LinuxKit includes tools that allow users to build custom Linux subsystems. All system services are replaceable containers, allowing users to remove anything they don’t need. This fits the Docker design philosophy: users can replace any of the default components with others that match their needs.
LinuxKit is an open source project, and Docker says that its inclusion in containers will help in building a secure, streamlined, and portable operating system.
Docker considers security to be a significant goal, which is consistent with guidance from NIST (the U.S. National Institute of Standards and Technology). NIST's Application Container Security Guide advises the developer community to “Use container-specific host OSs instead of general-purpose ones to reduce attack surfaces.”
With a container-specific operating system, the attack surface is usually much smaller than with a general-purpose operating system, so fewer opportunities exist to attack and compromise it.
If we design an operating system around a single use case that runs a container, this reduction can directly contribute to the security of the system. Because LinuxKit is a native container, its size is very small (just 35MB!), so users can start it up in a very short amount of time. All system services are containers, which means that users can delete or replace anything.
System services in the container are sandboxed (they only have the privileges they need). This configuration design supports container use cases. LinuxKit fits inside a flexible infrastructure so that users can build, test, and deploy it in the CI pipeline and redeploy the new version when it needs an update.
The kernel comes from Docker's collaboration with the Linux kernel community and organizations such as the KSPP. With LinuxKit support, just a single small patch can often solve multiple problems. The process of developing kernel security is well beyond the capabilities of any one company. It requires cooperation across the entire industry.
In addition, LinuxKit provides room to incubate security projects that show promise for improving Linux security. Docker has said it is actively working with external open-source projects like WireGuard, Landlock, Mirage, oKernel, and Clear Containers, and has provided a test platform for them. The next focus will be on container space innovation and production environments.
LinuxKit is portable as it supports the multi-platform Docker (it is currently running on), and it will also support more platforms in the future. As a container, it can run anywhere, whether on large or small machines, physical or virtual machines, mainframes, or Internet of Things (IoT) devices.
LinuxKit is open to developers, partners, and open source enthusiasts, who can collaborate and create new things leveraging the container platform. Developers should look forward to making the most of this secure platform, and contribute back to the community.
To learn more about Docker and containers, check out the Alibaba Cloud Container Service.