At the April 25, 2017 Weave Online User Group, Justin Cormack from Docker was our guest speaker and he talked about “Docker Linux Distributions that work with Kubernetes: LinuxKit”.

Justin gave an overview of LinuxKit, which was introduced and open sourced at DockerCon 2017.

Background & History

LinuxKit started as a Docker Inc. internal project a few years ago when Justin Cormack was working on the “Docker for MacOS Desktop edition.” Initially available to Docker employees only, it was eventually launched outside of the company and made generally available to all Docker users. 

Linuxkit provides a Docker-native experience in IT infrastructures that include a variety of OS’s which are not bundled with a native version of Linux. Providing a standard version of Linux where-ever users ran Docker containers is a one of the primary motivations behind the development of LinuxKit. 

Requirements

These were the requirements identified for LinuxKit:

Being able to provide immutable delivery tops the list in importance and was a key requirement since the project’s inception. Solomon Hykes, founder of Docker Inc., summarized LinuxKit as “A secure, portable and lean OS built for containers” in his DockerCon 2017 keynote.

Secure

According to Justin, “Security is built-in for LinuxKit. Docker has been working on security aspects of this project right from the beginning.” 

LinuxKit follows the NIST Application Container Security Guide where it suggests using a container-specific OS instead of general-purpose ones so that there are fewer opportunities for attacks that can compromise the OS.

This slide pointed out some of the ways how LinuxKit handles security:

Portable

LinuxKit has a rich set of contributors that include IBM, Microsoft, Intel and many others. The wide range of contributors adds to its portability and helps achieve LinuxKit’s main goal which is to have a Linux system that runs on platforms that don’t include Linux. 

Here are some of the contributors: 

Lean

The footprint for an OS built with LinuxKit is small which minimizes the attack surface. The main idea behind LinuxKit is to build containers with containers. An OS built with LinuxKit is a minimal Linux system that is just enough to get started and is just large enough to run the required application or service.

Build Tool and Demo

LinuxKit is also closely tied to the new open source build system, Moby and its build system Moby Tool which uses YAML files that define the boot images similar to Docker Compose. 

Here is the sample build YAML file that Justin used for the demo:

kernel:
  image: "linuxkit/kernel:4.9.x"
  cmdline: "console=ttyS0 console=tty0 page_poison=1"
init:
  - linuxkit/init:f71c3b30ac1ba4ef16c160c89610fa4976f9752f
  - linuxkit/runc:b0fb122e10dbb7e4e45115177a61a3f8d68c19a9
  - linuxkit/containerd:60e2486a74c665ba4df57e561729aec20758daed
  - linuxkit/ca-certificates:e091a05fbf7c5e16f18b23602febd45dd690ba2f
onboot:
  - name: sysctl
    image: "linuxkit/sysctl:2cf2f9d5b4d314ba1bfc22b2fe931924af666d8c"
    net: host
    pid: host
    ipc: host
    capabilities:
     - CAP_SYS_ADMIN
    readonly: true
  - name: binfmt
    image: "linuxkit/binfmt:c7e69ebd918a237dd086a5c58dd888df772746bd"
    binds:
     - /proc/sys/fs/binfmt_misc:/binfmt_misc
    readonly: true
  - name: dhcpcd
    image: "linuxkit/dhcpcd:48e249ebef6a521eed886b3bce032db69fbb4afa"
    binds:
     - /var:/var
     - /tmp/etc:/etc
    capabilities:
     - CAP_NET_ADMIN
     - CAP_NET_BIND_SERVICE
     - CAP_NET_RAW
    net: host
    command: ["/sbin/dhcpcd", "--nobackground", "-f", "/dhcpcd.conf", "-1"]
services:
  - name: rngd
    image: "linuxkit/rngd:c42fd499690b2cb6e4e6cb99e41dfafca1cf5b14"
    capabilities:
     - CAP_SYS_ADMIN
    oomScoreAdj: -800
    readonly: true
  - name: nginx
    image: "nginx:alpine"
    capabilities:
     - CAP_NET_BIND_SERVICE
     - CAP_CHOWN
     - CAP_SETUID
     - CAP_SETGID
     - CAP_DAC_OVERRIDE
    net: host
files:
  - path: etc/docker/daemon.json
    contents: '{"debug": true}'
trust:
  image:
    - linuxkit/kernel
    - linuxkit/binfmt
    - linuxkit/rngd
outputs:
  - format: kernel+initrd
  - format: iso-bios
  - format: iso-efi

And finally we can see that containerd is managing the container lifecycle within the demo linuxkit binary:

The status output shows nginx and rngd running. These services were specified in the services section of the linuxkit.yml file:

services:
  - name: rngd
    image: "linuxkit/rngd:c42fd499690b2cb6e4e6cb99e41dfafca1cf5b14"
    capabilities:
     - CAP_SYS_ADMIN
    oomScoreAdj: -800
    readonly: true
  - name: nginx
    image: "nginx:alpine"
    capabilities:
     - CAP_NET_BIND_SERVICE
     - CAP_CHOWN
     - CAP_SETUID
     - CAP_SETGID
     - CAP_DAC_OVERRIDE
    net: host

Managing the Cluster

InfraKit is one cluster management tool that can be used to manage any infrastructure created by LinuxKit:

As stated in the slide, InfraKit is declarative, which means that users only specify the desirable state of the infrastructure. InfraKit runs the infrastructure as it was specified. For example,  if a container terminated, it spins up another one. 

This slide displays an architectural diagram for InfraKit:

  • InfraKit and LinuxKit complement each other, share tooling, and can also handle rolling updates of containers. 
  • LinuxKit also supports other cluster management tools, such as Terraform, and AWS CloudFormation.

Looking Ahead

Future work will focus on different projects that can build with LinuxKit:

Support for different platforms is another area that needs further development:

For more information check out the  LinuxKit project on Github

LinuxKit for Kubernetes

Next up Ilya Dmitrichenko of Weaveworks introduced a project in the linuxkit tree on GitHub. He stated 3 advantages of using LinuxKit for Kubernetes:

The biggest advantage of using LinuxKit for Kubernetes is that it eliminates the cloud provider-specific base images variance or lock-in to a specific Linux distribution. With a from-scratch model to generate the base image, the cluster can run identically on different on-premise or cloud platforms.

Ilya then followed up with a demo based on the instructions on LinuxKit for Kubernetes. He spun up a Kubernetes master and a few worker nodes: 

And logged into the Kubernetes master to check the status of the Kubernetes cluster:

After the watching to ensure that all of the pods successfully joined the cluster, Ilya went over the kube-master.yml file that defined the build parameters for LinuxKit. To speed up the demo these two containers were added to the YAML file:

- name: kubernetes-image-cache-common
    image: "linuxkit/kubernetes:latest-image-cache-common"
    binds:
      - /var/run:/var/run
  - name: kubernetes-image-cache-control-plane
    image: "linuxkit/kubernetes:latest-image-cache-control-plane"
    binds:
      - /var/run:/var/run

Ilya as part of the Weaveworks’ DX team was also a central contributor to this project. He assisted in demonstrating how LinuxKit can be used with Kubernetes, which he also presented at DockerCon 2017 in Austin with Justin Cormack.

See the video of the talk here: 


Thank you for reading our blog. We build Weave Cloud, which is a hosted add-on to your clusters. It helps you iterate faster on microservices with continuous delivery, visualization & debugging, and Prometheus monitoring to improve observability.

Try it out, join our online user group for free talks & trainings, and come and hang out with us on Slack.