Patents by Inventor Mark Eugene Russinovich

Mark Eugene Russinovich has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 9871857
    Abstract: In various embodiments, methods and systems for optimizing allocation of dynamic resources are provided. A user service request resource instance is received at an allocator. The user service request resource instance is based on a dynamic resource protocol that supports generating and communicating resource instances between components in a resource allocation platform. The dynamic resource protocol also defines a set of rules for translating and representing resources as logical resource types and logical units. At a node, a node resource instance is generated and communicated, based on the dynamic resource protocol, from the node to the allocator. The node resource instance specifically comprises a resource interaction matrix that indicates dependencies between resource types. A resource allocation instance is generated at the allocator for the user service request resource instance.
    Type: Grant
    Filed: April 29, 2015
    Date of Patent: January 16, 2018
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Mark Eugene Russinovich, James E. Johnson, Ajay Mani, Bryan Tuttle, Alejandro Matute Gonzalez, Huy Vu-Bao Hoang
  • Publication number: 20170033930
    Abstract: Techniques to secure computation data in a computing environment from untrusted code. These techniques involve an isolated environment within the computing environment and an application programming interface (API) component to execute a key exchange protocol that ensures data integrity and data confidentiality for data communicated out of the isolated environment. The isolated environment includes an isolated memory region to store a code package. The key exchange protocol further involves a verification process for the code package stored in the isolated environment to determine whether the one or more exchanged encryption keys have been compromised. If the signature successfully authenticates the one or more keys, a secure communication channel is established to the isolated environment and access to the code package's functionality is enabled. Other embodiments are described and claimed.
    Type: Application
    Filed: September 25, 2015
    Publication date: February 2, 2017
    Applicant: Microsoft Technology Licensing, LLC
    Inventors: Manuel Costa, Orion Tamlin Hodson, Sriram Kottarakurichi Rajamani, Marcus Peinado, Mark Eugene Russinovich, Kapil Vaswani
  • Publication number: 20160323374
    Abstract: In various embodiments, methods and systems for optimizing allocation of dynamic resources are provided. A user service request resource instance is received at an allocator. The user service request resource instance is based on a dynamic resource protocol that supports generating and communicating resource instances between components in a resource allocation platform. The dynamic resource protocol also defines a set of rules for translating and representing resources as logical resource types and logical units. At a node, a node resource instance is generated and communicated, based on the dynamic resource protocol, from the node to the allocator. The node resource instance specifically comprises a resource interaction matrix that indicates dependencies between resource types. A resource allocation instance is generated at the allocator for the user service request resource instance.
    Type: Application
    Filed: April 29, 2015
    Publication date: November 3, 2016
    Inventors: Mark Eugene Russinovich, James E. Johnson, Ajay Mani, Bryan Tuttle, Alejandro Matute Gonzalez, Huy Vu-Bao Hoang
  • Patent number: 9419859
    Abstract: The techniques and arrangements described herein provide for updating services, host operating systems and other applications while satisfying update domain constraints. In some examples, one or more controller modules may maintain a data structure including a plurality of server update domains, each server update domain including a set of machines of a plurality of machines of a distributed computing system which may be concurrently updated. The one or more controller modules may allocate the plurality of instances to the plurality of machines such that a number of server update domains is minimized.
    Type: Grant
    Filed: December 4, 2012
    Date of Patent: August 16, 2016
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Thomas Moscibroda, Zhengping Qian, Mark Eugene Russinovich, Xiangyao Yu, Jiaxing Zhang, Feng Zhao
  • Publication number: 20150379297
    Abstract: Systems, methods, and computer-readable storage media are provided for securely storing and accessing content within a public cloud. A processor manufacturer provides processors having secure enclave capability to a cloud provider. The provider makes available a listing of processor identifiers (CPUIDs) for processors available for storing content and having secure enclave capability. A content owner provides CPUIDs for desired processors from the listing to the manufacturer which provides the content owner with a processor-specific public code encryption key (CEK) for encrypting content to be stored on each processor identified. Each processor is constructed such that content encrypted with the public CEK may only be decrypted within a secure enclave thereof. The content owner encrypts the desired content with the public CEK and returns the encrypted content and the CPUID for the appropriate processor to the cloud provider. The cloud provider then stores the encrypted content on the particular processor.
