Abstract: A load balancer receives a client request from a client device for a connection to an application. The load balancer queries a monitoring server for a list of one or more application servers associated with the application. The monitoring server determines, based on cache state information of the plurality of application servers, the list of one or more application servers. The load balancer establishes a connection on behalf of the client device to one of the application servers.

Abstract: A container for one or more scheduled meeting is pre-built for the meeting prior to the meeting occurring. The container can be built in a variety of manners, including using both static and dynamic techniques. Dynamic techniques for building a container allows a pre-build system to include more pertinent data in the container whereas static techniques reduce computing workload and allow for pre-building containers for unscheduled meetings. A combination of static and dynamic building techniques can be applied using a layer repository. Alternately, a static base layer can be used and customized for scheduled meetings.

Abstract: Anonymous containers are discussed herein. An operating system running on a computing device, also referred to herein as a host operating system running on a host device, prevents an application from accessing personal information (e.g., user information or corporate information) by activating an anonymous container that is isolated from the host operating system. In order to create and activate the anonymous container, a container manager anonymizes the configuration and settings data of the host operating system, and injects the anonymous configuration and settings data into the anonymous container. Such anonymous configuration and settings data may include, by way of example and not limitation, application data, machine configuration data, and user settings data. The host operating system then allows the application to run in the anonymous container.

Abstract: Deploying containers constrained by power profiles on a host system. A method includes identifying a container template, a set of reusable stored characteristics, to be used for deploying a container instance. The method further includes obtaining a power profile, defining at least one power consumption threshold, for the container instance based on at least one of the set of reusable stored characteristics of the container template or other information about the container instance. The method further includes deploying the container instance on the host system by applying the set of reusable stored characteristics and the power profile by applying one or more configuration layers which causes power to the container instance to be at least one of regulated or monitored based on information in the power profile.

Abstract: Distribution and management of services in virtual environments is described herein. In one or more implementations, a service distribution and management model is implemented in which system services and applications are seamlessly distributed across multiple containers which each implement a different runtime environment. In one or more implementations, a system for distributing access to services in a host operating system of a computing device includes a host operating system configured to implement a host runtime environment, and one or more services implemented by the host operating system. The system further includes a service control manager configured to enable communication between a client stub of a service implemented in a client runtime environment and a service provider of the service that is implemented in a service runtime environment that is separate from the first client runtime environment.

Abstract: Securely performing file operations. A method includes determining a trust characteristic assigned to a file. When the trust characteristic assigned to the file meets or exceeds a predetermined trust condition, then the method includes performing a file operation on the file in a host operating system while preventing the file operation from being performed in the container operating system. When the trust characteristic assigned to the file does not meet or exceed the predetermined trust condition, then the method includes performing the file operation on the file in the container operating system while preventing the file operation from being performed directly in the host operating system.

Abstract: Distribution and management of services in virtual environments is described herein. In one or more implementations, a service distribution and management model is implemented in which system services and applications are seamlessly distributed across multiple containers which each implement a different runtime environment. In one or more implementations, a system for distributing access to services in a host operating system of a computing device includes a host operating system configured to implement a host runtime environment, and one or more services implemented by the host operating system. The system further includes a service control manager configured to enable communication between a client stub of a service implemented in a client runtime environment and a service provider of the service that is implemented in a service runtime environment that is separate from the first client runtime environment.

Abstract: Securely performing file operations. A method includes determining a licensing characteristic assigned to a file. When the licensing characteristic assigned to the file meets or exceeds a predetermined licensing condition, then the method includes performing a file operation on the file in a host operating system while preventing the file operation from being performed in the guest operating system. When the licensing characteristic assigned to the file does not meet or exceed the predetermined licensing condition, then the method includes performing the file operation on the file in the guest operating system while preventing the file operation from being performed directly in the host operating system.

Abstract: An operating system running on a computing device uses containers for hardware resource partitioning. Using the techniques discussed herein, pausing and resuming of containers is managed to reduce the pressure a container exerts on system resources when paused. Resuming of containers can further be managed to reduce the startup time for containers. This managing of containers can implemented various different techniques, such as stopping scheduling of virtual processors, stopping scheduling of processes or threads, compressing memory, swapping pages of memory for the container to a page file on a hard drive, and so forth.

Abstract: Providing access control by a first operating system. A method includes receiving at the first operating system, from the second operating system, a request for a bounding reference to a set having at least one resource. A bounding reference for the set is obtained. The bounding reference comprises a reference created from a first operating system resolvable reference to the set. The method further includes providing the obtained bounding reference for the obtained provided bounding reference to the second operating system. A request, including the obtained bounding reference and an identifier identifying the second operating system for the set, is received from the second operating system. The obtained bounding reference and the identifier identifying the second operating system are evaluated. As a result of evaluating the obtained bounding reference and the identifier identifying the second operating system, a resource control action is performed.

