I joined LC3 China last week. Some topics seemed very interesting.
Secure Containers with EPT Isolation (Huawei, Intel) builds containers with EPT page table protection. EPT is a memory virtualization technology used in KVM and Xen by default. Compared with the KVM-based containers (Intel: Clear Container or Huawei VM-based containers), it could be deployed in a VM in the cloud.
Chunyan Liu from Huawei showed how to prevent the attack with namespace-like memory isolation:
Coly Li from SUSE works on SSD/NVM optimization. He explained the bottleneck of the Global I/O barrier and showed the performance improvement after Hash Bucket Barriers and the Lockless I/O barrier were merged.
The final performance comparison is as follows:
There are two related topics about libos. The first one is from VMware, who work on a Linux libos. It seems similar to the work from Hajime Tazaki. The other one is porting a unikernel to aarch64 in uKVM. I think a unikernel could potentially get a performance improvement for a single-process application if the unikernel could provide all the dependencies for the apps. It seems that the only use case is network-based applications. Compared with a unikernel, running a 'fully functional' Linux as the base of the libos seems to resolve the porting effort for the apps' dependencies, because the software on Linux does not need to be modified (it only needs to be statically linked).
Reference: The slides of LC3 China