Intel Clear Containers are more secure than other containers because they're not containers. They're virtual machines. That's perfectly clear, isn't it?
Intel unveiled Clear Containers at the OpenStack Summit in Vancouver this month. Intel hopes to quell enterprise IT's security concerns about running Linux containers by putting them in a lightweight VM, while addressing the objections to using VMs, including:
- Virtual machines are slow to start.
- They require a full copy of the operating system.
- They occupy a lot of memory on the server.
Instead of directly solving the container security problem, Intel decided to look at the problem from the opposite direction. Why not solve the problem of virtual machine overhead and get VMs to perform more like containers? By attacking the problem from that direction, Intel has made the virtual machine almost as thin as the container itself -- an almost transparent wrapper around a containerized workload.
Intel's Clear Container approach can get a virtual machine up and running in 100-200 milliseconds, or in one-tenth to two-tenths of a second, a few milliseconds slower than the speed at which a Linux container starts up but much faster than the many seconds to minutes it normally takes to get a virtual machine running.
The Clear Container (actually a stripped down, KVM virtual machine) will occupy a small footprint on the server, about 20 MB. About 3,500 of them can run side by side on a server with 128 GB of RAM, again making the Intel-engineered virtual machine (that is, a Clear Container) look a lot like a container.
A Clear Container uses Intel's minimalist version of Linux, known as Clear Linux OS, so the VM doesn't need to load a big, bulky version of Linux. Clear Linux OS looks more like CoreOS Inc.'s CoreOS, Red Hat's Atomic Host, or Ubuntu's Snappy than a standard, 6,000-package version of Linux. Those distributions are around one-twentieth the size of the usual virtual machine operating system.
At the same time, a Clear Container maintains the harder boundaries of a defined virtual machine with its own operating system, giving it an advantage over Linux containers when it comes to secure operations. When Intel unveiled Clear Containers at the OpenStack Summit, it touted their "enhanced protection using security rooted in hardware," wrote Imad Sousou, VP of the Software and Services Group at Intel, in a blog post on the Intel website.
Hooks In The Hardware
Ten years ago, Intel and AMD added virtualization awareness, or virtual machine "hooks," to their Xeon and Opteron chips when virtual machines started to sweep through enterprise data centers. Among other things, the virtualization hooks in the chip allowed a virtual machine to have device driver instructions executed directly by the hardware without going through the host operating system. That saves time.
That and other moves drastically reduced the overhead of running virtual machines and improved their performance. VMs' remaining overhead drag had more to do with their slow speed of initialization, or scaling out a running system on more nodes of the cluster. Containers, on the other hand, solved the scale-out problem but introduced new operational security concerns.
Plain vanilla Linux containers isolate one application from another with just a few logical boundaries, making for efficient use of server resources and dense computing on the server. But Sousou noted in the same May 19 blog that, in standard Linux containers, "the underlying kernel still can be attacked from within the container. In turn, all containers on the same host can be compromised, regardless of the intended isolation between them." It's the possibility of hundreds or thousands of containers on the host being corrupted at the same time that keeps enterprise users from adopting large scale use of containers in production.
Intel thinks it has found a solution based on its previous experience in making virtual machines more practical. Clear Containers grew out of the Clear Linux Project, also at Intel, which produced the Clear Linux OS.
"We asked, 'What is it, really, that takes so long to start up a virtual machine,'" Sousou said in an interview with InformationWeek. Among the culprits, the team zeroed in on the fact that a virtual machine tries to mimic a full x86 PC or server -- that's why we call it a virtual machine -- but there was no need for all the steps in the start-up process if you're only trying to be a good container envelope.
"For the little function you need, you don't need the full QEMU layer," Sousou said, referring to the code for the emulation of a complete x86 machine that's part of a hypervisor startup. Intel stripped QEMU out of the KVM initialization process, along with multiple other minute adjustments, to take milliseconds out of the startup process.
This stripping out would be a drawback for a user who hoped to launch Windows 98 or an older version of Solaris, but most modern, containerized applications aren't trying to do that.
Another step stripped out: the BIOS in a virtual machine checking for the various hardware devices attached to the core computer. "Why should the BIOS in a VM have to check for the presence of a floppy disk?" asked Mike Richmond, former Intel evangelist and now executive director of the Open Interconnect Consortium, in an Intel blog. Skipping that check and others makes the Clear Linux OS boot fast, which in turn speeds initialization of the Clear Container.
"We took the Clear OS boot down to 50-55 milliseconds," said Sousou.
Clear Containers must run on hardware with Intel chips of at least 2011 vintage that include Intel VT (Virtualization Technology). That is a drawback, but again not a very serious one.
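Two checks a practitioner would run before relying on that isolation, as an added example that is not from the article or from Intel's Clear Containers project: on the host, that the CPU advertises VT-x (the "vmx" flag); inside the workload, that the "hypervisor" flag is present, i.e. the "container" is actually running under a VM rather than sharing the host kernel. Both functions read a cpuinfo-style file so they run against the constructed samples below as well as the real /proc/cpuinfo.

```shell
#!/bin/sh
# Added example (not Intel's code). Parses a /proc/cpuinfo-style file and
# answers two questions raised by the article:
#   host_supports_vt        -> does the host CPU expose Intel VT-x ("vmx")?
#   workload_is_vm_isolated -> is this workload running under a hypervisor?
# Note: "hypervisor" shows the workload is inside a VM; a plain container on
# a VM-based host would also show it, so treat it as necessary, not sufficient.

# Return 0 if any "flags" line in the file lists the given CPU flag as a word.
cpuinfo_has_flag() {
    file="$1"; flag="$2"
    grep -E '^flags[[:space:]]*:' "$file" \
        | grep -qE "(^|[[:space:]])$flag([[:space:]]|\$)"
}

host_supports_vt() {          # usage: host_supports_vt /proc/cpuinfo
    cpuinfo_has_flag "$1" vmx
}

workload_is_vm_isolated() {   # usage: workload_is_vm_isolated /proc/cpuinfo
    cpuinfo_has_flag "$1" hypervisor
}

# Constructed samples (not captured from real machines): a VT-capable host,
# a guest kernel inside a VM, and a CPU with neither flag.
HOST_CPUINFO=$(mktemp); GUEST_CPUINFO=$(mktemp); PLAIN_CPUINFO=$(mktemp)
printf 'vendor_id\t: GenuineIntel\nflags\t\t: fpu vme sse sse2 vmx ept\n' >"$HOST_CPUINFO"
printf 'vendor_id\t: GenuineIntel\nflags\t\t: fpu vme sse sse2 hypervisor\n' >"$GUEST_CPUINFO"
printf 'vendor_id\t: GenuineIntel\nflags\t\t: fpu vme sse sse2\n' >"$PLAIN_CPUINFO"

main() {
    if host_supports_vt "$HOST_CPUINFO"; then echo "host: VT-x present"
    else echo "host: no VT-x, Clear Containers cannot run here"; fi
    if workload_is_vm_isolated "$GUEST_CPUINFO"; then echo "guest: running under a hypervisor"
    else echo "guest: no hypervisor flag, likely a plain container sharing the host kernel"; fi
}
main
```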
"Intel Clear Containers provide a secure, fast virtual machine with a small memory footprint, allowing for more VMs per physical machine," Sousou wrote.
So think of Clear Containers as Linux containers with a thin, nearly transparent KVM hypervisor wrapper.