x containers breaking down barriers to improve
play

X-Containers: Breaking Down Barriers to Improve Performance and - PowerPoint PPT Presentation

May 21, 2023 •6 likes •266 views

X-Containers: Breaking Down Barriers to Improve Performance and Isolation of Cloud-Native Containers Zhiming Shen Cornell University Joint work with Zhen Sun, Gur-Eyal Sela, Eugene Bagdasaryan, Christina Delimitrou, Robbert Van Renesse, Hakim

  1. X-Containers: Breaking Down Barriers to Improve Performance and Isolation of Cloud-Native Containers Zhiming Shen Cornell University Joint work with Zhen Sun, Gur-Eyal Sela, Eugene Bagdasaryan, Christina Delimitrou, Robbert Van Renesse, Hakim Weatherspoon

  2. Software Containers 2

  3. Cloud-Native Container Platforms Img src: https://pivotal.io/cloud-native 3

  4. Cloud-Native Container Platforms • Single Concern Principle: Every container should address a single concern and do it well. • Making containers easier to o Replace, reuse, and upgrade transparently o Scale horizontally o Debug and troubleshoot Img src: https://pivotal.io/cloud-native 4

  5. The Problem Not allowed to install kernel modules Process Process Process Process Shared kernel attack surface and TCB Container Container namespaces cgroups SELinux Hard to tune or optimize Linux Kernel for a specific container Hardware 5

  6. Existing Solutions Isolation Customization VM Optimization Process Process Container Container Portability Linux Process Process Process Process gVisor Performance KVM Linux Linux Linux Container Clear gVisor Container Require nested hardware Ptrace mode: high overhead virtualization support in the cloud KVM mode: require nested virtualization 6

  7. X-Containers achieve • VM-level Isolation Customization • Support of Kernel Optimization • Support of Kernel • Good (without the need of hardware-assisted virtualization) Portability • High Performance AND • Backward Compatibility 7

  8. X-Containers Container Container Process Process Process Process User mode OS Kernel OS Kernel Kernel mode 8

  9. X-Containers Container Container Process Process Process Process OS Kernel OS Kernel User mode Exokernel Kernel mode 9

  10. X-Containers Container Container Process Process Process Process OS Kernel OS Kernel User mode Exokernel Kernel mode 10

  11. X-Containers X-Container X-Container Process Process Process Process X-LibOS X-LibOS User mode X-Kernel Kernel mode 11

  12. X-Containers • A new security paradigm for cloud-native containers VM X-Container Process Process Container Container Process Process Linux Process Process Process Process gVisor X-LibOS KVM Linux Linux Linux X-Kernel Clear gVisor Container X-Container Container • X-Kernel: an exokernel with a small attack surface and TCB • X-LibOS: a LibOS that decouples security isolation from the process model 12

  13. Threat Model and Design Trade-offs • Threat model X-Container X-Container X-Container Process Process Process Process Process Process X-LibOS X-LibOS X-LibOS X-Kernel • Trade-offs • Reduced intra-container isolation • Improved inter-container isolation and performance • Process isolation and kernel-supported security features are not effective 13

  14. Implementation • X-LibOS from Linux kernel • Binary compatibility • Highly customizable X-Container X-Container X-Container • X-Kernel from Xen Process Process Process Process Process Process • Para-virtualization interface X-LibOS X-LibOS X-LibOS User mode • Concurrent multi-processing • Limitations X-Kernel Kernel mode • Memory management • Spawning time 14

  15. Optimizing System Calls • Existing solutions • Patch source code X-Container System calls Function calls • Link to another library Process Process • Our solution • Automatic Binary Optimization X-LibOS User Mode Module (ABOM) • Binary level equivalence Kernel Mode X-Kernel • Position-independence For many applications, more than 90% of syscalls are turned into function calls 15

  16. Evaluation Setup • Testbed • Amazon EC2 • Google Compute Engine • Compared container runtimes • Docker • gVisor (Ptrace in Amazon, and KVM in Google) • Clear-Container (only in Google) • Xen-Container • X-Container • Configurations • Patched for Meltdown 16

