Container storage.

Fast and secure.

Combine the efficiency of containers with the isolation and sharing semantics of a dedicated per-tenant operating system.

We develop systems software to enable the fast execution, stable performance, fault tolerance and resource efficiency of data-intensive containers in multitenant cloud infrastructures. Our patent-pending technology can be used by either cloud providers or infrastructure customers to improve the quality of service in latency-sensitive applications when they are colocated on shared machines.

Polytropo overview


Polytropo offers to cloud providers increased performance at high utilization, predictable latency and throughput, better scalability over multicore machines and low-latency devices, higher energy efficiency by reducing the number of the powered machines in the cloud infrastructures, improved reliability by dedicating distinct services to the different tenants instead of having them share the same modules of the kernel. The benefits transfer to the data-intensive applications of the tenants (e.g., web services, big-data analytics) and lower the cost of cloud computing.

stability icon


Our technology combines the strong isolation offered by Virtual Machines with the low overhead offered by running containers natively on bare-metal servers. Tenants benefit from predictable behavior because each one depends on private resources and software components. Practically, this means that the throughput and latency perceived by the end users can be configured through the allocated resources and the running software rather than being affected by the activity of neighboring tenants.

performance icon


Our technology increases the efficiency of management and access of cloud resources. Tenants benefit from better performance by avoiding the frequent crossings of the system kernel during container storage access. The container applications access critical I/O services at user level and avoid possible hot spots on shared operating system components. Providers can offer increased performance at high utilization, without worrying for performance variations when the containers of their tenants run natively on shared machines.

security icon


Our technology hardens the system security because we minimize the reliance on the common attack surface of the operating-system kernel. Known container vulnerabilities arise from container escapes to the kernel software. We prohibit such attacks by serving the containers with private service implementations that are distinct per tenant and run at user level outside the system kernel.

flexibility icon


We provide management simplicity through a unified framework that stores both the container images and application data of a tenant primarily over a distributed filesystem, or block volumes if necessary. Our technology also allows each tenant to identify one's own needs and tailor the storage system accordingly with distinct settigns per wokload type.

elasticity icon


Our technology achieves resource elasticity because the software infrastructure of each tenant can be deployed dynamically over containers. This includes not only the applications, but also the client and server side of distributed storage systems and other facilities (e.g., storage engine, local filesystem, network stack software).

cost icon

Cost Optimization

By adopting our technology, the cloud providers may achieve lower operating costs for serving a number of customers. The cloud customers can directly use our technology to efficiently manage the infrastructure resources that they rent. The improved efficiency of the utilized resources can reduce the amount of rented servers and their total yearly costs.


The resource contention in public or private clouds is an unpredictable condition that often undermines the performance stability of the cloud-based services. The problem arises in the computing, network and storage resources of the cloud machines, shared across competing tenants.
With the prevalence of software containers, the system kernel of a machine is contended among the colocated tenants. As a result, the hardware resources along with the software modules used by the kernel can become bottlenecks in the application execution. Moreover, the shared software modules of a system kernel raise security issues, as possible bugs or vulnerabilities of the kernel software can be exploited by a tenant to control the shared resources of the machine and undermine the confidentiality or integrity of the applications executed by other colocated tenants.
The applications in the cloud typically run on client machines that access server machines over the datacenter network In existing infrastructures, the applications run inside containers over the shared operating system of each client machine. Correspondingly, the server machines run common services (e.g., distributed storage) that are shared across the different tenants.

Legacy cloud

We have built functional prototypes of our innovative architecture that address the above problems at a considerable degree. Our key idea is to move parts of the system kernel to user level and provide separate instances of critical services to each tenant on every machine. Accordingly, we have come up with a unified architecture that allows each tenant to run both the applications and I/O services at user level on exclusively reserved resources (e.g., cores, memory, network ports) and avoid contention with colocated entities.

Polytropo cloud

The application and server containers run at user level and access over user-level interprocess communication their local services. The local services themselves run at user level and provide access to local devices, such as storage, network and accelerator cards. In our architecture, we devote to each tenant its own application and server containers along with their interprocess-communication and local services. We build the local services using the libservices framework in order to ensure that they run efficiently at user -level



Stergios Anastasiadis

Stergios Anastasiadis, PhD


Stergios is Director of the Computer Systems Lab and Professor at the Department of Computer Science and Engineering, University of Ioannina, Greece. In the past, he held visiting positions at University of Cambridge, UK, EPFL, Switzerland, Duke University, NC, USA and HP Labs, CA, USA. His research interests include operating systems, data storage and cloud computing. He received MSc and PhD degrees in Computer Science from the University of Toronto, Canada.

