Locked In, Leaked Out: Measuring Isolation via Kernel Locks

Isolation is a critical property for shared infrastructure to limit exposure and interference among simultaneous running workloads. Cloud providers use different isolation mechanisms such as full Virtual Machines, microVMs, Linux containers, secure containers, etc., to confine workloads running in a multi-tenant environment. We propose a novel way to understand and measure performance interference and isolation at the system software layer that occurs due to shared access to data structures. We observe that interference takes place through shared structures, such as a kernel-level data structure, and that operating systems must synchronize access to these structures for safety. By measuring the level of synchronization between workloads, we can measure their ability to interfere and thus the amount of isolation the platform provides We demonstrate our method for measuring isolation by measuring the accesses to locks acquired in common across multiple workloads which indicates the amount of sharing through kernel data structures and hence the interference/isolation between two workloads. Furthermore, we identify the isolation properties of different kernel structures under different workloads and find that the file system journal and kernel page allocator are the most common sources of interference.