Patents by Inventor Daniel Walsh
Daniel Walsh has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).
-
Publication number: 20250077652
Abstract: Systems, methods, and apparatuses for determining a cause of an error in a computing environment, such as a permission denied error in a Linux computing environment, are provided herein. An example method comprises executing an application in a Linux environment, monitoring a plurality of Linux subsystems and functions via an instrumentation inserted on a kernel, and responsive to a failure of the application, providing a summary of a cause of the failure based upon the monitoring of the Linux subsystems and functions.
Type: Application
Filed: September 1, 2023
Publication date: March 6, 2025
Inventors: Eric Paris, Giuseppe Scrivano, Daniel Walsh
-
Publication number: 20250005134
Abstract: Embodiments of the present disclosure relate to security settings for containers. The method may include tracing, using a trace tool, system calls made by an application to determine a system call that is necessary for the application to operate, wherein the system call corresponds to a minimum level of security for the application. The method may also include embedding, based on the system call, a custom security setting into a container image corresponding to the application.
Type: Application
Filed: September 13, 2024
Publication date: January 2, 2025
Inventors: Daniel Walsh, Valentin Rothberg
-
Publication number: 20240403067
Abstract: The present disclosure provides new and innovative systems and methods for deploying and running webassembly workloads on compute nodes using a webassembly unikernel. In an example method, a computing device having a processor generates, using a container engine, a container runtime. The computing device generates, using the container runtime, a unikernel configured to run a plurality of webassembly applications, thereby resulting in a webassembly unikernel. The computing device may receive a request to run an application. A container image corresponding to the application may be retrieved, via the container engine, from a container registry. A webassembly payload may be stored for the application from the container image. Furthermore, the computing device may cause the webassembly unikernel to run the webassembly payload for the application.
Type: Application
Filed: August 13, 2024
Publication date: December 5, 2024
Inventors: Giuseppe Scrivano, Daniel Walsh, Sergio Lopez Pascual
-
Publication number: 20240385853
Abstract: A containerized service can be managed using a system manager and a deployment engine. The system manager can receive a service identifier that can identify a configuration file of the containerized service. The configuration file can be used to initiate one or more containers to run the containerized service. The system manager can transmit the configuration file to the deployment engine integrated with the system manager. The deployment engine can create a service container prior to initiating the one or more containers that can run the containerized service based on a container status of the service container. The service container can be used to manage the one or more containers. The system manager can initiate the containerized service in response to receiving a ready notification from the deployment engine indicating an operational status of the one or more containers.
Type: Application
Filed: May 15, 2023
Publication date: November 21, 2024
Inventors: Valentin Rothberg, Daniel Walsh
-
Patent number: 12124561
Abstract: Embodiments of the present disclosure relate to specifying security settings for containers and extracting and applying such security settings from container images provided by e.g., developers or vendors of an application. More specifically, a developer of an application may determine a minimum level of security that is necessary for the application to operate and generate custom security settings based on the determined minimum level of security. The custom security settings may be embedded into a container image corresponding to the application. A user of the application may retrieve the container image and extract the custom security settings and compare them to default security settings. In response to determining that the custom security settings are a subset of the default security settings, the custom security settings may be applied to a container that is run based on the container image.
Type: Grant
Filed: October 23, 2020
Date of Patent: October 22, 2024
Assignee: Red Hat, Inc.
Inventors: Daniel Walsh, Valentin Rothberg
-
Publication number: 20240330003
Abstract: A computing device executing a kernel-based operating system, during a boot process of the operating system, can start a first system and service manager that is configured to start processes from unit files stored in a predetermined directory on a first root volume. The computing device can start, by the first system and service manager, a process from a first unit file that causes generation of a first restricted container environment that includes a second system and service manager, and a second root volume can be mounted to the first restricted container environment. The computing device can start, by the second system and service manager, a process from a second unit file stored in a predetermined directory on the second root volume and the process can execute inside the first restricted container environment.
