Container-based virtualization is increasingly popular in cloud computing due to its efficiency and flexibility. Isolation is a fundamental property of containers, and weak isolation can cause significant performance degradation and security vulnerabilities. Using the system log in the current container environment can introduce several isolation problems and significantly affect system usability, security, and efficiency.
To address these problems, a research team led by Song WU published their new research on 15 May 2025 in Frontiers of Computer Science, co-published by Higher Education Press and Springer Nature.
The team presented a detailed isolation analysis of the system log in the current container environment and made the following findings:
Finding 1: Using the system log in the current container environment can introduce several isolation problems and significantly affect system usability, security, and efficiency. In the log generation phase, configuration conflicts and operation conflicts between containers can make the system log useless. Log access from containers can cause namespace escape and information leakage, significantly weakening the isolation and security of containers. In the log analysis phase, log loss and redundancy occur, reducing the accuracy and efficiency of log analysis. This finding clearly shows the necessity of enhancing system log isolation.
Finding 2: There are three root causes of the system log isolation problems: shared configuration, shared storage, and shared view. Shared configuration causes configuration conflicts. Shared storage causes operation conflicts and log loss. Shared view causes namespace escape, information leakage, and log redundancy. This finding sheds light on the team's solution to the isolation problems.
Next, the team proposed private logs (POGs), which give each container its own system log instead of sharing one system log among containers. Each container is provided with a POG made up of an individual log configuration, log storage, and log view. First, when a container is started, POGs create a new log configuration file in its POG; each container can set its own log configuration and print logs according to it. Second, POGs also create a new ring buffer for each newly launched container to store its own logs, and a container can set the size of its log ring buffer according to its needs. To keep the memory footprint of such private log storage under control, POGs account the ring buffer to the container's own memory cgroup. Last, each container gets a private log view: POGs maintain the information about which container a POG belongs to, so the log view of a POG is visible to its belonger but invisible to other containers. Hence, one container cannot manipulate logs owned by another container. Two key components, pogctl and pogshim, manage the POGs: pogctl provides several APIs for containers to control and configure POGs precisely, and pogshim realizes the management of POGs and identifies their belongers.
Last, the team implemented and evaluated POGs in Linux kernel 5.11.6. Experimental results show that their system addresses configuration and operation conflicts, prevents isolation breaking and information leakage, and improves the efficiency and accuracy of log analysis, enhancing system log isolation with negligible performance overhead.
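The following is an added illustration, not code from the paper or the POGs project: a small Python simulation that reproduces the three root causes from Finding 2 (shared configuration, shared storage, shared view) against a shared ring buffer, and then runs the same workload against per-container private logs modelled on the POG design (individual configuration, individual ring buffer with per-owner memory accounting, and a view restricted to the owner). The class names `SharedLog` and `PrivateLogs`, the severity constants, the buffer sizes and the container names `a` and `b` are all assumptions made for the example.

```python
"""
Toy model of a shared kernel-log ring buffer versus per-container private
logs. Constructed illustration only: the kernel's printk/dmesg machinery and
the POGs implementation are far richer; this reproduces just the isolation
behaviour discussed above. All names and sizes are assumptions.
"""
from __future__ import annotations

from collections import deque
from dataclasses import dataclass
from typing import Optional

# Syslog-style severities; a lower number is more severe. Only the ordering
# matters for the example (assumption: not the kernel's exact constants).
EMERG, ERR, WARNING, INFO, DEBUG = 0, 3, 4, 6, 7


@dataclass
class Record:
    owner: str   # container that emitted the message
    level: int
    text: str


class SharedLog:
    """One configuration, one ring buffer and one view for every container."""

    def __init__(self, capacity: int) -> None:
        self.console_level = WARNING        # shared configuration
        self.buf: deque = deque(maxlen=capacity)  # shared storage: oldest evicted

    def set_console_level(self, level: int) -> None:
        # Any container may change it; the last writer wins for all of them.
        self.console_level = level

    def printk(self, owner: str, level: int, text: str) -> None:
        if level <= self.console_level:
            self.buf.append(Record(owner, level, text))

    def dmesg(self, reader: str) -> list:
        # Shared view: the reader's identity does not restrict the result.
        return list(self.buf)


class PrivateLogs:
    """Per-container configuration, ring buffer and view (POG-style model)."""

    def __init__(self, default_capacity: int) -> None:
        self.default_capacity = default_capacity
        self.level: dict = {}        # per-container console level
        self.buf: dict = {}          # per-container ring buffer
        self.bytes_used: dict = {}   # stand-in for memory-cgroup accounting

    def start_container(self, name: str, capacity: Optional[int] = None) -> None:
        self.level[name] = WARNING
        self.buf[name] = deque(maxlen=capacity or self.default_capacity)
        self.bytes_used[name] = 0

    def set_console_level(self, caller: str, level: int) -> None:
        self.level[caller] = level   # affects only the caller's own log

    def printk(self, owner: str, level: int, text: str) -> None:
        buf = self.buf[owner]
        if level <= self.level[owner]:
            if len(buf) == buf.maxlen:          # evicting: uncharge the old record
                self.bytes_used[owner] -= len(buf[0].text)
            buf.append(Record(owner, level, text))
            self.bytes_used[owner] += len(text)  # charge the new record to the owner

    def dmesg(self, reader: str) -> list:
        # Private view: a container only ever sees records it owns.
        return list(self.buf[reader])


def demo() -> dict:
    """Run the same workload against both models and summarise the differences."""
    results = {}

    shared = SharedLog(capacity=4)
    shared.printk("b", ERR, "b: disk error")      # B wants to keep this
    shared.set_console_level(EMERG)               # A changes the level for everyone
    shared.printk("b", ERR, "b: disk error 2")    # configuration conflict: suppressed
    shared.set_console_level(DEBUG)
    for i in range(4):                            # operation conflict: A's flood
        shared.printk("a", DEBUG, f"a: noise {i}")  # evicts B's surviving record
    results["shared_b_sees_a"] = any(r.owner == "a" for r in shared.dmesg("b"))
    results["shared_b_kept"] = [r.text for r in shared.dmesg("b") if r.owner == "b"]

    priv = PrivateLogs(default_capacity=4)
    priv.start_container("a", capacity=2)         # A chose a small buffer
    priv.start_container("b")
    priv.printk("b", ERR, "b: disk error")
    priv.set_console_level("a", EMERG)            # only A's log is affected
    priv.printk("b", ERR, "b: disk error 2")
    priv.set_console_level("a", DEBUG)
    for i in range(4):
        priv.printk("a", DEBUG, f"a: noise {i}")  # A only evicts its own records
    results["private_b_sees_a"] = any(r.owner == "a" for r in priv.dmesg("b"))
    results["private_b_kept"] = [r.text for r in priv.dmesg("b")]
    results["private_a_bytes"] = priv.bytes_used["a"]
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

In the shared model, container B loses both of its error records (one to A's configuration change, one to A's flood) and can read everything A wrote, which is the information-leakage side of the shared view. In the private model B keeps both records and sees nothing of A's, while A's flood is bounded by the two-entry buffer it chose and the memory charged to A never exceeds what those two entries occupy, which is the purpose of accounting the ring buffer to the container's own memory cgroup.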
DOI: 10.1007/s11704-024-2568-8