Tuesday, 25 August 2015

(Image: Maksim Koval/iStockphoto)

CoreOS Adds Intel Container Security To Rocket

CoreOS builds greater security and speed into Rocket containers with Intel's hypervisor-based, yet speedy, Clear Containers isolation layer.


CoreOS has teamed up with Intel to add an ultra-thin virtual machine for running Linux containers to its Rocket container runtime.
The joint CoreOS and Intel effort springs from an Intel announcement earlier this year that it has been able to strip away some parts of the KVM hypervisor to produce an isolation layer, which Intel calls Clear Containers.
Under Clear Containers, Linux containers run with the stronger boundaries and many of the same protections as a virtual machine, but they start at close to the speed of a plain vanilla Linux container. The difference between a container startup, measured in milliseconds, and virtual machines, measured in multiple seconds up to minutes, is great when repeated hundreds or thousands of times.
Intel named its approach on the apparently hopeful assumption that its virtual machine layer for containers is so thin that it is practically transparent.
CoreOS calls the addition of Intel's Clear Containers embedded in its Rocket container runtime "Rocket (or rkt) Stage1." You can run containers as containers with Rocket or you can run them with the added protections found in Rocket Stage1.
Stage1 is found in the 0.8.0 release of Rocket, which became available Aug. 18.
Intel announced in May at the OpenStack Summit in Vancouver that it had looked at container security from the opposite direction of everyone else. Instead of trying to make containers more secure, it tried to make virtual machines more like containers, and let a container obtain its security protections from a virtual machine adapted to it. It dubbed the approach Clear Containers.
(Image: Maksim Koval/iStockphoto)
CoreOS competitor Docker has been emphasizing security in recent announcements, including The Update Framework's (TUF) secure key approach announced with the Docker 1.8 release Aug. 12.
CoreOS originally differentiated itself from Docker in part by using its own approach to security. It's not surprising that it's been the first container runtime producer to embrace Intel's addition of a virtual machine layer to container operations to once again show its concern for operational security.
"Since CoreOS helped found the Open Container Initiative (OCI), there has been confusion that we are no longer working on rkt," wrote Kelly Tenn, CoreOS communications manager, in an email message about the 0.8.0 release of Rocket.
[Want to learn more about the agreed upon specification for containers? See Docker, CoreOS Bury The Hatchet For Container Spec.]
"To be clear, work on rkt is healthy and continues. In order for the OCI to be successful, there needs to be alternative container runtimes and we continue to work on rkt to make it the most secure place to run containers," she said.
Brandon Philips, CoreOS CTO, posted a blog on the release of rkt 0.8.0 on Aug. 18, citing its modular structure as an enabler of Rocket adopting something like Clear Containers as a Stage1 runtime option. The default stage uses Linux cgroups and namespaces, as Docker and other container runtimes do.
Stage1, on the other hand, "utilizes virtualization technology. This means an application running under rkt using this new stage1 can be isolated from the host kernel using the same hardware features that are used in hypervisors, like Linux KVM," said Philips wrote.
"We were excited to see this [Intel] work taking place and being prototyped on top of rkt as it validated some of the early design choices we made," Philips added.
Among other things, the ability of Clear Containers to run on Rocket affirms CoreOS's design choice to map different "stages" for different operational characteristics for a container. CoreOS also implemented "pods" with its runtime. Pods allow multiple containers to function as a single logical service, even if the containers have been spread over multiple hosts in a cluster.
Intel explained in May that its Clear Containers utilize a stripped down version of the open source KVM hypervisor.
"We asked, 'What is it, really, that takes so long to start up a virtual machine,'" said Imad Sousou, vice president of the Intel Software and Services Group, in an interview with InformationWeek in May. "Among the culprits, the team zeroed in on the fact that a virtual machine tries to mimic a full x86 PC or server -- that's why we call it a virtual machine -- but there was no need for all the steps in the start-up process if you're only trying to be a good container envelope," he said.
"For the little function you need, you don't need the full QEMU layer," Sousou said, referring to the code for the emulation of a complete x86 machine that's part of a hypervisor startup. Intel stripped QEMU out of the KVM initialization process, along with multiple other minute adjustments, to take milliseconds out of the startup process.
Philips' blog on Stage1 also quoted Arjan van de Ven from Intel's Open Source Technology Center as acknowledging Intel was able to capitalize on the virtualization hooks it's built into its chips to make Clear Containers run faster: "We are excited to continue working with the rkt community to realize our vision of how we can enhance container security with hardware-embedded technology, while delivering the deployment benefits of containerized apps," Philips quoted Van de Ven as saying.
Intel is using Rocket to establish the practicality of its Clear Container approach.
CoreOS is using Intel to give Rocket containers an extra measure of security borrowed from the world of virtual machine operation. Whether it will become an argument for using containers depending on sensitive information in production remains to be seen, but Rocket Stage1 certainly ties the world of containers closer to the dominant chip supplier.