The FT1000 is a high-performance 64-bit general-purpose processor developed by the National University of Defense Technology. The processor supports hardware virtualization, and a hypervisor-based virtualization has been implemented on it, so it can run up to 64 partitions. Each partition owns independent computing resources and can run a separate operating system. The hypervisor model provides private resources for each partition; however, this strong isolation strategy sacrifices the execution efficiency of the system. Since the performance of the domestic FT CPU trails that of the major foreign CPUs by an order of magnitude, research into a lightweight virtualization technology on the FT platform is essential. Our study therefore focuses on a suitable lightweight virtualization solution for the FT platform, container-based virtualization, and we have designed and implemented the FTContainer framework on the Kylin operating system.

First, this paper introduces a container-based architecture for the FT processor, the FTContainer framework, based on an in-depth analysis of the advantages and disadvantages of current mainstream container-based virtualization software, and then implements the framework on the Kylin operating system. The FTContainer framework consists of three parts: the application isolation module, the resource management module and the live migration module. The application isolation module creates virtual execution environments for all kinds of applications on the Kylin operating system, and each virtual execution environment is isolated from the others. The resource management module uses the cgroup mechanism of the Linux kernel for resource allocation, including CPU, memory and I/O devices. The live migration module realizes real-time migration of a container image between FT servers.
The image of a container covers the execution state of the container, open file information, buffer information, virtual CPU state and so on.

Next, a series of approaches is proposed to solve the problems of the FTContainer framework from the aspects of application isolation, resource management and live migration. For application isolation, we present a strong isolation method with a complete container context: isolation is achieved by packing the PID, mount, IPC, UTS, user and network namespaces into a container, so that no container holds any pointer to an object of another container's namespaces. This provides an enhanced isolation environment for applications with a complete execution context. For resource management, we propose a two-level process group management and implement resource accounting and virtualization of the /proc file system by combining the cgroup mechanism with a beancounter approach, which gives a convenient way to control container resources. We also present a two-level fair CPU scheduling and disk quota algorithm, implemented through the CPU share and disk share of a container, which provides flexible resource scheduling for the system. For live migration, a checkpoint-based mechanism is used: we introduce process checkpointing to restore the execution context of a process and implement a smooth migration with zero container halt.

Finally, the study compares the performance of the FTContainer Kylin operating system with that of the bare Kylin operating system using the Lmbench, Unixbench and IOZone test suites. The test results show that FTContainer Kylin achieves good performance and outperforms the hypervisor model by 61%.