Xing Gao,Zhongshu Gu,Zhengfa Li,Hani Jamjoom,Cong Wang

DOI: https://doi.org/10.1145/3319535.3354227

2019-01-01

Abstract:Linux Control Groups, i.e., cgroups, are the key building blocks to enable operating-system-level containerization. The cgroups mechanism partitions processes into hierarchical groups and applies different controllers to manage system resources, including CPU, memory, block I/O, etc. Newly spawned child processes automatically copy cgroups attributes from their parents to enforce resource control. Unfortunately, inherited cgroups confinement via process creation does not always guarantee consistent and fair resource accounting. In this paper, we devise a set of exploiting strategies to generate out-of-band>workloads via de-associating processes from their original process groups. The system resources consumed by such workloads will not be charged to the appropriate cgroups. To further demonstrate the feasibility, we present five case studies within Docker containers to demonstrate how to break the resource rein of cgroups in realistic scenarios. Even worse, by exploiting those cgroups' insufficiencies in a multi-tenant container environment, an adversarial container is able to greatly amplify the amount of consumed resources, significantly slow-down other containers on the same host, and gain extra unfair advantages on the system resources. We conduct extensive experiments on both a local testbed and an Amazon EC2 cloud dedicated server. The experimental results demonstrate that a container can consume system resources (e.g., CPU) as much as $200\times$ of its limit, and reduce both computing and I/O performance of particular workloads in other co-resident containers by 95%.

Dong ZHANG,Jun-jie GUO,Chun-ming WU

DOI: https://doi.org/10.3969/j.issn.0372-2112.2017.03.027

2017-01-01

Abstract:Software defined networking (SDN) is a style of computer networking that separates the control plane from the data plane,shifting the control plane to a centralized controller in order to achieve network flexibility and openness.The controller placement is a key prerequisite to successful SDN.The current study examines the hierarchically distributed control plane controller placement problem,utilizing a multi-level k-way switch partition algorithm to divide large scale network topology.We also fix the traditional SDN controller placement problem,changing zoning and intra-domain controller placement by reducing the edge-cut in order to lower the number of inter-domain flows.Simulation results show that the multilevel k-way switch partition algorithm can effectively reduce control flow overhead and flow set-up time,compared with the other traditional algorithms.

Deze Zeng,Lin Gu,Quan Chen,Yu Lei

DOI: https://doi.org/10.1109/iwqos57198.2023.10188758

2023-01-01

Abstract:To enable inter-container communication of services on different hosts, container overlay network, the most widely used container network mode, provides a layer of virtual network between containers to transparent the physical device heterogeneous. However, overlay network produces two-layered packet encapsulation, and current container network management system cannot identify the source containers from the two-layered encapsulated packets or control the network traffics of different services. To tackle this issue, a traffic control system for container overlay networks (CONTC) is proposed and implemented by redesigning the packets processing procedure in overlay network model, enabling accurate network packet identification, multi-level network resource management and user-centric customized control. Extensive experiment results are conducted on different system settings and practical service cases to show that CONTC can provide accurate network traffic control for data flows with different network protocols and different packet sizes at both the service level and the container level. The results based on open-source microservice benchmarks also validate the correctness and effectiveness of CONTC by reducing the tail latency of single-service and multi-service environments by 37.53% and 22.33%, respectively.

Baohua Zhao,Zhihao Wang,Ningyu An,Chunhui Ren

DOI: https://doi.org/10.1088/1742-6596/1871/1/012016

2021-01-01

Journal of Physics Conference Series

Abstract:Container technology has a series of advantages such as low physical resource consumption, fast startup speed, high concurrency, and can run in a variety of environments. It is widely used in scenarios such as big data and cloud computing. Container technology has certain advantages in performance, but there are some shortcomings in security. The container technology shares the kernel with the host, and its security mainly depends on the host. Once the attacker breaks through the host’s defense, he can easily access the files deployed in the container, steal or tamper with the file data, and cause losses to users and users. In response to the above problems, this paper proposes a container-oriented isolation control technology, which realizes further isolation of files inside the container by adding domain names to programs and files. If the program domain name matches the file part, the files in the current container cannot be accessed, and the security of the files in the container can be effectively ensured after the host is compromised.

