DOCSLIB.ORG

Arxiv:2102.06972V1 [Cs.CR] 13 Feb 2021

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Arxiv:2102.06972V1 [Cs.CR] 13 Feb 2021 BPFCONTAIN: Fixing the Soft Underbelly of Container Security William Findlay David Barrera Anil Somayaji Carleton University Carleton University Carleton University Abstract such isolation is rarely enough on its own to serve a security barrier. In networking, network address translation (NAT) Linux containers currently provide limited isolation guaran- virtualizes IP addresses so one IP address can be shared by an tees. While containers separate namespaces and partition entire network of systems. While this many-to-one mapping resources, the patchwork of mechanisms used to ensure sepa- provides a significant degree of isolation to systems behind ration cannot guarantee consistent security semantics. Even the NAT, it is no substitute for a network firewall, especially worse, attempts to ensure complete coverage results in a one that is configured, e.g., to block outbound connections. mishmash of policies that are difficult to understand or audit. Linux containers are virtualized using cgroups [5] and names- Here we present BPFCONTAIN, a new container confine- paces [18], while confinement is enforced through seccomp- ment mechanism designed to integrate with existing container bpf [29] and mandatory access control mechanisms such as management systems. BPFCONTAIN combines a simple yet SELinux [45] and AppArmor [10]. While these confinement flexible policy language with an eBPF-based implementation mechanisms are powerful and flexible, container isolation that allows for deployment on virtually any Linux system was not their primary design goal, and currently they can only running a recent kernel. In this paper, we present BPFCON- accomplish the task with complex policies that are difficult to TAIN’s policy language, describe its current implementation write and audit. as integrated into docker, and present benchmarks comparing To properly isolate containers, the kernel requires clear it with current container confinement technologies. rules about what interactions are permissible, whether be- tween containers or with the host OS. Much like firewall 1 Introduction rules specify which packets may traverse it, OSes need un- ambiguous, auditable rules to determine what kernel-level Linux containers have become the preferred unit of appli- operations are and are not allowed based on container bound- cation management in the cloud, forming the foundation of aries. Following Unix tradition, the Linux kernel provides Docker [11], Kubernetes [20], Snap [46], Flatpak [14], and only security mechanisms and abstractions for defining secu- others. By including just the binaries, libraries, and configura- rity policies, but leaves policies themselves to be managed in tion files needed by an application, containers enable simpli- userspace. However, unlike processes, files, and network con- arXiv:2102.06972v1 [cs.CR] 13 Feb 2021 fied deployment of vendor-packaged applications, rapid hori- nections, the Linux kernel has no unified abstraction around zontal application scaling, and direct developer-to-production containers. DevOps workflows, all without the overhead of hypervisor- We assert that the lack of strong isolation guarantees for based virtual machines (HVMs). containers arises from a semantic gap between the security Many have recognized that containers currently offer weak mechanisms that currently exist in the Linux kernel and the isolation guarantees [25, 49, 50]. Weak container confine- policies that we wish to define to isolate containers. As long ment is less of a risk when all containers on a given host as the kernel does not implement container-level access con- are deployed by the same party. However, strong container trol mechanisms, the result will be complex, circumventable isolation mitigates privilege escalation attacks and is a critical container isolation. requirement in multi-tenancy environments where attacker- The Linux kernel has recently gained an alternative way controlled containers co-exist with benign containers. to implement security abstractions: eBPF. An extension of The key to improving container isolation lies in recognizing the Berkeley Packet Filter [33], Linux’s eBPF now allows for that isolation is not the same as virtualization. Virtualization complex monitoring and manipulation of kernel-level events. can exhibit isolation characteristics as a side effect; however, Thanks to implicit load-time verification of eBPF bytecode, 1 eBPF provides strong performance, portability, and safety over traditional approaches to container isolation and guarantees. More recent improvements to eBPF [9] have en- least-privilege. abled interfacing with Linux Security Module (LSM) hooks, allowing eBPF code to implement new kernel-level security The rest of this paper proceeds as follows. Section2 mechanisms. presents background and our motivation for implementing This paper proposes BPFCONTAIN, a novel