It's often been mentioned in this column that containers are — or at least are perceived to be — less secure than virtual machines. Why? Because they offer less isolation from the underlying host operating system. But LinuxKit changes the calculus significantly. Here's why.
But first, a quick detour: what is LinuxKit? Docker announced it back in April, and its purpose is to allow platforms such as Windows to run Linux containers. Essentially, it is a "lean and portable Linux subsystem that can provide Linux container functionality as a component of a container platform," as Docker describes it, and it was developed by a group of companies that includes HPE, Intel, Microsoft and IBM, along with the Linux Foundation.
What's clever about LinuxKit is that it is highly modular: it contains a tool for building custom Linux subsystems, for platforms such as Windows, that include only the components of Linux that the runtime platform needs.
"All components can be substituted with ones that match specific needs. It is a kit, very much in the Docker philosophy of batteries included but swappable," explains Justin Cormack, a Docker software engineer. "To achieve our goals of a secure, lean and portable OS, we built it from containers, for containers."
Of course, cloud platforms, and even Windows (with the Windows Subsystem for Linux), have resources that can allow Linux apps to run in containers, but what LinuxKit does is provide an environment that is standardized and cross-platform. That means there should be no need (or perhaps much less need) to make changes to containers or applications before they can be moved from, say, Windows to Azure, or Linux to macOS.
So what's all that got to do with the isolation offered by containers compared to virtual machines? The answer is that because LinuxKit puts some of the Linux OS into the container, there is less need for an application running in a container to access the system resources of the host machine.
Of course, the extent to which that is true depends on the modules included in LinuxKit, and in the underlying host operating system. Nonetheless, the result is an application running in a container that is more like a virtual machine than, well, a container.
Will LinuxKit Make Linux Apps Running in a Container More Secure than in a VM?
The big question is whether this actually makes a Linux application running in a container using LinuxKit on, say, Windows more secure than a virtual machine running the same application.
And there are a few things to puzzle over here. For one thing, there might be a security weakness in LinuxKit. In fact, it might be surprising if there weren't.
The problem is that if the security weakness can be exploited it could leave any application vulnerable, regardless of the host OS it is running on. But since LinuxKit is modular, the potential for vulnerabilities is reduced.
That's because an exploit can't rely on certain resources actually being present in the modules that are included — beyond the kernel itself, and a few other vital ones.
On the other hand, there could be a weakness in a particular OS that could allow hackers to compromise an application running in a container on it. So what if organizations leverage the portability that LinuxKit enables to run the same application on a number of different host operating systems?
This would mean that at least some of them would be safe if a hacker could compromise one OS. And if a vulnerability in one OS is discovered, it would at least make it easier to move containers over to another OS until the vulnerable one is fixed.
So the best we can say at this point is that LinuxKit changes things significantly. Does it make containerized applications more secure? On that crucial question, the jury is still out.
Paul Rubens is a technology journalist and contributor to ServerWatch, EnterpriseNetworkingPlanet and EnterpriseMobileToday. He has also covered technology for international newspapers and magazines including The Economist and The Financial Times since 1991.