Building a Virtualized Continuum
While Linux* containers offer speed and agility advantages, they can raise security concerns. In the typical container model, isolated by namespaces and constrained by cgroups, all containers in a given environment share the same kernel instance. If that kernel is compromised or crashes, so are all the containers running on top of it, which leaves them potentially exposed to malicious software-based attacks. In terms of data and workload isolation, hypervisor-based VMs are superior to Linux containers: hypervisors enforce isolation in hardware, assisted by Intel® Virtualization Technology (Intel® VT), and partition resources to prevent unwanted interactions among workloads.
We will be discussing Intel’s open source project, Clear Containers, and how this technology augments the container model with a fast-booting, low-footprint VM. It provides an alternative approach that overcomes the limitations of each architecture to deliver the benefits of both, combining the hardware-assisted isolation of hypervisor-based VMs with the high performance of Linux containers. We will also talk about how we managed to have orchestration engines like Kubernetes or Swarm transparently use Clear Containers.
Manohar Castelino -
Amy Leeland -
Software Program Manager,