<!DOCTYPE html>
<html lang="en">
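<head>
  <meta charset="utf-8">
  <meta name="viewport" content="width=device-width, initial-scale=1.0">
  <meta name="google-site-verification" content="oBEColYSCRykfsZuRhgr85IbvF-04_BfZlaxOGyFCJg"/>
  <meta name="description" content="A security-minded, standards-based container engine.">
  <meta itemprop="name" content="rkt">
  <meta itemprop="description" content="A security-minded, standards-based container engine.">
  <!-- Preview images use https, like every other coreos.com asset on this page. -->
  <meta itemprop="image" content="https://coreos.com/assets/images/brand/CoreOS-twitter-embed.jpg">
  <meta property="og:title" content="rkt"/>
  <meta property="og:image" content="https://coreos.com/assets/images/brand/CoreOS-twitter-embed.jpg"/>
  <meta property="og:description" content="A security-minded, standards-based container engine."/>
  <title>rkt, a security-minded, standards-based container engine</title>
  <link href="https://coreos.com/dist/css/bootstrap.min.css" rel="stylesheet">
  <!-- Explicit https instead of a protocol-relative URL, so the stylesheet is never fetched over plain http.
       This is a versioned CDN asset and a candidate for an integrity (SRI) attribute plus crossorigin. -->
  <link href="https://maxcdn.bootstrapcdn.com/font-awesome/4.2.0/css/font-awesome.min.css" rel="stylesheet">
  <link href="https://coreos.com/assets/css/pygments-manni.css" rel="stylesheet">

  <!-- App Container (appc) image discovery.
       Each ac-discovery tag maps an image name prefix to a download URL template.
       Each ac-discovery-pubkeys tag maps the same prefix to the public key file
       used to check image signatures. Every URL here must stay on https: a client
       that takes its key location from this page can only trust the signature
       check as far as it can trust the transport that delivered the page and keys.
       Note that coreos.com/etcd lists two key files. -->
  <meta name="ac-discovery" content="coreos.com/rkt/builder https://github.com/rkt/rkt-builder/releases/download/v{version}/rkt-builder-{version}-{os}-{arch}.{ext}">
  <meta name="ac-discovery-pubkeys" content="coreos.com/rkt/builder https://coreos.com/dist/pubkeys/app-signing-pubkey.gpg">
  <meta name="ac-discovery" content="coreos.com/rkt/stage1-coreos https://github.com/rkt/rkt/releases/download/v{version}/stage1-coreos-{version}-{os}-{arch}.{ext}">
  <meta name="ac-discovery-pubkeys" content="coreos.com/rkt/stage1-coreos https://coreos.com/dist/pubkeys/app-signing-pubkey.gpg">
  <meta name="ac-discovery" content="coreos.com/rkt/stage1-fly https://github.com/rkt/rkt/releases/download/v{version}/stage1-fly-{version}-{os}-{arch}.{ext}">
  <meta name="ac-discovery-pubkeys" content="coreos.com/rkt/stage1-fly https://coreos.com/dist/pubkeys/app-signing-pubkey.gpg">
  <meta name="ac-discovery" content="coreos.com/rkt/stage1-kvm https://github.com/rkt/rkt/releases/download/v{version}/stage1-kvm-{version}-{os}-{arch}.{ext}">
  <meta name="ac-discovery-pubkeys" content="coreos.com/rkt/stage1-kvm https://coreos.com/dist/pubkeys/app-signing-pubkey.gpg">
  <meta name="ac-discovery" content="coreos.com/etcd https://github.com/coreos/etcd/releases/download/{version}/etcd-{version}-{os}-{arch}.{ext}">
  <meta name="ac-discovery-pubkeys" content="coreos.com/etcd https://coreos.com/dist/pubkeys/aci-pubkeys.gpg">
  <meta name="ac-discovery-pubkeys" content="coreos.com/etcd https://coreos.com/dist/pubkeys/app-signing-pubkey.gpg">
  <meta name="ac-discovery" content="coreos.com/bootcfg https://github.com/coreos/coreos-baremetal/releases/download/{version}/bootcfg-{version}-{os}-{arch}.{ext}">
  <meta name="ac-discovery-pubkeys" content="coreos.com/bootcfg https://coreos.com/dist/pubkeys/app-signing-pubkey.gpg">
  <meta name="ac-discovery" content="coreos.com/dnsmasq https://github.com/coreos/coreos-baremetal/releases/download/{version}/dnsmasq-{version}-{os}-{arch}.{ext}">
  <meta name="ac-discovery-pubkeys" content="coreos.com/dnsmasq https://coreos.com/dist/pubkeys/app-signing-pubkey.gpg">
  <meta name="ac-discovery" content="coreos.com/dex https://github.com/coreos/dex/releases/download/{version}/dex-{version}-{os}-{arch}.{ext}">
  <meta name="ac-discovery-pubkeys" content="coreos.com/dex https://coreos.com/dist/pubkeys/app-signing-pubkey.gpg">

  <link href="https://coreos.com/assets/css/coreos.css" rel="stylesheet">
  <link href="https://coreos.com/assets/css/syntax-highlight.css" rel="stylesheet">
  <!--[if lt IE 9]>
  <script src="/assets/js/html5shiv.js"></script>
  <script src="/assets/js/respond.min.js"></script>
  <![endif]-->
  <link href="https://coreos.com/atom.xml" type="application/atom+xml" rel="alternate" title="CoreOS Blog ATOM Feed">
  <!-- Icon URLs carry an explicit scheme. Without one, "www.coreos.com/..." is
       resolved as a path relative to this page and the icons never load. -->
  <link rel="apple-touch-icon-precomposed" sizes="144x144" href="https://www.coreos.com/assets/ico/apple-touch-icon-144-precomposed.png">
  <link rel="apple-touch-icon-precomposed" sizes="114x114" href="https://www.coreos.com/assets/ico/apple-touch-icon-114-precomposed.png">
  <link rel="apple-touch-icon-precomposed" sizes="72x72" href="https://www.coreos.com/assets/ico/apple-touch-icon-72-precomposed.png">
  <link rel="apple-touch-icon-precomposed" href="https://www.coreos.com/assets/ico/apple-touch-icon-57-precomposed.png">
  <link rel="shortcut icon" href="https://www.coreos.com/assets/ico/favicon.png">
  <link href="https://fonts.googleapis.com/css?family=Source+Sans+Pro:200,300,400,400italic,600,700,900" rel="stylesheet" type="text/css">
  <link href="https://fonts.googleapis.com/css?family=Source+Code+Pro:400,500,600,700" rel="stylesheet" type="text/css">
  <link rel="search" type="application/opensearchdescription+xml" title="CoreOS" href="/opensearch.xml"/>
  <!-- Page-specific colour overrides for the rkt landing page. -->
  <style>
    h2 {
      color:#24c6dc;
    }
    h3 {
      color:#24c6dc;
    }
    a {
      color:#436ca9;
    }
    .co-p-masthead-nav .co-p-masthead-nav-tabs .co-p-masthead-nav-tab-active a {
      color:#436ca9;
    }
    .co-p-rkt .co-p-rkt-quotes {
      background:linear-gradient(to right, #24c6dc, #436ca9) !important;
    }
  </style>
  <!-- Marketo Munchkin loader. The script runs with full access to this page,
       so it is fetched over https explicitly rather than by a protocol-relative URL.
       Inline scripts like this one also prevent a strict Content-Security-Policy
       without a nonce or hash. -->
  <script type="text/javascript">
    (function() {
      var didInit = false;
      // Guard so Munchkin.init runs once, whichever load callback fires first.
      function initMunchkin() {
        if(didInit === false) {
          didInit = true;
          Munchkin.init('231-DAD-511');
        }
      }
      var s = document.createElement('script');
      s.type = 'text/javascript';
      s.async = true;
      s.src = 'https://munchkin.marketo.net/munchkin-beta.js';
      // readyState callback for old IE; onload for everything else.
      s.onreadystatechange = function() {
        if (this.readyState == 'complete' || this.readyState == 'loaded') {
          initMunchkin();
        }
      };
      s.onload = initMunchkin;
      document.getElementsByTagName('head')[0].appendChild(s);
    })();
  </script>
  <!-- Google Analytics loader, fetched over https explicitly. -->
  <script>
    (function(i,s,o,g,r,a,m){i['GoogleAnalyticsObject']=r;i[r]=i[r]||function(){
    (i[r].q=i[r].q||[]).push(arguments)},i[r].l=1*new Date();a=s.createElement(o),
    m=s.getElementsByTagName(o)[0];a.async=1;a.src=g;m.parentNode.insertBefore(a,m)
    })(window,document,'script','https://www.google-analytics.com/analytics.js','ga');
    // Single property tracking
    // Uses the default tracker (more below)
    ga('create', 'UA-42684979-1', 'coreos.com');
    ga('require', 'displayfeatures');
    ga('send', 'pageview');
  </script>
</head>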
<body class="coreos-home co-m-main-nav-transparent co-p-header-large">
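<!-- Google Tag Manager: noscript fallback frame, then the script loader.
     Both URLs use https explicitly instead of a protocol-relative form, so the
     tag container is never requested over plain http. -->
<noscript><iframe src="https://www.googletagmanager.com/ns.html?id=GTM-MMX2DX" height="0" width="0" style="display:none;visibility:hidden" title="Google Tag Manager"></iframe></noscript>
<script>(function(w,d,s,l,i){w[l]=w[l]||[];w[l].push({'gtm.start':
new Date().getTime(),event:'gtm.js'});var f=d.getElementsByTagName(s)[0],
j=d.createElement(s),dl=l!='dataLayer'?'&l='+l:'';j.async=true;j.src=
'https://www.googletagmanager.com/gtm.js?id='+i+dl;f.parentNode.insertBefore(j,f);
})(window,document,'script','dataLayer','GTM-MMX2DX');</script>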
<div class="co-p-docs-masthead">
<div class="co-p-header-masthead co-p-header-masthead-twolevel co-p-background-hexagons" style="background: linear-gradient(to right, #24c6dc, #436ca9) !important;">
<!--
<div class="co-m-global-nav">
</div>
<div class="co-m-main-nav">
<div class="navbar navbar-static-top coreos-nav co-m-main-nav-container" role="navigation">
<div class="container">
<div class="navbar-header">
<button class="navbar-toggle" type="button" data-toggle="collapse" data-target=".coreos-nav-collapse">
<span class="icon-bar co-m-main-nav-hamburger"></span>
<span class="icon-bar co-m-main-nav-hamburger"></span>
<span class="icon-bar co-m-main-nav-hamburger"></span>
</button>
<a href="/" class="navbar-brand co-m-main-nav-brand" data-category="Main Navigation" data-event="Logo">
<svg version="1.1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" x="0px" y="0px" preserveAspectRatio="xMidYMin" height="30px" viewBox="24.5 none 41.5 744 223" enable-background="new 24.5 41.5 744 223" xml:space="preserve">
<defs>
<filter id="black-glow">
<feColorMatrix type="matrix" values="0 0 0 0 0
0 0 0 0 0
0 0 0 0 0
0 0 0 0.5 0"/>
<feGaussianBlur stdDeviation="3.5" result="coloredBlur"/>
<feMerge>
<feMergeNode in="coloredBlur"/>
<feMergeNode in="SourceGraphic"/>
</feMerge>
</filter>
</defs>
<path class="co-p-main-nav-brand-mantle" fill="#F1606D" d="M136.168,55.389c-17.283,0-31.941,27.645-37.235,66.069c-0.169,1.236-0.333,2.487-0.478,3.746
c-0.723,6.047-1.213,12.335-1.458,18.808c-0.117,2.962-0.175,5.956-0.175,8.988c0,3.029,0.058,6.029,0.175,8.985
c0.245,6.472,0.735,12.764,1.458,18.811c8.104,1.049,16.769,1.761,25.807,2.099c3.907,0.146,7.872,0.233,11.907,0.233
c4.023,0,8-0.088,11.895-0.233c9.049-0.338,17.708-1.05,25.819-2.099c0.892-0.114,1.77-0.239,2.659-0.368
c33.754-4.74,57.235-15.232,57.235-27.428C233.776,99.088,190.071,55.389,136.168,55.389z"/>
<path class="co-p-main-nav-brand-core" fill="#FFFFFF" d="M176.541,125.569c-0.979-1.428-2.029-2.796-3.148-4.11c-8.956-10.557-22.297-17.265-37.224-17.265
c-4.839,0-9.148,7.407-11.907,18.909c-1.096,4.586-1.947,9.819-2.495,15.498c-0.432,4.551-0.665,9.391-0.665,14.399
s0.233,9.849,0.665,14.396c4.554,0.432,9.387,0.664,14.402,0.664c5.009,0,9.842-0.232,14.396-0.664
c10.011-0.95,18.653-2.875,24.775-5.411c6.046-2.501,9.624-5.615,9.624-8.985C184.963,142.832,181.858,133.388,176.541,125.569z"/>
<g class="co-p-main-nav-brand-text-bold">
<path fill="#231F20" d="M344.891,100.053c12.585,0,22.816,6.138,29.262,13.062l-10.064,11.326
c-5.353-5.192-11.175-8.495-19.041-8.495c-16.839,0-28.953,14.16-28.953,37.291c0,23.448,11.169,37.608,28.32,37.608
c9.128,0,15.895-3.775,21.717-10.228l10.067,11.169c-8.335,9.598-19.038,14.95-32.099,14.95c-26.119,0-46.731-18.88-46.731-53.025
C297.37,120.036,318.454,100.053,344.891,100.053z"/>
<path fill="#231F20" d="M416.961,125.701c19.352,0,36.822,14.793,36.822,40.597c0,25.647-17.471,40.439-36.822,40.439
c-19.197,0-36.66-14.792-36.66-40.439C380.301,140.494,397.764,125.701,416.961,125.701z M416.961,191.945
c11.33,0,18.25-10.228,18.25-25.647c0-15.577-6.92-25.804-18.25-25.804s-18.094,10.227-18.094,25.804
C398.867,181.717,405.631,191.945,416.961,191.945z"/>
<path fill="#231F20" d="M459.771,127.589h14.943l1.26,13.688h0.629c5.506-10.07,13.691-15.577,21.871-15.577
c3.938,0,6.455,0.472,8.811,1.574l-3.148,15.734c-2.67-0.784-4.717-1.257-8.018-1.257c-6.139,0-13.539,4.245-18.256,15.893v47.203
h-18.092L459.771,127.589L459.771,127.589z"/>
<path fill="#231F20" d="M541.121,125.701c20.928,0,31.941,15.107,31.941,36.667c0,3.458-0.314,6.604-0.787,8.495h-49.09
c1.57,14.003,10.379,21.869,22.811,21.869c6.613,0,12.273-2.041,17.941-5.662l6.135,11.326c-7.395,4.878-16.676,8.341-26.432,8.341
c-21.404,0-38.08-14.95-38.08-40.439C505.561,141.12,523.023,125.701,541.121,125.701z M557.326,159.376
c0-12.277-5.189-19.671-15.732-19.671c-9.125,0-16.996,6.768-18.57,19.671H557.326z"/>
</g>
<path class="co-p-main-nav-brand-text-light" fill="#F1606D" d="M600.602,152.607c0-32.729,17.785-53.344,42.799-53.344c24.863,0,42.641,20.615,42.641,53.344
c0,32.889-17.777,54.13-42.641,54.13C618.387,206.737,600.602,185.496,600.602,152.607z M678.49,152.607
c0-28.639-14.158-46.731-35.09-46.731c-21.084,0-35.248,18.093-35.248,46.731c0,28.796,14.164,47.521,35.248,47.521
C664.332,200.128,678.49,181.403,678.49,152.607z"/>
<path class="co-p-main-nav-brand-text-light" fill="#53A4D9" d="M699.738,186.125c7.557,8.495,18.412,14.003,30.529,14.003c15.732,0,25.807-8.499,25.807-20.767
c0-12.904-8.494-17.154-18.723-21.717l-15.736-7.082c-8.969-3.936-20.934-10.385-20.934-25.808
c0-14.947,12.904-25.492,30.059-25.492c12.588,0,22.658,5.665,28.949,12.435l-4.244,4.878c-5.982-6.452-14.32-10.7-24.705-10.7
c-13.691,0-22.816,7.239-22.816,18.565c0,11.962,10.385,16.521,17.936,19.985l15.738,6.921
c11.486,5.195,21.713,11.647,21.713,27.539s-13.061,27.851-33.201,27.851c-15.107,0-26.75-6.451-34.932-15.576L699.738,186.125z"/>
<path class="co-p-main-nav-brand-crust" fill="#53A3DA" d="M136.168,45.527C76.898,45.527,28.689,93.739,28.689,153c0,59.265,48.209,107.474,107.479,107.474
c59.252,0,107.465-48.209,107.465-107.474C243.633,93.739,195.42,45.527,136.168,45.527z M176.542,180.428
c-0.889,0.129-1.767,0.254-2.659,0.368c-8.111,1.049-16.77,1.761-25.819,2.099c-3.895,0.145-7.872,0.233-11.895,0.233
c-4.035,0-8-0.087-11.907-0.233c-9.038-0.338-17.703-1.05-25.807-2.099c-0.723-6.047-1.213-12.339-1.458-18.811
c-0.117-2.956-0.175-5.956-0.175-8.985c0-3.032,0.058-6.026,0.175-8.988c0.245-6.473,0.735-12.761,1.458-18.808
c0.145-1.259,0.309-2.51,0.478-3.746c5.294-38.424,19.952-66.069,37.235-66.069c53.903,0,97.608,43.699,97.609,97.611
C233.777,165.196,210.296,175.688,176.542,180.428z"/>
</svg>
</a>
<div class="co-m-main-nav-hint pull-right visible-xs">Menu</div>
</div>
<div class="navbar-collapse collapse coreos-nav-collapse">
<ul class="nav navbar-nav navbar-left">
<li class="dropdown co-m-dropdown co-m-main-nav-products co-p-main-nav-toplevel co-p-main-nav-toplevel">
<a href="#" class="dropdown-toggle" data-toggle="dropdown" role="button" aria-expanded="false" data-category="Main Navigation" data-event="Products: Open Dropdown">Products <span class="fa fa-angle-down"></span></a>
<ul class="dropdown-menu co-m-dropdown-menu" role="menu">
<li class="co-m-dropdown-menu-categories-category">
<ul class="co-m-dropdown-menu-categories-sublinks co-m-main-nav-products-sublink">
<li>
<a href="/tectonic/" data-category="Product Dropdown" data-event="Tectonic">Tectonic - Kubernetes</a>
</li>
<li>
<a href="/quay-enterprise" data-category="Product Dropdown" data-event="Products: Quay.io">Quay - Registry</a>
</li>
<li>
<a href="/products/container-linux-subscription/" data-category="Product Dropdown" data-event="Products: Premium Managed Linux">Container Linux Support</a>
</li>
<li>
<a href="/training/" data-category="Product Dropdown" data-event="Training: Kubernetes">Training</a>
</li>
</ul>
</li>
</ul>
</li>
<li class="dropdown co-m-dropdown co-m-main-nav-products co-p-main-nav-toplevel co-p-main-nav-toplevel">
<a href="#" class="dropdown-toggle" data-toggle="dropdown" role="button" aria-expanded="false" data-category="Main Navigation" data-event="Products: Open Dropdown">Open Source <span class="fa fa-angle-down"></span></a>
<ul class="dropdown-menu co-m-dropdown-menu" role="menu">
<li class="co-m-dropdown-menu-categories-category">
<ul class="co-m-dropdown-menu-categories-sublinks co-m-main-nav-products-sublink">
<li>
<a href="/docs" data-category="Open Source" data-event="docs">Open Source Docs</a>
</li>
<li>
<a href="/kubernetes" data-category="Open Source" data-event="Kubernetes">Kubernetes</a>
</li>
<li>
<a href="/operators" data-category="Open Source" data-event="Operators">Operators</a>
</li>
<li>
<a href="/os/docs/latest" data-category="Open Source" data-event="CoreOS Linux">Container Linux</a>
</li>
<li>
<a href="/rkt" data-category="Open Source" data-event="rkt">rkt</a>
</li>
<li>
<a href="/etcd" data-category="Open Source" data-event="ectd">etcd</a>
</li>
<li>
<a href="/clair" data-category="Open Source" data-event="Clair">Clair</a>
</li>
<li>
<a href="/flannel" data-category="Open Source" data-event="flannel">flannel</a>
</li>
<li>
<a href="/ignition" data-category="Open Source" data-event="Ignition">Ignition</a>
</li>
<li>
<a href="/matchbox" data-category="Open Source" data-event="Matchbox">Matchbox</a>
</li>
<li>
<a href="https://github.com/coreos/" data-category="Open Source" data-event="Github">90+ more on Github</a>
</li>
</ul>
</li>
</ul>
</li>
<li class="dropdown co-m-dropdown co-m-main-nav-products co-p-main-nav-toplevel co-p-main-nav-toplevel">
<a href="/resources" data-category="Main Navigation" data-event="Resources">Resources</a>
</li>
<li class="dropdown co-m-dropdown co-m-main-nav-products co-p-main-nav-toplevel co-p-main-nav-toplevel">
<a href="#" class="dropdown-toggle" data-toggle="dropdown" role="button" aria-expanded="false" data-category="Main Navigation" data-event="Products: Open Dropdown">Company <span class="fa fa-angle-down"></span></a>
<ul class="dropdown-menu co-m-dropdown-menu" role="menu">
<li class="co-m-dropdown-menu-categories-category">
<ul class="co-m-dropdown-menu-categories-sublinks co-m-main-nav-products-sublink">
<li>
<a href="/about/" data-category="Company" data-event="About">About CoreOS</a>
</li>
<li>
<a href="/blog" data-category="Company" data-event="Blog">CoreOS Blog</a>
</li>
<li>
<a href="https://blog.quay.io/" data-category="Company" data-event="Blog">Quay Blog</a>
</li>
<li>
<a href="/community" data-category="Open Source" data-event="events">Events</a>
</li>
<li>
<a href="/careers" data-category="Company" data-event="Careers">Careers</a>
</li>
<li>
<a href="/press" data-category="Company" data-event="Press">Press</a>
</li>
<li>
<a href="/contact" data-category="Company" data-event="Contact">Contact Us</a>
</li>
</ul>
</li>
</ul>
</li>
<li class="dropdown co-m-dropdown co-m-main-nav-products co-p-main-nav-toplevel co-p-main-nav-toplevel">
<a href="/contact" data-category="Main Navigation" data-event="Contact Us">Contact Us</a>
</li>
</ul>
<div class="navbar-right">
<a class="login-link" href="https://account.coreos.com/">Login</a>
<div class="search">
<form class="search-container" action="https://coreos.com/docs/search/">
<input id="search-box" type="text" class="search-box" name="q" placeholder="Search..."/>
<input type="submit" id="search-submit"/>
</form>
<span class="glyphicon glyphicon-search search-icon"></span>
</div>
</div>
</div>
</div>
</div>
</div>-->
<div class="container co-p-header-masthead-content co-p-header-masthead-left">
<svg version="1.1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" x="0px" y="0px" preserveAspectRatio="xMidYMin" height="50px" viewBox="0 0 253.846 106.509" enable-background="new 0 0 253.846 106.509" xml:space="preserve">
<defs>
<filter id="black-glow">
<feColorMatrix type="matrix" values="0 0 0 0 0
0 0 0 0 0
0 0 0 0 0
0 0 0 0.5 0"/>
<feGaussianBlur stdDeviation="3.5" result="coloredBlur"/>
<feMerge>
<feMergeNode in="coloredBlur"/>
<feMergeNode in="SourceGraphic"/>
</feMerge>
</filter>
</defs>
<g>
<path fill="#FFFFFF" style="filter:url(#black-glow)" d="M57.359,103.202c0,0,1.943-9.385,10.066-20.65c5.646-3.262,11.308-7.259,16.104-12.054
c4.434-21.988-2.297-45.579-2.297-45.579s-23.591-6.73-45.578-2.296c-4.797,4.798-8.792,10.46-12.054,16.104
C12.332,46.848,2.949,48.791,2.949,48.791s7.505,5.153,11.126,11c-1.542,4.448-2.267,7.314-2.267,7.314
c0.587,2.745,2.324,5.947,4.721,9.178c-1.655,1.312-3.595,2.677-5.703,3.818c-0.252,0.139-0.51,0.272-0.767,0.402
c1.809,5.967,9.799,13.482,15.619,15.507c0.118-0.233,0.241-0.463,0.366-0.692c1.174-2.165,2.583-4.154,3.927-5.839
c3.261,2.366,6.448,4.129,9.074,4.861c0,0,2.869-0.724,7.316-2.266C52.206,95.696,57.359,103.202,57.359,103.202z M40.775,83.328
c-3.347-1.45-7.792-5.02-10.822-8.052c-4.097-4.097-6.317-7.587-7.169-9.759c1.439-4.905,6.967-21.849,17.584-33.24
c12.804-2.174,26.217,0.163,32.055,1.45c1.286,5.836,3.626,19.252,1.45,32.055C62.552,76.343,45.853,81.835,40.775,83.328z"/>
<circle fill="#FFFFFF" cx="52.002" cy="54.15" r="8.769"/>
</g>
<g>
<path fill="#FFFFFF" style="filter:url(#black-glow)" d="M114.595,33.664h8.704l0.896,11.265h0.384c4.224-7.809,10.625-12.801,17.665-12.801
c2.688,0,4.608,0.384,6.656,1.28l-2.048,9.216c-2.048-0.64-3.456-1.024-6.016-1.024c-5.249,0-11.521,3.84-15.745,14.336v39.938
h-10.497V33.664z"/>
<path fill="#FFFFFF" style="filter:url(#black-glow)" d="M157.009,4.735h10.368v61.699h0.384l26.497-32.77h11.648l-20.865,24.961l23.681,37.25h-11.521
l-18.177-29.954L167.377,79.49v16.385h-10.368V4.735z"/>
<path fill="#FFFFFF" style="filter:url(#black-glow)" d="M221.37,42.241h-9.216v-7.937l9.729-0.64l1.28-17.409h8.833v17.409h16.769v8.577h-16.769v34.562
c0,7.68,2.432,12.032,9.601,12.032c2.176,0,4.992-0.896,7.04-1.664l2.048,7.937c-3.456,1.152-7.681,2.304-11.521,2.304
c-13.313,0-17.793-8.448-17.793-20.737V42.241z"/>
</g>
</svg>
<h2>A security-minded, standards-based container engine</h2>
<div class="co-p-masthead-nav">
<div class="container">
<ul class="row co-p-masthead-nav-tabs" id="tabs">
<li class="col-lg-3 col-md-3 col-sm-4 col-xs-12 co-p-masthead-nav-tab co-p-masthead-nav-tab-active">
<a href="/rkt/" class="btn-icon-left" data-category="rkt Masthead Tab" data-event="rkt: Overview">
<span class="fa fa-info-circle"></span>
Overview
</a>
</li>
<!--<li class="col-lg-3 col-md-3 col-sm-4 col-xs-12 co-p-masthead-nav-tab ">
<a href="https://alexcontini.github.io/rkt/docs.html" class="btn-icon-left" data-category="rkt Masthead Tab" data-event="rkt: Documentation">
<span class="fa fa-book"></span>
Documentation
</a>
</li>-->
<li class="col-lg-3 col-md-3 col-sm-4 col-xs-12 co-p-masthead-nav-tab">
<a href="https://github.com/rkt/rkt/" class="btn-icon-left" data-category="rkt Masthead Tab" data-event="Github: rkt">
<span class="fa fa-github"></span>
GitHub Project
</a>
</li>
</ul>
</div>
</div>
</div>
</div>
</div>
<div class="co-p-rkt">
<div class="super-container co-p-rkt-overview">
<div class="container">
<h2>Overview</h2>
<div class="row">
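<!-- Overview copy. The Kubernetes link opens a new tab, so it carries
     rel="noopener noreferrer" to keep the opened page from reaching this one
     through window.opener. -->
<div class="col-lg-7 col-md-7 col-sm-12 col-xs-12">
  <p>rkt is an application container engine developed for modern production cloud-native environments. It features a pod-native approach, a pluggable execution environment, and a well-defined surface area that makes it ideal for integration with other systems.</p>
  <p>The core execution unit of rkt is the <em>pod</em>, a collection of one or more applications executing in a shared context (rkt's pods are synonymous with <a href="https://kubernetes.io/docs/user-guide/pods/#what-is-a-pod" target="_blank" rel="noopener noreferrer">the concept in the Kubernetes orchestration system</a>). rkt allows users to apply different configurations (like isolation parameters) at both pod-level and at the more granular per-application level. rkt's architecture means that each pod executes directly in the classic Unix process model (i.e. there is no central daemon), in a self-contained, isolated environment. rkt implements a modern, open, standard container format, the App Container (appc) spec, but can also execute other container images, like those created with Docker.</p>
  <p>Since its introduction by CoreOS in December 2014, the rkt project has greatly matured and is widely used. It is available for most major Linux distributions and every rkt release builds self-contained rpm/deb packages that users can install. These packages are also available as part of the Kubernetes repository to enable testing of the rkt + Kubernetes integration. rkt also plays a central role in how Google Container Image and CoreOS Container Linux run Kubernetes.</p>
</div>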
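<!-- Overview sidebar: CNCF membership badge and in-page section links. -->
<div class="col-lg-5 col-md-5 col-sm-12 col-xs-12">
  <div class="co-p-rkt-overview-sidebar">
    <div class="row">
      <div class="col-lg-12 col-md-12 col-md-push-0 col-sm-6 col-sm-push-6 col-xs-12">
        <div class="co-p-homepage-subnav">
          We are a Cloud Native Computing Foundation member project.<br>
          <!-- Absolute https URL: a bare "cncf.io" is resolved relative to this page
               and does not reach the CNCF site. -->
          <a href="https://www.cncf.io/"><img src="https://www.cncf.io/wp-content/uploads/sites/2/2016/09/logo_cncf.png" alt="Cloud Native Computing Foundation" style="width:60%"></a>
        </div>
      </div>
      <div class="col-lg-12 col-md-12 col-md-pull-0 col-sm-6 col-sm-pull-6 col-xs-12">
        <div class="co-p-homepage-subnav">
          <h4>More Information</h4>
          <a href="https://github.com/coreos/rkt/releases" class="co-p-homepage-subnav-item" data-category="rkt Subnav" data-event="rkt: Download">Download</a>
          <a href="#features" class="co-p-homepage-subnav-item" data-category="rkt Subnav" data-event="rkt: Features">Features</a>
          <a href="#security" class="co-p-homepage-subnav-item" data-category="rkt Subnav" data-event="rkt: Security">Security</a>
          <a href="#devops" class="co-p-homepage-subnav-item" data-category="rkt Subnav" data-event="rkt: Dev and Ops">Dev &amp; Ops</a>
          <a href="#technical" class="co-p-homepage-subnav-item" data-category="rkt Subnav" data-event="rkt: Command Line Examples">Command Line Examples</a>
          <a href="#build" class="co-p-homepage-subnav-item" data-category="rkt Subnav" data-event="rkt: Build">Building Images</a>
        </div>
      </div>
    </div>
  </div>
</div>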
</div>
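<!-- Distribution logos: each image names its distribution in alt text, and the
     trailing paragraph is closed before its container ends. -->
<div class="row co-p-rkt-overview-actions">
  <div class="col-lg-12 col-md-12 col-sm-12 col-xs-12">
    <div class="co-p-rkt-overview-primary">
      <div class="co-p-rkt-distros">
        <p style="margin-left:15px">rkt ships in:</p>
        <div class="co-p-rkt-distro"><img src="https://coreos.com/assets/images/partners/archlinux-logo-dark.svg" alt="Arch Linux"/></div>
        <div class="co-p-rkt-distro"><img src="https://coreos.com/assets/images/brand/coreos-wordmark-horiz-color.svg" alt="CoreOS"/></div>
        <div class="co-p-rkt-distro"><img src="https://coreos.com/assets/images/partners/fedora_logo.svg" alt="Fedora"/></div>
        <div class="co-p-rkt-distro"><img src="https://coreos.com/assets/images/partners/nixos-hires.png" alt="NixOS"/></div>
        <p>+ <a href="/rkt/docs/latest/">other distros</a></p>
      </div>
    </div>
  </div>
</div>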
</div>
<div class="super-container co-p-rkt-features" id="features">
<div class="container">
<div class="row co-m-feature-block co-m-feature-block-center">
<div class="col-lg-4 col-md-4 col-sm-4 col-xs-12">
<div class="co-m-feature-block-illustration co-p-rkt-illustration">
<img src="https://coreos.com/assets/images/media/rkt-init.svg" alt="rkt init system integration">
</div>
<h3>Composable</h3>
<p class="co-p-rkt-illustration-desc">Following the Unix tools philosophy, rkt is a single binary that integrates with init systems, scripts, and complex devops pipelines. Containers take their correct place in the PID hierarchy and can be managed with standard utilities.</p>
</div>
<div class="col-lg-4 col-md-4 col-sm-4 col-xs-12">
<div class="co-m-feature-block-illustration co-p-rkt-illustration">
<img src="https://coreos.com/assets/images/media/rkt-isolation.svg" alt="customizable isolation in rkt">
</div>
<h3>Customizable Isolation</h3>
<p class="co-p-rkt-illustration-desc">Use containers as a standard, secure deployment object, and choose the appropriate level of isolation using rkt’s pluggable runtime architecture, <a href="/rkt/docs/latest/devel/architecture.html" data-category="rkt Overview" data-event="rkt Docs: Architecture">known as <strong>stages</strong></a>.</p>
</div>
<div class="col-lg-4 col-md-4 col-sm-4 col-xs-12">
<div class="co-m-feature-block-illustration co-p-rkt-illustration">
<img src="https://coreos.com/assets/images/media/rkt-pod.svg" alt="rkt has pods built-in">
</div>
<h3>Pods Built-In</h3>
<p class="co-p-rkt-illustration-desc">The atomic unit in rkt is <a href="/rkt/docs/latest/app-container.html#pods" data-category="rkt Features" data-event="rkt Docs: Pods">the pod</a>, a group of related containers that share resources. This allows for easy stacking of related components, and maps directly to cluster management concepts.</p>
</div>
</div>
<div class="co-p-rkt-isolation" id="isolation">
<div class="co-p-rkt-isolation-dotted"></div>
<div class="co-p-rkt-isolation-solid"></div>
<div class="co-p-rkt-isolation-levels">
<div class="co-p-rkt-isolation-level">
<div class="co-p-rkt-isolation-circle">
<div class="co-p-rkt-isolation-inner co-p-rkt-isolation-small"></div>
</div>
<h4>Privileged</h4>
<p>Specialized, trusted processes can run like a traditional chroot.</p>
<a href="/rkt/docs/latest/running-fly-stage1.html" data-category="rkt Isolation" data-event="rkt Docs: Fly">Read about rkt fly</a>
</div>
<div class="co-p-rkt-isolation-level">
<div class="co-p-rkt-isolation-circle">
<div class="co-p-rkt-isolation-inner co-p-rkt-isolation-medium"></div>
</div>
<h4>Container/cgroup</h4>
<p>Normal namespacing and cgroup isolation enforced by software above a shared kernel.</p>
<a href="/rkt/docs/latest/devel/architecture.html" data-category="rkt Isolation" data-event="rkt Docs: Architecture">Design thinking of rkt</a>
</div>
<div class="co-p-rkt-isolation-level">
<div class="co-p-rkt-isolation-circle">
<div class="co-p-rkt-isolation-inner co-p-rkt-isolation-large"></div>
</div>
<h4>Virtual Machine</h4>
<p>Full hardware virtualization for running certain high-performance or high-security workloads.</p>
<a href="/rkt/docs/latest/running-lkvm-stage1.html" data-category="rkt Isolation" data-event="rkt Docs: LKVM">Running with LKVM</a>
</div>
</div>
<div class="co-p-rkt-isolation-message">Benefit from standard packaging, signing and distribution at all isolation levels.</div>
</div>
</div>
</div>
<div class="super-container co-p-rkt-quotes">
<div class="container">
<div class="co-p-rkt-quotes-subheader">Industry leaders support the design philosophy of rkt</div>
<div class="row co-p-rkt-quotes-container">
<div class="col-lg-6 col-md-6 col-sm-12 col-xs-12 co-p-rkt-quote">
<div class="co-m-customer-quote" id="xoom">
<div class="co-m-customer-quote-body co-m-customer-triangle-sw">
<div class="co-m-customer-triangle"></div>
<div class="co-m-customer-quote-open">“</div>
<div class="co-m-customer-quote-content">
<p>We find CoreOS’s rkt a compelling <a href="https://coreos.com/rkt/docs/latest/using-rkt-with-kubernetes.html">container engine in Kubernetes</a> because of how rkt composes with underlying systemd.</p>
<p>The rkt runtime assumes only the responsibility it needs to, then delegates to other system services where appropriate. This separation of concerns is important to us.</p>
</div>
<div class="co-m-customer-quote-close">”</div>
</div>
<div>
<div class="co-m-customer-quote-picture">
<img src="https://coreos.com/assets/images/photos/mark.petrovic.png">
</div>
<div class="co-m-customer-quote-name">
<strong>Mark Petrovic</strong><br/>
senior MTS and architect
</div>
<div class="co-m-customer-quote-logo">
<img src="https://coreos.com/assets/images/partners/xoom-logo.svg"/>
</div>
</div>
</div>
</div>
<div class="col-lg-6 col-md-6 col-sm-12 col-xs-12 co-p-rkt-quote">
<div class="co-m-customer-quote" id="blablacar">
<div class="co-m-customer-quote-body co-m-customer-triangle-sw">
<div class="co-m-customer-triangle"></div>
<div class="co-m-customer-quote-open">“</div>
<div class="co-m-customer-quote-content">
<p>We have been impressed by the stability and the flexibility of rkt even in very early versions.</p>
<p>We are <a href="http://blablatech.com/blog/why-and-how-blablacar-went-full-containers">migrating all our services</a> to rkt and CoreOS. As of today, 90 percent of our product already runs on this platform.</p>
</div>
<div class="co-m-customer-quote-close">”</div>
</div>
<div>
<div class="co-m-customer-quote-picture">
<img src="https://coreos.com/assets/images/photos/simon-lallemand.png">
</div>
<div class="co-m-customer-quote-name">
<strong>Simon Lallemand</strong><br/>
system engineer
</div>
<div class="co-m-customer-quote-logo">
<img src="https://coreos.com/assets/images/partners/blablacar.png"/>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
<!-- Security feature grid: three rows of two items. Each item is a title, a
     one-line description and, for all but the seccomp item, one or two doc links. -->
<div class="super-container co-p-rkt-security" id="security">
  <div class="container">
    <h2 class="text-center">A Security-minded Container Engine</h2>

    <!-- Row 1: per-container isolation level, SELinux integration. -->
    <div class="row">
      <div class="col-lg-6 col-md-6 col-sm-6 col-xs-12">
        <div class="co-p-rkt-security-item">
          <h3 class="co-p-rkt-security-title">Turn isolation up or down per container</h3>
          <p class="co-p-rkt-security-desc">Use KVM for VM-based isolation when required.</p>
          <div class="co-p-rkt-security-links">
            <a href="https://coreos.com/rkt/docs/latest/running-lkvm-stage1.html" class="co-p-rkt-security-link" data-category="rkt Security" data-event="rkt Docs: LKVM"><span class="co-p-rkt-security-link-type">Doc</span>Running a container with LKVM</a>
          </div>
        </div>
      </div>
      <div class="col-lg-6 col-md-6 col-sm-6 col-xs-12">
        <div class="co-p-rkt-security-item">
          <h3 class="co-p-rkt-security-title">Integrated with SELinux</h3>
          <p class="co-p-rkt-security-desc">Support for SVirt in addition to a default SELinux policy</p>
          <div class="co-p-rkt-security-links">
            <a href="https://coreos.com/rkt/docs/latest/selinux.html" class="co-p-rkt-security-link" data-category="rkt Security" data-event="rkt Docs: SELinux"><span class="co-p-rkt-security-link-type">Doc</span>Using SELinux + rkt</a>
          </div>
        </div>
      </div>
    </div>

    <!-- Row 2: seccomp filtering, image signing and verification. -->
    <div class="row">
      <div class="col-lg-6 col-md-6 col-sm-6 col-xs-12">
        <!-- This item has no links block, unlike the other five. -->
        <div class="co-p-rkt-security-item">
          <h3 class="co-p-rkt-security-title">Enforces seccomp filtering on containers in pods</h3>
          <p class="co-p-rkt-security-desc">rkt leverages systemd seccomp features to strengthen container isolation by denying unsafe system calls and privilege escalation</p>
        </div>
      </div>
      <div class="col-lg-6 col-md-6 col-sm-6 col-xs-12">
        <!-- Verification is described as the default. The "Running Docker containers"
             example further down this page switches it off with the
             insecure-options=image flag, so keep the two passages consistent. -->
        <div class="co-p-rkt-security-item">
          <h3 class="co-p-rkt-security-title">Containers are signed & verified by default</h3>
          <p class="co-p-rkt-security-desc">Operations team can control granular trust permissions</p>
          <div class="co-p-rkt-security-links">
            <a href="https://coreos.com/rkt/docs/latest/subcommands/trust.html" class="co-p-rkt-security-link" data-category="rkt Security" data-event="rkt Docs: trust"><span class="co-p-rkt-security-link-type">Doc</span>The rkt trust Command</a>
            <a href="https://coreos.com/rkt/docs/latest/signing-and-verification-guide.html" class="co-p-rkt-security-link" data-category="rkt Security" data-event="rkt Docs: Sign and Verify"><span class="co-p-rkt-security-link-type">Doc</span>Signing and Verifying Images</a>
          </div>
        </div>
      </div>
    </div>

    <!-- Row 3: unprivileged fetch, TPM-backed trust. -->
    <div class="row">
      <div class="col-lg-6 col-md-6 col-sm-6 col-xs-12">
        <div class="co-p-rkt-security-item">
          <h3 class="co-p-rkt-security-title">Fetch containers as non-root user</h3>
          <p class="co-p-rkt-security-desc">A safer way to download app container images from the internet</p>
          <div class="co-p-rkt-security-links">
            <a href="https://coreos.com/rkt/docs/latest/subcommands/fetch.html" class="co-p-rkt-security-link" data-category="rkt Security" data-event="rkt Docs: Fetch"><span class="co-p-rkt-security-link-type">Doc</span>Overview of rkt fetch</a>
          </div>
        </div>
      </div>
      <div class="col-lg-6 col-md-6 col-sm-6 col-xs-12">
        <div class="co-p-rkt-security-item">
          <h3 class="co-p-rkt-security-title">Leverage the TPM for container security</h3>
          <p class="co-p-rkt-security-desc">Ensure only trusted containers run on your machines</p>
          <div class="co-p-rkt-security-links">
            <a href="https://tectonic.com/trusted-computing/" class="co-p-rkt-security-link" data-category="rkt Security" data-event="Tectonic: Whitepaper"><span class="co-p-rkt-security-link-type">Doc</span>Distributed Trusted Computing Whitepaper</a>
            <a href="https://coreos.com/blog/coreos-trusted-computing.html" class="co-p-rkt-security-link" data-category="rkt Security" data-event="Blog: Trusted Computing"><span class="co-p-rkt-security-link-type">Blog</span>Trusted Computing with CoreOS & rkt</a>
          </div>
        </div>
      </div>
    </div>
  </div>
</div>
<!-- Dev/Ops pitch followed by a feature comparison table: row labels in the
     first column, rkt in the second, Docker in the third. -->
<div class="super-container co-p-rkt-security" id="devops">
  <div class="container">
    <h2 class="text-center">The Container Engine for Dev and Ops</h2>
    <div class="row">
      <div class="col-lg-5 col-lg-offset-1 col-md-6 col-sm-6 col-xs-12">
        <h3>Dev: Use your existing Docker images</h3>
        <p>rkt can fetch, convert and execute Docker containers. Use your current registry, or <a href="https://quay.io/" data-category="rkt DevOps" data-event="quay.io">Quay.io</a>.</p>
      </div>
      <div class="col-lg-5 col-md-6 col-sm-6 col-xs-12">
        <h3>Ops: Practical Security Built-in</h3>
        <p>rkt treats practical security as a first principle of its design. It embodies everyday best practices and helps enforce them in your cluster.</p>
      </div>
    </div>
    <div class="co-p-rkt-comparison">
      <!-- The logo row and the row labels are plain td cells; the table has no th and no caption. -->
      <table>
        <tr>
          <td class="co-p-rkt-comparison-header co-p-rkt-compare-label"> </td>
          <td class="co-p-rkt-comparison-header co-p-rkt-compare-rkt"><img src="https://coreos.com/assets/images/media/rkt-horizontal-color.png" alt="CoreOS rkt"></td>
          <td class="co-p-rkt-comparison-header co-p-rkt-compare-docker"><img src="https://coreos.com/assets/images/partners/docker.png" alt="Docker"></td>
        </tr>
        <tr>
          <td class="co-p-rkt-comparison-label">Runs Docker images</td>
          <td><span class="fa fa-check co-p-rkt-comparison-positive"></span>Yes</td>
          <td><span class="fa fa-check co-p-rkt-comparison-positive"></span>Yes</td>
        </tr>
        <!-- The next two rows carry the security claims: signature checking and who does the work as root. -->
        <tr>
          <td class="co-p-rkt-comparison-label">Image Signing</td>
          <td>Verifies signatures by default</td>
          <td>Client based; signature validation not enforced in Docker daemon</td>
        </tr>
        <tr>
          <td class="co-p-rkt-comparison-label">Privilege Separation</td>
          <td>Fetch, verify, validate signatures as unprivileged user</td>
          <td>All operations conducted by Docker daemon running as root</td>
        </tr>
        <tr>
          <td class="co-p-rkt-comparison-label">Composability</td>
          <td>Proper unix process model, manage processes with systemd, standard sysv init, runit, etc.</td>
          <td>Requires <a href="https://github.com/Yelp/dumb-init/">custom in-container init systems</a> to manage child processes</td>
        </tr>
        <tr>
          <td class="co-p-rkt-comparison-label">Pluggable Isolation</td>
          <td>Multiple stage1 isolation environments, from chroot to cgroups to KVM - or roll your own</td>
          <td>Isolation only in terms of docker daemon options for network bridge or full privileged mode</td>
        </tr>
        <tr>
          <td class="co-p-rkt-comparison-label">Image Creation</td>
          <td>Container build tool based on shell scripting, leveraging familiar unix tools</td>
          <td>Build defined in Dockerfile, built by Docker daemon (as root)</td>
        </tr>
        <tr>
          <td class="co-p-rkt-comparison-label">Container Distribution</td>
          <td>Container images are plain tarballs, served over common HTTPS<br/><br/>
            DNS discovery of custom namespaces & signatures</td>
          <td>Docker registry<br/><br/>
            Restrictive default namespace (docker.com)</td>
        </tr>
      </table>
    </div>
  </div>
</div>
<div class="super-container co-p-rkt-tech" id="technical">
<div class="container">
<h2 class="text-center">Command Line Examples</h2>
<div class="co-m-tabbed-content co-p-rkt-technicals">
<div class="row">
<div class="col-lg-3 col-md-4 col-sm-4 col-xs-4">
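<!-- Tab list for the command line examples. Each link targets the id of one
     tab panel in the tab-content block that follows; the first tab starts active. -->
<ul class="nav nav-pills nav-stacked co-m-tabbed-content-tabs" role="tablist">
  <li role="presentation" class="active co-m-tabbed-content-tab">
    <a href="#unprivileged" aria-controls="unprivileged" role="tab" data-toggle="tab">Unprivileged rkt fetch</a>
  </li>
  <li role="presentation" class="co-m-tabbed-content-tab">
    <a href="#systemd" aria-controls="systemd" role="tab" data-toggle="tab">systemd integration</a>
  </li>
  <!-- The three items below had no space between the role and class attributes, which is a markup error. -->
  <li role="presentation" class="co-m-tabbed-content-tab">
    <a href="#longrunning" aria-controls="longrunning" role="tab" data-toggle="tab">Long running services</a>
  </li>
  <li role="presentation" class="co-m-tabbed-content-tab">
    <a href="#docker" aria-controls="docker" role="tab" data-toggle="tab">Running Docker containers</a>
  </li>
  <li role="presentation" class="co-m-tabbed-content-tab">
    <a href="#gc" aria-controls="gc" role="tab" data-toggle="tab">Garbage-collecting containers</a>
  </li>
</ul>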
</div>
<div class="col-lg-9 col-md-8 col-sm-8 col-xs-8">
<div class="tab-content co-m-tabbed-content-main">
<!-- Tab panel "unprivileged": rkt fetch run by the core user without sudo,
     followed by rkt run, which is prefixed with sudo. -->
<div role="tabpanel" class="tab-pane active" id="unprivileged">
<p>rkt can discover, retrieve, verify, and store images without root privileges. This capability means that you're not downloading content from the internet as root.</p>
<p>Here is the command to fetch an Alpine Linux image:</p>
<!-- The transcript reports the signing key as already in the keystore, so the
     step that first trusted that key is not part of this example. The last
     output lines show the verified signer and the sha512 image ID. -->
<pre><code>core@core-01 ~ $ rkt fetch quay.io/coreos/alpine-sh
rkt: searching for app image quay.io/coreos/alpine-sh
rkt: remote fetching from URL "https://quay.io/c1/aci/quay.io/coreos/alpine-sh/latest/aci/linux/amd64/"
prefix: "quay.io/coreos/alpine-sh"
key: "https://quay.io/aci-signing-key"
gpg key fingerprint is: BFF3 13CD AA56 0B16 A898 7B8F 72AB F5F6 799D 33BC
Quay.io ACI Converter (ACI conversion signing key) <[email protected]>
Key "https://quay.io/aci-signing-key" already in the keystore
rkt: downloading signature from https://quay.io/c1/aci/quay.io/coreos/alpine-sh/latest/aci.asc/linux/amd64/
Downloading signature: [=======================================] 473 B/473 B
Downloading ACI: [=============================================] 2.65 MB/2.65 MB
rkt: signature verified:
Quay.io ACI Converter (ACI conversion signing key) <[email protected]>
sha512-a2fb8f390702d3d9b00d2ebd93e7dd1c
core@core-01 ~ $</code></pre>
<p>After the image is located in the local image store, we can run it:</p>
<!-- Unlike the fetch above, this command is run through sudo. The output says
     the image comes from the local store rather than from a new download. -->
<pre><code>core@core-01 ~ $ sudo rkt run --interactive quay.io/coreos/alpine-sh -- /bin/sh
rkt: using image from file /usr/share/rkt/stage1-coreos.aci
rkt: using image from local store for image name quay.io/coreos/alpine-sh
/ # ps
PID USER TIME COMMAND
1 root 0:00 /usr/lib/systemd/systemd --default-standard-output=tty --
2 root 0:00 /usr/lib/systemd/systemd-journald
4 root 0:00 /bin/sh -c /bin/sh /bin/sh
5 root 0:00 /bin/sh
6 root 0:00 ps
/ # ls /
bin etc lib media proc run sys usr
dev home linuxrc mnt root sbin tmp var
/ # cat /etc/os-release
NAME="Alpine Linux"
ID=alpine
VERSION_ID=3.2.3
PRETTY_NAME="Alpine Linux v3.2"
HOME_URL="http://alpinelinux.org"
BUG_REPORT_URL="http://bugs.alpinelinux.org"
/ #</code></pre>
<p>From inside the container, <code>ps</code> and <code>ls</code> show the isolated process namespace and container filesystem. The <code>os-release</code> file shows the container's OS personality.</p>
</div>
<!-- Tab panel "systemd": host-side view of a running rkt pod, first through
     systemctl status, then through machinectl list and machinectl poweroff. -->
<div role="tabpanel" class="tab-pane" id="systemd">
<p>Outside the container, the host <code>systemd</code> can monitor and arrange logging and other lifecycle management for rkt pods.</p>
<p>Printing system-wide status shows systemd managing the pod's execution as a system service, and the container's isolation within a <code>cgroups</code> machine slice, including the nested systemd governing process lifecycles inside the container:</p>
<!-- In the tree below the pod sits under machine.slice, separate from the host
     services under the top-level system.slice. The listing is truncated. -->
<pre><code>core@core-02 ~ $ systemctl status
● core-02
State: running
Jobs: 0 queued
Failed: 0 units
Since: Tue 2016-02-02 19:35:01 UTC; 10h ago
CGroup: /
├─1 /usr/lib/systemd/systemd --switched-root --system --deserialize 2
├─machine.slice
│ └─machine-rkt\x2dcd642877\x2d8ef5\x2d4b0a\x2d8202\x2d2c6c9415b9cf.s
│ ├─1857 /usr/lib/systemd/systemd --default-standard-output=tty --l
│ └─system.slice
│ ├─systemd-journald.service
│ │ └─1860 /usr/lib/systemd/systemd-journald
│ └─alpine-sh.service
│ ├─1864 /bin/sh -c /bin/sh /bin/sh
│ └─1866 /bin/sh
└─system.slice
├─dbus.service
│ └─643 /usr/bin/dbus-daemon --system --address=systemd: --nofork -
├─update-engine.service
│ └─649 /usr/sbin/update_engine -foreground -logtostderr
├─system-sshd.slice
│ ├─[email protected]:22-10.0.2.2:64676.service
│ │ ├─ 819 sshd: core [priv]
core@core-02 ~ $</code></pre>
<p>Since this is a view into the entire CoreOS machine, two default services, <code>sshd</code>, and the <code>update-engine</code> that handles CoreOS software updates, are visible as well. This illustrates the identical management interface for both system-level and containerized applications enabled by the rkt process model.</p>
<p><code>machinectl</code> is systemd's tool for viewing VMs and containers running under its control. The command reveals the transient name assigned to our rkt instance, which is a container in this instance:</p>
<pre><code>core@core-02 ~ $ machinectl list
MACHINE CLASS SERVICE
rkt-cd642877-8ef5-4b0a-8202-2c6c9415b9cf container nspawn
1 machines listed.</code></pre>
<p>Given the pod's machine name, we can stop the pod with the machinectl tool:</p>
<!-- machinectl list is run as the core user; machinectl poweroff is run through sudo. -->
<pre><code>core@core-02 ~ $ sudo machinectl poweroff rkt-cd642877-8ef5-4b0a-8202-2c6c9415b9cf
core@core-02 ~ $ machinectl list
MACHINE CLASS SERVICE
0 machines listed.
core@core-02 ~ $</code></pre>
</div>
<!-- Tab panel "longrunning": a pod started as a transient systemd unit with
     systemd-run, inspected with systemctl status, then stopped with systemctl stop. -->
<div role="tabpanel" class="tab-pane" id="longrunning">
<p>Long-running rkt pods can be managed as systemd services, with standard tools and practices. An automatic nested systemd manages process lifecycles inside the container. Container apps can be inspected with familiar tools, and even integrated with local management scripts.</p>
<p>In this quick example, we're constructing an on-the-fly service with <code>systemd-run</code>. The <code>status</code> command lists the PID tree as well as the first few lines of logs.</p>
<p>In this example, running <code>journalctl -u run-1907.service</code> would yield the full log stream.</p>
<!-- NOTE(review): the rkt run command passes net=host, which makes the pod
     share the host network namespace; the prose above does not mention this
     trade-off. The log lines show the image being downloaded and its signature
     verified at start-up.
     NOTE(review): systemd-run reports the unit as run-1907.service, while the
     status header prints rkt-caddy.service; confirm which name is intended. -->
<pre><code>core@core-02 ~ $ sudo systemd-run --slice=machine rkt run --net=host quay.io/josh_wood/caddy
Running as unit run-1907.service.
core@core-02 ~ $ systemctl status run-1907.service
● rkt-caddy.service - /bin/rkt run --net=host quay.io/josh_wood/caddy
Loaded: loaded (/run/systemd/system/run-1907.service; static; vendor preset: disabled)
Drop-In: /run/systemd/system/run-1907.service.d
└─50-Description.conf, 50-ExecStart.conf, 50-Slice.conf
Active: active (running) since Wed 2016-02-03 06:37:48 UTC; 24s ago
Main PID: 1908 (ld-linux-x86-64)
CGroup: /machine.slice/run-1907.service
├─1908 stage1/rootfs/usr/lib/ld-linux-x86-64.so.2 stage1/rootfs/us...
├─1928 /usr/lib/systemd/systemd --default-standard-output=tty --lo...
└─system.slice
├─caddy.service
│ └─1933 /bin/caddy
└─systemd-journald.service
└─1929 /usr/lib/systemd/systemd-journald
Feb 03 06:37:50 core-02 rkt[1908]: Downloading signature: 473 B/473 B
Feb 03 06:37:51 core-02 rkt[1908]: Downloading ACI: 0 B/4.54 MB
Feb 03 06:37:51 core-02 rkt[1908]: Downloading ACI: 16.4 KB/4.54 MB
Feb 03 06:37:52 core-02 rkt[1908]: Downloading ACI: 819 KB/4.54 MB
Feb 03 06:37:53 core-02 rkt[1908]: Downloading ACI: 2.96 MB/4.54 MB
Feb 03 06:37:54 core-02 rkt[1908]: Downloading ACI: 4.54 MB/4.54 MB
Feb 03 06:37:54 core-02 rkt[1908]: rkt: signature verified:
Feb 03 06:37:54 core-02 rkt[1908]: Quay.io ACI Converter (ACI conversion si...o>
Feb 03 06:37:55 core-02 rkt[1908]: [38154.032938] caddy[4]: Activating priv...e.
Feb 03 06:37:55 core-02 rkt[1908]: [38154.035398] caddy[4]: :2015
Hint: Some lines were ellipsized, use -l to show in full.
core@core-02 ~ $ sudo systemctl stop run-1907.service</code></pre>
</div>
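<!-- Tab panel "docker": fetch, convert and run a Docker image in one command.
     The command turns image signature verification off, so this is the one
     example on the page where the verified-by-default behaviour does not apply. -->
<div role="tabpanel" class="tab-pane" id="docker">
<p>rkt can fetch Docker images from common Docker registries, and convert and execute them on the fly. To simplify this example, we direct rkt to skip image signature verification with <code>--insecure-options=image</code>; the image is therefore run without the signature check that rkt otherwise performs by default.</p>
<!-- The transcript contains no "signature verified" line, in contrast to the fetch example in the first tab. -->
<pre><code>core@core-02 ~ $ sudo rkt run --insecure-options=image --interactive docker://busybox -- /bin/sh
rkt: using image from local store for image name coreos.com/rkt/stage1-coreos:0.16.0
rkt: remote fetching from URL "docker://busybox"
Downloading sha256:eeee0535bf3: [==============================] 676 KB/676 KB
Downloading sha256:a3ed95caeb0: [==============================] 32 B/32 B
/ # ps
PID USER TIME COMMAND
1 root 0:00 /usr/lib/systemd/systemd --default-standard-output=tty --
2 root 0:00 /usr/lib/systemd/systemd-journald
4 root 0:00 /bin/sh -c "sh" /bin/sh
5 root 0:00 sh
7 root 0:00 ps
/ # ls /
bin dev etc home proc root sys tmp usr var
/ # uname -a
Linux rkt-a6470cfe-7b6c-498c-917d-a254a312f0aa 4.4.0-coreos-r2 #2 SMP Fri Jan 29 22:00:35 UTC 2016 x86_64 GNU/Linux
~ #</code></pre>
<p>Running Docker images with rkt gains you better integration with your init system while preserving your existing build process.</p>
</div>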
<!-- Tab panel "gc": rkt gc with the default grace period, then again with the
     grace period set to zero. Every rkt command here, including rkt list, is
     run through sudo. -->
<div role="tabpanel" class="tab-pane" id="gc">
<p>Trying out all the features available in rkt can leave a lot of experimental pods lying around. The <code>rkt gc</code> command reaps exited pods and container images from the local store after a configurable grace period. This is easy to automate with a periodic schedule to keep the rkt store tidy:</p>
<!-- First run: the three exited pods are moved to garbage but not removed,
     because they are still inside the 30m0s grace period. -->
<pre><code>core@core-02 ~ $ sudo rkt list
UUID APP IMAGE NAME STATE NETWORKS
81627cc6 caddy quay.io/josh_wood/caddy:latest exited
cd642877 alpine-sh quay.io/coreos/alpine-sh:latest exited
d65abad6 alpine-sh quay.io/coreos/alpine-sh:latest exited
core@core-02 ~ $ sudo rkt gc
Moving pod "81627cc6-6d19-48db-8a29-d2e043d060f7" to garbage
Moving pod "cd642877-8ef5-4b0a-8202-2c6c9415b9cf" to garbage
Moving pod "d65abad6-2951-4c5a-a32d-c851145d3320" to garbage
Pod "81627cc6-6d19-48db-8a29-d2e043d060f7" not removed: still within grace period (30m0s)
Pod "cd642877-8ef5-4b0a-8202-2c6c9415b9cf" not removed: still within grace period (30m0s)
Pod "d65abad6-2951-4c5a-a32d-c851145d3320" not removed: still within grace period (30m0s)</code></pre>
<p>Three containers have exited, with all of their processes terminated, but remain in the rkt management list until inactive longer than the garbage collection grace period — 30 minutes by default.</p>
<p>To remove these immediately, reduce the grace period to zero:</p>
<!-- Second run: with a zero grace period the same three pods are collected and rkt list comes back empty. -->
<pre><code>core@core-02 ~ $ sudo rkt gc --grace-period=0
Garbage collecting pod "81627cc6-6d19-48db-8a29-d2e043d060f7"
Garbage collecting pod "cd642877-8ef5-4b0a-8202-2c6c9415b9cf"
Garbage collecting pod "d65abad6-2951-4c5a-a32d-c851145d3320"
core@core-02 ~ $ sudo rkt list
UUID APP IMAGE NAME STATE NETWORKS
core@core-02 ~ $</code></pre>
<p>All exited containers have been removed. Images can be garbage-collected after a configurable grace period in the same manner. Both storage and general system resource consumption are kept trim and tidy.</p>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
<!-- Build section: prose about acbuild in the first column, a syntax-highlighted
     bash script that builds an nginx ACI in the second. -->
<div class="super-container co-p-rkt-build" id="build">
<div class="container">
<h2 class="text-center">Familiar Tools for Building Container Images</h2>
<div class="row">
<div class="col-lg-5 col-md-5 col-sm-12 col-xs-12">
<div class="co-p-rkt-build-content">
<p>The <a href="https://github.com/appc/acbuild/">acbuild tool</a> is a simple unix utility for constructing ACI manifests and container filesystems. <code>acbuild</code> presents options for mapping ports, mounting filesystems, and specifying the base containers <code>FROM</code> which higher-level images are built — a <code>dep</code>, or dependency, in <code>acbuild</code> parlance.</p>
<h4>No Custom DSL</h4>
<p>Rather than implementing its own DSL for container construction, <code>acbuild</code> leverages the command line environment to enable familiar shell scripting and even Makefile-driven build pipelines.</p>
<p>This example <code>acbuild</code> <code>bash</code> script constructs an Nginx webserver app container.</p>
<h4>Distribute Over HTTPS</h4>
<p>After a completed build, the container is ready to be served to users over HTTPS, without any specialized registry software.</p>
<!-- NOTE(review): the paragraph below refers to the image as coreos.com/nginx:latest,
     while the script names it example.com/nginx; confirm which name is intended. -->
<p>Using <a href="https://github.com/appc/spec/blob/master/spec/discovery.md">DNS discovery</a>, this container can be hosted on cloud storage, but referred to as <code>coreos.com/nginx:latest</code> across your infrastructure.</p>
</div>
</div>
<div class="col-lg-7 col-md-7 col-sm-12 col-xs-12">
<!-- What the script does: exits unless run as root (EUID check), begins a build,
     installs an EXIT trap that ends the build and keeps the original exit code,
     then names the image, adds a base dependency, installs nginx, declares a
     port and a mount point, sets the exec line and writes the ACI file.
     NOTE(review): the alpine-sh dependency is added by name only and nginx is
     installed from whatever the apk index serves at build time, so neither
     input is pinned to a version or image ID; consider pinning both if the
     example is meant as a template for real builds. -->
<pre><code class="language-sh" data-lang="sh"><span class="c1">#!/usr/bin/env bash</span>
set -e
if [ <span class="s">"$EUID"</span> -ne 0 ]; then
echo <span class="s">"This script uses functionality which requires root privileges"</span>
exit 1
fi
<span class="c1"># Start the build with an empty ACI</span>
acbuild --debug begin
<span class="c1"># In the event of the script exiting, end the build</span>
acbuildEnd() {
export EXIT=$?
acbuild --debug end && exit $EXIT
}
trap acbuildEnd EXIT
<span class="c1"># Name the ACI</span>
acbuild --debug set-name example.com/nginx
<span class="c1"># Based on alpine</span>
acbuild --debug dep add quay.io/coreos/alpine-sh
<span class="c1"># Install nginx</span>
acbuild --debug run apk update
acbuild --debug run apk add nginx
<span class="c1"># Add a port for http traffic over port 80</span>
acbuild --debug port add http tcp 80
<span class="c1"># Add a mount point for files to serve</span>
acbuild --debug mount add html /usr/share/nginx/html
<span class="c1"># Run nginx in the foreground</span>
acbuild --debug set-exec -- /usr/sbin/nginx -g <span class="s">"daemon off;"</span>
<span class="c1"># Save the ACI</span>
acbuild --debug write --overwrite nginx-latest-linux-amd64.aci</code></pre>
</div>
</div>
</div>
</div>
</div>
<!--
<div class="co-m-footer footer-dark">
<div class="container">
<div class="row co-m-footer-top">
<h2 class="footer-title">Self-Driving Container Infrastructure</h2>
<div class="footer-cta">
<a class="btn" href="/tectonic/" data-category="Footer" data-event="Footer: Get Tectonic">Get Tectonic for Kubernetes</a>
<div class="cta-text">
<p>Available for cloud and bare metal. <br>First 10 nodes are free.</p>
</div>
</div>
</div>
<div class="row">
<div class="col-lg-12 col-md-12 col-sm-12 col-sx-12">
<hr>
<div class="co-m-footer-group">
<h4>Company</h4>
<ul>
<li><a href="/about/" data-category="Footer" data-event="Footer: About">About</a></li>
<li><a href="/blog/" data-category="Footer" data-event="Blog: Post List">Blog</a></li>
<li><a href="/press/" data-category="Footer" data-event="Press">Press</a></li>
<li><a href="/careers/" data-category="Footer" data-event="Careers">Careers</a></li>
<li><a href="/security/" data-category="Footer" data-event="Footer: Security">Security</a></li>
<li><a href="/legal/privacy/" data-category="Footer" data-event="Footer: Privacy Policy">Privacy Policy</a></li>
</ul>
</div>
<div class="co-m-footer-group">
<h4>Products</h4>
<ul>
<li><a href="/tectonic/" data-category="Footer" data-event="Tectonic: Enterprise">Tectonic Enterprise</a></li>
<li><a href="/products/container-linux-subscription/" data-category="Footer" data-event="Products: Managed Linux">Premium Managed Linux</a></li>
<li><a href="https://tectonic.com/quay-enterprise/" data-category="Footer" data-event="Products: Quay Enterprise">Quay Enterprise</a></li>
<li><a href="/training/" data-category="Footer" data-event="Training: Overview">Training Classes</a></li>
<li><a href="/products/coreupdate/" data-category="Footer" data-event="Products: CoreUpdate">CoreUpdate</a></li>
</ul>
</div>
<div class="co-m-footer-group">
<h4>Contact & Support</h4>
<ul>