diff --git a/docs/security.md b/docs/security.md
index 8ccf098ec..4fe49fd42 100644
--- a/docs/security.md
+++ b/docs/security.md
@@ -73,9 +73,12 @@ containers unintentionally expose themselves to attack vectors, immutability of
 host attack.
 
 
+## Login
+By default, linuxkit has no login available: not on console, not via ssh, nowhere. You have the _option_ of enabling login on console using a `linuxkit/getty` service container, but it is not created by default. Similarly, a `linuxkit/sshd` service container will start a `sshd` for you. See the [getty](../examples/getty.yml) and [sshd](../examples.sshd.yml) examples.
+
 ## External Updates - Trusted Provisioning
 
-Following the principle of least privilege for immutable infrastructure, LinuxKit cannot have the ability or attack surface 
+Following the principle of least privilege for immutable infrastructure, LinuxKit cannot have the ability or attack surface
 to update itself. It is the responsibility of an external system, most commonly [infrakit](https://github.com/docker/infrakit), to provision
 and update LinuxKit nodes.
 
diff --git a/examples/getty.yml b/examples/getty.yml
new file mode 100644
index 000000000..37393c394
--- /dev/null
+++ b/examples/getty.yml
@@ -0,0 +1,29 @@
+kernel:
+  image: "linuxkit/kernel:4.9.x"
+  cmdline: "console=ttyS0 console=tty0 page_poison=1"
+init:
+  - linuxkit/init:1b8a7e394d2ec2f1fdb4d67645829d1b5bdca037
+  - linuxkit/runc:3a4e6cbf15470f62501b019b55e1caac5ee7689f
+  - linuxkit/containerd:b1766e4c4c09f63ac4925a6e4612852a93f7e73b
+  - linuxkit/ca-certificates:eabc5a6e59f05aa91529d80e9a595b85b046f935
+onboot:
+  - name: sysctl
+    image: "linuxkit/sysctl:3aa6bc663c2849ef239be7d941d3eaf3e6fcc018"
+  - name: dhcpcd
+    image: "linuxkit/dhcpcd:7d2b8aaaf20c24ad7d11a5ea2ea5b4a80dc966f1"
+    command: ["/sbin/dhcpcd", "--nobackground", "-f", "/dhcpcd.conf", "-1"]
+services:
+  - name: rngd
+    image: "linuxkit/rngd:1fa4de44c961bb5075647181891a3e7e7ba51c31"
+  - name: getty
+    image: "linuxkit/getty:b94cd2441cd7402a0071909b502ebf880127b1e1"
+    # to make insecure with passwordless root login, uncomment following lines
+    #env:
+    # - INSECURE=true
+files:
+  - path: etc/getty.shadow
+    # sample sets password for root to "abcdefgh" (without quotes)
+    contents: 'root:$6$6tPd2uhHrecCEKug$8mKfcgfwguP7f.BLdZsT1Wz7WIIJOBY1oUFHzIv9/O71M2J0EPdtFqFGTxB1UK5ejqQxRFQ.ZSG9YXR0SNsc11:17322:0:::::'
+trust:
+  org:
+    - linuxkit
diff --git a/pkg/getty/Dockerfile b/pkg/getty/Dockerfile
new file mode 100644
index 000000000..63123c911
--- /dev/null
+++ b/pkg/getty/Dockerfile
@@ -0,0 +1,20 @@
+FROM linuxkit/alpine:630ee558e4869672fae230c78364e367b8ea67a9 AS mirror
+
+RUN mkdir -p /out/etc/apk && cp -r /etc/apk/* /out/etc/apk/
+RUN apk add --no-cache --initdb -p /out \
+    alpine-baselayout \
+    busybox \
+    musl \
+    tini \
+    util-linux \
+    && true
+RUN rm -rf /out/etc/apk /out/lib/apk /out/var/cache
+
+FROM scratch
+ENTRYPOINT ["/sbin/tini","-s","-v","--"]
+WORKDIR /
+COPY --from=mirror /out/ /
+COPY usr/ /usr/
+COPY etc/ /etc/
+CMD ["/usr/bin/rungetty.sh"]
+LABEL org.mobyproject.config='{"pid": "host", "net":"host", "binds": ["/run:/run", "/etc:/hostroot/etc","/tmp/ctr:/tmp/ctr", "/usr/bin/ctr:/usr/bin/ctr", "/usr/bin/runc:/usr/bin/runc", "/usr/bin/dist:/usr/bin/dist", "/var:/var","/containers:/containers","/dev:/dev"], "capabilities": ["all"]}'
diff --git a/pkg/getty/Makefile b/pkg/getty/Makefile
new file mode 100644
index 000000000..bdff9c392
--- /dev/null
+++ b/pkg/getty/Makefile
@@ -0,0 +1,21 @@
+.PHONY: tag push
+default: push
+
+ORG?=linuxkit
+IMAGE=getty
+DEPS=Dockerfile usr/bin/rungetty.sh
+
+HASH?=$(shell git ls-tree HEAD -- ../$(notdir $(CURDIR)) | awk '{print $$3}')
+
+hash:
+	@echo $(HASH)
+
+tag: $(DEPS)
+	docker build --squash --no-cache --network=none -t $(ORG)/$(IMAGE):$(HASH) .
