modern systems extensible kernels and containers
play

MODERN SYSTEMS: EXTENSIBLE KERNELS AND CONTAINERS MOTIVATION - PowerPoint PPT Presentation

Feb 21, 2023 •303 likes •839 views

SHANNON JOYNER MODERN SYSTEMS: EXTENSIBLE KERNELS AND CONTAINERS MOTIVATION Applications must conform to operating system interface One operating system implementation is not ideal for everyone Cannot optimize for a given application

  1. SHANNON JOYNER MODERN SYSTEMS: EXTENSIBLE KERNELS AND CONTAINERS

  2. MOTIVATION ‣ Applications must conform to operating system interface ‣ One operating system implementation is not ideal for everyone ‣ Cannot optimize for a given application ‣ OSs did not work well for database management systems 1 1 Operating System Support for Database Management. Michael Stonebraker. Communications of the ACM.

  3. MOTIVATION ‣ Operating systems are complex ‣ Accessing resources require many system calls 1 ‣ This complexity in UNIX lead to Mach ‣ Give application more control over system 1 Mach: A New Kernel Foundation for UNIX Development. Mike Acetta et al. https://pdos.csail.mit.edu/archive/exo/exo-slides/sld001.htm

  4. Exokernel: An Operating System Architecture for Application-Level Resource Management Dawson R. Engler, M. Frans Kaashoek, and James O’Toole Jr. M.I.T. Laboratory for Computer Science Proc. 15th ACM Symposium on Operating Systems Principles (SOSP). Pages 251-266.

  5. EXOKERNEL GOALS ‣ Make small, fast kernel implementation by implementing simple primitives ‣ Secure, fast way to access hardware resources ‣ System abstractions can be implemented efficiently by application ‣ Applications can have fast, specialized implementations

  6. EXOKERNEL ‣ Make small, fast kernel implementation by implementing simple primitives ‣ Exokernel ‣ Secure, fast way to access hardware resources ‣ TLB + Secure Bindings ‣ System abstractions can be implemented efficiently by application ‣ LibOS + Exokernel ‣ Applications can have fast, specialized implementations ‣ LibOS

  7. EXOKERNEL ‣ LibOS ‣ Secure Bindings ‣ TLB ‣ Exokernel Exokernel, Figure 1

  8. LIBRARY OPERATING SYSTEMS ‣ Implements OS besides interaction with hardware 1 ‣ Customize based on application needs ‣ Manages resource policies ‣ Example LibOS customizations ‣ Virtual Memory ‣ Scheduling ‣ Networking Exokernel, Figure 1 1 http://www.cs.cornell.edu/courses/cs6410/2010fa/lectures/08-extensible-kernels.pdf

  9. SECURE BINDINGS ‣ Used by LibOSes to access resources ‣ Provides connection to resource ‣ Decouples authorization from use of resource ‣ Hardware can implement protection checks quickly Exokernel, Figure 1

  10. SOFTWARE TRANSLATION LOOK-ASIDE BUFFER (TLB) ‣ Caches virtual memory to physical memory translations ‣ Cache secure bindings in TLB to reduce number of binding connections ‣ Improves performance Software TLB Exokernel, Figure 1

  11. EXOKERNEL ‣ Only handles resource sharing ‣ Rest left to application ‣ Does not handle resource polices Exokernel, Figure 1

  12. EXOKERNEL ‣ Make small, fast kernel implementation by implementing simple primitives ‣ Exokernel ‣ Secure, fast way to access hardware resources ‣ TLB + Secure Bindings ‣ System abstractions can be implemented efficiently by application ‣ LibOS + Exokernel ‣ Applications can have fast, specialized implementations ‣ LibOS

  13. IMPLEMENTATION ‣ Aegis: Exokernel [Page 7] ‣ Processor Time Slices [Page 7] ‣ Exceptions [Page 8] ‣ Protected Control Transfer (PCT) [Page 9] ‣ Dynamic Packet Filter (DPF) [Page 10] Exokernel, Dispatch Exceptions, Table 5

  14. IMPLEMENTATION ‣ ExOS: LibOS [Page 10] ‣ Interprocess communication [Page 10] ‣ Application Specific Safe Handlers [Page 11] ‣ Virtual Memory [Page 11] Exokernel, Figure 2

  15. QUESTIONS ‣ Who handles resource policies? ‣ Is there a problem with how exokernels handle resource policies? ‣ Why do we need secure bindings?

