Justin Cormack

Announcing LinuxKit: A Toolkit for building Secure, Lean and Portable Linux Subsystems

linuxKit
 

Last year, one of the most common requests we heard from our users was to bring a Docker-native experience to their platforms. These platforms were many and varied: from cloud platforms such as AWS, Azure, Google Cloud, to server platforms such as Windows Server, desktop platforms that their developers used such as OSX and Windows 10, to mainframes and IoT platforms –  the list went on.

We started working on support for these platforms, and we initially shipped Docker for Mac and Docker for Windows, followed by Docker for AWS and Docker for Azure. Most recently, we announced the beta of Docker for GCP. The customizations we applied to make Docker native for each platform have furthered the adoption of the Docker editions.

One of the issues we encountered was that for many of these platforms, the users wanted Linuxcontainer support but the platform itself did not ship with Linux included. Mac OS and Windows are two obvious examples, but cloud platforms do not ship with a standard Linux either. So it made sense for us to bundle Linux into the Docker platform to run in these places.

What we needed to bundle was a secure, lean and portable Linux subsystem that can provide Linux container functionality as a component of a container platform. As it turned out, this is what many other people working with containers wanted as well; secure, lean and portable Linux subsystem for the container movement, So, we partnered with several companies and the Linux Foundation to build this component. These companies include HPE, Intel, ARM, IBM and Microsoft – all of whom are interested in bringing Linux container functionality to new and varied platforms, from IoT to mainframes.

LinuxKit includes the tooling to allow building custom Linux subsystems that only include exactly the components the runtime platform requires. All system services are containers that can be replaced, and everything that is not required can be removed. All components can be substituted with ones that match specific needs. It is a kit, very much in the Docker philosophy of batteries included but swappable.  Today, onstage at Dockercon 2017 we opensourced LinuxKit at https://github.com/linuxkit/linuxkit.

To achieve our goals of a secure, lean and portable OS,we built it from containers, for containers.  Security is a top-level objective and aligns with NIST stating, in their draft Application Container Security Guide: “Use container-specific OSes instead of general-purpose ones to reduce attack surfaces. When using a container-specific OS, attack surfaces are typically much smaller than they would be with a general-purpose OS, so there are fewer opportunities to attack and compromise a container-specific OS.”

The leanness directly helps with security by removing parts not needed if the OS is designed around the single use case of running containers. Because LinuxKit is container-native, it has a very minimal size – 35MB with a very minimal boot time.  All system services are containers, which means that everything can be removed or replaced.

System services are sandboxed in containers, with only the privileges they need. The configuration is designed for the container use case. The whole system is built to be used as immutable infrastructure, so it can be built and tested in your CI pipeline, deployed, and new versions are redeployed when you wish to upgrade.

The kernel comes from our collaboration with the Linux kernel community, participating in the process and work with groups such as the Kernel Self Protection Project (KSPP), while shipping recent kernels with only the minimal patches needed to fix issues with the platforms LinuxKit supports. The kernel security process is too big for a single company to try to develop on their own therefore a broad industry collaboration is necessary.

In addition LinuxKit provides a space to incubate security projects that show promise for improving Linux security. We are working with external open source projects such as Wireguard, Landlock, Mirage, oKernel, Clear Containers and more to provide a testbed and focus for innovation in the container space, and a route to production.

LinuxKit is portable, as it was built for the many platforms Docker runs on now, and with a view to making it run on far more.. Whether they are large or small machines, bare metal or virtualized, mainframes or the kind of devices that are used in Internet of Things scenarios as containers reach into every area of computing.

For the launch we invited John Gossman from Microsoft onto the stage. We have a long history of collaboration with Microsoft, on Docker for Windows Server, Docker for Windows and Docker for Azure. Part of that collaboration has been work on the Linux subsystem in Docker for Windows and Docker for Azure, and working on Hyper-V integration with LinuxKit on those platforms. The next step in that collaboration announced today is that all Windows Server and Windows 10 customers will get access to Linux containers and we will be working together on how to integrate linuxKit with Hyper-V isolation.

Today we open up LinuxKit to partners and open source enthusiasts to build new things with Linux and to expand the container platform. We look forward to seeing what you make from it and contribute back to the community.

Learn More about Linuxkit:

 

,

Justin Cormack

Announcing LinuxKit: A Toolkit for building Secure, Lean and Portable Linux Subsystems


8 Responses to “Announcing LinuxKit: A Toolkit for building Secure, Lean and Portable Linux Subsystems”

  1. Tal

    Hi Justin, how exactly one get supported when using LinuxKit? if i LinuxKit a RHEL distort or an Ubuntu Distro and using your + community kernel, neither RHEL or ubuntu will support such a Linux OS.
    Commercial Linux Distributions such as RHEL insists that the kernel comes from Red hat. that you did not modify a single bit if you want support, and that RHEL supports only thier own glibc + thier kernel. What is the value if LinuxKit when ISVs need to provide end to end support in specific industries – lets say Telecom industry…. Thanks.

    Reply
  2. Sudhir Babu

    Awesome news. I have been looking into similar alternatives with little to no success in achieving it.
    Need to give it a try asap.. thank you for heeding to the community and the need of many.

    Reply
  3. Ashish Barot

    This is really great idea by Docker Team. Now every Operating system can use Docker easily and speed up their process to build new container based Apps.

    Congratulations Docker "LinuxKit" team.

    Regards,
    Ashish Barot.

    Reply
  4. Frank Geck

    I understand that Linuxkit does not currently work with DDC. Any idea when it might?

    Reply
  5. codergr

    "… Perhaps LinuxKit is more important than I initially thought it reminds me of old good docker days … "

    Reply
  6. Jack

    Does this mean Windows 10 Home (non-Pro) PCs will get all necessary Hyper-V for running Docker containers at kernel level? Or will Windows 10 Pro still be required? This is a great difference as Windows Professional might have worse availability on the market than Macs, esp. if Microsoft is planing to charge more for that SKU.

    Reply
  7. Rigon

    What I really love to see is running Linux containers natively on Windows! That would be really great. It will not require a Virtual Machine (and 2GB of RAM by default and 1GB minimum) to run containers. All resources available in the machine could be used by containers.

    I think some steps were already taken towards this goal with Windows Subsystem for Linux by mapping Linux calls to Windows kernel. But a lot more needs to be done.
    And plus, it will not require to switch between Linux containers and Windows containers, because Windows, in this case, can understand both systems!!

    I hope to see some news, soon!

    Reply

Leave a Reply to Rigon

Click here to cancel reply.

Get the Latest Docker News by Email

Docker Weekly is a newsletter with the latest content on Docker and the agenda for the upcoming weeks.