Abstract: Methods, systems, and computer-storage media having computer-executable instructions embodied thereon that, when executed, perform methods in accordance with embodiments hereof, for managing component programs within a service application according to a service model. Initially, configuration settings, which can be administered to the component programs, are extracted from the service model. An instantiation process is initiated to manage the service application in accordance with the changes to a level of load on the service application and/or to specifications within the service model. The instantiation process includes deploying, or identifying as available, the component programs within the data center, and automatically propagating formalized values derived from the configuration settings throughout the deployed component programs. These derived formalized values are installed into the component programs, thereby providing for functionality of the service application consistent with the service model.

Abstract: Software deployment to server nodes within large-scale networked systems is provided using image-based deployment. A mostly immutable image is provided at a central service and transferred from the central service to the server nodes. The image includes a base image, which is immutable, and a delta image, which is writable and provides role-specific and/or node-specific state to the base portion. When a server node receives an image from the central server, the server node stores the image intact without installation. The server node then runs software directly from the stored image.

Abstract: When a process running in an isolated execution environment is started by a user, the credentials of the user are associated with a naming environment for the isolated execution environment. The isolated execution environment may be implemented via creation of a namespace representing resources available to one or more processes running within the isolated execution environment. The resources available to the isolated processes may represent some subset of global resources. When a request to access a named resource is received, the request is mediated by the operating system. Access, if provided, may be provided via the naming environment associated with the isolated execution environment. The operating system determines whether to grant or deny access to the resource by checking the credentials associated with the naming environment with the ACL of the resource.

Abstract: An intra-operating system isolation mechanism called a silo provides for the grouping and isolation of processes running on a single computer using a single instance of the operating system. The operating system enables the controlled sharing of resources by providing a view of a system name space to processes executing within an isolated application called a server silo. A server silo is created by performing a separate “mini-boot” of user-level services within the server silo. The single OS image serving the computer employs the mechanism of name space containment to constrain which server silos can use which resource(s). Restricting access to resources is therefore directly based on the process or application placed in the server silo rather than who is running the application because if a process or application is unable to resolve a name used to access a resource, it will be unable to use the resource.

Abstract: An operating system architecture is based on a service model in which active entities (services) are containers for objects having a number of interfaces specified through a contract language that is a subset of the language in which the service is coded. Services may reside in the same address space or may reside in separate address spaces, without changing the programming model or compiled binaries. The location of a service is independent of the location of the service's clients and of services the service calls.

Abstract: An element such as a Registry key or value is virtually deleted by creating a deletion marker for the element. Two or more separate sets of physical Registry keys/values are presented as one merged (virtual) Registry to a process running in a silo. The operating system provides the merged view of the Registry by monitoring Registry key or value system requests made by processes in silos on a computer or computer system and filtering out those elements associated with deletion markers. Special processing is invoked in response to detecting certain types of Registry key or value system access requests, including but not limited to: enumeration, open, create, rename or delete.

Abstract: An element of a file system is virtually deleted by creating a deletion marker for the element. Two or more separate physical file system directories are presented as one merged (virtual) file system directory to a process running in a silo. The operating system provides the merged view of the file system directories by monitoring file system requests made by processes in silos on a computer or computer system and filtering out those elements associated with deletion markers. Special processing is invoked in response to detecting certain types of file system access requests, including: enumeration, open, create, rename or delete.

Abstract: A silo-specific view of the file system is provided to processes running in the silo. Processes can access a file only by uttering the silo-relative name. To determine if access to a file identified by a file ID should be permitted, a list of physical names of the file identified by the file ID is constructed. If a silo-relative name that translates to a name in the list can be uttered, the file is opened and the file ID for the opened file is retrieved. If the file IDs match, the silo-relative name is used to open the file. If a process running within a silo requests a list of names for a file that has been opened using a file ID, results returned are filtered so that only names visible in the silo are returned, thus restricting the process' access to files to those files within its hierarchical namespace.

Abstract: Each virtualized environment on a computer has its own set of firewall rules. The virtualized environments share a single instance of the operating system image, a filter engine and a single network stack. A virtualized environment may be a compartment or a server silo. A virtualized environment is a network isolation mechanism and may be used to prevent use of a computer to traverse network boundaries by creating a separate virtualized environment for each network, enabling a separate set of rules to be applied to each virtualized environment and the network interfaces within it. Virtualized environments may also be used to assign different trust levels to the same physical network. Firewall rules are applied by virtualized environment identifier (ID), enabling separate filters to be applied to each virtualized environment on a computer. A virtualized environment may include or be associated with one or more network interfaces.

Abstract: Two or more separate physical file system directories are presented as one merged (virtual) file system directory to a process running in a silo. The operating system controls the level of access to the files in the merge directory. The operating system provides the merged view of the file system directories by monitoring file system requests made by processes in silos on a computer or computer system and in response to detecting certain types of file system access requests, provides the view of the seemingly merged directories by performing special processing. The types of requests which trigger the special processing include: enumeration, open, create, rename or close.

