Docker LinuxKit: Secure Linux containers for Windows, macOS, and clouds

Docker introduces lightweight Linux containers for other platforms.
Written by Steven Vaughan-Nichols, Senior Contributing Editor

At Dockercon in Austin, Texas, Docker CEO Solomon Hydes said, Docker "is a bunch of projects not a monolith." One of the newest of these projects is LinuxKit. This is a toolkit for building secure, portable, and lean operating systems for containers.

Docker Whale

With LinuxKit, Docker has both a toolkit for creating lightweight Linux containers and a tiny Linux container for operating systems, such as macOS and Windows, which don't have built-in Linux.

Specifically, it's a toolkit to assemble custom Linux subsystems with the initial intention to create a more native experience for Windows and Mac macOS desktops and cloud platforms. This program was developed with leading companies such as silicon partner ARMl infrastructure providers like HPE, as well as cloud companies including Microsoft and IBM. It is now an open source project that will be managed by The Linux Foundation.

Docker claimed LinuxKit allows users to "create very secure Linux subsystems because it is designed around containers. All of the processes, including system daemons, run in containers, enabling users to assemble a Linux subsystem with only the needed services. As a result, systems created with LinuxKit have a smaller attack surface than general purpose systems." That's all true, but it's true of any containerized operating system.

In a blog post, Justin Cormack, a Docker engineer, added: "LinuxKit includes the tooling to allow building custom Linux subsystems that only include exactly the components the runtime platform requires. All system services are containers that can be replaced, and everything that is not required can be removed. All components can be substituted with ones that match specific needs. It is a kit, very much in the Docker philosophy of batteries included but swappable."

LinuxKit enables this by bundling Linux into the Docker platform. That way users who want Linux container support on platforms without native Linux such as macOS and Windows can run on these operating systems.

The base LinuxKit Linux distribution is tiny. At its smallest, LinuxKit Linux takes up only 35MB with an extremely fast boot time to match. As you'd expect, "All system services are containers, which means that everything can be removed or replaced." It's highly portable and can work on desktops, servers, IoT, mainframes, bare metal, and virtualized systems.

If this sound familiar, well it should. Alpine is, and will remain, Docker's native Linux for containers. Alpine has many of the same features. The key difference is that LinuxKit is meant to be even more flexible and easier to customize.

In a tweet, Nathan McCauley, Docker's security director, made it explicit that "Linuxkit's roots are in Alpine. A stronger Alpine is a stronger LinuxKit. We'll continue to invest in Alpine." McCauley also said LinuxKit is "a Linux subsystem focused on security."

Is there a market for LinuxKit? Good question.

Matthew Garrett, a Google security engineer and well-known open-source developer, tweeted that while he thinks "Linuxkit is really interesting from a technical perspective," he also believes "Docker [is] going to find the same thing everyone else does -- companies with RHEL [Red Hat Enterprise Linux] contracts hate running niche Linux distributions. And, "The Windows use-case is a little confusing to me. Linuxkit is overkill for just running existing containers under HyperV."

I also notice that while you wouldn't want to run Linux servers on Ubuntu Bash on Window 10, even with Bash's new improvements in Windows 10 Creators Update, this Windows 10 feature weakens LinuxKit's case for the Windows desktop.

Want to see if it will work in your use cases? LinuxKit's code is available now on GitHub.

Related Stories:

How Docker brought containers mainstream

Editorial standards