rkt - the pod-native container engine
rkt (pronounced "rock-it") is a CLI for running application containers on Linux. rkt is designed to be secure, composable, and standards-based.
Some of rkt's key features and goals include:
- Pod-native: rkt's basic unit of execution is a pod, linking together resources and user applications in a self-contained environment.
- Security: rkt is developed with a principle of "secure-by-default", and includes a number of important security features like support for SELinux, TPM measurement, and running app containers in hardware-isolated VMs.
- Composability: rkt is designed for first-class integration with init systems (like systemd, upstart) and cluster orchestration tools (like Kubernetes and Nomad), and supports swappable execution engines.
- Open standards and compatibility: rkt implements the appc specification, supports the Container Networking Interface specification, and can run Docker images and OCI images. Broader native support for OCI images and runtimes is in development.
Project status
The rkt v1.x series provides command line user interface and on-disk data structures stability for external development. Any major changes to those primary areas will be clearly communicated, and a formal deprecation process conducted for any retired features.
Check out the roadmap for more details on the future of rkt.
Trying out rkt
To get started quickly using rkt for the first time, start with the "trying out rkt" document. Also check rkt support on your Linux distribution. For an end-to-end example of building an application from scratch and running it with rkt, check out the getting started guide.
Getting help with rkt
There are a number of different avenues for seeking help and communicating with the rkt community:
- For bugs and feature requests (including documentation!), file an issue
- For general discussion about both using and developing rkt, join the rkt-dev mailing list
- For real-time discussion, join us on IRC: #rkt-dev on freenode.org
- For more details on rkt development plans, check out the GitHub milestones
Most discussion about rkt development happens on GitHub via issues and pull requests. The rkt developers also host a semi-regular community sync meeting open to the public. This sync usually features demos, updates on the roadmap, and time for anyone from the community to ask questions of the developers or share users stories with others. For more details, including how to join and recordings of previous syncs, see the sync doc on Google Docs.
Contributing to rkt
rkt is an open source project and contributions are gladly welcomed! See the Hacking Guide for more information on how to build and work on rkt. See CONTRIBUTING for details on submitting patches and the contribution workflow.
Licensing
Unless otherwise noted, all code in the rkt repository is licensed under the Apache 2.0 license. Some portions of the codebase are derived from other projects under different licenses; the appropriate information can be found in the header of those source files, as applicable.
Security disclosure
If you suspect you have found a security vulnerability in rkt, please do not file a GitHub issue, but instead email security@coreos.com with the full details, including steps to reproduce the issue. CoreOS is currently the primary sponsor of rkt development, and all reports are thoroughly investigated by CoreOS engineers. For more information, see the CoreOS security disclosure page.
Known issues
Due to limitations in the Linux kernel, using rkt's overlay support on top of an overlay filesystem requires the upperdir and workdir to support the creation of trusted.* extended attributes and valid d_type in readdir responses (see kernel/Documentation/filesystems/overlayfs.txt). When starting rkt inside rkt this means that either:
- the inner
/var/lib/rkt
directory needs to be mounted on a host volume. - the outer or inner rkt container needs to be started using
--no-overlay
.
Due to a bug in the Linux kernel, using rkt when /var/lib/rkt
is on btrfs requires Linux 4.5.2+ (#2175).
Due to a bug in the Linux kernel, using rkt's overlay support in conjunction with SELinux requires a set of patches that are only currently available on some Linux distributions (for example, CoreOS Linux). Work is ongoing to merge this work into the mainline Linux kernel (#1727).
Linux 3.18+ is required to successfully garbage collect rkt pods when system services such as udevd are in a slave mount namespace (see lazy umounts on unlinked files and directories and #1922).