62,574 research outputs found
Are Unikernels Ready for Serverless on the Edge?
Function-as-a-Service (FaaS) is a promising edge computing execution model
but requires secure sandboxing mechanisms to isolate workloads from multiple
tenants on constrained infrastructure. Although Docker containers are
lightweight and popular in open-source FaaS platforms, they are generally
considered insufficient for executing untrusted code and providing sandbox
isolation. Commercial cloud FaaS platforms thus rely on Linux microVMs or
hardened container runtimes, which are secure but come with a higher resource
footprint.
Unikernels combine application code and limited operating system primitives
into a single purpose appliance, reducing the footprint of an application and
its sandbox while providing full Linux compatibility. In this paper, we study
the suitability of unikernels as an edge FaaS execution environment using the
Nanos and OSv unikernel tool chains. We compare performance along several
metrics such as cold start overhead and idle footprint against sandboxes such
as Firecracker Linux microVMs, Docker containers, and secure gVisor containers.
We find that unikernels exhibit desirable cold start performance, yet lag
behind Linux microVMs in stability. Nevertheless, we show that unikernels are a
promising candidate for further research on Linux-compatible FaaS isolation
Detecting and preventing peer-to-peer connections by Linux iptables
Most of companies use Linux iptables as their edge networks’ firewall. Although Linux iptables is a reputed secure stateful packet filter firewall package, it has some weaknesses. This package can not detect or control all peer-to-peer connections. One of the packages which is written for Linux iptables to manage peer-to-peer connections is layer 7-module. This module can not detect all peer-to-peer connections and drop them. Some peer-to-peer connections which use HTTP port for connecting to other peers are detected with this netfilter’s patch-o-matic but those which use static ports or dynamic ports for connecting to peers can not be detected with this module. For controlling peer-to-peer connections investigator blocked some peer-to-peer well known static ports with Linux iptables and then, for increasing the control of other peer-to-peer applications which used dynamic ports, he used QOS rules. Although this trend could drop most of peer-to-peer connections and save internet bandwidth, it was not the complete solution. He decided to control peer-to-peer connections by implementing a new module which checks peer-to-peer payloads in his next investigation
Joint Time-and Event-Triggered Scheduling in the Linux Kernel
There is increasing interest in using Linux in the real-time domain due to
the emergence of cloud and edge computing, the need to decrease costs, and the
growing number of complex functional and non-functional requirements of
real-time applications. Linux presents a valuable opportunity as it has rich
hardware support, an open-source development model, a well-established
programming environment, and avoids vendor lock-in. Although Linux was
initially developed as a general-purpose operating system, some real-time
capabilities have been added to the kernel over many years to increase its
predictability and reduce its scheduling latency. Unfortunately, Linux
currently has no support for time-triggered (TT) scheduling, which is widely
used in the safety-critical domain for its determinism, low run-time scheduling
latency, and strong isolation properties. We present an enhancement of the
Linux scheduler as a new low-overhead TT scheduling class to support offline
table-driven scheduling of tasks on multicore Linux nodes. Inspired by the Slot
shifting algorithm, we complement the new scheduling class with a low overhead
slot shifting manager running on a non-time-triggered core to provide
guaranteed execution time to real-time aperiodic tasks by using the slack of
the time-triggered tasks and avoiding high-overhead table regeneration for
adding new periodic tasks. Furthermore, we evaluate our implementation on
server-grade hardware with Intel Xeon Scalable Processor.Comment: to appear in Operating Systems Platforms for Embedded Real-Time
applications (OSPERT) workshop 2023 co-hosted with 35th Euromicro conference
on Real-time system
Design and Implementation of a Measurement-Based Policy-Driven Resource Management Framework For Converged Networks
This paper presents the design and implementation of a measurement-based QoS
and resource management framework, CNQF (Converged Networks QoS Management
Framework). CNQF is designed to provide unified, scalable QoS control and
resource management through the use of a policy-based network management
paradigm. It achieves this via distributed functional entities that are
deployed to co-ordinate the resources of the transport network through
centralized policy-driven decisions supported by measurement-based control
architecture. We present the CNQF architecture, implementation of the prototype
and validation of various inbuilt QoS control mechanisms using real traffic
flows on a Linux-based experimental test bed.Comment: in Ictact Journal On Communication Technology: Special Issue On Next
Generation Wireless Networks And Applications, June 2011, Volume 2, Issue 2,
Issn: 2229-6948(Online
Container network functions: bringing NFV to the network edge
In order to cope with the increasing network utilization driven by new mobile clients, and to satisfy demand for new network services and performance guarantees, telecommunication service providers are exploiting virtualization over their network by implementing network services in virtual machines, decoupled from legacy hardware accelerated appliances. This effort, known as NFV, reduces OPEX and provides new business opportunities. At the same time, next generation mobile, enterprise, and IoT networks are introducing the concept of computing capabilities being pushed at the network edge, in close proximity of the users. However, the heavy footprint of today's NFV platforms prevents them from operating at the network edge. In this article, we identify the opportunities of virtualization at the network edge and present Glasgow Network Functions (GNF), a container-based NFV platform that runs and orchestrates lightweight container VNFs, saving core network utilization and providing lower latency. Finally, we demonstrate three useful examples of the platform: IoT DDoS remediation, on-demand troubleshooting for telco networks, and supporting roaming of network functions
Linux kernel compaction through cold code swapping
There is a growing trend to use general-purpose operating systems like Linux in embedded systems. Previous research focused on using compaction and specialization techniques to adapt a general-purpose OS to the memory-constrained environment, presented by most, embedded systems. However, there is still room for improvement: it has been shown that even after application of the aforementioned techniques more than 50% of the kernel code remains unexecuted under normal system operation. We introduce a new technique that reduces the Linux kernel code memory footprint, through on-demand code loading of infrequently executed code, for systems that support virtual memory. In this paper, we describe our general approach, and we study code placement algorithms to minimize the performance impact of the code loading. A code, size reduction of 68% is achieved, with a 2.2% execution speedup of the system-mode execution time, for a case study based on the MediaBench II benchmark suite
Description and Experience of the Clinical Testbeds
This deliverable describes the up-to-date technical environment at three clinical testbed demonstrator sites of
the 6WINIT Project, including the adapted clinical applications, project components and network transition technologies
in use at these sites after 18 months of the Project. It also provides an interim description of early experiences with
deployment and usage of these applications, components and technologies, and their clinical service impact
- …