Characterizing and optimizing Kernel resource isolation for containers
Department
Computer Science
Document Type
Article
Publication Date
4-1-2023
Abstract
Container-based virtualization has become increasingly popular as a lightweight alternative to hypervisor-based virtualization in cloud computing. Isolation is a fundamental property for consistent and reliable performance in a cloud environment. However, isolation between containers is much weaker than between virtual machines, because containers on the same host share a single underlying host kernel. Existing work has focused mainly on isolation problems at the physical-resource level (e.g. CPU) and has scarcely addressed kernel resources (e.g. locks). In this paper, we perform a study to quantify kernel resource isolation for containers with a new microbenchmark, KRIBench. We then describe the kernel resource isolation issues we observe and identify several kinds of kernel resource competition behind the poor isolation. Furthermore, we design and implement Valve, a general and flexible system that reduces kernel resource competition by limiting the usage of system calls. Valve adopts Pareto-based container identification to locate misbehaving containers and a supply-demand model to manage the usage of system calls. The evaluation results demonstrate that our system can effectively enhance kernel resource isolation for containers with negligible performance overhead.
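The abstract names two mechanisms, Pareto-based identification of misbehaving containers and a supply-demand model for system-call usage, without detailing either. The sketch below is added example code, not Valve's implementation, and it encodes one plausible reading of those two ideas: a container is "misbehaving" if it belongs to the smallest set of containers that together account for at least 80% of the system calls observed in a sampling window, and the host's per-window system-call supply is handed first to the well-behaved containers, with the remainder split among the flagged ones in proportion to their demand. The 80% cut, the window, the allocation rule, the container names and the per-container counts are all assumptions constructed for the example; the real Valve criteria may differ.

```python
"""Illustrative sketch of Pareto-based offender identification and
supply-demand system-call budgeting for co-located containers.
Added example code; not Valve's own implementation."""

# Constructed sample: system-call counts per container observed in one
# sampling window. These are made-up numbers, not measurements.
SAMPLE_WINDOW = {
    "web-1": 1_200,
    "web-2": 1_150,
    "batch-1": 48_000,   # noisy neighbour hammering the shared kernel
    "batch-2": 9_500,
    "cache-1": 2_300,
}

# Assumed host capacity: system calls the host is willing to serve per
# window. In practice this would be tuned from a benchmark such as KRIBench.
SUPPLY_PER_WINDOW = 20_000


def pareto_misbehaving(counts, share=0.8):
    """Return the smallest set of containers, heaviest first, whose system
    calls together reach at least `share` of the window total.

    Assumption: this cumulative-share (80/20) cut is our interpretation of
    "Pareto-based container identification"; the paper's criterion may differ.
    """
    total = sum(counts.values())
    if total == 0:
        return []
    flagged, running = [], 0
    for name, n in sorted(counts.items(), key=lambda kv: kv[1], reverse=True):
        flagged.append(name)
        running += n
        if running / total >= share:
            break
    return flagged


def allocate_syscall_budget(demand, supply, flagged):
    """Assign each container a per-window system-call quota.

    Unflagged containers are served in full (scaled down only if their
    combined demand alone exceeds the supply). Flagged containers share
    whatever supply remains, in proportion to their demand, so throttling
    lands on the offenders rather than on the containers they crowd out.
    Enforcement (delaying or denying calls beyond the quota) is out of
    scope here; this computes the quota only.
    """
    good = {n: d for n, d in demand.items() if n not in flagged}
    good_total = sum(good.values())
    quota = {}
    if good_total <= supply:
        quota.update(good)
        remaining = supply - good_total
    else:
        # Even the well-behaved set over-subscribes the host: scale it down
        # and leave nothing for the offenders this window.
        for n, d in good.items():
            quota[n] = d * supply // good_total
        remaining = 0
    flagged_total = sum(demand[n] for n in flagged)
    for n in flagged:
        quota[n] = demand[n] * remaining // flagged_total if flagged_total else 0
    return quota


def run_window(counts, supply):
    """One control-loop step: identify offenders, then budget the next window."""
    flagged = pareto_misbehaving(counts)
    return flagged, allocate_syscall_budget(counts, supply, flagged)


if __name__ == "__main__":
    flagged, quota = run_window(SAMPLE_WINDOW, SUPPLY_PER_WINDOW)
    print("flagged:", flagged)
    for name in SAMPLE_WINDOW:
        print(f"{name:8s} demand={SAMPLE_WINDOW[name]:6d} quota={quota[name]:6d}")
```

Running it on the constructed window flags `batch-1` and `batch-2` (together about 92% of the calls), leaves the three light containers at their full demand, and cuts the two offenders to roughly a quarter of what they asked for. A real controller would feed measured per-cgroup system-call rates into `run_window` each interval and enforce the quota at the system-call entry path.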
Journal Title
Future Generation Computer Systems
Journal ISSN
0167-739X
Volume
141
First Page
218
Last Page
229
Digital Object Identifier (DOI)
10.1016/j.future.2022.11.018