Personal Containers

I've had a passion for self-hosted, decentralised computing for many years since Nick Ludlam and I set up the recoil.org collective in the late 90s. In late 2008, I'd been working on early cloud computing as part of the Xen Virtualisation project and already seeing the rapid rise of centralised data gathering in the early cloud providers. When I left Citrix in 2009, I joined Derek McCauley and Jon Crowcroft in their new Horizon Digital Economy centre to lead a charge into building more privacy-centred digital infrastructure. I had the huge privilege of receiving a strings-free 5-year postdoctoral fellowship in Cambridge. It's rare to see such long term postdoc opportunities these days, but something I am hugely supportive of for new projects.

My hacking first began with Nick Ludlam in 2008 on a prototype of a lifedb server and app, which we envisioned as a place to aggregate all the messages from disparate sources (for example, to mirror the then-new Twitter service into my IMAP email). I worked on 2010-smarte-privacybutler to add a policy engine to this prototype. While the prototype worked well enough for me, it was largely a negative result since it was just too risky to put all that private data in one location (especially aggregated).

Now back at Cambridge in 2010, I began working with Thomas Gazagnaire on a more robust implementation of data aggregation that would have stronger end-to-end security and privacy. We started coding up an implementation in OCaml to followup my Functional Internet work, and built out infrastructure like an OCaml ORM in 2010-dyntype-wgt to make it easier to work with databases. It became obvious pretty quickly that having this much data in one place required end users to become sysadmins, and so I started to lay out a new architecture for this sort of end-user managed data in 2010-bcs-visions.

Our first prototype of a personal container running as a unikernel was published in 2010-hotcloud-lamp, and would form the basis of the MirageOS project. To this day, the MirageOS community remains passionate about decentralised systems from these origins! We explored a number of directions in the early days:

• 2010-iswp-dustclouds looked into spawning tiny unikernels on public cloud infrastructure to form a "fast flux" for onion routing. This remains a pretty good idea and something I'd like to see implemented on modern public clouds!
• de10-perscon was the evolution of the lifedb into the "personal container". Although its domain name is now offline, you can still find the original perscon.net blog repository. I worked pretty hard on a perscon prototype that you can read about in Pulling together a user interface and Yurts for Digital Nomads.
• 2011-nsdi-ciel investigated what a distributed dataflow engine might look like to help with processing the vast amounts of personal data we were working with. The primary author of CIEL Derek Murray went on to develop Naiad and other influential systems in this space, but I still like CIEL's very simple model. I built a simple continuation based implementation in DataCaml - a first look at distributed dataflow programming in OCaml, and as of 2021 am continuing this work again with OCaml's multicore effects in OCaml Labs.
• From an Internet architecture perspective, another fascinating line of thought we came up with was the notion of giving every user their own domain name server that would give them fine-grained control over network connectivity. The 2012-sigcomm-signposts-demo and 2013-foci-signposts papers both lay out an architecture for a DNSSEC-based dynamic DNS server that users can control. We explored how a "polyversal TCP" might look for making p2p connections from this in 2012-conext-pvtcp-position, as well as a software Openflow switch to route data from cloud to edge devices in 2012-iccsdn-mirageflow.
• 2012-ahans-soapp was the result of my collaboration with the just-established CHERI project at the Computer Lab on compartmentalisation interfaces, another area of programming that continues to need improvement.

One of the main drivers for personal containers was to drive applications that would otherwise be too invasive from a privacy perspective. Ian M. Leslie and I worked on the "c-aware" project in 2012-mpm-caware to figure out if personal containers could help influence user behaviour to reduce carbon usage. Overall, this project taught us just how much effort it would be to deploy real-world infrastructure in corporate environments like the University of Cambridge. We also struggled to get any users to deploy our prototype servers, something explored more in user studies with colleagues in Horizon Nottingham in de13-dataware.

My work on personal data processing petered out from a research perspective in around 2013 since the underlying infrastructure I had built really started gathering steam with Unikernels and OCaml Labs. We hadn't quite cracked the problem of how to break the cloud hegemony, but (as with XenoServers and Xen), the pieces that succeeded emerged from the research questions we asked. However, I don't consider this project permanently closed by any means -- after all, I've been self hosting my email since 1997! We've been working steadily over the past decade of MirageOS (as of 2021) to build out a really solid, self-hosted protocol stack that will work as a unikernel. I am revisiting the question of decentralisation in the form of physical infrastructure in the Interspatial OS project, and you can read my early thoughts in 2018-hotpost-osmose.