Clear Linux Project (opens in new tab)

(clearlinux.org)

164 pointsMerkur10y ago56 comments

56 comments

Just what we need a Linux distro who's main goal is apparently to promote Intel products. The language used to describe it makes this quite clear. "The goal of Clear Linux OS, is to showcase the best of Intel Architecture technology...". This is a blatent attempt to exclude ARM who is gaining Linux market share. Whatever innovation they might bring to the table, I will avoid it purely on the basis that its aim is to benefit Intel rather than the user. Dot org my ass.

kasabali10y ago

The site is weak but you should check the LWN link given in this thread. They have done some cool stuff actually.

vidarh10y ago

I don't think they really expect you to want to use it directly. As it says, it's a showcase. But a lot of the technology might make it into other distros in more generic forms.

digi_owl10y ago

Not the first time Intel does this.

Moblin was started because MS balked at making Windows for a Intel chip that didn't offer PCI enumeration.

drewg12310y ago

One issue where "pure" containers have an advantage over VMs is IO.

For network intensive workloads, there is a choice between the efficiency of SR-IOV and the control & manageability of a virtual NIC like virtio-net. In order to get efficiency, you need to use SR-IOV, which (the last time I checked) still made lots of admins nervous when running untrusted guests. Sure, the guest could be isolated from internal resources via a vlan, but it could still be launching malicious code onto the internet, and it may be difficult to track its traffic for billing purposes, especially if you want to differentiate between external & internal traffic. SR-IOV NICs also have limited number of queues and VFs, so it is hard to over-commit servers. So in order to maintain control of guests, you end up doubling the kernel overhead by using a virtual NIC (eg, virtio-net) in the VM and a physical NIC in the hypervisor. Now you have twice the overhead, twice the packet pushing, more memory copies, VM exits, etc.

The nice thing about containers is that there is no need to choose. You get the efficiency of running just a single kernel, along with all the accounting and firewalling rules to maintain control & be able to bill the guest.

justincormack10y ago

SR-IOV should not really make you nervous, it uses the iommu. Billing might have some issues I guess.

There are higher performance virtual network setups eg see http://www.virtualopensystems.com/en/solutions/guides/snabbs...

Container networking has overheads, the virtual network pairs and the natting is not costless at all, and most people with network intensive applications are allocating physical interfaces to containers anyway.

MerkurOP10y ago

LWN got an article about it... https://lwn.net/Articles/644675/

4ad10y ago

Public link: http://lwn.net/SubscriberLink/644675/5be656c24083e53b/

zatkin10y ago

Is it bad to send an LWN Subscriber link to a large number of people? Will they get upset? They mention that they'll remove the feature if it gets abused.

3 more replies

MerkurOP10y ago

thx!

kbenson10y ago

How they purport to do packaging is interesting, but I'm not sure it will work well in the end. Having "bundles" that contain immutable sets of packages sounds good from a stability point of view, but unless they are entirely self contained, you'll undoubtedly run into a library that you need to updated for one bundle that then forces you to update another entire bundle. If each bundle is entirely self contained (allowing it to have it's own set of libraries), you're essentially recreating what's a static binary through package semantics. This comes with the usual downsides of static binaries.

I'm interested in seeing it tried though. The learning is in the doing.

drewg12310y ago

Self contained packages are not a new idea. For example, PC-BSD has been doing this for years, via their PBI package format. See the description of PBI here: http://www.pcbsd.org/en/package-management

I think PBI does de-duplication at the package manager level by manipulating hard-links to common files, rather than installing multiple copies.

derefr10y ago

> I think PBI does de-duplication at the package manager level by manipulating hard-links to common files, rather than installing multiple copies.

Which is, itself, a bad reinvention of Plan 9's Venti filesystem. Having one, or two, or a million files on disk containing the same data should take up as much space as having just one. "Hard links" are a policy-level way to express shared mutability; deduplication of backing storage, meanwhile, should be a mechanism-level implementation detail.

2 more replies

kbenson10y ago

Self contained packages are not the problem, individualized libraries shipped along with those packages are.

How does PBI handle minor library version differences then? If one package provides and uses mylib-1.3.1 and another provides and uses mylib-1.3.5, how is that distinguished as the core library level (the plain .so file)? My understanding of what Clear Linux is attempting allows this level of granularity to ensure a package (really an amalgamation of individual packages in the sense of most current unixy distros) is functional and updated as a whole.

1 more reply

tbronchain10y ago

If they are micro-vms, container-style, I don't think they will have such need to share any library? -in theory, at least- ..

I mean, it is possible to completely isolate them, all.