  17. System Call Performance Up to 27X of Docker (patched) and 30 1.6X of Clear-Container Normalized Performance 25 20 15 10 5 0 Amazon Google Docker Clear-Container gVisor Xen-Container X-Container 17

  18. Real Application Performance Memcached NGINX 1.21x~1.27x 2.64x~3.08x 1.5 4 Normalized Throughput 1 2 0.5 0 0 Amazon Google Amazon Google Redis Apache 1x~1.2x 0.64x~0.72x 1.5 1.5 1 1 0.5 0.5 0 0 Amazon Google Amazon Google 18

  19. Spawning Time and Memory Footprint Spawning Time Memory Footprint 30 5 25 Memory Footprint (MB) 0.29 4 2.10 0.28 20 Free 3 Time (S) 8.80 User Program X-LibOS 15 X-LibOS Booting 2 Extra 3.66 Xen Tool Stack 10 micropython 11.16 1 0.29 5 0.28 3.56 0.56 0.46 1.93 1.00 0 0 Docker X-Container X-Container' Docker X-Container Reduced to 460ms. Can be further reduced to <10ms. 19

  20. More Evaluations in the Paper • More micro/macro benchmarks • Patched and unpatched for Meltdown • Comparing to Unikernel and Graphene • Scalability (up to 400 containers on a single host) 20

  21. Conclusion • X-Containers: a new security paradigm for isolating single-concerned cloud-native containers • X-Kernel: an exokernel with a small attack surface and TCB • X-LibOS: A LibOS that decouples security isolation from the process model • Trade-off: intra-container isolation vs. inter-container isolation • Implemented with Xen and Linux • Binary compatibility • Concurrent multi-processing • More at http://x-containers.org Thank You. Questions? 21

  22. Backup Slides 22

  23. Pros and Cons of the X-Container Architecture Container gVisor Clear-Container LightVM X-Container Inter-container isolation Poor Good Good Good Good System call performance Limited Poor Limited Poor Good Portability Good Good Limited Good Good Compatibility Good Limited Good Good Good Intra-container isolation Good Good Good Good Reduced Memory efficiency Good Good Limited Limited Limited Spawning time Short Short Moderate Moderate Moderate Software licensing Clean Clean Clean Clean Need discussion 23

  24. Comparing Isolation Boundaries X-Container VM VM Process Process Container Process Process Process Process Process Process LibOS X-LibOS Process Kernel LibOS L4Linux Process Hypervisor Microkernel Exokernel X-Kernel Kernel Kernel Hypervisor Process Virtual Unikernel, Dune, L4Linux Library OS X-Container Container Machine EbbRT, OS v (Microkernel) (Exokernel) 24

  25. Automatic Binary Optimization Module (ABOM) 00000000000eb6a0 <__read>: eb6a9: b8 00 00 00 00 mov $0x0,%eax eb6ae: 0f 05 syscall 7-Byte Replacement (Case 1) 00000000000eb6a0 <__read>: eb6a9: ff 14 25 08 00 60 ff callq *0xffffffffff600008 000000000007f400 < syscall.Syscall>: 7f41d: 48 8b 44 24 08 mov 0x8(%rsp),%eax 7f422: 0f 05 syscall 7-Byte Replacement (Case 2) 000000000007f400 < syscall.Syscall>: 7f41d: ff 14 25 08 0c 60 ff callq *0xffffffffff600c08 0000000000010330 <__restore_rt>: 10330: 48 c7 c0 0f 00 00 00 mov $0xf,%rax 10337: 0f 05 syscall 9-Byte Replacement (Phase-1) 0000000000010330 <__restore_rt>: 10330: ff 14 25 80 00 60 ff callq *0xffffffffff600080 10337: 0f 05 syscall 9-Byte Replacement (Phase-2) 0000000000010330 <__restore_rt>: 10330: ff 14 25 80 00 60 ff callq *0xffffffffff600080 25 10337: eb f7 jmp 0x10330

