Authors: Zijun Li; Chenyang Wu; Chuhao Xu; Quan Chen; Shuo Quan; Bin Zha; Qiang Wang; Weidong Han; Jie Wu; Minyi Guo
DOI: 10.1109/TC.2025.3566912
Journal: IEEE Transactions on Computers, vol. 74, no. 8, pp. 2621-2634
Publication date: 2025-03-21
Publication type: Journal Article
Open access: no
Citation count: 0
Journal impact factor: 3.8; JCR quartile: Q2 (Computer Science, Hardware & Architecture); Region: 2 (Computer Science)
Source: https://ieeexplore.ieee.org/document/11008773/ (indexed via Semanticscholar)
Lightweight and Holistic-Scalable Serverless Secure Container Runtime for High-Density Deployment and High-Concurrency Startup
The secure container that hosts a single container in a micro virtual machine (microVM) is now used in serverless computing, as the containers are isolated through the microVMs. Because user functions are fine-grained in serverless platforms, there are high demands for high-density container deployment and high-concurrency container startup to improve both resource utilization and user experience. Our investigation shows that the entire software stack, comprising the cgroups in the host operating system, the guest operating system, and the container rootfs for the function workload, together results in low deployment density and slow startup performance at high concurrency. We propose a lightweight and holistic-scalable secure container runtime, named RunD-V, to resolve the above problems in serverless computing. RunD-V proposes a guest-to-host runtime template for microVM scaling-out and a CR-bind feature in the guest kernel for microVM scaling-up. Using the guest-to-host runtime template, over 200 secure containers can be launched within 1s on a node equipped with 104 vCPUs. It also enables more than 2,500 secure containers to be deployed on a node with 384GB of memory. The vertical scaling mechanism CR-bind further enhances both startup concurrency and deployment density.
Journal description:
The IEEE Transactions on Computers is a monthly publication with a wide distribution to researchers, developers, technical managers, and educators in the computer field. It publishes papers on research in areas of current interest to the readers. These areas include, but are not limited to, the following: a) computer organizations and architectures; b) operating systems, software systems, and communication protocols; c) real-time systems and embedded systems; d) digital devices, computer components, and interconnection networks; e) specification, design, prototyping, and testing methods and tools; f) performance, fault tolerance, reliability, security, and testability; g) case studies and experimental and theoretical evaluations; and h) new and important applications and trends.