rkt

Containerization is a relatively new paradigm for unix-like kernels, such as Linux. Linux was not built with containerization in mind, so many parts of it are intrinsically monolithic. Unlike Virtual Machines, which can have very strong isolation from the host system, containerization on Linux tends to have a larger attack surface, and so a larger number of vulnerabilities.

Docker is the most well-known container software. Instead, we chose to use rkt, a more recent container manager built with security in mind. Read the rkt overview for some of its advantages over Docker.

One example of a security issue is that Docker requires a root-privileged daemon that manages the entire process container creation, running the risk of a flaw in the container creation process letting an attacker get root access. rkt runs certain phases of creation (such as downloading and verifying images) outside of root, decreasing the attack surface that could get root access.

rkt (pronounced 'rocket') also uses a multi-stage process to launch containers, which allows the exact kind of isolation to be switched out. The rkt stage0 launches a stage1 container that includes the specific kind of isolation, which then launches the actual user container as stage2.

Stage1 container variants include:

• systemd/nspawn: the standard kind of container isolation -- less than a virtual machine, but not nontrivial
• kvm: isolation by using a lightweight virtual machine layer -- nearly as secure as a virtual machine, but lighter weight
• fly: a simple chroot jail, which provides less isolation than standard containers, but is even more lightweight

Other possibilities include, for example, Xen-based isolation. (Xen is a virtual machine hypervisor, like KVM.)

You can read more about the rkt architecture on the official website.

[insert more stuff about why rkt is awesome here]