Linuxkit: A Toolkit for building secure, lean and portable Linux subsystems

For a long time, users have been waiting for developers to bring a Docker-native interface to the various platforms as well as cloud such as AWS, Azure, and Google Cloud. To bridge this gap, Linuxkit is released.

Linuxkit is developed by Docker to assemble custom Linux subsystem to bring more native experience to its desktop and cloud platforms. Of late, users were trying to bring Linux container to platforms but the platform did not allow with the Linux included.

To overcome these flaws, Docker came up with solution to create a bundle secure and portable enough that can provide Linux container on any type of platform. The Linuxkit supports the tool to allow building of custom Linux subsystems that include runtime platform components. The system services in the containers can be replaced and also removed. And the components substituted with the ones that match the required criteria.

As for security, the NIST in their Application Container Security Guide explains: “ Use container-specific OSes instead of general-purpose ones to reduce attack surfaces. When using a container-specific OS, attack surfaces are typically much smaller than they would be with a general-purpose OS, so there are fewer opportunities to attack and compromise a container-specific OS.”

The Linuxkit is lean because when combined with security the user can remove parts that are not needed when the OS is designed around single use of running containers. Which means all the containers can be removed by the user. It is only around 35MB with minimal boot time.

It is also portable as it was mainly built for running on many platforms and also now designed with Docker it runs on many more platforms.

The Next step is to run the Linuxkit on Hyper-v isolation. This toolkit may become big with the right kind of contribution from the open source community.

Tag : Linux
FAQ
Q
How do I test my client application?
A
During client development, the registrar will have access to the OT&E environment. In the OT&E environment, the registrar may test the operation of their software to verify the correct handling of EPP commands and their responses. Operations performed in the OT&E environment will not be charged and will not have any impacts on the live Shared Registry System.
Q
How can I detect if my site's been broken into?
A
For Unix systems, the tripwire program periodically scans your system and detects if any system files or programs have been modified.
Q
Q5: Can I make my site completely safe by running the server in a "chroot" environment?
A
You can't make your server completely safe, but you can increase its security significantly in a Unix environment by running it in a chroot environment. The chroot system command places the server in a "silver bubble" in such a way that it can't see any part of the file system beyond a directory tree that you have set aside for it. The directory you designate becomes the server's new root "/" directory. Anything above this directory is inaccessible.
Q
Why not use systemd?
A
In order to keep the system minimal, systemd did not seem appropriate, as it brings in a lot of dependencies and functionality that we do not need. At present we are using the busybox init process, and a small set of minimal scripts, but we expect to replace that with a small standalone init process and a small piece of code to bring up the system containers where the real work takes place.
Q
What do I need to build LinuxKit?
A
We have tried to make this as simple as possible, by using containers for the build process, so you should be able to build LinuxKit on any OSX or Linux laptop; we should have Windows build support soon.