LinuxKit: the first five months by Justin Cormack & Riyaz Faizullabhoy (Docker)

Download as PPTX, PDF

•0 likes•1,405 views

LinuxKit is a toolkit for building secure, portable, and lean operating systems for containers. It uses Moby tooling to build system images and runs everything as containers using Containerd 1.0. In the first five months it has gained 75 contributors and support for ARM64, Windows containers, and many platforms. It also added WireGuard VPN, improved security with LSM rules and eBPF, and plans to graduate Kubernetes support. Future work includes cultivating the security community, contributing upstream, and stable releases with Containerd 1.0 integration.

Technology

What is LinuxKit?
A toolkit for building secure, portable and lean operating systems for
containers.
● uses Moby tooling to build system images
● everything is a container
● runs with Containerd 1.0 branch for over four months
● lightweight, fully customizable

Some metrics
● 75 contributors!
● first new maintainer appointed from the community
● 50 commits a week since DockerCon

Arm64 support
Thanks to Dennis Chen at ARM
● multi arch base images so system containers can be built
● signed multiarch manifests - thanks to IBM for all their work
● thanks to Packet.net for providing ARM64 machines
● ongoing work on EFI boot that works cross platform
● other architectures now easy to add

Linux Containers on Windows
● as announced at DockerCon
● LinuxKit provides build images in blueprints/lcow.yml
● ultra minimal system only 13MB
● blog post https://blog.docker.com/2017/09/preview-linux-containers-on-
windows/
● ongoing work with Microsoft on shipping this

Platform support
The community added support for so many platforms...
● Azure
● OpenStack
● VMware and vCenter
● Packet.net
● Vultr
● IBM Bluemix

Lots of smaller improvements
● TPM support
● containers to run on clean shutdown
● fully immutable images, eg CD-ROM images
● 4.10, 4.11, 4.12 kernels, 4.13 coming soon
● namespace sharing for system containers
● rewrote a lot of shell scripts in Go for better maintainability
● OCI runtime spec 1.0

WireGuard graduated from projects
● fast secure modern VPN tunnel based on Noise framework
● added to the LinuxKit kernels
● now easy to construct network tunnels between system containers
● prototype next stage of container networking

Kubernetes about to graduate from projects
● initial port contributed by Weave for DockerCon launch
● maintained since then
● also working on CRI-Containerd support, with shared system
containerd
● more work ongoing
● full testing and validation planned

Type Safe System Daemons
LinuxKit Security SIG Recap
● What if all system daemons
were rewritten in type-safe
languages?
○ examples of DNS / HTTPS in
https://github.com/linuxkit/linux
kit/tree/master/projects/mirages
dk

LandLock LSM
LinuxKit Security SIG Recap
● Robust, configurable LSM rules
● Powered by eBPF
● Exciting for container landscape

Memorizer
LinuxKit Security SIG Recap
● Dynamic kernel tracing tool
○ makes use of KASAN
○ examples:
https://github.com/linuxkit/linuxkit/
tree/master/projects/memorizer
● Goal: produce useful output
for LSMs and other higher
level policy decisions

WireGuard
LinuxKit Security SIG Recap
● Modern VPN implementing The
Noise Protocol
○ only a few thousand lines of code!
● Now included in LinuxKit
userspace and kernels

HPE okernel
LinuxKit Security SIG Recap
● Separate parts of the kernel
into more and less privileged
partitions
● Maps to containers
○ Examples:
https://github.com/linuxkit/linuxkit
/tree/master/projects/okernel

What’s next?
LinuxKit Security
● Cultivate security community and testbed
● Directly contribute to upstream Linux development
○ XPFO
○ eBPF hardening
○ Namespacing IMA

What about the next six months?
● stable releases
● Containerd 1.0
● Docker desktop and cloud editions based on LinuxKit coming soon
● containerd integration for Moby build tool, to allow building without
Docker, for easier build pipelines

More Related Content

PPTX

LinuxKit Update at the Moby SummitDocker, Inc.

PPTX

Containerd - core container runtime component Docker, Inc.

PPTX

State of Builder and Buildkit by Tonis Tiigi (Docker)Docker, Inc.

PPTX

LlinuxKit security, Security Scanning and NotaryDocker, Inc.

PDF

Introduction to LinuxKit - Docker Bangalore MeetupAjeet Singh Raina

PDF

Looking Under The Hood: containerDDocker, Inc.

PPTX

The state of containerdDocker, Inc.