approach to an eBPF-based container security mechanism. Section3 container security under the Linux kernel, rectifying over- presents an overview of BPFCONTAIN and discusses our privileged and insecure containers. Leveraging eBPF, BPF- threat model and design goals. Section4 describes BPFCON- CONTAIN uses runtime security instrumentation to implement TAIN’s policy language. Section5 discusses the design and container-aware policy enforcement and harden the host ker- implementation of its userspace components and enforcement nel against privilege escalation attacks mounted from within engine. Section6 presents an evaluation of BPFCONTAIN’s containers. Specifically, BPFCONTAIN attaches eBPF pro- security and performance. Section7 covers related work and grams to LSM hooks and critical functions within the kernel Section8 discusses limitations and opportunities for future to enforce per-container policy in kernelspace. work. Section9 concludes. Thanks to eBPF’s dynamic instrumentation capabilities, this integration occurs at runtime and requires no modifica- 2 Background and Motivation tion or patching of the kernel. BPFCONTAIN addresses the container userspace/kernelspace semantic gap by defining a This section reviews current techniques for achieving virtual- new YAML-based policy language for container confinement ization, isolation, and least privilege on Linux containers. It that allows for simple default deny and default allow policies, also provides background on the classic and extended Berke- high-level semantically meaningful permissions, and (where ley Packet Filters (BPF and eBPF), and discusses the moti- necessary) fine-grained control over the LSM API, all at the vation behind a new container-focused security enforcement level of containers. mechanism. While BPFCONTAIN can co-exist with seccomp-bpf, A container is a userspace representation of a set of pro- SELinux, and other existing Linux security mechanisms, it cesses that share the same virtualized view of files and system does not rely on them, and in fact in the context of container resources. Containers run directly on the host operating sys- isolation, BPFCONTAIN makes them redundant. It also has tem and share the underlying OS kernel, and thus do not modest userspace requirements, consisting only of a small require a full guest operating system or hypervisor to pro- daemon and a control program, both of which are written in vide the virtualized view of the system to applications (see Rust. In summary, we make the following contributions: Figure 2.1). To support security beyond basic process isola- • We present the design, implementation, and evaluation tion, modern container runtimes rely on a variety of low-level of BPFCONTAIN, a container-aware security enforce- Linux kernel facilities to enforce virtualization, isolation, and ment mechanism for Linux. BPFCONTAIN is available1 least-privilege. Note that by relying on a disparate set of under a GPLv2 license, and installation requires only a mechanisms and corresponding policies, a failure in the en- 5.10 or newer Linux kernel. While there is past work on forcement or policy in any single mechanism exposes the using eBPF for process sandboxing [13], BPFCONTAIN container to attacks. is both more general and more deployable, implementing mechanisms and a policy language specific to container 2.1 Container Security confinement and built using tools such as BPF CO-RE and Rust that have much lower space and runtime over- Namespaces and Control Groups (cgroups). These head. mechanisms allow for further confinement of processes by restricting the system resources that a process or group of pro- • We design a flexible policy language for confining con- cesses can access. Namespaces isolate access by providing tainers that offers optional layers of granularity to meet a a process group a private, virtualized naming of a class of wide range of real world container use cases. The policy resources, such as process IDs, filesystem mountpoints, and language is YAML-based, and expressive enough that user IDs. Cgroups (control groups) limit available quantities it can be used to confine individual system resources, of system resources, such as CPU, memory, and block device yet simple enough that it affords ad-hoc confinement use I/O. Namespaces and cgroups on their own cannot enforce cases. fine-grained access policies (e.g., to resources within a names- pace), and thus require additional mechanisms as described • We discuss integrating BPFCONTAIN with existing con- tainer management frameworks without modifying their below. source code, offering significant security advantages POSIX Capabilities. These provide a finer-grained alter- 1https://github.com/willfindlay/bpfcontain-rs
Load more

Recommended publications
  • The Kernel Report
