Title: Light Weight Security Container
Technical Area: System Software
VMs (Virtual Machines) and containers are the two major OS isolation technologies in use today, and both are widely deployed in cloud data centers. In recent years especially, Docker, CoreOS, and Kubernetes have enabled DevOps adoption across almost all industries and company sizes, and the OCI ecosystem has become a very important industry standard.
Compared with a VM, a container has a big advantage in agility and performance, but it offers weaker security isolation and a larger fault domain. Because of these limitations, many cloud services have to build their infrastructure on containers that reside inside a VM for security reasons. This solution provides security and fault isolation as well as access to the container ecosystem, but compared with running containers on a bare-metal system it introduces significant cost and complexity in certain scenarios.
There are some well-known solutions that address the container isolation problem or the VM overhead problem. For example, OpenStack launched the Kata initiative, which aims to combine a container's agility with a VM's isolation. However, it still has the following drawbacks:
- Virtualization overheads, such as resource consumption and performance degradation, are still notable, and they significantly reduce container density.
- Resource sharing and scheduling for each container are not efficient enough.
We are looking for innovative solutions that improve the current container solutions used in our cloud services. We welcome the following research approaches:
1. Any new, breakthrough lightweight security container or sandbox solution that combines a container's agility with VM-like isolation.
2. Any innovative improvements to existing container solutions in the following aspects:
- Higher container density and lower resource consumption
- Lower container launch latency and better performance
- Efficient and reliable resource planning, sharing, scheduling, and overcommit
- Removal of redundant layers, keeping the data path simple enough to achieve a better performance-per-cost ratio
3. The research outputs may include, but are not limited to:
- At least one paper and one patent related to the research approaches above
- A product prototype serving as a proof of concept
Related Research Topics
USENIX 2012: Dune: Safe User-level Access to Privileged CPU Features
OpenStack Kata Containers: https://katacontainers.io