PDF

Innovating Out In The Open - OSCON 2016Phil Estes

LinuxKit Update at the Moby SummitDocker, Inc.

Containerd - core container runtime component Docker, Inc.

State of Builder and Buildkit by Tonis Tiigi (Docker)Docker, Inc.

LlinuxKit security, Security Scanning and NotaryDocker, Inc.

Introduction to LinuxKit - Docker Bangalore MeetupAjeet Singh Raina

Looking Under The Hood: containerDDocker, Inc.

The state of containerdDocker, Inc.

Innovating Out In The Open - OSCON 2016Phil Estes

What's hot (20)

PDF

Effective Data Pipelines with Docker & Jenkins - Brian DonaldsonDocker, Inc.

PPTX

Introducing LinuxKitDocker, Inc.

PDF

Kubernetes with dockerDocker, Inc.

PPTX

LinuxKitMoby Project

PDF

Introduction of Docker and Docker ComposeDr. Ketan Parmar

PDF

containerd summit - Deep Dive into containerdDocker, Inc.

PDF

LinuxKit and Moby, news from DockerCon 2017 - Austin,TXDieter Reuter

PDF

Kubernetes in DockerDocker, Inc.

PDF

Online Meetup: Intro to LinuxKitDocker, Inc.

PDF

Leveraging the Power of containerd Events - Evan HazlettDocker, Inc.

PPTX

Windows Server Containers- How we hot here and architecture deep diveDocker, Inc.

PDF

Bucketbench: Benchmarking Container Runtime PerformancePhil Estes

PDF

Container Runtimes: Comparing and Contrasting Today's EnginesPhil Estes

PDF

Developer workflow with dockerLalatendu Mohanty

PDF

Online Meetup: What's new in docker 1.13.0 Docker, Inc.

PDF

Android Meets DockerDocker, Inc.

PDF

Mobycraft:Docker in 8-bit (Meetup at Docker HQ 4/7)Docker, Inc.

PPTX

Kubernetes CRI containerd integration by Lantao Liu (Google)Docker, Inc.

PDF

LinuxKit Deep DiveDocker, Inc.

PPTX

Docker presentationWes Eklund

Effective Data Pipelines with Docker & Jenkins - Brian DonaldsonDocker, Inc.

Introducing LinuxKitDocker, Inc.

Kubernetes with dockerDocker, Inc.

LinuxKitMoby Project

Introduction of Docker and Docker ComposeDr. Ketan Parmar

containerd summit - Deep Dive into containerdDocker, Inc.

LinuxKit and Moby, news from DockerCon 2017 - Austin,TXDieter Reuter

Kubernetes in DockerDocker, Inc.

Online Meetup: Intro to LinuxKitDocker, Inc.

Leveraging the Power of containerd Events - Evan HazlettDocker, Inc.

Windows Server Containers- How we hot here and architecture deep diveDocker, Inc.

Bucketbench: Benchmarking Container Runtime PerformancePhil Estes

Container Runtimes: Comparing and Contrasting Today's EnginesPhil Estes

Developer workflow with dockerLalatendu Mohanty

Online Meetup: What's new in docker 1.13.0 Docker, Inc.

Android Meets DockerDocker, Inc.

Mobycraft:Docker in 8-bit (Meetup at Docker HQ 4/7)Docker, Inc.

Kubernetes CRI containerd integration by Lantao Liu (Google)Docker, Inc.

LinuxKit Deep DiveDocker, Inc.

Docker presentationWes Eklund

Similar to LinuxKit: the first five months by Justin Cormack & Riyaz Faizullabhoy (Docker) (20)

PPTX

Moby Open Source Summit North America 2017Patrick Chanezon

PDF

LinuxKit & Moby - The next level of the container ecosystemPatrick Kleindienst

PPTX

Central Iowa Linux Users Group: November Meeting -- Container showdownAndrew Denner

PDF

Docker for Mac and Windows: The Insider's Guide by Justin CormackDocker, Inc.

PDF

OSCON: Advanced Docker developer workflows on Mac OS and WindowsDocker, Inc.

PDF

Advanced Docker Developer Workflows on MacOS X and WindowsAnil Madhavapeddy

PPTX

Oscon 2017: Build your own container-based system with the Moby projectPatrick Chanezon

PDF

"Lightweight Virtualization with Linux Containers and Docker". Jerome Petazzo...Yandex

PDF

Evolution of containers to kubernetesKrishna-Kumar

PPTX

Being a Moby maintainerAkihiro Suda

PDF

Unikernels: Rise of the Library HypervisorAnil Madhavapeddy

PDF

ACM_Intro_Containers_Cloud.pdf Cloud.pdfTrevor Roberts Jr.