    The kernel report (ELC 2012 edition) Jonathan Corbet LWN.net [email protected] The Plan Look at a year's worth of kernel work ...with an eye toward the future Starting off 2011 2.6.37 released - January 4, 2011 11,446 changes, 1,276 developers VFS scalability work (inode_lock removal) Block I/O bandwidth controller PPTP support Basic pNFS support Wakeup sources What have we done since then? Since 2.6.37: Five kernel releases have been made 59,000 changes have been merged 3069 developers have contributed to the kernel 416 companies have supported kernel development February As you can see in these posts, Ralink is sending patches for the upstream rt2x00 driver for their new chipsets, and not just dumping a huge, stand-alone tarball driver on the community, as they have done in the past. This shows a huge willingness to learn how to deal with the kernel community, and they should be strongly encouraged and praised for this major change in attitude. – Greg Kroah-Hartman, February 9 Employer contributions 2.6.38-3.2 Volunteers 13.9% Wolfson Micro 1.7% Red Hat 10.9% Samsung 1.6% Intel 7.3% Google 1.6% unknown 6.9% Oracle 1.5% Novell 4.0% Microsoft 1.4% IBM 3.6% AMD 1.3% TI 3.4% Freescale 1.3% Broadcom 3.1% Fujitsu 1.1% consultants 2.2% Atheros 1.1% Nokia 1.8% Wind River 1.0% Also in February Red Hat stops releasing individual kernel patches March 2.6.38 released – March 14, 2011 (9,577 changes from 1198 developers) Per-session group scheduling dcache scalability patch set Transmit packet steering Transparent huge pages Hierarchical block I/O bandwidth controller Somebody needs to get a grip in the ARM community.
    [Show full text]
  • Storage Administration Guide Storage Administration Guide SUSE Linux Enterprise Server 12 SP4
    SUSE Linux Enterprise Server 12 SP4 Storage Administration Guide Storage Administration Guide SUSE Linux Enterprise Server 12 SP4 Provides information about how to manage storage devices on a SUSE Linux Enterprise Server. Publication Date: September 24, 2021 SUSE LLC 1800 South Novell Place Provo, UT 84606 USA https://documentation.suse.com Copyright © 2006– 2021 SUSE LLC and contributors. All rights reserved. Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or (at your option) version 1.3; with the Invariant Section being this copyright notice and license. A copy of the license version 1.2 is included in the section entitled “GNU Free Documentation License”. For SUSE trademarks, see https://www.suse.com/company/legal/ . All other third-party trademarks are the property of their respective owners. Trademark symbols (®, ™ etc.) denote trademarks of SUSE and its aliates. Asterisks (*) denote third-party trademarks. All information found in this book has been compiled with utmost attention to detail. However, this does not guarantee complete accuracy. Neither SUSE LLC, its aliates, the authors nor the translators shall be held liable for possible errors or the consequences thereof. Contents About This Guide xii 1 Available Documentation xii 2 Giving Feedback xiv 3 Documentation Conventions xiv 4 Product Life Cycle and Support xvi Support Statement for SUSE Linux Enterprise Server xvii • Technology Previews xviii I FILE SYSTEMS AND MOUNTING 1 1 Overview
    [Show full text]
  • Security Assurance Requirements for Linux Application Container Deployments
    NISTIR 8176 Security Assurance Requirements for Linux Application Container Deployments Ramaswamy Chandramouli This publication is available free of charge from: https://doi.org/10.6028/NIST.IR.8176 NISTIR 8176 Security Assurance Requirements for Linux Application Container Deployments Ramaswamy Chandramouli Computer Security Division Information Technology Laboratory This publication is available free of charge from: https://doi.org/10.6028/NIST.IR.8176 October 2017 U.S. Department of Commerce Wilbur L. Ross, Jr., Secretary National Institute of Standards and Technology Walter Copan, NIST Director and Under Secretary of Commerce for Standards and Technology NISTIR 8176 SECURITY ASSURANCE FOR LINUX CONTAINERS National Institute of Standards and Technology Internal Report 8176 37 pages (October 2017) This publication is available free of charge from: https://doi.org/10.6028/NIST.IR.8176 Certain commercial entities, equipment, or materials may be identified in this document in order to describe an experimental procedure or concept adequately. Such identification is not intended to imply recommendation or endorsement by NIST, nor is it intended to imply that the entities, materials, or equipment are necessarily the best available for the purpose. This p There may be references in this publication to other publications currently under development by NIST in accordance with its assigned statutory responsibilities. The information in this publication, including concepts and methodologies, may be used by federal agencies even before the completion of such companion publications. Thus, until each ublication is available free of charge from: http publication is completed, current requirements, guidelines, and procedures, where they exist, remain operative. For planning and transition purposes, federal agencies may wish to closely follow the development of these new publications by NIST.
