We open-sourced LinuxKit in April 2017 at DockerCon in Austin. In this session, we take a detailed look at some advanced LinuxKit topics: the general read-only filesystem setup, multi-arch image support for x86_64 and arm64, custom network configuration, and kernel debugging and testing.
2. What is LinuxKit
A toolkit for building secure, portable and lean operating systems for containers
● Uses moby tooling to build system images
● Everything is run in a container
● Running with containerd 1.0 branch for over four months
● lightweight, fully customisable
4. Some metrics
● ~1400 commits since open sourcing (April 2017)
● Active community on #linuxkit community slack
● 80 contributors, 52 external!
Thank you!
5. Major additions
● arm64 support
● Improved Kubernetes support
● Linux Containers on Windows (LCOW) preview
● Improved platform support:
○ packet.net, Azure, AWS, GCP, VMware, Vultr, IBM Bluemix, Hyper-V, …
○ Mainly community additions!
6. Lots of “small” improvements
● Multi-arch build system
● Fully immutable system images
● Flexible networking setup + WireGuard
● Namespace sharing
● Persistent disk support
● TPM support
● Kernels 4.9, 4.10, 4.11, 4.12, 4.13 (4.14 soon)
9. LinuxKit packages
● Small container images on hub
● Pulled and assembled using the moby tool
● Signed with notary
● Multi-arch images (x86_64 and arm64)
11. LinuxKit “base” image
● linuxkit/alpine contains an apk mirror of the Alpine packages needed to build LinuxKit packages
○ Compilers, tools, and packages
○ Recorded exact versions of packages
○ Stashed on docker hub and signed
● docker build --network=none (no network access during the build, so everything comes from the pinned mirror)
● Repeatable builds!
23. What is WireGuard
● fast, modern, secure VPN
● included in the LinuxKit kernels
● On the way to being upstreamed in Linux
● just appears as a network interface
24. Service namespaces
● can create namespaces and share them between system services
● can create network interfaces in desired namespaces or move them
● restrict network access in system containers
25. WireGuard example
● secure a redis service with a VPN tunnel
● only access is one end of an encrypted network tunnel
● no access to external network
● can only send encrypted traffic
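The redis-behind-WireGuard setup from slides 24 and 25, written out as a LinuxKit YAML configuration. This is an added example, not a file from the talk or from the LinuxKit repository. It assumes the `net`, `runtime.interfaces` and `runtime.bindNS` keys of LinuxKit's YAML format as the editor understands them; every image tag marked PLACEHOLDER must be replaced with a real tag, and the tunnel addresses and key placeholders are constructed values.

```yaml
# Added example (not from the talk or the LinuxKit repo): boot redis inside
# a network namespace whose only interface is a WireGuard tunnel endpoint.
# Assumptions: PLACEHOLDER image tags must be replaced; the keys net,
# runtime.interfaces and runtime.bindNS follow LinuxKit's YAML format as the
# editor understands it; the 10.42.0.0/24 addresses and keys are constructed.
kernel:
  image: linuxkit/kernel:4.13.x            # PLACEHOLDER; 4.13 is one of the kernels listed on slide 6
  cmdline: "console=tty0 console=ttyS0"
init:
  - linuxkit/init:PLACEHOLDER
  - linuxkit/runc:PLACEHOLDER
  - linuxkit/containerd:PLACEHOLDER
onboot:
  # The root network namespace gets an address; it is the only namespace
  # that ever touches the physical NIC.
  - name: dhcpcd
    image: linuxkit/dhcpcd:PLACEHOLDER
    command: ["/sbin/dhcpcd", "--nobackground", "-f", "/dhcpcd.conf", "-1"]
  # Create the tunnel namespace. wg0 is created in the root namespace (so its
  # UDP socket, and with it all encrypted traffic, stays there) and is then
  # moved into this container's fresh network namespace.
  - name: wg0
    image: linuxkit/ip:PLACEHOLDER
    net: new
    binds:
      - /etc/wireguard:/etc/wireguard
    command:
      - sh
      - -c
      - >
        ip address add dev wg0 10.42.0.1 peer 10.42.0.2 &&
        wg setconf wg0 /etc/wireguard/wg0.conf &&
        ip link set up dev wg0
    runtime:
      interfaces:
        - name: wg0
          add: wireguard
          createInRoot: true
      # Pin the namespace to a path so later services can join it.
      bindNS:
        net: /run/netns/wg0
services:
  # redis joins the tunnel namespace: it sees lo and wg0 only, so the only
  # route in or out is the encrypted tunnel to the single configured peer.
  - name: redis
    image: redis:PLACEHOLDER
    net: /run/netns/wg0
files:
  - path: etc/wireguard/wg0.conf
    mode: "0600"
    contents: |
      [Interface]
      # Constructed placeholder; generate a real key with `wg genkey`
      PrivateKey = REPLACE_WITH_SERVER_PRIVATE_KEY
      ListenPort = 51820

      [Peer]
      # Public key of the one client allowed through the tunnel
      PublicKey = REPLACE_WITH_CLIENT_PUBLIC_KEY
      AllowedIPs = 10.42.0.2/32
```

The split of work between the two namespaces is the whole point: because the WireGuard interface was created in the root namespace, its UDP socket lives there, so the root namespace only ever carries ciphertext, while the redis namespace has no interface other than wg0 and can neither reach nor be reached by anything except the peer whose public key is listed. AllowedIPs on the server side is deliberately a single /32, so a misconfigured client cannot claim other tunnel addresses.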
30. Kubernetes update
● continual progress on the Kubernetes work since the original launch
● supports Kubernetes with Docker or cri-containerd
● will ship in Docker for Mac and Windows
● will support production deployments with InfraKit in future
31. Kubernetes setup in brief
● uses kubeadm to configure Kubernetes
● runs the Kubelet in a system container, but sharing parts of the filesystem
● immutable infrastructure
● supports multiple nodes
33. The end
● Tycho: Container-relevant Upstream Kernel Developments (after this talk)
● Phil & Michael: Docker Multi-arch All The Things (in parallel to this talk)
● John: Linux Containers on Windows: The Inside Story (Wed am)
● Natanael: Small, Simple, and Secure: Alpine Linux (Wed lunch)
● Qualcomm booth in Exhibit hall (arm64 demos)
● Moby Summit (Thursday):
○ Andrew: LinuxKit on ARM
○ Sven: RancherOS and LinuxKit
○ Stephen & Phil: containerd presentation
GH: justincormack, TW: @justincormack
GH: rn, TW: @neugebar