Description
Live migration allows transferring containers and their active process states to a
different host machine, which is beneficial for server maintenance, load balancing, and
security. Container live-migration is usually realized by a Checkpoint and Restore (CR)
mechanism that transparently saves and restores the process state leveraging the user
interface provided by the operating system kernel. However, not all containers can be
live-migrated, as only part of the process state is migratable under Linux. To the best
of our knowledge, no work exists that decides if a specific container is migratable from
user space in the first place.
In this thesis, we analyze whether particular aspects of the process state in a container
environment, and thus the container itself, can be transparently migrated from user
space by leveraging a combined approach based on kernel interface and implementation
analysis. We define a process state as migratable if both import and export
mechanisms for it exist. We analyze the relevance of process state aspects on correct
program execution and assess the migratability of the relevant state with respect to a
container environment. This involves an analysis of the kernel user interface, kernel
implementation, and the de facto standard CR implementation. Based on the analysis
results, we implement a proof-of-concept migratability checker that determines whether
a container can be migrated in its current state.
Our findings show that 7 of 11 classes of process resources are completely migratable,
while 4 are migratable only in certain cases. Our analysis highlights the complexity
of process migration and verifies that it is impossible to determine migratability for
every process at a given point in time. The proof of concept implementation shows that
the migratability of a container can be approximated, however, migratability cannot be
ultimately decided.
|
Thesis topic in co-operation with the Fraunhofer Institute for Applied and Integrated Security AISEC, Garching