  16. QUESTIONS ‣ Who handles resource policies? ‣ Is there a problem with how exokernels handle resource policies? ‣ Why do we need secure bindings?

  17. QUESTIONS ‣ Who handles resource policies? ‣ Application handles resource policies.

  18. QUESTIONS ‣ Who handles resource policies? ‣ Is there a problem with how exokernels handle resource policies? ‣ Why do we need secure bindings?

  19. QUESTIONS ‣ Who handles resource policies? ‣ Is there a problem with how exokernels handle resource policies? ‣ Poor isolation. Applications can have conflicting policies. ‣ Why do we need secure bindings? ‣ Why does Exokernel use a software TLB instead of the hardware TLB?

  20. QUESTIONS ‣ Who handles resource policies? ‣ Is there a problem with how exokernels handle resource policies? ‣ Why do we need secure bindings?

  21. QUESTIONS ‣ Who handles resource policies? ‣ Is there a problem with how exokernels handle resource policies? ‣ Why do we need secure bindings? ‣ Protection / authorization of resources. Faster to do in kernel and kernel does not need to understand resources. ‣ Why does Exokernel use a software TLB instead of the hardware TLB?

  22. EXOKERNEL TAKEAWAYS ‣ Strengths ‣ Minimal kernel and customizable operating system ‣ Fast ‣ Weakness ‣ Poor isolation ‣ Each application implements own LibOS ‣ No way to prevent systems from conflicting ‣ Hardware compatibility ‣ Need to change LibOS depending on hardware interface

  23. ` ‣ Hypervisor ‣ Hardware abstraction ‣ Previous virtual machines ran on top of hypervisors ‣ No isolation 1 Container-based Operating System Virtualization: A Scalable, High performance Alternative to Hypervisors 
 Stephen Soltesz, Herbert Potzi, Marc Fiuczynski, Andy Bavier, Larry Peterson. EuroSys ’07. 


  24. CONTAINERS ‣ Grouping of processes ‣ Strength ‣ Provide isolation between groups ‣ Weakness ‣ Containers cannot customize operating systems Container Container Container MySQL Web Server MySQL Web Server Web Server OS Hypervisor

  25. Unikernel: Library Operating Systems for the Cloud Anil Madhavapeddy, Richard Mortier, Charalampos Rotsos, David Scott, Ralraj Singh, ThomasGazagnaire, Steven Smith, Steven Hand, and Jon Crowcroft University of Cambridge, University of Nottingham, Citrix Systems Ltd, OCamlPro SAS In Proceedings of the 18th International Conference on Architectural Support for Programming Languages and Operating Systems pg. 461–472.

  26. UNIKERNEL = EXOKERNEL + CONTAINERS ‣ Run one application per virtual machine ‣ One process per application ‣ Everything compiled into a VM image ‣ Do not compile unused code Unikernel, Figure 1

  27. UNIKERNEL ‣ Run directly on top of standard hypervisor ‣ Can run multiple unikernels on the same hypervisor Unikernel Unikernel Unikernel Application Application Application OS OS OS Hypervisor

  28. MIRAGE ‣ Produces unikernels ‣ Compiles OCaml code to Xen VM image ‣ 4 main components ‣ Text + Data segment ‣ Foreign Grants ‣ Minor Heap ‣ Major Heap Unikernel, Figure 2

  29. TEXT AND DATA ‣ OCaml Runtime ‣ PVBoot ‣ Initializes VM Unikernel, Figure 2

  30. HEAP ‣ Minor Heap ‣ Short lived values in VM ‣ Fast ‣ Major Heap ‣ Long lived values Unikernel, Figure 2

  31. FOREIGN GRANTS ‣ Used for VM communication ‣ Write data to a grant table ‣ Exchange table between VM address spaces Unikernel, Figure 2

  32. APACHE BENCHMARK ‣ Mirage unikernel improvements result in better performance than having multiple cores Unikernel, Figure 13

  33. EXOKERNEL VERSUS UNIKERNEL ‣ Exokernel ‣ Fast and customizable ‣ All applications on same system ‣ Poor isolation ‣ Unikernel ‣ Fast and customizable ‣ Single application per system ‣ Better isolation

