ABSTRACT
Serverless computing has gained significant traction for its ability to streamline development workflows and optimize resource utilization. However, ensuring optimal performance and isolation for workloads in multi-tenant environments remains a critical challenge.
In this work, we identify the need for sandboxing mechanisms to extend the tenancy model of Knative and enhance the security and efficiency of multi-tenant serverless deployments. Existing solutions like gVisor and kata-containers provide a level of isolation but do not meet the requirements for allowing the execution of untrusted workloads in a Knative cluster.
We consider the option of unikernels in serverless environments. We build an end-to-end serverless system based on unikernels and compare its performance and isolation characteristics to existing sandbox solutions. Our initial findings demonstrate that existing sandbox mechanisms exhibit significant overheads. On the contrary, a unikernel-based solution offers a compelling balance between performance and security, achieving identical response times to generic containers.
- 2023. HTTP reply function in C. https://github.com/nubificus/app-httpreply/blob/nbfc-knative/main.cGoogle Scholar
- 2023. HTTP reply function in go. https://github.com/nubificus/helloworld-knative/blob/main/hello.goGoogle Scholar
- 2023. K8s tenancy model. https://kubernetes.io/blog/2021/04/15/three-tenancy-models-for-kubernetes/Google Scholar
- 2023. urunc: A unikernel container runtime. https://github.com/nubificus/uruncGoogle Scholar
- Alexander Jung, Unikraft. 2022. Beyond Orchestration: The Cloud Native Runtimes Ecosystem for Performance and Security. https://kccncna2022.sched.com/event/182OMGoogle Scholar
- Brendan Burns, Brian Grant, David Oppenheimer, Eric Brewer, and John Wilkes. 2016. Borg, Omega, and Kubernetes. Commun. ACM 59, 5 (apr 2016), 50--57. Google ScholarDigital Library
- James Cadden, Thomas Unger, Yara Awad, Han Dong, Orran Krieger, and Jonathan Appavoo. 2020. SEUSS: skip redundant paths to make serverless fast. In Proceedings of the Fifteenth European Conference on Computer Systems (Heraklion, Greece) (EuroSys '20). Association for Computing Machinery, New York, NY, USA, Article 32, 15 pages. Google ScholarDigital Library
- Henrique Fingler, Amogh Akshintala, and Christopher J. Rossbach. 2019. USETL: Unikernels for Serverless Extract Transform and Load Why should you settle for less?. In Proceedings of the 10th ACM SIGOPS Asia-Pacific Workshop on Systems (Hangzhou, China) (APSys '19). Association for Computing Machinery, New York, NY, USA, 23--30. Google ScholarDigital Library
- Gaulthier Gain, Cyril Soldani, Felipe Huici, and Laurent Mathy. 2022. Want more unikernels? inflate them!. In Proceedings of the 13th Symposium on Cloud Computing (San Francisco, California) (SoCC '22). Association for Computing Machinery, New York, NY, USA, 510--525. Google ScholarDigital Library
- Muhammed Golec, Guneet Kaur Walia, Mohit Kumar, Felix Cuadrado, Sukhpal Singh Gill, and Steve Uhlig. 2023. Cold start latency in serverless computing: A systematic review, taxonomy, and future directions. arXiv preprint arXiv:2310.08437 (2023).Google Scholar
- Tim Goodwin, Andrew Quinn, and Lindsey Kuper. 2023. What goes wrong in serverless runtimes? A survey of bugs in Knative Serving. In Proceedings of the 1st Workshop on SErverless Systems, Applications and MEthodologies (Rome, Italy) (SESAME '23). Association for Computing Machinery, New York, NY, USA, 12--18. Google ScholarDigital Library
- Google. 2018. gVisor. Documentation website.. https://gvisor.dev/docs/Google Scholar
- Eric Jonas, Johann Schleier-Smith, Vikram Sreekanti, Chia-Che Tsai, Anurag Khandelwal, Qifan Pu, Vaishaal Shankar, Joao Carreira, Karl Krauth, Neeraja Yadwadkar, et al. 2019. Cloud programming simplified: A berkeley view on serverless computing. arXiv preprint arXiv:1902.03383 (2019).Google Scholar
- Julian Friedman. 2020. Knative Threat Model. https://github.com/knative/community/blob/main/working-groups/security/threat-model.mdGoogle Scholar
- Kata Containers Community. 2019. kata-containers. Splash page. https://katacontainers.ioGoogle Scholar
