- linuxkit now is just for interacting with linuxkit kernel images, push things to aws
- moby tool producing disk images
  - Currently moby tool calls out to linuxkit to do the build
- moby tool was initially just for building linux images but now it supports docker and other formats
- Could make `moby build` into a library and other tools like Infrakit could use it
  - PR opened
  - Currently Infrakit shells out to Moby tool
- kvm/qemu
- Intel bare metal - trying to build Open Switch.
- How does it boot? Facebook switches have standardized on the ONIE bootloader. Microsoft and Cisco are pushing it too; all the networking vendors support it. MaaS at Ubuntu does too.
- ONIE is EFI based
- ONIE has a set of standards for how you want to partition the drive
- ONIE actually has a small linux kernel itself, like a first stage bootloader
- ONIE came from Cumulus
- Looks like Linuxkit should support it
- Tiny VMs - eg Intel Clear Containers
- Linuxkit project underway to support Clear Containers, but it’s the other way around (for running inside the VM, not on the bare metal)
- The way industry is going right now (e.g., in Open Switch) is to not pollute the kernel with drivers and instead run in userspace (dpdk)
- Everyone is debating right now whether to use BMC or another standard (forgot name)
- Just trying to see how they can build Open Switches in Linuxkit
- Open Switch right now has all the hardware vendor support, abstracts hardware
- Rolf: right now Linuxkit is targeting clouds, but Open Switch is more embedded. But it is still x86.
- Some are running Mesos masters from TOR switches. So, they are almost like compute nodes.
- What about non-x86 archs? Justin: yes, work on ARM64. Main issue is that we need to convert everything to use multi-arch images.
- Ubuntu is what you build your app on. Linuxkit is the thing that will be on the hypervisor/host.
- Example: Linuxkit is read-only, whereas Ubuntu could never make that decision.
- We haven’t tried on Toolbox and no one has written a VirtualBox driver yet. But someone will probably write one soon.
- People are more familiar with Docker. Would help to have an infographic showing what is in Docker and what is in Moby.
- Like what is the mapping between Docker components and Moby components?
- Moby project is about making it possible to assemble something like Docker from components
- Yes, understand that, but people don’t understand what the mapping between Docker<->Moby components is.
- People are still working on it. D4Mac has quite a bit of that tech in it.
- Short term focus is replacing standard system daemons with unikernel style components.
- dhcpd is now being split up into OCaml components (some of which can run in de-privileged container, which communicates over a small channel)
- If you run Linuxkit on bare metal, you can isolate individual components in small VMs. Solo5 and ukvm projects with IBM.
- Also looking at providing generic HTTPS service proxy
- What is a “type safe language”? Mostly OCaml, Rust coming soon. Means languages where you can’t break out of the type system to have side effects, which you can do in Go or with unsafe pointers in Rust.
- Entitlements is our solution to this
- auditd is supposed to watch every CAP the app tried to access, so you can see why your app is failing to work
- We will add auditd support
- Looks like a really good lightweight VPN for containers
- Linuxkit: what’s our process of deciding that we as a community do want to carry these patches?
- If Docker has been shipping a patch in our products for 2-3 months, it may help get things into the Linux kernel
- Also, WireGuard is much more mature vs something like ShiftFS
- Currently taking out most of the module drivers and compiling them as hardware drivers
- Problem is that when you compile these drivers in, they slow down boot time because they spend 20 seconds probing for hardware that is not there
- 4.9 really. We have 4.4 kernel still but we have not been using this in production recently.
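As an added illustration of the boot-time point above (drivers compiled in that spend tens of seconds probing for hardware that is not present), the script below parses dmesg-style timestamped lines and reports the large gaps between consecutive messages, which is where probe delays show up. This is example code written for these notes, not from the meeting or the LinuxKit project; the log lines, driver names and timings are constructed.

```python
import re
from typing import List, Tuple

# Constructed sample of dmesg-style boot log lines (not captured from any real machine).
# The 20-second jump after the second network driver line mirrors the probing delay
# described in the notes.
SAMPLE_DMESG = """\
[    0.000000] Linux version 4.9.0 (constructed sample)
[    0.412345] PCI: Using configuration type 1 for base access
[    1.103210] e1000e: Intel(R) PRO/1000 Network Driver
[    1.104000] mlx4_core: Mellanox ConnectX core driver
[   21.317654] mlx4_core: probe of 0000:00:08.0 failed with error -19
[   21.400000] ixgbe: Intel(R) 10 Gigabit PCI Express Network Driver
[   21.402000] ahci 0000:00:1f.2: version 3.0
[   22.010000] Freeing unused kernel memory
"""

# "[   12.345678] message" -> seconds since boot and the message text
LINE_RE = re.compile(r"^\[\s*(?P<ts>\d+\.\d+)\]\s*(?P<msg>.*)$")


def parse_dmesg(text: str) -> List[Tuple[float, str]]:
    """Return (timestamp_seconds, message) for every well-formed dmesg line, in order."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            entries.append((float(m.group("ts")), m.group("msg")))
    return entries


def slow_gaps(entries: List[Tuple[float, str]], threshold: float = 5.0) -> List[Tuple[float, str, str]]:
    """Return (gap_seconds, message_before, message_after) for each pair of consecutive
    lines separated by more than `threshold` seconds. The message before the gap is
    normally the driver whose probe stalled."""
    gaps = []
    for (t0, m0), (t1, m1) in zip(entries, entries[1:]):
        delta = t1 - t0
        if delta > threshold:
            gaps.append((round(delta, 3), m0, m1))
    return gaps


def total_boot_seconds(entries: List[Tuple[float, str]]) -> float:
    """Time from the first to the last parsed line."""
    return round(entries[-1][0] - entries[0][0], 3) if entries else 0.0


if __name__ == "__main__":
    parsed = parse_dmesg(SAMPLE_DMESG)
    print(f"boot log spans {total_boot_seconds(parsed)} s")
    for gap, before, after in slow_gaps(parsed):
        print(f"{gap:>8} s stall after: {before!r}")
        print(f"{'':>8}   next line:  {after!r}")
```

On a real host the input would come from `dmesg` output (or `/var/log/dmesg`) instead of the constructed string; the same gap analysis then points at which built-in driver is worth dropping from a LinuxKit kernel config for that hardware.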