Setting up rkt

// Brian Hicks // rkt

So you want to try rkt, but a package isn’t available for your distribution. Ideally, you could just run yum install rkt, but the packages are a ways off from being ready for CentOS and Fedora. Frustrating. So what do we do? Install ourselves!

The installation process is actually pretty simple. Rkt is written in Go, and has no other dependencies than a relatively recent kernel. In fact, on CentOS, the setup can be reduced to a handful of steps:

Download rkt

The first thing we’ll need to do is download the most recent rkt release (1.1.0 at the time of this writing.) We’ll also want to copy the binary out as our first step:

curl -L | tar -xzv
cp rkt-v1.1.0/rkt /usr/bin/

You cant test that this is working by running rkt version. We’ll need to a do a few more things before we can create containers though. Do note that most of these commands either need to be run as root or using sudo.

Create Data Directory

rkt expects it’s data directory to be owned by the rkt group, so we’ll need to add that:

groupadd rkt

Next, we’ll want to add any local users we want to be able to fetch images and see status to the group. Unlike adding users to the docker group, this does not allow all actions, only image management and status.

gpasswd -a $YOUR_USER_HERE rkt && newgrp rkt

Now that we have our group all set up, we can create the data directories. Fortunately, rkt ships with a script to accomplish this for us:


This will set up your data dir in /var/lib/rkt. If you want to locate it elsewhere, just pass your desired location as the first argument to the script. This does require further configuration work, however, and the default should work fine for most installations.

Install Stage1 Images

Next we’ll need to install our stage1 images. These are the basis for all other images, and rkt currently ships with three:

These are some solid options, but we need rkt to be able to find them. Future versions of rkt will be configured to look in /usr/lib/rkt/stage1-images, so we’ll put the images there.

mkdir -p /usr/lib/rkt/stage1-images
cp rkt-1.1.0/*.aci /usr/lib/rkt/stage1-images/

Install systemd Service Files

Next, we want to install the service files located at rkt-v1.1.0/init/systemd:

cp rkt-1.1.0/init/systemd/tmpfiles.d/rkt.conf /usr/lib/tmpfiles.d/
cp rkt-1.1.0/init/systemd/rkt-metadata.* /usr/lib/systemd/system/
cp rkt-1.1.0/init/systemd/rkt-gc.* /usr/lib/systemd/system/
systemctl daemon-reload

If you’re on CentOS, you may want to avoid installing the rkt-gc.* services, as there’s a nasty bug related to GC. It’s currently slated to be fixed in rkt 1.2, so keep your eye on that.


The last hurdle we need to clear before we have a working system is SELinux. CentOS’ current SELinux policy blocks loading a shared library that rkt requires at runtime, so we’ll have to turn it off. If you’re reading this after 1.1.0, please try the test command below before you do this to make sure it’s still necessary (and you may want to follow the upstream bug report):

If you run a container and get this:

$ rkt run --exec=/bin/echo -- 'Hello, rkt!'
/usr/lib/systemd/systemd: error while loading shared libraries: cannot open shared object file: Permission denied

You’ll need these steps:

sed -i'' 's/SELINUX=enforcing/SELINUX=permissive/' /etc/selinux/config
setenforce Permissive

Do be aware that this disables SELinux for the entire system. If this is a dealbreaker for you, wait until the bug is fixed. Alternatively, you can use Ubuntu or CoreOS, where this bug does not come up.

Run Some Containers!

Great job, everybody! Now let’s run a container to prove to ourselves that we’ve set things up correctly:

rkt run --exec=/bin/echo -- 'Hello, rkt!'

After some informational messages and trusting the signing key, you should see “Hello, rkt!” in your terminal, which means we’ve arrived at our destination!

Want More Sleep?

Is your deployment keeping you up a night? Is it secure? Reliable? We'll help you keep the lights on with timely tutorials and tips to give you peace of mind that your cluster is running how it's supposed to.