Giorgos Kappes

Giorgos Kappes, PhD


Giorgos is a postdoctoral researcher in the Department of Computer Science and Engineering at the University of Ioannina, Greece. His research activities include the design, implementation, optimization, and evaluation of user-level services for multitenant cloud environments. His research interests include operating systems, data storage, and security. He received Bsc, Msc, and PhD degrees in Computer Science from the Univesity of Ioannina, Greece. Giorgos Designed and developed the Polytropo technology stack as part of his PhD.

Learn More

At Polytropo we design and implement software that can be used at the cloud infrastructure to provide data storage services. The added value comes from our general framework that connects together the applications with the storage clients and servers for high performance and efficiency, but also because it allows the execution of the clients and servers at user level for improved isolation. The design of the software architecture along with the components that we developed for fast request and data transfer are part of a patent application that we filed with the USPTO. Our contribution is demonstrated through published research papers with experimental systems work in top conferences and journals of the ACM and IEEE organizations.

Danaus: Isolation and Efficiency of Container I/O at the Client Side of Network Storage

ACM Middleware, 2021

This paper introduces the Danaus client architecture to let each tenant access the container root and application filesystems over a private host path. We developed a Danaus prototype that integrates a union filesystem with a Ceph distributed filesystem client and a configurable shared cache. Across different host configurations, workloads and systems, Danaus achieves improved performance stability because it handles I/O with reserved pertenant resources and avoids intensive kernel locking.

Asterope: A Cross-Platform Optimization Method for Fast Memory Copy


This paper introduces a methodology based on exhaustive search to optimize the performance across different platforms. We design and implement the Asterope algorithm to experimentally generate optimal memcpy parameters for two x86-64 processor models from different vendors. With experiments on microbenchmarks and two production systems, we demonstrate that Asterope respectively achieves up to 2.4x and 1.9x higher function and system performance in comparison to using the Linux kernel memcpy.

A Lock-free Relaxed Concurrent Queue for Fast Work Distribution

ACM PPoPP, 2021

In this paper we define a relaxed ordering model that splits the queue operations into two stages, the sequential assignment to queue slots and their subsequent concurrent execution. Based on this model, we design and implement the linearizable and lock-free algorithm called Relaxed Concurrent Queue Single (RCQS). We experimentally show that RCQS achieves factors to orders of magnitude advantage over the state-of-the-art queue algorithms in operation latency and item transfer speed.

A User-level Toolkit for Storage I/O Isolation on Multitenant Hosts

ACM SoCC, 2020

This paper introduces the Polytropon toolkit as a collection of user-level components configurable to build several types of filesystems. The toolkit provides an application library to invoke the standard I/O calls, a user-level path to isolate the tenant I/O traffic to private host resources, and user-level filesystem services distinct per tenant. Polytropon serves 32 tenants with RocksDB over network storage with 7.2-14x lower latency than kernel systems, and reduces up to 2.9x the timespan to execute source-code processing in the containers of 32 tenants.

Libservices: Dynamic Storage Provisioning for Multitenant I/O Isolation

ACM APSys, 2020

In this paper we propose to isolate the I/O path of each tenant by running dedicated storage systems at user level on reserved resources. We introduce the libservices as a unified user-level storage abstraction to dynamically provision per tenant container root filesystems, application data filesystems and image repositories. We outline several examples of container storage systems whose clients and servers can be composed from libservices. We demonstrate efficiency, flexibility, and performance advantage of a distributed filesystem built with libservices over existing user-level or kernel-level approaches.

Multitenant Access Control for Cloud-Aware Distributed Filesystems


The scalable deployment of filesystems in such environments is challenging due to intermediate translation layers required for networked file access or identity management. First we define the entities involved in a multitenant filesystem and present relevant security requirements. Then we introduce the design of the Dike authorization architecture. It combines native access control with tenant namespace isolation and compatibility to object-based filesystems. We introduce secure protocols to authenticate the participating entities and authorize the data access over the network.