Abstract: One example technique includes receiving a request for accessing a file from a container process. In response to receiving the request, the technique includes querying a mapping table corresponding to the container process to locate an entry corresponding to a file identifier of the requested file. The entry also includes data identifying a file location on the storage device from which the requested file is accessible. The technique further includes retrieving a copy of the requested file according to the file location identified by the data in the located entry in the mapping table and providing the retrieved copy of the requested file to the container process, thereby allowing the container process to access the requested file.

Abstract: Environment type validation can provide a tamper-resistant validation of the computing environment within which the environment type validation is being performed. Such information can then be utilized to perform policy management, which can include omitting verifications in order to facilitate the sharing of policy, such as application licenses, from a host computing environment into a container virtual computing environment. The environment type validation can perform multiple checks, including verification of the encryption infrastructure of the computing environment, verification of code integrity mechanisms of that computing environment, checks for the presence of functionality evidencing a hypervisor, checks for the presence or absence of predetermined system drivers, or other like operating system components or functionality, checks for the activation or deactivation of resource management stacks, and checks for the presence or absence of predetermined values in firmware.

Abstract: Template-driven locally calculated policy updates for virtualized machines in a datacenter environment are described. A central control and monitoring node calculates and pushes down policy templates to local control and monitoring nodes. The templates provide boundaries and/or a pool of networking resources, from which the local control and monitoring node is enabled to calculate policy updates for locally instantiated virtual machines and containers.

Abstract: A layered composite boot device, and a corresponding layered composite file system, can be implemented by a boot manager. Requests directed to the layered composite boot device and file system, can be serviced from a primary device and file system that are encapsulated by the layered composite boot device and file system. The primary device and file system can correspond to a virtualized file system within a container environment, thereby enabling changes within the container environment to affect early stages of operating system booting in the container environment. Should such requests not be serviceable from the primary layers, the composite device and file system can comprise secondary layers that can correspond to a container host connection and the host file system, providing fallback to existing data if changes within the container environment were not made, thereby enabling booting to proceed in a traditional manner.

Abstract: An optical module includes an optoelectronic assembly and a heat spreader. The optoelectronic assembly includes a flat, rigid substrate, an array of electrical contacts positioned on a first portion of the substrate, and an optoelectronics assemblage that is electrically connected to the array of contacts and is positioned apart from the array of electrical contacts. The heat spreader is comprised of a thermally conductive material and comprises a second portion that is structurally connected to the first portion and a third portion that is thermally connected to the optoelectronics assemblage.

Abstract: Template-driven locally calculated policy updates for virtualized machines in a datacenter environment are described. A central control and monitoring node calculates and pushes down policy templates to local control and monitoring nodes. The templates provide boundaries and/or a pool of networking resources, from which the local control and monitoring node is enabled to calculate policy updates for locally instantiated virtual machines and containers.

Abstract: Enacting a compliance action using an assessment that considers a mix of coldpatches and hotpatches includes identifying a policy defining the compliance condition based on patching status of a software component. A patching state of the software component is determined, including identifying evidence of coldpatched binary file(s) and hotpatch binary file(s) applicable to the software component, and using the evidence to determine whether or not the hotpatch binary file(s) have been applied to a memory image into which an instance of the software component is loaded. Based on the policy and on the patching state of the software component, a compliance action is enacted for the compliance condition. The compliance action includes generating a health report or a health attestation, initiating a patching action, initiating an execution control action, and the like.

Abstract: Distribution and management of services in virtual environments is described herein. In one or more implementations, a service distribution and management model is implemented in which system services and applications are seamlessly distributed across multiple containers which each implement a different runtime environment. In one or more implementations, a system for distributing access to services in a host operating system of a computing device includes a host operating system configured to implement a host runtime environment, and one or more services implemented by the host operating system. The system further includes a service control manager configured to enable communication between a client stub of a service implemented in a client runtime environment and a service provider of the service that is implemented in a service runtime environment that is separate from the first client runtime environment.

Abstract: Apparatus and methods for producing ultrashort optical pulses are described. A high-power, solid-state, passively mode-locked laser can be manufactured in a compact module that can be incorporated into a portable instrument. The mode-locked laser can produce sub-50-ps optical pulses at a repetition rates between 200 MHz and 50 MHz, rates suitable for massively parallel data-acquisition. The optical pulses can be used to generate a reference clock signal for synchronizing data-acquisition and signal-processing electronics of the portable instrument.

Abstract: Distribution and management of services in virtual environments is described herein. In one or more implementations, a service distribution and management model is implemented in which system services and applications are seamlessly distributed across multiple containers which each implement a different runtime environment. In one or more implementations, a system for distributing access to services in a host operating system of a computing device includes a host operating system configured to implement a host runtime environment, and one or more services implemented by the host operating system. The system further includes a service control manager configured to enable communication between a client stub of a service implemented in a client runtime environment and a service provider of the service that is implemented in a service runtime environment that is separate from the first client runtime environment.

Abstract: Environment type validation can provide a tamper-resistant validation of the computing environment within which the environment type validation is being performed. Such information can then be utilized to perform policy management, which can include omitting verifications in order to facilitate the sharing of policy, such as application licenses, from a host computing environment into a container virtual computing environment. The environment type validation can perform multiple checks, including verification of the encryption infrastructure of the computing environment, verification of code integrity mechanisms of that computing environment, checks for the presence of functionality evidencing a hypervisor, checks for the presence or absence of predetermined system drivers, or other like operating system components or functionality, checks for the activation or deactivation of resource management stacks, and checks for the presence or absence of predetermined values in firmware.

