Fine-Grained Isolation for Scalable, Dynamic, Multi-tenant Edge Clouds

SLIDE 1

Fine-Grained Isolation for Scalable, Dynamic, Multi-tenant Edge Clouds

Yuxin Ren, Guyue Liu, Vlad Nitu, Wenyuan Shao, Riley Kennedy, Gabriel Parmer, Timothy Wood, Alain Tchana

Presented by: Vlad Nitu

SLIDE 2

EdgeOS: Fine-Grained Isolation for Scalable, Dynamic, Multi-Tenant Edge Clouds – USENIX ATC 2020

Edge Cloud

  • 40 million IoT devices in 2027
  • CPSs require real-time reaction
  • “code moving to data” -> edge computing
  • Edge clouds: tiny datacenters deployed close to the user

SLIDE 3

Edge cloud

  • Application requirements:
      • “Bump-in-the-wire” -> 5G Cellular processing, network middleboxes…
      • Predictable low latency -> Edge caches, IoT/CPS control…
  • Edge Cloud requirements:
      • Serve a large number of clients with high churn
      • Efficiently use limited resources
      • Guarantee strong isolation: between untrusted services and clients

[Diagram label: Firewall]

SLIDE 4

Edge Cloud: Isolation

[Diagram labels: Memcached IDS Inference Firewall TLS Termination]

SLIDE 5

Edge Cloud: Isolation

[Diagram labels: Memcached IDS Inference Firewall TLS Termination]

Service isolation

SLIDE 6

Edge Cloud: Isolation

[Diagram labels: Memcached IDS Inference Firewall TLS Termination]

Client isolation

SLIDE 7

Existing Solutions

  • Process
  • Container
  • Virtual machine

SLIDE 8

Existing Solutions

Table columns: Isolation, Scalability, Startup time, High performance networking
Table rows: process, container, virtual machine
Cell marks, in page order: ✓ ✗ ✗ ✗ ✗ ✓ ○ ○ ○ ✗

SLIDE 9

Existing Solutions

Table columns: Isolation, Scalability, Startup time, High performance networking
Table rows: process, container, virtual machine, EdgeOS
Cell marks, in page order: ✓ ✗ ✗ ✗ ✗ ✓ ○ ○ ○ ✗ ✓ ✓ ✓ ✓

SLIDE 10

EdgeOS

Table columns: Isolation, Scalability, Startup time, High performance networking
Table rows: process, container, virtual machine, EdgeOS
Cell marks, in page order: ✗ ✗ ✗ ✓ ✗ ✗ ✓

EdgeOS: Isolation, Predictability, and Scale

  → Based on Composite microkernel OS, designed for Real-Time guarantees
  → High speed data movement (10Gbps+) without sacrificing isolation
  → Startup 170X faster than fork+exec and 84,000X faster than containers!
  → Scales to 1000s of services per host = 1 service per user!

SLIDE 11

How is this possible?

  • 1. Feather Weight Processes
      • Lightweight process abstraction
      • Minimal memory footprint
      • Recycle FWP for fast startup
  • 2. Memory Movement Accelerator
      • Mediates FWP communication
      • Securely copies data
      • Efficiently manages buffers
  • 3. uKernel and Control Plane
      • Manages lifecycle and scheduling
      • Defines FWP data flow
      • Capability-based access control

[Diagram labels: FWP, MMA]

SLIDE 12

EdgeOS architecture

  • FWP (Feather-Weight Processes):
      • Minimal abstractions: memory + a small set of kernel resources
      • Input and output message rings
      • Library-based OS services
      • Small enough to instantiate one per incoming client or group of clients
      • Recycled to clean state for fast startup

[Diagram labels: Firewall FWP, Https Proxy FWP, In ring, Out ring]

SLIDE 13

EdgeOS architecture

  • MMA (Memory Movement Accelerator):
      • Enables chains of FWP services
      • Enforce isolation through data copying
      • Executed on dedicated cores
      • Sustain throughput competitive with data sharing
      • Optimized buffer allocation and integration with the FWP scheduler

[Diagram labels: Https Proxy FWP, Firewall FWP, Https Proxy FWP, MMA]
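
The copy-based mediation that the FWP and MMA slides describe, as an added C sketch that is not EdgeOS code and not from the presentation. The ring layout, the sizes and the names ring_put, mma_move and demo_isolated are assumptions made for illustration.

```c
#include <stdint.h>
#include <string.h>

#define RING_SLOTS 8   /* assumed ring depth */
#define SLOT_BYTES 64  /* assumed maximum message size */

struct slot { uint32_t len; uint8_t data[SLOT_BYTES]; };
/* In this sketch each ring is memory private to one FWP. */
struct ring { uint32_t head, tail; struct slot slots[RING_SLOTS]; };

/* FWP side: queue a message on a ring the FWP owns. */
int ring_put(struct ring *r, const void *buf, uint32_t len) {
    if (len > SLOT_BYTES || r->tail - r->head == RING_SLOTS) return -1;
    struct slot *s = &r->slots[r->tail % RING_SLOTS];
    memcpy(s->data, buf, len);
    s->len = len;
    r->tail++;
    return 0;
}

/* Mediator (the MMA role): copy one message from the sender's out ring
 * to the receiver's in ring. Returns bytes moved, 0 when there is
 * nothing to move or no room, -1 when the sender's length is rejected. */
int mma_move(struct ring *out, struct ring *in) {
    if (out->head == out->tail) return 0;
    if (in->tail - in->head == RING_SLOTS) return 0;  /* receiver full */
    struct slot *src = &out->slots[out->head % RING_SLOTS];
    uint32_t len = src->len;         /* read the untrusted length once */
    out->head++;                     /* consume the slot either way */
    if (len > SLOT_BYTES) return -1; /* never copy past the slot */
    struct slot *dst = &in->slots[in->tail % RING_SLOTS];
    memcpy(dst->data, src->data, len);
    dst->len = len;
    in->tail++;
    return (int)len;
}

/* Constructed scenario: a firewall FWP sends "GET /", then overwrites
 * its own ring; the proxy FWP's copy must not change. Returns 1 if so. */
int demo_isolated(void) {
    struct ring fw_out = {0}, proxy_in = {0};
    ring_put(&fw_out, "GET /", 5);
    if (mma_move(&fw_out, &proxy_in) != 5) return 0;
    memset(&fw_out, 0xff, sizeof fw_out);  /* sender misbehaves later */
    return proxy_in.slots[0].len == 5 &&
           memcmp(proxy_in.slots[0].data, "GET /", 5) == 0;
}

int main(void) { return demo_isolated() ? 0 : 1; }
```

Because the receiver only ever reads its own ring, nothing the sender does after the copy can change what the receiver sees, which is the property shared buffers would not give.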

SLIDE 14

EdgeOS architecture

  • Data plane:
      • FWPs and MMA
      • DPDK-based networking
  • Control plane:
      • The EdgeOS controller
      • The FWP Manager
      • The Scheduler

SLIDE 15

EdgeOS: packet processing steps

[Figure: packet processing steps (1) to (7)]

SLIDE 16

Evaluation: start time

  • Docker: the execution time of “docker start”
  • Firecracker: the start time of the recommended “hello” image
  • Linux: fork() + exec()

Start Time (ms), axis from 0.001 to 1000:

  Docker start    521
  Firecracker     126
  fork+exec       1.058
  EOS create      0.048
  EOS activate    0.0062

SLIDE 17

Evaluation: start time

  • EdgeOS creates an FWP 20x faster than a Linux process

SLIDE 18

Evaluation: start time

  • EdgeOS creates an FWP 20x faster than a Linux process
  • When the FWP is cached, the activation time is 170x faster than Linux

SLIDE 19

Evaluation: start time

  • EdgeOS creates an FWP 20x faster than a Linux process
  • When the FWP is cached, the activation time is 170x faster than Linux
  • FWP activation is ~10^5x faster than “docker start”

SLIDE 20

Evaluation: memcopy overhead

  • EdgeOS provides isolation and adds negligible overheads

[Figure: Throughput (Gbps) vs. Chain Length; series ONVM-64, EOS-64, ONVM-1024, EOS-1024]

SLIDE 21

Evaluation: scalability

FWPs as middleboxes

[Figure: Latency (100us) vs. #Clients; series ONVM-chain, ONVM-single, EOS-chain, EOS-single]

SLIDE 22

Evaluation: scalability

FWPs as middleboxes

Chart annotation: 25x

SLIDE 23

Evaluation: scalability

FWPs as middleboxes

Chart annotation: 2x

SLIDE 24

Evaluation: scalability

FWPs as TLS proxies

[Figure: Throughput (10K reqs/sec) vs. #Instances; series EOS throughput, Linux throughput]

SLIDE 25

Conclusion

  • EdgeOS: an OS for Edge clouds
  • Strong copy-based isolation
  • Minimalistic execution instances
  • Optimized for high churn and dense multi-tenancy
  • Start-up times up to 170x faster than Linux processes and 10^5x faster than Docker containers
  • Maintain line rate even with chains of 6 FWPs
  • Substantially improved scalability

SLIDE 26

Thank you for your attention!

Vlad Nitu: vlad.nitu@insa-lyon.fr
Yuxin Ren: ryx@gwmail.gwu.edu
Gabriel Parmer: gparmer@gwu.edu
Timothy Wood: timwood@gwu.edu