
LinuxKit and Moby
News from DockerCon 2017 - Austin, TX

Dieter Reuter - @Quintus23M
Senior Consultant at bee42 solutions gmbh - @bee42solutions

Docker Captain - @HypriotTweets

Docker Meetup Bochum, May 11th 2017

What happened? What to expect?

Will I become a Moby Captain?

What will change? Governance?

What’s that LinuxKit?

What is LinuxKit ?

“A platform is only as secure as its weakest components”

— Solomon Hykes

“I want Docker for whatever platform!” — Me (whenever I discover any new platform)

LinuxKit: a SECURE Linux subsystem

Only works with containers

- Smaller attack surface
- Immutable infrastructure
- Sandboxed system services
- Specialized patches and configurations

Incubator for security innovations

- Wireguard, Landlock, KSPP
- MirageOS type safe system daemons
- okernel

Community-first security process

- Linux is too big for a single company to secure it

- Participate in existing Linux security efforts

LinuxKit: a LEAN Linux subsystem

- Minimal size, minimal boot time
- All system services are containers
- Everything can be removed or replaced

LinuxKit: a PORTABLE Linux subsystem

- Desktop, Server, IoT, Mainframe
- Intel & ARM (and others)
- Bare Metal & Virtualized
- On-premises & in the Cloud

In LinuxKit the BluePrint is a YAML file! Example “linuxkit.yml” see: https://github.com/linuxkit/linuxkit/blob/master/linuxkit.yml

Everything is a yaml file: kernel

kernel:
  image: "linuxkit/kernel:4.9.x"
  cmdline: "console=ttyS0 console=tty0 page_poison=1"

see: https://github.com/linuxkit/linuxkit/blob/master/docs/yaml.md#kernel

Everything is a yaml file: init

init:
  - linuxkit/init:63eed9ca7a09d2ce4c0c5e7238ac005fa44f564b
  - linuxkit/runc:2649198589ef0020d99f613adaeda45ce0093a38
  - linuxkit/containerd:18eaf72f3f4f9a9f29ca1951f66df701f873060b
  - linuxkit/ca-certificates:3344cdca1bc59fdfa17bd7f0fcbf491b9dbaa288

see: https://github.com/linuxkit/linuxkit/blob/master/docs/yaml.md#init

Everything is a yaml file: onboot

onboot:
  - name: sysctl
    image: "linuxkit/sysctl:1f5ec5d5e6f7a7a1b3d2ff9dd9e36fd6fb14756a"
    net: host
    pid: host
    ipc: host
    capabilities:
      - CAP_SYS_ADMIN
    readonly: true

see: https://github.com/linuxkit/linuxkit/blob/master/docs/yaml.md#onboot

Everything is a yaml file: services

services:
  - name: ntpd
    image: "linuxkit/openntpd:a38eabb308d0405f58894979f8b8031a6c7e1134"
    capabilities:
      - CAP_SYS_TIME
      - CAP_SYS_NICE
      - CAP_SYS_CHROOT
      - CAP_SETUID
      - CAP_SETGID
    net: host

see: https://github.com/linuxkit/linuxkit/blob/master/docs/yaml.md#services

Everything is a yaml file: files

files:
  - path: etc/docker/daemon.json
    contents: '{"debug": true}'

Everything is a yaml file: outputs

outputs:
  - format: kernel+initrd
  - format: iso-bios
  - format: iso-efi
  - format: vhd
  - format: vmdk

see: https://github.com/linuxkit/linuxkit/blob/master/docs/yaml.md#output
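The kernel, init, onboot and services fragments above are where LinuxKit's "sandboxed system services" and "immutable infrastructure" claims are actually expressed: every container is pinned to an immutable image tag, gets only the capabilities it is listed with, and can be given a read-only rootfs. The Python below is an added example (not LinuxKit project code) that audits those properties over a blueprint. It transcribes the slides' YAML into Python dicts so it runs without a YAML library; the set of "high-risk" capabilities and the policy that a service should be read-only are my own assumptions, not anything LinuxKit enforces.

```python
"""Audit a LinuxKit blueprint for the sandboxing properties the deck describes.

Added example, not part of LinuxKit. Field names follow docs/yaml.md; the
risk policy (HIGH_RISK_CAPS, read-only rootfs for services) is an assumption.
"""
import re

# Constructed: Python transcription of the kernel/init/onboot/services
# fragments shown on the slides (files/outputs omitted; the checks ignore them).
BLUEPRINT = {
    "kernel": {
        "image": "linuxkit/kernel:4.9.x",
        "cmdline": "console=ttyS0 console=tty0 page_poison=1",
    },
    "init": [
        "linuxkit/init:63eed9ca7a09d2ce4c0c5e7238ac005fa44f564b",
        "linuxkit/runc:2649198589ef0020d99f613adaeda45ce0093a38",
        "linuxkit/containerd:18eaf72f3f4f9a9f29ca1951f66df701f873060b",
        "linuxkit/ca-certificates:3344cdca1bc59fdfa17bd7f0fcbf491b9dbaa288",
    ],
    "onboot": [
        {
            "name": "sysctl",
            "image": "linuxkit/sysctl:1f5ec5d5e6f7a7a1b3d2ff9dd9e36fd6fb14756a",
            "net": "host", "pid": "host", "ipc": "host",
            "capabilities": ["CAP_SYS_ADMIN"],
            "readonly": True,
        },
    ],
    "services": [
        {
            "name": "ntpd",
            "image": "linuxkit/openntpd:a38eabb308d0405f58894979f8b8031a6c7e1134",
            "capabilities": ["CAP_SYS_TIME", "CAP_SYS_NICE", "CAP_SYS_CHROOT",
                             "CAP_SETUID", "CAP_SETGID"],
            "net": "host",
        },
    ],
}

# linuxkit/* images on the slides are tagged with a 40-hex git commit id;
# a registry digest (@sha256:...) is the other immutable form.
PINNED_TAG = re.compile(r":[0-9a-f]{40}$")

# Assumption: capabilities that give a compromised container near-root reach.
HIGH_RISK_CAPS = {"CAP_SYS_ADMIN", "CAP_SYS_MODULE", "CAP_SYS_PTRACE",
                  "CAP_SYS_RAWIO", "CAP_NET_ADMIN"}


def is_pinned(image: str) -> bool:
    """True if the image reference cannot silently change under us."""
    return bool(PINNED_TAG.search(image)) or "@sha256:" in image


def audit_container(entry: dict, section: str) -> list:
    """Check one onboot/services entry for least-privilege properties."""
    findings = []
    name = entry.get("name", "?")
    if not is_pinned(entry.get("image", "")):
        findings.append(f"{section}/{name}: image not pinned to an immutable tag or digest")
    for cap in sorted(set(entry.get("capabilities", [])) & HIGH_RISK_CAPS):
        findings.append(f"{section}/{name}: grants high-risk capability {cap}")
    shared = [ns for ns in ("net", "pid", "ipc") if entry.get(ns) == "host"]
    if shared:
        findings.append(f"{section}/{name}: uses host namespaces {','.join(shared)} (review whether required)")
    if not entry.get("readonly", False):
        findings.append(f"{section}/{name}: rootfs not read-only")
    return findings


def audit(blueprint: dict) -> list:
    """Return a list of human-readable findings for the whole blueprint."""
    findings = []
    kernel = blueprint.get("kernel", {})
    if not is_pinned(kernel.get("image", "")):
        findings.append(f"kernel: {kernel.get('image')} uses a floating tag")
    for img in blueprint.get("init", []):
        if not is_pinned(img):
            findings.append(f"init: {img} not pinned")
    for section in ("onboot", "services"):
        for entry in blueprint.get(section, []):
            findings.extend(audit_container(entry, section))
    return findings


if __name__ == "__main__":
    for line in audit(BLUEPRINT):
        print(line)
```

Run against the slides' own configuration it reports five findings: the kernel's `4.9.x` tag floats while every init and service image is commit-pinned, sysctl legitimately needs CAP_SYS_ADMIN plus host namespaces for a one-shot job but is at least read-only, and ntpd runs on host networking without a read-only rootfs. Findings are review prompts, not failures; the point of the blueprint format is that each of these decisions is visible in one file.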

LinuxKit - build on macOS

1. Clone the GitHub repository

$ git clone https://github.com/linuxkit/linuxkit.git
$ cd linuxkit

2. Compile LinuxKit CLI tools (we need Docker4Mac and Go)

$ make clean
$ make

3. Install LinuxKit CLI tools: “moby” and “linuxkit”

$ make install

LinuxKit - use it on macOS

1. Build your first LinuxKit VM

$ moby build examples/node_exporter.yml
$ ls -alh node_exporter*.img
-rw-r--r--  1 dieter  staff   36M May 11 15:44 node_exporter-initrd.img

2. Run the LinuxKit VM with HyperKit (macOS Hypervisor)

$ linuxkit run hyperkit node_exporter
# runc list
# halt

Moby Project

Production model: Open Source

Production model: Open Components

Docker is a Platform made of Components

The open components model shows its limits...

Next level: Collaborating on Components & Assemblies

“With going mainstream comes great responsibilities” — Solomon Hykes

“A framework to assemble specialized container systems without reinventing the wheel”

- Library of 80+ components
- Package your own components as containers
- Reference assemblies deployed on millions of nodes
- Create your own assemblies or start from existing ones

What Moby means for you as a: DOCKER USER

Nothing changes for you: your command line remains the same, and so does everything else.

It’s just that now Docker can leverage the ecosystem to innovate faster for you

SYSTEM BUILDER

Moby helps you to innovate without tying you to Docker

You can build your own Container Runtime systems easier and faster

“The Moby Project is to Docker what Fedora is to Red Hat Enterprise Linux”

— Solomon Hykes

Thank You!

Dieter Reuter

@Quintus23M

Credits: original slide deck by Docker Captain Lorenzo Fontana @fntlnz