LinuxKit and Moby are new projects from Docker that aim to improve security, portability, and customization of container systems. LinuxKit creates a lean Linux subsystem optimized for containers by running all system services as containers. It defines systems as code using YAML files. Moby is a framework for assembling specialized container systems using reusable open source components, allowing innovation while leveraging an ecosystem of 80+ components. It provides benefits for Docker users by allowing Docker to innovate faster, and for system builders by making it easier to customize or build their own container runtime systems independent of Docker.

1. LinuxKit and Moby
News from DockerCon 2017 - Austin,TX
Dieter Reuter - @Quintus23M
Senior Consultant at bee42 solutions gmbh - @bee42solutions
Docker Captain - @HypriotTweets
Docker Meetup Bochum, May 11th 2017

2. What happened? What to expect?
Will I become a Moby Captain?
What will change?Governance?
What’s that LinuxKit?

3. What is LinuxKit ?

4. “A platform is only as secure
as its weakest components„
— Solomon Hykes

5. “I want Docker for whateverplatform!„— Me (whenever I discover any new platform)

6. LinuxKit
a SECURE Linux subsystem
Only works with containers
- Smaller attack surface
- Immutable infrastructure
- Sandboxed system services
- Specialized patches and
configurations
Incubator for security
innovations
- Wireguard, Landlock, KSPP
- MirageOS type safe system
daemons
- okernel
Community-first security
process
- Linux is too big for a single
company to secure it
- Participate in existing Linux
security efforts

7. LinuxKit
a LEAN Linux subsystem
- Minimal size, minimal boot time
- All system services are containers
- Everything can be removed or replaced

8. - Desktop, Server, IoT, Mainframe
- Intel & ARM (and others)
- Bare Metal & Virtualized
- On-premises & in the Cloud
LinuxKit
a PORTABLE Linux subsystem

9. In LinuxKit the BluePrint is a YAML file!
Example “linuxkit.yml” see: https://github.com/linuxkit/linuxkit/blob/master/linuxkit.yml

10. kernel:
image: "linuxkit/kernel:4.9.x"
cmdline: "console=ttyS0 console=tty0 page_poison=1"
Everything is a yaml file: kernel
see: https://github.com/linuxkit/linuxkit/blob/master/docs/yaml.md#kernel

11. init:
- linuxkit/init:63eed9ca7a09d2ce4c0c5e7238ac005fa44f564b
- linuxkit/runc:2649198589ef0020d99f613adaeda45ce0093a38
- linuxkit/containerd:18eaf72f3f4f9a9f29ca1951f66df701f873060b
- linuxkit/ca-certificates:3344cdca1bc59fdfa17bd7f0fcbf491b9dbaa288
Everything is a yaml file: init
see: https://github.com/linuxkit/linuxkit/blob/master/docs/yaml.md#init

12. Everything is a yaml file: onboot
onboot:
- name: sysctl
image: "linuxkit/sysctl:1f5ec5d5e6f7a7a1b3d2ff9dd9e36fd6fb14756a"
net: host
pid: host
ipc: host
capabilities:
- CAP_SYS_ADMIN
readonly: true
see: https://github.com/linuxkit/linuxkit/blob/master/docs/yaml.md#onboot

13. Everything is a yaml file: services
services:
- name: ntpd
image: "linuxkit/openntpd:a38eabb308d0405f58894979f8b8031a6c7e1134"
capabilities:
- CAP_SYS_TIME
- CAP_SYS_NICE
- CAP_SYS_CHROOT
- CAP_SETUID
- CAP_SETGID
net: host
see: https://github.com/linuxkit/linuxkit/blob/master/docs/yaml.md#services

14. Everything is a yaml file: files
files:
- path: etc/docker/daemon.json
contents: '{"debug": true}'

15. Everything is a yaml file: output
outputs:
- format: kernel+initrd
- format: iso-bios
- format: iso-efi
- format: vhd
- format: vmdk
see: https://github.com/linuxkit/linuxkit/blob/master/docs/yaml.md#output

17. LinuxKit - build on macOS
1. Clone the GitHub repository
$ git clone https://github.com/linuxkit/linuxkit.git
$ cd linuxkit
2. Compile LinuxKit CLI tools (we need Docker4Mac and Go)
$ make clean
$ make
3. Install LinuxKit CLI tools: “moby” and “linuxkit”
$ make install

18. LinuxKit - use it on macOS
1. Build your first LinuxKit VM
$ moby build examples/node_exporter.yml
$ ls -alh node_exporter*.img
-rw-r--r-- 1 dieter staff 36M May 11 15:44
node_exporter-initrd.img
2. Run the LinuxKit VM with HyperKit (macOS Hypervisor)
$ linuxkit run hyperkit node_exporter
# runc list
# halt

19. Moby Project

20. Production model: Open Source

21. Production model: Open Components

22. Docker is a Platform made of Components

23. The open components model shows its limits...

24. Next level: Collaborating on Components & Assemblies

25. “With going mainstream comes great responsibilities„
— Solomon Hykes

28. “A framework to assemble
specialized container
systems without reinventing
the wheel”
- Library of 80+ components
- Package your own components
as containers
- Reference assemblies deployed
on millions of nodes
- Create your own assemblies or
start from existing ones

29. What Moby means for you as a:
DOCKER USER
Nothing changes for you, your command line
remains the same and also anything else
It’s just that now Docker can leverage the
ecosystem to innovate faster for you
SYSTEM BUILDER
Moby helps you to innovate without tying you to
Docker
You can build your own Container Runtime
systems easier and faster

30. “The Moby Project is to Docker what
Fedora is to Red Hat Enterprise Linux„
— Solomon Hykes

32. Thank You!
Dieter Reuter
@Quintus23M
Credits: original slide deck by Docker Captain Lorenzo Fontana @fntlnz