Join the LC3 China last week. Some topics seem very interesting.

Secure container

Secure Containers with EPT Isolation(Huawei, Intel) build the containers with EPT page table protection. EPT is a memory virtualization technology used in kvm and xen by default. It could deployed in vm in the cloud compare with the kvm-based ontainers(Intel: Clear Container or Huawei vm-based containers).

Chunyan Liu From Huawei show that how to prevent the attack by namespace-alike memory isolation: LC3China_secure_container

nvme performance optimization

Coly Li from suse work on ssd/nvm optimization. He Explain the bottleneck for the Global I/O barrier and show the performance improvement after Hash Bucket Barriers and Lockless I/O barrier merged[3]. nvme_data_duplication nvme_md_raid1_io_barrier nvme_hash_bucket_barrier nvme_lockless_io_barrier

The final performance comparision are as follows nvme_performance notes:

libos and unikernel

There are two relative topics about libos. The first one from vmware who work on Linux libos. It seems similar with the work from Hajime Tazaki The other one is port unikernel to aarch64 in uKVM. I think unikernel could potentially get performance improvement for single process application if unikernel could provide all the dependency for apps. It seems that the only use-casse is network based application. Compare with unikernel, running a ‘full functional’ Linux as base of libos seems resolve the port effort for the dependency of apps, because the software on Linux do not need modify(only need to statically linked).

Other topics from our department besides secure container

Reference: The slide of LC3 China