Using Virtual Machines to Improve Container Security with Rkt v0.8.0

37 points by preillyme 9 years ago | 10 comments
  • eloff 9 years ago
    A good intro to clear containers here, it's really fascinating reading: http://lwn.net/Articles/644675/
    • thinkingkong 9 years ago
      This might be viewed as slightly OT but this entire container security thing always reminds me how important it is to build on the right ecosystem.

      This technology has been available for years on other platforms in a stable fashion. The fact that it never gets used, for different reasons, is always sobering.

      • edwintorok 9 years ago
        Although the article says Intel VT-x, the demo successfully runs on an AMD CPU with SVM, although with this warning:

          [    0.000000] KERNEL supported cpus:
          [    0.000000]   Intel GenuineIntel
          [    0.000000] CPU: vendor_id 'AuthenticAMD' unknown, using generic init.
          [    0.000000] CPU: Your system may be unstable.
          • preillyme 9 years ago
            I also think it's worth mentioning that Intel® Clear Containers now supports Docker as well.
            • preillyme 9 years ago
              Arjan van de Ven (from Intel) can share more context.
              • eloff 9 years ago
                It's fantastic that you've reduced the startup and memory overhead to the point where it's almost negligible. That's quite an achievement!

                One thing that was not discussed is the impact hypervisor-based virtualization has on runtime. I've seen plenty of benchmarks where AWS EC2 instances perform much more poorly than a bare-metal machine with a similar processor. Do you have any idea what the overhead might be for clear containers vs standard linux namespace-based containers?

            • tristanz 9 years ago
              Where is this documented?
            • josephjacks 9 years ago
              Disclaimer: I work for Kismatic.

              It's exciting to see further investment in Intel® Clear Containers. At Kismatic, we have been fans (0) of Clear Containers since the beginning!

              (0): https://kismatic.com/technical/quickstart-intel-clear-linux-...
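
A quick way to check what edwintorok's comment touches on, namely whether a host has the hardware virtualization extension that a VM-per-container runtime like the one in the article needs (Intel VT-x shows up as the `vmx` CPU flag, AMD-V/SVM as `svm`), and which vendor the kernel sees. This is an added shell example, not code from the article, from rkt or from Clear Containers; the function names and the embedded cpuinfo samples are constructed for illustration, and the script only reads the `/proc/cpuinfo` text format, falling back to the constructed sample when run somewhere that file is not available.

```shell
#!/bin/sh
# Added example: inspect /proc/cpuinfo-format text for hardware virtualization support.
# Only the "flags" and "vendor_id" lines of the first CPU are consulted.

# hwvirt_mode FILE: print "vmx" (Intel VT-x), "svm" (AMD-V) or "none".
hwvirt_mode() {
    flags=$(awk -F: '/^flags/ { print $2; exit }' "$1")
    case " $flags " in
        *" vmx "*) echo vmx ;;
        *" svm "*) echo svm ;;
        *)         echo none ;;
    esac
}

# cpu_vendor FILE: print the vendor_id string (GenuineIntel, AuthenticAMD, ...).
cpu_vendor() {
    awk -F: '/^vendor_id/ { sub(/^[ \t]+/, "", $2); print $2; exit }' "$1"
}

# in_vm FILE: succeed when the "hypervisor" flag is set, i.e. this kernel is
# itself a guest; nested virtualization would then be needed for VM-based containers.
in_vm() {
    flags=$(awk -F: '/^flags/ { print $2; exit }' "$1")
    case " $flags " in
        *" hypervisor "*) return 0 ;;
        *)                return 1 ;;
    esac
}

# write_sample_amd FILE: constructed cpuinfo excerpt for an AMD host with SVM.
write_sample_amd() {
    printf 'vendor_id\t: AuthenticAMD\nflags\t\t: fpu vme de pse svm lahf_lm\n' > "$1"
}

# write_sample_intel_guest FILE: constructed excerpt for an Intel CPU seen from inside a VM
# that does not expose VT-x to the guest (no vmx, but hypervisor is set).
write_sample_intel_guest() {
    printf 'vendor_id\t: GenuineIntel\nflags\t\t: fpu vme de pse hypervisor lahf_lm\n' > "$1"
}

# report FILE: human-readable summary; return 0 only when VM-based containers could run here.
report() {
    vendor=$(cpu_vendor "$1")
    mode=$(hwvirt_mode "$1")
    echo "vendor: $vendor, hardware virtualization: $mode"
    if in_vm "$1"; then
        echo "running as a guest: nested virtualization would be required"
    fi
    [ "$mode" != none ]
}

# Stand-alone use: prefer the real /proc/cpuinfo, else fall back to a constructed sample.
if [ -r /proc/cpuinfo ]; then
    report /proc/cpuinfo || echo "no VT-x/SVM visible to this kernel"
else
    sample=$(mktemp)
    write_sample_amd "$sample"
    report "$sample" || echo "no VT-x/SVM visible to this kernel"
    rm -f "$sample"
fi
```

The `svm` flag being present is what made the demo boot on edwintorok's AMD machine; the "CPU: vendor_id 'AuthenticAMD' unknown" warning in the quoted log is a separate matter, a guest kernel built with only Intel CPU support selected, and this check says nothing about that.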