In these slides we discuss how Intel has enabled hardware based security for container use cases. We will also demonstrate Clear Containers functioning in the latest Docker release and how you can use Clear Containers today.
Accelerating the Next 10,000 Clouds by Michael Kadera, Intel
1. Unleash Tens of Thousands of New Clouds:
Intel® Clear Containers Available for Docker*
Michael Kadera, Cloud & Data Center Manager, Intel
*Other names and brands may be
claimed as the property of others.
4. intel.com/cloudforall
Containers are...
Speedy: fast create, update and uninstall cycle; request and provision in (milli)seconds.
Manageable: containers take the complexity out of bundling, distributing and installing applications.
Easy: simple and easy to use and maintain.
Secure? What about security and isolation? Can a container include hardware isolation like a Virtual Machine?
5. Intel® Clear Containers
Are secure like a Virtual Machine
Deploy at the speed of a container
With a low memory footprint
Integrate with Docker*
8. intel.com/cloudforall
[Diagram: Intel® Clear Containers and Intel® Virtualization Technology (Intel® VT-x). Server hardware runs a Linux kernel; containers A, B and C each run an app on top of middleware and a Linux kernel inside an Intel® VT-x boundary. Container B shares its middleware and kernel with A, while container C has its own middleware (C) and kernel (C).]
9. intel.com/cloudforall
Intel® Clear Containers 2.0
Launch a secured container within multi-tenant environments in under 45 milliseconds†, with memory overhead of 48-50 megabytes† (per each incremental container)
Now available with Docker*!
† Intel® Core™ i7 processor 5557U @ 3.10GHz, 16GB DDR3 memory, 4 vCPU, Qemu-lite 2.6.0.15 x86_64, Clear Container Linux* kernel 4.5-9, Docker 1.12.0-dev, build 3d80884f3d7d60c51c0ccd6b487ebbeb98d2f7e8
10. intel.com/cloudforall
Intel® Clear Containers with Docker*!
1.12: switchable runtime in Docker 1.12
OCI: Intel® Clear Containers are OCI spec compatible
2.0: Intel® Clear Containers 2.0 available soon on GitHub* and clearlinux.org
11. intel.com/cloudforall
Docker* enables switchable runtime support
[Diagram: Docker UI/CLI -> Docker Engine -> containerd, which launches either an Intel® Clear Containers container (with Intel® Virtualization Technology) or a Docker-runC OCI-compatible container.]
12. Demo: Intel® Clear Containers with Docker* switchable runtime
13. intel.com/cloudforall
Join our community and enable containers to be… Speedy, Manageable, Easy, Secure
Clearlinux.org: join the mailing list; check our blog for announcements
Get the code on GitHub: https://github.com/clearlinux
IRC on Freenode*: #clearlinux
Get involved
Key Message: Announcement: Intel initiative to make cloud technology easier to deploy and feature complete to bring all the benefits of the cloud to every data center.
Announcement: Intel initiative to make cloud technology simple to deploy and manage, accelerate deployments of highly efficient Cloud infrastructure for broad enterprises and cloud service providers.
To achieve this objective Intel will make a series of investments; these can take the form of collaborations, financial investments (M&A, equity), standards, product launches, and major contributions to cloud stacks focused on driving customer adoption.
Goals:
Drive a choice of easy to deploy solutions to the marketplace.
Targeted collaborations and investments with cloud software vendors to deliver enterprise feature rich SDI stacks that take full advantage of Intel architecture capabilities
Broad community engagement to drive standard frameworks for cloud software innovation.
Note on “Tens of thousands of new clouds”: roughly 45k companies are listed on stock exchanges globally (2010 figure according to the World Federation of Exchanges); in addition there are hundreds of telcos and CSPs, and each can deploy multiple clouds per organization. Hence we believe “tens of thousands of new clouds” over time is a realistic goal for mature cloud adoption.
Container technology has been incredibly important over the last decade in creating new usages and services for all of us. It’s one of the foundational technologies that has helped transform and move more people to the cloud, and for good reason.
Insert IT example with PaaS and bundling applications. When I started working on PaaS solutions for our IT shop in 2011, it was truly amazing to see the speed and flexibility that came with the containers and the integrated solution. It was such a revelation to see this all together. So easy to use and bundle applications, upgrade and push new code. Truly transformational.
Of course it wasn’t all good; in the early days we had our challenges with integration and stability.
Many people who advocate for containers start by saying that virtual machines are expensive and slow to start, and that containers provide a more efficient alternative. The usual counterpoint is about how secure kernel containers really are against adversarial users with an arsenal of exploits in their pockets.
App Containers are a way of bundling, distributing and installing the App
Complex enterprise installation process turns into “just an App”
Similar to Android’s .apk and Apple’s .app
App Containers couple ease of creation with ease of deployment
Both developers and IT/ops win
Mega applications are complex and expensive to create, manage, secure and install. Such an application holds all of an organization’s information, making it a prime target for malicious attackers.
Once a single mega application installation is not enough for a company, going to multiple parallel installations is an enormous endeavor.
For example, installing a Microsoft Exchange server is a very big project for an IT department: it takes a lot of training and planning, and then the actual installation and configuration takes hours if not days.
Even doing a second or third such server in an organization is a large project. And once installed, there’s careful nurturing of the installation by a team of professionals.
Compare this to Google where they instantiate a container that provides a service over 2 billion times per week.
Container technology has been essential over the last decade in creating new usages and services for (end) users. It’s one of the foundational technologies that make up the cloud.
Securing complex applications in a traditional container, multi-tenant environment can become challenging.
Key point: Overview of Clear Containers introduction, the Clear Linux Project and agenda topics.
The answer is yes. Clear containers leverage Intel VT-x to provide hardware assisted isolation. While it can provide this isolation similar to a VM, Clear Containers are fast to launch, do this with a low memory footprint and are fully integrated into Docker.
Today, I’ll provide an overview of Clear containers and how they work with a new Docker through a new feature called switchable runtime. I have also reserved some time in the end to share a very simple demo of Clear Containers working with the new release of Docker.
Introduction Agenda:
Describe what clear containers are and how they work
Discuss how Clear Containers work with Docker
Demo
Putting it together: a Linux kernel container consists of control groups (cgroups) for resource allocation plus namespaces for separation and visibility. Traditional containers use control groups to manage resources and kernel namespaces to limit the visibility and reach of the container app.
Containers A, B and C are separated from each other by a security and visibility barrier enforced by namespaces, and each container has a set of resources (CPU, memory, disk) allocated to it via the cgroups mechanism. All of this is enforced by a single, shared instance of the Linux kernel. This works fine for applications of known trust levels, but gets much more complex in a multi-tenancy environment with applications of unknown trust levels.
If you are running a multi-tenant environment with code of an unknown trust level you must take significant steps to secure your environment against a security breach.
Security: while there is separation between namespaces in terms of userspace/ring 3 concepts, all namespaces share the same kernel. A kernel-compromising security vulnerability allows malicious code in one namespace to compromise (and steal data from) other namespaces.
Most of the concerns about container security are centered around the container running as a privileged user on the host, and the root privilege in the container technically being the same as the root privilege on the host. If you are a privileged user, you may be able to break out of the container, and then, as the privileged user, you can take over other containers and host processes.
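The shared-kernel point above can be checked on a live system. The following POSIX shell script is an added example, not part of the slides: it compares the namespace inodes of two processes (the targets of the /proc/<pid>/ns/* symlinks on Linux) to report which isolation barriers actually sit between them, and prints the kernel release, which is identical however the namespaces differ. It assumes a Linux host with /proc mounted; reading another user's process namespaces may need privilege, in which case those entries are reported as unreadable rather than shared.

```shell
#!/bin/sh
# Added example (not from the slides): which Linux namespaces separate two
# processes? Each /proc/<pid>/ns/<type> is a symlink to "<type>:[<inode>]";
# two processes share a namespace of that type exactly when the inodes match.
# Assumes a Linux host with /proc mounted.

NS_TYPES="mnt pid net ipc uts user cgroup"

# Inode of process $1's namespace of type $2, or "-" if it cannot be read
# (type unsupported by this kernel, or no permission on that process).
ns_inode() {
    link=$(readlink "/proc/$1/ns/$2" 2>/dev/null) || { echo -; return 0; }
    link=${link#*[}        # drop "type:["
    echo "${link%]}"       # drop trailing "]"
}

# Namespace types (one per line) in which $1 and $2 are the same namespace.
shared_namespaces() {
    for t in $NS_TYPES; do
        a=$(ns_inode "$1" "$t"); b=$(ns_inode "$2" "$t")
        if [ "$a" != - ] && [ "$a" = "$b" ]; then echo "$t"; fi
    done
}

# Namespace types (one per line) that form a barrier between $1 and $2.
separating_namespaces() {
    for t in $NS_TYPES; do
        a=$(ns_inode "$1" "$t"); b=$(ns_inode "$2" "$t")
        if [ "$a" != - ] && [ "$b" != - ] && [ "$a" != "$b" ]; then echo "$t"; fi
    done
}

# Line counter that strips the padding some wc implementations emit.
count_lines() { wc -l | tr -d ' '; }

# Stand-alone run: compare this shell with PID 1. Outside any container every
# type should be shared; inside one, at least mnt and pid should separate them.
# The kernel release is printed because it is the same on both sides either way.
echo "kernel: $(uname -r)"
echo "shared with pid 1:    $(shared_namespaces $$ 1 | tr '\n' ' ')"
echo "separated from pid 1: $(separating_namespaces $$ 1 | tr '\n' ' ')"
```

Run it once on the host and once inside a container to see the difference: the namespace lists change, the kernel line does not, which is exactly the trust boundary the next slides replace with VT-x.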
This security gap prevents adoption of container technology in various segments due to regulatory (financials, healthcare) or general security needs (government).
Example of Google’s approach to securing containers by “double-bagging” containers in VMs.
But when it comes to cloud operations, "we see the VM as the only truly safe isolation. … Until we see foolproof security for containers, we will always double-bag our customers' workloads," Google's Craig McLuckie says. Source http://www.informationweek.com/cloud/infrastructure-as-a-service/google-docker-does-containers-right/d/d-id/1319146
Namespaces A, B and C are separated from each other by a security and visibility barrier enforced by the Intel CPU. Intel Clear Containers have many optimizations compared to traditional VT-x usages that reduce startup time and memory consumption to a level close to the startup time and memory consumption of traditional containers.
The low memory overhead is thanks to KSM (https://www.kernel.org/doc/Documentation/vm/ksm.txt): we are able to share the memory space of the container with each container that is launched, reducing the memory footprint.
Need to point out: one copy of the middleware and one copy of the kernel. Users could add another container with a different mix of Linux kernel and middleware (C) through the Docker switchable runtime.
Performance of boot time and container memory.
Clear Containers are fast and optimized for low memory consumption, use Intel Virtualization Technology (VT-x) to isolate containers, and can be adopted and utilized within traditional container models.
We implemented a number of optimizations in the Linux kernel and streamlined what the hypervisor does. For example, traditional VMs require emulation of hardware that is simply not necessary for a container, such as a graphics console, so the related components (VNC, SPICE, GTK) can be disabled.
Lightweight VMs like Clear Containers do not need most of the legacy devices, so they are removed: keyboard, mouse, IDE, ISA bus. We can also skip the guest BIOS on the new platform, load the guest kernel and jump to it directly.
Low memory footprint:
DAX (available in kernel 4.0 and later) enables the system to execute in place files stored on a DAX-mapped filesystem.
The memory overhead is roughly 48 to 50 MB per container when running only 10 containers. The more containers are running, the more opportunity there is to share memory thanks to KSM (https://www.kernel.org/doc/Documentation/vm/ksm.txt). Kernel same-page merging (KSM) on the host is a second key feature for reducing memory cost: it deduplicates memory within and between processes and KVM guests.
Intel® Clear Containers combine the security and isolation advantages of traditional VMs with the deployment speed of containerized apps. They provide a single, protected, fast virtual machine (VM) upon which a container can create a scaled-out scenario within a data center. They utilize Intel® virtualization technology (Intel® VT-x) embedded in the silicon to address the security concerns of traditional container solutions, reducing the opportunity for malicious code or credentials to enter into another space. In addition, they substantially decrease the load time and memory requirements of traditional VMs, allowing for more VMs per physical machine. Intel Clear Containers can be utilized within any Linux-based operating system that supports Kernel-based Virtual Machine (KVM).
Qemu-lite is on track to be upstream – Get information from Anthony
Improvements/Optimizations (1.0 notes)
A fast and light-weight hypervisor. Our first Clear Container started with “kvmtool” for this purpose and Clear Containers will use QEMU-lite for this purpose.
Optimizations in the kernel.
Optimizations in systemd.
Utilization of the DAX (direct access) feature of the 4.0 kernel. This enables the page cache and VM subsystems to be bypassed entirely, allowing for faster filesystem accesses (no copies!) and lower per-container memory usage.
Kernel same-page merging (KSM) on the host allows the KVM hypervisor to share identical memory pages among different processes or virtual machines on the same server. This lets VMs share memory pages in a secure manner for memory that is not already shared via DAX.
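As an added example (not from the slides or the Clear Containers project) for the KSM points in these notes, the following POSIX shell script reads the counters the host kernel exports under /sys/kernel/mm/ksm, as documented in the ksm.txt linked above, and computes the memory actually reclaimed by merging. It assumes a 4096-byte page unless told otherwise and, on a host without KSM, falls back to a constructed snapshot so the arithmetic can be checked offline. One caveat for the multi-tenant case this talk targets: merging pages between guests of different tenants is a known memory-deduplication side channel (a write to a merged page is measurably slower, which can tell one guest that another holds identical content), so the `run` switch is a security setting as much as a memory one.

```shell
#!/bin/sh
# Added example (not from the slides): turn the KSM counters the host kernel
# exposes under /sys/kernel/mm/ksm into the number an operator wants, the memory
# actually reclaimed by same-page merging. Counter meanings per ksm.txt:
#   pages_shared   shared pages currently in use
#   pages_sharing  additional sites sharing them, i.e. duplicates that were freed
#   run            1 while ksmd is merging, 0 when merging is disabled
# The sysfs directory is a parameter so the same functions run against a
# constructed snapshot when the host has no KSM; page size defaults to 4096.

# Value of one KSM counter, or 0 when the file is absent (KSM not built in).
ksm_counter() {
    if [ -r "$1/$2" ]; then cat "$1/$2"; else echo 0; fi
}

# True when ksmd is running (run = 1).
ksm_enabled() {
    [ "$(ksm_counter "$1" run)" = 1 ]
}

# Memory reclaimed by merging, in KB: pages_sharing * page size.
ksm_saved_kb() {
    pages=$(ksm_counter "$1" pages_sharing)
    page_size=${2:-4096}
    echo $(( pages * page_size / 1024 ))
}

# Average number of mappings per merged page (integer). A ratio near 1 means
# ksmd is scanning but finding little identical memory to merge.
ksm_share_ratio() {
    shared=$(ksm_counter "$1" pages_shared)
    sharing=$(ksm_counter "$1" pages_sharing)
    if [ "$shared" -eq 0 ]; then echo 0; else echo $(( (shared + sharing) / shared )); fi
}

# Constructed sample counters (not a measurement) written into directory $1.
make_snapshot() {
    echo 1     > "$1/run"
    echo 12000 > "$1/pages_shared"
    echo 60000 > "$1/pages_sharing"
    echo 3000  > "$1/pages_unshared"
}

# Stand-alone run: use the real sysfs directory if the host has KSM, else the
# constructed snapshot (60000 freed 4 KB pages = 240000 KB, share ratio 6).
ksm_dir=/sys/kernel/mm/ksm
if [ ! -d "$ksm_dir" ]; then
    ksm_dir=$(mktemp -d)
    make_snapshot "$ksm_dir"
fi
if ksm_enabled "$ksm_dir"; then
    echo "KSM on: $(ksm_saved_kb "$ksm_dir") KB reclaimed, share ratio $(ksm_share_ratio "$ksm_dir")"
else
    echo "KSM off (run=$(ksm_counter "$ksm_dir" run)): no merging across guests, and no merge side channel"
fi
```

Sampling `ksm_saved_kb` before and after launching each additional container is the direct way to measure the "more containers, more sharing" effect the notes describe on your own hardware.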
Optimization of core user space for minimal memory consumption.
Clear Containers are Open Container Initiative compatible and with Docker’s new switchable runtime available in release 1.12, integration is easy. Clear Containers 2.0 will be released soon and as you will see is fully integrated with Docker 1.12 prerelease
Clear Containers will be available soon on ClearLinux.com; the release will be announced on that site, our blog and mailing list. The web site will be updated once the release is complete.
OCI - Open Container Initiative (https://www.opencontainers.org/, https://github.com/opencontainers/specs).
Clear Containers are OCI compatible but not OCI compliant: for example, cgroups are not needed for a VM.
Docker’s new switchable runtime makes switching from runC to an OCI-compatible runtime such as Clear Containers easy: a simple change in the systemd config file invokes the alternate runtime as the default, and you can easily switch between them. For example, you can run different Linux kernels or middleware and switch between them with the same Docker UI you have been using.
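The configuration change referred to above, as an added example that is not the project's own documentation: in Docker 1.12 an alternate OCI runtime is registered with the daemon either in /etc/docker/daemon.json (`runtimes` and `default-runtime`) or by passing `--add-runtime name=path` and `--default-runtime` to dockerd, for instance from a systemd drop-in; runC remains available under the built-in name `runc`, so an individual container can still choose it with `docker run --runtime=runc`. The runtime name `cor` and the binary path /usr/bin/cc-oci-runtime are placeholders assumed here; substitute the name and path of the Clear Containers runtime you install. The script renders both configuration forms, reads the default back, and, if a Docker daemon is reachable, shows how to confirm which runtime a container actually received.

```shell
#!/bin/sh
# Added example (not from the slides or the Clear Containers project): register
# an alternate OCI runtime with the Docker 1.12 daemon and pick it per container.
# Assumed placeholders: the runtime is named "cor" and its binary lives at
# /usr/bin/cc-oci-runtime; substitute what your Clear Containers package installs.

# Form 1: /etc/docker/daemon.json registering the runtime and making it the
# default. runC stays registered under its built-in name "runc".
render_daemon_json() {
    printf '{\n  "runtimes": {\n    "%s": {\n      "path": "%s"\n    }\n  },\n  "default-runtime": "%s"\n}\n' "$1" "$2" "$1"
}

# Form 2: the equivalent systemd drop-in (the "systemd config file" change the
# talk mentions), overriding ExecStart so dockerd starts with the runtime flags.
# Install as /etc/systemd/system/docker.service.d/clear-containers.conf, then
# `systemctl daemon-reload && systemctl restart docker`.
render_systemd_dropin() {
    printf '[Service]\nExecStart=\nExecStart=/usr/bin/dockerd --add-runtime %s=%s --default-runtime=%s\n' "$1" "$2" "$1"
}

# Read the default runtime back out of a rendered daemon.json (no jq needed).
default_runtime_of() {
    sed -n 's/.*"default-runtime": *"\([^"]*\)".*/\1/p' "$1"
}

# Which runtime a running container actually got; the engine records it in
# HostConfig.Runtime, so this is the check behind "you need to look carefully".
container_runtime() {
    docker inspect --format '{{.HostConfig.Runtime}}' "$1"
}

# Stand-alone run: render both forms; the docker commands only run if a daemon
# is reachable. Same CLI either way, only the isolation underneath changes.
cfg=$(mktemp -d)
render_daemon_json cor /usr/bin/cc-oci-runtime > "$cfg/daemon.json"
render_systemd_dropin cor /usr/bin/cc-oci-runtime > "$cfg/clear-containers.conf"
echo "default runtime in $cfg/daemon.json: $(default_runtime_of "$cfg/daemon.json")"
if command -v docker >/dev/null 2>&1 && docker info >/dev/null 2>&1; then
    docker run -d --name cc-demo alpine sleep 30 >/dev/null && container_runtime cc-demo
    docker run -d --name runc-demo --runtime=runc alpine sleep 30 >/dev/null && container_runtime runc-demo
fi
```

Use only one of the two forms on a real host; setting the same runtime both in daemon.json and on the dockerd command line makes the daemon refuse to start because of the conflicting options. The `container_runtime` check is the one to put in your deployment validation: the CLI looks identical for both runtimes, so the HostConfig.Runtime field is what proves a workload is really under the VT-x boundary.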
Demo notes
It is so simple and integrated
You need to look carefully to notice you are not running runC. Clear Containers are that well integrated
Clear Containers bring all the great things we love about traditional containers. They are fast, with startup in just under 50 milliseconds. They are OCI compatible, and are just as easy to manage, bundle your code with and create new images from. They integrate easily with Docker 1.12 switchable runtimes and bring the added hardware-enabled security of Intel VT-x.
To get started, all you need to do is join the community. Join the mailing list, start playing with the code and talk to us on IRC at #clearlinux.