| Compared with traditional virtual machines, containers start fast and have a lower resource footprint, and they are increasingly widely used in cloud computing. However, containers are far less secure and isolated than virtual machines. The root cause is that multiple containers share the same operating system kernel and use the same system call interface that the kernel provides. Any container that corrupts the kernel through system calls may affect the normal execution of other containers and even the host. Existing system call filtering methods, which rely mainly on filters at the kernel level or on a user-mode kernel, impose significant performance overhead on the container. How to enhance the security of container system calls while introducing as little performance overhead as possible is an issue worthy of attention. The Linux System Call Virtualization for Container Environments aims to solve the above problems. The core of the design is to use kernel modules to virtualize system calls for containers. The kernel modules are loaded and unloaded by a modified runC runtime. Each kernel module independently implements a set of container system call code and generates an independent container system call table, which solves the problem that containers share a unified system call interface, eliminates the containers' dependence on the global system call table, and thereby enhances the security of container system calls. At the same time, the lightweight and flexible nature of kernel modules can effectively reduce the system's performance overhead. Experimental results show that the container system call table is transparent to the container, and the container's system calls can be processed normally without relying on the kernel's global system call table. A functional test using the system calls futex() and getpid() as examples returns correct results, proving the feasibility of the system call virtualization method. System call latency tests show that after system call virtualization is enabled, the container's system call latency increases by less than 4% at most. A performance test using the system call futex() as an example also shows that, compared with Docker containers, system call virtualization has less than 2% performance overhead. |
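The abstract describes a design in which every container dispatches through its own system call table rather than the kernel's global one. The following user-space model is an added illustration and is not the paper's kernel module code or its runC modification: the syscall numbers, the handlers, the `container_attach`/`container_detach` functions standing in for module load and unload, and the pid values are all constructed for the example. It shows the property the abstract relies on: a container's table is a private copy built only from the syscalls its module implements, so unloading one container's module or leaving a syscall unimplemented never affects another container's dispatch.

```c
/*
 * User-space model of per-container system call tables.
 * Added illustration, not the paper's kernel module code: the load/unload
 * hooks, syscall numbers and handlers below are constructed for the example.
 */
#include <stdio.h>
#include <stddef.h>
#include <errno.h>

#define NR_SYSCALLS 8                 /* slots in the toy table (assumption) */

typedef long (*syscall_fn)(int container_id, long arg);

/* Each container owns a complete table; dispatch never consults the global one. */
struct container {
    int id;
    int attached;                     /* 1 while its "kernel module" is loaded */
    syscall_fn table[NR_SYSCALLS];
};

/* Constructed syscall numbers for the model, not real Linux numbers. */
enum { SYS_GETPID = 0, SYS_FUTEX = 1, SYS_REBOOT = 2 };

static long sys_getpid(int cid, long arg)
{
    (void)arg;
    return 1000 + cid;                /* constructed: pid derived from container id */
}

static long sys_futex(int cid, long arg)
{
    (void)cid;
    return arg == 0 ? 0 : -EAGAIN;    /* constructed: 0 when the futex word matches */
}

static long sys_reboot(int cid, long arg)
{
    (void)cid; (void)arg;
    return 0;                         /* host-only operation; never given to containers */
}

/* Every slot a container's module does not implement lands here. */
static long sys_denied(int cid, long arg)
{
    (void)cid; (void)arg;
    return -ENOSYS;
}

/* The host kernel's global table, which containers must not depend on. */
static const syscall_fn global_table[NR_SYSCALLS] = { sys_getpid, sys_futex, sys_reboot };

/* Model of module load: build an independent table with only the listed syscalls. */
static void container_attach(struct container *c, int id, const int *implemented, size_t n)
{
    c->id = id;
    c->attached = 1;
    for (size_t i = 0; i < NR_SYSCALLS; i++)
        c->table[i] = sys_denied;
    for (size_t i = 0; i < n; i++) {
        int nr = implemented[i];
        if (nr >= 0 && nr < NR_SYSCALLS && global_table[nr] != NULL)
            c->table[nr] = global_table[nr];   /* private copy of the entry, not a reference */
    }
}

/* Model of module unload: the container's table reverts to deny-all. */
static void container_detach(struct container *c)
{
    c->attached = 0;
    for (size_t i = 0; i < NR_SYSCALLS; i++)
        c->table[i] = sys_denied;
}

/* Dispatch through the container's private table only, with a bounds check on nr. */
static long container_syscall(const struct container *c, int nr, long arg)
{
    if (nr < 0 || nr >= NR_SYSCALLS)
        return -ENOSYS;
    return c->table[nr](c->id, arg);
}

/* Walks the scenario; returns the number of checks that held (7 when all pass). */
int run_demo(void)
{
    struct container a, b;
    const int a_syscalls[] = { SYS_GETPID, SYS_FUTEX };
    const int b_syscalls[] = { SYS_GETPID };
    int ok = 0;

    container_attach(&a, 1, a_syscalls, 2);
    container_attach(&b, 2, b_syscalls, 1);
    ok += container_syscall(&a, SYS_GETPID, 0) == 1001;    /* a's table serves getpid */
    ok += container_syscall(&a, SYS_FUTEX, 0) == 0;        /* and futex */
    ok += container_syscall(&b, SYS_FUTEX, 0) == -ENOSYS;  /* b's module never implemented futex */
    ok += container_syscall(&a, SYS_REBOOT, 0) == -ENOSYS; /* host-only call absent from both */
    ok += container_syscall(&a, 99, 0) == -ENOSYS;         /* out-of-range number rejected */
    container_detach(&a);                                  /* unloading a's module ... */
    ok += container_syscall(&a, SYS_GETPID, 0) == -ENOSYS; /* ... removes a's syscalls */
    ok += container_syscall(&b, SYS_GETPID, 0) == 1002;    /* ... and leaves b untouched */
    return ok;
}

int main(void)
{
    printf("%d of 7 checks passed\n", run_demo());
    return 0;
}
```

The table copy in `container_attach` is the point of the model: because the container holds its own entries rather than a pointer into `global_table`, later changes to either the global table or another container's table cannot alter what this container dispatches to, which is the independence the abstract credits for the security gain.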