Amir Chaudhry

28 April 2016

Notes on my Craft Conf Talk

These are the slides from my talk at Craft Conf today. If you’re reading this at the conference now, please do follow the link at the end of my talk to rate it and give me feedback!

Some of the specific items I mention are below, with links to more detail. You can find more information and resources about unikernels over at unikernel.org.

Build the MirageOS website with Docker for Mac

I quickly showed people how to build and serve the MirageOS website from a container on my Mac. I used the Docker for Mac beta (beta 8) for this, together with a prepared Docker image. Bear in mind that things change across beta releases so if the following doesn’t work, please tweet me.

To follow my steps in the demo:

# On your terminal
$ docker run -it -p 80:80 amirmc/demo-craft bash

# Inside the container
$ cd mirage-www/src
$ mirage configure --unix --net socket
$ make
$ sudo ./mir-www

You should be able to see the site by pointing your browser to localhost! Congrats, you just built MirageOS! You can read the hello world guide on the website to understand more about the configure flags we used.

The above image (amirmc/demo-craft) is one I made just for the conference, so that I didn’t have to wait for additional downloads. To do it ‘properly’, it’s better to use the unikernel/mirage images, since those are maintained. The mirage tool within the container will then pull down the required dependencies based on the mirage configure step.

# Clone the repo on your machine
$ git clone https://github.com/mirage/mirage-www.git
$ cd mirage-www

# Pull and run the maintained image, mount
# the local directory, and set up the ports
$ docker run -it -v `pwd`:/src -p 80:80 unikernel/mirage bash

# Now that you're in the container
$ cd src
$ mirage configure --unix --net socket # installs packages
$ make
$ sudo ./mir-www

Then point your browser at localhost.

Using Docker for Mac makes all of the above much easier, especially if you don’t have (or don’t want) a local OCaml environment set up.

The Bitcoin Piñata

This is a unikernel, built using the TLS stack, which holds the private key to some bitcoin. If you manage to break in then you can simply transfer the bitcoin away. The model itself is a novel way to run a bounty programme, since a successful breach leads directly to the reward — though the main benefit is to stress-test the whole stack in the wild. In the talk, I describe how the unikernel is about 4% the size of its equivalent in a traditional OS and you can read the article for more detail about that (and much more).

• Article on the TLS stack, “Not-quite-so-broken TLS”
• Some background to the Bitcoin Pinata, “The Bitcoin Piñata!”
• The Pinata itself “You have reached the BTC Piñata”
• Looking over the attempts “Reviewing the Bitcoin Piñata”

Other resources

• I mentioned Containers as a Service and you can find out more about Docker Products.
• The Docker Desktops beta, which uses a number of the MirageOS libraries.
• The MirageOS website, https://mirage.io.
  • The mirage-skeleton repo, which has a number of examples
• The Nymote site, http://nymote.org.
  • *The Introductory post is a useful place to start.

To get involved in the development work, please do join the unikernel forum, the MirageOS devel list, and try out some of the examples for yourselves!