A Brief Introduction to LinuxKit

Summary: LinuxKit lets users build secure, lean, and portable Linux systems for running containers.

What is LinuxKit?

LinuxKit is a toolkit for building custom, minimal Linux systems for running containers. All system services are replaceable containers, so users can remove anything they don't need. This fits the Docker design philosophy: any default component can be swapped for one that matches the user's needs.

Security is Docker's Most Important Goal


LinuxKit is an open source project; Docker describes it as a toolkit for building secure, lean, and portable operating systems for containers.

Docker considers security to be a major goal, and this is consistent with guidance from NIST (the United States National Institute of Standards and Technology), whose Application Container Security Guide (SP 800-190) advises the developer community to "Use container-specific host OSs instead of general-purpose ones to reduce attack surfaces."

A container-specific operating system has a much smaller attack surface than a general-purpose one, so there are fewer opportunities to attack and compromise the host that runs the containers.

Technical Details of LinuxKit

Small Memory Consumption and Short Startup Time

Designing the operating system around a single use case, running containers, directly contributes to its security: there is simply less code to attack. A LinuxKit image contains only the kernel and the containerized services you select, so a minimal image is very small (about 35 MB) and boots in a few seconds. All system services are containers, which means that users can delete or replace any of them.

System services run as sandboxed containers with only the privileges they need, the same model that is applied to application containers. Because an image is defined by a configuration file, it can be built, tested, and deployed in a CI pipeline, then rebuilt and redeployed whenever an update is needed: an updated kernel or package produces a new image rather than a patch applied to a running system.
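The build file below is an added example written for this article; it is not from the original page nor one of the LinuxKit project's own example files. It shows the least-privilege layout described above in LinuxKit's YAML format: a kernel, a fixed init layer, one-shot `onboot` containers, and long-running `services`, with one application service restricted to a read-only root filesystem, a non-root user, and a single capability. The application image `example.org/metrics-exporter:1.0` and all image tags are placeholders (assumptions), and the field names should be checked against the yaml reference of the LinuxKit version you use; pin every image to a tag or digest published in the LinuxKit repository before building.

```yaml
# Added example of a LinuxKit build file; not from the page or the LinuxKit repo.
# Image tags are placeholders: pin them to tags or digests from the LinuxKit
# repository before running `linuxkit build`.
kernel:
  image: linuxkit/kernel:6.6.13          # placeholder tag; kernel built by the LinuxKit project
  cmdline: "console=ttyS0"
init:
  # The init layer is what starts everything else; it is normally left as-is.
  - linuxkit/init:v1.0.1                 # placeholder tag
  - linuxkit/runc:v1.0.1                 # placeholder tag
  - linuxkit/containerd:v1.0.1           # placeholder tag
  - linuxkit/ca-certificates:v1.0.1      # placeholder tag
onboot:
  # One-shot containers: run in order, exit, then services start.
  - name: sysctl
    image: linuxkit/sysctl:v1.0.1        # placeholder tag
  - name: dhcpcd
    image: linuxkit/dhcpcd:v1.0.1        # placeholder tag
    command: ["/sbin/dhcpcd", "--nobackground", "-f", "/dhcpcd.conf", "-1"]
services:
  # Long-running containers. Anything not listed here is absent from the image,
  # which is how the attack surface stays small.
  - name: app
    image: example.org/metrics-exporter:1.0   # hypothetical application image
    net: host                                 # needs the host interfaces to listen
    readonly: true                            # root filesystem mounted read-only
    tmpfs:
      - /tmp                                  # the only writable location
    uid: 1000                                 # do not run as root inside the container
    gid: 1000
    noNewPrivileges: true                     # setuid binaries cannot regain privileges
    capabilities:
      - CAP_NET_BIND_SERVICE                  # bind a port below 1024, nothing else
    env:
      - LISTEN_ADDR=0.0.0.0:443
  # A getty with INSECURE=true is a passwordless root console. Keep it only in
  # development builds; delete the entry (do not just comment it out) for production.
  # - name: getty
  #   image: linuxkit/getty:v1.0.1           # placeholder tag
  #   env:
  #     - INSECURE=true
```

Build the image with `linuxkit build` and boot it locally with `linuxkit run qemu`. The YAML file is the artifact to keep under version control: bumping a kernel or package tag and rebuilding in CI is the update path, and a diff of this file is a complete record of what runs on the host and with which privileges.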

Kernel Comes From Industry Cooperation

The kernel comes from Docker's collaboration with the Linux kernel community and organizations such as the Kernel Self Protection Project (KSPP). With LinuxKit as a vehicle, a single small patch can often address several problems at once. Hardening the kernel is well beyond the capabilities of any one company; it requires cooperation across the entire industry.

LinuxKit also provides room to incubate security projects that show promise for improving Linux security. Docker has said it is actively working with external open-source projects such as WireGuard, Landlock, Mirage, oKernel, and Clear Containers, and provides them with a test platform. The next focus is innovation in the container space and use in production environments.

LinuxKit is Portable

LinuxKit is portable: it already runs on the platforms Docker supports, and more are planned. It can run on large or small machines, physical or virtual, on mainframes, and on Internet of Things (IoT) devices.

Conclusion

LinuxKit is open to developers, partners, and open source enthusiasts, who can collaborate and build new things on the container platform. Developers should make the most of this secure platform and contribute back to the community.

To learn more about Docker and containers, check out the Alibaba Cloud Container Service.