+
+test-tag:
+	docker tag $(ORG)/$(IMAGE):$(HASH) getty:test
+
+push: tag
+	DOCKER_CONTENT_TRUST=1 docker pull $(ORG)/$(IMAGE):$(HASH) || \
+	DOCKER_CONTENT_TRUST=1 docker push $(ORG)/$(IMAGE):$(HASH)
diff --git a/pkg/getty/README.md b/pkg/getty/README.md
new file mode 100644
index 000000000..8363cfde9
--- /dev/null
+++ b/pkg/getty/README.md
@@ -0,0 +1,86 @@
+# LinuxKit getty
+Image to create a getty on each console for a [linuxkit](https://github.com/linuxkit/linuxkit)-generated image.
+
+
+## Usage
+LinuxKit images do not create `getty` by default. If you want to be able to access a shell, you need to run a getty.
+
+If you want a console getty, add the following to your `moby.yml`:
+
+```
+services:
+  - name: getty
+    image: "linuxkit/getty:e36b5e794256c2a56c000035f73a4d46f7ffb3e6"
+```
+
+The above will launch a getty for each console defined in the cmdline, i.e. `/proc/cmdline`.
+
+
+### Login Options
+There are 3 ways to launch a getty on a linuxkit instance:
+
+1. Login disabled
+2. Password login
+3. Open access
+
+
+#### Login Disabled
+Login disabled prevents any console login. This is the most secure option and recommended for production deployments.
+
+To disable login entirely:
+
+1. Ensure you are running a version of `linuxkit/init` that has getty disabled.
+2. Do **not** add `linuxkit/getty` as a `service`
+
+Conversely, you can include `linuxkit/getty` as a `service`, but do not map in an `/etc/shadow` file. Since the default root password is blocked, this, too, will prevent login. However, we strongly recommend simply not enabling `linuxkit/getty` if you desire to block login.
+
+
+#### Password Login
+Password login is like traditional login. At the console, you get a prompt, and enter your username and password.
+
+To enable password login, you must provide getty with the root password. You do so by creating a file `/etc/getty.shadow` in the linuxkit host. For example:
+
+```yml
+files:
+  - path: etc/getty.shadow
+    # sample sets password for root to "abcdefgh" (without quotes)
+    contents: 'root:$6$6tPd2uhHrecCEKug$8mKfcgfwguP7f.BLdZsT1Wz7WIIJOBY1oUFHzIv9/O71M2J0EPdtFqFGTxB1UK5ejqQxRFQ.ZSG9YXR0SNsc11:17322:0:::::'
+```
+
+Note that `/etc/shadow` is sensitive to having a carriage return at the end of each line. To be safe, the `getty` container will add a newline at the end of a mapped shadow file.
+
+The `linuxkit/getty` container already is set up to map `/etc/getty.shadow` to `/etc/shadow`.
+
+The existing `/etc/password` has a single line with `root` as UID `0`; your `/etc/shadow` should match that.
+
+If no `/etc/shadow` os provided, the login will be unusable, as the default `root` user has a blocked password.
+
+#### Open Access
+With open access, no password is required. Any user accessing the console will immediately get a root login shell.
+
+To enable open access, you must tell getty explicitly that you wish to have insecure access by setting the environment variable `INSECURE=true` for the container.
+
+## Example
+An example yml file is included in [examples/getty.yml](../../examples/getty.yml). The sample uses a custom root password, and comments describing how to make it insecure instead.
