At DockerCon 2017 we introduced LinuxKit: A toolkit for building secure, lean and portable Linux subsystems. Here are the key principles and motivations behind the project:
- Secure defaults without compromising usability
- Everything is replaceable and customizable
- Immutable infrastructure applied to building Linux distributions
- Completely stateless, but persistent storage can be attached
- Easy tooling, with easy iteration
- Built with containers, for running containers
- Designed for building and running clustered applications, including but not limited to container orchestration such as Docker or Kubernetes
- Designed from the experience of building Docker Editions, but redesigned as a general-purpose toolkit
- Designed to be managed by external tooling, such as Infrakit or similar tools
- Includes a set of longer-term collaborative projects in various stages of development to innovate on kernel and userspace changes, particularly around security
For this Online Meetup, Docker Technical Staff member Rolf Neugebauer gave an introduction to LinuxKit, explained the rationale behind its development and gave a demo on how to get started using it.
Watch the recording and slides
You’ll find below a list of additional questions asked by attendees at the end of the online meetup:
You said the ONBOOT containers are run sequentially, does it wait for one to finish before it starts the next?
Yes, the next ONBOOT container is only started once the previous one has finished.
How do you make your own kernel to use?
How would you install other software that is not a container per se, e.g. sshd?
Everything apart from the init process and runc/containerd runs in a container. There is an example under ./examples/sshd.yml on how to run an SSH server.
Can I load kernel modules – iptables/conntrack for example?
Yes. You can compile modules and add them to the image as described in ./docs/kernels.md. There is an open issue to allow compilation of kernel modules at run time.
Does it have to be Alpine Linux – can it be, say, minimal Debian?
We mainly use Alpine for packages. The base root filesystem is basically busybox with a minimal init system, which we are planning to replace with a custom init program. You can create packages with Debian, if you like.
How do we make data persistent, like Docker volumes, outside of the LinuxKit box?
There are examples on how to format, mount and use persistent disks, e.g., ./examples/docker.yml, which uses a persistent disk to store Docker images.
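As an added example that is not part of the original post or of the LinuxKit repository's own examples, the YAML below puts the points from the Q&A together: ONBOOT containers that run in order (format before mount, because each must finish before the next starts), an sshd service that only accepts a key injected at build time, and a pinned kernel. Image tags are shown as <TAG> placeholders to be pinned per build, and the mount helper command path is assumed from the examples of that period.

```yaml
# Added example, not the project's own file. <TAG> placeholders stand for
# the pinned image tags your build uses.
kernel:
  image: linuxkit/kernel:<TAG>
  cmdline: "console=ttyS0"

# Everything below init/runc/containerd runs as a container.
init:
  - linuxkit/init:<TAG>
  - linuxkit/runc:<TAG>
  - linuxkit/containerd:<TAG>
  - linuxkit/ca-certificates:<TAG>

# onboot containers run one at a time, in the order listed; each must exit
# before the next starts, so "format" is guaranteed to finish before "mount".
onboot:
  - name: sysctl
    image: linuxkit/sysctl:<TAG>
  - name: format
    image: linuxkit/format:<TAG>      # formats the first unformatted disk
  - name: mount
    image: linuxkit/mount:<TAG>
    # assumption: mount helper path as used by examples/docker.yml at the time
    command: ["/usr/bin/mountie", "/var/lib/docker"]

# services start after all onboot containers have finished and run concurrently.
services:
  - name: rngd
    image: linuxkit/rngd:<TAG>
  - name: sshd
    image: linuxkit/sshd:<TAG>

# Key-only login: the public key is baked into the immutable image; no
# password is ever set, so nothing to brute-force on the stateless box.
files:
  - path: root/.ssh/authorized_keys
    source: ~/.ssh/id_rsa.pub
    mode: "0600"
    optional: true

# Require signed images from the linuxkit org when pulling at build time.
trust:
  org:
    - linuxkit
```

Because the root filesystem is stateless, anything written outside /var/lib/docker on this image is lost on reboot; only the formatted disk mounted in the onboot phase persists.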
Bonus Talk: LinuxKit Security SIG
Last week, we also had the first meeting for the LinuxKit Security Special Interest Group (SIG) – a group dedicated to discussing exciting ongoing security projects in LinuxKit and the upstream Linux community.
The LinuxKit Security SIG meetings are open to the public and occur every other Wednesday – come join us for our next meeting on June 7th at 9am PST!
Learn more about LinuxKit and other components of the Moby Project