Abstract: To provide a hierarchical visual paradigm while maintaining the communication advantages of sibling extensions, a visual hierarchy simulation extension generates and maintains placeholders in a visually hierarchical manner, with the visual positioning of such placeholders informing the visual positioning of overlays of frames hosting the visual output of sibling extensions. Such a visual hierarchy simulation extension is utilized to layout and establish a desired visual hierarchy. One or more modules of computer-executable instructions are invoked to provide the relevant functionality, including the obtaining of the visual positioning of placeholders, the relevant visual translation between the visual positioning of placeholders and the visual overlaying of corresponding frames, the generation and movement of the corresponding frames, and the instantiation of extension content within the corresponding frames. The visual hierarchy simulation extension is hosted independently from the one or more modules.

Abstract: A layered composite boot device, and a corresponding layered composite file system, can be implemented by a boot manager. Requests directed to the layered composite boot device and file system, can be serviced from a primary device and file system that are encapsulated by the layered composite boot device and file system. The primary device and file system can correspond to a virtualized file system within a container environment, thereby enabling changes within the container environment to affect early stages of operating system booting in the container environment. Should such requests not be serviceable from the primary layers, the composite device and file system can comprise secondary layers that can correspond to a container host connection and the host file system, providing fallback to existing data if changes within the container environment were not made, thereby enabling booting to proceed in a traditional manner.

Abstract: Memory is partitioned and isolated in container-based memory enclaves. The container-based memory enclaves have attestable security guarantees. During provisioning of the container-based memory enclaves from a container image, a purported link in the container to a memory address of the enclave is modified to verifiably link to an actual memory address of the host, such as partitioned memory enclave. In some instances, enclave attestation reports can be validated without transmitting corresponding attestation requests to remote attestation services, based on previous attestation of one or more previous container attestation reports from a similar container and without requiring end-to-end attestation between the container and remote attestation service for each new attestation request.

Abstract: Disclosed herein are systems, methods, computer media, and apparatuses for providing resource tracking, such as in a data center environment. A control and monitoring node receives updates indicating instantiation of resources in the computing system network. The control and monitoring node determines that there are duplicate resources in the network, and then determines which of the duplicate resources to provide connectivity to. The control and monitoring node provides network configuration updates to various networking resources in the network to provide network connectivity to the one of the duplicate resources in the network.

Abstract: Distribution and management of services in virtual environments is described herein. In one or more implementations, a service distribution and management model is implemented in which system services and applications are seamlessly distributed across multiple containers which each implement a different runtime environment. In one or more implementations, a system for distributing access to services in a host operating system of a computing device includes a host operating system configured to implement a host runtime environment, and one or more services implemented by the host operating system. The system further includes a service control manager configured to enable communication between a client stub of a service implemented in a client runtime environment and a service provider of the service that is implemented in a service runtime environment that is separate from the first client runtime environment.

Abstract: Memory is partitioned and isolated in container-based memory enclaves. The container-based memory enclaves have attestable security guarantees. During provisioning of the container-based memory enclaves from a container image, a purported link in the container to a memory address of the enclave is modified to verifiably link to an actual memory address of the host, such as partitioned memory enclave. In some instances, enclave attestation reports can be validated without transmitting corresponding attestation requests to remote attestation services, based on previous attestation of one or more previous container attestation reports from a similar container and without requiring end-to-end attestation between the container and remote attestation service for each new attestation request.

Abstract: Disclosed herein are systems, methods, computer media, and apparatuses for providing resource tracking, such as in a data center environment. A control and monitoring node receives updates indicating instantiation of resources in the computing system network. The control and monitoring node determines that there are duplicate resources in the network, and then determines which of the duplicate resources to provide connectivity to. The control and monitoring node provides network configuration updates to various networking resources in the network to provide network connectivity to the one of the duplicate resources in the network.

Abstract: Enacting a compliance action using an assessment that considers a mix of coldpatches and hotpatches includes identifying a policy defining the compliance condition based on patching status of a software component. A patching state of the software component is determined, including identifying evidence of coldpatched binary file(s) and hotpatch binary file(s) applicable to the software component, and using the evidence to determine whether or not the hotpatch binary file(s) have been applied to a memory image into which an instance of the software component is loaded. Based on the policy and on the patching state of the software component, a compliance action is enacted for the compliance condition. The compliance action includes generating a health report or a health attestation, initiating a patching action, initiating an execution control action, and the like.

Abstract: To provide a hierarchical visual paradigm while maintaining the communication advantages of sibling extensions, a visual hierarchy simulation extension generates and maintains placeholders in a visually hierarchical manner, with the visual positioning of such placeholders informing the visual positioning of overlays of frames hosting the visual output of sibling extensions. Such a visual hierarchy simulation extension is utilized to layout and establish a desired visual hierarchy. One or more modules of computer-executable instructions are invoked to provide the relevant functionality, including the obtaining of the visual positioning of placeholders, the relevant visual translation between the visual positioning of placeholders and the visual overlaying of corresponding frames, the generation and movement of the corresponding frames, and the instantiation of extension content within the corresponding frames. The visual hierarchy simulation extension is hosted independently from the one or more modules.