
Research On Kernel Log Isolation Mechanism Of Operating System Oriented To Container Environment

Posted on: 2022-10-27
Degree: Master
Type: Thesis
Country: China
Candidate: X J Du
Full Text: PDF
GTID: 2518306572497114
Subject: Computer technology
Abstract/Summary:
With the massive migration of computing to the cloud, more and more computing tasks are completed on service clusters in data centers. Container technology meets the needs of the application-centric era and is widely used in application deployment. Unlike traditional virtual machine technology, a container has no hardware-level virtualization, and all containers directly share the kernel of the host. This structure gives containers the advantages of being lightweight, fast to start, and easy to migrate, but at the same time it means that a container's isolation of system resources is inevitably incomplete. Improving the isolation of containers has therefore always been a focus of the industry. The kernel log of a Linux system is a global resource of the system, designed without isolation requirements in mind, so a privileged container can access the kernel log exactly as the host does. This situation is clearly contrary to the requirement of isolation and also brings security risks. It is therefore necessary to design and implement a kernel log isolation mechanism that isolates the kernel log and improves the isolation of containers.

The kernel log isolation mechanism of an operating system oriented to the container environment aims to solve the isolation problem of container kernel logs. Its core design idea is to define an isolation-oriented kernel log structure, use the pid namespace number of the process as the identity of the kernel log, associate that identity with the container through the Linux process management mechanism, and let the container and the host read the kernel log according to the result of that identification. On a system that implements the kernel log isolation mechanism, each kernel log entry carries identity information associating it with the container that owns it. A container can only read the kernel log generated by itself and cannot read the kernel log generated by the host or by other containers; at the same time, the host can read all kernel logs. The function test verifies that the mechanism correctly realizes the designed isolation function. Meanwhile, the performance test shows that the performance overhead of running this mechanism is 2.2%, which is within the allowable range.
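As an added illustration of the design idea described above (this is not code from the thesis), the following Python model tags every kernel log record with the pid namespace number of the process that emitted it, lets a reader in the host's initial pid namespace see the whole buffer, and restricts a reader in any other namespace to its own records; an unisolated read is kept beside it to show the defect the mechanism removes. The integer namespace numbers, the log texts and the `HOST_PIDNS` constant are constructed, and the thesis does not say how the namespace number is obtained from a process or how the host namespace is recognised, so both are assumptions here.

```python
"""Model of pid-namespace-tagged kernel log isolation (constructed example)."""
from dataclasses import dataclass
from typing import List

# Assumption: the host's initial pid namespace is identified by this number.
HOST_PIDNS = 1


@dataclass(frozen=True)
class LogRecord:
    pidns: int   # pid namespace number of the emitting process: the record's identity
    level: int   # kernel log level (0 = emergency ... 7 = debug), as in printk
    text: str


class KernelLog:
    """Bounded ring buffer whose records carry the writer's pid namespace number."""

    def __init__(self, capacity: int = 1024) -> None:
        self.capacity = capacity
        self._records: List[LogRecord] = []

    def printk(self, writer_pidns: int, level: int, text: str) -> None:
        """Append a record; the oldest record is dropped when the buffer is full."""
        self._records.append(LogRecord(writer_pidns, level, text))
        if len(self._records) > self.capacity:
            del self._records[0]

    def read_unisolated(self, reader_pidns: int) -> List[LogRecord]:
        """The global-resource behaviour: every reader sees everything."""
        return list(self._records)

    def read_isolated(self, reader_pidns: int) -> List[LogRecord]:
        """Isolated read: the host sees all records, a container only its own."""
        if reader_pidns == HOST_PIDNS:
            return list(self._records)
        return [r for r in self._records if r.pidns == reader_pidns]


def build_sample_log() -> KernelLog:
    """Constructed buffer: host records interleaved with two containers' records."""
    log = KernelLog()
    log.printk(HOST_PIDNS, 6, "usb 1-1: new device")
    log.printk(200, 6, "eth0: link up")                 # container A (pidns 200)
    log.printk(300, 4, "nf_conntrack: table full")      # container B (pidns 300)
    log.printk(200, 3, "oom-killer: killed pid 17")     # container A again
    log.printk(HOST_PIDNS, 5, "systemd: reloading")
    return log


if __name__ == "__main__":
    sample = build_sample_log()
    for who in (HOST_PIDNS, 200, 300):
        print(f"reader pidns {who}:")
        for rec in sample.read_isolated(who):
            print(f"  <{rec.level}> [ns {rec.pidns}] {rec.text}")
```

A reader whose namespace number matches no record gets an empty view rather than an error, which mirrors the stated rule that a container reads only the log it generated itself.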
Keywords/Search Tags: Container, Isolation, Kernel Log, Pid Namespace