Abstract: Off-the-shelf software can be run from a removable medium without installing the software onto the machine and without modifying the off-the-shelf software. Files and application-associated state created or modified during execution of the application that is not installed on the computer may be saved to the removable media or to a specified area of the system file system and system registry (if present).

Abstract: Two or more separate physical Registry directories are presented as a single (virtual) Registry directory to an application running in a controlled execution environment called a silo. All of the operations normally available to be performed on the Registry directory can be performed on the merge directory, however, the operating system controls the level of access to the keys in the merge directory. The operating system provides the merged view of the Registry directories by a Registry filter driver. The Registry filter model provides a single callback with a notification code indicating the reason the callback was called. The types of notifications which trigger the special processing include: enumeration of a key, enumeration of the value of a key, query a key, close a key, delete a key, create or open a key or rename a key.

Abstract: When a process running in an isolated execution environment is started by a user, the credentials of the user are associated with a naming environment for the isolated execution environment. The isolated execution environment may be implemented via creation of a namespace representing resources available to one or more processes running within the isolated execution environment. The resources available to the isolated processes may represent some subset of global resources. When a request to access a named resource is received, the request is mediated by the operating system. Access, if provided, may be provided via the naming environment associated with the isolated execution environment. The operating system determines whether to grant or deny access to the resource by checking the credentials associated with the naming environment with the ACL of the resource.

Abstract: The resources needed by an application to execute are declared by the application. When the application is activated, only the declared resources are made available to the application because only the declared resources are connected to the execution environment. Accessibility to resources may be controlled by the operating system by making the resource visible or invisible to the executing software by mapping a local name used by the executing software to a global resource, possibly limiting the type of access allowed. Because the executing software relies on the mapping function performed by the operating system for access to resources, and the operating system only maps names declared by the software, the operating system can isolate the software, and prevent the application from accessing undeclared global resources.

Abstract: A containment mechanism provides for the grouping and isolation of multiple processes running on a single computer using a single instance of the operating system. A system environment is divided into one or more side-by-side and/or nested spaces enabling the partitioning and controlled sharing of resources by creating different views of hierarchical name spaces via virtual hierarchies. A set of declarative rules specifying access capabilities may specify a set of filter drivers to be used to limit access to nodes in the hierarchical name space. The rules may be applied in sequence to construct a new name space from an existing one, or to add to an existing hierarchy. Filter drivers are used to limit access to nodes in the new name space or new portion of the name space. Access to nodes can be limited (read-only access instead of read/write) or nodes can be hidden altogether. Rules may be specified in a declarative language such as XML.

Abstract: A containment mechanism provides for the grouping and isolation of multiple processes running on a single computer using a single instance of the operating system. A system is divided into one or more side-by-side and/or nested isolated environments enabling the partitioning and controlled sharing of resources by creating different views of hierarchical name spaces via virtual hierarchies.

Abstract: A containment mechanism provides for the grouping and isolation of multiple processes running on a single computer using a single instance of the operating system. A system is divided into one or more side-by-side and/or nested spaces enabling the partitioning and controlled sharing of resources by creating different views of hierarchical name spaces by creating a new branch of an existing global system name space or by linking the sub-root level nodes of a new hierarchy to a subset of nodes in an existing global system name space.

Abstract: An intra-operating system isolation mechanism called a silo provides for the grouping of processes running on a single computer using a single instance of the operating system. The operating system divides the system into multiple side-by-side and/or nested environments enabling the partitioning and controlled sharing of resources and providing an isolated application environment in which applications can run. More specifically, a system environment may be divided into an infrastructure silo and one or more server silos. Each server silo is provided with its own copy of the device driver name space. Each device is associated with a system device object accessed via a system device functional interface and with a server silo-specific device object accessed via a control device interface. The infrastructure silo populates the silo-specific device name space with the control device interface. The server silo uses the control device interface to create new device object(s) as needed.

Abstract: An intra-operating system isolation mechanism called a silo provides for the grouping and isolation of processes running on a single computer using a single instance of the operating system. The operating system enables the controlled sharing of resources by providing a view of a system name space to processes executing within an isolated application called a server silo. A server silo is created by performing a separate “mini-boot” of user-level services within the server silo. The single OS image serving the computer employs the mechanism of name space containment to constrain which server silos can use which resource(s). Restricting access to resources is therefore directly based on the process or application placed in the server silo rather than who is running the application because if a process or application is unable to resolve a name used to access a resource, it will be unable to use the resource.

Abstract: An operating system architecture is based on a service model in which active entities (services) are containers for objects having a number of interfaces specified through a contract language that is a subset of the language in which the service is coded. Services may reside in the same address space or may reside in separate address spaces, without changing the programming model or compiled binaries. The location of a service is independent of the location of the service's clients and of services the service calls.