Overview

Get an introduction to Intel® Clear Containers and how they're integrated with products from Intel's open source partners.

Transcript

Hi, I'm Amy Leland, and I work at Intel's Open Source Technology Center. I'm the program manager for Intel's Clear Containers [sic] project. We're going to talk a little bit about what Intel® Clear Containers are and how they're available in the ecosystem today and how we integrate with open source partners.

So I'm going to start with the word, container. The word, container, is used for, really, two separate parts. There's the back-end technology of containers.

So Linux* kernel containers have been around for a really long time. They're about resource allocation and isolation. And the other side of that is the packaging and deployment of containers.

This is what's really new in the industry today, which companies like Docker* and Rocket have made container technology really easy to use. This is a basic diagram of a Linux kernel container. And as you can see, the isolation is within the namespace.

And all of the containers are sharing a Linux kernel. And while there are many benefits to container technology–so they're fast, they're agile, they're easy to use–there's still a lot of concerns around security. This slide just signifies that if there's a kernel vulnerability that seeps into one container, it can go from one container to the next container to the next container all on one host.

Again, this is due to the fact that they share a Linux kernel. And again, this leads to a lot of security concerns in the container ecosystem. And as I said, I'm talking today about Intel Clear Containers.

So, when we looked at the container ecosystem, we said, OK, so virtual machines are secure. But they're slow, harder to manage, and container technology–they've got all this speed, agility. They're very small in size. And can we get the best of both worlds?

Intel Clear Containers is a lightweight virtual machine. So it acts as fast as a container, but it has the security benefits of a virtual machine. And what we've done is use [Intel® Virtualization Technology (Intel® VT) for IA-32, Intel® 64 and] Intel® VT-x. So we use hardware-based security to secure each container on a host.

So each container or lightweight virtual machine has its own operating system, but it's a minimal operating system. And again, we utilize Intel VT-x to secure each container on the system. I always refer back to the first part of this presentation. So again, there's the back-end technology of containers–Linux kernel containers.

And then there's the front-end application, logistics, [and] deployment. And what we're trying to do is just offer another back-end solution in the market. The reality today is that most people deploy container technology in a full-on virtual machine.

You can see this as people deploy on [Amazon Web Services*] AWS* or many other clouds. So the reality is is [sic] that people are actually deploying containers in virtual machines already. What we're doing is saying, why wouldn't we just offer a lightweight virtual machine that, again, has the benefits, the security of a full-on virtual machine, but then also all of the benefits that containers offer–size, speed, logistics, [and] all the application and deployment frameworks?

Before Intel Clear Containers, there was [sic] really only two options. There's this virtual machine–full-on virtual machine–or a container technology solution. And again, we're just offering another back-end solution into the ecosystem.

And since Intel Clear Containers is a back-end technology solution, we plug into the application and deployment tools that you're used to within the container ecosystem. We plug into Docker 1.12 and greater–I think up until 1703. We also plug into not [sic] Kubernetes. So you can use Intel Clear Containers with Kubernetes 1.5 and greater through the [Container Runtime Interface] CRI specification.

We're available for Rocket 1.0. And we just released Intel Clear Containers 2.1. It's available on GitHub*.

We currently package for multiple Linux operating systems. So this is a subset of Linux operating systems. We definitely don't package for every single Linux operating system that's out there.

But Intel Clear Containers does work with multiple different Linux distributions. And we have some requirements that are available on our website for what's required to run Intel Clear Containers. But you should be able to run them with any Linux distribution, as long as you follow those guidelines.

So there's a lot of container specifications that are out there today. And we try to work both upstream and downstream. And so I'm going to talk through that.

The Open Container Initiative, OCI, is one specification that's out there. And we are compliant with that specification. We also are compliant with [App Container] appc, which is another specification in the container ecosystem.

We are compliant with CRI, the Container Runtime Interface, what Google* and Red Hat* started. And this is the primary interface to work with Kubernetes, which I talked about earlier. We have also added support for Intel Clear Containers in the container networking space.

So there's two specifications that are out there today. There's [the Container Network Interface Specification] CNI and CNN. And we've added the ability to support lightweight virtual machines in those specifications.

So again, we're available for both CNI and CNN. And in terms of downstream proliferation, we're working with the likes of Docker, Rocket, Kubernetes to be integrated within those communities. But we also want to partner with companies–OSVs, ISVs, integrators, and CSPs–to offer go-to-market solutions.

Intel Clear Containers is an open source project that Intel is a part of. And again, we want to work with our partners to offer go-to-market solutions.

I want to thank you for spending time with me today to learn about Intel Clear Containers, what they are, and who we're working with, and how they're available in the market. And I really appreciate your time. Thank you.
