Intel and CoreOS add hardware virty support to rkt containers

Is it containers? Is it virtualization? It's both

LinuxCon 2015 Intel and CoreOS have teamed up to produce an application container runtime that supports hardware enhanced virtualization.

Version 0.8.0 of CoreOS's rkt (pronounced "rocket") container runtime was announced at the LinuxCon/CloudOpen/ContainerCon conference taking place this week in Seattle.

Among the main features of the new release is support for Intel's VT-x in-silicon virtualization technology. Intel first demonstrated the unorthodox container tech in May as part of its Clear Linux Project, dubbing it Clear Containers.

Unlike the default rkt runtime engine, which fires up containers using Linux kernel–based sandboxing technologies including cgroups and namespapces, Intel's contribution launches container images as full KVM virtual machines.

It's an approach that uses more system resources than typical Linux containers but offers the enhanced security of a hypervisor. Plus, Intel says its on-chip virty extensions minimize the performance overhead.

"By optimizing the heck out of the Linux boot process, we have shown that Linux can boot with the security normally associated with virtual machines, almost as quickly as a traditional container," Chipzilla's Arjan Van De Ven said in a blog post. "Thus we combine security rooted in hardware, via Intel Virtualization Technology (VT-x), with the development and deployment benefits which have caused application developers to gravitate to containers. Problem solved."

Intel has implemented its VT-x support as a pluggable replacement for Stage 1 of rkt's three-stage execution process. The rest of the system remains the same, making VT-x enabled rkt environments fully compatible with traditional, container-based environments.

CoreOS has been developing rkt as an alternative to the Docker container runtime, which rose rapidly over the last two years to become the de facto standard for Linux containers. CoreOS CEO Alex Polvi has criticized the design of the Docker software in the past, and particular its security model, which he has described as "broken" and "fundamentally flawed."

More recently, Docker has donated the code to its runtime to the Open Container Initiative as a standalone tool called runc, a version of which will be the reference implementation of the forthcoming Open Container Format (OCF) specification. CoreOS is also contributing to this standardization effort.

That said, on Tuesday CoreOS hastened to point out that it's dedicated to delivering a version 1.0 of rkt that's a complete implementation of its own App Container (appc) spec.

"Today rkt is an implementation of the App Container spec (appc), and in the future we hope to make rkt an implementation of the Open Container Initiative (OCI) specification," CoreOS' Brandon Philips said. "However, the OCI effort is still in its infancy and there is a lot of work left to do." ®

Other stories you might like

  • Apple offers improved Linux support in macOS Ventura
    Penguin fans will be able to use Rosetta 2 to run x86 binaries in forthcoming update

    Apple is extending support for its Rosetta 2 x86-64-to-Arm binary translator to Linux VMs running under the forthcoming macOS 13, codenamed Ventura.

    The next version of macOS was announced at Apple's World Wide Developer Conference on Monday, and the new release has a number of changes that will be significant to Linux users. The company has disclosed the system requirements for the beta OS, which you can read on the preview page.

    One level of Linux relevance is that macOS 13 still supports Intel-based Macs, but only recent ones, made in 2017 and later. So owners of older machines – including the author – will soon be cut off. Some will run Windows on them via Bootcamp, but others will, of course, turn to Linux.

    Continue reading
  • Intel offers 'server on a card' reference design for network security
    OEMs thrown a NetSec Accelerator that plugs into server PCIe slots

    RSA Conference Intel has released a reference design for a plug-in security card aimed at delivering improved network and security processing without requiring the additional rackspace a discrete appliance would need.

    The NetSec Accelerator Reference Design [PDF] is effectively a fully functional x86 compute node delivered as a PCIe card that can be fitted into an existing server. It combines an Intel Atom processor, Intel Ethernet E810 network interface, and up to 32GB of memory to offload network security functions.

    According to Intel, the new reference design is intended to enable a secure access service edge (SASE) model, a combination of software-defined security and wide-area network (WAN) functions implemented as a cloud-native service.

    Continue reading
  • Intel offers GPU management tool ahead of Ponte Vecchio debut
    It's even open source, so someone may actually use it

    With Intel poised to enter the datacenter GPU market, the chipmaker this week showed off a software platform mean to simplify management of these devices at scale at the International Supercomputing Conference in Hamburg, Germany.

    The open-source software, dubbed Intel XPU Manager, is an in-band remote management service for upgrading firmware, monitoring system utilization, and administering GPUs at the individual node level. The code is an important step as Intel prepares to compete against Nvidia, which has a mature software stack for GPUs with AMD working hard to get its software straight for GPU and CPU.

    XPU Manager is a low-level management interface that runs in Kubernetes and is designed to be integrated into existing cluster management and schedulers using RESTful APIs. It also supports local management via the CLI and is validated for use on Ubuntu 20.04 or Red Hat Enterprise Linux 8.4.

    Continue reading
  • Linux Lite 6.0: It's quite pretty, but 'lite' it is not
    We took the popular Ubuntu-based Windows replacement for a test drive

    Linux Lite has been around since 2012 and version 6, codenamed "Fluorite", is one of the first Ubuntu-based distros to offer a version built on Ubuntu 22.04 "Jammy Jellyfish", released just last month.

    This is unapologetically a distro aimed at Windows users. For instance, unlike some distros, there are no difficult questions of what desktop you want – you get Xfce 4.16, with a trendy flat theme, but a somewhat retro default layout that reminds us of Windows XP. The Start button and window buttons have text labels, for instance. We liked that: it's simple, efficient, and welcome, but Zorin OS 16 manages a more modern Windows look.

    Linux Lite also isn't bashful about including non-open-source freeware: the default web browser is Google Chrome. The very long and rather rambling release announcement says this is because Ubuntu distributes Firefox as a Snap package and that the developers wanted to shield users from too many package managers. That's fair enough.

    Continue reading

Biting the hand that feeds IT © 1998–2022