Frontiers of Computer Science
ISSN 2095-2228 | ISSN 2095-2236 (Online) | CN 10-1014/TP | Postal Subscription Code 80-970 | 2018 Impact Factor: 1.129

Front. Comput. Sci.    2025, Vol. 19 Issue (5) : 195106    https://doi.org/10.1007/s11704-024-2568-8
Architecture
System log isolation for containers
Kun WANG1,2, Song WU1, Yanxiang CUI1, Zhuo HUANG1, Hao FAN1, Hai JIN1
1. National Engineering Research Center for Big Data Technology and System, Services Computing Technology and System Lab, Cluster and Grid Computing Lab, School of Computer Science and Technology, Huazhong University of Science and Technology, Wuhan 430074, China
2. State Key Laboratory of Complex & Critical Software Environment, College of Information and Communication, National University of Defense Technology, Wuhan 430019, China
Abstract

Container-based virtualization is increasingly popular in cloud computing because of its efficiency and flexibility. Isolation is a fundamental property of containers, and weak isolation can cause significant performance degradation and security vulnerabilities. However, existing work has rarely discussed the isolation of the system log, which is critical for monitoring and maintaining containerized applications. In this paper, we present a detailed isolation analysis of the system log in current container environments. First, we identify several system log isolation problems that significantly affect system usability, security, and efficiency. For example, the system log exposes information about the host and co-resident containers to a container, causing information leakage. Second, we show that the root cause of these isolation problems is that containers share the global log configuration, the same log storage, and the global log view. To address these problems, we design and implement a system named private logs (POGs). POGs gives each container its own log configuration and stores each container's logs individually, which removes the sharing of log configuration and log storage, respectively. In addition, POGs provides a private log view that makes clear which container each log message belongs to. Experimental results show that POGs effectively enhances system log isolation for containers with negligible performance overhead.

Keywords: container isolation; system log; cgroup; namespace; cloud computing
Corresponding Author(s): Song WU
Just Accepted Date: 17 January 2024; Issue Date: 11 June 2024
Cite this article: Kun WANG, Song WU, Yanxiang CUI, et al. System log isolation for containers[J]. Front. Comput. Sci., 2025, 19(5): 195106.
URL: https://academic.hep.com.cn/fcs/EN/10.1007/s11704-024-2568-8
URL: https://academic.hep.com.cn/fcs/EN/Y2025/V19/I5/195106
Fig.1  An example of system log message
Fig.2  Isolation problems during system log workflow in current container environment
| Phase | Isolation problem | Impact | Root cause |
|---|---|---|---|
| Log generation | Log configuration set by one container conflicts with that set by another container. | Containers fail to use log configuration to customize the log service. | Shared configuration |
| Log generation | Log operations performed by one container conflict with operations from another container. | The system log fails to serve containers. | Shared storage |
| Log access | One container can view information that does not belong to its respective namespace. | Effectively breaks the view isolation realized by the current namespace technique. | Shared view |
| Log access | The system log accidentally exposes information of the host and co-resident containers to one container. | This information leakage causes additional security concerns (e.g., covert channel attacks). | Shared view |
| Log analysis | The log storage of one container can be occupied by another container, causing unexpected log loss. | Reduces the accuracy of log analysis. | Shared storage |
| Log analysis | One container cannot distinguish its own logs and must analyze redundant logs. | Reduces the efficiency and accuracy of log analysis. | Shared view |

Tab.1  Isolation problems, their impacts, and their root causes
Fig.3  Architecture of POGs
| Function | Return value | API |
|---|---|---|
| Read logs | log messages | pogRead() |
| Write logs | bool | pogWrite(message) |
| Clear logs | bool | pogClear() |
| Set configuration | bool | pogConf(conf_path) |
| Set ring buffer size | bool | pogBuf(size) |

Tab.2  POGs APIs used by containers to control and configure their logs
| Isolation problem | Experimental operation | Result with native kernel | Result with POGs |
|---|---|---|---|
| Configuration conflict | Set the log level of container 1 and container 2 to info and error, respectively. | The output log level is higher than error. | The output log level is higher than info. |
| Operation conflict | Read and clear the system log in container 1 and container 2, respectively. | No system logs are returned. | System logs of container 1 are returned. |
| Namespace escape, information leakage | Read system logs in container 1 and container 2. | All system logs are returned. | The respective system logs are returned. |

Tab.3  Isolation improvement in log generation and log access
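The three experiments in Tab.3 (and the shared configuration, storage, and view root causes in Tab.1) can be reproduced on a small model of the kernel log. The following is an added illustration, not code from the paper or from the POGs implementation: `SharedLogKernel` models the native kernel, where every container hands its writes, level changes, and clear operations to one global ring buffer, and `PrivateLogKernel` models the POGs design, where each container gets its own buffer and configuration. The class and function names, the severity table, and the log lines are constructed for the example; the level filter is a simplified "drop anything less severe than the threshold" rule rather than the exact printk semantics.

```python
"""Toy model of shared vs. per-container system logs (constructed example)."""
from collections import deque

# printk-style severities: a lower number is more severe (emerg=0 ... debug=7).
LEVELS = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
          "warning": 4, "notice": 5, "info": 6, "debug": 7}


class LogStore:
    """One ring buffer plus its configuration (the level threshold)."""

    def __init__(self, capacity=64, level="warning"):
        self.buf = deque(maxlen=capacity)  # oldest entries are evicted first
        self.level = level                 # messages less severe than this are dropped

    def write(self, origin, severity, text):
        # Simplified filter: keep only messages at least as severe as the threshold.
        if LEVELS[severity] > LEVELS[self.level]:
            return False
        self.buf.append((origin, severity, text))
        return True

    def read(self):
        return list(self.buf)

    def clear(self):
        self.buf.clear()
        return True


class SharedLogKernel:
    """Native-kernel model: one buffer, one configuration, one view for everyone."""

    def __init__(self):
        self._store = LogStore()

    def store_for(self, container_id):
        return self._store  # every container (and the host) gets the same object


class PrivateLogKernel:
    """POGs-style model: a private buffer and configuration per container."""

    def __init__(self):
        self._stores = {}

    def store_for(self, container_id):
        return self._stores.setdefault(container_id, LogStore())


def run_experiments(kernel_cls):
    """Run the three Tab.3 experiments against a kernel model; return the outcomes."""
    results = {}

    # 1. Configuration conflict: c1 wants info, c2 wants err; c1 then logs at info.
    k = kernel_cls()
    k.store_for("c1").level = "info"
    k.store_for("c2").level = "err"
    results["info_message_kept"] = k.store_for("c1").write("c1", "info", "app started")

    # 2. Operation conflict: c1 writes, c2 clears, c1 reads back.
    k = kernel_cls()
    k.store_for("c1").write("c1", "warning", "disk almost full")
    k.store_for("c2").clear()
    results["c1_read_after_c2_clear"] = [m[2] for m in k.store_for("c1").read()]

    # 3. Namespace escape / leakage: host, c1 and c2 all log; which origins does c1 see?
    k = kernel_cls()
    k.store_for("host").write("host", "err", "eth0: link is down")
    k.store_for("c1").write("c1", "warning", "worker restarted")
    k.store_for("c2").write("c2", "warning", "cache evicted")
    results["origins_visible_to_c1"] = sorted({m[0] for m in k.store_for("c1").read()})
    return results


def leaked_origins(kernel_cls, container_id):
    """Defender's check: origins a container can read that are not its own."""
    visible = set(run_experiments(kernel_cls)["origins_visible_to_c1"]) \
        if container_id == "c1" else set()
    return sorted(visible - {container_id})


if __name__ == "__main__":
    for name, cls in (("native", SharedLogKernel), ("private", PrivateLogKernel)):
        print(name, run_experiments(cls), "leaked to c1:", leaked_origins(cls, "c1"))
```

With the shared model, container 2's level change silently discards container 1's info message, container 2's clear empties container 1's view, and container 1 reads host and co-resident entries; with the per-container model each container sees only its own configuration and messages, which is the isolation property Tab.3 reports for POGs.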
Fig.4  The log analysis efficiency under various numbers of containers (POGs versus native Linux kernel)
Fig.5  The log analysis accuracy under various numbers of containers (POGs versus native Linux kernel)
Fig.6  The performance overhead of POGs on launch time, memory footprint, and overall performance. (a) Launch time and memory; (b) overall performance
Fig.7  Throughput scalability of POGs