Score
Packaging and running applications in containerized environments involves authoring Dockerfiles, building layered images, managing registries and container lifecycle, and using networking/volume primitives to deploy portable, isolated workloads on hosts or orchestrators like Kubernetes.
Addressing the escalating energy consumption and carbon emissions from large-model training and cloud service expansion, this paper investigates carbon-aware container scheduling. Through a systematic literature review, we present the first taxonomy of cloud-native schedulers—particularly Kubernetes—from an environmental sustainability perspective, integrating both hardware-centric and software-centric strategies. We propose the first comprehensive classification framework for cloud task scheduling explicitly targeting carbon reduction, explicitly characterizing each algorithm by its sustainability objective, optimization dimension, and technical approach. Our analysis identifies emerging trends—including dynamic carbon intensity awareness and multi-objective co-optimization—and highlights critical open challenges, such as real-time data-driven closed-loop control and cross-domain coordinated scheduling. This work provides theoretical foundations and practical guidelines for designing and standardizing low-carbon cloud systems.
Containerization enhances operational efficiency but intensifies multidimensional security challenges—including runtime protection, network isolation, configuration compliance, software supply chain security, and monitoring-response capabilities. To address these, this paper proposes a five-dimensional collaborative governance model for production-grade container security, deeply integrating DevSecOps across the entire lifecycle and transcending traditional perimeter-based defense paradigms. Methodologically, the model unifies eBPF-based real-time runtime detection, OCI image signature verification, SBOM-driven supply chain auditing, zero-trust network policy enforcement, and a tightly coupled Prometheus–Falco incident response mechanism. Evaluated on mainstream cloud-native platforms, the approach reduces critical misconfigurations by 92%, shortens mean vulnerability response time to 3.7 minutes, and enables construction of a CNCF Sig-Security-certified hardened baseline—delivering a practical, layered defense framework for containerized environments.
To address the challenges of difficult development and debugging, complex integration testing environments, and high pedagogical barriers in the GlideinWMS distributed system, this paper proposes the “Workspace Container” methodology—a unified, lightweight, containerized environment for development and education. Built upon a multi-container architecture—including Factory, Frontend, compute nodes, and batch systems—it integrates Docker and VS Code to enable one-click local deployment, offline debugging, and seamless IDE collaboration. The key contribution lies in abstracting development, testing, and teaching workflows into reusable, composable, standardized container units, thereby substantially reducing onboarding overhead for new users. Empirical validation across multiple workshops confirms that the full system runs efficiently on commodity laptops, accelerates development and debugging cycles, and significantly improves instructional interactivity and experimental reproducibility.
Research on containerization in multi-cloud environments remains fragmented, lacking a systematic, up-to-date synthesis. Method: We conduct a Systematic Mapping Study (SMS) spanning 2013–2024, analyzing 121 high-quality publications through bibliometric analysis, thematic coding, and ISO/IEC 25010 quality attribute modeling. Contribution/Results: We propose the first four-level classification framework—“Theme–Strategy–Quality Attribute–Tactic”—identifying four core research themes, 98 implementation strategies, 10 critical quality attributes, and 47 corresponding architectural tactics. Innovatively, we introduce a two-dimensional challenge-solution taxonomy organized along Security, Automation, Deployment, and Monitoring dimensions. This yields the first structured, reusable landscape of multi-cloud containerization, bridging theoretical research and industrial practice by supporting architecture design and technology selection—thereby addressing a longstanding gap in systematic knowledge integration for this domain.
This study addresses prolonged task completion times, low resource utilization, and high resource release latency in Docker/Kubernetes containers on cloud-native platforms running compute-intensive workloads (e.g., big data and deep learning). We systematically evaluate the performance impact of diverse resource scheduling strategies through system-level monitoring—leveraging cgroups and metrics-server—and multi-workload stress testing. For the first time, we empirically quantify how key resource configurations significantly affect task completion time (±79.4% variation) and resource release latency (+116.7% degradation). Based on these findings, we propose an evidence-driven configuration optimization paradigm that reduces maximum task completion time by up to 79.4% and precisely identifies configuration bottlenecks responsible for latency. Our results provide reproducible, transferable empirical foundations for resource management tuning and deployment decisions in cloud-native environments.
