Score
Packaging applications into images (Docker), running them with container runtimes (containerd), and orchestrating deployments at scale with Kubernetes (pods, services, Helm charts), including container networking, storage volumes, security contexts, and CI/CD integration for reproducible releases.
Addressing the escalating energy consumption and carbon emissions from large-model training and cloud service expansion, this paper investigates carbon-aware container scheduling. Through a systematic literature review, we present the first taxonomy of cloud-native schedulers—particularly Kubernetes—from an environmental sustainability perspective, integrating both hardware-centric and software-centric strategies. We propose the first comprehensive classification framework for cloud task scheduling explicitly targeting carbon reduction, explicitly characterizing each algorithm by its sustainability objective, optimization dimension, and technical approach. Our analysis identifies emerging trends—including dynamic carbon intensity awareness and multi-objective co-optimization—and highlights critical open challenges, such as real-time data-driven closed-loop control and cross-domain coordinated scheduling. This work provides theoretical foundations and practical guidelines for designing and standardizing low-carbon cloud systems.
Containerization enhances operational efficiency but intensifies multidimensional security challenges—including runtime protection, network isolation, configuration compliance, software supply chain security, and monitoring-response capabilities. To address these, this paper proposes a five-dimensional collaborative governance model for production-grade container security, deeply integrating DevSecOps across the entire lifecycle and transcending traditional perimeter-based defense paradigms. Methodologically, the model unifies eBPF-based real-time runtime detection, OCI image signature verification, SBOM-driven supply chain auditing, zero-trust network policy enforcement, and a tightly coupled Prometheus–Falco incident response mechanism. Evaluated on mainstream cloud-native platforms, the approach reduces critical misconfigurations by 92%, shortens mean vulnerability response time to 3.7 minutes, and enables construction of a CNCF Sig-Security-certified hardened baseline—delivering a practical, layered defense framework for containerized environments.
This work proposes CODECO, a framework designed to address the challenges of traditional centralized Kubernetes in federated edge environments, where heterogeneous infrastructure, device mobility, and multi-provider collaboration are prevalent. CODECO enables edge autonomy while preserving global consistency through co-orchestration of data, computation, and networking. It integrates a semantic application model, a partitioned federation mechanism, AI-driven scheduling decisions, and a hybrid governance model. Built upon an extended Kubernetes architecture, CODECO supports context-aware microservice deployment and adaptive management. The framework’s efficacy in orchestrating applications across complex federated edge-cloud scenarios is validated through a reproducible experimental platform, demonstrating its capability to efficiently manage dynamic and heterogeneous edge environments.
This study systematically reveals the significant impact of network misconfigurations on lateral movement attack risks in Kubernetes clusters. Addressing the limited coverage of existing detection tools, we propose a security assessment framework that integrates static configuration analysis with lateral movement path modeling. We conduct a large-scale, cross-organizational empirical study across 287 open-source applications, identifying— for the first time—634 real-world network misconfiguration vulnerabilities, far exceeding the detection capacity of mainstream tools. Our findings have driven remediation efforts in over 30 critical open-source projects; the proposed mitigation strategies have been adopted by multiple enterprises, substantially enhancing network isolation and overall security posture in production Kubernetes deployments.
Research on containerization in multi-cloud environments remains fragmented, lacking a systematic, up-to-date synthesis. Method: We conduct a Systematic Mapping Study (SMS) spanning 2013–2024, analyzing 121 high-quality publications through bibliometric analysis, thematic coding, and ISO/IEC 25010 quality attribute modeling. Contribution/Results: We propose the first four-level classification framework—“Theme–Strategy–Quality Attribute–Tactic”—identifying four core research themes, 98 implementation strategies, 10 critical quality attributes, and 47 corresponding architectural tactics. Innovatively, we introduce a two-dimensional challenge-solution taxonomy organized along Security, Automation, Deployment, and Monitoring dimensions. This yields the first structured, reusable landscape of multi-cloud containerization, bridging theoretical research and industrial practice by supporting architecture design and technology selection—thereby addressing a longstanding gap in systematic knowledge integration for this domain.
