Internals of Modern FaaS Implementations
Potekhin, Ruslan (2024)
All rights reserved. This publication is copyrighted. You may download, display and print it for Your own personal use. Commercial use is prohibited.
The permanent address of the publication is
https://urn.fi/URN:NBN:fi:amk-2024052113887
Abstract
The goal of the thesis was to explore the internals of modern Function-as-a-Service systems, with a focus on their security and operational challenges. The research investigates various isolation technologies, including virtual machines, Linux containers, unikernels, and software fault isolation.
Findings indicate that regular virtual machines offer strong security but are limited by slow initialization times. Plain Linux containers provide performance akin to native systems but depend on a shared host kernel. Improvements through user-space kernel implementations have effectively mitigated many security issues in containers. Software fault isolation, offering the fastest cold starts, is primarily suitable for trusted environments due to inherent security limitations. Unikernels enhance execution time but are hindered by a poor developer experience.
The study also addresses the need for transparency in FaaS platforms, as modern applications must adapt to the constraints imposed by vendors.
A practical component of the thesis includes the development of a machine learning inference application, demonstrating the implications of each isolation technology in real-world scenarios.