Locked In, Leaked Out: Measuring Isolation via Kernel Locks

TL;DR

This paper introduces a novel method to measure system software-level isolation by analyzing kernel lock contention, revealing key sources of interference like the file system journal and kernel page allocator.

Contribution

It presents a new approach to quantify workload interference by measuring shared kernel lock access, providing insights into kernel structure impacts on isolation.

Findings

File system journal and kernel page allocator are major interference sources.

Kernel lock contention correlates with workload interference levels.

Method enables better understanding of system-level isolation mechanisms.

Abstract

Isolation is a critical property for shared infrastructure to limit exposure and interference among simultaneous running workloads. Cloud providers use different isolation mechanisms such as full Virtual Machines, microVMs, Linux containers, secure containers, etc., to confine workloads running in a multi-tenant environment. We propose a novel way to understand and measure performance interference and isolation at the system software layer that occurs due to shared access to data structures. We observe that interference takes place through shared structures, such as a kernel-level data structure, and that operating systems must synchronize access to these structures for safety. By measuring the level of synchronization between workloads, we can measure their ability to interfere and thus the amount of isolation the platform provides We demonstrate our method for measuring isolation by measuring the accesses to locks acquired in common across multiple workloads which indicates the amount of sharing through kernel data structures and hence the interference/isolation between two workloads. Furthermore, we identify the isolation properties of different kernel structures under different workloads and find that the file system journal and kernel page allocator are the most common sources of interference.