Research On Container-Oriented Kernel Resource Isolation Method

Posted on: 2024-04-20
Degree: Doctor
Type: Dissertation
Country: China
Candidate: K Wang
GTID: 1528307319962519
Subject: Computer system architecture

Abstract/Summary:

Containers have become a basic technology of cloud computing because of their fast startup, high performance and low footprint. However, containers on the same host share the hardware resources and the operating system kernel, which makes container isolation weak, results in performance degradation, security vulnerabilities and system crashes, and restricts the further development of containers. Most existing research on container isolation focuses on optimizing hardware resource isolation, while there is less research on kernel resource isolation. Existing kernel resource management methods do not fully consider the high deployment density of containers, resulting in fierce competition for kernel resources in container environments. As a result, kernel resource isolation is so weak that the performance and security of containers are affected.

Kernel resources can be divided into single access portal resources and multiple access portal resources, based on the way containers access them. A single access portal resource can be accessed by at most one container at any time. Existing methods cannot ensure that containers access single access portal resources, represented by kernel lock resources, in an orderly manner, resulting in intense resource competition. Multiple access portal resources can be accessed by multiple containers simultaneously. Consumable file system resources (including page cache, inode and fd) and the system log are two typical multiple access portal resources. Consumable file system resources are consumed by containers and their total amount is limited. Some containers may use a large amount of consumable file kernel resources, leaving only a small amount of system resources, which cannot meet the resource requests of other containers. Containers therefore suffer from unfair resource allocation. The system log contains containers' private information. Some containers may read important runtime information of other containers, causing security problems such as information leakage. Containers therefore suffer from lax privacy protection. Solving the above problems mainly involves optimizing kernel resource management methods, which requires designing resource isolation methods based on resource characteristics. To address the above problems, the study in this dissertation mainly includes the following three aspects.

To address the fierce competition for kernel lock resources, this dissertation proposes a kernel lock resource isolation method based on limiting system call frequency. This method can precisely control the system call frequency of containers and prevent containers from competing excessively for kernel lock resources, thus solving the problem of insufficient isolation of kernel lock resources. The method consists of a container identification mechanism based on the Pareto distribution and a resource management mechanism based on a supply and demand model. First, the container identification mechanism uses the Pareto distribution formed by the system call frequency of containers to divide containers into normal containers and dangerous containers. Second, the resource management mechanism tries to meet the resource requirements of normal containers to ensure good performance, and limits the resource access frequency of dangerous containers to enhance isolation. The experimental results show that, compared with the native Linux kernel, this method can reduce the competition for kernel lock resources between containers, resulting in an average 37.7% improvement in container performance.

To address the unfair allocation of consumable file system resources, this dissertation proposes a consumable file system resource isolation method based on the maximum quota model. The method sets a maximum quota of available resources for each container to ensure that a container cannot use resources beyond its maximum quota, thus solving the problem of insufficient isolation of consumable file system resources. This method consists of a page cache isolation mechanism and an inode and fd resource isolation mechanism. First, the page cache isolation mechanism accurately counts page cache usage to prevent free memory usage, and evicts the page cache as needed to reduce the performance impact caused by page eviction, achieving an efficient page cache usage strategy for containers. Second, the inode and fd resource isolation mechanism uses the maximum quota model to limit the maximum amount of inode and fd resources available to containers, preventing containers from using too many resources. The experimental results show that, compared with the native Linux kernel, this method can ensure a fair share of consumable file system resources between containers, bringing an average performance improvement of 54.25% for containers.

To address the lax privacy protection caused by containers sharing the system log, this dissertation proposes a system log isolation method based on log privatization. The method provides an independent system log service for each container, so that system logs are not shared between containers, thus solving the problem of insufficient isolation of the system log. This method consists of a log operation redirection mechanism and a private log management mechanism. First, the log operation redirection mechanism redirects each system log operation issued by a container to its corresponding private log for processing. Second, the private log management mechanism helps containers identify their private system log by mapping each container to its private log one to one, and provides the container with full life cycle management of the private log. The experimental results show that, compared with the native Linux kernel, this method effectively enhances the system log isolation and security of containers and improves the efficiency of log analysis by an average of 32% for containers.

In summary, the inefficiency of kernel resource isolation seriously affects the efficiency and security of containers. The kernel lock resource isolation method based on limiting system call frequency and the consumable file system resource isolation method based on the maximum quota model provide efficient resource use strategies for containers and optimize efficiency. The system log isolation method based on log privatization provides isolated system log services for containers and enhances the security of containers.

Keywords/Search Tags: Container, Kernel Resource, Isolation, Kernel Lock Resource, Page Cache, Inode, Fd, System Log