Dependable virtualised systems
Virtual machines and containers are widely used in data centres and in the cloud for software deployment and management. Their popularity rests on the abstraction layer they create on top of physical hardware, which yields higher capacity utilisation, lower maintenance costs and better scalability. The economics and scalability of virtualised applications require that the workloads of multiple customers can run on the same hardware with low overhead and without compromising security. To address this need, this work introduces a new set of I/O middleware that lets users run smaller containers and virtual machines and deploy them more securely. The contributions can be summarised as follows:

• CNTR provides a way to extend application containers at runtime with tools deployed in a different container. This makes it possible to build "slim" images that contain only the actual application, while all the tools needed for monitoring, testing and debugging reside in a "fat" image that is attached only when needed. CNTR achieves this by creating a nested namespace in the application container that proxies files from a remote container using a FUSE filesystem.

• VMSH allows users to attach services to running virtual machines independent of the guest userspace and without any pre-installed agents. Similar to CNTR, this lets developers build more lightweight virtual machines by deploying additional services on demand from a separate, user-provided file system image. VMSH achieves this by side-loading kernel code into the guest and mounting a filesystem backed by its own block device in a lightweight container, without affecting the applications in the VM.

• RKT-IO leverages trusted execution environments (TEEs) to run workloads in containers and virtual machines, protecting them from other tenants and from the cloud provider on the same host without sacrificing the I/O performance that such protection usually degrades. It does so by providing a userspace network and storage I/O stack in the form of a Linux-based library OS that accesses the hardware directly from within the TEE, bypassing the host kernel.
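The CNTR mechanism above rests on one Linux primitive: a process outside the application container joins the container's namespaces with setns(2), so a tool that is not part of the slim image runs with the application's view of the system. The following script is an added example written for this page, not CNTR's own code; it shows the namespace-joining half of that mechanism and skips the FUSE proxy that CNTR uses to expose the "fat" tool image inside the nested namespace. Instead it opens the tool binary on the host before switching mount namespaces and starts it with fexecve(), which is an assumption that only holds for statically linked tools (a dynamically linked one would still need its libraries inside the container's rootfs). It assumes Linux, CAP_SYS_ADMIN for the setns() calls, and a container pid obtained by other means (for Docker, `docker inspect -f '{{.State.Pid}}' <container>`). The helper names `namespace_ids`, `namespaces_to_join`, `enter_namespaces` and `run_in_container` are hypothetical.

```python
"""CNTR-style attach helper: run a host tool inside a slim container's namespaces.

Added example, not CNTR's code. Linux only; setns() requires CAP_SYS_ADMIN
in the target's user namespace. The tool is assumed to be statically linked.
"""
import ctypes
import os
import sys

# Join order matters: the user namespace first, because the capability checks
# for the remaining setns() calls are made inside the target's user namespace;
# pid last, because joining it only affects children forked afterwards.
NS_ORDER = ("user", "mnt", "uts", "ipc", "net", "cgroup", "pid")


def namespace_ids(pid):
    """Return {ns_type: identifier} for `pid`, e.g. {"mnt": "mnt:[4026531841]"}.

    The identifier is the readlink() target of /proc/<pid>/ns/<type>; two
    processes share a namespace iff the identifiers are equal. Namespace types
    the running kernel does not expose are omitted.
    """
    ids = {}
    for ns in NS_ORDER:
        try:
            ids[ns] = os.readlink(f"/proc/{pid}/ns/{ns}")
        except OSError:
            pass
    return ids


def namespaces_to_join(target, current):
    """Ordered list of namespace types in which `target` differs from `current`.

    Joining a namespace we already share is pointless, and setns() on our own
    user namespace fails, so those are filtered out.
    """
    return [ns for ns in NS_ORDER
            if ns in target and target[ns] != current.get(ns)]


def enter_namespaces(pid, setns=None):
    """setns() into every namespace of `pid` that we are not already in.

    `setns` may be replaced by a callable (fd, flags) -> int for testing; by
    default libc's setns(2) is used. Returns the list of namespace types joined.
    """
    if setns is None:
        setns = ctypes.CDLL(None, use_errno=True).setns
    joined = []
    for ns in namespaces_to_join(namespace_ids(pid), namespace_ids("self")):
        fd = os.open(f"/proc/{pid}/ns/{ns}", os.O_RDONLY)
        try:
            if setns(fd, 0) != 0:
                err = ctypes.get_errno()
                raise OSError(err, f"setns({ns}) failed: {os.strerror(err)}")
        finally:
            os.close(fd)
        joined.append(ns)
    return joined


def run_in_container(pid, tool, argv=None):
    """Run `tool` (a host path) inside the namespaces of container process `pid`.

    The binary is opened before the mount namespace changes, so it does not
    need to exist in the container's rootfs; fexecve() then starts it from the
    open descriptor. The fork is required because setns(CLONE_NEWPID) only
    applies to children created afterwards.
    """
    tool_fd = os.open(tool, os.O_RDONLY)
    joined = enter_namespaces(pid)
    child = os.fork()
    if child == 0:
        # First process created after the pid namespace switch: it receives a
        # pid inside the container and sees the container's mounts and network.
        os.fexecve(tool_fd, [tool] + list(argv or []), os.environ)
    _, status = os.waitpid(child, 0)
    os.close(tool_fd)
    return joined, os.waitstatus_to_exitcode(status)


if __name__ == "__main__":
    if len(sys.argv) < 3:
        sys.exit(f"usage: {sys.argv[0]} <container-pid> </path/to/static/tool> [args...]")
    joined, rc = run_in_container(int(sys.argv[1]), sys.argv[2], sys.argv[3:])
    print(f"joined {joined}; tool exited with {rc}", file=sys.stderr)
    sys.exit(rc)
```

Two checks worth keeping in mind when adapting this: compare the namespace identifiers rather than blindly calling setns() on all seven files, since joining a user namespace you are already in is an error and containers often deliberately share the host's user or cgroup namespace; and verify that the tool really is static (`file` reports "statically linked") before relying on fexecve(), otherwise the dynamic loader will fail inside the slim rootfs, which is precisely the gap CNTR's FUSE proxy closes.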