On 15 April, the Cambridge Ring, the alumni society of the University of Cambridge Computer Laboratory, named our paper "Functional Networking for Millions of Docker Desktops" its Publication of the Year. I wrote the paper with my Cambridge colleagues Anil Madhavapeddy, Dave Scott, Patrick Ferris, and Ryan Gibb. It describes how we rebuilt Docker Desktop's networking and storage stack: a small VM and a set of host-side daemons, built on MirageOS libraries, doing the system-level plumbing that lets Linux containers reach the outside world on the developer's macOS or Windows laptop. As our 2013 ASPLOS paper was titled "Unikernels: Library Operating Systems for the Cloud", this 2025 ICFP paper could have been titled "Library Operating Systems for the Desktop". Same architecture, different vertical, same low-level libraries written in a high-level language (OCaml)!
baguette.local to building vpnkit to manage desktop networking at scale.
The library-OS idea has a pedigree at Cambridge. Nemesis came out of the Computer Lab in the 1990s. Xen, the hypervisor that provides the secure low-level runtime for such designs, followed from the same lab in the 2000s. In the 2010s, in Jon Crowcroft's group at Cambridge, we built MirageOS on top (Anil, Balraj Singh, Richard Mortier, and others) as the higher-level library OS written entirely in OCaml. We coined the term "unikernels" for these single-purpose, sealed images (the paper describing this line of research received a test-of-time award in 2025 and I wrote about that part of the story in February). In 2015, Anil, Balraj, and I spun out Unikernel Systems to bring MirageOS to production. We brought together the MirageOS team at Cambridge with the key maintainers of Rumprun, a unikernel toolchain built on NetBSD's rump kernels. Justin Cormack (who became Docker's CTO a few years later) was among them. Mosaic Ventures, who supported us very early on, put it this way: "MirageOS was a great technology, and had a number of applications. We weren't the only ones who saw its potential." Docker acquired our company a few months later, and we became the "Piñata" team inside Docker.
At Docker, we built what nobody was expecting us to build: a desktop app. I was lucky enough to manage the first releases of what would become the most-desired developer tool in every Stack Overflow Developer Survey since 2019: Docker for Mac and Docker for Windows. The beta shipped on Docker's third birthday, in March 2016. It has been downloaded hundreds of millions of times since. The launch post credited MirageOS directly: "the translator between Linux and Mac OS X networking uses the MirageOS TCP/IP implementation." That translator was vpnkit, an OCaml unikernel (running as a userspace service) built on MirageOS libraries that acts as the network proxy inside Docker Desktop.
Read the paper to know more (and find the full team credit in the acknowledgments)!
