Abstract
Containers are resource-efficient, and most IT industries are adopting container-based infrastructure. However, the security and isolation of containers are rather weak. In this work, we conduct an in-depth quantitative analysis of the performance characteristics of containerization technologies that strengthen container isolation and security, and discuss the scenarios to which each technology applies. We evaluate multiple cloud resource management dimensions of the RunC, gVisor, and Kata Containers runtimes, including performance, system calls, startup time, density, and isolation. Experimental results show that RunC and Kata Containers have less performance overhead, while gVisor suffers significant performance degradation in I/O and system calls, although its isolation is the best. Our work deepens the understanding of container performance characteristics and may help cloud computing practitioners make proper decisions on platform selection, system maintenance, and design.
Data availability
Data available on request from the authors.
Acknowledgements
This work is partially supported by a grant from the National Natural Science Foundation of China (No. 62032017), the National Key R&D Program of China (2018YFB1003605), the Key Industrial Innovation Chain Project in Industrial Domain of Shaanxi Province (Nos. 2021ZDLGY03-09, 2021ZDLGY07-02), and the Youth Innovation Team of Shaanxi Universities.
Author information
Contributions
All authors contributed equally to this work.
Ethics declarations
Conflict of interest
The authors declare that they have no conflicts of interest.
Informed consent
Informed consent was obtained from all individual participants involved in the study.
Research involving human participants or animals
This paper does not contain any studies involving human participants or animals performed by any of the authors. Xingyu Wang carried out the experiment and wrote the manuscript.
About this article
Cite this article
Wang, X., Du, J. & Liu, H. Performance and isolation analysis of RunC, gVisor and Kata Containers runtimes. Cluster Comput 25, 1497–1513 (2022). https://doi.org/10.1007/s10586-021-03517-8
DOI: https://doi.org/10.1007/s10586-021-03517-8