Analysis of security isolation technologies for HEP-Computing
- Virtual machines are for the most part not used inside of high-energy physics (HEP) environments. Even though they provide a high degree of isolation, the performance overhead they introduce is too great for them to be used. With the rising number of container technologies and their increasing separation capabilities, HEP-environments are evaluating if they could utilize the technology. The container images are small and self-contained which allows them to be easily distributed throughout the global environment. They also offer a near native performance while at the same time aproviding an often acceptable level of isolation. Only the needed services and libraries are packed into an image and executed directly by the host kernel. This work compared the performance impact of the three container technologies Docker, rkt and Singularity. The host kernel was additionally hardened with grsecurity and PaX to strengthen its security and make an exploitation from inside a container harder. The execution time of a physics simulation was used as a benchmark. The results show that the different container technologies have a different impact on the performance. The performance loss on a stock kernel is small; in some cases they were even faster than no container. Docker showed overall the best performance on a stock kernel. The difference on a hardened kernel was bigger than on a stock kernel, but in favor of the container technologies. rkt showed performed in almost all cases better than all the others.
Author: | Daniel Bilanovic |
---|---|
URN: | urn:nbn:de:hebis:30:3-479311 |
Referee: | Udo KebschullGND |
Advisor: | Udo Kebschull |
Document Type: | Master's Thesis |
Language: | English |
Year of Completion: | 2017 |
Year of first Publication: | 2017 |
Publishing Institution: | Universitätsbibliothek Johann Christian Senckenberg |
Granting Institution: | Johann Wolfgang Goethe-Universität |
Date of final exam: | 2017/12/21 |
Release Date: | 2018/10/30 |
Tag: | HEP-Computing; Isolation; Linux Container |
Page Number: | 48 |
HeBIS-PPN: | 438304411 |
Institutes: | Informatik und Mathematik / Informatik |
Dewey Decimal Classification: | 0 Informatik, Informationswissenschaft, allgemeine Werke / 00 Informatik, Wissen, Systeme / 004 Datenverarbeitung; Informatik |
Sammlungen: | Universitätspublikationen |
Licence (German): | Deutsches Urheberrecht |