PDF

2014 11-05 hpcac-kniep_christian_dockermpiQNIB Solutions

PDF

VASCAN - Docker and SecurityMichael Irwin

PPTX

Docker Meetup 08 03-2016Docker

PDF

Lightweight Virtualization with Linux Containers and Docker | YaC 2013dotCloud

PDF

Lightweight Virtualization with Linux Containers and Docker I YaC 2013Docker, Inc.

PDF

Unikernels: the rise of the library hypervisor in MirageOSDocker, Inc.

PDF

Evolution of Linux Containerization WSO2

PDF

Evoluation of Linux Container VirtualizationImesh Gunaratne

Moby Open Source Summit North America 2017Patrick Chanezon

LinuxKit & Moby - The next level of the container ecosystemPatrick Kleindienst

Central Iowa Linux Users Group: November Meeting -- Container showdownAndrew Denner

Docker for Mac and Windows: The Insider's Guide by Justin CormackDocker, Inc.

OSCON: Advanced Docker developer workflows on Mac OS and WindowsDocker, Inc.

Advanced Docker Developer Workflows on MacOS X and WindowsAnil Madhavapeddy

Oscon 2017: Build your own container-based system with the Moby projectPatrick Chanezon

"Lightweight Virtualization with Linux Containers and Docker". Jerome Petazzo...Yandex

Evolution of containers to kubernetesKrishna-Kumar

Being a Moby maintainerAkihiro Suda

Unikernels: Rise of the Library HypervisorAnil Madhavapeddy

ACM_Intro_Containers_Cloud.pdf Cloud.pdfTrevor Roberts Jr.

2014 11-05 hpcac-kniep_christian_dockermpiQNIB Solutions

VASCAN - Docker and SecurityMichael Irwin

Docker Meetup 08 03-2016Docker

Lightweight Virtualization with Linux Containers and Docker | YaC 2013dotCloud

Lightweight Virtualization with Linux Containers and Docker I YaC 2013Docker, Inc.

Unikernels: the rise of the library hypervisor in MirageOSDocker, Inc.

Evolution of Linux Containerization WSO2

Evoluation of Linux Container VirtualizationImesh Gunaratne

More from Docker, Inc. (20)

PDF

Containerize Your Game Server for the Best Multiplayer Experience Docker, Inc.

PDF

How to Improve Your Image Builds Using Advance Docker BuildDocker, Inc.

PDF

Build & Deploy Multi-Container Applications to AWSDocker, Inc.

PDF

Securing Your Containerized Applications with NGINXDocker, Inc.

PDF

How To Build and Run Node Apps with Docker and ComposeDocker, Inc.

PDF

Hands-on Helm Docker, Inc.

PDF

Distributed Deep Learning with Docker at SalesforceDocker, Inc.

PDF

The First 10M Pulls: Building The Official Curl Image for Docker HubDocker, Inc.

PDF

Monitoring in a Microservices WorldDocker, Inc.

PDF

COVID-19 in Italy: How Docker is Helping the Biggest Italian IT Company Conti...Docker, Inc.

PDF

Predicting Space Weather with DockerDocker, Inc.

PDF

Become a Docker Power User With Microsoft Visual Studio CodeDocker, Inc.

PDF

How to Use Mirroring and Caching to Optimize your Container RegistryDocker, Inc.

PDF

Monolithic to Microservices + Docker = SDLC on Steroids!Docker, Inc.

PDF

Kubernetes at Datadog ScaleDocker, Inc.

PDF

Labels, Labels, Labels Docker, Inc.

PDF

Using Docker Hub at Scale to Support Micro Focus' Delivery and Deployment ModelDocker, Inc.

PDF

Build & Deploy Multi-Container Applications to AWSDocker, Inc.

PDF

From Fortran on the Desktop to Kubernetes in the Cloud: A Windows Migration S...Docker, Inc.

PDF

Developing with Docker for the Arm ArchitectureDocker, Inc.

Containerize Your Game Server for the Best Multiplayer Experience Docker, Inc.

How to Improve Your Image Builds Using Advance Docker BuildDocker, Inc.

Build & Deploy Multi-Container Applications to AWSDocker, Inc.

Securing Your Containerized Applications with NGINXDocker, Inc.

How To Build and Run Node Apps with Docker and ComposeDocker, Inc.

Hands-on Helm Docker, Inc.

