A fledgling open source project at Intel is wiping the slate clean in managing workloads in VMs, in containers, and on bare metal alike.
But don't think of it as direct competition for OpenStack -- yet. It's better seen as a new approach to a problem OpenStack tried to solve: Can software workload management be decoupled from what the workload is, where it runs, and what it needs?
Run one, run all
CIAO is split into three major components: controller, scheduler, and launcher. The controller provides all the top-level setting and policy enforcement around workloads, while the scheduler places workloads on available nodes.
The launcher is where things get interesting. It provides a common handler for workloads completely apart from where and how they're running. The differences between bare metal, VMs, and containers are abstracted away for the sake of the orchestrator -- and, by extension, for the sake of those deploying CIAO.
According to the Register, Intel's engineers chose this abstraction model because legacy workloads in enterprises tend to be a mix of bare metal and VMs, and they need to be handled as-is. It makes sense, both as an approach for handling existing work and as a future-proofing model. Containers may be hot right now, but there's nothing that says every app deployed from here on out will be in a container, as VMs and bare metal still have their place.
A clear dependency
CIAO also leverages Intel's recent security work. The compute nodes run atop Intel Clear Linux, devised to take advantage of hardware-level security features in Intel processors.
Clear Linux provides a higher level of isolation and optimization, especially in the multitenancy scenarios Intel imagines as common use cases for CIAO. But all this comes at the cost of being wedded to current and future generations of Intel processors.
On a practical level, this isn't a problem, given how Intel remains the default choice for most CPUs found in datacenters. But it's a potential thorn in the side for open source advocates -- being tied to one hardware vendor is generally a bad idea. (See also: Nvidia and CUDA.)
Some of the other security measures aren't as closed-ended. Communication between nodes in a CIAO setup, for instance, is all encrypted and protected by SSNTP. As another multitenancy security measure, each node automatically receives its own separate network.
Will the new repeat the old?
The vast majority of CIAO is a clean-slate implementation written in Go, but some pieces come from OpenStack itself. Keystone, OpenStack's identity service, also needs to be installed with any CIAO stack, not necessarily to provide cross-compatibility with OpenStack but to sensibly reuse valuable pieces of the project.
Where CIAO shows little improvement over OpenStack so far is in the setup process. It's a complex, multistage effort reminiscent of OpenStack at its sprawling and tangled worst.
In all fairness, that's normal for a project in its early stages, but for an effort that in part purports to be a ground-up rethink of OpenStack, it wouldn't hurt to avoid recapitulating one of the most egregious flaws.