  26. The Exokernel Approach • Separating protection and management Process Process Process Process Library OS Library OS Operating System Kernel Exokernel Hardware Hardware Monolithic OS Kernel Exokernel 26

Recommend

Best Practices From Across The Country Morning Session 2014 NCWBA Summit Breaking Barriers

Best Practices From Across The Country Morning Session 2014 NCWBA Summit Breaking Barriers

Breaking Barriers &amp; Building Bridges Best Practices From Across The Country Morning Session 2014 NCWBA Summit Breaking Barriers &amp; Building Bridges Programs/Practices to Break Barriers or Build Bridges Division for Bar Services of

491 views • 20 slides
Breaking Down the Barriers: The Steps to Getting New Innovation Into the U.S. Transportation

Breaking Down the Barriers: The Steps to Getting New Innovation Into the U.S. Transportation

Breaking Down the Barriers: The Steps to Getting New Innovation Into the U.S. Transportation Construction Market 2015 ARTBA TransOvation Panel Jeff Milton Bridge Preservation Specialist Overview of Virginia (VDOT) Practices for New Materials

347 views • 5 slides
Breaking Down Barrie iers Asya Choudry Genetic Counsellor Community Engagement Manager for

Breaking Down Barrie iers Asya Choudry Genetic Counsellor Community Engagement Manager for

Breaking Down Barrie iers Asya Choudry Genetic Counsellor Community Engagement Manager for Breaking Down Barriers BREAKING DOWN BARRIERS WORKSHOP, BIRMINGHAM, SEPTEMBER 2018 Introduction Passion for Genetic Counselling GOSH/UCLH

125 views • 10 slides
1 Breaking Barriers with HTML 5 Communication How to enable a stateful Web 2 Challenge If

1 Breaking Barriers with HTML 5 Communication How to enable a stateful Web 2 Challenge If

1 Breaking Barriers with HTML 5 Communication How to enable a stateful Web 2 Challenge If we were not restricted by the traditional limitations of HTTP, what type of Web applications would we build? 3 Speakers Jonas Jacobi

618 views • 35 slides
Dreaming of Inclusion Breaking Down Barriers to Library Work for People with Disabilities

Dreaming of Inclusion Breaking Down Barriers to Library Work for People with Disabilities

Dreaming of Inclusion Breaking Down Barriers to Library Work for People with Disabilities Overview Workplace barriers for people with disabilities Ways to provide support Workplace accommodation Question 1: Which of these have a

303 views • 28 slides
Breaking down non-cost barriers to technology adoption is critical for the transport-energy

Breaking down non-cost barriers to technology adoption is critical for the transport-energy

Breaking down non-cost barriers to technology adoption is critical for the transport-energy transformation International BE4 Workshop London, UK April 20-21, 2015 David McCollum , Keywan Riahi, Volker Krey (IIASA) Charlie Wilson, Hazel

749 views • 32 slides
Breaking Barriers to Criminal Justice Transformation - Opportunities and Risks for Devolution

Breaking Barriers to Criminal Justice Transformation - Opportunities and Risks for Devolution

Westminster Legal Policy Forum Keynote Seminar: Next steps for the devolution of criminal justice service transformation, new partnerships and meeting local needs Breaking Barriers to Criminal Justice Transformation - Opportunities and

252 views • 7 slides
Topics TRANSITION ONE MEMBER, ONE VOTE BREAKING THROUGH BARRIERS AWARD NEW RESEARCH: Why So

Topics TRANSITION ONE MEMBER, ONE VOTE BREAKING THROUGH BARRIERS AWARD NEW RESEARCH: Why So

Topics TRANSITION ONE MEMBER, ONE VOTE BREAKING THROUGH BARRIERS AWARD NEW RESEARCH: Why So Few? THINGS TO WATCH FOR ADDITIONAL INFORMATION 1 TRANSITION 2 Transition Highlights Mission Expanded: AAUW advances equity for women and girls

687 views • 31 slides
Breaking Down Barriers to the Sharing of Behavioral Health Information Ch Chri rist sty A

