The Fusion of VMs and Processes: A System Perspective of cKernel

摘要

Virtual machines (VMs) and processes are two important abstractions for cloud virtualization, where VMs usually install a complete operating system (OS) executing user processes. Although existing in different layers in the virtualization hierarchy, VMs and processes have overlapped functionalities. For example, they are both intended to provide execution abstraction (e.g., physical/virtual memory address space), and share similar objectives of isolation, cooperation and scheduling. However, neither of them could provide the benefits of the other: VMs provide higher isolation, security and portability, while processes are more efficient, flexible and easier to schedule and cooperate. Currently, this heavyweight architecture degrades both efficiency and security of cloud services. There are two trends for cloud virtualization: the first is to enhance processes to achieve VM-like security, and the second is to reduce VMs to achieve process-like flexibility. Based on these observations, our vision is that in the near future VMs and processes might be fused into one new abstraction for cloud virtualization that embraces the best of both, providing VM-level isolation and security while preserving process-level efficiency and flexibility. We describe a reference implementation, dubbed cKernel (customized kernel), for the new abstraction. Essentially, cKernel enhances the exokernel architecture by (i) adopting the LibOS paradigm to assemble isolated, smallest possible "execution environments", and (ii) following the the "core-shell" model to dynamically add traditional process features to the environments.