Thanks for the response. Please find my comments inline in blue in the trailing
Also, as per this <https://lwn.net/Articles/644675/> article, I understand
that your team is able to spin up Clear Containers in less than 150 msec.
Is it still the same, or has there been any additional optimization done
on this as of today? (I know, it is going to be way less sometime soon :) )
On Wed, Oct 12, 2016 at 9:31 AM, Arjan van de Ven <arjan(a)linux.intel.com>
On 10/11/2016 11:55 PM, Manideep Konakandla wrote:
> Hey Team,
> This is Manideep from Carnegie Mellon University. I have been doing research on
> container security for quite some time (the results of which will be
> published sometime mid-March or later). I came across Clear Containers
> recently and started exploring it more. I would need some confirmations from
> your side so that I can proceed with exploring more and include your work
> in my research. Please let me know if I got any of the below statements
> wrong.
> 1. When I use Clear Containers, there will be no necessity for namespaces
> and cgroups anymore.
technically not, but we use some of them in our solution anyway for
optimal compatibility with the traditional docker model
*- If cgroups and namespaces are not being used for isolation, what are
they being used for? Can you please help me in understanding this a
little more? (So, if I remove namespaces and cgroups support from
my Linux, will Clear Containers still work as fast as they do now?)*
> 2. Clear Containers will have their own kernel, which is Clear Linux's
> kernel. They get it as a part of the Clear Containers installation. Though it
> solves the core security problem of a shared kernel in a container
> environment, the concept of space wastage (having multiple kernels on the
> same host) is still in place.
Do you mean disk space? Yes, some disk space is wasted, 20 megabytes or so;
disks are like 1 TB or so nowadays.....
(If you meant memory, then most of this memory is shared between the
various containers, and is not very big either; we did quite a bit of work
to minimize this to a relatively small number.)
*- Memory shared? I am confused. Aren't Clear Containers using
hardware-level isolation to achieve additional security (including
hardware-level memory isolation)? Where does the concept of
sharing come into the picture here? Do you mean sharing for general
non-security tasks (if yes, how is the segregation of these tasks done)? Can
you please clarify more on this?*
> 3. Does the concept of KGT etc. come built in with Clear Linux?
KGT? - *Yes (Kernel Guard Technology). As referenced in this
> Also, I am assuming that TPM/TCB for containers (where the Docker daemon
> is also included in the boot verification process) is just an
> extension of the already existing TPM chip and has no relation to the Clear
> Linux project. TPM can be used to further enhance the security of Clear Linux.
> 4. It would be of great help if you could let me know which packages
> Clear Linux comes with. Does it trim most of the packages from
> Ubuntu, or else keep all of them and then highly optimize them? How does it
> work?
Clear Linux (as in, the mini OS inside the Clear Container to bootstrap)
is not based on Ubuntu, but is its own Linux distribution. We've spent
quite a bit of time to get that to be a very minimal install so that it
starts fast and does not take up a lot of space.
*- What's the size of the Clear Linux OS? 20 MB? So, I am assuming that it
would not have many (or any) packages at all, as it is a very optimized
one. (P.S.: I am actually setting up an environment to check more details on
Clear Linux and Clear Containers.)*
> *Manideep K*
> *www.manideepk.com <http://www.manideepk.com>*
> Dev mailing list
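An added example, not code from this thread or from the Clear Containers project: the namespaces/cgroups question above (whether they are still in play once a container gets its own kernel) can be answered for any running process by reading the generic Linux /proc interfaces. The script below parses the /proc/<pid>/ns/* link targets and /proc/<pid>/cgroup, reports which namespace instances a process shares with a reference process (PID 1 by default) and whether it sits below the root cgroup. The function names are my own, and the inode numbers and cgroup lines mentioned in the comments are constructed, not captured from a Clear Containers host.

```python
"""
Added example: check which Linux namespaces and which cgroup a process is
actually confined by, and compare it with a reference process (PID 1 by
default). Reads only the generic /proc interfaces; the parsing helpers also
accept constructed text so they can be exercised offline.
"""
import os
import sys
from typing import Dict, Optional, Tuple

# Namespace types a current Linux kernel exposes under /proc/<pid>/ns/.
NS_TYPES = ("cgroup", "ipc", "mnt", "net", "pid", "user", "uts")


def parse_ns_link(target: str) -> Tuple[str, int]:
    """Parse a readlink() target such as 'net:[4026531992]' into ('net', 4026531992)."""
    kind, sep, rest = target.partition(":")
    if not sep or not (rest.startswith("[") and rest.endswith("]")):
        raise ValueError(f"unexpected namespace link target: {target!r}")
    return kind, int(rest[1:-1])


def read_namespaces(pid: int) -> Dict[str, Optional[int]]:
    """Return {ns_type: inode} for a live process.

    The value is None when the entry is missing (older kernel, non-Linux host)
    or when readlink() is refused: reading another user's /proc/<pid>/ns/*
    needs ptrace-read permission, so an unprivileged user usually cannot
    inspect PID 1. A None is reported, never silently treated as a match.
    """
    result: Dict[str, Optional[int]] = {}
    for ns in NS_TYPES:
        try:
            result[ns] = parse_ns_link(os.readlink(f"/proc/{pid}/ns/{ns}"))[1]
        except (OSError, ValueError):
            result[ns] = None
    return result


def shared_namespaces(a: Dict[str, Optional[int]],
                      b: Dict[str, Optional[int]]) -> Dict[str, bool]:
    """True per namespace type when both processes sit in the same instance
    (same inode). An unknown (None) value yields False: nothing can be concluded."""
    return {ns: a.get(ns) is not None and a.get(ns) == b.get(ns) for ns in NS_TYPES}


def parse_cgroup_file(text: str) -> Dict[str, str]:
    """Parse /proc/<pid>/cgroup text into {controllers: path}.

    cgroup v1 lines look like '4:memory:/docker/<id>' (constructed example),
    the v2 unified line like '0::/user.slice/...'; the empty controller field
    of v2 is keyed as 'unified'. A path may itself contain ':', hence split(…, 2).
    """
    out: Dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        _hier_id, controllers, path = line.split(":", 2)
        out[controllers or "unified"] = path
    return out


def confined_by_cgroup(cgroups: Dict[str, str]) -> bool:
    """A process whose every cgroup path is '/' lives in the root cgroup, i.e. no
    cgroup-based resource control scopes it. Any other path means cgroups are in use."""
    return any(path != "/" for path in cgroups.values())


def describe(pid: int, reference_pid: int = 1) -> Dict[str, object]:
    """Live check: which namespaces <pid> shares with <reference_pid> and
    whether <pid> sits below the root cgroup."""
    with open(f"/proc/{pid}/cgroup", encoding="utf-8") as fh:
        cgroups = parse_cgroup_file(fh.read())
    return {
        "shared_with_reference": shared_namespaces(read_namespaces(pid),
                                                   read_namespaces(reference_pid)),
        "cgroup_confined": confined_by_cgroup(cgroups),
    }


if __name__ == "__main__":
    # Usage: python3 ns_check.py <pid> [reference_pid]; needs Linux and
    # permission to read both processes' /proc entries (root for PID 1).
    target = int(sys.argv[1]) if len(sys.argv) > 1 else os.getpid()
    reference = int(sys.argv[2]) if len(sys.argv) > 2 else 1
    for key, value in describe(target, reference).items():
        print(f"{key}: {value}")
```

Run it as root on the host against the PID of a containerized process: a `net` or `pid` entry reported as shared with PID 1 means that namespace is not separating the process from the host at all, whatever kernel boundary sits underneath, and a non-root cgroup path shows which controllers the container runtime still attaches.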