Distributed Deep Learning with Docker at SalesforceDocker, Inc.

The First 10M Pulls: Building The Official Curl Image for Docker HubDocker, Inc.

Monitoring in a Microservices WorldDocker, Inc.

COVID-19 in Italy: How Docker is Helping the Biggest Italian IT Company Conti...Docker, Inc.

Predicting Space Weather with DockerDocker, Inc.

Become a Docker Power User With Microsoft Visual Studio CodeDocker, Inc.

How to Use Mirroring and Caching to Optimize your Container RegistryDocker, Inc.

Monolithic to Microservices + Docker = SDLC on Steroids!Docker, Inc.

Kubernetes at Datadog ScaleDocker, Inc.

Labels, Labels, Labels Docker, Inc.

Using Docker Hub at Scale to Support Micro Focus' Delivery and Deployment ModelDocker, Inc.

Build & Deploy Multi-Container Applications to AWSDocker, Inc.

From Fortran on the Desktop to Kubernetes in the Cloud: A Windows Migration S...Docker, Inc.

Developing with Docker for the Arm ArchitectureDocker, Inc.

Recently uploaded (20)

PDF

AI Unleashed - Shaping the Future -Starting Today - AIOUG Yatra 2025 - For Co...Sandesh Rao

PDF

Unlocking the Future- AI Agents Meet Oracle Database 23ai - AIOUG Yatra 2025.pdfSandesh Rao

PDF

Google I/O Extended 2025 Baku - all pptsHusseinMalikMammadli

PDF

Orbitly Pitch Deck｜A Mission-Driven Platform for Side Project Collaboration (...zz41354899

PDF

MASTERDECK GRAPHSUMMIT SYDNEY (Public).pdfNeo4j

PPTX

Agile Chennai 18-19 July 2025 Ideathon | AI Powered Microfinance Literacy Gui...AgileNetwork

PPTX

The-Ethical-Hackers-Imperative-Safeguarding-the-Digital-Frontier.pptxsujalchauhan1305

PDF

Using Anchore and DefectDojo to Stand Up Your DevSecOps FunctionAnchore

PDF

Accelerating Oracle Database 23ai Troubleshooting with Oracle AHF Fleet Insig...Sandesh Rao

PDF

Software Development Methodologies in 2025KodekX

PPTX

IT Runs Better with ThousandEyes AI-driven AssuranceThousandEyes

PDF

Oracle AI Vector Search- Getting Started and what's new in 2025- AIOUG Yatra ...Sandesh Rao

PDF

Trying to figure out MCP by actually building an app from scratch with open s...Julien SIMON

PPTX

Applied-Statistics-Mastering-Data-Driven-Decisions.pptxparmaryashparmaryash

PDF

The Future of Mobile Is Context-Aware—Are You Ready?iProgrammer Solutions Private Limited

PDF

Data_Analytics_vs_Data_Science_vs_BI_by_CA_Suvidha_Chaplot.pdfCA Suvidha Chaplot

PDF

Automating ArcGIS Content Discovery with FME: A Real World Use CaseSafe Software

PPTX

Agile Chennai 18-19 July 2025 | Emerging patterns in Agentic AI by Bharani Su...AgileNetwork

PPTX

AI in Daily Life: How Artificial Intelligence Helps Us Every Dayvanshrpatil7

PDF

A Strategic Analysis of the MVNO Wave in Emerging Markets.pdfIPLOOK Networks

AI Unleashed - Shaping the Future -Starting Today - AIOUG Yatra 2025 - For Co...Sandesh Rao

Unlocking the Future- AI Agents Meet Oracle Database 23ai - AIOUG Yatra 2025.pdfSandesh Rao

Google I/O Extended 2025 Baku - all pptsHusseinMalikMammadli

Orbitly Pitch Deck｜A Mission-Driven Platform for Side Project Collaboration (...zz41354899

MASTERDECK GRAPHSUMMIT SYDNEY (Public).pdfNeo4j

Agile Chennai 18-19 July 2025 Ideathon | AI Powered Microfinance Literacy Gui...AgileNetwork

The-Ethical-Hackers-Imperative-Safeguarding-the-Digital-Frontier.pptxsujalchauhan1305

Using Anchore and DefectDojo to Stand Up Your DevSecOps FunctionAnchore

Accelerating Oracle Database 23ai Troubleshooting with Oracle AHF Fleet Insig...Sandesh Rao

