More on isolation

[ykzeng]

We discovered through experiments that more things should be done on CPU isolation. Comparing with containers, it seems a normal unbounded VM doesn't have too much advantages in isolation, at least when the whole system hasn't been overloaded. However, through bounding VM CPUs to physical ones, better isolation on computational resources can be achieved. Also we need to consider about hyperthreading support in Xen, bounding two VMs to two logical hyperthreading cores doesn't help much.

References for XenServer CPU allocation and bounding, as well as some performance discussions: Check if CPU support masking in XenServer Allocating CPUs for Better Performance in XenServer

[ykzeng]

Likewise, for containers, we should also consider more on isolation, several ways of realizing isolation on containers:

1. combining with Mininet, this would give us the same limitations as they have
2. implement our own isolated containers using cgroup, we have observed that both CPU time slices/CPU pinning/memory limit can be set through cgroup, isn't this the same with VM?