Abstract: Disclosed herein are systems and methods for providing a platform for micro-service-based applications with unified management of infrastructure and client containers. An exemplary system may comprise the platform running on at least one computing device. The platform may comprise at least one client micro-service container and a plurality of infrastructure micro-service containers. Each infrastructure micro-service container may run infrastructure services for the at least one client micro-service container and for other infrastructure micro-service containers, wherein infrastructure micro-service containers are used by the platform to run client micro-service containers. The platform may also comprise a single unified management software layer that is responsible for unified management of the plurality of infrastructure micro-service containers and the at least one client micro-service container.

Abstract: A system and method that tracks changes in system memory executed by a software program. An exemplary method includes referencing a memory access tracking file to a file descriptor of a memory monitoring process and registering one or more virtual memory areas of a tracked process to the memory access tracking file. Moreover, the method includes sending, by the memory access tracking file, event information of a write access to the memory monitoring process that identifies a virtual page, where the write access is performed by the tracked process to the virtual page. Finally, the method includes configuring the virtual page such that the tracked process can execute a subsequent write command to the virtual page.

Abstract: A system and method is provided for providing distributed computing platform on untrusted hardware. An exemplary method includes launching a hypervisor on an untrusted computing node and receiving a request generated to provide a computing function using hardware of the untrusted computing node. Upon receiving the request, an enclave in memory of the untrusted computing node is created and a virtual machine is launched in the memory enclave. Moreover, a guest operating system of the virtual machine verifies the security of the untrusted computing node. Finally, the guest operating system performs the computing function using the hardware of the untrusted computing node upon the guest operating system verifying the security of the untrusted computing node and the hypervisor.

Abstract: The described system provides one or more processors and memory, coupled to the one or more processors, storing thereon a first OS kernel that receives a system call to access a second OS kernel function from a subsystem of the second OS retransmits the system call to one or more drivers of the first OS, support the subsystem. The system further comprises a subsystem of the second OS, comprising one or more user space components executing natively in a non-privileged mode of the one or more processors, a set of drivers associated with the second OS, the set of support components, and the one or more drivers of the first OS. The one or more drivers of the first OS receive the system call originating from the subsystem, wherein the system call is retransmitted by the first OS kernel and process the system call.

Abstract: Systems and methods are disclosed herein for multithreaded access to cloud storage. An exemplary method comprises creating a plurality of mount points by mounting, by a hardware processor, a plurality of file systems on a computer system, creating an image file on each of the plurality of mount points, instantiating, for each of the plurality of mount points, a block device on the image file, creating a union virtual block device that creates one or more stripes from each block device, delegating a request for accessing the union virtual block device, received from a client, to one or more block devices and merging a result of the request from each of the one or more block devices and providing the result to the client.

Abstract: A system and method is provided for fast random access erasure encoded storage. An exemplary method includes writing data to an append-only data log that includes data log extents that are each associated with data that is mapped to corresponding offset range of a virtual file of a client and storing the append-only data log as a sequence of data chunks each allocated on one or more one storage disks. Moreover, the method determines an amount of useful data in one or more data chunks and, when the amount of useful data in the data chunk is less than a predetermined threshold, appending the useful data from the data chunk to an end of the append-only data log. Finally, the data log is cleaned by releasing the one or more data chunk from the append-only data log after the useful data is appended to the append-only data log.

Abstract: Disclosed herein are systems and method for managing blocks of data and metadata. In one aspect, an exemplary method comprises, receiving, by a virtual block device (VBD), a request from a file system, wherein the request includes one or more of: a type of operation requested by the file system, including one of a read operation or a write operation, and/or an indication as to whether the request is for a block of data or a metadata of the file system, when the request includes the indication as to whether the received request is for a block of data or a metadata, selecting, based on the indication, one of two or more separate storage locations associated with the requested block of data or a metadata respectively, and accessing the determined storage location to perform the requested operation on the block of data or the metadata in the storage location.

