Containers are the hot concept du jour and, as with any emerging technology, once it has gained mainstream popularity the big question becomes, “OK, but what about security?” CoreOS is partnering with Intel to address that question in its Rocket (rkt) container platform by integrating container virtualization using Intel Clear Containers.
I wrote this blog post about the security of Rocket Stage 1:
CoreOS is working with Intel to make its container platform more secure. CoreOS recently revealed that it is adding support for Intel Clear Containers to its Rocket (rkt) container environment.
Containers have taken the world by storm and the technology is transforming the way companies develop and deploy apps. One of the hurdles for containers, however, has been security. Organizations want some peace of mind that the processes and data running in one container can’t leak to or be modified by another container without permission.
A blog post from the Intel Clear Containers group back in May defined the container security dilemma.
“Many people who advocate for containers start by saying that virtual machines are expensive and slow to start, and that containers provide a more efficient alternative. The usual counterpoint is about how secure kernel containers really are against adversarial users with an arsenal of exploits in their pockets. Reasonable people can argue for hours on this topic, but the reality is that quite a few potential users of containers see this as a showstopper. There are many efforts underway to improve the security of containers and namespaces in both open-source projects and startup companies.”
Microsoft addressed the container security issue with the introduction of Hyper-V Containers. Hyper-V Containers are essentially self-contained virtualized environments, which helps keep everything separate and segregated from the rest of the container environment. Intel took a similar approach with its Clear Containers. Intel Clear Containers are just stripped-down Linux containers running with the protection of a virtual machine.
The Intel Clear Containers group explained, “We set out to build a system (which we call ‘Clear Containers’) where one can use the isolation of virtual-machine technology along with the deployment benefits of containers. As part of this, we let go of the ‘machine’ notion traditionally associated with virtual machines; we’re not going to pretend to be a standard PC that is compatible with just about any OS on the planet.”
CoreOS has a clever naming convention based on the Rocket theme. A standard container runs with Rocket, while a container built on Intel Clear Containers is called Rocket Stage 1. Rocket Stage 1 is part of the 0.8.0 release of Rocket, which CoreOS made available in late August.
See the full story on ContainerJournal: CoreOS teams with Intel to make Rocket containers more secure.