CoreOS is working with Intel to make its container platform more secure. CoreOS recently revealed that it is adding support for Intel Clear Containers to its Rocket (rkt) container environment.
Containers have taken the world by storm and the technology is transforming the way companies develop and deploy apps. One of the hurdles for containers, however, has been security. Organizations want some peace of mind that the processes and data running in one container can’t leak to or be modified by another container without permission.
A blog post from the Intel Clear Containers group back in May defined the container security dilemma.
Many people who advocate for containers start by saying that virtual machines are expensive and slow to start, and that containers provide a more efficient alternative. The usual counterpoint is about how secure kernel containers really are against adversarial users with an arsenal of exploits in their pockets. Reasonable people can argue for hours on this topic, but the reality is that quite a few potential users of containers see this as a showstopper. There are many efforts underway to improve the security of containers and namespaces in both open-source projects and startup companies.
Microsoft addressed the container security issue with the introduction of Hyper-V Containers. Hyper-V Containers are essentially self-contained virtualized environments, which helps keep everything separate and segregated from the rest of the container environment. Intel took a similar approach with its Clear Containers. Intel Clear Containers are just stripped-down Linux containers running with the protection of a virtual machine.
The Intel Clear Containers group explained, “We set out to build a system (which we call ‘Clear Containers’) where one can use the isolation of virtual-machine technology along with the deployment benefits of containers. As part of this, we let go of the ‘machine’ notion traditionally associated with virtual machines; we’re not going to pretend to be a standard PC that is compatible with just about any OS on the planet.”
CoreOS has a clever naming convention based on the Rocket theme. A standard container runs with Rocket, while a container built on Intel Clear Containers is called Rocket Stage 1. Rocket Stage 1 is part of the 0.8.0 release of Rocket, which CoreOS made available in late August.
Brandon Philips, CTO of CoreOS, described the Intel Clear Containers integration. “With the help of engineers at Intel, we have added a new rkt stage1 runtime that utilizes virtualization technology. This means an application running under rkt using this new stage1 can be isolated from the host kernel using the same hardware features that are used in hypervisors like Linux KVM.
“Work on rkt is healthy and continues,” said Philips. “This rkt 0.8 release includes new security features, including initial support for user namespaces and enhanced container isolation using hardware virtualization. We will continue working on more features to ensure the future rkt 1.0 is the most efficient, secure and composable container runtime for production environments.”
Mainstream adoption of containers continues to accelerate, and the various efforts to make container technology more secure—like integrating Intel Clear Containers into Rocket—will drive even wider acceptance. The increased security of containers, along with the cooperation of the major players through the Open Container Project to ensure container technologies are more or less standardized, will help businesses use containers with confidence.