Isolate your containers the VM way with Intel® Clear Container technology and Cloud 66


Cloud 66 joined Intel® Cloud Builders to work closely with Intel® and bring their technology within reach of our customers.

Intel® Cloud Builders brings together industry leading solutions providers to deliver a choice of optimised software-defined infrastructure solutions. This collaboration helps lower technical barriers and accelerates innovation for Cloud 66 customers.

Docker runtimes

At Cloud 66 we have been running Docker in production for our customers since the beginning of the container era. A lot has changed in the last four years: Docker now has a much better security model, schedulers, and swappable network and container-runtime drivers.

You are in control of which runtime your (micro)service-oriented architecture runs on. At Cloud 66 we provide an alternative to the default runc runtime called Intel® Clear Containers, which runs each container image inside a lightweight virtual machine accelerated by Intel® Virtualization Technology. This runtime from Intel is compatible with the OCI Runtime Specification of the Open Container Initiative.

Let's talk about how we can leverage this technology with Cloud 66.

What is Intel® Clear Container technology?

Clear Containers add an extra layer of security to Docker: each container runs in its own virtual machine, so a kernel exploit launched from inside the container lands in the guest kernel rather than the host kernel, without giving up the deployment benefits of containers. You can read more about why this extra isolation matters in this article on How Intel® Clear Containers protects against root kernel exploits like Dirty COW.

Key ingredients in the Clear Container model are:

  • An extremely fast and lightweight hypervisor. QEMU has been optimised to reduce memory footprint and improve startup performance.
  • Optimisations in the kernel.
  • Optimisations in systemd.
  • Utilisation of the DAX “direct access” feature of the 4.0 kernel. This lets the guest bypass the page cache and VM subsystems entirely, giving faster filesystem access (no copies!) and lower per-container memory usage.
  • Optimisation of core userspace for minimal memory consumption.

Combined, these features significantly improve resource utilisation. Launch times are so fast that a typical user would hardly notice the difference from a runc container. Clear Containers offer the isolation of a VM at speeds vastly superior to traditional VM technology.

Requirements

If you are ready to deploy a Docker stack with Cloud 66 using Intel® Clear Container technology, you need to know which hardware you can deploy to. The target hardware must support Intel® VT-x (hardware virtualisation). You can use VMs from our supported cloud providers if the VM is KVM-based and nested virtualisation is turned on, but the real power shows when you deploy your infrastructure on bare metal.

Luckily, we integrate with Packet, which provides bare-metal Intel® hardware as a service. If you want to bring your own server, you can deploy Intel® Clear Container technology using our Registered Servers feature. To be sure everything works, use bare-metal servers for now.

Deploy your containers with Intel® Clear Container and Cloud 66

Let's create a new Docker stack first.

Give the new Docker stack a name and add some services, in this case some pre-built images.


The next step is to set up the deployment to use Intel® Clear Containers. Select Configuration and edit the Deploy hooks.


Below is an example deploy hook that installs Intel® Clear Containers on every Docker node you add to your cluster:

production:  
    after_docker: # Hook point
      - snippet: cloud66/clearcontainers # Hook type
        target: docker # Hook fields
        apply_during: build_only
        execute: true


Let's deploy our stack to a production environment.


Because only Packet or a bare-metal server is supported, we must either select Packet or deploy to our own servers using Registered Servers.


We choose Packet!


We select a Type 1 server for testing our Clear Containers. A Type 1 has 4 physical cores @ 3.4 GHz, 32 GB of DDR3 ECC RAM, 120 GB of SSD and a 2 Gbps bonded network.

If you want to know more about the hardware Packet provides, check their offerings.


After we hit deploy, Cloud 66 will do all the heavy lifting. Your nodes will be provisioned, Docker will be installed, Clear Containers will be configured, and the Cloud 66 value added features will be enabled.


Check the server log to confirm that Cloud 66 installed Docker and the deploy hook installed Intel® Clear Containers.


Now you can see your container is running.


Take a look inside

If you SSH to your server and run ps aux | grep qemu you will see a separate VM instance for each running Clear Container: every container is backed by its own /usr/bin/qemu-lite-system-x86_64 process instead of running as a plain process on the host kernel as it would under runc.
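The ps check above can be turned into a small audit script that you run on a node after the deploy hook has finished. The following is an added example, not code from the Cloud 66 post or from Intel's Clear Containers tooling. It works from saved command output so it also runs offline; it assumes the runtime the hook registers with Docker is named cc-runtime (check docker info for the actual name on your node), and all sample data it builds is constructed. Beyond counting qemu-lite processes it also checks the CPU for VT-x, checks that the daemon's default runtime is no longer runc, and offers kernel_isolated to confirm that a container reports a different kernel from the host, which is the property that keeps a host kernel exploit out of reach.

```shell
#!/bin/sh
# Added example, not code from the Cloud 66 post or Intel's tooling.
# Audits a Docker node after the clearcontainers deploy hook has run:
#   1. the CPU exposes VT-x (the "vmx" flag in /proc/cpuinfo),
#   2. the Docker daemon's default runtime is no longer runc,
#   3. every running container is backed by its own qemu-lite VM,
#   4. (kernel_isolated) a container sees a different kernel than the host.
# Live usage on the node, as root:
#   cat /proc/cpuinfo > /tmp/cpuinfo.txt; docker info > /tmp/info.txt
#   ps aux > /tmp/ps.txt; docker ps -q > /tmp/ids.txt
#   clear_container_audit /tmp/cpuinfo.txt /tmp/info.txt /tmp/ps.txt /tmp/ids.txt
#   kernel_isolated "$(uname -r)" "$(docker exec <container> uname -r)"
# The runtime name "cc-runtime" is an assumption; everything written by
# make_sample_data is constructed for illustration, not a real capture.

QEMU_LITE_BIN='/usr/bin/qemu-lite-system-x86_64'

# 0 if a saved /proc/cpuinfo lists the vmx (Intel VT-x) CPU flag.
vt_x_available() {
    grep -qw vmx "$1"
}

# Default runtime reported by a saved `docker info` (empty if absent).
default_runtime() {
    sed -n 's/^ *Default Runtime: *//p' "$1"
}

# Number of qemu-lite VM processes in a saved `ps aux` listing.
qemu_vm_count() {
    grep -c "$QEMU_LITE_BIN" "$1" || true
}

# Number of running containers in a saved `docker ps -q` listing.
container_count() {
    grep -c . "$1" || true
}

# 0 if the container kernel differs from the host kernel (it runs in a VM);
# 1 if they are the same string (the container shares the host kernel).
kernel_isolated() {
    [ -n "$1" ] && [ -n "$2" ] && [ "$1" != "$2" ]
}

# Runs checks 1-3 and returns 0 only when all of them pass.
clear_container_audit() {
    cpuinfo=$1; info=$2; ps_list=$3; ids=$4
    rc=0
    if vt_x_available "$cpuinfo"; then
        echo "OK: CPU exposes VT-x (vmx)"
    else
        echo "FAIL: no vmx flag; enable VT-x (or nested virtualisation on a VM)"
        rc=1
    fi
    runtime=$(default_runtime "$info")
    if [ -z "$runtime" ] || [ "$runtime" = "runc" ]; then
        echo "FAIL: default runtime is '${runtime:-unknown}'; containers share the host kernel"
        rc=1
    else
        echo "OK: default runtime is $runtime"
    fi
    vms=$(qemu_vm_count "$ps_list")
    containers=$(container_count "$ids")
    if [ "$vms" -eq "$containers" ]; then
        echo "OK: $containers container(s), $vms qemu-lite VM(s)"
    else
        echo "FAIL: $containers container(s) but $vms qemu-lite VM(s)"
        rc=1
    fi
    return $rc
}

# Constructed sample inputs, written into directory $1 (not real captures).
make_sample_data() {
    d=$1
    printf 'processor\t: 0\nflags\t\t: fpu vme sse2 vmx ssse3 sse4_2\n' > "$d/cpuinfo.txt"
    printf 'Containers: 2\n Running: 2\nRuntimes: cc-runtime runc\nDefault Runtime: cc-runtime\n' > "$d/info.txt"
    printf '3f1c2a9b7d40\n9e0d4b6a1c22\n' > "$d/ids.txt"
    # Two containers under Clear Containers: one qemu-lite process each.
    cat > "$d/ps_cc.txt" <<'EOF'
USER   PID %CPU %MEM    VSZ   RSS TTY STAT START TIME COMMAND
root   800  0.0  0.2 300000 20000 ?   Ssl  09:58 0:00 /usr/bin/dockerd -H fd://
root  2101  0.5  1.1 901234 91234 ?   Sl   10:01 0:02 /usr/bin/qemu-lite-system-x86_64 -machine pc-lite,accel=kvm -m 2048M -smp 2
root  2188  0.4  1.0 901234 90012 ?   Sl   10:01 0:02 /usr/bin/qemu-lite-system-x86_64 -machine pc-lite,accel=kvm -m 2048M -smp 2
EOF
    # The same containers launched with runc: no qemu-lite process at all.
    cat > "$d/ps_runc.txt" <<'EOF'
USER   PID %CPU %MEM    VSZ   RSS TTY STAT START TIME COMMAND
root   800  0.0  0.2 300000 20000 ?   Ssl  09:58 0:00 /usr/bin/dockerd -H fd://
root  2301  0.0  0.1  32000  5000 ?   Ss   10:01 0:00 nginx: master process nginx -g daemon off;
EOF
}

# Demo on the constructed data: sh audit.sh --demo
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    make_sample_data "$tmp"
    clear_container_audit "$tmp/cpuinfo.txt" "$tmp/info.txt" "$tmp/ps_cc.txt" "$tmp/ids.txt"
    rm -rf "$tmp"
fi
```

The process count is a useful smoke test, but the kernel comparison is the one to keep in a monitoring job: if a container ever reports the host's uname -r, it has been started under runc (for example after a daemon reconfiguration) and the VM boundary this post is about is not there for that container.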

Summary

Using Intel® Clear Containers with Cloud 66 gives your container infrastructure the extra security of a VM at the speed of a container. With a simple deploy hook in your deployment, you can use Intel Clear Containers right out of the box. Be the first to try it out.

Final Note: Using Intel Clear Containers with Cloud 66 is still in beta stage. Test your setup first in a staging environment before migrating to production.

Have fun!
