Improving Low-Level Isolation of Containers: Leveraging Microkernel Design

Abstract

Abstract The container is a concept in virtualization that groups code and dependencies into a single isolated unit. It leverages the operating system’s kernel features to manage and run processes within its isolated environment. While current implementations o↵er seamless integration and enhanced performance, they do come with inherent limitations. The design and architecture of the kernel serve as a critical factor in enhancing key container characteristics, such as isolation, owing to its dependency on kernel functionality. While it a↵ects the level of isolation provided within a container, it also a↵ects the isolation provided among containers. A deeper understanding of container implementations underscores the importance of shifting the primary focus from containers themselves to the underlying kernel and its inherent strengths. The majority of contemporary container engines are optimized for monolithic kernels, which, by definition, prioritize performance over isolation. In contrast, microkernels are designed to provide higher levels of isolation at the cost of performance. It is important to explore how the capabilities of microkernels and the requirements of containers could interact to collectively find a stronger position in terms of isolation. This research investigates the potential of microkernels to emulate container environments, focusing on file system isolation and comparing performance against monolithic implementations. Leveraging GNU Hurd, based on the GNU Mach microkernel, the study employs Subhurd and translators to establish a container environment for evaluating performance and file system isolation against Linux-based containers.