Impact of Secure Container Runtimes on File I/O Performance in Edge Computing
-
Published:2023-12-18
Issue:24
Volume:13
Page:13329
-
ISSN:2076-3417
-
Container-title:Applied Sciences
-
language:en
-
Short-container-title:Applied Sciences
Author:
Lee Kyungwoon1, Kim Jeongsu2, Kwon Ik-Hyeon3, Park Hyunchan4ORCID, Hong Cheol-Ho5ORCID
Affiliation:
1. School of Electronics Engineering, Kyungpook National University, Daugu 41566, Republic of Korea 2. Agency for Defense Development, Daejeon 34186, Republic of Korea 3. School of Electrical and Electronics Engineering, Chung-Ang University, Seoul 06974, Republic of Korea 4. Department of Computer Science and Artificial Intelligence/CAIIT, Jeonbuk National University, Jeonju 54896, Republic of Korea 5. Department of Intelligent Semiconductor Engineering, Chung-Ang University, Seoul 06974, Republic of Korea
Abstract
Containers enable high performance and easy deployment due to their lightweight architecture, thus facilitating resource utilization in edge computing nodes. Secure container runtimes have attracted significant attention because of the necessity for overcoming the security vulnerabilities of containers. As the runtimes adopt an additional layer such as virtual machines and user-space kernels to enforce isolation, the container performance can be degraded. Even though previous studies presented experimental results on performance evaluations of secure container runtimes, they lack a detailed analysis of the root causes that affect the performance of the runtimes. This paper explores the architecture of three secure container runtimes in detail: Kata containers, gVisor, and Firecracker. We focus on file I/O, which is one of the key aspects of container performance. In addition, we present the results of the user- and kernel-level profiling and reveal the major factors that impact the file I/O performance of the runtimes. As a result, we observe three key findings: (1) Firecracker shows the highest file I/O performance as it allows for utilizing the page cache inside VMs, and (2) Kata containers offer the lowest file I/O performance by consuming the largest amount of CPU resources. Also, we observe that gVisor scales well as the block size increases because the file I/O requests are mainly handled by the host OS similar to native applications.
Funder
Korea Institute for Advancement of Technology Chung-Ang University Research Scholarship
Subject
Fluid Flow and Transfer Processes,Computer Science Applications,Process Chemistry and Technology,General Engineering,Instrumentation,General Materials Science
Reference49 articles.
1. Soltesz, S., Pötzl, H., Fiuczynski, M.E., Bavier, A., and Peterson, L. (2007, January 21–23). Container-based operating system virtualization: A scalable, high-performance alternative to hypervisors. Proceedings of the 2nd ACM SIGOPS/EuroSys European Conference on Computer Systems 2007, Lisbon, Portugal. 2. Docker: Lightweight linux containers for consistent development and deployment;Merkel;Linux J.,2014 3. Felter, W., Ferreira, A., Rajamony, R., and Rubio, J. (2015, January 29–31). An updated performance comparison of virtual machines and linux containers. Proceedings of the 2015 IEEE International Symposium on Performance Analysis of Systems and Software (ISPASS), Philadelphia, PA, USA. 4. Li, Z., Cheng, J., Chen, Q., Guan, E., Bian, Z., Tao, Y., Zha, B., Wang, Q., Han, W., and Guo, M. (2022, January 11–13). RunD: A Lightweight Secure Container Runtime for High-density Deployment and High-concurrency Startup in Serverless Computing. Proceedings of the 2022 USENIX Annual Technical Conference (USENIX ATC 22), Carlsbad, CA, USA. 5. Resource management in fog/edge computing: A survey on architectures, infrastructure, and algorithms;Hong;ACM Comput. Surv. (CSUR),2019
|
|