Paper Info
Title
Blending containers and virtual machines: a study of firecracker and gVisor
Abstract
With serverless computing, providers deploy application code and manage resource allocation dynamically, eliminating infrastructure management from application development. Serverless providers have a variety of virtualization platforms to choose from for isolating functions, ranging from native Linux processes to Linux containers to lightweight isolation platforms, such as Google gVisor [7] and AWS Firecracker [5]. These platforms form a spectrum as they move functionality out of the host kernel and into an isolated guest environment. For example, gVisor handles many system calls in a user-mode Sentry process while Firecracker runs a full guest operating system in each microVM. A common theme across these platforms are the twin goals of strong isolation and high performance. In this paper, we perform a comparative study of Linux containers (LXC), gVisor secure containers, and Firecracker microVMs to understand how they use Linux kernel services differently: how much does their use of host kernel functionality vary? We also evaluate the performance costs of the designs with a series of microbenchmarks targeting different kernel subsystems. Our results show that despite moving much functionality out of the kernel, both Firecracker and gVisor execute substantially more kernel code than native Linux. gVisor and Linux containers execute substantially the same code, although with different frequency.
Year
DOI
Venue
2020
10.1145/3381052.3381315
VEE '20: 16th ACM SIGPLAN/SIGOPS International Conference on Virtual Execution Environments Lausanne Switzerland March, 2020
DocType
ISBN
Citations 
Conference
978-1-4503-7554-2
0
PageRank 
References 
Authors
0.34
0
3
Name
Order
Citations
PageRank
Anjali100.34
Tyler Harter222512.32
Michael M. Swift3190391.39