Breaking Down Barriers to the Sharing of Behavioral Health Information Ch Chri rist sty A

Breaking Down Barriers to the Sharing of Behavioral Health Information Ch Chri rist sty A Avery ry, Client Service Manager Nich chola olas P s Pry rys, Behavioral Health Care Consultant October 2, 2019 DI DISC SCLAI LAIME MER By

984 views • 46 slides
BREAKING TRADITIONAL WORK BARRIERS THROUGH ADAPTATION. was founded to serve the demand for high

BREAKING TRADITIONAL WORK BARRIERS THROUGH ADAPTATION. was founded to serve the demand for high

BREAKING TRADITIONAL WORK BARRIERS THROUGH ADAPTATION. was founded to serve the demand for high quality translation in large volumes; a one stop language shop. adapts to their requirements by offering an alternative work-from-home and training

574 views • 7 slides
Breaking Ground and Barriers: COMMUNITY LEADERSHIP CENTER Building a Legacy of Excellence Gloria

Breaking Ground and Barriers: COMMUNITY LEADERSHIP CENTER Building a Legacy of Excellence Gloria

Breaking Ground and Barriers: COMMUNITY LEADERSHIP CENTER Building a Legacy of Excellence Gloria Bonilla-Santiago Ph.D., Board of Governors Distinguished Service Professor of the Graduate Department of Public Policy and Administration at

622 views • 35 slides
BREAKING DOWN THE BARRIERS TO EFT/ERA March 1, 2016 Chris Bruns, Head of Product Development for

BREAKING DOWN THE BARRIERS TO EFT/ERA March 1, 2016 Chris Bruns, Head of Product Development for

BREAKING DOWN THE BARRIERS TO EFT/ERA March 1, 2016 Chris Bruns, Head of Product Development for MedInformatix/President of Healthcare Administrative Technology Association (HATA) Tim McMullen, JD, CAE, Executive Director of Healthcare

585 views • 20 slides
Breaking the Barriers: supporting and engaging mature age first-in-family university learners

Breaking the Barriers: supporting and engaging mature age first-in-family university learners

Breaking the Barriers: supporting and engaging mature age first-in-family university learners and their families Dr Sarah O Shea Dr Cathy Stone A/Prof Josephine May Who we are Dr Sarah O Shea School of Education, Faculty of Social

415 views • 23 slides
Breaking Down Barriers: Achieving Real Board Diversity and Inclusion June 7, 2018 ArtsFunds

Breaking Down Barriers: Achieving Real Board Diversity and Inclusion June 7, 2018 ArtsFunds

Breaking Down Barriers: Achieving Real Board Diversity and Inclusion June 7, 2018 ArtsFunds convenings series is sponsored by The Boeing Company 1 Rena Henderson Mason Board Development Strategic Planning Executive Coaching

389 views • 20 slides
S7750 - THE MAKING OF DGX SATURNV: BREAKING THE BARRIERS TO AI SCALE Presenter: Louis Capps,

S7750 - THE MAKING OF DGX SATURNV: BREAKING THE BARRIERS TO AI SCALE Presenter: Louis Capps,

S7750 - THE MAKING OF DGX SATURNV: BREAKING THE BARRIERS TO AI SCALE Presenter: Louis Capps, Solution Architect, NVIDIA, lcapps@nvidia.com A TALE OF ENLIGHTENMENT Basic OK 1 FPS List 10 for x = 1 to 3 20 print x 30 next x Run 1 1 2 2

743 views • 24 slides
Session Abstract Breaking Asset Tracking Cost Barriers with IoT Technology What if you could track

Session Abstract Breaking Asset Tracking Cost Barriers with IoT Technology What if you could track

Session Abstract Breaking Asset Tracking Cost Barriers with IoT Technology What if you could track and recover any supply chain asset a crate, a pallet, even an envelope, and do so cost efficiently? In the age of digitization, this is now a

177 views • 16 slides
Breaking Through the Barriers to GPU Accelerated Monte Carlo Particle Transport GTC 2018 Jeremy

Breaking Through the Barriers to GPU Accelerated Monte Carlo Particle Transport GTC 2018 Jeremy

Breaking Through the Barriers to GPU Accelerated Monte Carlo Particle Transport GTC 2018 Jeremy Sweezy Scientist Monte Carlo Methods, Codes and Applications Group 3/28/2018 Operated by Los Alamos National Security, LLC for the U.S.

