Intel® Clear Containers Overview

Intel® Clear Containers provide the ease of use of containers while leveraging the isolation of virtual machines. It is a back-end technology that plugs into Docker, Kubernetes and Rocket, and is packaged for multiple Linux* distributions, including Ubuntu, CentOS, CoreOS, and Fedora. To support upstream proliferation, Intel Clear Containers supports specifications including OCI, AppC, CRI-O, CNI, and CNM. Downstream, Intel is working with Docker, Kubernetes, OSVs, ISVs, integrators, and CSPs. Clear Containers is an open source project available on GitHub.

Hi, I'm Amy Leland, and I work at Intel's Open Source Technology Center. I'm the program manager for Intel's Clear Containers Project. We're going to talk a little bit about what Intel Clear Containers are and how they're available in the ecosystem today and how we integrate with open source partners. 

So I'm going to start with the word container. The word container is used for, really, two separate parts. There's the back end technology of containers. 

So Linux kernel containers have been around for a really long time. They're about resource allocation and isolation. And the other side of that is the packaging and deployment of containers. 

This is what's really new in the industry today, which companies like Docker and Rocket have made container technology really easy to use. This is a basic diagram of a Linux kernel container. And as you can see, the isolation is within the namespace. 

And all of the containers are sharing a Linux kernel. And while there are many benefits to container technology-- so they're fast, they're agile, they're easy to use-- there's still a lot of concerns around security. This slide just signifies that if there's a kernel vulnerability that seeps into one container, it can go from one container to the next container to the next container all on one host. 

Again this is due to the fact that they share a Linux kernel. And again, this leads to a lot of security concerns in the container ecosystem. And as I said, I'm talking today about Intel Clear Containers. 

So when we looked at the container ecosystem, we said, OK, so virtual machines are secure. But they're slow, harder to manage, and container technology-- they've got all this speed, agility. They're very small in size. And can we get the best of both worlds? 

Intel Clear Containers is a lightweight virtual machine. So it acts as fast as a container, but it has the security benefits of a virtual machine. And what we've done is use Intel VT-x. So we use hardware-based security to secure each container on a host. 

So each container or lightweight virtual machine has its own operating system, but it's a minimal operating system. And again, we utilize Intel VT-x to secure each container on the system. I always refer back to the first part of this presentation. So again, there's the back end technology of containers-- Linux kernel containers. 

And then there's the front end application, logistics, deployment. And what we're trying to do is just offer another back end solution in the market. The reality today is that most people deploy container technology in a full-on virtual machine. 

You can see this as people deploy on AWS or many other clouds. So the reality is that people are actually deploying containers in virtual machines already. What we're doing is saying, why wouldn't we just offer a lightweight virtual machine that, again, has the benefits, the security of a full-on virtual machine, but then also all of the benefits that containers offer-- size, speed, logistics, all the application and deployment frameworks. 

Before Intel Clear Containers, there were really only two options. There's this virtual machine-- full-on virtual machine-- or a container technology solution. And again, we're just offering another back end solution into the ecosystem. 

And since Intel Clear Containers is a back end technology solution, we plug into the application and deployment tools that you're used to within the container ecosystem. We plug into Docker 1.12 and greater-- I think up until 17.03. We also plug into Kubernetes. So you can use Intel Clear Containers with Kubernetes 1.5 and greater through the CRI specification. 

We're available for Rocket 1.0. And we just released Intel Clear Containers 2.1. It's available on GitHub. 

We currently package for multiple Linux operating systems. So this is a subset of Linux operating systems. We definitely don't package for every single Linux operating system that's out there. 

But Intel Clear Containers does work with multiple different Linux distributions. And we have some requirements that are available on our website for what's required to run Intel Clear Containers. But you should be able to run them with any Linux distribution, as long as you follow those guidelines. 

So there's a lot of container specifications that are out there today. And we try to work both upstream and downstream. And so I'm going to talk through that. 

The Open Container Initiative-- OCI-- is one specification that's out there. And we are compliant with that specification. We also are compliant with AppC, which is another specification in the container ecosystem. 

We are compliant with CRI-- the Container Runtime Interface-- that Google and Red Hat started. And this is the primary interface to work with Kubernetes, which I talked about earlier. We have also added support for Intel Clear Containers in the container networking space. 

So there's two specifications that are out there today. There's CNI and CNM. And we've added the ability to support lightweight virtual machines in those specifications. 

So again, we're available for both CNI and CNM. And in terms of downstream proliferation, we're working with the likes of Docker, Rocket, Kubernetes to be integrated within those communities. But we also want to partner with companies-- OSVs, ISVs, integrators, and CSPs-- to offer go-to-market solutions. 

Intel Clear Containers is an open source project that Intel is a part of. And again, we want to work with our partners to offer go-to-market solutions. 

I want to thank you for spending time with me today to learn about Intel Clear Containers, what they are, and who we're working with, and how they're available in the market. And I really appreciate your time. Thank you.