It may end-up very heavy though, but, and I can be wrong on this, with the constant growth of storage capacities, network bandwidth, RAM capacity, and the progress made to lighten "containers", I don't think this "heavy" downside I see of immutable infrastructures will be a real issue in the future.

kbenson10y ago

No, but identifying which of your 20 micro-VMs is susceptible to the next OpenSSL exploit, and rolling out the fixes may be. It's both simpler in some aspects and more complex in others to lave local library versions for every app/service. Managing service prerequisites becomes easy and managing service feature updates becomes easier than it was, but managing service security updates becomes more complex. Juggling these different needs and capabilities is where it gets interesting.

1 more reply

zobzu10y ago

I just tried it. it is fast.

its a VM really, but packaged like a container. On my laptop, it starts about as fast as a Docker container, ie less than a second.

This is quite impressive.

zymhan10y ago

I'm not so sure that running a container is directly analagous to using it in a VM.

stephen-mw10y ago

When using something like LXD I can barely tell the difference.

zobzu10y ago

While namespacing allows you to do various things, most container setups are vm-replacements, running either full OS or not, they're used for the same purpose in the end (ie resources separation)

1 more reply

dbbolton10y ago

After reading the overview and features, I'm left wondering:

* what tangible benefits would I get from using Clear Linux over my own heavily customized/handrolled linux server?

* how does the update system handle breakage/conflicts?

* are any of Intel's changes likely to make it into other existing distros or kernels?

ramidarigaz10y ago

This was linked elsewhere in the comments. I think it answers some of your questions:

http://lwn.net/SubscriberLink/644675/5be656c24083e53b/

Thaxll10y ago

I just tried on my desktop, woot it's super fast!

[ 0.000000] KERNEL supported cpus:

[ 0.000000] Intel GenuineIntel

[ 0.000000] e820: BIOS-provided physical RAM map:

...

[ 1.245851] calling fuse_init+0x0/0x1b6 [fuse] @ 1

[ 1.245853] fuse init (API version 7.23)

[ 1.246299] initcall fuse_init+0x0/0x1b6 [fuse] returned 0 after 431 usecs

n3mes1s10y ago

read the hypervisor part of the lwn article: https://lwn.net/SubscriberLink/644675/5be656c24083e53b/

quote: "With kvmtool, we no longer need a BIOS or UEFI; instead we can jump directly into the Linux kernel. Kvmtool is not cost-free, of course; starting kvmtool and creating the CPU contexts takes approximately 30 milliseconds."

voltagex_10y ago

Anyone know what they might be doing for the speed increase?

graycoder10y ago

Seeing as it's Intel I might guess that they either have extra instructions in the instruction set they know about or other optimizations that they know to look for. Seeing as they only support 4th generation and E5 v3... it wouldn't surprise me.

mbrzusto10y ago

i wonder if it builds with icc? seems like a matter of pride they should get that working.

pyvpx10y ago

that was my first guess at "how'd they make it faster?" icc is sometimes a shockingly better (read: compiled code that is faster) compiler.

Meai10y ago

I dont quite understand what this is: Is it a linux distribution that can have a graphical interface like Gnome 3? My question is essentially: Is it more like Ubuntu or more like Docker?

oldsj10y ago

More like CoreOS

rgborn10y ago

Would very much like to see a comparison of Clear Containers and LXD. Would also like to know why Intel decided to do their own thing and not just help with the LXD project.

lqdc1310y ago

Unless I am not getting something, are the developers expected to manually compile everything that isn't in a bundle?

And then recompile again whenever a bundle gets updated?

mrmondo10y ago

Correct me if I'm wrong but shouldn't 'Cloud' have a lower case C if it's not a product?

MerkurOP10y ago

I didn't find very mutch information about it.. yet. :( anyone played with it?

zxcvcxz10y ago

Download link didn't work for me in firefox for some reason, had to paste the link:

https://download.clearlinux.org/

smegel10y ago

I am surprised they didn't go down the container route for OS updates like CoreOS. I think I like that approach.

philips10y ago

This does use containers and in fact they have some interesting modifications that they have made to the rkt container runtime to use KVM isolation instead of just namespaces and cgroups. See a link in 4ad's comment for an LWN article.

Those modifications are exciting for me as one of the developers of rkt. We built rkt with this concept of "stages"[1] where the rkt stage1 here is being swapped out from the default which uses "Linux containers" and instead executing lkvm. In this case the Clear Containers team was able to swap out the stage1 with some fairly minimal code changes to rkt which are going upstream. Cool stuff!

[1] https://github.com/coreos/rkt/blob/master/Documentation/deve...

frozenport10y ago

Would be cool if it built with ICC, like the old Linux DNA project.

j / k navigate · click thread line to collapse

56 comments

jcoffland10y ago

kasabali10y ago

The site is weak but you should check the LWN link given in this thread. They have done some cool stuff actually.

vidarh10y ago

I don't think they really expect you to want to use it directly. As it says, it's a showcase. But a lot of the technology might make it into other distros in more generic forms.

digi_owl10y ago

Not the first time Intel does this.