639 views • 29 slides
Breaking Down Barrie iers Monitoring &amp; Evaluation Oscar Bingham, Consultant (M&amp;E)

Breaking Down Barrie iers Monitoring &amp; Evaluation Oscar Bingham, Consultant (M&amp;E)

Breaking Down Barrie iers Monitoring &amp; Evaluation Oscar Bingham, Consultant (M&amp;E) BREAKING DOWN BARRIERS WORKSHOP, BIRMINGHAM, SEPTEMBER 2018 Reminder: Why are we evaluating BDB? To highlight the good work of member organisations

454 views • 13 slides
Containers can actually improve your security story(!) Maya Kaczorowski, Google Cloud June 12

Containers can actually improve your security story(!) Maya Kaczorowski, Google Cloud June 12

Containers can actually improve your security story(!) Maya Kaczorowski, Google Cloud June 12 2019 Maya Kaczorowski Security PM, Google Cloud @MayaKaczorowski Objection: My security team is opposed to containers and Kubernetes 3

649 views • 41 slides
Breaking the Barriers Teach What Matters Alpha M. Sanford K-12 Special Education Coordinator

Breaking the Barriers Teach What Matters Alpha M. Sanford K-12 Special Education Coordinator

Breaking the Barriers Teach What Matters Alpha M. Sanford K-12 Special Education Coordinator Randolph Public Schools Co- founder, The Teachers Gallery Alpha Sanford My Why? Alpha Sanford My BIGGEST Why? Alpha Sanford Recap: SPED

772 views • 49 slides
BREAKING BARRIERS AIRLINES FLIGHT DATA MONITORING A PILOTS PERSPECTIVE Session 9

BREAKING BARRIERS AIRLINES FLIGHT DATA MONITORING A PILOTS PERSPECTIVE Session 9

IASS 2019 - TAIPEI Flight Safety | Pilot Training BREAKING BARRIERS AIRLINES FLIGHT DATA MONITORING A PILOTS PERSPECTIVE Session 9 Pilot Training - Capt. Bertrand de Courville FDM/FOQA DATA WHO ARE THE OWNERS? WHO ARE THE

675 views • 19 slides
Breaking the Barriers The Lynas Story Diggers and Dealers Mining Forum Amanda Lacaze Managing

Breaking the Barriers The Lynas Story Diggers and Dealers Mining Forum Amanda Lacaze Managing

Breaking the Barriers The Lynas Story Diggers and Dealers Mining Forum Amanda Lacaze Managing Director and CEO 2 August 2016 Disclaimer This Presentation has been prepared by Lynas Corporation Limited (ABN 27 009 066 648) (Lynas or the

248 views • 22 slides
Unprivileged Containers Jess Frazelle, @jessfraz How do containers help security? Containers are

Unprivileged Containers Jess Frazelle, @jessfraz How do containers help security? Containers are

Unprivileged Containers Jess Frazelle, @jessfraz How do containers help security? Containers are not going to be the answer to preventing your application from being compromised, but they can limit the damage from a compromise. How do

823 views • 25 slides
Breaking Down Barrie iers Workshop 19 th th &amp; 20 th th September 2018 19 KERRY

Breaking Down Barrie iers Workshop 19 th th &amp; 20 th th September 2018 19 KERRY

Breaking Down Barrie iers Workshop 19 th th &amp; 20 th th September 2018 19 KERRY LEESON-BEEVERS &amp; ASYA CHOUDRY BREAKING DOWN BARRIERS WORKSHOP, BIRMINGHAM, SEPTEMBER 2018 House Keeping Fire drill Assembly Point Toilets

587 views • 20 slides

More recommend