LinuxKit – immutable infrastructure for FaaS

LinuxKit is a set of tools for preparing immutable sets of infrastructure. It is designed to compose containers into a ready-to-use OS. Of course, an OS produced by LinuxKit is for running containers. To make an immutable and scalable infrastructure for FaaS platforms, LinuxKit is one of the best choices out there.

Here's a sample of a LinuxKit YAML file to build an immutable OS for Docker. The kernel block is saying that this OS will boot with Linux Kernel 4.14.23. The boot command, cmdline, says that the kernel will be starting with consoles on four different TTYs:

kernel:
  image: linuxkit/kernel:4.14.23
  cmdline: "console=tty0 console=ttyS0 console=ttyAMA0 console=ttysclp0"

The four next containers declared inside the init block are the base programs that will be unpacked directly onto the filesystem. All the init level programs include runc and containerd. Also, the CA certificates will be installed directly onto the filesystem before the programs declared in the next, onboot, block can proceed:

init:
  - linuxkit/init:b212cfeb4bb6330e0a7547d8010fe2e8489b677a
  - linuxkit/runc:7c39a68490a12cde830e1922f171c451fb08e731
  - linuxkit/containerd:37e397ebfc6bd5d8e18695b121166ffd0cbfd9f0
  - linuxkit/ca-certificates:v0.2

The onboot block and the mountie command will automatically mount the first available partition to /var/lib/docker. Please note that LinuxKit only allows you to mount to the directory under the /var directory:

onboot:
  - name: sysctl
    image: linuxkit/sysctl:v0.2
  - name: sysfs
    image: linuxkit/sysfs:v0.2
  - name: format
    image: linuxkit/format:v0.2
  - name: mount
    image: linuxkit/mount:v0.2
    command: ["/usr/bin/mountie", "/var/lib/docker"]

The services block declares system containers, which serve as long running services. All these services are run and maintained by containers, started by the init process in the init block.

A service declared in this block can be started in any order.

In the following example, docker is one of the services. Docker image, docker:17.09.0-ce-dind, is used for running this Docker service. This service runs on the host network. This is basically the same concept as RancherOS. This instance of dockerd run by the docker service is the user-level container management system, while containerd from the init block is the system-level container management system. Other system containers here are rngd—a random number generator daemon, dhcpd—an DHCP service, and ntpd—the OpenNTPD daemon for syncing the machine clock, for example:

services:
  - name: getty
    image: linuxkit/getty:v0.2
    env:
     - INSECURE=true
  - name: rngd
    image: linuxkit/rngd:v0.2
  - name: dhcpcd
    image: linuxkit/dhcpcd:v0.2
  - name: ntpd
    image: linuxkit/openntpd:v0.2
  - name: docker
    image: docker:17.09.0-ce-dind
    capabilities:
     - all
    net: host
    mounts:
     - type: cgroup
       options: ["rw","nosuid","noexec","nodev","relatime"]
    binds:
     - /etc/resolv.conf:/etc/resolv.conf
     - /var/lib/docker:/var/lib/docker
     - /lib/modules:/lib/modules
     - /etc/docker/daemon.json:/etc/docker/daemon.json
    command: ["/usr/local/bin/docker-init", "/usr/local/bin/dockerd"]

The file block is for declaring files or directories that we would like to have on our immutable filesystem. In the following example, we declare /var/lib/docker and create a Docker's daemon configuration /etc/docker/daemon.json with the content {"debug": true} inside it. These files are created during the image's build phase:

files:
  - path: var/lib/docker
    directory: true
  - path: etc/docker/daemon.json
    contents: '{"debug": true}'
trust:
  org:
    - linuxkit
    - library

We have another example of the files block. This is the standard way to put our public key into the filesystem image. The attribute mode is for setting the file mode when copying the file to the final image. In this example, we require the public key file to be 0600. With this configuration and the running sshd service, we will be allowed to remotely SSH into the machine:

files:
  - path: root/.ssh/authorized_keys
    source: ~/.ssh/id_rsa.pub
    mode: "0600"
    optional: true

Here's the step to build the LinuxKit command line:

$ go get -u github.com/linuxkit/linuxkit/src/cmd/linuxkit

If we have already installed the Go programming language using GVM, the binary will be available to run.

We'll build a Docker OS, available at https://github.com/linuxkit/linuxkit/blob/master/examples/docker.yml:

$ linuxkit build docker.yml 
Extract kernel image: linuxkit/kernel:4.14.26
Pull image: docker.io/linuxkit/kernel:4.14.26@sha256:9368a ...
...
Add files:
  var/lib/docker
  etc/docker/daemon.json
Create outputs:
  docker-kernel docker-initrd.img docker-cmdline
..................Content has been hidden....................

You can't read the all page of ebook, please click here login for view all page.
Reset