Xiaohui Luo,Fengyuan Ren,Tong Zhang

DOI: https://doi.org/10.1007/978-3-030-03596-9_4

2018-01-01

Abstract:Containerized microservices have become popular for building systems using simple, lightweight, loosely coupled services. Due to replacing the monolithic application with multiple microservices, inner function calls become inter-microservice communications, which increases the network pressure. However, the networking of containerized microservice built on the kernel that is inefficient. In this paper, we propose DockNet, a high-performance userspace networking solution for containerized microservices. We (1) leverage DPDK and customized LwIP as the high-performance data plane and TCP/IP stack, respectively. (2) introduce a master-slave threading model to decouple execution and management. (3) adopt namespace mechanism to control the access of microservices to data planes and employ timer-based rate limiters to achieve performance isolation. (4) construct fast channels between partner microservices to improve network performance further. In our various experiments, DockNet shows over (4.2times , 4.3times , 5.5times ) of higher performance compared with existing networking solutions - kernel bridge, Open vSwitch and SR-IOV, respectively.

Qinlu He,Fan Zhang,Genqing Bian,Weiqi Zhang,Zhen Li,Dongli Duan

DOI: https://doi.org/10.1007/s10586-022-03731-y

2022-09-16

Cluster Computing

Abstract:Cloud computing platform is a data-centric architecture, which utilize virtualization resource scheduling technology to integrate and distribute the processing power of distributed server cluster and other network devices distributed over the network, and uses service-oriented architecture to provide users with highly reliable, highly available, and efficient application data services. Although the cloud platform application based on various requirements has become a research hotspot in cloud computing technology, in some high Real-time requirements application scenarios, the research on how to guarantee the real time performance of cloud platform is few. Compared to traditional resource virtualization such as CPU and memory, Docker only provides a small portion of network resource virtualization. The four network modes provided by Docker officially have a single function, which makes it very difficult to apply to cloud platform scenarios with complex network bandwidth requirements and high real-time requirements. Based on Docker's traditional NAT communication method, this paper proposes a network virtualization solution based on SDN and Docker containers. Through comparison experiments, it is proved that the scheme can guarantee the Real-time performance of the container cloud platform.

computer science, information systems, theory & methods

Zhifeng Zhao,Feng Hong,Rongpeng Li

DOI: https://doi.org/10.1109/ACCESS.2017.2762362

IF: 3.9

2017-01-01

IEEE Access

Abstract:Nowadays, cloud computing networks significantly benefit the deployment of new services and have become one infrastructure provider in the digital society. The virtual extensible local area network (VxLAN), which belongs to the network schemes to overlay Layer 2 over Layer 3, is one of the most popular methods to realize cloud computing networks. Though VxLAN partially overcomes the capacity limitation of its predecessor virtual local area network, it still faces several challenges like annoying signaling overhead during the multicast period and interrupted communication with a migrating virtual machine (VM). In this paper, we propose a new software defined network (SDN) based VxLAN network architecture. Based on this architecture, we address how we can deploy an intelligent center to enhance the multicast capability and facilitate the VM migration. Besides, we discuss the means to update the global information and guarantee the communication continuum. Finally, we use Mininet to emulate this SDN based VxLAN architecture and demonstrate effective load balancing results. In a word, this proposed architecture could provide a blueprint for future cloud computing networks.

Yutian Yang,Wenbo Shen,Bonan Ruan,Wenmao Liu,Kui Ren

DOI: https://doi.org/10.1109/tpsisa52974.2021.00016

2021-01-01

Abstract:In recent years, containerization has become a major trend in the cloud due to its high resource utilization efficiency and convenient DevOps support. However, the complexity of container system also introduces attack surfaces. This paper aims to summarize security challenges in the container cloud. In particular, we first divide the whole container system into different layers according to their functionalities, including the kernel layer, the container layer, and the orchestration layer. We then summarize security-related technologies. After that, we discuss the security challenges for each layer. Finally, we present the current protection status for the container system and highlight future research directions. Our study shows that to improve the container cloud security, we need to design and implement more robust kernel isolation mechanisms, conduct systematic and thorough security analysis on existing container techniques, and develop comprehensive configuration checking tools.

