Authors: Dongyang Zhan, Kai Tan, Lin Ye, Haining Yu, Hao Liu
Affiliations: [1] School of Cyberspace Science, Harbin Institute of Technology, Harbin, 150001, China; [2] Temple University, Philadelphia, 19122, USA; [3] City University of Hong Kong, Kowloon Tong, 518057, Hong Kong; [4] Qianxin Technology Group Co., Ltd., Beijing, 100000, China
Published in: Computers, Materials & Continua, 2021, No. 12, pp. 3783-3794 (12 pages)
Funding: This paper is supported by the National Natural Science Foundation of China (http://www.nsfc.gov.cn/) under Grant No. 61872111, and the Sichuan Science and Technology Program (http://kjt.sc.gov.cn/) under Grant No. 2019YFSY0049, both of which were received by L. Ye.
Abstract: Cloud computing plays an important role in today's Internet environment, meeting the requirements of scalability, security and reliability by using virtualization technologies. Container technology is one of the two mainstream virtualization solutions. Its light weight and high deployment efficiency make container technology widely used in large-scale cloud computing. While container technology has created huge benefits for cloud service providers and tenants, it cannot meet the requirements of security monitoring and management from a tenant perspective. Currently, tenants can only run their security monitors in the target container, but this is not secure because an attacker is able to detect and compromise the security monitor. In this paper, a secure external monitoring approach is proposed to monitor target containers from another management container. The management container is transparent to target containers, but it can obtain the execution information of target containers, providing a secure monitoring environment. Security monitors running inside management containers are safe for the cloud host, since the management containers are not privileged. We implement the transparent external management containers by performing one-way isolation of processes and files. For process one-way isolation, we leverage Linux namespace technology to let the management container become the parent of the target containers. By mounting the file system of the target container into that of the management container, file system one-way isolation is achieved. Compared with the existing host-based monitoring approach, our approach is more secure and better suited to the cloud environment.
Keywords: Container introspection; management container; external approach; one-way isolation
Classification: TP3 (Automation and Computer Technology: Computer Science and Technology)