Intel wants containers to be alone again, naturally
VT-x virtualisation extensions pressed into service improving container security
Intel's taken its turn trying to advance containerisation technology by announcing a new approach to container security.
Chipzilla's new idea is called “Clear Containers”, which rely on the VT-x extensions in its chippery to enhance security and scalability. VT-x adds virtualisation support to silicon, the better to let CPUs share their resources among virtual machines while also walling off VMs from one another.
Intel reckons that's harder to do with Linux containers because the “underlying kernel still can be attacked from within the container.” That's bad because it means “all containers on the same host can be compromised, regardless of the intended isolation between them,” making multitenancy risky and therefore unlikely.
Intel thinks that by improving isolation – a trick it pulls off by delivering “one container per VM wrapped with a specially-optimized copy of the Linux OS” – containers become more secure. To reach this state, one needs Intel's own Clear Linux. And of course VT-x, which exists to help virtual machines do better.
Chipzilla's approach to containerisation runs counter to the likes of CoreOS because it imagines that containers will get their own OS. Which is a little odd seeing as the thing about containerisation that initially got people so excited was the prospect of running isolated apps on one OS, thereby reducing the size of virtual machine fleets. Intel reckons its way of thinking flies because Clear Linux is very efficient. How efficient? Intel's not offering times, but is saying it can spawn a Clear Linux VM and a container inside it in the same time required to spawn a container alone on other stacks.
This all happens on KVM, for now. There's no sign of support for other hypervisors, probably because the main contenders – VMware and Microsoft – already have their own containers-in-VMs plays and nano-OSes.
That all three are now doing so is remarkable, as Chipzilla, Virtzilla and Microsoft are an immensely influential trio. How the likes of CoreOS respond will be mighty interesting to watch.
Intel's also given its Cloud Integrity Technology a 3.0 upgrade, so that its Trusted Execution Technology (TXT) and Trusted Platform Module (TPM) technology will play nice with OpenStack. TXT measures the firmware and hypervisor at launch and records the results in the TPM, which lets apps, VMs or a cloud scheduler validate the hardware they run on against a known-good baseline. If the BIOS, physical or virtual machine configuration doesn't meet that baseline, the OS simply doesn't boot. Intel promises OpenStack extensions for version 3.0 later this year. A more secure cloud is advanced as the reason behind this move. ®
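To make the “measure, record in the TPM, compare against a baseline” idea concrete, here is an added illustration that is not Intel's CIT code and not from the article. It simulates how a TPM Platform Configuration Register (PCR) is extended with each boot component's hash and how a verifier replays the recorded event log against an allow-list of known-good measurements. The component names, the SHA-256 PCR, the all-zero reset value and the “blobs” being hashed are all assumptions made for the example; real TXT measures the actual firmware, tboot and hypervisor images.

```python
import hashlib
import hmac

# Constructed sample images. In a real measured launch these would be the
# actual BIOS/firmware, bootloader and hypervisor binaries; here they are
# just byte strings standing in for them (an assumption for this example).
GOLDEN_IMAGES = {
    "bios": b"vendor-bios-v1.02",
    "bootloader": b"tboot-1.8",
    "hypervisor": b"kvm-host-kernel-4.0",
}
BOOT_ORDER = ("bios", "bootloader", "hypervisor")
PCR_RESET = bytes(32)  # PCRs start out all-zero at platform reset (SHA-256 bank)


def measure(image: bytes) -> bytes:
    """Hash of a component image; this is what gets extended into the PCR."""
    return hashlib.sha256(image).digest()


def pcr_extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM extend: PCR_new = H(PCR_old || measurement).

    Because it is a hash chain, the final PCR depends on every measurement
    and on their order, and nothing can be removed or 'un-extended' later.
    """
    return hashlib.sha256(pcr + measurement).digest()


def simulate_boot(images: dict) -> tuple:
    """Boot the platform: extend each component in order, keep an event log.

    Returns (final_pcr, event_log) where event_log is the list of
    (component, measurement) pairs a quote would ship alongside the PCR.
    """
    pcr = PCR_RESET
    event_log = []
    for name in BOOT_ORDER:
        m = measure(images[name])
        pcr = pcr_extend(pcr, m)
        event_log.append((name, m))
    return pcr, event_log


def build_allowlist(golden_images: dict) -> dict:
    """Known-good measurement per component, computed once from golden images."""
    return {name: measure(img) for name, img in golden_images.items()}


def verify_attestation(quoted_pcr: bytes, event_log: list, allowlist: dict) -> bool:
    """Verifier side: replay the log, check it reproduces the quoted PCR,
    and check every logged measurement is on the allow-list.

    Both checks are needed: the replay ties the log to the (TPM-signed)
    PCR, and the allow-list ties the log to known-good software.
    """
    replayed = PCR_RESET
    for name, m in event_log:
        if name not in allowlist or not hmac.compare_digest(m, allowlist[name]):
            return False  # unknown or modified component
        replayed = pcr_extend(replayed, m)
    return hmac.compare_digest(replayed, quoted_pcr)


def demo() -> dict:
    """Run three scenarios and return which ones the verifier accepts."""
    allowlist = build_allowlist(GOLDEN_IMAGES)
    results = {}

    # 1. Untampered host: should be accepted.
    pcr, log = simulate_boot(GOLDEN_IMAGES)
    results["clean"] = verify_attestation(pcr, log, allowlist)

    # 2. Modified BIOS: PCR and log both change, allow-list check fails.
    tampered = dict(GOLDEN_IMAGES, bios=b"vendor-bios-v1.02-implanted")
    pcr, log = simulate_boot(tampered)
    results["tampered_bios"] = verify_attestation(pcr, log, allowlist)

    # 3. Forged log: attacker reports the golden log but cannot make the
    #    TPM's PCR match it, because extend is not reversible.
    tampered_pcr, _ = simulate_boot(tampered)
    _, golden_log = simulate_boot(GOLDEN_IMAGES)
    results["forged_log"] = verify_attestation(tampered_pcr, golden_log, allowlist)
    return results


if __name__ == "__main__":
    for scenario, accepted in demo().items():
        print(f"{scenario}: {'ALLOW' if accepted else 'DENY'}")
```

The third scenario is the point of anchoring the chain in hardware: a compromised host can lie in its event log, but it cannot produce a PCR quote that replays to that log unless the measurements really were extended in that order, which is what lets an OpenStack scheduler refuse to place workloads on a host whose platform no longer matches the baseline.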