Intel Looks to Secure Containers
The world's largest chipmaker is entering the application container fray this week with the introduction of Intel Clear Containers, an outgrowth of its lightweight Linux operating system development effort that is fine-tuned to the Intel processor architecture.
Imad Sousou, vice president of Intel's Software and Services Group as well as general manager of Intel's Open Source Technology Center, described Clear Containers in an interview as a "fast-booting, low [memory]-footprint virtual machine" that would add security and reliability to the growing application container ecosystem.
Sousou announced the Clear Container initiative during this week's OpenStack Summit in Vancouver.
Clear Containers are the latest feature arising from the chipmaker's Clear Linux Project for Intel Architecture that seeks to develop a Linux OS distribution for different cloud use cases. Intel claims to be the largest contributor to the OpenStack Linux kernel. It has been focusing on embedded security for applications like the Internet of Things and enterprise cloud deployments, Sousou said.
"A lot of our focus on OpenStack has been on figuring out what the gaps are," Sousou noted. "One problem we hear a lot from customers is that containers need more security." Hence, Intel's focus on bullet-proofing the Linux kernel. "If someone gets to your kernel, you're done!" warned Sousou, who also sits on the OpenStack Foundation's board.
Intel also stresses that it is focused on plugging gaps in the application container ecosystem currently built around Docker containers and a stripped-down variant promoted by CoreOS called Rocket. Securing Linux containers "will take a village," Sousou said.
Not surprisingly, Intel's approach is to embed security in its x86 hardware. Specifically, it proposes to improve container security by leveraging its VT-x virtualization technology. VT-x has become a standard feature in Intel processors, including its Xeon family. Intel has also promoted the technology as a way to boost server virtualization performance and security in datacenters.
Addressing the slow transition of application containers to production environments, Intel is positioning Clear Containers as more secure than traditional Linux containers "because security is embedded in Intel silicon." Sousou went further, calling its Clear Linux technology "Container 2.0, or container security in the cloud."
"We're not trying to reinvent the wheel," Sousou stressed, adding that Clear Containers could run both Docker- and Rocket-packaged applications. The impetus for the container effort is to embed security using VT-x technology as a way to "make containers viable [in] datacenters and enterprises," the Intel software chief said.
Sousou said as many as 40 OpenStack members are now focusing on container reliability, stability and other gaps in container deployment. In a separate blog post, he added, "We fully expect this extra security for containers, rooted in hardware, to drive new usages."
Along with reducing memory overhead, Intel's Clear Linux Project sought to reduce boot time. "Containers spin up very quickly, on the order of a hundred milliseconds or so. Our goal was to create a Linux environment that boots up as a guest at speeds comparable to a standard container. By focusing on the needs of the application container and optimizing the Linux boot process, we achieved this goal," Sousou claimed.
Also during the OpenStack Summit, Intel announced the latest version of its "cloud integrity" software designed to promote what it calls "workload transparency" and control in OpenStack environments. In a separate blog post, Intel said its software leverages security features in its Xeon processors so that "applications running in the cloud run on trusted servers and virtual machines whose configurations have not been altered." Intel said it worked within OpenStack to ensure that when VMs are booted or migrated to new hardware, "the integrity of virtualized and non-virtualized Intel x86 servers and workloads is verified remotely" via Xeon security features.