    [Show full text]
  • Rootless Containers with Podman and Fuse-Overlayfs
    CernVM Workshop 2019 (4th June 2019) Rootless containers with Podman and fuse-overlayfs Giuseppe Scrivano @gscrivano Introduction 2 Rootless Containers • “Rootless containers refers to the ability for an unprivileged user (i.e. non-root user) to create, run and otherwise manage containers.” (https://rootlesscontaine.rs/ ) • Not just about running the container payload as an unprivileged user • Container runtime runs also as an unprivileged user 3 Don’t confuse with... • sudo podman run --user foo – Executes the process in the container as non-root – Podman and the OCI runtime still running as root • USER instruction in Dockerfile – same as above – Notably you can’t RUN dnf install ... 4 Don’t confuse with... • podman run --uidmap – Execute containers as a non-root user, using user namespaces – Most similar to rootless containers, but still requires podman and runc to run as root 5 Motivation of Rootless Containers • To mitigate potential vulnerability of container runtimes • To allow users of shared machines (e.g. HPC) to run containers without the risk of breaking other users environments • To isolate nested containers 6 Caveat: Not a panacea • Although rootless containers could mitigate these vulnerabilities, it is not a panacea , especially it is powerless against kernel (and hardware) vulnerabilities – CVE 2013-1858, CVE-2015-1328, CVE-2018-18955 • Castle approach : it should be used in conjunction with other security layers such as seccomp and SELinux 7 Podman 8 Rootless Podman Podman is a daemon-less alternative to Docker • $ alias
    [Show full text]
  • Course Outline & Schedule
    Course Outline & Schedule Call US 408-759-5074 or UK +44 20 7620 0033 Suse Linux Advanced System Administration Curriculum Linux Course Code SLASA Duration 5 Day Course Price $2,425 Course Description This instructor led SUSE Linux Advanced System Administration training course is designed to teach the advanced administration, security, networking and performance tasks required on a SUSE Linux Enterprise system. Targeted to closely follow the official LPI curriculum (generic Linux), this course together with the SUSE Linux System Administration course will enable the delegate to work towards achieving the LPIC-2 qualification. Exercises and examples are used throughout the course to give practical hands-on experience with the techniques covered. Objectives The delegate will learn and acquire skills as follows: Perform administrative tasks with supplied tools such as YaST Advanced network configuration Network troubleshooting and analysing packets Creating Apache virtual hosts and hosting user web content Sharing Windows and Linux resources with SAMBA Configuring a DNS server and configuring DNS logging Configuring a DHCP server and client Sharing Linux network resources with NFS Creating Unit Files Configuring AutoFS direct and indirect maps Configuring a secure FTP server Configuring a SQUID proxy server Creating Btrfs subvolumes and snapshots Backing-up and restoring XFS filesystems Configuring LVM and managing Logical Volumes Managing software RAID Centralised storage with iSCSI Monitoring disk status and reliability with SMART Perpetual
    [Show full text]
  • How SUSE Helps Pave the Road to S/4HANA
    White Paper How SUSE Helps Pave the Road to S/4HANA Sponsored by: SUSE and SAP Peter Rutten Henry D. Morris August 2017 IDC OPINION According to SAP, there are now 6,800 SAP customers that have chosen S/4HANA. In addition, many more of the software company's customers still have to make the decision to move to S/4HANA. These customers have to determine whether they are ready to migrate their database for mission-critical workloads to a new database (SAP HANA) and a new application suite (S/4HANA). Furthermore, SAP HANA runs on Linux only, an operating environment that SAP customers may not have used extensively before. This white paper discusses the choices SAP customers have for migrating to S/4HANA on Linux and looks at how SUSE helps customers along the way. SITUATION OVERVIEW Among SAP customers, migration from traditional databases to the SAP HANA in-memory platform is continuing steadily. IDC's Data Analytics Infrastructure (SAP) Survey, November 2016 (n = 300) found that 49.3% of SAP customers in North America are running SAP HANA today. Among those that are not on SAP HANA, 29.9% will be in two to four years and 27.1% in four to six years. The slower adopters say that they don't feel rushed, stating that there's time until 2025 to make the decision, and that their current databases are performing adequately. While there is no specific order that SAP customers need to follow to get to S/4HANA, historically businesses have often migrated to SAP Business Warehouse (BW) on SAP HANA first as BW is a rewarding starting point for SAP HANA for two reasons: there is an instant performance improvement and migration is relatively easy since BW typically does not contain core enterprise data that is business critical.
