The Clear Linux Project for Intel Architecture, or Clear Linux for short [1], is one of the latest challengers to swell the ranks of distributions for cloud computing. Some better known representatives include Ubuntu Snappy, CoreOS [2], and Red Hat Atomic Host [3]. Among the also-rans, you'll find systems such as RancherOS [4], the unikernel project MirageOS [5], and VMware Photon [6]. All these distributions are small in terms of scope and are intended to let containers run close to the kernel with as little operating system ballast as possible. The Docker-optimized RancherOS runs on a footprint of just 20MB.
When a semiconductor manufacturer such as Intel launches its own operating system, the result is naturally more than just a me-too distribution. Clear Linux is a flagship project optimized for Intel's processors (Figure 1). According to the manufacturer, Clear Linux ideally requires a fourth-generation Intel Core processor or an Intel Xeon E5 v3. In other words, all Intel CPUs since "Haswell" are ideal for Clear Linux. The distribution comes with ingredients such as OpenStack [7], but it does without a GUI and the ability to print.
Out of the box, Intel's operating system for the cloud works as a stateless system. This principle simplifies the handling of installation, configuration, and updates for large numbers of machines. Stateless systems do not require a fixed configuration and can do without the /etc and /var directories.
That said, "stateless" is not a precisely defined condition: These systems range from "hardened" variants in the embedded area, through versions with a read-only filesystem, to hybrid models where a modified filesystem causes a lack of state on a conventional Linux. Clear Linux masters the balancing act between the two types: The installation can be converted from a stateless system to a normal active filesystem. (See the "Clear Linux as a Virtual Machine" box for more.)
Clear Linux as a Virtual Machine
Because Clear Linux is intended as a container OS, the project does not provide an ISO image for creating an optical data medium or a USB stick (Figure 2). However, you can easily transform the IMG file into a virtual machine for a virtualization tool like KVM, VirtualBox, or VMware. Intel provides a detailed guide to virtualization in the Clear Linux online documentation [12].
Clear Linux also introduces its own Clear Container format [8], developed on the basis of Rkt and Docker. The Clear Container format contains a tailor-made security concept, based on Intel Virtualization Technology (VT-x). The primary concern is security: Intel is looking to combine the isolation offered by traditional virtual machines with speed benefits when rolling out working environments, as well as the ease and flexibility of containers.
To do so, the manufacturer offers an optimized kernel and a modified systemd, spiced with the KVMtool to be able to create a container on a "Haswell" system with an SSD in less than 150 milliseconds (Figure 3). During operation, the containers need about 20MB RAM; in other words, more than 3500 of them could run on a system with 128GB main memory. Start times may be longer than for Docker containers, but Intel's variant offers better security. Thanks to KVMtool [9], you get KVM without the underlying QEMU, which is not necessary in this scenario. The container boots directly at kernel level without a BIOS or UEFI.
Clear Containers is also available for Debian, Ubuntu, CentOS, Scientific Linux, Fedora, openSUSE, Tumbleweed, and SUSE Linux Enterprise. The intent is for the Clear Container solution to be incorporated into the Linux Foundation's Open Container initiative. If you want to deepen your knowledge of Clear Containers and their technologies, check out the article by kernel developer and Clear Linux lead developer, Arjan van de Ven on LWN [10].
Clear Linux OS also does its own thing when it comes to updating the system: The package management is somewhere between a traditional package manager and "atomic updates" of all packages. Although Intel uses the RPM format for binary packages, it meaningfully groups these packages into bundles that update the system all at once. Intel has announced – but not yet implemented – a Remixer tool that lets you build your own bundles.
To reduce RAM usage per container, Clear Linux makes intensive use of the Direct Access (DAX) feature introduced in kernel 4.0. In line with the zero-copy approach, the system does not load files requested by applications into memory in the usual way; instead, it bypasses the kernel page cache to access the virtual memory subsystem and perform read and write operations directly in non-volatile memory (NVM).
Support for the function multiversioning (FMV) compiler option offers further optimization potential for the various Intel architectures: This option lets you build code for multiple platforms and then lets the software choose at run time which variant to use, harnessing, for example, the AVX2 plugin for enhanced vector computation [11] on a system with a "Haswell" CPU. FMV usually means speed gains for applications that are not yet optimized for multiple instruction sets.
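The following is an added example, not code from the article or the Clear Linux project, showing what FMV looks like at source level with GCC or Clang on x86-64. The `target_clones` attribute makes the compiler emit an AVX2-tuned clone and a generic clone of `dot_product()` plus a resolver that picks the right clone when the binary is loaded, so the same executable gets AVX2 code on a "Haswell" or later CPU and still runs on older ones. The function names, the `FMV_CLONES` macro, and the sample arrays are constructed for this example; on a toolchain without `target_clones` support the macro expands to nothing and a single generic version is built.

```c
#include <stddef.h>
#include <stdio.h>

/* Added example of function multiversioning (FMV). With GCC or Clang on
 * x86-64, target_clones emits one AVX2 clone and one "default" clone of
 * the function plus an ifunc resolver that selects the best clone at
 * load time based on the CPU the program actually runs on. Where the
 * attribute is unavailable the macro is empty and one generic version
 * is compiled, so the program stays portable. */
#if defined(__x86_64__) && defined(__has_attribute)
#  if __has_attribute(target_clones)
#    define FMV_CLONES __attribute__((target_clones("avx2", "default")))
#  endif
#endif
#ifndef FMV_CLONES
#  define FMV_CLONES
#endif

/* Sum of a[i] * b[i]: a simple loop the compiler can vectorize, so the
 * AVX2 clone can use 256-bit vector instructions while the default clone
 * is restricted to the baseline x86-64 instruction set. */
FMV_CLONES
long long dot_product(const int *a, const int *b, size_t n)
{
    long long acc = 0;
    for (size_t i = 0; i < n; i++)
        acc += (long long)a[i] * b[i];
    return acc;
}

/* Constructed sample input (hypothetical data, not from the article):
 * the dot product of 1..8 with 8..1, which is 120. */
long long dot_product_demo(void)
{
    const int a[8] = {1, 2, 3, 4, 5, 6, 7, 8};
    const int b[8] = {8, 7, 6, 5, 4, 3, 2, 1};
    return dot_product(a, b, 8);
}

int main(void)
{
    /* The caller never needs to know which clone the resolver picked. */
    printf("dot product = %lld\n", dot_product_demo());
    return 0;
}
```

Build it with `gcc -O2 fmv.c -o fmv` and inspect the result with `nm fmv | grep dot_product` to see the `.avx2` and `.default` clones alongside the resolver symbol; the call site in `main()` is unchanged, which is why FMV can be applied to existing code without touching its callers.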
A telemetry function collects information about error events on the system, but it does not collect any that could be traced back to users. The function can be disabled, if necessary, or you can set it up on your own system. You can download the operating system from the project server, but note that it is exclusively available for the IA64 architecture as a live image, an installer, a KVM image, or in Intel's own container format.
Infos