Quantifying of runC, Kata and gVisor in Kubernetes


Rahmat Purwoko(1); Dimas Febriyan Priambodo(2*); Arbain Nur Prasetyo(3);

(1) Politeknik Siber dan Sandi Negara
(2) Politeknik Siber dan Sandi Negara
(3) Badan Siber dan Sandi Negara
(*) Corresponding Author

  

Abstract


The advent of container technology has emerged as a pivotal solution for application developers, addressing concerns regarding the seamless execution of developed applications during the deployment process. Various low-level container runtimes, including runC, Kata Container, and gVisor, present themselves as viable options for implementation. The judicious selection of an appropriate low-level container runtime significantly contributes to enhancing the efficiency of Kubernetes cluster utilization. To ascertain the optimal choice, comprehensive testing was conducted, encompassing both performance and security evaluations of the low-level container runtimes. This empirical analysis aids developers in making informed decisions regarding the selection of low-level container runtimes for integration into a Kubernetes cluster. The performance assessments span five key parameters: CPU performance, memory utilization, disk I/O efficiency, network capabilities, and the overall performance when executing an nginx web server. Three distinct tools—sysbench, iperf3, and Apache Benchmark—were employed to conduct these performance tests. The findings of the tests reveal that runC exhibits superior performance across all five parameters evaluated. However, a nuanced consideration of security aspects is imperative. Both Kata Container and gVisor demonstrate commendable host isolation, presenting limited vulnerability to exploitation. In contrast, runC exposes potential vulnerabilities, allowing for exploits against the host (worker node), such as unauthorized directory creation and system reboots. This comprehensive analysis contributes valuable insights for developers, facilitating an informed decision-making process when selecting low-level container runtimes within a Kubernetes environment.

Keywords


Containerization; gVisor; Kata Container; Performance Analysis; RunC; Security Analysis

  
     


Digital Object Identifier

doi  https://doi.org/10.33096/ilkom.v16i1.1679.%25p
  






Copyright (c) 2024 Rahmat Purwoko, Dimas Febriyan Priambodo, Muhammad Hasbi, Andriani Kusumaningrum, Sri Siswanti, Arbain Nur Prasetyo

Creative Commons License
This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.