Isolation with Flexibility: A Resource Management Framework for Central Servers

Isolation with Flexibility:
A Resource Management Framework for Central Servers

David G. Sullivan, Margo I. Seltzer
Division of Engineering and Applied Sciences
Harvard University, Cambridge, MA 02138
{sullivan,margo}@eecs.harvard.edu

6. Related Work

In addition to lottery scheduling, other frameworks can be used to provide proportional-share management of multiple resources. In particular, Rialto's activities [Jon97], Eclipse's reservation domains [Bru98, Bru99a], Verghese et al.'s Software Performance Units (SPUs) [Ver98], and Banga et al.'s resource containers [Ban99] function similarly to currencies in their ability to isolate resource principals from each other.

Reservation domains and resource containers also share lottery scheduling's ability to support hierarchical resource management. However, the hierarchies supported by reservation domains are limited to a tree-shaped structure in which the resource shares of non-leaf domains are divided among their children. As discussed in Section 2.1, lottery scheduling allows resource principals to be funded by more than one currency and to thus share the resource rights of multiple currencies. Resource containers similarly allow threads to be multiplexed over several containers and to receive their combined allocations.

Moreover, most of these alternative frameworks only support hard shares; resource principals that lack a reservation either share the remaining CPU capacity equally (as in Rialto and Eclipse) or are scheduled according to a traditional time-sharing scheduling discipline. Lottery scheduling, on the other hand, can support both hard and soft shares. In their prototype implementation, resource containers were used with both fixed-share CPU guarantees and time-sharing, but they could potentially be used to support soft proportional-share guarantees as well.

The alternative approaches do provide advantages over our lottery-scheduling framework. In particular, activities and resource containers offer finer-grained resource management, addressing applications such as Web servers in which a single thread is associated with more than one independent activity. In addition, resource containers account for kernel-mode processing done on behalf of an activity. We plan to extend our lottery-scheduling framework to support these features.

Regardless of the framework used to provide proportional-share resource management, the need to isolate resource principals from each other necessarily involves imposing limits on allocations of the types described in Sections 3.1 and 3.3. Principals restricted to a particular activity, reservation domain, SPU, or resource container cannot obtain more than their group's overall resource rights. If only one principal in a group is actively competing for a reserved resource, it will receive the entire reservation, even if it would be preferable for it to receive less than that amount. Mechanisms like ticket exchanges would be needed to allow these frameworks to provide more flexible resource allocation while preserving secure isolation.

Verghese et al.'s work on SPUs explicitly addresses the need to provide both secure isolation and flexible allocation. However, their system starts by giving absolute resource shares to each SPU, and it gains added flexibility by dividing unused portions of these shares among SPUs that need additional resources. The original lottery-scheduling framework naturally supports this type of resource sharing by deactivating the tickets of idle tasks. Our extended framework provides added flexibility through ticket exchanges and a utility that emulates the semantics of nice. One advantage of SPUs is that they were designed for use with shared-memory multiprocessors. Extending the lottery-scheduling framework for use with SMPs remains future work.

Other systems have allowed applications to negotiate their resource usage with the operating system [Jon95, Nob97]. Our extended lottery-scheduling framework lets applications coordinate their resource usage with each other, as well as with the system as a whole.

Besides Waldspurger's own prototypes, others have implemented portions of the lottery-scheduling framework [Arp97, Nie97]. Petrou et al. [Pet99] retrofitted lottery scheduling into FreeBSD to schedule the CPU, extending the framework to better support interactive jobs. VINO currently has a small, 10-ms quantum, so such extensions have not been needed in our prototype. Petrou et al. also suggest an alternative approach to overcoming the lower limits that currencies impose.

As discussed in Section 4.4, our scheme for managing memory is a temporary one. The Nemesis operating system [Han99] provides a more complete solution that also allows applications to obtain guaranteed memory shares. Nemesis ensures complete isolation by requiring that applications handle their own page faults.

[top | prev | next]