Analysis and Improvement of Heterogeneous Hardware Support in Docker Images
Panagiotis Gkikopoulos, Valerio Schiavoni, Josef Spillner

TL;DR
This paper investigates the hardware-dependent features in Docker images over a year and introduces tools to detect hardware dependencies, aiming to enhance security and reliability in containerized applications.
Contribution
It provides a systematic analysis of hardware features in Docker images and introduces novel heuristic tools for managing hardware dependencies.
Findings
Hardware-dependent features are present in a significant portion of Docker images.
The proposed tools can detect missing hardware dependencies early.
The dataset and tools are publicly available for further research.
Abstract
Docker images are used to distribute and deploy cloud-native applications in containerised form. A container engine runs them with separated privileges according to namespaces. Recent studies have investigated security vulnerabilities and runtime characteristics of Docker images. In contrast, little is known about the extent of hardware-dependent features in them such as processor-specific trusted execution environments, graphics acceleration or extension boards. This problem can be generalised to missing knowledge about the extent of any hardware-bound instructions within the images that may require elevated privileges. We first conduct a systematic one-year evolution analysis of a sample of Docker images concerning their use of hardware-specific features. To improve the state of technology, we contribute novel tools to manage such images. Our heuristic hardware dependency detector and…
