Accelerating FaaS/container Image Construction via IPU

NOTE: this paper was developed by Ziye Yang, a Staff Software Engineer at Intel and is being presented by colleague Yadong Li, a Principal Engineer in the Ethernet Products Group at Intel. In many usage cases, FaaS applications usually run or deployed in container/Virtual machine environment for isolation purpose. So, one of the challenges is how to quickly construct the execution environment for FaaS, which can be divided into two parts: Running time Execution environments (VM, container, process) and image/file systems(including code, libraries) construction or provisioning for running FaaS. To accelerate the cold start of FaaS, we can clearly see that there can be lots of work to optimize in these two parts. In this talk, we propose a novel approach to construct the FaaS’s image construction environment via IPU (infrastructure processing unit) instead of optimizing it in host. With our approach, there are the following benefits: 1 Performance and resource benefit, i.e., We reduce the image construction resource overhead in the host side; 2 Security benefits, i.e., When the images area constructed by IPU, IPU can present the images through VF/PF devices to the host. And the host can directly hotplug (including hot attach/detach) the devices to VM/containers, then mount the device to a specific mounting mount. And after the execution of the FaaS application, the IPU can immediately hot remove the devices from the host. Then the sensitive information leak can be avoided.