Moblin was started because MS balked at making Windows for a Intel chip that didn't offer PCI enumeration.

drewg12310y ago

One issue where "pure" containers have an advantage over VMs is IO.

justincormack10y ago

SR-IOV should not really make you nervous, it uses the iommu. Billing might have some issues I guess.

There are higher performance virtual network setups eg see http://www.virtualopensystems.com/en/solutions/guides/snabbs...

MerkurOP10y ago

LWN got an article about it... https://lwn.net/Articles/644675/

4ad10y ago

Public link: http://lwn.net/SubscriberLink/644675/5be656c24083e53b/

zatkin10y ago

Is it bad to send an LWN Subscriber link to a large number of people? Will they get upset? They mention that they'll remove the feature if it gets abused.

3 more replies

MerkurOP10y ago

thx!

kbenson10y ago

I'm interested in seeing it tried though. The learning is in the doing.

drewg12310y ago

I think PBI does de-duplication at the package manager level by manipulating hard-links to common files, rather than installing multiple copies.

derefr10y ago

> I think PBI does de-duplication at the package manager level by manipulating hard-links to common files, rather than installing multiple copies.

2 more replies

kbenson10y ago

Self contained packages are not the problem, individualized libraries shipped along with those packages are.

1 more reply

tbronchain10y ago

If they are micro-vms, container-style, I don't think they will have such need to share any library? -in theory, at least- ..

I mean, it is possible to completely isolate them, all.

kbenson10y ago

1 more reply

zobzu10y ago

I just tried it. it is fast.

its a VM really, but packaged like a container. On my laptop, it starts about as fast as a Docker container, ie less than a second.

This is quite impressive.

zymhan10y ago

I'm not so sure that running a container is directly analagous to using it in a VM.

stephen-mw10y ago

When using something like LXD I can barely tell the difference.

zobzu10y ago

While namespacing allows you to do various things, most container setups are vm-replacements, running either full OS or not, they're used for the same purpose in the end (ie resources separation)

1 more reply

dbbolton10y ago

After reading the overview and features, I'm left wondering:

* what tangible benefits would I get from using Clear Linux over my own heavily customized/handrolled linux server?

* how does the update system handle breakage/conflicts?

* are any of Intel's changes likely to make it into other existing distros or kernels?

ramidarigaz10y ago

This was linked elsewhere in the comments. I think it answers some of your questions:

http://lwn.net/SubscriberLink/644675/5be656c24083e53b/

Thaxll10y ago

I just tried on my desktop, woot it's super fast!

[ 0.000000] KERNEL supported cpus:

[ 0.000000] Intel GenuineIntel

[ 0.000000] e820: BIOS-provided physical RAM map:

...

[ 1.245851] calling fuse_init+0x0/0x1b6 [fuse] @ 1

[ 1.245853] fuse init (API version 7.23)

[ 1.246299] initcall fuse_init+0x0/0x1b6 [fuse] returned 0 after 431 usecs

n3mes1s10y ago

read the hypervisor part of the lwn article: https://lwn.net/SubscriberLink/644675/5be656c24083e53b/

voltagex_10y ago

Anyone know what they might be doing for the speed increase?

graycoder10y ago

mbrzusto10y ago

i wonder if it builds with icc? seems like a matter of pride they should get that working.

pyvpx10y ago

that was my first guess at "how'd they make it faster?" icc is sometimes a shockingly better (read: compiled code that is faster) compiler.

Meai10y ago

I dont quite understand what this is: Is it a linux distribution that can have a graphical interface like Gnome 3? My question is essentially: Is it more like Ubuntu or more like Docker?

oldsj10y ago

More like CoreOS

rgborn10y ago

Would very much like to see a comparison of Clear Containers and LXD. Would also like to know why Intel decided to do their own thing and not just help with the LXD project.

lqdc1310y ago

Unless I am not getting something, are the developers expected to manually compile everything that isn't in a bundle?

And then recompile again whenever a bundle gets updated?

mrmondo10y ago

Correct me if I'm wrong but shouldn't 'Cloud' have a lower case C if it's not a product?

MerkurOP10y ago

I didn't find very mutch information about it.. yet. :( anyone played with it?

zxcvcxz10y ago

Download link didn't work for me in firefox for some reason, had to paste the link:

https://download.clearlinux.org/

smegel10y ago

I am surprised they didn't go down the container route for OS updates like CoreOS. I think I like that approach.

philips10y ago

[1] https://github.com/coreos/rkt/blob/master/Documentation/deve...

frozenport10y ago

Would be cool if it built with ICC, like the old Linux DNA project.

j / k navigate · click thread line to collapse