+
+
+## LinuxKit Debug
+In addition to the usual getty shell, it is possible that you have a LinuxKit build that is failing, to the point where even `containerd` is not starting correctly, or not launching services. In such a case, `getty` will not run, since `containerd` launches it. This leaves you with no ability to log onto the system and debug it.
+
+In that case, you can make `linuxkit/getty` an `init:` level container. This will lead to a `sh` running on the console.
+
+**This is highly insecure and should not be used except to debug system startup where containerd will not start itself or services. In all other cases, use getty only via services.**
+
+To use it this way:
+
+```yml
+kernel:
+  image: "linuxkit/kernel:4.9.x"
+  cmdline: "console=ttyS0 console=tty0 page_poison=1"
+init:
+  - linuxkit/init:1b8a7e394d2ec2f1fdb4d67645829d1b5bdca037
+  - linuxkit/runc:3a4e6cbf15470f62501b019b55e1caac5ee7689f
+  - linuxkit/containerd:b1766e4c4c09f63ac4925a6e4612852a93f7e73b
+  - linuxkit/ca-certificates:eabc5a6e59f05aa91529d80e9a595b85b046f935
+  - linuxkit/getty:8305d9a564bfbe38b7ea6d6f5bccd95ae59b03d2
+```
diff --git a/pkg/getty/etc/init.d/001-getty b/pkg/getty/etc/init.d/001-getty
new file mode 100755
index 000000000..a36c70590
--- /dev/null
+++ b/pkg/getty/etc/init.d/001-getty
@@ -0,0 +1,5 @@
+#!/bin/sh
+
+# if we are here, then we need to debug a linuxkit build
+# so we always run in INSECURE mode
+INSECURE=true /usr/bin/rungetty.sh
diff --git a/pkg/getty/etc/motd b/pkg/getty/etc/motd
new file mode 100644
index 000000000..8132011ca
--- /dev/null
+++ b/pkg/getty/etc/motd
@@ -0,0 +1 @@
+Welcome to LinuxKit 
diff --git a/pkg/getty/etc/passwd b/pkg/getty/etc/passwd
new file mode 100644
index 000000000..eb85a552a
--- /dev/null
+++ b/pkg/getty/etc/passwd
@@ -0,0 +1 @@
+root:x:0:0:root:/root:/bin/sh
diff --git a/pkg/getty/etc/shadow b/pkg/getty/etc/shadow
new file mode 100644
index 000000000..7b6c96445
--- /dev/null
+++ b/pkg/getty/etc/shadow
@@ -0,0 +1 @@
+root:*::0:::::
diff --git a/pkg/getty/usr/bin/rungetty.sh b/pkg/getty/usr/bin/rungetty.sh
new file mode 100755
index 000000000..c01581e43
--- /dev/null
+++ b/pkg/getty/usr/bin/rungetty.sh
@@ -0,0 +1,61 @@
+#!/bin/sh
+set -x
+
+infinite_loop() {
+	while true; do
+		$@
+	done
+}
+
+# run getty on all known consoles - except those already in inittab
+start_getty() {
+	tty=${1%,*}
+	speed=${1#*,}
+	inittab="$2"
+	securetty="$3"
+	line=
+	term="linux"
+	[ "$speed" = "$1" ] && speed=115200
+
+	case "$tty" in
+	ttyS*|ttyAMA*|ttyUSB*|ttyMFD*)
+		line="-L"
+		term="vt100"
+		;;
+	tty?)
+		line=""
+		speed="38400"
+		term=""
+		;;
+	esac
+
+	# are we secure or insecure?
+	loginargs=
+	if [ "$INSECURE" == "true" ]; then
+		loginargs="-n -l /bin/sh"
+	fi
+
+	if ! grep -q -w "$tty" "$securetty"; then
+		echo "$tty" >> "$securetty"
+	fi
+	# respawn forever
+	infinite_loop setsid -w /sbin/getty $loginargs $line $speed $tty $term &
+}
+
+# check if we have /etc/getty.shadow
+ROOTSHADOW=/hostroot/etc/getty.shadow
+if [ -f $ROOTSHADOW ]; then
+	cp $ROOTSHADOW /etc/shadow
+	# just in case someone forgot a newline
+	echo >> /etc/shadow
+fi
+
+for opt in $(cat /proc/cmdline); do
+	case "$opt" in
+	console=*)
+		start_getty ${opt#console=} /etc/inittab /etc/securetty
+	esac
+done
+
+# wait for all our child process to exit; tini will handle subreaping, if necessary
+wait