
Research On Container-oriented Isolation For Operating System

Posted on: 2023-03-01
Degree: Doctor
Type: Dissertation
Country: China
Candidate: H Huang
GTID: 1528307043465074
Subject: Computer system architecture

Abstract/Summary:
As the ecosystem of OS-level virtualization advances, containers have become a viable alternative to virtual machines. A container shares the host's hardware resources and OS with the other containers on the same host, and obtains performance close to bare metal. However, because it lacks a virtual hardware abstraction and a guest OS, the container places higher demands on the isolation provided by the host OS. As containers are adopted in more and more fields, the problem of insufficient OS isolation becomes more prominent, mainly in three respects: first, resource view isolation is insufficient; second, module isolation is insufficient; third, thread isolation is insufficient. Solving these problems mainly involves optimizing OS isolation in the following three aspects.

To improve OS resource view isolation, a namespace-based resource view isolation method is proposed. It provides an isolated resource view for the container and helps applications in the container formulate correct resource usage strategies. The method consists of a resource view redirection mechanism and a resource namespace. First, the resource view redirection mechanism intercepts the container's resource view requests and redirects them to the resource namespace for processing. Second, the resource namespace is bound to the container for isolation and provides accurate resource information to the container based on the host load and the container's resource configuration. Experimental results show that the namespace-based resource view isolation method reduces the average execution time of all containers running on the host by up to 95%.

To improve OS module isolation, a module isolation method based on loading-process renaming is proposed. It provides isolated modules for the container and improves the efficiency of the container's access control. The method consists of a module loading and renaming mechanism and a virtualization-based access control module. First, the module loading and renaming mechanism loads and renames the access control module for the container, and binds the module entrance to the container for isolation. Second, the virtualization-based access control module virtualizes the critical kernel structures for the container and achieves efficient access control over system calls, functions, and files. Experimental results show that the system module isolation method based on loading-process renaming brings containers an average 24.2% improvement in system access throughput.

To improve OS thread isolation, a thread isolation method based on oversubscription awareness is proposed. It provides an isolated thread management method for the container and optimizes thread efficiency in oversubscription scenarios. The method consists of a thread isolation mechanism based on an oversubscription flag and an adaptive thread management method. First, the thread isolation mechanism adds an oversubscription flag to the container's control group and adjusts the flag dynamically. Second, the adaptive thread management method automatically detects the container's oversubscription flag and applies the best thread management method for the container. Experimental results show that the thread isolation method based on oversubscription awareness brings the container a 19x improvement in execution performance.

In summary, inefficient OS isolation seriously affects the use of containers. The namespace-based resource view isolation method provides an isolated resource view for the container to improve resource usage efficiency. The module isolation method based on loading-process renaming and the thread isolation method based on oversubscription awareness respectively provide an isolated access control module and an isolated thread management policy to improve system access and execution efficiency.
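The resource view problem described above (a container seeing the host's CPUs and memory rather than its own budget) can be illustrated from user space. The following is an added example, not code from the dissertation: it derives the container's effective resource view from the cgroup v2 files cpu.max and memory.max, whose contents are passed in as strings so the example runs offline; the sample values are constructed.

```python
"""Effective resource view for a container, derived from cgroup v2 limits.

Added example (not the dissertation's mechanism). Inside a container,
os.cpu_count() and /proc/meminfo report the host's resources, while the
container's real budget lives in its cgroup. The parsers below turn
cpu.max ("<quota> <period>" or "max <period>", microseconds) and
memory.max ("<bytes>" or "max") into the view an application should use.
"""
import math


def effective_cpus(cpu_max: str, host_cpus: int) -> int:
    """CPUs a container may actually use; "max" means no cgroup quota."""
    quota, period = cpu_max.split()
    if quota == "max":
        return host_cpus
    # A quota of 150000us per 100000us period is 1.5 CPUs; round up so a
    # thread pool is not starved, but never exceed the host's count.
    return max(1, min(host_cpus, math.ceil(int(quota) / int(period))))


def effective_memory_bytes(memory_max: str, host_bytes: int) -> int:
    """Memory a container may actually use; "max" means no cgroup limit."""
    value = memory_max.strip()
    if value == "max":
        return host_bytes
    return min(host_bytes, int(value))


def resource_view(cpu_max: str, memory_max: str,
                  host_cpus: int, host_bytes: int) -> dict:
    """Host view versus the container's effective view, side by side."""
    return {
        "host": {"cpus": host_cpus, "memory_bytes": host_bytes},
        "container": {
            "cpus": effective_cpus(cpu_max, host_cpus),
            "memory_bytes": effective_memory_bytes(memory_max, host_bytes),
        },
    }


if __name__ == "__main__":
    # Constructed sample: a 64-CPU, 256 GiB host running a container limited
    # to 1.5 CPUs and 2 GiB. On a real system the strings would be read from
    # /sys/fs/cgroup/cpu.max and /sys/fs/cgroup/memory.max, and the host
    # figures from os.cpu_count() and /proc/meminfo.
    print(resource_view("150000 100000", "2147483648", 64, 256 * 2**30))
```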
Keywords/Search Tags:Kernel, Container, Isolation, Resource View, Module, Access Control, Thread