Abstract: Systems and methods are disclosed herein for maintaining data integrity of data in a storage device. An exemplary method comprises determining whether checksums associated with data on the storage device are trusted or untrusted, responsive to determining that the checksums are trusted, retrieving the checksums from a checksum archive, otherwise initializing the checksums as unknown, when a received storage request is a write request, calculating a checksum of the data and updating the checksum in memory, when a received storage request is a read request and an in-memory checksum associated with the identified block is not unknown, calculating the checksum of the data in the identified block and comparing the checksum with an in-memory checksum associated with the identified block, determining that corruption has occurred when the checksums don't match and saving checksums associated with each of the uncorrupted data blocks of the storage device to an archive.

Abstract: System for redirecting input/output, which performs, on a CPU, interrupting an execution of a first process with a first object descriptor table associated with the first process, the first object descriptor table including a reference for the first process to a first system resource; loading parasite code into memory, wherein the parasite code provides access to a second system resource under control of a second process; the second process forcing a switch of execution from the first process to the parasite code, and replacing in the first object descriptor table the reference for the first process to the system resource by a reference to the second system resource, thereby causing the input/output to go through the second system resource instead of the first system resource; and restoring the execution of the first process after the execution of the parasite code is complete.

Abstract: A system and method is provided for switching file systems underneath working processes. An exemplary method includes identifying a process running on an operating system of a computing device that is using a file on a first file system and temporarily suspending execution of the process. Moreover, the method includes identifying existing references of the process to access the file on the first file system during execution of the process and replacing the existing reference of the process with a new reference for the process to access a second file on a second file system during execution of the process. Moreover, the second file on the second file system corresponds to the first file on the first file system. Finally, the method includes resuming execution of the process on the computing device.

Abstract: A system and method is provided for unifying and deploying a microservice-based application platform that includes multiple independent service containers. An exemplary method includes analyzing, on a hardware node, infrastructure services to identify those infrastructure services that are configurable to be launched as microservices; configuring the identified infrastructure services to be launched as microservices by creating an image of an infrastructure microservice container for each identified infrastructure services; building an application platform by defining a minimum set of the infrastructure microservice containers required by the application platform to provide the one or more client microservice; and unifying management of the infrastructure microservice containers and the client microservices of the application platform by classifying each of the created infrastructure microservice containers and the client microservice container to be managed by a single management software layer.

Abstract: A hybrid storage capable of storing the image files and the service files for VMs and Containers is provided. A large files storage is placed onto a service volume. A VM image file is placed onto the large file storage and a file system is mounted on it. The small files storage is also placed onto the service volume. This way a portion of the large file storage can be seen to the management system for VMs and Containers as a part of an interface of the common file system. Thus, large files and small files reside on the same distributed storage. One file from the large file storage is dedicated as a service file. The file system is placed into this file, which is mounted into the system as a virtual disk. The small (service) files are stored on the virtual disk. This way all files are accessible by the management system for VMs and Containers.

Abstract: A system and method for live patching a process in userspace is disclosed. In one exemplary aspect, a system for live patching comprises a process executing in userspace in an operating system executed by a hardware processor and a patcher configured to: suspend execution of the process, wherein a memory address space of the process contains binary code executed in the process, and wherein the binary code comprises one or more symbols, map a binary patch to the memory address space of the process, wherein the binary patch contains amendments to the binary code, wherein the binary patch references a portion of the one or more symbols, and wherein the binary patch contains metadata indicating offsets of the portion of the one or more symbols, resolve the portion of the one or more symbols using the offsets in the metadata and resume execution of the process.

