Quark: A High-Performance Secure Container Runtime for Serverless Computing
Chenxingyu Zhao, Yulin Sun, Ying Xiong, Arvind Krishnamurthy

TL;DR
Quark is a high-performance, secure container runtime designed for serverless computing, utilizing a custom co-designed kernel and VMM to significantly improve latency, throughput, and startup times over traditional solutions.
Contribution
It introduces a novel co-designed guest kernel and VMM, QKernel and QVisor, enabling high-performance secure containers tailored for serverless environments.
Findings
Reduces P95 latency by 79.3% compared to Kata
Increases throughput by 2.43x over Kata
Achieves 96.5% lower startup latency and 81.3% memory savings
Abstract
Secure container runtimes serve as the foundational layer for creating and running containers, which is the bedrock of emerging computing paradigms like microservices and serverless computing. Although existing secure container runtimes indeed enhance security via running containers over a guest kernel and a Virtual Machine Monitor (VMM or Hypervisor), they incur performance penalties in critical areas such as networking, container startup, and I/O system calls. In our practice of operating microservices and serverless computing, we build a high-performance secure container runtime named Quark. Unlike existing solutions that rely on traditional VM technologies by importing Linux for the guest kernel and QEMU for the VMM, we take a different approach to building Quark from the ground up, paving the way for extreme customization to unlock high performance. Our development centers on…
Taxonomy
Topics: Cloud Computing and Resource Management · Software System Performance and Reliability · IoT and Edge/Fog Computing
