AUSTIN, Texas -- Two new Docker-led projects -- LinuxKit and Moby -- are designed to advance software containerization and help developers create more secure systems with less effort.
LinuxKit, developed with the help of Microsoft, IBM, Hewlett Packard Enterprise, Intel and ARM, is a toolkit for building secure, lean and portable Linux subsystems, said Docker CTO Solomon Hykes during his keynote at the DockerCon 2017 conference here.
"Our requirements for the Linux subsystem were very specific," Hykes said. "It had to be secure, it had to be lean and it had to be very portable. So, we got together with a group of companies trying to solve this problem."
Indeed, one of the key components for building container platforms is the OS itself, he said, noting that over the past year, Docker had developed a toolkit to assemble custom Linux subsystems to create more native experiences for Windows, Mac and cloud platforms, as many of these platforms do not ship with Linux and require a Linux subsystem. LinuxKit simply makes that same process available to others as a toolkit for building a secure, custom OS.
"LinuxKit includes the tooling to allow building custom Linux subsystems that only include exactly the components the runtime platform requires," said Justin Cormack, an engineer at Docker, in a blog post. "All system services are containers that can be replaced, and everything that is not required can be removed. All components can be substituted with ones that match specific needs. It is a kit, very much in the Docker philosophy of batteries included, but swappable."
Microsoft lends a hand
John Gossman, an Azure lead architect at Microsoft, as well as a Linux Foundation board member, said Microsoft and Docker have been working together for more than three years because Microsoft's Windows team wanted the same Docker experience for Windows developers as Linux developers were used to.
"Docker and Microsoft will be working together in the open source projects so that the next versions of Docker for Windows and Docker for Azure combine LinuxKit with Hyper-V isolation for the best possible experience running Linux containers on Windows," Gossman said at DockerCon.
In addition, Microsoft is committed to building support for this feature as part of the ongoing containerd project, he said.
Because LinuxKit is designed around containers, all its processes, including system daemons, run in containers, which means systems built with LinuxKit have a smaller attack surface than general-purpose systems.
"A couple of years ago, they were being dinged about the surface area they had for security," said Todd Moore, vice president of open technology at IBM. "But by doing this LinuxKit, they've locked the security issue down. The area is much smaller, much more contained to something that's very secure. And all of us getting behind it and helping them get through that process will help to make it all the more mature and more secure."
Moreover, because LinuxKit is container-native, its small, 35 MB footprint means minimal boot time. And the product's container-native approach makes it portable to a host of environments, including desktop, server, mainframe, internet of things, bare-metal and virtualized systems, according to Docker. LinuxKit will be managed under the Linux Foundation.
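To make the "all system services are containers" description concrete, here is an added example of a LinuxKit build definition in the project's YAML format. It is not from the article or from Docker's own repository, and the image tags are placeholders (shown as `<tag>`) that a real build would pin to exact versions or digests. Each entry under init, onboot and services is a container image; deleting a line removes that component from the resulting system, which is how the small footprint and reduced attack surface described above are achieved.

```yaml
# Added example of a minimal LinuxKit build definition (not from the article).
# Every component below is a container image; leave one out and it is simply
# absent from the built system. "<tag>" marks placeholder image versions that a
# real build would pin to exact tags or digests.
kernel:
  image: linuxkit/kernel:<tag>
  cmdline: "console=tty0 console=ttyS0"
init:
  # init, runc and containerd are the only pieces that run outside a service
  # container: they are what starts the containers listed below.
  - linuxkit/init:<tag>
  - linuxkit/runc:<tag>
  - linuxkit/containerd:<tag>
  - linuxkit/ca-certificates:<tag>
onboot:
  # One-shot containers that run in order at boot and then exit.
  - name: sysctl
    image: linuxkit/sysctl:<tag>
  - name: dhcpcd
    image: linuxkit/dhcpcd:<tag>
    command: ["/sbin/dhcpcd", "--nobackground", "-f", "/dhcpcd.conf", "-1"]
services:
  # Long-running daemons, each in its own container. There is no ssh, no
  # package manager and no shell unless one is added here.
  - name: rngd
    image: linuxkit/rngd:<tag>
  - name: getty
    image: linuxkit/getty:<tag>
    env:
      # Passwordless serial console; keep only for local testing images.
      - INSECURE=true
trust:
  # Only images signed by the linuxkit organization (Docker Content Trust)
  # are accepted at build time.
  org:
    - linuxkit
```

Building a file like this with the toolkit's CLI (`moby build` at the time of the announcement, later renamed `linuxkit build`) yields a bootable image containing only the kernel plus the containers listed, so the inventory of running software is exactly the inventory of this file.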
Despite the promise of enhanced security, not all attendees were enamored of the LinuxKit idea. "It's difficult to see where the world needs another Linux distribution," said one conference attendee who requested anonymity.
Moby Project focuses on components
Meanwhile, Docker also announced the Moby Project, an endeavor for collaborating on interchangeable components, such as operating systems, orchestration frameworks or infrastructure management. Users can tap common components -- already used in millions of deployments -- to build more specialized container systems more rapidly while differentiating on features.
Hykes said users can choose from a library of more than 80 components derived from Docker, or they can elect to "bring your own components" packaged as containers, with the option to mix and match among all the components to create a customized container system.
"Docker is not a large company," he said. "We have 150 engineers doing all of this. We saw in the car industry there's this concept of a shared chassis, and they collaborate on common components. So, we stole that idea. We created within Docker a place where teams could collaborate on common assemblies."
Because of the current "explosion" of open source components, "this new project will be the most important project for Docker since the beginning -- since Docker itself," Hykes said.
"Essentially, anything that can be containerized can be a Moby component, providing a great opportunity for collaboration with other projects outside of Docker," Hykes said in a statement.
Charles King, principal analyst at Pund-IT, said the Moby Project appears to be aimed at simplifying how customers adopt and use containers by providing a common reference blueprint, a tooling and testing framework, and a library of containerized components.
Hykes said the Moby governance model was inspired by what Red Hat did for Linux with Fedora in the early 2000s.
Put another way, King said, Docker wants "to use its commercial position to help ensure the continuing evolution and adoption of container technologies."
That's an ambitious goal that also promises to solidify and grow Docker's leadership position, he added.
"I think Moby is a very savvy play for Docker in that it's giving them the opportunity to separate out their brand into two pieces," said Craig McLuckie, founder and CEO of Heptio, a Seattle-based startup whose mission is to make Kubernetes accessible to everyone. "Holding back the invaluable Docker IP for the stuff that they can make money on, and creating a release for the community to rally around a technology that is accessible to anybody to use, is a wise and clever play."