A Brief Introduction to LinuxKit

What is LinuxKit?

LinuxKit includes tools that allow users to build custom Linux subsystems. All system services are replaceable containers, allowing users to remove anything they don’t need. This tool perfectly fits the Docker design philosophy, allowing users to replace any of the default components with other components that match user’s needs.

Security is Docker’s Most Important Goal

Image for post
Image for post

LinuxKit is an open source project, and Docker says that its inclusion in containers will help in building a secure, streamlined, and portable operating system.

Docker considers security to be a significant goal. It is consistent with NIST (America’s National Institute of Standards and Technology). A statement in its Application Container Security Guide advises developer community to “Use container-specific host OSs instead of general-purpose ones to reduce attack surfaces.”

When using a specific container operating system, the number of attack surfaces is usually much smaller than a generic operating system, so fewer opportunities exist to attack and compromise a particular container’s operating system.

Technical Details of LinuxKit

If we design an operating system around a single use case that runs a container, this reduction can directly contribute to the security of the system. Because LinuxKit is a native container, its size is very small (just 35MB!), so users can start it up in a very short amount of time. All system services are containers, which means that users can delete or replace anything.

System services in the container are sandboxed (they only have the privileges they need). This configuration design supports container use cases. LinuxKit fits inside a flexible infrastructure so that users can build, test, and deploy it in the CI pipeline and redeploy the new version when it needs an update.

The kernel comes from Docker’s collaboration with the Linux Kernel community and organizations such as the KSPP. With LinuxKit support, just a single small patch can often solve multiple problems. The process of developing Kernel security is well beyond the capabilities of any one company. It requires cooperation across the entire industry.

Besides, LinuxKit also provides room to incubate security projects that demonstrate the promise of improving Linux security. Docker has said it is actively working with external open-source projects like Wireguard, Landlock, Mirage, oKernel, and Clear Containers, and has provided a test platform for them. The next focus will be on container space innovation and production environments.

LinuxKit is portable as it supports the multi-platform Docker (it is currently running on), and it will also support more platforms in the future. As a container, it can run anywhere, whether on large or small machines, physical or virtual machines, mainframes, or other devices that use the Internet of Things (IoT) scenario.

Conclusion

LinuxKit is open to developers, partners, and open source enthusiasts, who can collaborate and create new things leveraging the container platform. Developers should look forward to making the most of this secure platform, and contribute back to the community.

To learn more about Docker and containers, check out the Alibaba Cloud Container Service.

Reference:

https://www.alibabacloud.com/blog/a-brief-introduction-to-linuxkit_591700?spm=a2c41.11539763.0.0

Written by

Follow me to keep abreast with the latest technology news, industry insights, and developer trends.

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store