Oreulius is a kernel designed to run isolated WASI workloads in a secure operating environment, the kernel is meant to make authority explicit, control access through capabilities on a deep level, and in simple terms, the end goal of developing this is too make sure the behaviour of the workload is incredibly easy to inspect.
Oreulius is ported to three different architecures, to varying degrees and completeness, those architectures being Aarch64, x86-64, and i686.
The i686 path is effectively the legacy boot, and its the first boot I created, and did the majority of the early phase of the developement on. Currently, the boot on x86-64 possesses alot of parity with i686, and the Aarch64 has the most work left to do
I personally recommend starting with the i686 boot. These commands will boot it with qemu for you in an easy way to test it and play with it, as its currently in the alpha phase.
brew update
brew install qemu llvm binutils coreutils nasm xorriso grub
export PATH="$(brew --prefix llvm)/bin:$PATH"sudo apt update
sudo apt install -y qemu qemu-system-x86 qemu-system-aarch64 \
gcc-aarch64-linux-gnu gcc-multilib binutils-aarch64-linux-gnu \
llvm lld clang build-essential nasm xorriso grub-pc-bincurl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y
rustup toolchain install nightly-2024-01-01
rustup component add rust-src --toolchain nightly-2024-01-01
rustup target add aarch64-unknown-none x86_64-unknown-none i686-unknown-none --toolchain nightly-2024-01-01cd kernel
./build.sh
./run.shcd kernel
./build-x86_64-mb2-iso.sh
./run-x86_64-mb2-grub.shqemu-system-x86_64 -cdrom target/x86_64-mb2/oreulius-x86_64-mb2.iso -serial stdiocd kernel
./build-aarch64-virt.sh
./run-aarch64-virt-image.sh# default
./run-aarch64-virt-image-virtio-blk-mmio.sh
# customize disk
BUS_SLOT=1 DISK_IMAGE=target/aarch64-virt/mydisk.img DISK_SIZE=64M ./run-aarch64-virt-image-virtio-blk-mmio.shOr alternatively; you can just try a live no install boot on the site: https://www.oreulius.com/try
There are a few demos to try in the WASM directory in the root of Oreulius, to help clarify how running a wasm workload will work in the kernel, here is step by step instructions to running one of these demos. For this instruction set lets start with the spawn_children.wat demo, this script spawns two child WASM processes and prints the respective output.
Build the demo
cd wasm
./build.sh spawn_children.watBuild the kernel (for this demo lets use the x86_64 image)
cd ../kernel
./build-x86_64-full.shPackage and bundle the kernel together with the demo into an ISO.
Do this from repo root (or inside kernel)
mkdir -p kernel/target/x86_64-mb2/iso/boot/grub kernel/target/x86_64-mb2/iso/wasm
cp kernel/target/x86_64-mb2/oreulius-kernel-x86_64 kernel/target/x86_64-mb2/iso/boot/oreulius-kernel-x86_64
cp wasm/spawn_children.wasm kernel/target/x86_64-mb2/iso/wasm/
cat > kernel/target/x86_64-mb2/iso/boot/grub/grub.cfg <<'EOF'
set timeout=0
set default=0
terminal_output console
menuentry "Oreulius x86_64 MB2" {
multiboot2 /boot/oreulius-kernel-x86_64
boot
}
EOFCreate the ISO (requires grub-mkrescue / xorriso)
grub-mkrescue -o kernel/target/x86_64-mb2/oreulius-x86_64-mb2.iso kernel/target/x86_64-mb2/iso
boot the iso with qemu to see the live iso running your WASM workload
cd kernel
./run-x86_64-mb2-grub.shInside the kernel you now have full control to run the demo, track it, with tightened temporal replay, can send it through the peer to capability peer network called capnet, and it is securely sandboxed.
(The kernel is in Alpha, so its not production ready, but that is the idea behind how this kernel works, by taking your WASM workload outside the tech-stack and your existing development environment and operating system, and giving you tight and secure control over the instance). The way a unikernel should be designed, for micro purposes. the idea behind it is to give you tighter analytical contol, and security within other secure kernels, ike sel-4, or just your tech stack, or to boost features and abilities without sacrificing the security you like of your exisitng operating system
wasm /wasm/spawn_children.wasmTo develop your own applicaitons for oreulius, the best place to develop them is in the sdk folder in the wasm folder from the root.
Located here:
cd wasm/sdk
For your sdk-based applications
cd wasm/sdk
cargo build --target wasm32-wasi --releaseOutput:
target/wasm32-wasi/release/<your_crate>.wasm
to auther tests in wat and compile run this command
cd wasm
./build.sh your.wat #application
The SDK's are compiled seperately from the kernel, and are not linked. the root wasm folder is for convienient and tiny tests, and the SDK folder is for richer rust/wasm workloads
Oreulius is source-available under the Business Source License 1.1.
The source is public for visibility, research, evaluation, and technical review. Personal use, research, education, benchmarking, and internal non-production testing are permitted under the repository license.
Production use, commercial deployment, embedded commercial products, and paid hosted services require a separate commercial license.
Oreulius is not open source at this time.
See LICENSE and COMMERCIAL.md.
Oreulius core development is currently maintained under a controlled authorship model.
The public repository exists for visibility, research, evaluation, and technical review. General public code contributions to the core kernel are not being accepted at this time.