
Study Of Computing Resource Hard Isolation Technology Between Containers Based On VT-x

Posted on: 2018-03-01
Degree: Master
Type: Thesis
Country: China
Candidate: X G Wang
Full Text: PDF
GTID: 2348330533457863
Subject: Computer Science and Technology

Abstract/Summary:
CPU computing performance has developed rapidly, but the problem of low CPU resource utilization is becoming more and more serious. The traditional virtual machine abstracts the hardware and provides a unified service interface to multiple guests at the same time, which improves CPU utilization; however, the virtual machine itself occupies considerable resources, resulting in duplicated resource waste. Containers, as another virtualization technology, are lightweight and multiplex kernel services, which greatly improves CPU utilization, and they are widely used in many fields. But container technology is built on a shared kernel code base and isolates resource use purely in software, which introduces serious security risks.

This thesis investigates these problems of the container and proposes a resource isolation technology to address them. The technology runs a number of hardware-isolated operating systems directly on bare-metal hardware; each operating system is a separate guest that runs containers. This improves CPU resource utilization while providing an efficient and safe operating environment. Based on the VT-x features of the Intel platform, the thesis designs the key hardware isolation mechanisms: physical CPU isolation, peripheral isolation, and memory isolation.

Physical CPU isolation is implemented through the VMCS mechanism. The VMCS mechanism allocates a 4KB memory page for each physical CPU, which maps all operations on that CPU: for example, modifying a data item in a specific field of the memory page modifies the data of the corresponding register of the physical CPU mapped to that page. Using this feature, each container runs on its own exclusive CPUs. Peripheral isolation is achieved via VAPIC interrupt forwarding: the VMM first receives the external hardware interrupt according to pre-set configurations, then re-injects the interrupt into the guest. In this way, a peripheral device is operated exclusively by one container. Memory isolation is achieved through the EPT feature. The EPT mechanism adds new MMU hardware in the CPU that isolates every illegal memory access made by a container. Together, these three kinds of isolation ensure the safe and reliable operation of the container.

On the basis of these key mechanisms, the thesis designs and implements the hardware isolation solution. Finally, the author tested and validated the system. According to the results of the test cases, the system successfully achieves physical CPU isolation, PCI device isolation, and memory isolation. In this system, different containers cannot access each other, and an error in one container does not spread to other containers. The system operates safely, stably and reliably, which ensures long-term operation of the container system.
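The memory-isolation mechanism described above rests on EPT: a second-level page table that maps the guest-physical addresses a container sees to the host-physical pages the hypervisor has assigned it, with an EPT violation raised for any address that is unmapped or whose read/write/execute permissions do not allow the access. The following user-space simulation of a four-level EPT walk is an added example, not code from the thesis; it follows the Intel SDM EPT entry layout (bits 0-2 = R/W/X, bits 12-51 = page address) and uses constructed values (the `DEMO_HOST_BASE` region, the 16-page layout, the helper names `ept_map_page`, `ept_translate` and `ept_setup_demo`), which are assumptions for illustration only.

```c
/* Added example (not from the thesis): simulate an EPT walk for one
 * container's guest-physical space.  Every guest-physical address is
 * translated through four 4KB-aligned tables; an unmapped entry or a
 * permission mismatch is reported as an EPT violation, which is what
 * confines a container's illegal memory accesses. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define EPT_R          1ULL
#define EPT_W          2ULL
#define EPT_X          4ULL
#define EPT_PERM_MASK  7ULL                   /* bits 0-2: R/W/X */
#define EPT_ADDR_MASK  0x000FFFFFFFFFF000ULL  /* bits 12-51: page address */
#define ENTRIES        512
#define PAGE_SIZE      4096ULL
#define DEMO_HOST_BASE 0x40000000ULL          /* constructed host region */

typedef uint64_t ept_table[ENTRIES];

/* One table per level, statically allocated and page-aligned so the
 * walk can run in user space without a hypervisor. */
static ept_table pml4 __attribute__((aligned(4096)));
static ept_table pdpt __attribute__((aligned(4096)));
static ept_table pd   __attribute__((aligned(4096)));
static ept_table pt   __attribute__((aligned(4096)));

typedef struct {
    int violation;     /* 1 if the access raises an EPT violation */
    uint64_t host_pa;  /* host-physical address when no violation */
} ept_result;

/* Build a non-leaf entry pointing at the next-level table. */
static uint64_t table_entry(uint64_t *table, uint64_t perms) {
    return ((uint64_t)(uintptr_t)table & EPT_ADDR_MASK) | (perms & EPT_PERM_MASK);
}

/* Map one 4KB guest-physical page to a host-physical page.  This example
 * wires up a single page table, so guest addresses are limited to 2MB. */
int ept_map_page(uint64_t guest_pa, uint64_t host_pa, uint64_t perms) {
    if (guest_pa >= ENTRIES * PAGE_SIZE) return -1;
    if ((guest_pa | host_pa) & (PAGE_SIZE - 1)) return -1;
    pml4[0] = table_entry(pdpt, EPT_PERM_MASK);
    pdpt[0] = table_entry(pd, EPT_PERM_MASK);
    pd[0]   = table_entry(pt, EPT_PERM_MASK);
    pt[(guest_pa >> 12) & 0x1FF] = (host_pa & EPT_ADDR_MASK) | (perms & EPT_PERM_MASK);
    return 0;
}

/* Walk the tables for guest_pa with the requested access (EPT_R/W/X).
 * An entry with R=W=X=0 is not present; effective permissions are the
 * AND of all levels, as in hardware EPT. */
ept_result ept_translate(uint64_t guest_pa, uint64_t access) {
    ept_result r = { 1, 0 };
    uint64_t idx[4] = { (guest_pa >> 39) & 0x1FF, (guest_pa >> 30) & 0x1FF,
                        (guest_pa >> 21) & 0x1FF, (guest_pa >> 12) & 0x1FF };
    uint64_t *table = pml4;
    uint64_t perms = EPT_PERM_MASK;
    for (int level = 0; level < 4; level++) {
        uint64_t e = table[idx[level]];
        if ((e & EPT_PERM_MASK) == 0) return r;          /* not present */
        perms &= e & EPT_PERM_MASK;
        if (level < 3) {
            table = (uint64_t *)(uintptr_t)(e & EPT_ADDR_MASK);
        } else {
            if ((access & ~perms) != 0) return r;        /* permission violation */
            r.violation = 0;
            r.host_pa = (e & EPT_ADDR_MASK) | (guest_pa & (PAGE_SIZE - 1));
        }
    }
    return r;
}

/* Constructed layout: 16 guest pages; 0-7 RWX, 8-14 RW (no execute),
 * page 15 read-only.  Returns the number of pages mapped. */
int ept_setup_demo(void) {
    memset(pml4, 0, sizeof pml4); memset(pdpt, 0, sizeof pdpt);
    memset(pd, 0, sizeof pd);     memset(pt, 0, sizeof pt);
    int mapped = 0;
    for (uint64_t i = 0; i < 16; i++) {
        uint64_t perms = i < 8 ? (EPT_R | EPT_W | EPT_X) : i < 15 ? (EPT_R | EPT_W) : EPT_R;
        if (ept_map_page(i * PAGE_SIZE, DEMO_HOST_BASE + i * PAGE_SIZE, perms) == 0) mapped++;
    }
    return mapped;
}

int main(void) {
    ept_setup_demo();
    struct { uint64_t gpa, access; const char *what; } cases[] = {
        { 0x1234,     EPT_R, "read inside the container's region" },
        { 0x9000,     EPT_X, "execute from a non-executable page" },
        { 0xF000,     EPT_W, "write to a read-only page" },
        { 0x20000,    EPT_R, "read an unmapped guest page" },
        { 0x40000000, EPT_R, "read outside the container's 2MB region" },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        ept_result r = ept_translate(cases[i].gpa, cases[i].access);
        if (r.violation) printf("%-45s -> EPT violation\n", cases[i].what);
        else printf("%-45s -> host PA 0x%llx\n", cases[i].what, (unsigned long long)r.host_pa);
    }
    return 0;
}
```

Only the first case translates; the other four are exactly the accesses the abstract says the EPT mechanism must stop: code execution from data pages, writes to read-only pages, and any reference to memory that was never assigned to this container, whether just past its mapping or in another guest's region.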
Keywords/Search Tags:VT-x, hardware-isolation, container, virtualization