    [Show full text]
  • An Introduction to Linux IPC
    An introduction to Linux IPC Michael Kerrisk © 2013 linux.conf.au 2013 http://man7.org/ Canberra, Australia [email protected] 2013-01-30 http://lwn.net/ [email protected] man7 .org 1 Goal ● Limited time! ● Get a flavor of main IPC methods man7 .org 2 Me ● Programming on UNIX & Linux since 1987 ● Linux man-pages maintainer ● http://www.kernel.org/doc/man-pages/ ● Kernel + glibc API ● Author of: Further info: http://man7.org/tlpi/ man7 .org 3 You ● Can read a bit of C ● Have a passing familiarity with common syscalls ● fork(), open(), read(), write() man7 .org 4 There’s a lot of IPC ● Pipes ● Shared memory mappings ● FIFOs ● File vs Anonymous ● Cross-memory attach ● Pseudoterminals ● proc_vm_readv() / proc_vm_writev() ● Sockets ● Signals ● Stream vs Datagram (vs Seq. packet) ● Standard, Realtime ● UNIX vs Internet domain ● Eventfd ● POSIX message queues ● Futexes ● POSIX shared memory ● Record locks ● ● POSIX semaphores File locks ● ● Named, Unnamed Mutexes ● System V message queues ● Condition variables ● System V shared memory ● Barriers ● ● System V semaphores Read-write locks man7 .org 5 It helps to classify ● Pipes ● Shared memory mappings ● FIFOs ● File vs Anonymous ● Cross-memory attach ● Pseudoterminals ● proc_vm_readv() / proc_vm_writev() ● Sockets ● Signals ● Stream vs Datagram (vs Seq. packet) ● Standard, Realtime ● UNIX vs Internet domain ● Eventfd ● POSIX message queues ● Futexes ● POSIX shared memory ● Record locks ● ● POSIX semaphores File locks ● ● Named, Unnamed Mutexes ● System V message queues ● Condition variables ● System V shared memory ● Barriers ● ● System V semaphores Read-write locks man7 .org 6 It helps to classify ● Pipes ● Shared memory mappings ● FIFOs ● File vs Anonymous ● Cross-memoryn attach ● Pseudoterminals tio a ● proc_vm_readv() / proc_vm_writev() ● Sockets ic n ● Signals ● Stream vs Datagram (vs uSeq.
    [Show full text]
  • Linux and Free Software: What and Why?
