So in the recent DockerCon announcements, a little dated by the time I wrote this (I move slow, it seems), I was very intrigued to hear about LinuxKit. In the blog post announcing LinuxKit, engineer Justin Cormack said that LinuxKit came about because “users wanted Linux container support but the platform itself did not ship with Linux included.” Docker was released on Mac OS and Windows, but the need was still there to have a Linux subsystem as part of the container system.
What does that mean? Well, Docker runs on Linux: configure your Docker containers on your Linux system and get going. But not everyone in the world uses Linux, and to bring Docker to the Windows and Mac platforms, Docker had to build a system that lets them run the Linux subsystem parts they need on non-Linux platforms. That is, if you’re running Docker on Windows or Mac, you’re still running on Linux. Thus, LinuxKit was born. Swapnil Bhartiya said in his CIO article: “LinuxKit…allows organizations to build their own containerized operating systems that are secure, lean, modular and portable.”
Docker partnered with some big names to make this happen, companies like HPE, Intel, IBM and Microsoft, and of course the Linux Foundation. It’s as architecture-compatible as possible: bare metal or virtual machine, x86 or ARM, LinuxKit allows you to run the subsystem you need for your containers wherever you need it.
With LinuxKit, there’s the ability to build a custom subsystem with only what the runtime needs in place, sized down to 35MB with minimal boot time, and of course it’s open source. Docker started with the barest of the bare essentials to get this down in size: the kernel and the system libraries, all as small as they can be.
Docker was security-minded about this, and in today’s fast-paced world security is paramount. A container-specific OS with a read-only root filesystem, among other features, removes points of attack that a general-purpose OS would expose. Cormack says: “All system services are containers, which means that everything can be removed or replaced.” This means that services are sandboxed, given only the permissions they need.
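To make the “every service is a container” idea concrete, here is an added example of a minimal LinuxKit build file; it is not from the post or the LinuxKit project. It assumes the LinuxKit YAML schema as I know it (verify the keys against docs/yaml.md in the LinuxKit repo), uses placeholder image tags (TAG) and a hypothetical service called myapp, and shows that service declared permissively next to the least-privilege form the post describes.

```yaml
# Added example (not from the post or the LinuxKit project): a minimal
# LinuxKit build file, built with `linuxkit build minimal.yml`.
# All image tags are placeholders (TAG): pin them to released tags.
kernel:
  image: linuxkit/kernel:TAG
  cmdline: "console=ttyS0"
init:
  # The root filesystem holds only these: init, runc and containerd.
  - linuxkit/init:TAG
  - linuxkit/runc:TAG
  - linuxkit/containerd:TAG
onboot:
  # One-shot containers, run in order before the services start.
  - name: sysctl
    image: linuxkit/sysctl:TAG
  - name: dhcpcd
    image: linuxkit/dhcpcd:TAG
    command: ["/sbin/dhcpcd", "--nobackground", "-f", "/dhcpcd.conf", "-1"]
services:
  # Every long-running system service is its own container, so any of
  # them can be removed or swapped out. The two entries below show the
  # same hypothetical service (myapp) declared permissively and then
  # with the least privilege it needs; keep only one in a real build.
  - name: myapp-permissive
    image: example.org/myapp:TAG        # placeholder image
    readonly: false                     # writable root: the service can alter its own files
    capabilities:
      - all                             # effectively root against the shared kernel
  - name: myapp
    image: example.org/myapp:TAG        # placeholder image
    readonly: true                      # root filesystem mounted read-only
    uid: 1000                           # drop root inside the container
    gid: 1000
    noNewPrivileges: true               # setuid binaries cannot regain privilege
    capabilities:
      - CAP_NET_BIND_SERVICE            # only what myapp needs: bind a low port
    tmpfs:
      - /tmp                            # the one writable location
```

Removing a service is just deleting its entry; the rest of the image is unaffected because nothing else depends on it being present.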