  34. ACKNOWLEDGEMENTS ‣ Thanks to Hakim for helping me prepare for this presentation! ‣ Operating System Support for Database Management. Michael Stonebraker. Communications of the ACM. ‣ Mach: A New Kernel Foundation for UNIX Development. Accetta, Mike, Robert Baron, William Bolosky, David Golub, Richard Rashid, Avadis Tevanian, and Michael Young. 1986. ‣ Exokernel: An Operating System Architecture for Application-Level Resource Management. Dawson R. Engler, M. Frans Kaashoek, and James O’Toole Jr. Proc. 15th ACM Symposium on Operating Systems Principles (SOSP). Pages 251-266. ‣ http://www.cs.cornell.edu/courses/cs6410/2010fa/lectures/08-extensible-kernels.pdf ‣ Container-based Operating System Virtualization: A Scalable, High performance Alternative to Hypervisors 
 Stephen Soltesz, Herbert Potzi, Marc Fiuczynski, Andy Bavier, Larry Peterson. EuroSys ’07. ‣ Unikernel: Library Operating Systems for the Cloud. Anil Madhavapeddy, Richard Mortier, Charalampos Rotsos, David Scott, Ralraj Singh, ThomasGazagnaire, Steven Smith, Steven Hand, and Jon Crowcroft. University of Cambridge, University of Nottingham, Citrix Systems Ltd, OCamlPro SAS. In Proceedings of the 18th International Conference on Architectural Support for Programming Languages and Operating Systems pg. 461–472.

  36. PROTECTED CONTROL TRANSFER ‣ Implementation of interprocess communication ‣ Put the messages in the receiver process’s context ‣ Asynchronous: Rest of sender process's time slice goes to receiver ‣ Synchronous: All future time slices go to receiver process ‣ 7x faster than best reported implementation Exokernel, Table 6

  37. TIME TO PERFORM NULL PROCEDURE AND SYSTEM CALLS Exokernel, Table 5

  38. TIME FOR IPC Exokernel, Table 8

  39. TIME TO PERFORM VM OPERATIONS Exokernel, Table 10

  40. TIME TO PERFORM VM OPERATIONS (TWO DIFFERENT PAGE-TABLES) Table 3, Exokernel

  41. ROUNDTRIP LATENCY OVER ETHERNET Exokernel, Table 11

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

MODERN SYSTEMS: EXTENSIBLE KERNELS AND CONTAINERS Hakim Weatherspoon CS6410 Motivation 2

MODERN SYSTEMS: EXTENSIBLE KERNELS AND CONTAINERS Hakim Weatherspoon CS6410 Motivation 2

1 MODERN SYSTEMS: EXTENSIBLE KERNELS AND CONTAINERS Hakim Weatherspoon CS6410 Motivation 2 Monolithic Kernels just aren't good enough? Conventional virtual memory isn't what userspace programs need (Appel + Li '91)

713 views • 43 slides
SERVERLESS + CONTAINERS = MODERN CLOUD APPLICATIONS Donna Malayeri Product Manager, Pulumi

SERVERLESS + CONTAINERS = MODERN CLOUD APPLICATIONS Donna Malayeri Product Manager, Pulumi

SERVERLESS + CONTAINERS = MODERN CLOUD APPLICATIONS Donna Malayeri Product Manager, Pulumi @PulumiCorp @lindydonna SERVERLESS AND CONTAINERS Tradeoff between control and productivity Containers give you full control over your compute

720 views • 40 slides
ATLAS2K The Framework for Precise and Extensible Signal Descriptions in Modern ATS Sqn Ldr

ATLAS2K The Framework for Precise and Extensible Signal Descriptions in Modern ATS Sqn Ldr

ATLAS2K The Framework for Precise and Extensible Signal Descriptions in Modern ATS Sqn Ldr Dick Delaney MSc RAF Chris Gorringe Current ATLAS Strengths of ATLAS: Test technology related Keywords Formal syntax and semantics Non

353 views • 23 slides
Goals for Today Learning Objective: Understanding how operating systems support containers

Goals for Today Learning Objective: Understanding how operating systems support containers

Goals for Today Learning Objective: Understanding how operating systems support containers and modern cloud computing paradigms Announcements, etc: MP4 due May 6th Get started ASAP! HW1 available! Due May 8th Just an

869 views • 29 slides
Kernel on Automata Cousins of String Kernels and Dynamic Systems Kernels? S.V.N. Vishy

Kernel on Automata Cousins of String Kernels and Dynamic Systems Kernels? S.V.N. Vishy