    Linux and Free Software: What and Why? (Qué son Linux y el Software libre y cómo beneficia su uso a las empresas para lograr productividad económica y ventajas técnicas?) JugoJugo CreativoCreativo Michael Kerrisk UniversidadUniversidad dede SantanderSantander UDESUDES © 2012 Bucaramanga,Bucaramanga, ColombiaColombia [email protected] 77 JuneJune 20122012 http://man7.org/ man7.org 1 Who am I? ● Programmer, educator, and writer ● UNIX since 1987; Linux since late 1990s ● Linux man-pages maintainer since 2004 ● Author of a book on Linux programming man7.org 2 Overview ● What is Linux? ● How are Linux and Free Software created? ● History ● Where is Linux used today? ● What is Free Software? ● Source code; Software licensing ● Importance and advantages of Free Software and Software Freedom ● Concluding remarks man7.org 3 ● What is Linux? ● How are Linux and Free Software created? ● History ● Where is Linux used today? ● What is Free Software? ● Source code; Software licensing ● Importance and advantages of Free Software and Software Freedom ● Concluding remarks man7.org 4 What is Linux? ● An operating system (sistema operativo) ● (Operating System = OS) ● Examples of other operating systems: ● Windows ● Mac OS X Penguins are the Linux mascot man7.org 5 But, what's an operating system? ● Two definitions: ● Kernel ● Kernel + package of common programs man7.org 6 OS Definition 1: Kernel ● Computer scientists' definition: ● Operating System = Kernel (núcleo) ● Kernel = fundamental program on which all other programs depend man7.org 7 Programs can live
    [Show full text]
  • Have You Driven an Selinux Lately? an Update on the Security Enhanced Linux Project
    Have You Driven an SELinux Lately? An Update on the Security Enhanced Linux Project James Morris Red Hat Asia Pacific Pte Ltd [email protected] Abstract All security-relevant accesses between subjects and ob- jects are controlled according to a dynamically loaded Security Enhanced Linux (SELinux) [18] has evolved mandatory security policy. Clean separation of mecha- rapidly over the last few years, with many enhancements nism and policy provides considerable flexibility in the made to both its core technology and higher-level tools. implementation of security goals for the system, while fine granularity of control ensures complete mediation. Following integration into several Linux distributions, SELinux has become the first widely used Mandatory An arbitrary number of different security models may be Access Control (MAC) scheme. It has helped Linux to composed (or “stacked”) by SELinux, with their com- receive the highest security certification likely possible bined effect being fully analyzable under a unified pol- for a mainstream off the shelf operating system. icy scheme. SELinux has also proven its worth for general purpose Currently, the default SELinux implementation com- use in mitigating several serious security flaws. poses the following security models: Type Enforcement (TE) [7], Role Based Access Control (RBAC) [12], While SELinux has a reputation for being difficult to Muilti-level Security (MLS) [29], and Identity Based use, recent developments have helped significantly in Access Control (IBAC). These complement the standard this area, and user adoption is advancing rapidly. Linux Discretionary Access Control (DAC) scheme. This paper provides an informal update on the project, With these models, SELinux provides comprehensive discussing key developments and challenges, with the mandatory enforcement of least privilege, confidential- aim of helping people to better understand current ity, and integrity.
    [Show full text]
  • Addressing Challenges in Automotive Connectivity: Mobile Devices, Technologies, and the Connected Car
    2015-01-0224 Published 04/14/2015 Copyright © 2015 SAE International doi:10.4271/2015-01-0224 saepcelec.saejournals.org Addressing Challenges in Automotive Connectivity: Mobile Devices, Technologies, and the Connected Car Patrick Shelly Mentor Graphics Corp. ABSTRACT With the dramatic mismatch between handheld consumer devices and automobiles, both in terms of product lifespan and the speed at which new features (or versions) are released, vehicle OEMs are faced with a perplexing dilemma. If the connected car is to succeed there has to be a secure and accessible method to update the software in a vehicle's infotainment system - as well as a real or perceived way to graft in new software content. The challenge has become even more evident as the industry transitions from simple analog audio systems which have traditionally served up broadcast content to a new world in which configurable and interactive Internet- based content rules the day. This paper explores the options available for updating and extending the software capability of a vehicle's infotainment system while addressing the lifecycle mismatch between automobiles and consumer mobile devices. Implications to the design and cost of factory installed equipment will be discussed, as will expectations around the appeal of these various strategies to specific target demographics. CITATION: Shelly, P., "Addressing Challenges in Automotive Connectivity: Mobile Devices, Technologies, and the Connected Car," SAE Int. J. Passeng. Cars – Electron. Electr. Syst. 8(1):2015, doi:10.4271/2015-01-0224. INTRODUCTION be carefully taken into account. The use of app stores is expected to grow significantly in the coming years as automotive OEMs begin to Contemporary vehicle infotainment systems face an interesting explore apps not only on IVI systems, but on other components of the challenge.
