A Container-oriented Network Traffic Control System

With the development of cloud computing,virtualization technology has been widely used.In order to provide customers with a reliable operating environment,cloud service providers should ensure effective isolation of virtualized resources.Virtual machines have a complete operating system and a proprietary kernel.They can provide customers with isolation and control of computing,memory,storage,and network in a hardware abstraction.Containers are an emerging lightweight virtualization technology that share the kernel with the host to reduce virtualization overhead with poor isolation.As a mainstream container system,Docker uses CGroup to provide resource isolation and control for computing,memory,and storage but ignores the isolation of network resource.This causes containers to compete for network resource and affects the host's network performance.The container-oriented network traffic control system is based on the Traffic Control(TC)framework.TC is a network traffic control framework designed for non-virtualization processes.It cannot identify container packets under the container Overlay network.Its configuration process is complicated.And it focuses on static resource allocation leading to low resource utilization.The system proposes an identification module that contains a network packet ID designed for containers.The ID prevents information hiding caused by the Overlay and information loss caused by packets across network namespaces by adding container information in the packet control information structure.A resource module is presented that contains a series of container startup parameters and a converter for resource configuration.When a container starts,the network resource requirement is set by the startup parameters which are converted to the network resource to guarantee bandwidth,latency,and priority for containers.A dynamic adjustment module is proposed,which contains an algorithm to adjust the network traffic control requirement according to container states.When there are freed network resources,the module reallocates the resource to the running containers to maximize network resource utilization.Experiments show that the system can effectively provide network resource guarantees.The network influence is eliminated.The dynamic of the system can adjust resource to improves the utilization of the host.The system has no obvious performance overhead and meets the requirements of container lightweight virtualization.