Abstract: Functionality is described herein for performing at least one network connectivity task on a client device with the aid of one or more assistant devices. In some implementations, a client device (such as a smartphone, desktop personal computing device, etc.) relies on an assistant device to assist it in updating its programs, including its driver programs. In other implementations, a client device relies on an assistant device in establishing a network connection with a network-accessible entity. Functionality is also described herein for performing at least one program execution task on a client device with the aid of one or more assistant devices. For instance, the client device may rely on the assistant device to assist it in executing a driver program. The driver program, in turn, enables the client device to interact with a peripheral device or some other component.

Abstract: The techniques described herein enable client APIs to be deployed within isolated computing environments while externally exposing and/or maintaining a log of computing events that the client APIs perform and/or attempt to perform within the isolated computing environments. Generally described, configurations disclosed herein enable audit parameters associated with client application programming interfaces (APIs) to be deployed within an isolated computing environment to generate a log of computing events performed by the client APIs. Ultimately, access to the log of computing events is provided externally to the isolated computing environment without exposing sensitive computing resources (e.g., a host operating system (OS)) to the various client APIs.

Abstract: Template-driven locally calculated policy updates for virtualized machines in a datacenter environment are described. A central control and monitoring node calculates and pushes down policy templates to local control and monitoring nodes. The templates provide boundaries and/or a pool of networking resources, from which the local control and monitoring node is enabled to calculate policy updates for locally instantiated virtual machines and containers.

Abstract: Personalized containers for use at a public device are provided. A container can be personalized based on a multitude of factors including a profile associated with a user, a profile associated with the public device, a time of day, and a file accessed. The container can be used to access one or more sensitive files or programs associated with permissions. The permissions are consolidated and managed by the container such that only authorized users can view and edit the sensitive files or programs.

Abstract: Technologies are described for selective persistence of data utilized by software containers. A configuration policy is defined that includes data that specifies one or more data stores for which data is not to be persisted following accesses to a software container and one or more data stores for which data is to be persisted following accesses to the software container. When the software container is first accessed, the data stores identified in the configuration policy are attached to the software container. Upon a subsequent access to the container, such as at the conclusion of a user session or upon destruction of the container, the data in the attached data stores is persisted or deleted based upon the configuration policy. When the software container is once again accessed, the data store containing the persisted data can be re-attached to the software container.

Abstract: A host operating system running on a computing device monitors resource access by an application running in a container that is isolated from the host operating system. In response to detecting resource access by the application, a security event is generated describing malicious activity that occurs from the accessing the resource. This security event is analyzed to determine a threat level of the malicious activity. If the threat level does not satisfy a threat level threshold, the host operating system allows the application to continue accessing resources and continues to monitor resource access. When the threat level satisfies the threat level threshold, the operating system takes corrective action to prevent the malicious activity from spreading beyond the isolated container. Through the use of security events, the host operating system is protected from even kernel-level attacks without using resources required to run anti-virus software in the isolated container.

Abstract: A second operating system accessing resources from an external service. A method includes sending an anonymized request, for an anonymized user corresponding to an authorized user, for resources, through a broker. A request for proof indicating that the anonymized user is authorized to obtain the resources is received from the broker. As a result, a request is send to a first operating system for the proof that the anonymized user is authorized to obtain the resources. Proof is received from the first operating system, based on the anonymized user being associated with the authorized user, that the anonymized user is authorized to obtain the resources. The proof is provided to the broker. As a result, the resources are obtained by the second operating system from the service.

Abstract: A container comprising an isolated computing session is associated with a project. One or more users associated with the container can access the container across multiple usage sessions as the container keeps data, applications, and so on for the project together. The container can comprise multiple layers that require user authentication to access.

Abstract: Facilities are provided to secure guest runtime environments (GREs). Security policy specifications may be associated with GREs. A GRE's security policy may be specific to the GRE and may also include security policy inherited from higher levels such as a host operating environment. The security policy of a GRE specifies restrictions and/or permissions for activities that may be performed within the scope of execution of the GRE. A GRE's security policy may limit what the GRE's guest software may do within the GRE. Restrictions/permissions may be applied to objects such as files, configuration data, and the like. Security specifications may be applied to execution initiated within a GRE. A GRE's security specification may restrict/permit executable objects from loading and executing within the GRE. The executability or accessibility of objects may be conditioned on factors such as the health/integrity of the GRE, the host system, requested files, and others.

Abstract: A container for one or more scheduled meeting is pre-built for the meeting prior to the meeting occurring. The container can be built in a variety of manners, including using both static and dynamic techniques. Dynamic techniques for building a container allows a pre-build system to include more pertinent data in the container whereas static techniques reduce computing workload and allow for pre-building containers for unscheduled meetings. A combination of static and dynamic building techniques can be applied using a layer repository. Alternately, a static base layer can be used and customized for scheduled meetings.