Title: bypass4netns: Accelerating TCP/IP Communications in Rootless Containers
Authors: Naoki Matsumoto, Akihiro Suda
DOI: arxiv-2402.00365 (https://doi.org/arxiv-2402.00365)
Venue: arXiv - CS - Operating Systems
Publication date: 2024-02-01
Publication type: Journal Article
Platform: Semanticscholar
Citations: 0
Abstract
"Rootless containers" is a concept for running the entire container runtime and
its containers without root privileges. It protects the host environment from
attackers who exploit container runtime vulnerabilities. However, when rootless
containers communicate with external endpoints, network performance is low
compared to rootful containers because of the overhead of the rootless
networking components. In this paper, we propose bypass4netns, which
accelerates TCP/IP communications in rootless containers by bypassing the slow
networking components. bypass4netns uses sockets allocated on the host: it
switches the sockets in containers to the host's sockets by intercepting
syscalls and injecting file descriptors using Seccomp. Our Seccomp-based method
can handle statically linked applications that previous works could not. We
also propose high-performance rootless multi-node communication. We confirmed
that rootless containers with bypass4netns achieve more than 30x higher
throughput than rootless containers without it. In addition, we evaluated
performance with applications and observed large improvements for some of them.