CoreOS rkt is a secure, modular execution engine for app containers. It was designed to reflect the lessons of running container cluster infrastructure at scale and is released under the Apache license. Written in Go, rkt implements container isolation through a flexible and interchangeable set of “stages,” providing multiple execution regimes for a container image. At rkt’s core is a command line utility that does not invoke a long-running daemon process, making app container lifecycle management simpler and allowing loosely-coupled integrations with service management and orchestration systems like systemd and Kubernetes. This talk will review the design of rkt, outline the current state of portable container image standards, and demonstrate rkt’s operation.