LinuxKit, a toolkit for building custom minimal, immutable Linux distributions.
Secure defaults without compromising usability
Everything is replaceable and customisable
Immutable infrastructure applied to building Linux distributions
Completely stateless, but persistent storage can be attached
Easy tooling, with easy iteration
Built with containers, for running containers
Designed for building and running clustered applications, including but not limited to container orchestration such as Docker or Kubernetes
Designed from the experience of building Docker Editions, but redesigned as a general-purpose toolkit
Designed to be managed by external tooling, such as Infrakit or similar tools
Includes a set of longer-term collaborative projects in various stages of development to innovate on kernel and userspace changes, particularly around security
2. Overview and Comparison
                 Ubuntu              LinuxKit
Image size       2GB                 190MB
Provision        3-5 min             1.5-3 min
Setup time       5 minutes           1 minute
Package updates  Runtime             Build-time
Security         Base security       Built-in security
• Swarm nodes on Ubuntu
• LinuxKit Investigation and Future
3. LinuxKit Swarm Node Architecture
[Architecture diagram, recovered labels]
Kernel: Linux Kernel 4.9.x
Init: init, runc, containerd, ca-certs
Onboot: sysctl, sysfs, mount, metadata
Services: rngd, docker, ssh, syslog, ntpd, getty, nfs, logrotate, iptables, dns
4. Scenarios
• Synchronization: need access to NFS to store/retrieve Infrakit files prior to starting docker
• Serviceability: need to keep system and audit logs for diagnostics; administrator needs command-line access
8. Data Flow - Initial Configuration
[Diagram: the docker, metadata and nfs service containers each read the cloud-init drive at /dev/xvdh]
Docker container:
    SCOPE=docker sh userdata.sh
    ...
    if [ "$SCOPE" = "docker" ]; then
        /configure-docker.sh
    fi
NFS container:
    SCOPE=nfs sh userdata.sh
    ...
    if [ "$SCOPE" = "nfs" ]; then
        /nfs.sh "$NFS_MOUNTPOINT" "$LOCAL_MOUNTPOINT"
    fi
Each service container runs its own portion of the configuration script.
9. Data Flow - Synchronization
[Diagram: the docker, metadata and nfs containers share the lock file /etc/nfs/nfslock]
Docker container: wait until the NFS lock is released
    if [ -f /etc/nfs/nfslock ]; then
        echo "NFS locked, waiting for NFS."
        while true; do
            # the lock file holds "0" while locked and "1" once NFS is mounted
            if ! grep -q "0" /etc/nfs/nfslock; then
                echo "NFS ready, continuing."
                break
            fi
            echo "NFS not ready, waiting."
            sleep 2
        done
    fi
Metadata container: initialise the lock
    if [ "$NFS" = "1" ]; then
        echo "0" > /etc/nfs/nfslock
    fi
NFS container: mount, then release the lock
    /sbin/rpcbind -d
    if [ -f "$USERDATA_FILE" ]; then
        SCOPE=nfs sh "$USERDATA_FILE"
    fi
    ./nfs.sh "$MOUNT_POINT" "$LOCAL_MOUNTPOINT"
    # Finished mounting NFS.
    echo "Unlocking NFS."
    echo "1" > /etc/nfs/nfslock
Metadata initializes lock for NFS
Docker waits on NFS lock before continuing
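Added example (not from the deck or from LinuxKit itself): the nfslock handshake of slides 8 and 9 as one shell function per container role, with a bounded wait added so that a failed NFS mount cannot hold up docker start-up forever and a distinct result when the lock was never initialised. The lock path, the timeout and the return codes are assumptions for this demo.

```shell
#!/bin/sh
# Lock file location: the deck uses /etc/nfs/nfslock; a temporary directory is
# assumed here so the demo runs without touching the system.
LOCKDIR="${LOCKDIR:-$(mktemp -d)}"
LOCKFILE="$LOCKDIR/nfslock"

# metadata role: create the lock in the "locked" state (0) before consumers start.
nfs_lock_init() { echo "0" > "$LOCKFILE"; }

# nfs role: flip the lock to "ready" (1) once the mount has finished.
nfs_unlock() { echo "1" > "$LOCKFILE"; }

# docker role: block until the lock reads "1".
#   $1 = timeout in seconds (default 60), $2 = poll interval (default 1).
# Returns 0 when ready, 1 on timeout, 2 when the lock file does not exist.
# The deck's script skips the wait entirely if the file is missing, which lets
# docker start first if metadata has not run yet; returning 2 makes that visible.
nfs_wait_ready() {
  timeout="${1:-60}"; interval="${2:-1}"; waited=0
  [ -f "$LOCKFILE" ] || return 2
  while [ "$(cat "$LOCKFILE")" != "1" ]; do
    [ "$waited" -ge "$timeout" ] && return 1
    sleep "$interval"
    waited=$((waited + interval))
  done
  return 0
}
```

Run the roles in the deck's order: nfs_lock_init from metadata, nfs_wait_ready from docker, nfs_unlock from nfs after the mount succeeds.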
10. Serviceability - Logging and Auditing
[Diagram: 25GB volume /dev/xvda1 mounted at /var, written by the syslog, logrotate and docker containers]
Persistent storage volume mounted at boot
All on-boot and service containers log to /var/log
Container logs to /var/lib/docker/...
Syslog captures kernel output, boot logs
Logrotate keeps file sizes in check
11. Serviceability - Administration
SSH container with public-key access
Console (Getty) container available for private network access only
[Diagram: ssh reachable from the Internet; console reachable only from the private 10.x.x.x network]
12. Serviceability - Network Overrides
Provide ability to respond to external network failures
dnsmasq service with hosts file
[Diagram: Swarm node, DNS and HTTP Service reached over the Internet]