Liang Lv,Yuchao Zhang,Yusen Li,Ke Xu,Dan Wang,Wendong Wang,Minghui Li,Xuan Cao,Qingqing Liang

DOI: https://doi.org/10.1109/jsac.2019.2895473

IF: 16.4

2019-01-01

IEEE Journal on Selected Areas in Communications

Abstract:Containerization has been used in many applications for isolation purposes due to its lightweight, scalable, and highly portable properties. However, to apply containerization in large-scale Internet data centers faces a big challenge. Services in data centers are always instantiated as a group of containers, which often generate heavy communication workloads and therefore resulting in inefficient communications and downgraded service performance. Although assigning the containers of the same service to the same server can reduce the communication overhead, this may cause heavily imbalanced resource utilization since containers of the same service are usually intensive to the same resource. To reduce communication cost as well as balance the resource utilization in large-scale data centers, we further explore the container distribution issues in a real industrial environment and find that such conflict lies in two phases-container placement and container reassignment. The objective of this paper is to address the container distribution problem in these two phases. For the container placement problem, we propose an efficient communication aware worst fit decreasing algorithm to place a set of new containers into data centers. For the container reassignment problem, we propose a two-stage algorithm called Sweep&Search to optimize a given initial distribution of containers by migrating containers among servers. We implement the proposed algorithms in Baidu's data centers and conduct extensive evaluations. Compared with the state-of-the- art strategies, the evaluation results show that our algorithms perform better up to 70% and increase the overall service throughput up to 90% simultaneously.

Yuchao Zhang,Yusen Li,Ke Xu,Dan Wang,Minghui Li,Xuan Cao,Qingqing Liang

DOI: https://doi.org/10.1109/ICDCS.2017.10

2017-01-01

Abstract:Containers have been used in many applications for isolation purposes due to the lightweight, scalable and highly portable properties. However, to apply containers in virtual network functions (VNFs) faces a big challenge because high-performance VNFs often generate frequent communication workloads among containers while the container communications are generally not efficient. Compared with hardware modification solutions, properly distributing containers among hosts is an efficient and low-cost way to reduce communication overhead. However, we observe that this approach yields a trade-off between the communication overhead and the overall throughput of the cluster. In this paper, we focus on the communication-aware container re-distribution problem to optimize the communication overhead and the overall throughput jointly for VNF clusters. We propose a solution called FreeContainer which utilizes a novel two-stage algorithm to re-distribute containers among hosts. We implement FreeContainer in Baidu clusters with 6000 servers and 35 services deployed. Extensive experiments on real networks are conducted to evaluate the performance of the proposed approach. The results show that FreeContainer can increase the overall throughput up to 90% with significant reduction on communication overhead.

Xinxing Zhang,Hongri Liu,Bailing Wang,Junheng Huang,Xixian Han

DOI: https://doi.org/10.1109/iccsn.2017.8230265

2017-01-01

Abstract:Real network traffic is mostly generated by an interactive session between applications, thus we feel that there is a strong demand for a solution capable to reproduce these interactive application workloads. For this purpose, we propose a new strategy for generating realistic network traffic and interactive application workloads using container technology. In this article, we also demonstrate why light-weight container technology is chosen in our strategy compared with virtual machines, which also are widely used in virtualization. Finally, we present some experimental results gathered in the prototype system we have implemented.

Kun Qiu,Renlong Tu,Siyuan Huang,Jin Zhao,Xin Wang

DOI: https://doi.org/10.1109/iwqos.2015.7404728

2015-01-01

Abstract:OpenFlow has been widely used in Software Defined Networking (SDN) to customize data plane behaviors through policies given by a logically centralized controller. The centralized control plane design brings the potential of simplifying network management, but it also raises scalability concern for large-scale networks. In this paper, we aim to build a highly scalable and flexible OpenFlow control plane. We propose the design and implementation of cCluster, which leverage the parallelism of cluster to balance the control plane load. Compared with existing solutions, cCluster can achieve better scalability, and can enable elastic management. We evaluated the scalability and response time of cCluster using Mininet, and our results show that cCluster can serve thousands of flow entries simultaneously, with only slightly latency penalty.

Yang Zhao,Nai Xia,Chen Tian,Bo Li,Yizhou Tang,Yi Wang,Gong Zhang,Rui Li,Alex X. Liu

DOI: https://doi.org/10.1145/3094405.3094406

2017-01-01

Abstract:Container networking is now an important part of cloud virtualization architectures. It provides network access for containers by connecting both virtual and physical network interfaces. The performance of container networking has multiple dependencies, and each factor may significantly affect the performance. In this paper, we perform systematic experiments to study the performance of container networking technologies. For every measurement result, we try our best to qualify influencing factors.