- Simon Kuenzer, Vlad-Andrei Bădoiu, Hugo Lefeuvre, Sharan Santhanam, Alexander Jung, Gaulthier Gain, Cyril Soldani, Costin Lupu, Ştefan Teodorescu, Costi Răducanu, Cristian Banu, Laurent Mathy, Răzvan Deaconescu, Costin Raiciu, and Felipe Huici. 2021. Unikraft: fast, specialized unikernels the easy way. In Proceedings of the Sixteenth European Conference on Computer Systems (Online Event, United Kingdom) (EuroSys '21). Association for Computing Machinery, New York, NY, USA, 376--394. Google ScholarDigital Library
- Anil Madhavapeddy, Richard Mortier, Charalampos Rotsos, David Scott, Balraj Singh, Thomas Gazagnaire, Steven Smith, Steven Hand, and Jon Crowcroft. 2013. Unikernels: library operating systems for the cloud. SIGARCH Comput. Archit. News 41, 1 (mar 2013), 461--472. Google ScholarDigital Library
- Anil Madhavapeddy and David J. Scott. 2014. Unikernels: the rise of the virtual library operating system. Commun. ACM 57, 1 (jan 2014), 61--69. Google ScholarDigital Library
- Chetankumar Mistry, Bogdan Stelea, Vijay Kumar, and Thomas Pasquier. 2020. Demonstrating the Practicality of Unikernels to Build a Serverless Platform at the Edge. In 2020 IEEE International Conference on Cloud Computing Technology and Science (CloudCom). 25--32. Google ScholarCross Ref
- MITRE. 2024. CVE-list related to containers. CVE list of vulnerabilities related to the term 'containers'.. https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=containersGoogle Scholar
- Felix Moebius, Tobias Pfandzelter, and David Bermbach. 2024. Are Unikernels Ready for Serverless on the Edge? arXiv:cs.DC/2403.00515Google Scholar
- Michael Sammler, Deepak Garg, Derek Dreyer, and Tadeusz Litak. 2019. The high-level benefits of low-level sandboxing. Proc. ACM Program. Lang. 4, POPL, Article 32 (dec 2019), 32 pages. Google ScholarDigital Library
- Hossein Shafiei, Ahmad Khonsari, and Payam Mousavi. 2022. Serverless Computing: A Survey of Opportunities, Challenges, and Applications. ACM Comput. Surv. 54, 11s, Article 239 (nov 2022), 32 pages. Google ScholarDigital Library
- Zhiming Shen, Zhen Sun, Gur-Eyal Sela, Eugene Bagdasaryan, Christina Delimitrou, Robbert Van Renesse, and Hakim Weatherspoon. 2019. X-Containers: Breaking Down Barriers to Improve Performance and Isolation of Cloud-Native Containers. In Proceedings of the Twenty-Fourth International Conference on Architectural Support for Programming Languages and Operating Systems (Providence, RI, USA) (ASPLOS '19). Association for Computing Machinery, New York, NY, USA, 121--135. Google ScholarDigital Library
- Vincent van Rijn and Jan S. Rellermeyer. 2021. A fresh look at the architecture and performance of contemporary isolation platforms. In Proceedings of the 22nd International Middleware Conference (Québec city, Canada) (Middleware '21). Association for Computing Machinery, New York, NY, USA, 323--335. Google ScholarDigital Library
Index Terms
- Sandboxing Functions for Efficient and Secure Multi-tenant Serverless Deployments
Recommendations
High-density Multi-tenant Bare-metal Cloud
ASPLOS '20: Proceedings of the Twenty-Fifth International Conference on Architectural Support for Programming Languages and Operating SystemsVirtualization is the cornerstone of the infrastructure-as-a-service (IaaS) cloud, where VMs from multiple tenants share a single physical server. This increases the utilization of data-center servers, allowing cloud providers to provide cost-efficient ...
Multi-tenant, secure, load disseminated SaaS architecture
ICACT'10: Proceedings of the 12th international conference on Advanced communication technologyThe availability of high speed internet has diversified the way we used to intermingle with each other. The emergence of social networks and interactive web applications has left a dent in existing software and service delivery models. Software vendors ...
Supporting Multi-Provider Serverless Computing on the Edge
ICPP Workshops '18: Workshop Proceedings of the 47th International Conference on Parallel ProcessingServerless computing has recently emerged as a new execution model for cloud computing, in which service providers offer compute runtimes, also known as Function-as-a-Service (FaaS) platforms, allowing users to develop, execute and manage application ...
Comments