Software Development Methodologies in 2025KodekX

IT Runs Better with ThousandEyes AI-driven AssuranceThousandEyes

Oracle AI Vector Search- Getting Started and what's new in 2025- AIOUG Yatra ...Sandesh Rao

Trying to figure out MCP by actually building an app from scratch with open s...Julien SIMON

Applied-Statistics-Mastering-Data-Driven-Decisions.pptxparmaryashparmaryash

The Future of Mobile Is Context-Aware—Are You Ready?iProgrammer Solutions Private Limited

Data_Analytics_vs_Data_Science_vs_BI_by_CA_Suvidha_Chaplot.pdfCA Suvidha Chaplot

Automating ArcGIS Content Discovery with FME: A Real World Use CaseSafe Software

Agile Chennai 18-19 July 2025 | Emerging patterns in Agentic AI by Bharani Su...AgileNetwork

AI in Daily Life: How Artificial Intelligence Helps Us Every Dayvanshrpatil7

A Strategic Analysis of the MVNO Wave in Emerging Markets.pdfIPLOOK Networks

LinuxKit: the first five months by Justin Cormack & Riyaz Faizullabhoy (Docker)

1. LinuxKit: the first five months

2. What is LinuxKit? A toolkit for building secure, portable and lean operating systems for containers. ● uses Moby tooling to build system images ● everything is a container ● runs with Containerd 1.0 branch for over four months ● lightweight, fully customizable

3. Some metrics ● 75 contributors! ● first new maintainer appointed from the community ● 50 commits a week since DockerCon

4. Arm64 support Thanks to Dennis Chen at ARM ● multi arch base images so system containers can be built ● signed multiarch manifests - thanks to IBM for all their work ● thanks to Packet.net for providing ARM64 machines ● ongoing work on EFI boot that works cross platform ● other architectures now easy to add

5. Linux Containers on Windows ● as announced at DockerCon ● LinuxKit provides build images in blueprints/lcow.yml ● ultra minimal system only 13MB ● blog post https://blog.docker.com/2017/09/preview-linux-containers-on- windows/ ● ongoing work with Microsoft on shipping this

6. Platform support The community added support for so many platforms... ● Azure ● OpenStack ● VMware and vCenter ● Packet.net ● Vultr ● IBM Bluemix

7. Lots of smaller improvements ● TPM support ● containers to run on clean shutdown ● fully immutable images, eg CD-ROM images ● 4.10, 4.11, 4.12 kernels, 4.13 coming soon ● namespace sharing for system containers ● rewrote a lot of shell scripts in Go for better maintainability ● OCI runtime spec 1.0

8. WireGuard graduated from projects ● fast secure modern VPN tunnel based on Noise framework ● added to the LinuxKit kernels ● now easy to construct network tunnels between system containers ● prototype next stage of container networking

9. Kubernetes about to graduate from projects ● initial port contributed by Weave for DockerCon launch ● maintained since then ● also working on CRI-Containerd support, with shared system containerd ● more work ongoing ● full testing and validation planned

10. LinuxKit Security SIG

11. Type Safe System Daemons LinuxKit Security SIG Recap ● What if all system daemons were rewritten in type-safe languages? ○ examples of DNS / HTTPS in https://github.com/linuxkit/linux kit/tree/master/projects/mirages dk

12. LandLock LSM LinuxKit Security SIG Recap ● Robust, configurable LSM rules ● Powered by eBPF ● Exciting for container landscape

13. Memorizer LinuxKit Security SIG Recap ● Dynamic kernel tracing tool ○ makes use of KASAN ○ examples: https://github.com/linuxkit/linuxkit/ tree/master/projects/memorizer ● Goal: produce useful output for LSMs and other higher level policy decisions

14. WireGuard LinuxKit Security SIG Recap ● Modern VPN implementing The Noise Protocol ○ only a few thousand lines of code! ● Now included in LinuxKit userspace and kernels

15. HPE okernel LinuxKit Security SIG Recap ● Separate parts of the kernel into more and less privileged partitions ● Maps to containers ○ Examples: https://github.com/linuxkit/linuxkit /tree/master/projects/okernel

16. What’s next? LinuxKit Security ● Cultivate security community and testbed ● Directly contribute to upstream Linux development ○ XPFO ○ eBPF hardening ○ Namespacing IMA

17. Demos

18. What about the next six months? ● stable releases ● Containerd 1.0 ● Docker desktop and cloud editions based on LinuxKit coming soon ● containerd integration for Moby build tool, to allow building without Docker, for easier build pipelines

19. @justincormack @riyazdfThank you!