When a single computer is used to run multiple workloads, a balance should be struck between isolation of applications and the cost of using and administering the application-isolating system. Applications should ideally be isolated from each other so that the workload of one application does not interfere with the operation or use of resources of another application. On the other hand, the system should be flexible and manageable to reduce the cost of using and administering the system. Ideally, the system should be able to selectively share resources while maintaining application isolation. Typically, however, all processes running under the same user account have the same view of system resources. The lack of isolation of the applications running on a particular computer contributes to application fragility, application incompatibility, security problems and the inability to run conflicting applications on the same machine.
A number of different solutions have been proposed which address one or more aspects of the problems discussed above. One way to isolate applications running on the same machine is to run the applications on different “virtual machines”. A virtual machine (VM) enables multiple instances of an operating system (OS) to run concurrently on a single machine. A VM is a logical instance of a physical machine, that is, a virtual machine provides to the operating system software an abstraction of a machine at the level of the hardware: that is, at the level of the central processing unit (CPU), controller, memory, and so on. Each logical instance has its own operating system instance with its own security context and its own isolated hardware resources so that each operating system instance appears to the user or observer to be an independent machine. VMs are typically implemented to maximize hardware utilization. A VM provides isolation at the level of the machine but within the virtual machine, no provisions for isolating applications running on the same VM are provided for by known VM implementations.
Other known proposed solutions to aspects of the problems described above include Sun Microsystem's Solaris Zones, jails for UNIX BSD and Linux, the VServers project for Linux, SWSoft's Virtuozzo, web hosting solutions from Ensim and Sphera, and software available from PolicyMaker, and Softricity.
Another approach that addresses aspects of application isolation is hardware partitioning. A multi-processor machine is divided into sub-machines, each sub-machine booting an independent copy of the OS. Hardware partitioning typically only provides constrained resource allocation mechanisms (e.g., per-CPU allocation), does not enable input/output (IO) sharing and is typically limited to high-end servers.
Hence, in many systems, limited points of containment in the system exist at the operating system process level and at the machine boundary of the operating system itself, but in between these levels, security controls such as Access Control Lists (ACLs) and privileges associated with the identity of the user running the application are used to control process access to resources. There are a number of drawbacks associated with this model. Because access to system resources is associated with the identity of the user running the application rather than with the application itself, the application may have access to more resources than the application needs. Because multiple applications can modify the same files, incompatibility between applications can result. There are a number of other well-known problems as well.
There is no known easy and robust solution using known mechanisms that enables applications to be isolated while still allowing controlled sharing of resources. It would be helpful if there were a mechanism that allowed an application, process, group of applications or group of processes running on a single machine to be isolated using a single operating system instance while enabling controlled sharing of resources.