Title: Light Weight Security Container

 

Technical Area: System Software

 

Background

VMs (virtual machines) and containers are the two most popular OS isolation technologies, and both are widely used in cloud data centers. In recent years especially, Docker, CoreOS, and Kubernetes have enabled DevOps adoption in almost all industries and company sizes, and the OCI ecosystem has become a very important industry standard.

 

Compared with VMs, containers have a big advantage in agility and performance, but they have security isolation issues and also create a bigger fault domain. Because of these limitations, many cloud services have to build their infrastructure on top of containers that reside in a VM for security reasons. This solution provides security and fault isolation as well as the container ecosystem, but compared with container solutions running on bare-metal systems, it introduces significant cost and complexity in certain scenarios.

 

There are some well-known solutions that address the container isolation or VM overhead problems. For example, OpenStack launched the Kata initiative, which aims to combine a container's agility with a VM's isolation. However, it still has the following drawbacks:

- Virtualization overheads, such as resource consumption and performance degradation, are still notable, and they significantly reduce container density.

- Resource sharing and scheduling across containers are not efficient enough.

 

Target

We are looking for innovative solutions that improve the current container solutions in our cloud services. We welcome the following research approaches.

1. Any new breakthrough lightweight security container or sandbox solutions that offer both a container's agility and VM-like isolation.

2. Any innovative improvements to existing container solutions in the following aspects,

3. The research outputs may include, but are not limited to,

 

Related Research Topics

- USENIX 12 Dune: Safe User-level Access to Privileged CPU Features

- OpenStack Kata Containers: https://katacontainers.io