LinuxKit and Moby, news from DockerCon 2017 - Austin,TX

LinuxKit and MobyNews from DockerCon 2017 - Austin,TX

Dieter Reuter - @Quintus23MSenior Consultant at bee42 solutions gmbh - @bee42solutions

Docker Captain - @HypriotTweets

Docker Meetup Bochum, May 11th 2017

What happened? What to expect?

Will I become a Moby Captain?

What will change?Governance?

What’s that LinuxKit?

What is LinuxKit ?

“A platform is only as secureas its weakest components„

— Solomon Hykes

“I want Docker for whateverplatform!„— Me (whenever I discover any new platform)

LinuxKita SECURE Linux subsystem

Only works with containers

- Smaller attack surface- Immutable infrastructure- Sandboxed system services- Specialized patches and

configurations

Incubator for security innovations

- Wireguard, Landlock, KSPP- MirageOS type safe system

daemons- okernel

Community-first security process

- Linux is too big for a single company to secure it

- Participate in existing Linux security efforts

LinuxKita LEAN Linux subsystem

- Minimal size, minimal boot time- All system services are containers- Everything can be removed or replaced

- Desktop, Server, IoT, Mainframe- Intel & ARM (and others)- Bare Metal & Virtualized- On-premises & in the Cloud

LinuxKita PORTABLE Linux subsystem

In LinuxKit the BluePrint is a YAML file! Example “linuxkit.yml” see: https://github.com/linuxkit/linuxkit/blob/master/linuxkit.yml

kernel:

image: "linuxkit/kernel:4.9.x"

cmdline: "console=ttyS0 console=tty0 page_poison=1"

Everything is a yaml file: kernel

see: https://github.com/linuxkit/linuxkit/blob/master/docs/yaml.md#kernel

init:

- linuxkit/init:63eed9ca7a09d2ce4c0c5e7238ac005fa44f564b

- linuxkit/runc:2649198589ef0020d99f613adaeda45ce0093a38

- linuxkit/containerd:18eaf72f3f4f9a9f29ca1951f66df701f873060b

- linuxkit/ca-certificates:3344cdca1bc59fdfa17bd7f0fcbf491b9dbaa288

Everything is a yaml file: init

see: https://github.com/linuxkit/linuxkit/blob/master/docs/yaml.md#init

Everything is a yaml file: onbootonboot:

- name: sysctl

image: "linuxkit/sysctl:1f5ec5d5e6f7a7a1b3d2ff9dd9e36fd6fb14756a"

net: host

pid: host

ipc: host

capabilities:

- CAP_SYS_ADMIN

readonly: true

see: https://github.com/linuxkit/linuxkit/blob/master/docs/yaml.md#onboot

Everything is a yaml file: servicesservices:

- name: ntpd

image: "linuxkit/openntpd:a38eabb308d0405f58894979f8b8031a6c7e1134"

capabilities:

- CAP_SYS_TIME

- CAP_SYS_NICE

- CAP_SYS_CHROOT

- CAP_SETUID

- CAP_SETGID

net: host

see: https://github.com/linuxkit/linuxkit/blob/master/docs/yaml.md#services

Everything is a yaml file: filesfiles:

- path: etc/docker/daemon.json

contents: '{"debug": true}'

Everything is a yaml file: outputoutputs:

- format: kernel+initrd

- format: iso-bios

- format: iso-efi

- format: vhd

- format: vmdk

see: https://github.com/linuxkit/linuxkit/blob/master/docs/yaml.md#output

LinuxKit - build on macOS1. Clone the GitHub repository

$ git clone https://github.com/linuxkit/linuxkit.git

$ cd linuxkit

2. Compile LinuxKit CLI tools (we need Docker4Mac and Go)

$ make clean

$ make

3. Install LinuxKit CLI tools: “moby” and “linuxkit”

$ make install

LinuxKit - use it on macOS1. Build your first LinuxKit VM

$ moby build examples/node_exporter.yml

$ ls -alh node_exporter*.img

-rw-r--r-- 1 dieter staff 36M May 11 15:44

node_exporter-initrd.img

2. Run the LinuxKit VM with HyperKit (macOS Hypervisor)

$ linuxkit run hyperkit node_exporter

# runc list

# halt

Moby Project

Production model: Open Source

Production model: Open Components

Docker is a Platform made of Components

The open components model shows its limits...

Next level: Collaborating on Components & Assemblies

“With going mainstream comes great responsibilities„— Solomon Hykes

“A framework to assemble specialized container systems without reinventing the wheel”

- Library of 80+ components- Package your own components

as containers- Reference assemblies deployed

on millions of nodes- Create your own assemblies or

start from existing ones

What Moby means for you as a:DOCKER USER

Nothing changes for you, your command line remains the same and also anything else

It’s just that now Docker can leverage the ecosystem to innovate faster for you

SYSTEM BUILDER

Moby helps you to innovate without tying you to Docker

You can build your own Container Runtime systems easier and faster

“The Moby Project is to Docker what Fedora is to Red Hat Enterprise Linux„

— Solomon Hykes

Thank You!

Dieter Reuter

@Quintus23M

Credits: original slide deck by Docker Captain Lorenzo Fontana @fntlnz