We open-sourced LinuxKit in April 2017 at DockerCon in Austin. In this session, we'll take a detailed look at some advanced topics of LinuxKit ranging from the general read-only filesystem setup, multi-arch image support for x86_64 and arm64, custom network configuration, and kernel debugging and testing.

1. LinuxKit Deep Dive
Justin Cormack
Docker
Rolf Neugebauer
Docker
GH: justincormack
TW: @justincormack
GH: rn
TW: @neugebar

2. What is LinuxKit
A toolkit for building secure, portable and lean
operating systems for containers
● Uses moby tooling to build system images
● Everything is run in a container
● Running with containerd 1.0 branch for
over four months
● lightweight, fully customisable

3. LinuxKit architecture
Modern Linux kernel
Minimal init
containerD
Service
containers
on-boot
containers
shutdown
containers
kernel:
image: linuxkit/kernel:4.9.54
init:
- linuxkit/init:98e95fb67e8afcf02c09ba927e4b357fec42977a
- linuxkit/runc:991ef358ad8fc1111d64f4d8071f2009cc561f6a
- linuxkit/containerd:eaf0d615cfceb9d854408dd3c80429ee8ac4d051
onboot:
- name: dhcpcd
image: linuxkit/dhcpcd:aa685261ceb2557990dcfe9dd8824c6b9ec416e2
command: ["/sbin/dhcpcd", "--nobackground", "-f", "/dhcpcd.conf", "-1"]
services:
- name: getty
image: linuxkit/getty:7abaf7b276c59f80891d92e9279e3e3ee8e2f512
env:
- INSECURE=true
● YAML files describes complete system
● moby tool assembles boot image &
verifies signatures
● linuxkit tool for testing/running

4. Some metrics
●
~ 1400 commits since open sourcing (April 2017)
Active community on #linuxkit community slack
80 contributors, 52 external!
Thank you!

5. Major additions
● arm64 support
● Improved Kubernetes support
● Linux Containers on Windows (LCOW) preview
● Improved platform support:
○ packet.net, Azure, AWS, GCP,
VMware, Vultr, IBM Bluemix, Hyper-V, …
○ Mainly community additions!

6. Lots of “small” improvements
● Multi-arch build system
● Fully immutable system images
● Flexible networking setup + WireGuard
● Namespace sharing
● Persistent disk support
● TPM support
● Kernels 4.9, 4.10, 4.11, 4.12, 4.13 (4.14 soon)

7. Demo

8. Multi-arch buildsystem

9. LinuxKit packages
● Small container images on hub
● Pulled and assembled using the moby tool
● Signed with notary
● Multi-arch images (x86_64 and arm64)

10. Dhcpcd package
● All core LinuxKit packages are build from
linuxkit/alpine

11. LinuxKit “base” image
● linuxkit/alpine contains a apk mirror of Alpine
packages needed to build LinuxKit packages
○ Compilers, tools, and packages
○ Recorded exact versions of packages
○ Stashed on docker hub and signed
● docker build --network=none
● Repeatable builds!

12. Multi-stage builds
(introduced in docker 17.05.0-ce)

13. Multi-stage builds (cont)
● Install in /out and then copy to scratch
● Less than 2MB in size (Thanks to Alpine!)

14. What is run
● Default Entry point

15. Container details
● Default OCI runtime configuration snippets
● E.g., dhcpcd needs CAP_NET_ADMIN

16. Package build
● Additional labels for the repository and the git
revision this was build from

17. Package tags
● Hash of all source files (git tree hash)
● The same on all architectures

18. Push to hub
● Pushed to hub with Content trust
(https://blog.mobyproject.org/sign-all-the-things-c12c2182d9f6)

19. Multi-arch build
● Create a manifest list linuxkit/dhcpcd:<hash>
● Points to linuxkit/dhcpcd:<hash>-amd64 and
linuxkit/dhcpcd:<hash>-arm64

20. Sign the manifest
● This soon will be a lot easier with:
docker manifest and docker trust

21. Summary
Repeatable, cross-platform builds from base
image to full system image with content trust
throughout
linuxkit/alpine Packages
YAML
System Image
Dockerfile

22. Custom network config

23. What is WireGuard
● fast, modern, secure VPN
● included in the LinuxKit kernels
● On the way to being upstreamed in Linux
● just appears as a network interface

24. Service namespaces
● can create namespaces and share between
system services
● can create network interfaces in desired
namespaces or move them
● restrict network access in system containers

25. WireGuard example
● secure a redis service with a VPN tunnel
● only access is one end of an encrypted
network tunnel
● no access to external network
● can only send encrypted traffic

26. WireGuard example

27. WireGuard example

28. WireGuard demo

29. Building Kubernetes

30. Kubernetes update
● continual progress on the Kubernetes work
since the original launch
● supports Kubernetes with Docker or
cri-containerd
● will ship in Docker for Mac and Windows
● will support production deployments
with InfraKit in future

31. Kubernetes setup in brief
● uses KubeAdm to configure Kubernetes
● runs Kubelet in a system container but
sharing parts of filesystem
● immutable infrastructure
● supports multiple nodes

32. Kubernetes deep dive

33. The end
● Tycho: Container-relevant Upstream Kernel Developments (after this talk)
● Phil & Michael: Docker Multi-arch All The Things (in parallel to this talk)
● John: Linux Containers on Windows: The Inside Story (Wed am)
● Natanael: Small, Simple, and Secure: Alpine Linux (Wed lunch)
● Qualcomm booth in Exhibit hall (arm64 demos)
● Moby Summit (Thursday):
○ Andrew: LinuxKit on ARM
○ Sven: RancherOS and LinuxKit
○ Stephen & Phil: containerd presentation
GH: justincormack GH: rn
TW: @justincormack TW: @neugebar

34. The end
● Tycho: Container-relevant Upstream Kernel Developments (after this talk)
● Phil & Michael: Docker Multi-arch All The Things (in parallel to this talk)
● John: Linux Containers on Windows: The Inside Story (Wed am)
● Natanael: Small, Simple, and Secure: Alpine Linux (Wed lunch)
● Moby Summit (Thursday):
○ Andrew: LinuxKit on ARM
○ Sven: RancherOS and LinuxKit
GH: justincormack GH: rn
TW: @justincormack TW: @neugebar