Kernel on Automata Cousins of String Kernels and Dynamic Systems Kernels? S.V.N. Vishy Vishwanathan vishy@csa.iisc.ernet.in Indian Insitutute of Science Bangalore, India Joint work with Alex Smola S.V.N. Vishy Vishwanathan:

388 views • 16 slides
Overview: Kernels for Sequences and Graphs String Kernels 8 Example Sequence Classification

Overview: Kernels for Sequences and Graphs String Kernels 8 Example Sequence Classification

Memorial Sloan-Kettering Cancer Center Overview: Kernels for Sequences and Graphs String Kernels 8 Example Sequence Classification Position-(In)dependent Kernels Advanced Kernels Easysvm Kernels on Graphs 9 Basics Random Walks Subtrees

1.8k views • 148 slides
The Modern Operating System in 2018 Justin Cormack Who am I? Engineer at Docker in Cambridge,

The Modern Operating System in 2018 Justin Cormack Who am I? Engineer at Docker in Cambridge,

The Modern Operating System in 2018 Justin Cormack Who am I? Engineer at Docker in Cambridge, UK. Formerly Unikernel Systems. Work on security, systems software, LinuxKit, containers @justincormack 2 The last monolith Lines of code in the

934 views • 60 slides
CHARIOT: A DOMAIN SPECIFIC LANGUAGE FOR EXTENSIBLE

CHARIOT: A DOMAIN SPECIFIC LANGUAGE FOR EXTENSIBLE

Extensible CPS Subhav Pradhan CHARIOT: A DOMAIN SPECIFIC LANGUAGE FOR EXTENSIBLE CYBER-PHYSICAL SYSTEMS Presented at DSM 2015, Pittsburgh, PA Subhav Pradhan , Abhishek Dubey, Aniruddha Gokhale, and

245 views • 11 slides
Unprivileged Containers Jess Frazelle, @jessfraz How do containers help security? Containers are

Unprivileged Containers Jess Frazelle, @jessfraz How do containers help security? Containers are

Unprivileged Containers Jess Frazelle, @jessfraz How do containers help security? Containers are not going to be the answer to preventing your application from being compromised, but they can limit the damage from a compromise. How do

823 views • 25 slides
Trigger Scripts For Trigger Scripts For Extensible File Extensible File Systems Systems

Trigger Scripts For Trigger Scripts For Extensible File Extensible File Systems Systems

Trigger Scripts For Trigger Scripts For Extensible File Extensible File Systems Systems Cameron Macdonell Macdonell Cameron Overview Overview The The Scruf Scruf Framework Framework Examples of Extended File Systems

470 views • 18 slides
OSv - A Modern Semi-POSIX LibraryOS Glauber Costa, Lead Engineer glommer@cloudius-systems.com

OSv - A Modern Semi-POSIX LibraryOS Glauber Costa, Lead Engineer glommer@cloudius-systems.com

OSv - A Modern Semi-POSIX LibraryOS Glauber Costa, Lead Engineer glommer@cloudius-systems.com Typical Cloud Stack Application Runtime Protection Operating System and abstraction Hypervisor Hardware Containers Application Application

172 views • 16 slides
Extensible Dependency Grammar: A Modular Grammar Formalism Based On Multigraph Description Ralph

Extensible Dependency Grammar: A Modular Grammar Formalism Based On Multigraph Description Ralph

Extensible Dependency Grammar Extensible Dependency Grammar: A Modular Grammar Formalism Based On Multigraph Description Ralph Debusmann Programming Systems Lab, Saarbrcken, Germany Promotionskolloquium, November 3, 2006 Extensible

988 views • 85 slides
Improving Trust in Containers Matthew Garrett @mjg59 | mjg59@coreos.com | coreos.com

Improving Trust in Containers Matthew Garrett @mjg59 | mjg59@coreos.com | coreos.com

Improving Trust in Containers Matthew Garrett @mjg59 | mjg59@coreos.com | coreos.com Containers are great Containers are resource efficient Containers make deployment easy Containers can be monitored easily Containers are secure But are

508 views • 38 slides
Toward Full Specialization of the HPC System Software Stack: Reconciling Application Containers

Toward Full Specialization of the HPC System Software Stack: Reconciling Application Containers

Toward Full Specialization of the HPC System Software Stack: Reconciling Application Containers and Lightweight Multi-kernels Balazs Gerofi , Yutaka Ishikawa , Rolf Riesen , Robert W. Wisniewski bgerofi@riken.jp RIKEN Advanced

