Intel® Clear Containers: How We Made Them Smaller and Faster Part 1


Clear Containers provide the ease of use of containers while leveraging the isolation of virtual machines.

This overview talks about the technologies and optimizations used in Clear Containers across KVM, QEMU, Linux kernel and the runtime to enable the seamless integration of Clear Containers with Docker and Kubernetes using Intel VT-x, while preserving the ease of deployment, high density, and fast launch times of Containers.


Hi, my name is Manohar Castelino. I'm part of the Clear Containers team. And today I'd like to give you a quick overview of Clear Containers. I will give you an overview of the technology behind Clear Containers, how we make Clear Containers small and fast to boot. And I'm also going to give you a brief overview of how we integrated Clear Containers with both Docker and Kubernetes.

First of all, Clear Containers launch containers in virtual machines. But we do not have any of the downsides of virtual machines. Clear Containers launch containers in very lightweight virtual machines. We have achieved this by creating a new platform called pc-lite. This is a legacy-free platform on which you can boot up a kernel without a BIOS. That means that the system boots up pretty quickly. And the kernel doesn't need to carry any legacy.

Within Clear Containers, we ship a very minimal kernel that is custom configured to support just the pc-lite platform and have enough features just to launch the container workload. Furthermore, we carry a very minimal root file system, which is systemd-based, which is just enough to launch the container workload. This systemd-based root file system is mounted inside of the virtual machine, using a combination of virtual nonvolatile memory and DAX.

Well, what this lets us do is reduce the file system caching overhead inside of the virtual machine. Furthermore, because both the kernel, as well as the root file system, are memory mapped, it lets us leverage a feature in KVM called kernel same-page merging. This allows us to transparently deduplicate memory that is read-only across the kernel and root file system of multiple containers. This reduces memory overhead.

Lastly, the container workload itself is mounted into the virtual machine using the Plan 9 file system. That means that we do not copy the workload into the container, but we directly access the overlay file system mounted on the host. This allows Clear Containers to have a very minimal footprint, as well as boot up quickly, with the same latency as containers.

How does Clear Containers integrate with Docker? Starting with Docker 1.12, Docker added support for replacing the default runtime on any given host with any OCI-compliant runtime. Clear Containers is an OCI-compliant runtime. And you can install Clear Containers on any machine running Docker and set the default runtime to be Clear Containers.

By doing this, it's transparent to the end user or to orchestrators like Swarm. The user workflow and developer workflow is unchanged. But transparently, when a container is launched on that host, it is launched within a virtual machine, which gives you higher security.

What does it take to install Clear Containers on any given machine? Here's an example for Fedora. All you do is you install one of the packages we provide on Fedora. And you switch the default runtime in the systemd unit file for Docker and set it to Clear Containers. With that, that machine from then on will run Clear Containers as the default runtime.

Similarly, I'm going to talk about how we integrate with Kubernetes. Recent versions of Kubernetes have a specification called CRI, which can be used to launch Kubernetes with Clear Containers. Clear Containers supports CRI. 

And in this case, when you create a pod in Kubernetes, the entirety of that pod, all the containers that constitute that pod, are launched within a Clear Containers virtual machine. So the unit of isolation in the case of Kubernetes is a pod, whereas the unit of isolation in the case of Docker is a container. So in the case of Kubernetes, we put the entirety of the pod in a virtual machine. In the case of Docker, we put an individual container inside of a virtual machine.

In summary, in this presentation, we talked about how we make Clear Containers small and fast. We showed how it integrates with Kubernetes as well as Docker. We also showed you how easy it is to try them on any given host. We'd like you to try us out. You can find us on GitHub. And also we are on Freenode. We'd love feedback from you about Clear Containers. Thank you again for listening to this. And we hope to hear from you.
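The Docker integration step described in the talk (switching the default runtime in Docker's systemd unit so every container on the host lands in a VM) can be scripted and then verified from `docker info`. The following is an added example, not code from the talk or the Clear Containers project; the runtime name `cor` and the binary path `/usr/bin/cc-oci-runtime` are placeholder assumptions, and `--add-runtime` / `--default-runtime` are the dockerd flags introduced with Docker 1.12.

```shell
#!/bin/sh
# Added example (not from the talk or the Clear Containers project).
# Assumed placeholders: runtime name "cor", binary /usr/bin/cc-oci-runtime.

# Emit a systemd drop-in for docker.service that overrides ExecStart so dockerd
# registers the OCI runtime (--add-runtime name=path) and selects it as the
# default (--default-runtime). The empty "ExecStart=" line is required by
# systemd to clear the packaged ExecStart before setting a new one.
docker_runtime_dropin() {
  name="$1"; path="$2"
  printf '%s\n' \
    '[Service]' \
    'ExecStart=' \
    "ExecStart=/usr/bin/dockerd --add-runtime ${name}=${path} --default-runtime=${name}"
}

# Install the drop-in and restart Docker (needs root). Kept as a function so the
# script can be sourced for testing without touching the host.
install_docker_runtime_dropin() {
  mkdir -p /etc/systemd/system/docker.service.d
  docker_runtime_dropin "$1" "$2" \
    > /etc/systemd/system/docker.service.d/clear-containers.conf
  systemctl daemon-reload && systemctl restart docker
}

# Extract the runtime name from the "Default Runtime:" line of `docker info`
# output on stdin. A deployment check should confirm this after the restart,
# otherwise containers silently keep running under the namespace-only runtime.
default_runtime_from_info() {
  sed -n 's/^ *Default Runtime: *//p' | head -n 1
}

# Constructed sample of the relevant `docker info` lines, standing in for a
# live daemon so the check can run offline.
SAMPLE_INFO=' Runtimes: cor runc
 Default Runtime: cor
 Security Options: seccomp'

# Return success only if the sampled daemon reports the expected default runtime.
check_default_runtime() {
  want="$1"
  got=$(printf '%s\n' "$SAMPLE_INFO" | default_runtime_from_info)
  [ "$got" = "$want" ]
}
```

On a real host, pipe `docker info` into `default_runtime_from_info` instead of the constructed sample.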