Abstract: Implementations of the disclosure provide for size adjustable volumes for containers. A method of the disclosure includes determining, by a processing device of a Platform-as-a-Service (PaaS) system, a size limitation of a container, where the size limitation is associated with disk space usage of a storage volume group. The amount of disk space used by applications of the container is monitored in view of the size limitation of the container. Responsive to determining that the amount of the disk space used by the applications of the container satisfies a threshold, a storage volume of the storage volume group is allocated to the container in view of the size limitation of the container.

Abstract: Implementations of the disclosure provide for size adjustable volumes for containers. A method of the disclosure includes determining, by a processing device of a Platform-as-a-Service (PaaS) system, a size limitation of a container, where the size limitation is associated with disk space usage of a storage volume group. The amount of disk space used by applications of the container is monitored in view of the size limitation of the container. Responsive to determining that the amount of the disk space used by the applications of the container satisfies a threshold, a storage volume of the storage volume group is allocated to the container in view of the size limitation of the container.

Abstract: Implementations of the disclosure provide for size adjustable volumes for containers. A method of the disclosure includes determining, by a processing device of the PaaS system, a size used space in a storage volume with respect to a container associated with an execution of an application. The size is a summation of current usage of disk space for the storage volume by the application. This size of the used space is compared to a threshold size. The threshold size indicates a determined amount of the storage volume allocated to the container. Responsive to the size meeting the threshold size, an increase in the allocated amount of the storage volume associated with the container is regulated by the processing device.

Abstract: Implementations of the disclosure provide for size adjustable volumes for containers. A method of the disclosure includes determining, by a processing device of the PaaS system, a size used space in a storage volume with respect to a container associated with an execution of an application. The size is a summation of current usage of disk space for the storage volume by the application. This size of the used space is compared to a threshold size. The threshold size indicates a determined amount of the storage volume allocated to the container. Responsive to the size meeting the threshold size, an increase in the allocated amount of the storage volume associated with the container is regulated by the processing device.

Abstract: Implementations of the disclosure provide for size adjustable volumes for containers. A method of the disclosure includes determining, by a processing device of the PaaS system, a size used space in a storage volume with respect to a container associated with an execution of an application. The size is a summation of current usage of disk space for the storage volume by the application. This size of the used space is compared to a threshold size. The threshold size indicates a determined amount of the storage volume allocated to the container. Responsive to the size meeting the threshold size, an increase in the allocated amount of the storage volume associated with the container is regulated by the processing device.

Abstract: Terminating a process executing within a container is described. An access restriction applicable to the process is temporarily modified with a policy change that prevents creating new processes within the container. The policy change prevents operations that would allow processes within the container from performing a fork operation, or otherwise spawning new processes within the container. The policy change may be, for example, applied by means of a rule added or removed from an access restriction policy. While the processes are prevented from creating new processes, one specified process or all processes within the container are terminated. After termination of the process(es), the policy change can be reversed, allowing normal use of the container.

Abstract: Implementations of the disclosure provide for size adjustable volumes for containers. A method of the disclosure includes determining, by a processing device of the PaaS system, a size used space in a storage volume with respect to a container associated with an execution of an application. The size is a summation of current usage of disk space for the storage volume by the application. This size of the used space is compared to a threshold size. The threshold size indicates a determined amount of the storage volume allocated to the container. Responsive to the size meeting the threshold size, an increase in the allocated amount of the storage volume associated with the container is regulated by the processing device.

Abstract: A sandbox tool can create and maintain multiple isolated execution environments, simultaneously. The sandbox tool can assign a unique security label to each isolated execution environment. In order to ensure the security labels are unique, the sandbox tool, for each security label, can bind a communication socket in an abstract name space of the operating system with a name that is the same as the security label. If the operating system returns an error that the name for the communication socket is already in use, the sandbox tool can determine that the security label is already in use by another isolated execution environment or other process.

Abstract: An operating system identifies a request of a process to create a new object with a name in a file system of the processing device. The operating system identifies a policy rule applicable to the new object in view of at least the name of the new object. The operating system creates a label for the new object using the applicable policy rule and associates the new object with the created label.

Abstract: A computing system calculates a hash value of binary of a component of the computing system using a hash function and determines whether a signature that is associated with the binary of the component is valid. A trusted platform module in the computing system extends a platform configuration register value in the trusted platform module using a known value that is associated with the binary if the signature is valid.

Abstract: A processor receives within a user interface of a process server on a first computer system a first signal that includes a request to create an isolated execution environment within a host environment controlled by an operating system executing on a second computer system, receives a second signal that specifies a control group, which specifies an amount of hardware resources on the second computer system that are accessible to the isolated execution environment, for the isolated execution environment. The processor generates a third signal that requests creation by a processor of the second computer system of the isolated execution environment and application of the control group to the isolated execution environment. The processor then repeatedly monitors for signals, from the second computer system, that report on one of an activity and a status of the isolated execution, and displays in the user interface information reflective of such signals.

Abstract: Embodiments relate to systems and methods for establishing isolation between content hosting services executing on a common support server. In aspects, a server virtualization platform can operate on a common physical support server to instantiate, configure, and operate a set of virtual servers. The set of virtual servers can, for instance, be used to run independent Web sites or other locations or services. The data available to each process on each virtual server can be encoded using an SELinux™ label including an MCS (multi-category security) category or categories uniquely identifying that process. Isolation of the potentially sensitive data for multiple Web sites and/or their content hosted on a common physical server can therefore be enforced, since each process operating on each virtual server is restricted to only access and manipulate data objects or other entities having matching MCS category information identified on that baremetal support server.

Abstract: In one embodiment, a mechanism to implement security in process-based virtualization is disclosed. In one embodiment, a method includes maintaining a security policy for a process-based virtualization system, initializing a virtual machine (VM) in the process-based virtualization system, assigning a security label to the VM, and enforcing the security policy on the VM based on the security label of the VM in order to isolate the VM from other VM's in the process-based virtualization system.

Abstract: An operating system identifies a request of a process to create a new object with a name in a file system of the processing device. The operating system identifies a policy rule applicable to the new object in view of at least the name of the new object. The operating system creates a label for the new object using the applicable policy rule and associates the new object with the created label.

Abstract: An operating system identifies a request of a process to create, in a file system of the computing device, a new object. The operating system creates an object label for the new object, identifies one or more security policy rules applicable to the process, and verifies whether the process is authorized to create the new object with the object label in the file system of the computing device using the applicable security policy rules. When the process is authorized to create the new object with the object label, the operating system creates the new object with the object label in the file system of the computing device. When the process is not authorized to create the new object with the object label, an error message is generated.

Abstract: A processor receives within a user interface of a process server on a first computer system a first signal that includes a request to create an isolated execution environment within a host environment controlled by an operating system executing on a second computer system, receives a second signal that specifies a control group, which specifies an amount of hardware resources on the second computer system that are accessible to the isolated execution environment, for the isolated execution environment. The processor generates a third signal that requests creation by a processor of the second computer system of the isolated execution environment and application of the control group to the isolated execution environment. The processor then repeatedly monitors for signals, from the second computer system, that report on one of an activity and a status of the isolated execution, and displays in the user interface information reflective of such signals.