Spawnpoint: Secure Deployment of Distributed, Managed Containers

John Kolb

EECS Department
University of California, Berkeley
Technical Report No. UCB/EECS-2018-1
January 13, 2018

http://www2.eecs.berkeley.edu/Pubs/TechRpts/2018/EECS-2018-1.pdf

Spawnpoint is an infrastructure for deploying and managing distributed software services as execution containers. The heart of the system is spawnd, a persistent daemon process that encapsulates the compute resources offered by a specific host. spawnd advertises available resources and accepts commands from clients to deploy and manage services. spawnd enforces resource reservations, ensuring that a host does not become oversubscribed, and performs admission control to avoid overloading. Spawnpoint offers command-line and graphical clients for interacting with spawnd instances. A third front-end, Raptor, allows users to describe complex distributed applications as a collection of services and specify how these services are deployed through a simple domain-specific language. Spawnpoint maintains security for all operations. Only authorized parties may learn of the existence of a spawnd instance, deploy a service on a host, monitor service state, or manipulate a running service. This is achieved through the use of Bosswave, a secure syndication network. Experiments show that the CPU, memory, and network costs of running spawnd are low and that managed containers have small overhead vs. unmanaged containers. Spawnpoint has been used to deploy real systems, such as a vision-based building control application and drivers to secure legacy IoT devices.

Advisor: Randy H. Katz


BibTeX citation:

@mastersthesis{Kolb:EECS-2018-1,
    Author = {Kolb, John},
    Title = {Spawnpoint: Secure Deployment of Distributed, Managed Containers},
    School = {EECS Department, University of California, Berkeley},
    Year = {2018},
    Month = {Jan},
    URL = {http://www2.eecs.berkeley.edu/Pubs/TechRpts/2018/EECS-2018-1.html},
    Number = {UCB/EECS-2018-1},
    Abstract = {Spawnpoint is an infrastructure for deploying and managing distributed software services as execution containers. The heart of the system is spawnd, a persistent daemon process that encapsulates the compute resources offered by a specific host. spawnd advertises available resources and accepts commands from clients to deploy and manage services. spawnd enforces resource reservations, ensuring that a host does not become oversubscribed, and performs admission control to avoid overloading. Spawnpoint offers command-line and graphical clients for interacting with spawnd instances. A third front-end, Raptor, allows users to describe complex distributed applications as a collection of services and specify how these services are deployed through a simple domain-specific language. Spawnpoint maintains security for all operations. Only authorized parties may learn of the existence of a spawnd instance, deploy a service on a host, monitor service state, or manipulate a running service. This is achieved through the use of Bosswave, a secure syndication network. Experiments show that the CPU, memory, and network costs of running spawnd are low and that managed containers have small overhead vs. unmanaged containers. Spawnpoint has been used to deploy real systems, such as a vision-based building control application and drivers to secure legacy IoT devices.}
}

EndNote citation:

%0 Thesis
%A Kolb, John
%T Spawnpoint: Secure Deployment of Distributed, Managed Containers
%I EECS Department, University of California, Berkeley
%D 2018
%8 January 13
%@ UCB/EECS-2018-1
%U http://www2.eecs.berkeley.edu/Pubs/TechRpts/2018/EECS-2018-1.html
%F Kolb:EECS-2018-1