485 views • 29 slides
Everything you need to know about Containers Security Track Containers Jos Manuel Ortega

Everything you need to know about Containers Security Track Containers Jos Manuel Ortega

Everything you need to know about Containers Security Track Containers Jos Manuel Ortega @jmortegac Agenda Introduction to containers security Linux Containers(LXC) Docker Security Security pipeline && Container

807 views • 57 slides
The Modern Platform in 2020 Justin Cormack Who am I? Engineer at Docker in Cambridge, UK. Docker

The Modern Platform in 2020 Justin Cormack Who am I? Engineer at Docker in Cambridge, UK. Docker

The Modern Platform in 2020 Justin Cormack Who am I? Engineer at Docker in Cambridge, UK. Docker developers Work on security, systems software, applications, LinuxKit, containers @justincormack 2 From OS to languages? From OS to

843 views • 39 slides
Sun TM xVM Hypervisor Gary Pennington Solaris Kernel Engineer April 24, 2008 USE IMPROVE

Sun TM xVM Hypervisor Gary Pennington Solaris Kernel Engineer April 24, 2008 USE IMPROVE

USE IMPROVE EVANGELIZE Sun TM xVM Hypervisor Gary Pennington Solaris Kernel Engineer April 24, 2008 USE IMPROVE EVANGELIZE Agenda Hypervisors 101 Introduction to Sun TM xVM Hypervisor Use Cases Using the hypervisor

731 views • 36 slides
park ber Enforcing Verifiable Object Abstractions for Automated Compositional Security

park ber Enforcing Verifiable Object Abstractions for Automated Compositional Security

park ber Enforcing Verifiable Object Abstractions for Automated Compositional Security Analysis of a Hypervisor Amit Vasudevan (CyLab-CMU), Sagar Chaki (SEI-CMU), Petros Maniatis (Google Inc.), Limin Jia, Anupam Datta (ECE/CSD-CMU)

517 views • 24 slides
World-Wide Web Homepage Helper Workshop Notes Joe Struss April 5, 2007 Registering your

World-Wide Web Homepage Helper Workshop Notes Joe Struss April 5, 2007 Registering your

World-Wide Web Homepage Helper Workshop Notes Joe Struss April 5, 2007 Registering your username with the Homepage Server To register your username with the Homepage Server enter: 1. % add www 2. % setup www and respond to the prompt.

147 views • 4 slides
r sts r rt

r sts r rt

r sts r rt r trtr tt t t r t

889 views • 22 slides
Data-Intensive Science Using GPUs Alex Szalay, JHU Data in HPC Simulations HPC is an

Data-Intensive Science Using GPUs Alex Szalay, JHU Data in HPC Simulations HPC is an

Data-Intensive Science Using GPUs Alex Szalay, JHU Data in HPC Simulations HPC is an instrument in its own right Largest simulations approach petabytes from supernovae to turbulence, biology and brain modeling Pressure for

462 views • 20 slides
Interactive Programs in Agda Anton Setzer (Swansea) 1. Defining IO in Agda. 2. Execution of IO

Interactive Programs in Agda Anton Setzer (Swansea) 1. Defining IO in Agda. 2. Execution of IO

Interactive Programs in Agda Anton Setzer (Swansea) 1. Defining IO in Agda. 2. Execution of IO Programs. 3. Dealing with Complex Programs. 4. A Graphics Library for Agda Anton Setzer: Interactive programs in dependent type theory 1 1. Defining

810 views • 35 slides
Input/Output Programming Chapter 3: Section 3.1, 3.2 Input and output (I/O) programming

Input/Output Programming Chapter 3: Section 3.1, 3.2 Input and output (I/O) programming

Input/Output Programming Chapter 3: Section 3.1, 3.2 Input and output (I/O) programming Communicating with I/O devices Busy-wait I/O Interrupt-driven I/O I/O devices Devices may include digital and non-digital

529 views • 33 slides
CS 1550 Chapter 5 I/O Block Devices A device that stores data in fixed sized blocks, each

CS 1550 Chapter 5 I/O Block Devices A device that stores data in fixed sized blocks, each

CS 1550 Chapter 5 I/O Block Devices A device that stores data in fixed sized blocks, each uniquely addressed, and can be Jonathan Misurda randomly accessed jmisurda@cs.pitt.edu Character Devices Device Controllers Device that delivers

171 views • 4 slides

More recommend