Secure container runtimes are the foundational layer for creating and running containers, which in turn are the bedrock of emerging computing paradigms such as microservices and serverless computing. Although existing secure container runtimes do enhance security by running containers over a guest kernel and a Virtual Machine Monitor (VMM, or hypervisor), they incur performance penalties in critical areas such as networking, container startup, and I/O system calls. Drawing on our experience operating microservices and serverless computing, we built a high-performance secure container runtime named Quark. Unlike existing solutions that rely on traditional VM technology, importing Linux as the guest kernel and QEMU as the VMM, we take a different approach and build Quark from the ground up, which allows extreme customization to unlock high performance. Our development centers on co-designing a custom guest kernel and a VMM for secure containers. To this end, we build a lightweight guest OS kernel named QKernel and a specialized VMM named QVisor. The QKernel-QVisor co-design lets us deliver three key advancements: high-performance RDMA-based container networking, a fast container startup mode, and efficient mechanisms for executing I/O syscalls. With real-world applications such as Redis, Quark cuts P95 latency by 79.3% and increases throughput by 2.43x compared to Kata. Moreover, Quark container startup achieves 96.5% lower latency than cold-start mode while using 81.3% less memory than keep-warm mode. Quark is open source, with an industry-standard codebase written in Rust.