Introducing LinuxKit
Download as PPTX, PDF2 likes674 views
LinuxKit is an open source project that provides the components to build secure, portable, and lean container-based operating systems. It produces minimal and immutable images defined through a YAML configuration file. The project emphasizes security through limiting components, modern kernels, and container isolation with minimal privileges. It is maintained by Anthropic and supported on various platforms through integration with tools like Docker, Kubernetes, and InfraKit for managing clusters. Future work includes porting to more platforms and architectures while improving security and reliability.
Introducing LinuxKit
- 4. “In the cloud, we know exactly what we want a server to be, and if we want to change that we simply terminate it and launch a new server with a new AMI.” Netflix Building with Legos, 2011 immutable delivery
- 5. “As a system administrator, one of the scariest things I ever encounter is a server that’s been running for ages. If you absolutely know a system has been created via automation and never changed since the moment of creation, most of the problems disappear.” Chad Fowler,Trash Your Servers and Burn Your Code, 2013 immutable delivery
- 6. first desktop then cloud immutable delivery was what we needed for reliability • could not find an existing solution • iterated since 2015 • found a design that is useful for others • time to open source and get community input built for Docker Editions
- 7. • batteries included, but removable • fast to build • build whole system in your CI pipeline • fast to boot • immutable in production • designed to be managed by external tooling • container native, cloud native requirements
- 9. “A secure, portable and lean operating system built for containers” Solomon Hykes
- 10. which can be replaced The project provides the base containers to get started, with an emphasis on minimalism and security • you only need a few containers • enough to bootstrap distributed applications Secure defaults
- 12. The moby tool builds systems • Moby project is a kit of parts • LinuxKit is the first use case • designed to put together distributed systems • built from containers Moby tool
- 13. The config file defines the whole system • kernel • boot scripts • config containers • service containers Also defines what to output: ISOs, AMIs etc yaml file defines boot image
- 14. kernel: image: "linuxkit/kernel:4.9.x" cmdline: "console=ttyS0 console=tty0 page_poison=1" init: - linuxkit/init - linuxkit/runc - linuxkit/containerd onboot: ... services: ... yaml config file
- 15. services: - name: nginx image: "nginx:alpine" capabilities: - CAP_NET_BIND_SERVICE - CAP_CHOWN - CAP_SETUID - CAP_SETGID - CAP_DAC_OVERRIDE net: host let us take a look...
- 17. “Use container-specific OSes instead of general-purpose ones to reduce attack surfaces. When using a container-specific OS, attack surfaces are typically much smaller than they would be with a general-purpose OS, so there are fewer opportunities to attack and compromise a container-specific OS.” NIST draft Application Container Security Guide Security
- 18. • include only what you need • modern kernel, secure config • moving system services to safe languages • fuzz testing, review • containerized services, minimal privileges • testing and then shipping new security tech Security
- 19. Talk today 5.10pm Secure Substrate: Least Privilege Container Deployment Security
- 21. A toolkit for creating and managing declarative, self-healing infrastructure. • Actively ensures desired state of infrastructure • Plugin based • Plugins for pets and cattle, raft stores etc InfraKit
- 23. Alternatives to Infrakit for managing a cluster • Terraform • AWS CloudFormation • any tooling you like... Other management tools
- 25. • Kubernetes • Wireguard • Landlock eBPF LSM • Clear Containers • arm64 support, other architectures • oKernel many more... a lot around new security approaches Looking to the future Cutting edge projects
- 26. Roadmap
- 27. Best supported right now • OSX/hyperkit, VMWare, Qemu/KVM • Google Cloud, Packet.net In progress, being ported but not integrated in CLI • AWS, Azure, Windows, BlueMix, Clear Containers • Arm64 support Planned • ARM, other architectures • other cloud providers Platform support
- 28. many improvements needed • rewrite in safe languages such as Rust • blueprints for different platforms • improve security • improved APIs • reliability and testing • new use cases, new platforms lots of work to do
- 29. • chance to meet the maintainers and developers • in depth discussions of Moby Project and LinuxKit • discuss roadmap • look at new use cases • start hacking! Moby Summit on Thursday