Open Access iconOpen Access

ARTICLE

crossmark

Container Introspection: Using External Management Containers to Monitor Containers in Cloud Computing

Dongyang Zhan1,*, Kai Tan1, Lin Ye1,2, Haining Yu1,3, Hao Liu4

1 School of Cyberspace Science, Harbin Institute of Technology, Harbin, 150001, China
2 Temple University, Philadelphia, 19122, USA
3 City University of Hong Kong, Kowloon Tong, 518057, Hong Kong
4 Qianxin Technology Group Co., Ltd., Beijing, 100000, China

* Corresponding Author: Dongyang Zhan. Email: email

Computers, Materials & Continua 2021, 69(3), 3783-3794. https://doi.org/10.32604/cmc.2021.019432

Abstract

Cloud computing plays an important role in today's Internet environment, which meets the requirements of scalability, security and reliability by using virtualization technologies. Container technology is one of the two mainstream virtualization solutions. Its lightweight, high deployment efficiency make container technology widely used in large-scale cloud computing. While container technology has created huge benefits for cloud service providers and tenants, it cannot meet the requirements of security monitoring and management from a tenant perspective. Currently, tenants can only run their security monitors in the target container, but it is not secure because the attacker is able to detect and compromise the security monitor. In this paper, a secure external monitoring approach is proposed to monitor target containers in another management container. The management container is transparent for target containers, but it can obtain the executing information of target containers, providing a secure monitoring environment. Security monitors running inside management containers are secure for the cloud host, since the management containers are not privileged. We implement the transparent external management containers by performing the one-way isolation of processes and files. For process one-way isolation, we leverage Linux namespace technology to let management container become the parent of target containers. By mounting the file system of target container to that of the management container, file system one-way isolation is achieved. Compared with the existing host-based monitoring approach, our approach is more secure and suitable in the cloud environment.

Keywords


Cite This Article

D. Zhan, K. Tan, L. Ye, H. Yu and H. Liu, "Container introspection: using external management containers to monitor containers in cloud computing," Computers, Materials & Continua, vol. 69, no.3, pp. 3783–3794, 2021.



cc This work is licensed under a Creative Commons Attribution 4.0 International License , which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.
  • 1346

    View

  • 789

    Download

  • 0

    Like

Share Link