Pancake Crop Deli

PCD is a distribution of Linux designed to run containers in Docker in the most secure way possible. PCD only defines opinions about the container runtime and the fewest possible supporting components.

Why

After learning about CoreOS, and then Rancher, I had different opinions about what is needed to support Docker containers. I didn't want to be tied to the opinions of any other minimal container operating system.

Architecture

The base system is build to run entirely from RAM. The drives in the system are only persistent data from containers and booting.

The first partition on the system is 200MB. This partition is marked bootable and has the grub bootloader installed. This should leave room for a primary and backup kernel and allow future room for expansion.

The second partition is used for Docker images, containers, and any shared directories. This partition is automatically expanded at boot if needed.

Goals

Cloud provider and hardware agnostic. No dependencies on anything provided by a particular vendor, cloud or hardware.

Easy upgrades. Currently, this is simply running the installer again.

Minimal components to run Docker. Only the absolute necessary components are used. There is no glibc, openssl, bash, or openssh. In fact, the only SSL implementation used is the implementation from Go in the Docker Engine itself.

Design Decisions

The common use case is as a turn-key docker-engine. There's a number of design features that are different than traditional GNU/Linux systems that could be confusing to people that aren't expecting them.

No /usr or /sbin

There's no /usr directory. With the understanding that the /usr directory is for utilities and services that aren't essential to the booting of the system, and the understanding that the system is successful only when it's running the Docker Engine, there's just not a need for /usr anymore. Also, in the same vein, if the system only runs a few services, all as the root user, and humans aren't even suppose to obtain login shells to the system, there's no difference remaining between /sbin and /bin. Therefore, there's no /sbin either. More here: TODO

No dynamic binaries

Dynamic binaries do a great job of only depending on a common interface, an ABI, with the libraries they use. This is great when a system is upgraded over time, a library here, a library there. When the system is meant to be upgraded as a whole, this benefit goes unrealized. When the libraries aren't upgraded separate from the binaries that use them, they just take up extra bloat, with extra functions and features uncalled. Compiling binaries statically only imports the needed functions from libraries, leaving dead code behind.

Busybox

In order to stay as light weight as possible, and without the requirement of abstract flexibility, busybox was chosen to fill the role of coreutils, init system, and logging. There's only a few services on the system where busybox isn't used.

Using

ISO

Perhaps the easiest usage is with the official ISO distribution. Simply boot this and run.

Kernel

The more versatile distribution is the raw kernel image with included initramfs. This is the only file needed for PXE booting.

Vagrant box

There is a Vagrantfile included with the source project that can be used as-is, or as a base for other vagrant projects.