Characterizing and optimizing Kernel resource isolation for containers

Authors

Kun Wang, Huazhong University of Science and Technology
Song Wu, Huazhong University of Science and Technology
Kun Suo, Kennesaw State University
Yijie Liu, Huazhong University of Science and Technology
Hang Huang, Huazhong University of Science and Technology
Zhuo Huang, Huazhong University of Science and Technology
Hai Jin, Huazhong University of Science and Technology

Department

Computer Science

Document Type

Article

Publication Date

4-1-2023

Abstract

Container-based virtualization has become increasingly popular as a lightweight alternative to hypervisor-based virtualization in cloud computing. Isolation is a fundamental property for consistent and reliable performance for cloud environment. However, the isolation between containers is much weaker than virtual machines as containers on the same host share one underlying host kernel. Existing works have mainly focused on the isolation problems at physical resources (e.g. CPU) level and almost not discussed with kernel resources (e.g. lock). In this paper, we perform a study to quantify kernel resource isolation for containers with a new microbenchmark, KRIBench. Then we describe kernel resource isolation issues and identify several kernel resources competition behind the poor isolation. Furthermore, we design and implement Valve, a general and flexible system that reduces kernel resources competition through limiting usage of system calls. Valve adopts Pareto-based container identification to locate misbehaving containers and supply–demand model to manage usage of system calls. The evaluation results demonstrate that our system can effectively enhance the kernel resource isolation for containers with negligible performance overhead.

Journal Title

Future Generation Computer Systems

Journal ISSN

0167739X

Volume

141

First Page

218

Last Page

229

Digital Object Identifier (DOI)

10.1016/j.future.2022.11.018