From ad357c21b85aa27508c64f9fc203a43f1c50d033 Mon Sep 17 00:00:00 2001 From: Thomas Gazagnaire Date: Mon, 20 Mar 2017 14:59:49 +0100 Subject: [PATCH] mirageSDK: rename README.md into roadmap.md Signed-off-by: Thomas Gazagnaire --- projects/miragesdk/README.md | 138 +--------------------------------- projects/miragesdk/roadmap.md | 138 ++++++++++++++++++++++++++++++++++ 2 files changed, 142 insertions(+), 134 deletions(-) create mode 100644 projects/miragesdk/roadmap.md diff --git a/projects/miragesdk/README.md b/projects/miragesdk/README.md index d027e3a33..556c037cf 100644 --- a/projects/miragesdk/README.md +++ b/projects/miragesdk/README.md @@ -1,138 +1,8 @@ -## Unikernel System Containers +### Mirage SDK -### General Architecture +Instructions: ``` - |=================| |================| - | privileged shim | | calf | - |=================| |================| - | | | | -<-- eth0 ---> | eBPF rules | <--- network IO ---> | type-safe | - | | (data path) | network stack | - | | | | - |-----------------| |----------------| - | | | | -<-- logs ----- | | <------- logs ------ | type-safe | - | | | protocol logic | -<-- metrics -- | | <----- metrics ----- | | - | | | | - |-----------------| |----------------| - | | | | -<-- audit --- | config store | <----- KV store ---> | config store | - diagnostic | deamon | (control path) | client | - | | | | - |_________________| |________________| - | | -<-- sycalls -- | | - | | - | system handlers | -<-- config --- | | - files | | - |_________________| +../../bin/moby examples/mirage-dhcp.yaml` +../../scripts/qemu.sh mirage-dhcp-initrd.img mirage-dhcp-bzImage "$(bin/moby --cmdline mirage-dhcp.yaml)" ``` - -1. privileged shim (privileged system service) - - run in a privileged container - - can read all network traffic - - can set-up eBPF rules (or a dumb forwarder to start with) - - exposes an easily auditable KV store for configuration values - (over a simple REST/HTTP API to start with). - Expose a scoped "view" of the config store to the - calf (a different branch in a datakit store for instance) and another - unscoped "view" to the host (could be a Git log if using datakit). - - has a set of system handlers who watches for changes in the KV - store and perform privileged operations inside moby (syscalls, edit - global config files, etc). System handlers use the config store CLI - to wait for events and react. - -2. calf (sandboxed system service) - - run in a fully isolated container - - full sandbox (initially a normal Unix process, later on unielf/wasm) - - has a type-safe network stack to handle network IO - - has type-safe business logic to process network IO - - has a limited access read and write access to the config store where the - result of the business logic is output - -### DHCP client - -#### Shim - -- forward DHCP traffic only (in both directions) -- expose a simple store to the calf, with the following keys: - -``` -/ip (mandatory) -/mtu (optional) -/domain (optional) -/search (optional) -/nameserver/001 (optional) -... -/nameserver/xxx (optional) -``` - -If runs a small webserver where it exposes a simple CRUD interface -over these keys -- only the calf can see it (e.g. it opens a pipe and -share it with the calf on startup). - -- system handlers: - - if /ip change -> set IP address on moby host - - if /domain change -> set moby domain name - - if /search -> set search domain on moby host - - if /nameserver/xxx -> set DNS servers on moby - -#### Calf - -- MirageOS unikernel using charrua-client (or a fork of it). -- Has access to a Mirage_net.S interface for network traffic -- Has access to a a simple KV interface - -Internally, it uses something more typed than a KV store: - -``` -module Shim: sig - val set_ip: Ipaddr.V4.t -> unit Lwt.t - val set_domain: string -> unit Lwt.t - val set_search: string -> unit Lwt.t - val set_nameservers: Ipaddr.V4.t list Lwt.t -end -``` - -but this ends up being translated into REST/RPC calls to the shim. - -### SDK - -What the SDK should enable: -1. easily write a new calfs initially in OCaml, then Rust. - Probably not very useful on its own. -2. easily write a new shim by providing the basic blocks: - eBPF scripts, calf runner, KV store, system handlers. - Initially could be a standalone blob, but should aim for - independant and re-usable pieces that could run in a - container. -3. (later) generate shim/caft containers from a single (API?) - description. - -### Roadmap - -#### first PoC: DHCP client - -Current status: one container containing two static binaries (priv + calf), -private pipes open between the process for stdout/stderr aggregation + -raw sockets (data path). Control path is using a simple HTTP server running -in the priv container. The calf is using the dev version of mirage/charrua-core, -and is able to get a DHCP lease on boot. - -##### TODO - -- use runc to isolate the calf -- eBPF filtering -- use seccomp to