Bypass Container Overlay Networks with Transparent BPF-driven Socket Replacement

Q1 Computer Science IEEE Cloud Computing Pub Date : 2022-07-01 DOI:10.1109/CLOUD55607.2022.00033

Sunyanan Choochotkaew, Tatsuhiro Chiba, Scott Trent, Marcelo Amaral

{"title":"Bypass Container Overlay Networks with Transparent BPF-driven Socket Replacement","authors":"Sunyanan Choochotkaew, Tatsuhiro Chiba, Scott Trent, Marcelo Amaral","doi":"10.1109/CLOUD55607.2022.00033","DOIUrl":null,"url":null,"abstract":"Containerization on the cloud offers several crucial benefits. However, these benefits are negated by the effects of virtual network stack and address encapsulation, especially for workloads that require intense communication. Socket replacement is a promising approach to breach this wall without changing the underlay infrastructure by replacing a nested network stack with a simple host network stack. Current state-of-the-art approaches perform this replacement by preloading the overridden socket library in a containerized process. However, the preloading approach requires user effort to modify the deploying manifests and a compromised security policy configuration of privileged containers to access the host namespace. This paper introduces a new replacement framework where a secured control plane agent performs the replacement by utilizing low-overhead BPF kernel tracing technology. As a result, containers can obtain host-native network performance and neither modification nor escalated privileges are required for user containers. Experiments on multiple benchmarks including iPerf, MPI, memslap, and GROMACS have been conducted to confirm efficacy.","PeriodicalId":54281,"journal":{"name":"IEEE Cloud Computing","volume":"228 1","pages":"134-143"},"PeriodicalIF":0.0000,"publicationDate":"2022-07-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"1","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"IEEE Cloud Computing","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/CLOUD55607.2022.00033","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q1","JCRName":"Computer Science","Score":null,"Total":0}

引用次数: 1

Abstract

Containerization on the cloud offers several crucial benefits. However, these benefits are negated by the effects of virtual network stack and address encapsulation, especially for workloads that require intense communication. Socket replacement is a promising approach to breach this wall without changing the underlay infrastructure by replacing a nested network stack with a simple host network stack. Current state-of-the-art approaches perform this replacement by preloading the overridden socket library in a containerized process. However, the preloading approach requires user effort to modify the deploying manifests and a compromised security policy configuration of privileged containers to access the host namespace. This paper introduces a new replacement framework where a secured control plane agent performs the replacement by utilizing low-overhead BPF kernel tracing technology. As a result, containers can obtain host-native network performance and neither modification nor escalated privileges are required for user containers. Experiments on multiple benchmarks including iPerf, MPI, memslap, and GROMACS have been conducted to confirm efficacy.

查看原文

微信好友朋友圈 QQ好友复制链接

本刊更多论文

具有透明bpf驱动的套接字替换的旁路容器覆盖网络

云上的容器化提供了几个关键的好处。然而，这些好处被虚拟网络堆栈和地址封装的影响抵消了，特别是对于需要密集通信的工作负载。套接字替换是一种很有前途的方法，可以在不改变底层基础设施的情况下突破这堵墙，方法是用简单的主机网络堆栈替换嵌套网络堆栈。当前最先进的方法通过在容器化进程中预加载被覆盖的套接字库来执行这种替换。但是，预加载方法需要用户修改部署清单和特权容器的安全策略配置，以便访问主机名称空间。本文介绍了一种新的替换框架，该框架利用低开销的BPF内核跟踪技术，由一个安全的控制平面代理执行替换。因此，容器可以获得主机本机网络性能，并且不需要修改或升级用户容器的特权。在iPerf、MPI、memslap和GROMACS等多个基准测试上进行了实验，以证实其有效性。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文去求助

来源期刊

IEEE Cloud Computing Computer Science-Computer Networks and Communications

CiteScore

11.20

自引率

0.00%

发文量

期刊介绍： Cessation. IEEE Cloud Computing is committed to the timely publication of peer-reviewed articles that provide innovative research ideas, applications results, and case studies in all areas of cloud computing. Topics relating to novel theory, algorithms, performance analyses and applications of techniques are covered. More specifically: Cloud software, Cloud security, Trade-offs between privacy and utility of cloud, Cloud in the business environment, Cloud economics, Cloud governance, Migrating to the cloud, Cloud standards, Development tools, Backup and recovery, Interoperability, Applications management, Data analytics, Communications protocols, Mobile cloud, Private clouds, Liability issues for data loss on clouds, Data integration, Big data, Cloud education, Cloud skill sets, Cloud energy consumption, The architecture of cloud computing, Applications in commerce, education, and industry, Infrastructure as a Service (IaaS), Platform as a Service (PaaS), Software as a Service (SaaS), Business Process as a Service (BPaaS)