Xinjie Guan,Xili Wan,Baek-Young Choi,Sejun Song,Jiafeng Zhu

DOI: https://doi.org/10.1109/lcomm.2016.2644658

IF: 3.5529

2017-03-01

IEEE Communications Letters

Abstract:Docker offers an opportunity for further improvement in data centers' (DCs) efficiency. However, existing models and schemes fall short to be efficiently used for Docker container-based resource allocation. We design a novel application oriented Docker container (AODC)-based resource allocation framework to minimize the application deployment cost in DCs, and to support automatic scaling while the workload of cloud applications varies. We then model the AODC resource allocation problem considering features of Docker, various applications' requirements, and available resources in cloud data centers, and propose a scalable algorithm for DCs with diverse and dynamic applications and massive physical resources.

telecommunications

Qianyu Zhang,Gongming Zhao,Hongli Xu,Zhuolong Yu,Liguang Xie,Yangming Zhao,Chunming Qiao,Ying Xiong,Liusheng Huang

2022-01-01

Abstract:With the broad deployment of distributed applications on clouds, the dominant volume of traffic in cloud networks traverses in an east-west direction, flowing from server to server within a data center. Existing communication solutions are tightly coupled with either the control plane (e.g., preprogrammed model) or the location of compute nodes (e.g., conventional gateway model). The tight coupling makes it challenging to adapt to rapid network expansion, respond to network anomalies (e.g., burst traffic and device failures), and maintain low latency for east-west traffic. To address this issue, we design Zeta, a scalable and robust east-west communication framework with gateway clusters in large-scale clouds. Zeta abstracts the traffic forwarding capability as a Gateway Cluster Layer, decoupled from the logic of control plane and the location of compute nodes. Specifically, Zeta adopts gateway clusters to support large-scale networks and cope with burst traffic. Moreover, a transparent Multi IPs Migration is proposed to quickly recover the system/devices from unpredictable failures. We implement Zeta based on eXpress Data Path (XDP) and evaluate its scalability and robustness through comprehensive experiments with up to 100k container instances. Our evaluation shows that Zeta reduces the 99% RTT by 5.1x in burst video traffic, and speeds up the gateway recovery by 10.8 x compared with the state-of-the-art solutions.

Yunzhuo Liu,Junchen Guo,Bo Jiang,Pengyu Zhang,Xiaoqing Sun,Yang Song,Wei Ren,Zhiyuan Hou,Biao Lyu,Rong Wen,Shunmin Zhu,Xinbing Wang

DOI: https://doi.org/10.1145/3646547.3688436

2024-01-01

Abstract:In this paper, we use empirical measurements to show that container network startup is a key factor that contributes to the slow startup of secure containers in multi-tenant clouds, especially in the scenario of serverless computing, where the issue is pronounced by high-volume concurrent container invocations. We conduct extensive and detailed analysis on existing Container Network Interface (CNI) plugins and show that even the fastest one doubles the startup time from the no-network scenario. We show that the major cause of the blowup in total startup time is that enabling networking significantly increases the contention among different startup stages, particularly for global Linux kernel locks, including the Routing Table NetLink (RTNL) mutex lock and various spin locks. We reveal that contending for these locks hinders startup performance in three ways, including directly increasing stage time, causing poor pipeline overlap and wasting CPU resources. To mitigate such kernel lock contention, we propose a multi-stage concurrency control mechanism based on Bayesian optimization to limit the concurrency of each contended stage. Our results show that this lightweight mechanism can effectively reduce the end-to-end container startup time by 18.8% with negligible extra overhead.

