4. “In the cloud, we know exactly what we want a server to be, and if
we want to change that we simply terminate it and launch a new
server with a new AMI.”
Netflix Building with Legos, 2011
immutable delivery
5. “As a system administrator, one of the scariest things I ever
encounter is a server that’s been running for ages.
If you absolutely know a system has been created via automation
and never changed since the moment of creation, most of the
problems disappear.”
Chad Fowler, Trash Your Servers and Burn Your Code, 2013
immutable delivery
6. first desktop then cloud
immutable delivery was what we needed for reliability
• could not find an existing solution
• iterated since 2015
• found a design that is useful for others
• time to open source and get community input
built for Docker Editions
7. • batteries included, but removable
• fast to build
• build whole system in your CI pipeline
• fast to boot
• immutable in production
• designed to be managed by external tooling
• container native, cloud native
requirements
9. “A secure, portable and
lean operating system
built for containers”
Solomon Hykes
10. which can be replaced
The project provides the base containers to get started, with an
emphasis on minimalism and security
• you only need a few containers
• enough to bootstrap distributed applications
Secure defaults
12. The moby tool builds systems
• Moby project is a kit of parts
• LinuxKit is the first use case
• designed to put together distributed systems
• built from containers
Moby tool
13. The config file defines the whole system
• kernel
• boot scripts
• config containers
• service containers
Also defines what to output: ISOs, AMIs etc
yaml file defines boot image
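
An added example, not taken from the slides or from the LinuxKit repository: a minimal config showing the parts listed above, with a service container limited to a short capability list. It assumes the key names used by current LinuxKit releases (`kernel`, `init`, `onboot`, `services`), which may differ from the format in use at the time of the talk; every `<tag>` is a placeholder, the `web` service is hypothetical, and output formats are left out.

```yaml
# Constructed example. Replace each <tag> with a pinned release tag or digest.
kernel:
  image: linuxkit/kernel:<tag>
  cmdline: "console=tty0 console=ttyS0"

# init: base images unpacked directly into the root filesystem
# (init process, runc, containerd)
init:
  - linuxkit/init:<tag>
  - linuxkit/runc:<tag>
  - linuxkit/containerd:<tag>

# onboot: config containers, run sequentially at boot, each to completion
onboot:
  - name: sysctl
    image: linuxkit/sysctl:<tag>
  - name: dhcpcd
    image: linuxkit/dhcpcd:<tag>
    command: ["/sbin/dhcpcd", "--nobackground", "-f", "/dhcpcd.conf", "-1"]

# services: long-running service containers
services:
  - name: web                  # hypothetical service
    image: nginx:<tag>
    capabilities:              # capabilities granted to this service
      - CAP_NET_BIND_SERVICE
      - CAP_CHOWN
      - CAP_SETUID
      - CAP_SETGID
      - CAP_DAC_OVERRIDE
```

Keeping this file in version control lets a CI job rebuild the whole image from it, and any change to a capability list shows up in review as a one-line diff.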
17. “Use container-specific OSes instead of general-purpose ones to
reduce attack surfaces. When using a container-specific OS,
attack surfaces are typically much smaller than they would be with
a general-purpose OS, so there are fewer opportunities to attack
and compromise a container-specific OS.”
NIST draft Application Container Security Guide
Security
18. • include only what you need
• modern kernel, secure config
• moving system services to safe languages
• fuzz testing, review
• containerized services, minimal privileges
• testing and then shipping new security tech
Security
21. A toolkit for creating and managing declarative, self-healing
infrastructure.
• Actively ensures desired state of infrastructure
• Plugin based
• Plugins for pets and cattle, raft stores etc
InfraKit
23. Alternatives to InfraKit for managing a cluster
• Terraform
• AWS CloudFormation
• any tooling you like...
Other management tools
25. • Kubernetes
• WireGuard
• Landlock eBPF LSM
• Clear Containers
• arm64 support, other architectures
• oKernel
many more... a lot around new security approaches
Looking to the future
Cutting edge projects
27. Best supported right now
• OSX/hyperkit, VMware, QEMU/KVM
• Google Cloud, Packet.net
In progress, being ported but not integrated in CLI
• AWS, Azure, Windows, BlueMix, Clear Containers
• Arm64 support
Planned
• ARM, other architectures
• other cloud providers
Platform support
28. many improvements needed
• rewrite in safe languages such as Rust
• blueprints for different platforms
• improve security
• improved APIs
• reliability and testing
• new use cases, new platforms
lots of work to do
29. • chance to meet the maintainers and developers
• in depth discussions of Moby Project and LinuxKit
• discuss roadmap
• look at new use cases
• start hacking!
Moby Summit on Thursday