Although Docker is widely assumed to ensure reproducibility of software environments, its practical efficacy remains insufficiently validated. This study presents the first systematic investigation combining a literature review with large-scale empirical analysis of 5,298 real-world GitHub projects. By reconstructing Docker images, performing differential comparisons, and mining workflow patterns, we quantitatively assess the reproducibility of Docker builds and the effectiveness of recommended best practices. Our findings reveal that a significant proportion of Docker builds are not reproducible, and existing best practices offer limited improvements in practice. These results challenge the prevailing assumption that “containers guarantee reproducibility” and provide empirical evidence and actionable insights for enhancing reproducibility in computational research.
Existing container solutions for resource-constrained microcontrollers lack runtime dynamic configurability, making them ill-suited for multi-tenant scenarios in dynamic heterogeneous environments. This work proposes and implements a lightweight container runtime middleware that, for the first time, enables container-granularity dynamic scheduling and fine-grained resource access control on Cortex-M microcontrollers. The system employs a metadata-driven architecture and a runtime abstraction layer, ensuring compatibility with execution environments such as RIOT OS and integrating WebAssembly via WAMR. Experimental results on mainstream IoT development boards demonstrate that container-to-host service invocation incurs less than 4 ms of overhead. Furthermore, the system successfully validates a novel application paradigm in TinyML contexts, where native RTOS executes inference while containers retain model weights.
This work addresses the inefficiencies of traditional container images, which require separate builds for each target platform—leading to substantial storage and network overheads and complex maintenance, particularly for cross-platform machine learning applications in Python or R. To overcome these limitations, the authors propose a lazy-build approach featuring a novel intermediate representation format, CIR, which encapsulates only direct application dependency identifiers and defers platform-specific adaptation until deployment. At runtime, a lazy-builder dynamically assembles the complete dependency stack, effectively decoupling application code from the underlying execution environment. This design significantly streamlines multi-platform deployment workflows. Experimental results demonstrate that CIR-based images reduce image size by up to 95% compared to conventional approaches and accelerate deployment by 40–60%, outperforming mainstream container systems such as Docker, Buildah, and Apptainer.
Modern software systems face a codebase organization dilemma: monorepos ensure consistency but suffer from poor scalability and complex toolchains, whereas multi-repos improve modularity at the cost of increased dependency coordination and integration overhead. To address this, we propose Causify Dev—a novel development system introducing the “Runnable Directory” paradigm, wherein each directory functions as an isolated, self-contained execution unit with its own dependencies and full lifecycle management. Leveraging lightweight unified development environments and containerized workflows—built on Docker, standardized CI/CD pipelines, and shared utility libraries—the system achieves end-to-end decoupled collaboration while preserving monorepo-level consistency and multi-repo-style modularity. Empirical evaluation demonstrates that Causify Dev significantly enhances reliability, maintainability, and engineering scalability for large-scale codebases, while simultaneously reducing toolchain complexity and cross-team coordination costs.
This work proposes CODECO, a framework designed to address the challenges of traditional centralized Kubernetes in federated edge environments, where heterogeneous infrastructure, device mobility, and multi-provider collaboration are prevalent. CODECO enables edge autonomy while preserving global consistency through co-orchestration of data, computation, and networking. It integrates a semantic application model, a partitioned federation mechanism, AI-driven scheduling decisions, and a hybrid governance model. Built upon an extended Kubernetes architecture, CODECO supports context-aware microservice deployment and adaptive management. The framework’s efficacy in orchestrating applications across complex federated edge-cloud scenarios is validated through a reproducible experimental platform, demonstrating its capability to efficiently manage dynamic and heterogeneous edge environments.
This paper addresses the challenge of balancing security and functional availability in container security policy enforcement. We propose an environment-aware, automated policy generation method that leverages eBPF-based kernel monitoring and multi-environment dynamic analysis to faithfully reconstruct runtime contexts—thereby uncovering implicit execution paths missed by conventional static or lightweight analysis. Our approach introduces a dual-dimension scoring mechanism (security vs. functionality) and a heuristic environment exploration strategy to enable customizable policy optimization. Evaluation across the Top 15 containers shows that our method identifies 16.5% more system calls on average than baseline approaches, covers 45 known vulnerability-related risks, and successfully blocks exploitation attempts for two representative vulnerabilities—CVE-2022-23648 and CVE-2023-2728—demonstrating substantial attack surface reduction.