Fostering New Data Center Usages with Clear Containers

By Imad Sousou

Innovation is key to unlocking the full potential of OpenStack. At Intel, we see tremendous opportunity to drive growth in the data center. To achieve this growth the industry as a whole must enable new usage models, develop more robust security solutions, and help ensure that new features and technologies are easy to adopt.

In my keynote at the OpenStack Summit Vancouver today, I highlighted two requirements critical to our shared success. The first is for the developer community to focus on removing barriers to adoption including ease of deployment, rolling upgrades, and high availability of services and tenants. The second is for everyone to embrace the spirit of innovation necessary to drive new usages and adoptions while moving OpenStack forward.

As industry leaders, we all have this responsibility. Today I shared one of the innovations Intel released as part of our Clear Linux* Project for Intel® architecture, called Intel® Clear Containers. Standard Linux containers are an effective way to spin up an app in an isolated environment, but every container on a host shares that host's kernel. A kernel vulnerability reachable from inside one container can therefore be exploited to take over the host and, with it, every other container running on it, regardless of the intended isolation between them. This has largely limited their use to in-house applications or single-tenant hosts to date.

Intel Clear Containers address the security concerns surrounding the popular container model for application deployment. Intel's approach with these containers offers enhanced protection using security rooted in hardware. By using the virtualization extensions (Intel VT-x) built into the silicon, we give a containerized application the isolation of a virtual machine: the container runs as a guest with its own kernel, so a kernel compromise inside it is contained by the hardware-enforced VM boundary instead of reaching the host kernel. Intel Clear Containers provide a secure, fast Virtual Machine (VM) with a small memory footprint, allowing for more VMs per physical machine.
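As an added example (not Intel's code, and not part of the original post), here is the kind of pre-flight check a practitioner would run before deploying VT-x backed containers on a host. It parses a cpuinfo-style file for the vmx flag (Intel VT-x support) and for the hypervisor flag, which tells you whether the host is bare metal or is itself a guest that needs nested virtualization exposed to it. The sample cpuinfo text and the function names are constructed for this example.

```shell
#!/bin/sh
# Added example, not Intel's code: classify a host's VT-x availability from a
# cpuinfo-style file (default /proc/cpuinfo). Sample data below is constructed.

# has_flag FILE FLAG -> exit 0 if any "flags" line in FILE lists FLAG as a word
has_flag() {
    grep -E '^flags[[:space:]]*:' "$1" | grep -qw -- "$2"
}

# virt_class FILE -> prints one of: bare-metal-vmx | nested-vmx | no-vmx
#   vmx present, no hypervisor flag -> physical Intel host with VT-x
#   vmx and hypervisor both present -> we are a guest, nested VT-x is exposed
#   no vmx                          -> VT-x backed containers cannot run here
#   (AMD hosts advertise svm instead of vmx; this check is Intel-specific)
virt_class() {
    if ! has_flag "$1" vmx; then
        echo no-vmx
    elif has_flag "$1" hypervisor; then
        echo nested-vmx
    else
        echo bare-metal-vmx
    fi
}

# sample_cpuinfo bare|guest|novmx -> constructed two-CPU cpuinfo text, not
# captured from a real host
sample_cpuinfo() {
    case "$1" in
        bare)  flags='fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 ss ht syscall nx lm constant_tsc vmx smx est tm2 ssse3 sse4_1 sse4_2 x2apic popcnt aes xsave avx' ;;
        guest) flags='fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 ss syscall nx lm constant_tsc hypervisor vmx ssse3 sse4_1 sse4_2 x2apic popcnt aes xsave avx' ;;
        *)     flags='fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 ss syscall nx lm constant_tsc hypervisor ssse3 sse4_1 sse4_2 x2apic popcnt aes xsave avx' ;;
    esac
    i=0
    while [ "$i" -lt 2 ]; do
        printf 'processor\t: %d\nvendor_id\t: GenuineIntel\nmodel name\t: constructed sample\nflags\t\t: %s\n\n' "$i" "$flags"
        i=$((i + 1))
    done
}

# When run directly on a Linux host, report its class and whether the kernel
# has actually exposed a KVM device (the check that matters at runtime).
if [ -r /proc/cpuinfo ]; then
    echo "this host: $(virt_class /proc/cpuinfo)"
    if [ -c /dev/kvm ]; then
        echo "/dev/kvm present: kernel is ready to launch hardware-isolated guests"
    else
        echo "/dev/kvm missing: check firmware VT-x setting and the kvm_intel module"
    fi
fi
```

The vmx flag only says the CPU supports VT-x; if firmware has it disabled, the kvm_intel module will refuse to load and /dev/kvm will be absent, so treat the device check as the authoritative one. The nested-vmx case is the one that bites in OpenStack tenant VMs: unless the cloud's hypervisor exposes nested virtualization to the instance, the instance reports no-vmx and cannot launch VT-x backed containers at all.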

One of the key challenges this solution addresses is boot time. Containers spin up very quickly, on the order of a hundred milliseconds. Our goal was to create a Linux environment that boots up as a guest at speeds comparable to a standard container. By focusing on the needs of the application container and optimizing the Linux boot process, we achieved this goal. As a result, containers can now reside in multi-tenant environments with very little performance overhead.

This new feature and the entire Intel Clear Linux Project are available on We fully expect this extra security for containers, rooted in hardware, to drive new usages. Innovation is up to all of us. And we invite you to join in.

Intel and the Intel logo are trademarks of Intel Corporation in the U.S. and/or other countries.

*Other names and brands may be claimed as the property of others.