Analysis and Improvement of Heterogeneous Hardware Support in Docker Images
This work addresses a domain-specific problem for cloud-native application developers and operators by improving hardware support in Docker images, though it is incremental as it builds on existing container technology.
The paper tackled the problem of missing knowledge about hardware-dependent features in Docker images, such as processor-specific trusted execution environments and graphics acceleration, by conducting a systematic one-year evolution analysis and developing novel tools including a heuristic hardware dependency detector and a hardware-aware Docker executor to provide early warnings for missing dependencies.
Docker images are used to distribute and deploy cloud-native applications in containerised form. A container engine runs them with separated privileges according to namespaces. Recent studies have investigated security vulnerabilities and runtime characteristics of Docker images. In contrast, little is known about the extent of hardware-dependent features in them such as processor-specific trusted execution environments, graphics acceleration or extension boards. This problem can be generalised to missing knowledge about the extent of any hardware-bound instructions within the images that may require elevated privileges. We first conduct a systematic one-year evolution analysis of a sample of Docker images concerning their use of hardware-specific features. To improve the state of technology, we contribute novel tools to manage such images. Our heuristic hardware dependency detector and a hardware-aware Docker executor give early warnings upon missing dependencies instead of leading to silent or untimely failures. Our dataset and tools are released to the research community.