isolate the privileged container -- use the DHCP results to actually update the system -- add metrics aggregation (using prometheus) -- better logging aggregation (using syslog) -- IPv6 support -- tests, tests, tests (especially against non compliant RFC servers) - -### Second iteration: NTP - -TODO \ No newline at end of file diff --git a/projects/miragesdk/roadmap.md b/projects/miragesdk/roadmap.md new file mode 100644 index 000000000..d027e3a33 --- /dev/null +++ b/projects/miragesdk/roadmap.md @@ -0,0 +1,138 @@ +## Unikernel System Containers + +### General Architecture + +``` + |=================| |================| + | privileged shim | | calf | + |=================| |================| + | | | | +<-- eth0 ---> | eBPF rules | <--- network IO ---> | type-safe | + | | (data path) | network stack | + | | | | + |-----------------| |----------------| + | | | | +<-- logs ----- | | <------- logs ------ | type-safe | + | | | protocol logic | +<-- metrics -- | | <----- metrics ----- | | + | | | | + |-----------------| |----------------| + | | | | +<-- audit --- | config store | <----- KV store ---> | config store | + diagnostic | deamon | (control path) | client | + | | | | + |_________________| |________________| + | | +<-- sycalls -- | | + | | + | system handlers | +<-- config --- | | + files | | + |_________________| +``` + +1. privileged shim (privileged system service) + - run in a privileged container + - can read all network traffic + - can set-up eBPF rules (or a dumb forwarder to start with) + - exposes an easily auditable KV store for configuration values + (over a simple REST/HTTP API to start with). + Expose a scoped "view" of the config store to the + calf (a different branch in a datakit store for instance) and another + unscoped "view" to the host (could be a Git log if using datakit). + - has a set of system handlers who watches for changes in the KV + store and perform privileged operations inside moby (syscalls, edit + global config files, etc). System handlers use the config store CLI + to wait for events and react. + +2. calf (sandboxed system service) + - run in a fully isolated container + - full sandbox (initially a normal Unix process, later on unielf/wasm) + - has a type-safe network stack to handle network IO + - has type-safe business logic to process network IO + - has a limited access read and write access to the config store where the + result of the business logic is output + +### DHCP client + +#### Shim + +- forward DHCP traffic only (in both directions) +- expose a simple store to the calf, with the following keys: + +``` +/ip (mandatory) +/mtu (optional) +/domain (optional) +/search (optional) +/nameserver/001 (optional) +... +/nameserver/xxx (optional) +``` + +If runs a small webserver where it exposes a simple CRUD interface +over these keys -- only the calf can see it (e.g. it opens a pipe and +share it with the calf on startup). + +- system handlers: + - if /ip change -> set IP address on moby host + - if /domain change -> set moby domain name + - if /search -> set search domain on moby host + - if /nameserver/xxx -> set DNS servers on moby + +#### Calf + +- MirageOS unikernel using charrua-client (or a fork of it). +- Has access to a Mirage_net.S interface for network traffic +- Has access to a a simple KV interface + +Internally, it uses something more typed than a KV store: + +``` +module Shim: sig + val set_ip: Ipaddr.V4.t -> unit Lwt.t + val set_domain: string -> unit Lwt.t + val set_search: string -> unit Lwt.t + val set_nameservers: Ipaddr.V4.t list Lwt.t +end +``` + +but this ends up being translated into REST/RPC calls to the shim. + +### SDK + +What the SDK should enable: +1. easily write a new calfs initially in OCaml, then Rust. + Probably not very useful on its own. +2. easily write a new shim by providing the basic blocks: + eBPF scripts, calf runner, KV store, system handlers. + Initially could be a standalone blob, but should aim for + independant and re-usable pieces that could run in a + container. +3. (later) generate shim/caft containers from a single (API?) + description. + +### Roadmap + +#### first PoC: DHCP client + +Current status: one container containing two static binaries (priv + calf), +private pipes open between the process for stdout/stderr aggregation + +raw sockets (data path). Control path is using a simple HTTP server running +in the priv container. The calf is using the dev version of mirage/charrua-core, +and is able to get a DHCP lease on boot. + +##### TODO + +- use runc to isolate the calf +- eBPF filtering +- use seccomp to isolate the privileged container +- use the DHCP results to actually update the system +- add metrics aggregation (using prometheus) +- better logging aggregation (using syslog) +- IPv6 support +- tests, tests, tests (especially against non compliant RFC servers) + +### Second iteration: NTP + +TODO \ No newline at end of file