System log isolation for containers
en-GBde-DEes-ESfr-FR

System log isolation for containers

24/06/2025 Frontiers Journals

Container-based virtualization is increasingly popular in cloud computing due to its efficiency and flexibility. Isolation is a fundamental property of containers and weak isolation could cause significant performance degradation and security vulnerability. Using system log in current container environment can introduce several isolation problems and cause significant impacts on system usability, security, and efficiency.

To solve the problems, a research team led by Song WU published their new research on 15 May 2025 in Frontiers of Computer Science co-published by Higher Education Press and Springer Nature.

The team presented a detailed isolation analysis of system log in current container environment and made the following findings:

Finding 1: Using system log in current container environment can introduce several isolation problems and cause significant impacts on system usability, security, and efficiency. In log generation phase, configuration conflict and operation conflict between containers can make system log useless. Log access from containers could cause namespace escape and information leakage, significantly affecting the isolation and security of containers. In log analysis phase, log loss and redundancy would occur, reducing the accuracy and efficiency of log analysis. This finding clearly suggests the necessity of enhancing system log isolation.

Finding 2: There are three root causes of system log isolation problems: shared configuration, shared storage, and shared view. Shared configuration causes configuration conflict. Shared storage causes operation conflict and log loss. Shared view causes namespace escape, information leakage, and log redundancy. This finding sheds a light on our solution to address the isolation problems.

Next, the team proposed private logs (POGs) to provide each container with individual system log instead of sharing system logs among containers. They provided each container with a POG that is made up of individual log configuration, log storage, and log view. First, when one container is started, POGs creates a new log configuration file in its POG. Each container can set its own log configuration and print out logs based on the configuration. Second, POGs also create a new ring buffer for the newly launched containers to store their own logs. One container can set the size of its log ring buffer, based on its needs. To avoid too much memory footprint of such private log storage, POGs account for the ring buffer into containers’ respective memory cgroup. Last, they provide each container a private log view by maintaining the information about which container the POG belongs to. The log view of one POG is visible to its belonger but is invisible to other containers. Hence, one container is not able to manipulate the logs which are owned by another container. They design two key components: pogctl and pogshim to manage the POGs. Pogctl provides several APIs for containers to control and configure POGs precisely. And Pogshim realizes the management of POGs and identifies the belongers of POGs.

Last, they implement and evaluate POGs in Linux kernel 5.11.6. Experimental results show that our system can address configuration and operation conflict, prevent isolation breaking and information leakage, and improve the efficiency and accuracy of log analysis, enhancing system log isolation, with negligible performance overhead.

DOI: 10.1007/s11704-024-2568-8

https://journal.hep.com.cn/fcs/EN/10.1007/s11704-024-2568-8
Research Article, Published: 15 May 2025
Kun WANG, Song WU, Yanxiang CUI, Zhuo HUANG, Hao FAN, Hai JIN. System log isolation for containers. Front. Comput. Sci., 2025, 19(5): 195106, https://doi.org/10.1007/s11704-024-2568-8
Attached files
  • Image
24/06/2025 Frontiers Journals
Regions: Asia, China, North America, United States
Keywords: Applied science, Computing

Disclaimer: AlphaGalileo is not responsible for the accuracy of content posted to AlphaGalileo by contributing institutions or for the use of any information through the AlphaGalileo system.

Testimonials

For well over a decade, in my capacity as a researcher, broadcaster, and producer, I have relied heavily on Alphagalileo.
All of my work trips have been planned around stories that I've found on this site.
The under embargo section allows us to plan ahead and the news releases enable us to find key experts.
Going through the tailored daily updates is the best way to start the day. It's such a critical service for me and many of my colleagues.
Koula Bouloukos, Senior manager, Editorial & Production Underknown
We have used AlphaGalileo since its foundation but frankly we need it more than ever now to ensure our research news is heard across Europe, Asia and North America. As one of the UK’s leading research universities we want to continue to work with other outstanding researchers in Europe. AlphaGalileo helps us to continue to bring our research story to them and the rest of the world.
Peter Dunn, Director of Press and Media Relations at the University of Warwick
AlphaGalileo has helped us more than double our reach at SciDev.Net. The service has enabled our journalists around the world to reach the mainstream media with articles about the impact of science on people in low- and middle-income countries, leading to big increases in the number of SciDev.Net articles that have been republished.
Ben Deighton, SciDevNet

We Work Closely With...

  • e
  • The Research Council of Norway
  • SciDevNet
  • Swiss National Science Foundation
  • iesResearch
Copyright 2025 by AlphaGalileo Terms Of Use Privacy Statement