Intel and CoreOS add hardware virty support to rkt containers
Is it containers? Is it virtualization? It's both
LinuxCon 2015: Intel and CoreOS have teamed up to produce an application container runtime that supports hardware enhanced virtualization.
Version 0.8.0 of CoreOS's rkt (pronounced "rocket") container runtime was announced at the LinuxCon/CloudOpen/ContainerCon conference taking place this week in Seattle.
Among the main features of the new release is support for Intel's VT-x in-silicon virtualization technology. Intel first demonstrated the unorthodox container tech in May as part of its Clear Linux Project, dubbing it Clear Containers.
Unlike the default rkt runtime engine, which fires up containers using Linux kernel–based sandboxing technologies including cgroups and namespaces, Intel's contribution launches container images as full KVM virtual machines.
It's an approach that uses more system resources than typical Linux containers but offers the enhanced security of a hypervisor. Plus, Intel says its on-chip virty extensions minimize the performance overhead.
"By optimizing the heck out of the Linux boot process, we have shown that Linux can boot with the security normally associated with virtual machines, almost as quickly as a traditional container," Chipzilla's Arjan Van De Ven said in a blog post. "Thus we combine security rooted in hardware, via Intel Virtualization Technology (VT-x), with the development and deployment benefits which have caused application developers to gravitate to containers. Problem solved."
Intel has implemented its VT-x support as a pluggable replacement for Stage 1 of rkt's three-stage execution process. The rest of the system remains the same, making VT-x enabled rkt environments fully compatible with traditional, container-based environments.
CoreOS has been developing rkt as an alternative to the Docker container runtime, which rose rapidly over the last two years to become the de facto standard for Linux containers. CoreOS CEO Alex Polvi has criticized the design of the Docker software in the past, and in particular its security model, which he has described as "broken" and "fundamentally flawed."
More recently, Docker has donated the code to its runtime to the Open Container Initiative as a standalone tool called runc, a version of which will be the reference implementation of the forthcoming Open Container Format (OCF) specification. CoreOS is also contributing to this standardization effort.
That said, on Tuesday CoreOS hastened to point out that it's dedicated to delivering a version 1.0 of rkt that's a complete implementation of its own App Container (appc) spec.
"Today rkt is an implementation of the App Container spec (appc), and in the future we hope to make rkt an implementation of the Open Container Initiative (OCI) specification," CoreOS' Brandon Philips said. "However, the OCI effort is still in its infancy and there is a lot of work left to do." ®