Yang Luo,Wu Luo,Xiaoning Sun,Qingni Shen,Anbang Ruan,Zhonghai Wu

DOI: https://doi.org/10.1109/trustcom.2016.0119

2016-01-01

Abstract:Over the last few years, the cloud computing industry has witnessed the wider adoption of the container-based technologies. And it is obvious to see that Docker has become the de facto standard of the container-based approaches. However, the security mechanism of Docker is far from satisfaction owing to its rapid development without adequate security concerns. This paper primarily identifies several possible covert channels against Docker, which causes critical results like information leak between one container and another (or even the host). Furthermore, we also categorizes the Linux capabilities used by Docker into different groups and find a way to identify the misconfiguration of capabilities based on our classification result. We prove false-negative capabilities to be dangerous by finding a covert channel associated with them. The paper also demonstrates how false-positive capabilities are already well restricted by the current isolating mechanism of Docker via a call analysis approach. So these capabilities can be securely granted to the containers. The experimental results indicate that the proposed covert channels can reach a capacity as high as 733.5b/s at the precision no lower than 90%. At last, the paper discusses what could be done when using Docker to increase its level of security.

Shouyin Xu,Yuewu Wang,Lingguang Lei,Kun Sun,Jiwu Jing,Siyuan Ma,Jie Wang,Heqing Huang

DOI: https://doi.org/10.1109/tifs.2024.3411915

IF: 7.231

2024-06-22

IEEE Transactions on Information Forensics and Security

Abstract:Container technology is widely adopted due to its features such as light weight and ease of rapid deployment. However, as an OS-level virtualization mechanism, container isolation relies on the kernel's security mechanisms and the kernel permission data (usually non-control flow data) used by these mechanisms. None of the existing mitigation schemes for non-control flow data attacks provide an effective and practical solution to container security since they either trigger too much overhead, have limited effectiveness over attacks launched in specific ways, or can only be used to protect some specific kernel data. In addition, none of them accurately identify the kernel data associated with container isolation. In this paper, we provide a solution called Condo that enhances container isolation by protecting the associated kernel permission data. We first present a generic non-control flow kernel data protection mechanism that protects different types of kernel data uniformly with low overhead and is not limited by attack methods or data types. We then demystify the models of various kernel access control mechanisms in the container environment, and identify the subject and object permission data that are critical to container isolation. Finally, we provide a solution named Condo to enhance container isolation, which is completely transparent to the existing container ecosystem, including containerized applications and container management/orchestration tools such as Docker. Experimental results show that Condo can effectively reduce the compromises of container isolation due to memory corruption attacks with an acceptable overhead.

computer science, theory & methods,engineering, electrical & electronic

Yifan Li,Chengjun Jia,Xiaohe Hu,Jun Li

DOI: https://doi.org/10.1109/hoti51249.2020.00024

2020-01-01

Abstract:Container technology is a light weight back-end virtualization solution which copes with the growing demand for internet service concurrency. For security and availability, network isolation is essential in container network. Label based network access control policies are employed as a network isolation solution by the famous container orchestrator, Kubernetes. The large scale and flexibility of container networks implies a prohibitive complexity, whereas the constant changes of policies and containers demand a short response time, thus the policy verification needs to be efficient. However, there is no existing tool that solves the verification problem of label based network access control policies. Kano is proposed as the first system to cover container network policy verification, including incremental verification. It leverages on a prefiltration algorithm to reduce the time complexity of reachability matrix calculation from O(n 2 ) to O(n). With predefined and user-defined constraints which can be verified quickly with the reachability matrix, Kano removes potential risk from the container network. Based on the verification result, Kano provides advices to reinforce the security and availability of the container network.

Jun Wu,Mianxiong Dong,Kaoru Ota,Jianhua Li,Zhitao Guan

DOI: https://doi.org/10.1109/tnsm.2018.2799000

2018-03-01

IEEE Transactions on Network and Service Management

Abstract:In software-defined networks (SDNs), the abstracted control plane is its symbolic characteristic, whose core component is the software-based controller. The control plane is logically centralized, but the controllers can be physically distributed and composed of multiple nodes. To meet the service management requirements of large-scale network scenarios, the control plane is usually implemented in the form of distributed controller clusters. Cluster management technology monitors all types of events and must maintain a consistent global network status, which usually leads to big data in SDNs. Simultaneously, the cluster security is an open issue because of the programmable and dynamic features of SDNs. To address the above challenges, this paper proposes a big data analysis-based secure cluster management architecture for the optimized control plane. A security authentication scheme is proposed for cluster management. Moreover, we propose an ant colony optimization approach that enables big data analysis scheme and the implementation system that optimizes the control plane. Simulations and comparisons show the feasibility and efficiency of the proposed scheme. The proposed scheme is significant in improving the security and efficiency SDN control plane.

computer science, information systems