Abstract: Method for writing objects into an object storage. Performing, on a protocol end point: receiving a client request for inserting an object into the object storage, wherein the object has a name and object data; generating a unique ID (UID) for the object; sending, to a name server (NS), a request for creating a guard entry (GE). The GE has a lifetime that defines when the name-object pair is inserted into the object storage. A request to an object server (OS) atomically creates a Garbage Collection Entry and assigns space for the object data. The GCE has a lifetime that defines when the object data is inserted into the object storage; sending, to the OS, object data for writing to storage; sending, to the NS, a request for writing the name; and sending response to the client, to report success after requests to the NS and the OS are successful.

Abstract: A method for zeroing guest memory of a VM during boot up, includes the guest OS attempts to set a page to zero. A page fault is generated and is handled by the hypervisor. The page is mapped by the hypervisor to a page in host memory, and is given to the guest. The guest OS attempts to set the next page to zero. Another page fault is generated the hypervisor unmaps the host memory page, and the second page is mapped to the same page. The hypervisor then gives the page to the guest, which contains all zeros. The process is repeated for remaining pages of the guest memory.

Abstract: System for for managing host reclaimable memory based on VM needs includes a plurality of VMs; a hypervisor configured to process VM memory requests; a host CPU configured to control host physical memory reclaim process; at least one VM being allocated physical memory; Guest tool configured to determine page types based on a memory map; and a host module configured to scan an LRU list for pages that it can reacquire, and to force a slowdown in VM operations when reclaim operations use up more than a predefined share of CPU time. The host CPU performs the following based on the page type: (i) hard lock protection, when the page is a VM kernel page, for host-based reclaim of the page when no other VM pages are left to reacquire; and (ii) access/dirty (A/D) bit marking, when the page is a regular VM page.

Abstract: On a computer system having a processor, a single OS and a first instance of a system driver installed and performing system services, method for sharing driver pages among Containers, including instantiating a plurality of Containers that virtualize the OS, wherein the first instance is loaded from an image, and instantiating a second instance of the system driver upon request from Container for system services by: allocating virtual memory pages for the second instance and loading, from the image, the second instance into a physical memory; acquiring virtual addresses of identical pages of the first instance compared to the second instance; mapping the virtual addresses of the identical pages of the second instance to physical pages to which virtual addresses of the corresponding pages of the first instance are mapped, and protecting the physical pages from modification; and releasing physical memory occupied by the identical pages of the second instance.

Abstract: System for launching application containers inside VMs without data duplication, includes first and second VMs on a host; a storage to which the host has access; a container generation module running on the host and configured to interface to VM-side container generation daemons in the VMs; the container generation daemons transmits to the container generation module a request to pull container layers; a host-side container generation daemon processes the request to pull the container layers from the container generation daemons running inside the VMs; and a DAX device residing on each of the VMs. The host container generation daemon sends the request for any missing container layers to a registry, and writes them onto the storage, maps the layers to the VMs as the DAX devices, maps all needed container layers to the first VM and maps any identical container layers to the second VM, without accessing the registry.

Abstract: A computer-implemented system for network socket management includes a host having a plurality of sockets and a hash table (data structure) storing data on network connections corresponding to the sockets; a firewall with a plurality of rules for routing incoming packets to the sockets; a socket image file that stores a state of each suspended socket. A network connection corresponding to the suspended socket is maintained open. A filter that monitors incoming packets and restores suspended sockets to active status when a packet for the suspended socket is received. The filter is implemented as part of the firewall, or as a hardware front end. The sockets, the firewall and the socket image file are all maintained in user space.

Abstract: A system and method is provided for intercepting and processing input/output of computer processes without requiring the restarting and/or recompiling of the connected processes. An exemplary method includes interrupting an execution of a first process by a CPU of a computing device having an operating system with a first file descriptor table that references the first process to a system resource and loading parasite code into an address space of the first process. The method further includes creating a communication channel between the first and second processes, updating a second file descriptor table for the second process so that the second file descriptor table includes an index references to the system resource and the communication channel, and updating the index reference in the first file descriptor table to reference the communication channel. Once the file descriptor tables have been updated the execution of the first process is restored.