    Type: Application
    Filed: June 30, 2014
    Publication date: December 31, 2015
    Inventors: Galen Clyde Hunt, Mark Eugene Russinovich
  • Patent number: 9110762
    Abstract: Techniques are described for updating a host operating system on a server while maintaining virtual machines running on the server. An updated host operating system is copied to the server. The currently active host operating system freezes the virtual machines but leaves them resident in RAM. The allocations and state for each virtual machine are copied to RAM or local storage. The active host operating system is shut down. Instead of issuing a command to reboot the server after it finishes shutting down, the active host operating system transfers execution to a loader. The loader reads the kernel of the updated host operating system into RAM along with an allocation map for the virtual machines and instructions to resume the virtual machines. The loader transfers execution to the updated host operating system entry point, and the updated host operating system loads the states of the virtual machines and resumes them.
    Type: Grant
    Filed: December 4, 2012
    Date of Patent: August 18, 2015
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Mark Eugene Russinovich, Melur K. Raghuraman
  • Patent number: 8990562
    Abstract: An invention is described for securely deploying a provable identity for virtual machines (VMs) in a dynamic environment. In an embodiment, a fabric controller instructs a VM host to create a VM and sends that VM a secret. The fabric controller sends that same secret (or a second secret, such as the private key of a public/private key pair) to the security token service along with an instruction to make an account for the VM. The VM presents proof that it possesses the secret to the security token service and in return receives a full token. When a client connects to the deployment, it receives the public key from the security token service, which it trusts, and the full token from the VM. It validates the full token with the public key to determine that the VM has the identity that it purports to have.
    Type: Grant
    Filed: October 8, 2010
    Date of Patent: March 24, 2015
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Ian Jirka, Kahren Tevosyan, Corey Sanders, George M. Moore, Mohit Srivastava, Mark Eugene Russinovich
  • Publication number: 20140156847
    Abstract: The techniques and arrangements described herein provide for updating services, host operating systems and other applications while satisfying update domain constraints. In some examples, one or more controller modules may maintain a data structure including a plurality of server update domains, each server update domain including a set of machines of a plurality of machines of a distributed computing system which may be concurrently updated. The one or more controller modules may allocate the plurality of instances to the plurality of machines such that a number of server update domains is minimized.
    Type: Application
    Filed: December 4, 2012
    Publication date: June 5, 2014
    Applicant: Microsoft Corporation
    Inventors: Thomas Moscibroda, Zhengping Qian, Mark Eugene Russinovich, Xiangyao Yu, Jiaxing Zhang, Feng Zhao
  • Publication number: 20140157264
    Abstract: Techniques are described for updating a host operating system on a server while maintaining virtual machines running on the server. An updated host operating system is copied to the server. The currently active host operating system freezes the virtual machines but leaves them resident in RAM. The allocations and state for each virtual machine are copied to RAM or local storage. The active host operating system is shut down. Instead of issuing a command to reboot the server after it finishes shutting down, the active host operating system transfers execution to a loader. The loader reads the kernel of the updated host operating system into RAM along with an allocation map for the virtual machines and instructions to resume the virtual machines. The loader transfers execution to the updated host operating system entry point, and the updated host operating system loads the states of the virtual machines and resumes them.
    Type: Application
    Filed: December 4, 2012
    Publication date: June 5, 2014
    Applicant: Microsoft Corporation
    Inventors: Mark Eugene Russinovich, Melur K. Raghuraman
  • Publication number: 20120089833
    Abstract: An invention is described for securely deploying a provable identity for virtual machines (VMs) in a dynamic environment. In an embodiment, a fabric controller instructs a VM host to create a VM and sends that VM a secret. The fabric controller sends that same secret (or a second secret, such as the private key of a public/private key pair) to the security token service along with an instruction to make an account for the VM. The VM presents proof that it possesses the secret to the security token service and in return receives a full token. When a client connects to the deployment, it receives the public key from the security token service, which it trusts, and the full token from the VM. It validates the full token with the public key to determine that the VM has the identity that it purports to have.
    Type: Application
    Filed: October 8, 2010
    Publication date: April 12, 2012
    Applicant: Microsoft Corporation
    Inventors: Ian Jirka, Kahren Tevosyan, Corey Sanders, George M. Moore, Mohit Srivastava, Mark Eugene Russinovich