    [Show full text]
  • Automatic Benchmark Profiling Through Advanced Trace Analysis Alexis Martin, Vania Marangozova-Martin
    Automatic Benchmark Profiling through Advanced Trace Analysis Alexis Martin, Vania Marangozova-Martin To cite this version: Alexis Martin, Vania Marangozova-Martin. Automatic Benchmark Profiling through Advanced Trace Analysis. [Research Report] RR-8889, Inria - Research Centre Grenoble – Rhône-Alpes; Université Grenoble Alpes; CNRS. 2016. hal-01292618 HAL Id: hal-01292618 https://hal.inria.fr/hal-01292618 Submitted on 24 Mar 2016 HAL is a multi-disciplinary open access L’archive ouverte pluridisciplinaire HAL, est archive for the deposit and dissemination of sci- destinée au dépôt et à la diffusion de documents entific research documents, whether they are pub- scientifiques de niveau recherche, publiés ou non, lished or not. The documents may come from émanant des établissements d’enseignement et de teaching and research institutions in France or recherche français ou étrangers, des laboratoires abroad, or from public or private research centers. publics ou privés. Automatic Benchmark Profiling through Advanced Trace Analysis Alexis Martin , Vania Marangozova-Martin RESEARCH REPORT N° 8889 March 23, 2016 Project-Team Polaris ISSN 0249-6399 ISRN INRIA/RR--8889--FR+ENG Automatic Benchmark Profiling through Advanced Trace Analysis Alexis Martin ∗ † ‡, Vania Marangozova-Martin ∗ † ‡ Project-Team Polaris Research Report n° 8889 — March 23, 2016 — 15 pages Abstract: Benchmarking has proven to be crucial for the investigation of the behavior and performances of a system. However, the choice of relevant benchmarks still remains a challenge. To help the process of comparing and choosing among benchmarks, we propose a solution for automatic benchmark profiling. It computes unified benchmark profiles reflecting benchmarks’ duration, function repartition, stability, CPU efficiency, parallelization and memory usage.
    [Show full text]
  • Automated Performance Testing for Virtualization with Mmtests
    Automated Performance Testing For Virtualization with MMTests Dario Faggioli <[email protected]> Software Engineer - Virtualization Specialist, SUSE GPG: 4B9B 2C3A 3DD5 86BD 163E 738B 1642 7889 A5B8 73EE https://about.me/dario.faggioli https://www.linkedin.com/in/dfaggioli/ https://twitter.com/DarioFaggioli (@DarioFaggioli) Testing / Benchmarking / CI Tools & Suites • OpenQA • Jenkins • Kernel CI • Autotest / Avocado-framework / Avocado-vt • Phoronix Test Suite • Fuego • Linux Test Project • Xen-Project’s OSSTests • … • ... SRSLY THINKING I’ll TALK ABOUT & SUGGEST USING ANOTHER ONE ? REALLY ? Benchmarking on Baremetal What’s the performance impact of kernel code change “X” ? Baremetal Baremetal Kernel Kernel (no X) VS. (with X) CPU MEM CPU MEM bench bench bench bench I/O I/O bench bench Benchmarking in Virtualization What’s the performance impact of kernel code change “X” ? Baremetal Baremetal Baremetal Baremetal Kernel Kernel Kernel (no X) Kernel (no X) (with X) (with X) VM VS. VM VS. VM VS. VM Kernel Kernel Kernel (no X) Kernel (no X) (with X) (with X) CPU MEM CPU MEM CPU MEM CPU MEM bench bench bench bench bench bench bench bench I/O I/O I/O I/O bench bench bench bench Benchmarking in Virtualization What’s the performance impact of kernel code change “X” ? Baremetal Baremetal Baremetal Baremetal Kernel Kernel Kernel (no X) Kernel (no X) (with X) (with X) VM VS. VM VS. VM VS. VM Kernel Kernel Kernel (no X) Kernel (no X) (with X) (with X) We want to run the benchmarks inside VMs CPU MEM CPU MEM CPU MEM CPU MEM bench bench bench bench bench bench bench bench I/O I/O I/O I/O bench bench bench bench Benchmarking in Virtualization What’s the performance impact of kernel code change “X” ? Baremetal Baremetal Baremetal Baremetal Kernel Kernel Kernel (no X) Kernel (no X) (with X) (with X) VM VS.
    [Show full text]