Application Isolation

Background

Applications running on GEISA need isolation from each other so that a misbehaving or compromised application cannot affect another. Most operating systems provide some resource management and process isolation, but on their own these are not robust enough for GEISA.

There are several methods for providing advanced isolation including:

  • Containers

  • Virtual Machines / Hypervisors

  • Virtual Execution Environments (e.g. Java's JVM, Erlang's BEAM, .NET's CLR)

Amazon's Firecracker team published a whitepaper on their work (Agache et al., "Firecracker: Lightweight Virtualization for Serverless Applications", NSDI 2020) that includes a helpful discussion of the advantages and disadvantages of these approaches: containers share the host kernel and so expose a large attack surface, virtual machines isolate strongly but cost memory and start-up time, and language runtimes restrict applications to a single language and runtime.

Isolation Mechanism


Resource Management

A mechanism is needed to prioritize applications when there is resource contention. A mechanism is also needed to observe the total load on a device, so that the portfolio of installed applications can be managed against the device's capacity.

  • Define Container Resource Limits

    • CPU limit (% of CPU)

    • Memory Limit (in 1 KB units)

    • Storage Limit (in 1 KB units)

    • Allowed Network Bandwidth (ongoing limits in 1 KB/s units; burst limit in 1 KB units)

      • Ongoing Limit Outbound

      • Ongoing Limit Inbound

      • Burst Limit Outbound

    • Allowed Network Interfaces

      • HAN

      • LAN

  • Define Container Access Levels:

    • Level 0 - Read & Control - Core Features - Immutable

    • Level 1 - Read & Control - Utility

    • Level 2 - Read Only
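The limits and access levels above only isolate anything once they are turned into settings a container runtime enforces. The following is an added example, not GEISA's own code: it takes a profile with the fields listed above, translates the CPU and memory limits into cgroup v2 values, the bandwidth limits into tc shaping and policing commands on the container's host-side interfaces, checks requested operations against the access level, and sums a portfolio's demands against device capacity. The field names, the interface device names (han0, eth0), the 50 ms shaping latency, the reading of "immutable" as "the package cannot be replaced or removed", and the one-second inbound burst are all assumptions.

```python
"""Added example (not GEISA's own code): turn a GEISA-style application
resource profile into enforceable container settings and access checks.
Field names, device names and the policy interpretation are assumptions."""
from dataclasses import dataclass

KIB = 1024
CPU_PERIOD_US = 100_000                         # cgroup v2 cpu.max period (100 ms)
ALLOWED_INTERFACES = frozenset({"HAN", "LAN"})  # the two interfaces in the spec
IFACE_DEVICE = {"HAN": "han0", "LAN": "eth0"}   # assumed host-side veth names
SHAPING_LATENCY = "50ms"                        # assumed tbf queue latency

# Access levels from the spec. "Immutable" is read here as: a Level 0 package
# may not be replaced or removed after install (interpretation, not stated).
ACCESS_LEVELS = {0: {"read", "control"}, 1: {"read", "control"}, 2: {"read"}}


@dataclass(frozen=True)
class ResourceProfile:
    cpu_percent: int          # % of one CPU; 100 == one full core
    memory_kib: int           # memory limit in 1 KiB units
    storage_kib: int          # storage limit in 1 KiB units (volume size)
    outbound_kib_s: int       # ongoing outbound bandwidth, KiB per second
    inbound_kib_s: int        # ongoing inbound bandwidth, KiB per second
    outbound_burst_kib: int   # outbound burst allowance, KiB
    interfaces: frozenset     # subset of ALLOWED_INTERFACES
    access_level: int         # 0, 1 or 2


def validate(p: ResourceProfile) -> None:
    """Reject profiles that cannot be enforced or that escape the spec."""
    for name in ("cpu_percent", "memory_kib", "storage_kib",
                 "outbound_kib_s", "inbound_kib_s", "outbound_burst_kib"):
        if getattr(p, name) <= 0:
            raise ValueError(f"{name} must be positive")
    if not p.interfaces <= ALLOWED_INTERFACES:
        raise ValueError(f"unknown interfaces: {sorted(p.interfaces - ALLOWED_INTERFACES)}")
    if p.access_level not in ACCESS_LEVELS:
        raise ValueError(f"unknown access level {p.access_level}")


def is_valid(p: ResourceProfile) -> bool:
    try:
        validate(p)
        return True
    except ValueError:
        return False


def cgroup_v2_settings(p: ResourceProfile) -> dict:
    """cgroup v2 control-file values; a runtime writes these into the app's cgroup."""
    validate(p)
    quota_us = p.cpu_percent * CPU_PERIOD_US // 100     # 25 % -> 25 ms per 100 ms
    return {
        "cpu.max": f"{quota_us} {CPU_PERIOD_US}",
        "memory.max": str(p.memory_kib * KIB),           # hard limit in bytes
        "memory.swap.max": "0",                          # no swap: the limit is the limit
    }


def tc_commands(p: ResourceProfile) -> list:
    """Egress shaping (tbf) and ingress policing per allowed interface.
    Rates are emitted in bits and bursts in bytes to avoid tc's ambiguous
    kbit/kbps suffixes. Interfaces not in the profile get no commands because
    the container should not see them at all (network namespace)."""
    validate(p)
    out_bit = p.outbound_kib_s * KIB * 8
    in_bit = p.inbound_kib_s * KIB * 8
    burst_b = p.outbound_burst_kib * KIB
    in_burst_b = in_bit // 8      # assumed: one second of inbound traffic (spec has no inbound burst)
    cmds = []
    for name in sorted(p.interfaces):
        dev = IFACE_DEVICE[name]
        cmds.append(f"tc qdisc add dev {dev} root tbf rate {out_bit}bit "
                    f"burst {burst_b}b latency {SHAPING_LATENCY}")
        cmds.append(f"tc qdisc add dev {dev} ingress")
        cmds.append(f"tc filter add dev {dev} parent ffff: matchall action police "
                    f"rate {in_bit}bit burst {in_burst_b}b conform-exceed drop")
    return cmds


def operation_allowed(level: int, operation: str) -> bool:
    """True if an app at this access level may perform 'read' or 'control'."""
    return operation in ACCESS_LEVELS[level]


def package_replaceable(level: int) -> bool:
    """Level 0 (core features) is immutable; other levels may be updated or removed."""
    return level != 0


def portfolio_load(profiles, device_cpu_percent: int, device_memory_kib: int) -> dict:
    """Sum the declared demand of installed apps against device capacity, so
    over-commitment is visible before a new app is admitted."""
    cpu = sum(p.cpu_percent for p in profiles)
    mem = sum(p.memory_kib for p in profiles)
    return {"cpu_percent": cpu, "memory_kib": mem,
            "cpu_overcommitted": cpu > device_cpu_percent,
            "memory_overcommitted": mem > device_memory_kib}


if __name__ == "__main__":
    app = ResourceProfile(25, 65536, 1048576, 64, 128, 256, frozenset({"LAN"}), 1)
    print(cgroup_v2_settings(app))
    print("\n".join(tc_commands(app)))
    print(portfolio_load([app, app], device_cpu_percent=200, device_memory_kib=262144))
```

The `cpu.max` and `memory.max` strings are exactly what a runtime writes to the application's cgroup directory; the tc commands apply to the host side of the container's veth, so the application cannot undo them from inside its namespace.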