4. “A platform is only as secure as its weakest components”
— Solomon Hykes
5. “I want Docker for whatever platform!” — Me (whenever I discover any new platform)
6. LinuxKit
a SECURE Linux subsystem
Only works with containers
- Smaller attack surface
- Immutable infrastructure
- Sandboxed system services
- Specialized patches and configurations
Incubator for security innovations
- Wireguard, Landlock, KSPP
- MirageOS type safe system daemons
- okernel
Community-first security process
- Linux is too big for a single company to secure it
- Participate in existing Linux security efforts
7. LinuxKit
a LEAN Linux subsystem
- Minimal size, minimal boot time
- All system services are containers
- Everything can be removed or replaced
8. LinuxKit
a PORTABLE Linux subsystem
- Desktop, Server, IoT, Mainframe
- Intel & ARM (and others)
- Bare Metal & Virtualized
- On-premises & in the Cloud
9. In LinuxKit the blueprint is a YAML file!
Example “linuxkit.yml”, see: https://github.com/linuxkit/linuxkit/blob/master/linuxkit.yml
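The following blueprint is an added illustration, not the project's own linuxkit.yml linked above, showing how the SECURE and LEAN properties from the earlier slides are expressed in the YAML: a minimal init layer, one-shot `onboot` containers, and long-running `services` that each run as a sandboxed container with an explicit capability list and a read-only root filesystem. Image tags are written as `<tag>` placeholders, and the `dhcpcd` command line, the sshd capability set and the injected authorized_keys content are assumptions chosen for illustration, not values taken from the page.

```yaml
# Illustrative LinuxKit blueprint (added example; not the project's own file).
# Image tags are placeholders: replace <tag> with the tags used in the linuxkit repo.
kernel:
  image: linuxkit/kernel:<tag>
  cmdline: "console=ttyS0"

init:
  # The init layer is deliberately tiny: init, runc, containerd and CA certs.
  - linuxkit/init:<tag>
  - linuxkit/runc:<tag>
  - linuxkit/containerd:<tag>
  - linuxkit/ca-certificates:<tag>

onboot:
  # One-shot containers, run sequentially at boot and then exit.
  - name: sysctl
    image: linuxkit/sysctl:<tag>
  - name: dhcpcd
    image: linuxkit/dhcpcd:<tag>
    # Command line is an assumption for this example
    command: ["/sbin/dhcpcd", "--nobackground", "-f", "/dhcpcd.conf", "-1"]

services:
  # Long-running system services; every one of them is its own container,
  # so a compromise of one service is confined to that sandbox.
  - name: rngd
    image: linuxkit/rngd:<tag>
  - name: sshd
    image: linuxkit/sshd:<tag>
    # Least privilege: grant only the capabilities this service needs
    # (the exact set below is illustrative, not the project's setting)
    capabilities:
      - CAP_NET_BIND_SERVICE
      - CAP_SETUID
      - CAP_SETGID
    # Immutable infrastructure: the service's root filesystem is read-only
    readonly: true

files:
  # Configuration is baked into the image at build time, not changed at runtime.
  # The key below is a placeholder, not a real public key.
  - path: root/.ssh/authorized_keys
    contents: "ssh-ed25519 AAAA... placeholder-public-key"
    mode: "0600"

trust:
  # Only pull signed images for these organizations (Docker Content Trust)
  org:
    - linuxkit
```

Removing a service from the image is a matter of deleting its entry under `services`, which is the practical meaning of “everything can be removed or replaced”: the attack surface of the resulting VM is exactly the list of containers you chose to keep.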
17. LinuxKit - build on macOS
1. Clone the GitHub repository
$ git clone https://github.com/linuxkit/linuxkit.git
$ cd linuxkit
2. Compile the LinuxKit CLI tools (requires Docker for Mac and Go)
$ make clean
$ make
3. Install LinuxKit CLI tools: “moby” and “linuxkit”
$ make install
18. LinuxKit - use it on macOS
1. Build your first LinuxKit VM
$ moby build examples/node_exporter.yml
$ ls -alh node_exporter*.img
-rw-r--r-- 1 dieter staff 36M May 11 15:44 node_exporter-initrd.img
2. Run the LinuxKit VM with HyperKit (the macOS hypervisor); the `#` prompt is the shell inside the VM
$ linuxkit run hyperkit node_exporter
# runc list
# halt
28. “A framework to assemble specialized container systems without reinventing the wheel”
- Library of 80+ components
- Package your own components as containers
- Reference assemblies deployed on millions of nodes
- Create your own assemblies or start from existing ones
29. What Moby means for you as a:
DOCKER USER
Nothing changes for you: your command line and everything else remain the same.
It’s just that now Docker can leverage the ecosystem to innovate faster for you.
SYSTEM BUILDER
Moby helps you innovate without tying you to Docker.
You can build your own container runtime systems more easily and faster.
30. “The Moby Project is to Docker what Fedora is to Red Hat Enterprise Linux”
— Solomon Hykes