-C # kill that process
$ albatross-client-local destroy my-website # kills the unikernel $ albatross-client destroy my-website # kills the unikernel
</code></pre> </code></pre>
<p>When you reached this point, you have successfully launched a MirageOS unikernel, and are able to communicate from your computer with it. This uses the OCaml networking stack, and the host bridge interface.</p> <p>When you reached this point, you have successfully launched a MirageOS unikernel, and are able to communicate from your computer with it. This uses the OCaml networking stack, and the host bridge interface.</p>
<h2>Routing and Internet</h2> <h2>Routing and Internet</h2>
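Review bot: `wget --no-check-certificate https://10.0.42.2/` switches off certificate verification with only "should also download the Hello Mirage world!" as explanation; the previous line already notes that the browser will show a certificate warning for this test unikernel, so the comment on the wget line should say the flag is there solely because the test certificate is not trusted by the host, to stop the flag being copied into a real deployment. Separately, `open http://10.0.42.2` is a macOS command while the rest of the page targets Linux and FreeBSD; the comment "in your browser" carries the intent, so naming `xdg-open` as the Linux/FreeBSD equivalent would make the step copy-pasteable there too.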
@ -110,9 +111,9 @@ On FreeBSD, add <code>ifconfig_service=&quot;addm em0&quot;</code> to <code>/etc
<h2>Unikernel execution</h2> <h2>Unikernel execution</h2>
<p>Let's test that your unikernels have access to the Internet by using the <a href="https://hannes.robur.coop/Posts/Traceroute">traceroute</a> unikernel:</p> <p>Let's test that your unikernels have access to the Internet by using the <a href="https://hannes.robur.coop/Posts/Traceroute">traceroute</a> unikernel:</p>
<pre><code>$ wget https://builds.robur.coop/job/traceroute/build/latest/bin/traceroute.hvt <pre><code>$ wget https://builds.robur.coop/job/traceroute/build/latest/bin/traceroute.hvt
$ albatross-client-local console my-traceroute &amp; # this is sent to the background since it waits and displays the console of the unikernel named &quot;my-traceroute&quot; $ albatross-client console my-traceroute &amp; # this is sent to the background since it waits and displays the console of the unikernel named &quot;my-traceroute&quot;
$ albatross-client-local create --net=service --arg='--ipv4=10.0.42.2/24' --arg='--ipv4-gateway=10.0.42.1' my-traceroute traceroute.hvt # the IP configuration depends on your setup, use your public IP address and actual router IP if you've set it up. $ albatross-client create --net=service --arg='--ipv4=10.0.42.2/24' --arg='--ipv4-gateway=10.0.42.1' my-traceroute traceroute.hvt # the IP configuration depends on your setup, use your public IP address and actual router IP if you've set it up.
$ fg # back to albatross-client-local console $ fg # back to albatross-client console
$ Ctrl-C # kill that process $ Ctrl-C # kill that process
</code></pre> </code></pre>
<p>That's it. Albatross has more features, such as block devices, multiple bridges (for management, private networks, ...), restart if the unikernel exited with specific exit code, assignment of a unikernel to a specific CPU. It also has remote command execution and resource limits (you can allow your friends to execute a number of unikernels with limited memory and block storage accessing only some of your bridges). There is a daemon to collect metrics and report them to Grafana (via Telegraf and Influx). MirageOS unikernels also support IPv6, you're not limited to legacy IP.</p> <p>That's it. Albatross has more features, such as block devices, multiple bridges (for management, private networks, ...), restart if the unikernel exited with specific exit code, assignment of a unikernel to a specific CPU. It also has remote command execution and resource limits (you can allow your friends to execute a number of unikernels with limited memory and block storage accessing only some of your bridges). There is a daemon to collect metrics and report them to Grafana (via Telegraf and Influx). MirageOS unikernels also support IPv6, you're not limited to legacy IP.</p>

33
atom
View file

@ -1,6 +1,6 @@
<feed xmlns="http://www.w3.org/2005/Atom"><link href="https://robur.coop//atom" rel="self"/><id>urn:uuid:8167ecfe-9676-11e7-8dc1-68f728e7bbbc</id><title type="text">robur</title><updated>2023-02-10T09:38:32-00:00</updated><entry><published>2021-11-16T15:06:35-00:00</published><link href="/Projects/Reproducible_builds" rel="alternate"/><content type="html">&lt;p&gt;In 2021 we in &lt;a href=&quot;https://robur.coop/&quot;&gt;Robur&lt;/a&gt; have been working towards easing deployment of reproducible mirage applications. The work has been funded by the European Union under the &lt;a href=&quot;https://pointer.ngi.eu/&quot;&gt;Next Generation Internet (NGI Pointer) initiative&lt;/a&gt;. The result is &lt;a href=&quot;https://builds.robur.coop&quot;&gt;online&lt;/a&gt;.&lt;/p&gt; <feed xmlns="http://www.w3.org/2005/Atom"><link href="https://robur.coop//atom" rel="self"/><id>urn:uuid:8167ecfe-9676-11e7-8dc1-68f728e7bbbc</id><title type="text">robur</title><updated>2023-05-16T17:25:50-00:00</updated><entry><published>2021-11-16T15:06:35-00:00</published><link href="/Projects/Reproducible_builds" rel="alternate"/><content type="html">&lt;p&gt;In 2021 we in &lt;a href=&quot;https://robur.coop/&quot;&gt;Robur&lt;/a&gt; have been working towards easing deployment of reproducible mirage applications. The work has been funded by the European Union under the &lt;a href=&quot;https://pointer.ngi.eu/&quot;&gt;Next Generation Internet (NGI Pointer) initiative&lt;/a&gt;. The result is &lt;a href=&quot;https://builds.robur.coop&quot;&gt;online&lt;/a&gt;.&lt;/p&gt;
&lt;p&gt;The overall goal is to push MirageOS into production in a trustworthy way. We worked on reproducible builds for &lt;a href=&quot;https://opam.ocaml.org&quot;&gt;Opam&lt;/a&gt; packages and &lt;a href=&quot;https://mirageos.org&quot;&gt;MirageOS&lt;/a&gt; - with the infrastructure being reproducible itself. Reproducible builds are crucial for supply chain security - everyone can reproduce the exact same binary (by using the same sources and environment), without reproducible builds we would not publish binaries.&lt;/p&gt; &lt;p&gt;The overall goal is to push MirageOS into production in a trustworthy way. We worked on reproducible builds for &lt;a href=&quot;https://opam.ocaml.org&quot;&gt;Opam&lt;/a&gt; packages and &lt;a href=&quot;https://mirageos.org&quot;&gt;MirageOS&lt;/a&gt; - with the infrastructure being reproducible itself. Reproducible builds are crucial for supply chain security - everyone can reproduce the exact same binary (by using the same sources and environment), without reproducible builds we would not publish binaries.&lt;/p&gt;
&lt;p&gt;Reproducible builds are also great for fleet management: by inspecting the hash of the binary that is executed, we can figure out which versions of which libraries are in the unikernel - and suggest updates if newer builds are available or if a used library has a security flaw -- &lt;code&gt;albatross-client-local update my-unikernel&lt;/code&gt; is everything needed for an update.&lt;/p&gt; &lt;p&gt;Reproducible builds are also great for fleet management: by inspecting the hash of the binary that is executed, we can figure out which versions of which libraries are in the unikernel - and suggest updates if newer builds are available or if a used library has a security flaw -- &lt;code&gt;albatross-client update my-unikernel&lt;/code&gt; is everything needed for an update.&lt;/p&gt;
&lt;p&gt;Several ready-to-use MirageOS unikernels are built on a daily basis - ranging from &lt;a href=&quot;https://builds.robur.coop/job/dns-primary-git/&quot;&gt;authoritative DNS servers&lt;/a&gt; (&lt;a href=&quot;https://builds.robur.coop/job/dns-secondary/&quot;&gt;secondary&lt;/a&gt;, &lt;a href=&quot;https://builds.robur.coop/job/dns-letsencrypt-secondary/&quot;&gt;let's encrypt DNS solver&lt;/a&gt;), &lt;a href=&quot;https://builds.robur.coop/job/dnsvizor/&quot;&gt;DNS-and-DHCP service (similar to dnsmasq)&lt;/a&gt;, &lt;a href=&quot;https://builds.robur.coop/job/tlstunnel/&quot;&gt;TLS reverse proxy&lt;/a&gt;, &lt;a href=&quot;https://builds.robur.coop/job/unipi/&quot;&gt;Unipi - a web server that delivers content from a git repository&lt;/a&gt;, &lt;a href=&quot;https://builds.robur.coop/job/dns-resolver/&quot;&gt;DNS resolver&lt;/a&gt;, &lt;a href=&quot;https://builds.robur.coop/job/caldav/&quot;&gt;CalDAV server&lt;/a&gt;, and of course your own MirageOS unikernel.&lt;/p&gt; &lt;p&gt;Several ready-to-use MirageOS unikernels are built on a daily basis - ranging from &lt;a href=&quot;https://builds.robur.coop/job/dns-primary-git/&quot;&gt;authoritative DNS servers&lt;/a&gt; (&lt;a href=&quot;https://builds.robur.coop/job/dns-secondary/&quot;&gt;secondary&lt;/a&gt;, &lt;a href=&quot;https://builds.robur.coop/job/dns-letsencrypt-secondary/&quot;&gt;let's encrypt DNS solver&lt;/a&gt;), &lt;a href=&quot;https://builds.robur.coop/job/dnsvizor/&quot;&gt;DNS-and-DHCP service (similar to dnsmasq)&lt;/a&gt;, &lt;a href=&quot;https://builds.robur.coop/job/tlstunnel/&quot;&gt;TLS reverse proxy&lt;/a&gt;, &lt;a href=&quot;https://builds.robur.coop/job/unipi/&quot;&gt;Unipi - a web server that delivers content from a git repository&lt;/a&gt;, &lt;a href=&quot;https://builds.robur.coop/job/dns-resolver/&quot;&gt;DNS resolver&lt;/a&gt;, &lt;a href=&quot;https://builds.robur.coop/job/caldav/&quot;&gt;CalDAV server&lt;/a&gt;, and of course your own MirageOS 
unikernel.&lt;/p&gt;
&lt;h2&gt;Brief robur and MirageOS introduction&lt;/h2&gt; &lt;h2&gt;Brief robur and MirageOS introduction&lt;/h2&gt;
&lt;p&gt;&lt;a href=&quot;https://mirageos.org&quot;&gt;MirageOS&lt;/a&gt; is an operating system, developed in OCaml, which produces unikernels. A unikernel serves a single purpose and is a single process, i.e. only has the really needed dependencies. For example, an OpenVPN endpoint does neither include persistent storage (block device, file system) nor user management. MirageOS unikernels are developed in &lt;a href=&quot;https://ocaml.org&quot;&gt;OCaml&lt;/a&gt;, a statically typed and type-safe programming language - which avoids common pitfalls from the grounds up (spatial and temporal memory safety issues).&lt;/p&gt; &lt;p&gt;&lt;a href=&quot;https://mirageos.org&quot;&gt;MirageOS&lt;/a&gt; is an operating system, developed in OCaml, which produces unikernels. A unikernel serves a single purpose and is a single process, i.e. only has the really needed dependencies. For example, an OpenVPN endpoint does neither include persistent storage (block device, file system) nor user management. MirageOS unikernels are developed in &lt;a href=&quot;https://ocaml.org&quot;&gt;OCaml&lt;/a&gt;, a statically typed and type-safe programming language - which avoids common pitfalls from the grounds up (spatial and temporal memory safety issues).&lt;/p&gt;
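Review bot: the feed's self link `<link href="https://robur.coop//atom" rel="self"/>` contains a doubled slash, and the entry's `<link href="/Projects/Reproducible_builds" rel="alternate"/>` is a relative reference with no `xml:base` on the feed, so readers resolve it against whichever URL they fetched the feed from; both predate this commit, but the feed is regenerated here (the feed-level `<updated>` moves to 2023-05-16T17:25:50-00:00), so emitting `https://robur.coop/atom` and the absolute `https://robur.coop/Projects/Reproducible_builds` from the generator would fix every regenerated feed.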
@ -27,16 +27,17 @@ $ pkg update
$ pkg install solo5 albatross $ pkg install solo5 albatross
&lt;/code&gt;&lt;/pre&gt; &lt;/code&gt;&lt;/pre&gt;
&lt;p&gt;For other distributions and systems we do not (yet?) provide binary packages. You can compile and install them using &lt;a href=&quot;https://opam.ocaml.org&quot;&gt;opam&lt;/a&gt; (&lt;code&gt;opam install solo5 albatross&lt;/code&gt;). Get in touch if you're keen on adding some other distribution to our reproducible build infrastructure.&lt;/p&gt; &lt;p&gt;For other distributions and systems we do not (yet?) provide binary packages. You can compile and install them using &lt;a href=&quot;https://opam.ocaml.org&quot;&gt;opam&lt;/a&gt; (&lt;code&gt;opam install solo5 albatross&lt;/code&gt;). Get in touch if you're keen on adding some other distribution to our reproducible build infrastructure.&lt;/p&gt;
&lt;p&gt;There is no configuration needed. Start the &lt;code&gt;albatross_console&lt;/code&gt; and the &lt;code&gt;albatross_daemon&lt;/code&gt; service (via &lt;code&gt;systemctl daemon-reload ; systemctl start albatross_daemon&lt;/code&gt; on Linux or &lt;code&gt;service albatross_daemon start&lt;/code&gt; on FreeBSD). Executing &lt;code&gt;albatross-client-local info &lt;/code&gt; should return success (exit code 0) and no running unikernel. You may need to be in the albatross group, or change the permissions of the Unix domain socket (&lt;code&gt;/run/albatross/util/vmmd.sock&lt;/code&gt; on Linux, &lt;code&gt;/var/run/albatross/util/vmmd.sock&lt;/code&gt; on FreeBSD).&lt;/p&gt; &lt;p&gt;There is no configuration needed. Start the &lt;code&gt;albatross_console&lt;/code&gt; and the &lt;code&gt;albatross_daemon&lt;/code&gt; service (via &lt;code&gt;systemctl daemon-reload ; systemctl start albatross_daemon&lt;/code&gt; on Linux or &lt;code&gt;service albatross_daemon start&lt;/code&gt; on FreeBSD). Executing &lt;code&gt;albatross-client info &lt;/code&gt; should return success (exit code 0) and no running unikernel. You may need to be in the albatross group, or change the permissions of the Unix domain socket (&lt;code&gt;/run/albatross/util/vmmd.sock&lt;/code&gt; on Linux, &lt;code&gt;/var/run/albatross/util/vmmd.sock&lt;/code&gt; on FreeBSD).&lt;/p&gt;
&lt;p&gt;To check that albatross works, get the latest hello world unikernel and run it:&lt;/p&gt; &lt;p&gt;To check that albatross works, get the latest hello world unikernel and run it:&lt;/p&gt;
&lt;pre&gt;&lt;code&gt;$ wget https://builds.robur.coop/job/hello/build/latest/bin/hello.hvt &lt;pre&gt;&lt;code&gt;$ wget https://builds.robur.coop/job/hello/build/latest/bin/hello.hvt
$ albatross-client-local console my-hello-unikernel &amp;amp; # this is sent to the background since it waits and displays the console of the unikernel named &amp;quot;my-hello-unikernel&amp;quot; $ albatross-client console my-hello-unikernel &amp;amp; # this is sent to the background since it waits and displays the console of the unikernel named &amp;quot;my-hello-unikernel&amp;quot;
$ albatross-client-local create my-hello-unikernel hello.hvt # this returns once the unikernel image has been transmitted to the albatross daemon $ albatross-client create my-hello-unikernel hello.hvt # this returns once the unikernel image has been transmitted to the albatross daemon
$ albatross-client-local create --arg='--hello=&amp;quot;Hello,\ my\ unikernel&amp;quot; my-hello-unikernel hello.hvt # executes the same unikernel, but passes the boot parameter &amp;quot;--hello&amp;quot; $ albatross-client create --arg='--hello=&amp;quot;Hello,\ my\ unikernel&amp;quot; my-hello-unikernel hello.hvt # executes the same unikernel, but passes the boot parameter &amp;quot;--hello&amp;quot;
$ fg # back to albatross-client-local console $ fg # back to albatross-client console
$ Ctrl-C # kill that process $ Ctrl-C # kill that process
&lt;/code&gt;&lt;/pre&gt; &lt;/code&gt;&lt;/pre&gt;
&lt;p&gt;Voila, we have a working albatross installation. Albatross also supports a remote client (using a TLS handshake) &lt;code&gt;albatross-client-bistro&lt;/code&gt;, monitoring of unikernels (&lt;code&gt;albatross_stat&lt;/code&gt; and &lt;code&gt;albatross_influx&lt;/code&gt; services), and a TLS endpoint (via inetd with &lt;code&gt;albatross-tls-inetd&lt;/code&gt;).&lt;/p&gt; &lt;p&gt;Voila, we have a working albatross installation. Albatross also supports a remote client (using a TLS handshake) &lt;code&gt;albatross-client --ca &amp;lt;ca.pem&amp;gt; --ca-key &amp;lt;ca.key&amp;gt; --server-ca &amp;lt;cacert.pem&amp;gt; --destination &amp;lt;myhost&amp;gt;&lt;/code&gt;, monitoring of unikernels (&lt;code&gt;albatross_stats&lt;/code&gt; and &lt;code&gt;albatross_influx&lt;/code&gt; services), and a TLS endpoint (inetd/systemd: &lt;code&gt;albatross-tls-endpoint&lt;/code&gt;).&lt;/p&gt;
&lt;p&gt;Please ensure to have albatross in version of at least 2.0.0 to follow this page.&lt;/p&gt;
&lt;h3&gt;Network for your unikernel&lt;/h3&gt; &lt;h3&gt;Network for your unikernel&lt;/h3&gt;
&lt;p&gt;Next we want to setup networking for our unikernels. We use a so-called &amp;quot;bridge&amp;quot; interface for this, which is a virtual network switch where you connect &amp;quot;tap&amp;quot; interfaces (layer 2 ethernet devices). A MirageOS unikernel uses tap interfaces for communication. We give our bridge the name &amp;quot;service&amp;quot; (and for example for monitoring and management you may want to setup another bridge &amp;quot;management&amp;quot;).&lt;/p&gt; &lt;p&gt;Next we want to setup networking for our unikernels. We use a so-called &amp;quot;bridge&amp;quot; interface for this, which is a virtual network switch where you connect &amp;quot;tap&amp;quot; interfaces (layer 2 ethernet devices). A MirageOS unikernel uses tap interfaces for communication. We give our bridge the name &amp;quot;service&amp;quot; (and for example for monitoring and management you may want to setup another bridge &amp;quot;management&amp;quot;).&lt;/p&gt;
&lt;p&gt;If you're using a network manager that is capable of setting up bridge interfaces, use that interface.&lt;/p&gt; &lt;p&gt;If you're using a network manager that is capable of setting up bridge interfaces, use that interface.&lt;/p&gt;
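Review bot: this hunk is the HTML change above serialised into the feed's `content type="html"` element, and the added sentence "Please ensure to have albatross in version of at least 2.0.0 to follow this page." arrives with the same wording and the same late placement (after the hello-world walkthrough rather than beside the install commands); the two outputs evidently come from one source, so the fix belongs in that source, not in either of these generated files. The escaping is correct: the angle brackets of `--ca &lt;ca.pem&gt;` appear as `&amp;lt;ca.pem&amp;gt;`, once for the HTML content and once for the XML carrier.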
@ -61,15 +62,15 @@ ifconfig_service=&amp;quot;inet 10.0.42.1/24&amp;quot;
&lt;p&gt;Afterwards either restart your system or re-run the service scripts to have the bridge setup in your running system.&lt;/p&gt; &lt;p&gt;Afterwards either restart your system or re-run the service scripts to have the bridge setup in your running system.&lt;/p&gt;
&lt;p&gt;To check that the networking works, get the latest static website unikernel and run it:&lt;/p&gt; &lt;p&gt;To check that the networking works, get the latest static website unikernel and run it:&lt;/p&gt;
&lt;pre&gt;&lt;code&gt;$ wget https://builds.robur.coop/job/static-website/build/latest/bin/https.hvt &lt;pre&gt;&lt;code&gt;$ wget https://builds.robur.coop/job/static-website/build/latest/bin/https.hvt
$ albatross-client-local console my-website &amp;amp; # this is sent to the background since it waits and displays the console of the unikernel named &amp;quot;my-website&amp;quot; $ albatross-client console my-website &amp;amp; # this is sent to the background since it waits and displays the console of the unikernel named &amp;quot;my-website&amp;quot;
$ albatross-client-local create --net=service --arg='--ipv4=10.0.42.2/24' my-website https.hvt # this returns once the unikernel image has been transmitted to the albatross daemon $ albatross-client create --net=service --arg='--ipv4=10.0.42.2/24' my-website https.hvt # this returns once the unikernel image has been transmitted to the albatross daemon
$ ping 10.0.42.2 # should receive answers $ ping 10.0.42.2 # should receive answers
$ open http://10.0.42.2 # in your browser - also https://10.0.42.2 (you'll get a certificate warning) $ open http://10.0.42.2 # in your browser - also https://10.0.42.2 (you'll get a certificate warning)
$ wget http://10.0.42.2/ # should download the Hello Mirage world! $ wget http://10.0.42.2/ # should download the Hello Mirage world!
$ wget --no-check-certificate https://10.0.42.2/ # should also download the Hello Mirage world! $ wget --no-check-certificate https://10.0.42.2/ # should also download the Hello Mirage world!
$ fg # back to albatross-client-local console $ fg # back to albatross-client console
$ Ctrl-C # kill that process $ Ctrl-C # kill that process
$ albatross-client-local destroy my-website # kills the unikernel $ albatross-client destroy my-website # kills the unikernel
&lt;/code&gt;&lt;/pre&gt; &lt;/code&gt;&lt;/pre&gt;
&lt;p&gt;When you reached this point, you have successfully launched a MirageOS unikernel, and are able to communicate from your computer with it. This uses the OCaml networking stack, and the host bridge interface.&lt;/p&gt; &lt;p&gt;When you reached this point, you have successfully launched a MirageOS unikernel, and are able to communicate from your computer with it. This uses the OCaml networking stack, and the host bridge interface.&lt;/p&gt;
&lt;h2&gt;Routing and Internet&lt;/h2&gt; &lt;h2&gt;Routing and Internet&lt;/h2&gt;
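Review bot: The client rename is applied consistently in this hunk (console, create, fg comment, destroy), but the lines that were left untouched still under-explain the TLS step: "you'll get a certificate warning" and "wget --no-check-certificate" both mean the unikernel's certificate is not trusted by the host, and the flag disables verification entirely. Suggest stating that in the comment on those two lines and making clear it is acceptable only for this local 10.0.42.2 connectivity test, not for reaching anything over the Internet.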
@ -109,13 +110,13 @@ On FreeBSD, add &lt;code&gt;ifconfig_service=&amp;quot;addm em0&amp;quot;&lt;/co
&lt;h2&gt;Unikernel execution&lt;/h2&gt; &lt;h2&gt;Unikernel execution&lt;/h2&gt;
&lt;p&gt;Let's test that your unikernels have access to the Internet by using the &lt;a href=&quot;https://hannes.robur.coop/Posts/Traceroute&quot;&gt;traceroute&lt;/a&gt; unikernel:&lt;/p&gt; &lt;p&gt;Let's test that your unikernels have access to the Internet by using the &lt;a href=&quot;https://hannes.robur.coop/Posts/Traceroute&quot;&gt;traceroute&lt;/a&gt; unikernel:&lt;/p&gt;
&lt;pre&gt;&lt;code&gt;$ wget https://builds.robur.coop/job/traceroute/build/latest/bin/traceroute.hvt &lt;pre&gt;&lt;code&gt;$ wget https://builds.robur.coop/job/traceroute/build/latest/bin/traceroute.hvt
$ albatross-client-local console my-traceroute &amp;amp; # this is sent to the background since it waits and displays the console of the unikernel named &amp;quot;my-traceroute&amp;quot; $ albatross-client console my-traceroute &amp;amp; # this is sent to the background since it waits and displays the console of the unikernel named &amp;quot;my-traceroute&amp;quot;
$ albatross-client-local create --net=service --arg='--ipv4=10.0.42.2/24' --arg='--ipv4-gateway=10.0.42.1' my-traceroute traceroute.hvt # the IP configuration depends on your setup, use your public IP address and actual router IP if you've set it up. $ albatross-client create --net=service --arg='--ipv4=10.0.42.2/24' --arg='--ipv4-gateway=10.0.42.1' my-traceroute traceroute.hvt # the IP configuration depends on your setup, use your public IP address and actual router IP if you've set it up.
$ fg # back to albatross-client-local console $ fg # back to albatross-client console
$ Ctrl-C # kill that process $ Ctrl-C # kill that process
&lt;/code&gt;&lt;/pre&gt; &lt;/code&gt;&lt;/pre&gt;
&lt;p&gt;That's it. Albatross has more features, such as block devices, multiple bridges (for management, private networks, ...), restart if the unikernel exited with specific exit code, assignment of a unikernel to a specific CPU. It also has remote command execution and resource limits (you can allow your friends to execute a number of unikernels with limited memory and block storage accessing only some of your bridges). There is a daemon to collect metrics and report them to Grafana (via Telegraf and Influx). MirageOS unikernels also support IPv6, you're not limited to legacy IP.&lt;/p&gt; &lt;p&gt;That's it. Albatross has more features, such as block devices, multiple bridges (for management, private networks, ...), restart if the unikernel exited with specific exit code, assignment of a unikernel to a specific CPU. It also has remote command execution and resource limits (you can allow your friends to execute a number of unikernels with limited memory and block storage accessing only some of your bridges). There is a daemon to collect metrics and report them to Grafana (via Telegraf and Influx). MirageOS unikernels also support IPv6, you're not limited to legacy IP.&lt;/p&gt;
</content><id>urn:uuid:a225bf44-9230-569f-8852-1b5d2132a749</id><title type="text">Robur Reproducible Builds</title><updated>2023-02-09T09:25:33-00:00</updated><author><name>canopy</name></author></entry><entry><published>2019-09-10T19:40:14-00:00</published><link href="/Our%20Work/Technology-Employed" rel="alternate"/><content type="html">&lt;h1&gt;MirageOS&lt;/h1&gt; </content><id>urn:uuid:a225bf44-9230-569f-8852-1b5d2132a749</id><title type="text">Robur Reproducible Builds</title><updated>2023-05-16T17:25:50-00:00</updated><author><name>canopy</name></author></entry><entry><published>2019-09-10T19:40:14-00:00</published><link href="/Our%20Work/Technology-Employed" rel="alternate"/><content type="html">&lt;h1&gt;MirageOS&lt;/h1&gt;
&lt;p&gt;MirageOS is a software suite to build custom-tailored operating systems from (mostly open source) small individual libraries. It has been developed since 2009 at the University of Cambridge, UK and is written in the programming language &lt;a href=&quot;/Our%20Work/Technology-Employed#OCaml&quot;&gt;OCaml&lt;/a&gt;.&lt;/p&gt; &lt;p&gt;MirageOS is a software suite to build custom-tailored operating systems from (mostly open source) small individual libraries. It has been developed since 2009 at the University of Cambridge, UK and is written in the programming language &lt;a href=&quot;/Our%20Work/Technology-Employed#OCaml&quot;&gt;OCaml&lt;/a&gt;.&lt;/p&gt;
&lt;p&gt;It compiles the necessary OCaml libraries into a unikernel - a small operating system, each built for a certain purpose. For each unikernel we can pick from hundreds of permissively licensed open source libraries which implement network protocols, storage on block devices, or interfaces to network devices via the hypervisor or host operating system. As we only put into each one exactly what is needed, each unikernel is fast; instantly booting and, as there is less code base, it is easier to maintain and keep secure.&lt;/p&gt; &lt;p&gt;It compiles the necessary OCaml libraries into a unikernel - a small operating system, each built for a certain purpose. For each unikernel we can pick from hundreds of permissively licensed open source libraries which implement network protocols, storage on block devices, or interfaces to network devices via the hypervisor or host operating system. As we only put into each one exactly what is needed, each unikernel is fast; instantly booting and, as there is less code base, it is easier to maintain and keep secure.&lt;/p&gt;
&lt;p&gt;As an example to see how lines of code compare, here are the number of lines of code needed for different elements of our &lt;a href=&quot;/Our%20Work/Projects#Bitcoin%20Pinata&quot;&gt;Bitcoin Pinata&lt;/a&gt;, measured in thousands of lines of code:&lt;/p&gt; &lt;p&gt;As an example to see how lines of code compare, here are the number of lines of code needed for different elements of our &lt;a href=&quot;/Our%20Work/Projects#Bitcoin%20Pinata&quot;&gt;Bitcoin Pinata&lt;/a&gt;, measured in thousands of lines of code:&lt;/p&gt;
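Review bot: The traceroute sequence ends after "Ctrl-C # kill that process" without an "albatross-client destroy my-traceroute" step, unlike the website example above, which ends with "albatross-client destroy my-website"; since the rename touched every other command line here, either add the destroy step or say explicitly that the unikernel exits on its own once the trace is complete, so readers are not left with a running unikernel that still holds 10.0.42.2 on the service bridge. The updated timestamp in the feed entry (2023-05-16T17:25:50) agrees with the "last updated" date in the article header, so that part is consistent.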