Ce diaporama a bien été signalé.
Nous utilisons votre profil LinkedIn et vos données d’activité pour vous proposer des publicités personnalisées et pertinentes. Vous pouvez changer vos préférences de publicités à tout moment.

LinuxKit: the first five months by Justin Cormack & Riyaz Faizullabhoy (Docker)

1 082 vues

Publié le

LinuxKit was launched five months ago, and has received a huge number of contributions from the Moby community. This talk will cover some of the large number of areas the community has contributed to, including: ARM64 support, bare metal support, containerd-cri integration with system containers and Kubernetes running on the same containerd and Wireguard for encrypted networking.

Publié dans : Technologie
  • Soyez le premier à commenter

  • Soyez le premier à aimer ceci

LinuxKit: the first five months by Justin Cormack & Riyaz Faizullabhoy (Docker)

  1. 1. LinuxKit: the first five months
  2. 2. What is LinuxKit? A toolkit for building secure, portable and lean operating systems for containers. ● uses Moby tooling to build system images ● everything is a container ● runs with Containerd 1.0 branch for over four months ● lightweight, fully customizable
  3. 3. Some metrics ● 75 contributors! ● first new maintainer appointed from the community ● 50 commits a week since DockerCon
  4. 4. Arm64 support Thanks to Dennis Chen at ARM ● multi arch base images so system containers can be built ● signed multiarch manifests - thanks to IBM for all their work ● thanks to Packet.net for providing ARM64 machines ● ongoing work on EFI boot that works cross platform ● other architectures now easy to add
  5. 5. Linux Containers on Windows ● as announced at DockerCon ● LinuxKit provides build images in blueprints/lcow.yml ● ultra minimal system only 13MB ● blog post https://blog.docker.com/2017/09/preview-linux-containers-on- windows/ ● ongoing work with Microsoft on shipping this
  6. 6. Platform support The community added support for so many platforms... ● Azure ● OpenStack ● VMware and vCenter ● Packet.net ● Vultr ● IBM Bluemix
  7. 7. Lots of smaller improvements ● TPM support ● containers to run on clean shutdown ● fully immutable images, eg CD-ROM images ● 4.10, 4.11, 4.12 kernels, 4.13 coming soon ● namespace sharing for system containers ● rewrote a lot of shell scripts in Go for better maintainability ● OCI runtime spec 1.0
  8. 8. WireGuard graduated from projects ● fast secure modern VPN tunnel based on Noise framework ● added to the LinuxKit kernels ● now easy to construct network tunnels between system containers ● prototype next stage of container networking
  9. 9. Kubernetes about to graduate from projects ● initial port contributed by Weave for DockerCon launch ● maintained since then ● also working on CRI-Containerd support, with shared system containerd ● more work ongoing ● full testing and validation planned
  10. 10. LinuxKit Security SIG
  11. 11. Type Safe System Daemons LinuxKit Security SIG Recap ● What if all system daemons were rewritten in type-safe languages? ○ examples of DNS / HTTPS in https://github.com/linuxkit/linux kit/tree/master/projects/mirages dk
  12. 12. LandLock LSM LinuxKit Security SIG Recap ● Robust, configurable LSM rules ● Powered by eBPF ● Exciting for container landscape
  13. 13. Memorizer LinuxKit Security SIG Recap ● Dynamic kernel tracing tool ○ makes use of KASAN ○ examples: https://github.com/linuxkit/linuxkit/ tree/master/projects/memorizer ● Goal: produce useful output for LSMs and other higher level policy decisions
  14. 14. WireGuard LinuxKit Security SIG Recap ● Modern VPN implementing The Noise Protocol ○ only a few thousand lines of code! ● Now included in LinuxKit userspace and kernels
  15. 15. HPE okernel LinuxKit Security SIG Recap ● Separate parts of the kernel into more and less privileged partitions ● Maps to containers ○ Examples: https://github.com/linuxkit/linuxkit /tree/master/projects/okernel
  16. 16. What’s next? LinuxKit Security ● Cultivate security community and testbed ● Directly contribute to upstream Linux development ○ XPFO ○ eBPF hardening ○ Namespacing IMA
  17. 17. Demos
  18. 18. What about the next six months? ● stable releases ● Containerd 1.0 ● Docker desktop and cloud editions based on LinuxKit coming soon ● containerd integration for Moby build tool, to allow building without Docker, for easier build pipelines
  19. 19. @justincormack @riyazdfThank you!

×