Containers are in great demand because they are lightweight when compared to virtual machines. On the downside, containers offer weaker isolation than VMs, to the point where people run containers in virtual machines to achieve proper isolation. In this paper, we examine whether there is indeed a strict tradeoff between isolation (VMs) and efficiency (containers). We find that VMs can be as nimble as containers, as long as they are small and the toolstack is fast enough.

We achieve lightweight VMs by using unikernels for specialized applications and with Tinyx, a tool that enables creating tailor-made, trimmed-down Linux virtual machines. By themselves, lightweight virtual machines are not enough to ensure good performance since the virtualization control plane (the toolstack) becomes the performance bottleneck. We present LightVM, a new virtualization solution based on Xen that is optimized to offer fast boot-times regardless of the number of active VMs. LightVM features a complete redesign of Xen's control plane, transforming its centralized operation to a distributed one where interactions with the hypervisor are reduced to a minimum. LightVM can boot a VM in 2.3ms, comparable to fork/exec on Linux (1ms), and two orders of magnitude faster than Docker. LightVM can pack thousands of LightVM guests on modest hardware with memory and CPU usage comparable to that of processes.
Disciplines:
Computer science
Author, co-author:
Manco, Filipe; NEC Europe Ltd.
Lupu, Costin; University Politehnica Bucharest
Schmidt, Florian; NEC Europe Ltd.
Mendes, Jose; NEC Europe Ltd.
Kuenzer, Simon; Université de Liège - ULiège > Doct. sc. (info.)
Sati, Sumit; NEC Europe Ltd.
Yasukata, Kenichi; Université de Liège - ULiège > Dép. d'électric., électron. et informat. (Inst.Montefiore) > Systèmes informatiques répartis et sécurité
Raiciu, Costin; University Politehnica Bucharest
Huici, Felipe; NEC Europe Ltd.
Language:
English
Title:
My VM is Lighter (and Safer) than your Container
Publication date:
2017
Event name:
SOSP'17: ACM SIGOPS 26th Symposium on Operating Systems Principles
Event date:
from 28-10-2017 to 31-10-2017
Audience:
International
Main work title:
Proceedings of SOSP '17: ACM SIGOPS 26th Symposium on Operating Systems Principles
Peer reviewed:
Peer reviewed
European Projects:
H2020 - 671566 - SUPERFLUIDITY - Superfluidity: a super-fluid, cloud-native, converged edge system