[ANN] Solo5, a sandboxed execution environment for unikernels

I am delighted to announce the release of Solo5 0.11.0. This release is significant as it marks the start of performance improvements for our unikernels in OCaml.

Although the project is written in C, it is a cornerstone of unikernel development. OCaml support is provided via ocaml-solo5 (which tracks the OCaml compiler versions). Here is a simple example of a Solo5 (hvt) unikernel with OCaml:

$ opam install ocaml-solo5
$ eval $(opam env)
$ cat >startup.c<<EOF
#include "solo5.h"
#include <caml/callback.h>

static char *argv[] = { "unikernel", NULL };

void _nolibc_init(uintptr_t, size_t);

int solo5_app_main(const struct solo5_start_info *si) {
  _nolibc_init(si->heap_start, si->heap_size);
  caml_startup(argv);
  return (0);
}
EOF
$ cat >manifest.json<<EOF
{
  "type": "solo5.manifest",
  "version": 1,
  "devices": []
}
EOF
$ cat >main.ml<<EOF
let () = print_endline "Hello World!"
EOF
$ solo5-elftool gen-manifest manifest.json manifest.c
$ ocamlfind -toolchain solo5 opt \
  manifest.c startup.c main.ml \
  -cclib "-z solo5-abi=hvt" -o main.hvt
$ solo5-hvt -- main.hvt
            |      ___|
  __|  _ \  |  _ \ __ \
\__ \ (   | | (   |  ) |
____/\___/ _|\___/____/
Solo5: Bindings version v0.11.0
Solo5: Memory map: 512 MB addressable:
Solo5:   reserved @ (0x0 - 0xfffff)
Solo5:       text @ (0x100000 - 0x14efff)
Solo5:     rodata @ (0x14f000 - 0x166fff)
Solo5:       data @ (0x167000 - 0x371fff)
Solo5:       heap >= 0x372000 < stack < 0x20000000
Hello World!
Solo5: solo5_exit(0) called

If you’d like to find out more about developing unikernels in OCaml, we recommend reading our slides (from the last MirageOS retreat) or our tutorial on mnet, available here.

What is Solo5?

Solo5 is both a C framework and a set of tools for creating and running programmes within a sandbox that, initially, allows only 5 interactions with the outside world:

  1. reading and writing Ethernet frames to a net device
  2. reading and writing pages to a block device
  3. exit

All the functions available in the sandboxed environment are described in this header.

What is notable about Solo5 is that this API works with VirtIO, Xen (and QubesOS) and our minimalist hypervisor hvt (which runs on KVM, BHyve and VMM). This means that a Solo5 application can be deployed across a wide range of platforms. On Ubuntu, you can install Solo5 via:

$ curl -fsSL https://apt.robur.coop/gpg.pub | \
  gpg --dearmor > /etc/apt/trusted.gpg.d/apt.robur.coop.gpg
$ echo "deb [signed-by=/etc/apt/trusted.gpg.d/apt.robur.coop.gpg] https://apt.robur.coop ubuntu-24.04 main" > /etc/apt/sources.list.d/robur.list
$ apt update
$ apt install solo5

hvt unikernels

At Robur, we prefer to build hvt unikernels. These unikernels only require the solo5-hvt “tender” (~200 KB) to run, which is available on Linux, FreeBSD and OpenBSD (WSL supports what is known as nested virtualisation, so it is also possible to run a unikernel on WSL!).

The advantage of hvt is its minimalism (a hallmark of Solo5 in general). This latest release completes the sandboxing on Linux by using libseccomp to retain privileges only for what is necessary to run the unikernel (which amounts to 18 system calls in total). This sandboxing was already available for FreeBSD with Capsicum and OpenBSD with pledge(2).

This release also marks an improvement in throughput when writing Ethernet frames to a tap interface on Linux, achieved through the use of eventfd(2) and a parallel thread that writes directly to the tap interface. This allows us to use fewer costly VM exits.

To this end, we ran a benchmark using iperf3 (and a unikernel implementing this protocol with mnet) to demonstrate the improvement in throughput.

solo5.0.10.1      solo5.0.11.0
~700 Mbits/sec    ~2.15 Gbits/sec

Deploy unikernels

At Robur, we aim to make deploying unikernels as straightforward as possible. That is why we have developed a suite of software and unikernels designed to deploy a range of services:

  1. Albatross is a project (also installable via apt) that allows you to run a daemon capable of launching and monitoring hvt unikernels. The advantage is that this service was specifically designed for hvt unikernels (although, more recently, we have been able to deploy systems).
  2. dnsvizor is one of our unikernels that resolves the issue of IP addressing and DNS resolution. The idea is to launch such a unikernel and have subsequent ones configure their networks in relation to it.
  3. Finally, we are actively developing mollymawk, a unikernel that provides a web interface for Albatross to enable the deployment of new unikernels (in the simplest way possible).

We have also developed aussi (still very much in the experimental stage), which is an OCI runtime for our unikernels. Among other things, this allows us to use Docker to build and deploy our unikernels. An example using our unikernel annuaire is available here.

Develop unikernels

Finally, there is the other aspect of unikernels and their development. At Robur, we are therefore trying to develop libraries (particularly protocols and formats) to help potential new users develop new unikernels themselves (so that there is a sense of ownership).

So please do not hesitate to ask us any questions on this subject!

In this regard, for several years now we have been developing a number of libraries that enable the development of standard unikernels:

  • we are continuing to develop Miou as our scheduler for our unikernels (as well as our services)
  • we are developing mnet and utcp, which together form our new TCP/IP stack for our unikernels
  • mfat, a FAT32 file system for unikernels, is also available
  • and finally vifu, a web framework for developing your website as a unikernel, is also available
  • and many other projects that we have been maintaining for several years now!

Conclusion

This release gives us the opportunity to provide a comprehensive (and accessible) overview of our cooperative’s work. This work essentially involves creating the necessary components for the development and deployment of unikernels in OCaml, whilst embracing the idea of reclaiming control over the means of communication and production.

Happy hacking!
