What's New in MirageOS 4!

by Thomas Gazagnaire on Apr 14th, 2022

MirageOS 4.0 Release Week

Tarides is thrilled to see the great responses to MirageOS 4.0 and the excitement that’s building across the community. We’re proud to have played an important part in its development and release, bringing great tools and opportunities to OCaml developers. If you haven’t kept up with what’s been going on since the release, here is a summary of several articles posted by various OCaml users.


The MirageOS 4.0 update brings with it a major change in its build system to support the Dune build system. Tarides has been working on this feature since 2019, iterating on various design solutions in the mirage tool with mirage/mirage/#, mirage/mirage#979, mirage/mirage/#1020, mirage/mirage#1024, mirage/mirage#1153, and finally miarge/mirage#1226. This incremental process resulted in making several contributions to upstream OCaml for features and tools required to support the flexible building of MirageOS libraries: for instance, adding support for virtual library and variants in Dune with ocaml/dune#1900, ocaml/dune#2098, and ocaml/dune#2169; or the development or a new opam plugin to manage mono-repositories. We are happy to see it released to all with Mirage 4.0.

What makes Dune a great option to build MirageOS is that it allows for customisable cross-compilation flags to compile MirageOS to different architectures. Using Dune also enables developers to use the Merlin tool to access a rich set of IDE features when writing applications. It unlocks a new development workflow based on opam-monorepo, which downloads all the unikernel dependencies into a single Dune workspace. Having a single workspace containing all of the unikernel’s code lets developers edit code anywhere in the stack, which makes work like debugging libraries and improving APIs a faster and more enjoyable experience. In his excellent article on build contexts in MirageOS 4.0, Lucas Pluvinage goes into detail about how to use the new cross-compilation features to build MirageOS unikernels for new architectures.

Email in OCaml & Mr. MIME

Mr. MIME is an OCaml library that aims to give its users peace of mind when it comes to the security of their email communications. Mr. MIME is built on unikernels and deploys them to handle email traffic. At Tarides, we got a grant from NGI DAPSI to work on this project, and several of our engineers have been busy working hard to make it happen.

Several other libraries support the Mr. MIME library and enable it to transform an email into an OCaml value, then create an email from it again. An amazing thing about Mr. MIME is its reliability. Using the hamlet tool, which proposes a large corpus of emails for Mr. MIME to parse and re-encode, the team can prove that Mr. MIME doesn’t alter anything in the message between the parser and the encoder.

The team behind Mr. MIME has also created the library Colombe that implements the foundations of an SMTP protocol with the ability to upgrade its flow to TLS, giving its users an extra layer of security. A goal for the future is to provide a full SMTP stack that’s able to send and receive emails.

Mr. MIME also allows its users to manipulate emails through the use of CLI tools, including ocaml-dkim, a tool to verify and sign an email, and spamtacus, a tool which analyses the incoming email to determine if it’s spam or not. The ptt repo contains several more as well.

If you want to find out more information about Mr. MIME, including details about its architecture, please read Romain Calascibetta’s article.

MirageOS in Production

The use of MirageOS benefits not only Tarides, but it also enables several other companies to make their products better. Below are a couple of examples from Docker and Robur on how they use MirageOS to their advantage.


Docker Desktop is a tool that enables its users to build and share containerised or isolated applications in either a Mac or Windows environment. Its main challenge is that running Docker on macOS or Windows is difficult in terms of compatibility, as Linux primitives are unavailable on those platforms.

This is where VPN Kit comes in; it uses MirageOS to bridge the gap between Linux primitives and macOS or Windows by reading the raw ethernet frames coming out of the Linux VM and translating them into macOS or Windows high-level syscalls. In this way, MirageOS networking libraries transparently handle the traffic of millions of containers every day.

To find out more go read the article “How MirageOS Powers Docker Desktop” on mirage.io or on docker.com.

Robur Projects

Robur uses MirageOS for several of their projects, including OpenVPN, DNS Projects, and CalDAV. All of these projects are written in OCaml and are deployed as MirageOS unikernels.

The DNS Projects include the ‘Let’s Encrypt’-Certified DNS solver, a DNS resolver, and an authoritative DNS server. Robur’s DNS server ensures that the internet user gets to the right IP address, whilst its DNS resolver finds the exact server to handle the user’s request. Only strictly necessary elements are included in order to keep the codebase as small as possible for security and simplicity.

CalDAV is the most recent unikernel released by Robur. As the name implies, CalDAV is a protocol used to synchronise calendars. Its minimal codebase comes with significant security benefits.

To find out more go read the article “MirageOS Unikernels at Robur” on mirage.io.

To learn more about MirageOS, take a look at some recent articles at mirage.io. If you’re interested in working with Tarides or incorporating MirageOS tools in your project, please contact us via our website.