Container-based virtualization has become increasingly popular as a lightweight alternative to hypervisor-based virtualization in cloud computing. Isolation is a fundamental property for consistent and reliable performance for cloud environment. However, the isolation between containers is much weaker than virtual machines as containers on the same host share one underlying host kernel. Existing works have mainly focused on the isolation problems at physical resources (e.g. CPU) level and almost not discussed with kernel resources (e.g. lock). In this paper, we perform a study to quantify kernel resource isolation for containers with a new microbenchmark, KRIBench. Then we describe kernel resource isolation issues and identify several kernel resources competition behind the poor isolation. Furthermore, we design and implement Valve, a general and flexible system that reduces kernel resources competition through limiting usage of system calls. Valve adopts Pareto-based container identification to locate misbehaving containers and supply–demand model to manage usage of system calls. The evaluation results demonstrate that our system can effectively enhance the kernel resource isolation for containers with negligible performance overhead.

作为云计算中基于管理程序的虚拟化的轻量级替代方案，基于容器的虚拟化越来越受欢迎。隔离是云环境一致和可靠性能的基本属性。然而，容器之间的隔离比虚拟机弱得多，因为同一主机上的容器共享一个底层主机内核。现有工作主要集中在物理资源（例如CPU）级别的隔离问题，几乎没有讨论内核资源（例如锁）。在本文中，我们进行了一项研究，以使用新的微基准 KRIBench量化容器的内核资源隔离. 然后我们描述了内核资源隔离问题，并确定了隔离不良背后的几个内核资源竞争。此外，我们设计并实现了Valve，这是一个通用且灵活的系统，可通过限制系统调用的使用来减少内核资源竞争。Valve采用基于 Pareto 的容器识别来定位行为不当的容器，并采用供需模型来管理系统调用的使用。评估结果表明，我们的系统可以有效地增强容器的内核资源隔离，而性能开销可以忽略不计。