Orchestrated sandboxed containers, unikernels, and virtual machines for isolation‐enhanced multitenant workloads and serverless computing in cloud
Ilias Mavridis,Helen Karatza
DOI: https://doi.org/10.1002/cpe.6365
2021-05-24
Concurrency and Computation: Practice and Experience
Abstract: Containers have emerged as the prevalent virtualization technology in cloud computing. They are more lightweight and agile than traditional virtual machines (VMs) because they virtualize at the operating-system level, so every container on a host shares the host kernel. Specific factors drive container adoption in the cloud, but that shared kernel is also the main disadvantage of container-based virtualization: isolation is weak, since a kernel compromise from inside one container exposes every other tenant on the same host. To address isolation and security-related issues, new container runtimes have appeared. In this study we present and evaluate the most common security-oriented runtimes, Kata Containers, gVisor and Nabla, running under Docker, containerd and CRI-O. We deploy containers with each of these runtimes, and with the default runtime runc, both on a Kubernetes cluster and on a standalone Docker node. In a similar way, we deploy and evaluate unikernels and security-oriented lightweight Linux-based VMs on the Kubernetes cluster, and we also include the Firecracker microVM in the evaluation of container runtimes. To automate the deployment of highly isolated containers and VMs on Kubernetes clusters, we have developed our own tool. Finally, recognizing the growing interest in Function-as-a-Service and other serverless architectures, we have extended the Kubeless serverless framework to support security-oriented container runtimes.
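The mechanism Kubernetes offers for running a pod under one of the sandboxed runtimes named above is the RuntimeClass object, which maps a cluster-wide name to a runtime handler registered on the node. The manifests below are an added example, not the paper's tool or code from the Kata or gVisor projects. The handler names ("kata", "runsc"), the pod overhead values and the node label are assumptions that must match how the runtime shims were registered in the node's containerd or CRI-O configuration.

```yaml
# Added example: selecting a sandboxed runtime per pod via RuntimeClass.
# Assumptions: the nodes run containerd with a runtime named "kata"
# (shim io.containerd.kata.v2) and one named "runsc" (shim io.containerd.runsc.v1);
# nodes with Kata installed carry the label katacontainers.io/kata-runtime=true.
apiVersion: node.k8s.io/v1
kind: RuntimeClass
metadata:
  name: kata
handler: kata                     # must equal the runtime name in the containerd/CRI-O config
overhead:
  podFixed:                       # guest kernel and agent cost charged to the pod by the scheduler
    memory: "160Mi"               # assumed values; size them for your guest image
    cpu: "250m"
scheduling:
  nodeSelector:
    katacontainers.io/kata-runtime: "true"   # assumed label; keeps Kata pods off nodes without Kata
---
apiVersion: node.k8s.io/v1
kind: RuntimeClass
metadata:
  name: gvisor
handler: runsc                    # gVisor's OCI runtime binary is runsc
---
apiVersion: v1
kind: Pod
metadata:
  name: sandboxed-web
spec:
  runtimeClassName: kata          # switch to "gvisor" for a gVisor sandbox;
                                  # omit the line and the pod silently falls back to runc
  containers:
  - name: web
    image: nginx:1.25
    securityContext:
      allowPrivilegeEscalation: false   # the sandbox adds a boundary; it does not replace
      capabilities:                     # ordinary in-container hardening
        drop: ["ALL"]
```

A check worth running after `kubectl apply`: `kubectl exec sandboxed-web -- uname -r`. Under Kata this reports the guest kernel version and under gVisor the Sentry's emulated kernel version, neither of which equals the host's `uname -r`; under runc it matches the host exactly, which is how a misconfigured or missing RuntimeClass shows up. If the handler is not registered on the node, the pod never leaves ContainerCreating and `kubectl describe pod` names the handler in the event message, so a RuntimeClass is only as good as the node-side configuration it points at.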