Although Docker is widely assumed to ensure reproducibility of software environments, its practical efficacy remains insufficiently validated. This study presents the first systematic investigation combining a literature review with large-scale empirical analysis of 5,298 real-world GitHub projects. By reconstructing Docker images, performing differential comparisons, and mining workflow patterns, we quantitatively assess the reproducibility of Docker builds and the effectiveness of recommended best practices. Our findings reveal that a significant proportion of Docker builds are not reproducible, and existing best practices offer limited improvements in practice. These results challenge the prevailing assumption that “containers guarantee reproducibility” and provide empirical evidence and actionable insights for enhancing reproducibility in computational research.
This study addresses the challenge of automating the deployment of multi-service containerized applications in heterogeneous edge-cloud environments, where minimizing manual intervention while ensuring performance guarantees remains difficult. The authors evaluate and validate the open-source CODECO toolkit’s orchestration capabilities across diverse hardware platforms—including ARM, AMD, and Raspberry Pi—and lightweight Kubernetes distributions such as k3s. Experimental results demonstrate that, compared to standard Kubernetes workflows, CODECO significantly reduces human intervention during deployment while maintaining competitive deployment efficiency, runtime performance, and manageable resource overhead. These findings highlight CODECO’s strong compatibility and its potential to lower operational complexity in edge-cloud collaborative deployments.
This study addresses the lack of systematic empirical investigation into how heterogeneous infrastructure affects Docker container startup latency—a critical gap that hinders performance optimization in CI/CD and serverless systems. For the first time, the container startup process is decomposed into fine-grained, quantifiable operations. Through 50 rounds of multidimensional benchmarking across three real-world heterogeneous environments—cloud SSD, cloud HDD, and macOS Docker Desktop—the work integrates key technologies including OverlayFS, Linux namespaces, volume mounts, and CPU throttling. The findings reveal several counterintuitive insights: runtime overhead dominates startup time, while image size has negligible impact (only 2.5% variation); HDDs incur 2.04× higher latency, Docker Desktop imposes a 2.69× penalty, and OverlayFS write performance degrades by two orders of magnitude. The complete toolchain and dataset are publicly released.
This work addresses the inefficiencies of traditional container images, which require separate builds for each target platform—leading to substantial storage and network overheads and complex maintenance, particularly for cross-platform machine learning applications in Python or R. To overcome these limitations, the authors propose a lazy-build approach featuring a novel intermediate representation format, CIR, which encapsulates only direct application dependency identifiers and defers platform-specific adaptation until deployment. At runtime, a lazy-builder dynamically assembles the complete dependency stack, effectively decoupling application code from the underlying execution environment. This design significantly streamlines multi-platform deployment workflows. Experimental results demonstrate that CIR-based images reduce image size by up to 95% compared to conventional approaches and accelerate deployment by 40–60%, outperforming mainstream container systems such as Docker, Buildah, and Apptainer.
This study presents the first systematic evaluation of the deployment feasibility of spiking neural networks (SNNs) in containerized edge environments. Focusing on resource- and energy-constrained virtual edge scenarios, we construct a testbed leveraging Docker Desktop, WSL2, and Windows 11 atop a single-node Kubernetes cluster orchestrated via K3d. We investigate end-to-end latency, throughput, classification accuracy, and concurrent behavior of SNN workloads under resource constraints and autoscaling conditions. Our findings reveal that SNNs are highly sensitive to CPU and memory availability: resource limitations substantially increase latency and reduce throughput, while classification accuracy remains stable. Furthermore, the default round-robin load-balancing strategy proves mismatched with SNNs’ long-duration inference tasks, leading to elevated tail latency. This work highlights the limitations of current stateless orchestration mechanisms in supporting neuromorphic computing paradigms.
This study addresses the deployment latency caused by delayed detection of newly pushed container images in continuous deployment workflows. To mitigate this issue, the authors construct an end-to-end continuous deployment pipeline based on FluxCD and, for the first time, integrate SyMon into a real-world FluxCD environment to enable runtime monitoring of logs from GitHub Actions, GitHub Container Registry, FluxCD, and Kubernetes applications. Experimental results demonstrate that FluxCD consistently detects new images within 10 minutes, although detection within 5 minutes is not always reliable. SyMon effectively enables near-real-time monitoring, thereby validating its feasibility and practicality in quantifying image detection latency and ensuring timely deployments.