Please use this identifier to cite or link to this item: https://dl.ucsc.cmb.ac.lk/jspui/handle/123456789/4924
Title: IMPROVING LOW-LEVEL ISOLATION OF CONTAINERS INSIDE MICROKERNEL
Authors: PIETERSZ, C.J.
Issue Date: 29-Jun-2025
Abstract: Namespace isolation plays a major role in modern containerization, enabling secure and efficient process separation in operating systems like Linux. This research introduces a novel approach to implementing namespace awareness in the GNU/Hurd, a system traditionally lacking such mechanisms due to its minimalist design. Two design approaches were evaluated: embedding namespace awareness within the Mach microkernel versus implementing it externally in Hurd’s user-space servers. The latter was chosen, aligning with Hurd’s philosophy of excluding policies from the kernel and adhering to minimalist design, thus maintaining system modularity & flexibility. In this study, a new unshare command is proposed based on the selected design, achieved through targeted modifications to Hurd’s proc server & message passing interfaces, to enable process namespace isolation. The implemented unshare command successfully isolates process namespaces, and when combined with chroot, it achieves enhanced isolation comparable to Linux container mechanisms. Using the same design methodology, further namespace isolations can be developed with additional research and optimization. Performance evaluations demonstrate that the isolation introduces acceptable overheads in Hurd, with memory bandwidth and latency impacts higher than Linux’s. Specifically, memory bandwidth and latency impacts are 7–15% and 5.4%, respectively, compared to Linux’s 0–1.3% and 1.0%. These results validate the feasibility of namespace isolation in microkernels, showcasing Hurd’s potential for container-like functionality, and pave the way for future research into broader namespace support.
URI: https://dl.ucsc.cmb.ac.lk/jspui/handle/123456789/4924
Appears in Collections: 2025

Files in This Item:
File | Description | Size | Format
20001347-C.J.Pietersz - Mr. PIETERSZ C.J..pdf | | 2.76 MB | Adobe PDF


Items in UCSC Digital Library are protected by copyright, with all rights reserved, unless otherwise indicated.