[ANN] First release of paf, a simple MirageOS layer for HTTP/AF

I’m glad to announce the first release of paf, a simple MirageOS layer for http/af with TLS support. Two simple unikernels are included in the distribution to show how to use paf with MirageOS.

$ cd unikernel/client
$ mirage configure
$ make depends
$ mirage build
$ ./minipaf -u https://discuss.ocaml.org/

Unikernel, abstraction, HTTP & TLS

With MirageOS, the main difficulty in building a unikernel is the constraint of full abstraction: the same piece of code must work on UNIX (as a plain executable) and on Solo5 (to run the operating system as a virtual machine under KVM or Xen). MirageOS chose functors to abstract the underlying pieces of the operating system, such as the TCP/IP stack, the DNS resolver or the TLS stack.

HTTP is a good example, since it mixes several stacks and the choice between them depends on:

  • static values such as the target (UNIX or Solo5)
  • dynamic values such as http or https (depending on the given Uri.t)

paf is a small library whose focus is to make http/af usable on MirageOS, as both a server and a client, on any target in the easiest way. Static choices are handled by functoria, which resolves the implementation of the underlying TCP/IP stack according to your target:

  • for Unix, we will use the host’s TCP/IP stack
  • for Solo5, we will use the mirage-tcpip implementation

Dynamic choices are handled by mimic, which invokes the TLS stack (ocaml-tls) or not, depending on the given Uri.t.
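To make the static/dynamic split concrete, here is an added illustration (not paf's or mimic's own code; the FLOW signature, the Make functor and the variant names are hypothetical) in which the transport is fixed at build time through a functor, while TLS or plain TCP is chosen at run time from the Uri.t, and unknown schemes are refused rather than silently sent in clear:

```ocaml
(* Hypothetical model of paf's two-level design; uses only the stdlib and the
   real Uri library (Uri.of_string, Uri.scheme, Uri.host, Uri.port). *)

(* Static choice: the transport is a functor parameter resolved at build time
   (host TCP/IP on Unix, mirage-tcpip on Solo5). *)
module type FLOW = sig
  type t
  val connect : host:string -> port:int -> t
  val describe : t -> string
end

(* Stand-in for the Unix transport; a real one would open a socket. *)
module Unix_flow : FLOW = struct
  type t = { host : string; port : int }
  let connect ~host ~port = { host; port }
  let describe t = Printf.sprintf "tcp://%s:%d" t.host t.port
end

(* Dynamic choice: whether the flow is wrapped in TLS is decided from the
   Uri.t at run time, in the spirit of mimic. *)
module Make (Flow : FLOW) = struct
  (* For TLS we also keep the host name the certificate must be checked against. *)
  type flow = Plain of Flow.t | Tls of Flow.t * string

  let connect uri =
    let host =
      match Uri.host uri with Some h -> h | None -> invalid_arg "uri without host" in
    let port default = Option.value ~default (Uri.port uri) in
    match Uri.scheme uri with
    | Some "http" -> Ok (Plain (Flow.connect ~host ~port:(port 80)))
    | Some "https" -> Ok (Tls (Flow.connect ~host ~port:(port 443), host))
    | Some other -> Error (`Unsupported_scheme other) (* fail closed *)
    | None -> Error `Missing_scheme

  let describe = function
    | Plain f -> Flow.describe f
    | Tls (f, name) -> Printf.sprintf "tls(%s, sni=%s)" (Flow.describe f) name
end

module Client = Make (Unix_flow)

(* Constructed sample URIs. *)
let () =
  List.iter (fun s ->
      match Client.connect (Uri.of_string s) with
      | Ok flow -> Printf.printf "%s -> %s\n" s (Client.describe flow)
      | Error (`Unsupported_scheme sch) -> Printf.printf "%s -> refused: scheme %s\n" s sch
      | Error `Missing_scheme -> Printf.printf "%s -> refused: no scheme\n" s)
    [ "http://example.org/"; "https://discuss.ocaml.org/"; "ftp://example.org/" ]
```

Build with `ocamlfind ocamlopt -package uri -linkpkg`; swapping `Unix_flow` for a Solo5 transport changes only the functor argument, not the scheme dispatch.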

Let’s Encrypt challenge

With all of that, and some side improvements to ocaml-tls/ca-certs and letsencrypt, we are able to provide a simple unikernel which completes the Let’s Encrypt challenge at boot and then starts an HTTP server over TLS with your own valid certificate.

The distribution provides a simple unikernel which does this job if the user wants to provide an HTTPS service (with rock, a sub-library of opium):

$ cd unikernel/server
$ mirage configure
$ make depends
$ mirage build
$ ./minipaf --production=false --hostname www.x25519.net --https

CoHTTP layer (client part)

For convenience, paf also provides a partially implemented compatibility layer with CoHTTP (with another definition of the ctx, the Mimic.ctx).

Production ready

Even if the release is still a beta, I have used such an implementation for a long time in my unikernels (which are down, but for other reasons…) and I did not get any errors (for ~1 year). The distribution comes with a test which stress-tests the implementation with parallel and concurrent processes.

I hope this will help people play a bit with MirageOS!