rkt (pronounced "rock-it") is a CLI for running app containers on Linux. rkt is designed to be secure, composable, and standards-based.
Some of rkt's key features and goals include:
- Security: rkt is developed with a principle of "secure-by-default", and includes a number of important security features like support for SELinux, TPM measurement, and running app containers in hardware-isolated VMs.
- Composability: rkt is designed for first-class integration with init systems (systemd, upstart) and cluster orchestration tools (fleet, Kubernetes, Nomad), and supports swappable execution engines.
- Open standards and compatibility: rkt implements the appc specification, supports the Container Networking Interface specification, can also run Docker images, and OCI images via docker2aci. Native OCI image support is in development.
For more on the background and motivation behind rkt, read the original launch announcement.
rkt's version 1.0 release marks the command line user interface and on-disk data structures as stable and reliable for external development. Any major changes to those primary areas will be clearly communicated, and a formal deprecation process conducted for any retired features. The (optional) API for pod inspection is not yet completely stabilized, but is quite usable, and an excellent area for testing and participation as it matures.
Check out the roadmap for more details on the future of rkt.
To get started quickly using rkt for the first time, start with the "trying out rkt" document. Also check rkt support on your Linux distribution. For an end-to-end example of building an application from scratch and running it with rkt, check out the getting started guide.
There are a number of different avenues for seeking help and communicating with the rkt community:
- For bugs and feature requests (including documentation!), file an issue
- For general discussion about both using and developing rkt, join the rkt-dev mailing list
- For real-time discussion, join us on IRC: #rkt-dev on freenode.org
- For more details on rkt development plans, check out the GitHub milestones
Most discussion about rkt development happens on GitHub via issues and pull requests. The rkt developers also host a semi-regular community sync meeting open to the public. This sync usually features demos, updates on the roadmap, and time for anyone from the community to ask questions of the developers or share users stories with others. For more details, including how to join and recordings of previous syncs, see the sync doc on Google Docs.
rkt is an open source project and contributions are gladly welcomed! See the Hacking Guide for more information on how to build and work on rkt. See CONTRIBUTING for details on submitting patches and the contribution workflow.
Unless otherwise noted, all code in the rkt repository is licensed under the Apache 2.0 license. Some portions of the codebase are derived from other projects under different licenses; the appropriate information can be found in the header of those source files, as applicable.
If you suspect you have found a security vulnerability in rkt, please do not file a GitHub issue, but instead email security@coreos.com with the full details, including steps to reproduce the issue. CoreOS is currently the primary sponsor of rkt development, and all reports are thoroughly investigated by CoreOS engineers. For more information, see the CoreOS security disclosure page.
Due to limitations in the Linux kernel, using rkt's overlay support on top of an overlay filesystem requires the upperdir and workdir to support the creation of trusted.* extended attributes and valid d_type in readdir responses (see kernel/Documentation/filesystems/overlayfs.txt). When starting rkt inside rkt this means that either:
- the inner
/var/lib/rkt
directory needs to be mounted on a host volume. - the outer or inner rkt container needs to be started using
--no-overlay
.
Due to a bug in the Linux kernel, using rkt when /var/lib/rkt
is on btrfs requires Linux 4.5.2+ (#2175).
Due to a bug in the Linux kernel, using rkt's overlay support in conjunction with SELinux requires a set of patches that are only currently available on some Linux distributions (for example, CoreOS Linux). Work is ongoing to merge this work into the mainline Linux kernel (#1727).
Linux 3.18+ is required to successfully garbage collect rkt pods when system services such as udevd are in a slave mount namespace (see lazy umounts on unlinked files and directories and #1922).