Using VM Cloning for Efficient, Backward-Compatible, Secure Containerization
Abstract
Despite the lack of hardware-enforced isolation, containers have been widely adopted in the cloud because they are easy to deploy and lightweight. Secure containers such as gVisor, Firecracker, and Katacontainer have addressed the security issue, yet a solution that is both backward compatible and resource efficient is still missing. This thesis proposes a new approach to building secure, lightweight, backward-compatible containers using the Xen hypervisor. Using Copy-on-Write (COW) cloning, a container can be quickly spun up in a virtual machine (VM) that is identical to the container-hosting VM. Containers built this way don't need any underlying kernel modifications, external agents, or proxies, and are more efficient than spinning up a whole new VM for a container. We demonstrate a prototype that shows the feasibility of such a virtualization-based containerization solution.
Subject
Efficient
Backward-Compatible
Secure
Containerization
Xen
gVisor
runc
firecracker
Katacontainer
Extended page tables
Hardware assisted virtualization
Citation
Kanmantha Reddy, Manvitha (2020). Using VM Cloning for Efficient, Backward-Compatible, Secure Containerization. Master's thesis, Texas A&M University. Available electronically from https://hdl.handle.net/1969.1/192343.