Type: Application
Filed: March 31, 2023
Publication date: October 3, 2024
Inventors: Alexander Larsson, Pierre-Yves Chibon, Daniel Walsh
-
Patent number: 12085908
Abstract: Some embodiments include a control bypass system for industrial cold storage facilities. In some embodiments, the control bypass system includes a cloud scheduler and a bypass controller. The cloud scheduler may be located in a remote location. The cloud scheduler may create a power draw prescription for one or more items of cold storage equipment at the industrial cold storage facility. The power draw prescription, for example, can include a desired power draw level for one or more items of cold storage equipment at the industrial cold storage facility and the desired power draw level changes over a period of time. The bypass controller can be located at the industrial cold storage facility and receives the power draw prescription from the cloud scheduler, produces an environmental setpoint for the one or more items of equipment, and outputs the environmental setpoint to a device or system controller.
Type: Grant
Filed: December 14, 2020
Date of Patent: September 10, 2024
Assignee: CROSSNO & KAYE, INC.
Inventors: Daniel Walsh, Thomas Foley, Jesse Crossno, Bryan Kaye
-
Patent number: 12073232
Abstract: Systems and methods for deploying and running webassembly workloads on compute nodes using a webassembly unikernel. A computing device having a processor generates, using a container engine, a container runtime. The computing device generates, using the container runtime, a unikernel configured to run a plurality of webassembly applications, thereby resulting in a webassembly unikernel. The computing device may receive a request to run an application. A container image corresponding to the application may be retrieved, via the container engine, from a container registry. A webassembly payload may be stored for the application from the container image. Furthermore, the computing device may cause the webassembly unikernel to run the webassembly payload for the application.
Type: Grant
Filed: September 28, 2022
Date of Patent: August 27, 2024
Assignee: Red Hat, Inc.
Inventors: Giuseppe Scrivano, Daniel Walsh, Sergio Lopez Pascual
-
Publication number: 20240226845
Abstract: Provided herein are compositions, kits and methods that may be useful for improving the efficiency of solid phase extraction to separate oligonucleotides from a complex matrix. Particularly, the present technology relates to a sorbent material including porous particles, the surface of which is modified with a ligand that includes one or more bridging alkyl substituted amines and at least two siloxyl terminal groups.
Type: Application
Filed: January 9, 2024
Publication date: July 11, 2024
Applicant: Waters Technologies Corporation
Inventors: Matthew Lauber, Nicole Lawrence, Daniel Walsh, Jessica Field
-
Patent number: 11966367
Abstract: A method includes receiving a system call from an application within a container executing on an operating system, the system call comprising a synchronization operation to synchronize memory of the application to storage. The method further includes determining, by the kernel, whether a system call filtering policy associated with the container indicates that the system call is to be prevented. preventing, by the kernel, performance of the synchronization operation in view of the system call filtering policy.
Type: Grant
Filed: February 15, 2023
Date of Patent: April 23, 2024
Assignee: Red Hat, Inc.
Inventors: Giuseppe Scrivano, Daniel Walsh
-
Publication number: 20240103882
Abstract: The present disclosure provides new and innovative systems and methods for deploying and running webassembly workloads on compute nodes using a webassembly unikernel. In an example method, a computing device having a processor generates, using a container engine, a container runtime. The computing device generates, using the container runtime, a unikernel configured to run a plurality of webassembly applications, thereby resulting in a webassembly unikernel. The computing device may receive a request to run an application. A container image corresponding to the application may be retrieved, via the container engine, from a container registry. A webassembly payload may be stored for the application from the container image. Furthermore, the computing device may cause the webassembly unikernel to run the webassembly payload for the application.
Type: Application
Filed: September 28, 2022
Publication date: March 28, 2024
Inventors: Giuseppe Scrivano, Daniel Walsh, Sergio Lopez Pascual
-
Patent number: 11921680
Abstract: A method includes receiving an operation from a container to synchronize container data from memory to a file system mounted by the container and determining whether the file system indicates that the operation is to be ignored. The method further includes, in response to determining that the file system indicates that the operation is to be ignored, preventing, by the operating system kernel executing on the processing device, performance of the operation.
Type: Grant
Filed: September 30, 2020
Date of Patent: March 5, 2024
Assignee: Red Hat, Inc.
Inventors: Giuseppe Scrivano, Daniel Walsh
-
Publication number: 20230266984
Abstract: A container image is received at a host device. The container image includes a container application compatible with a first operating system, and the host device includes a second operating system, different from the first operating system. A container engine on a processing device executes a container corresponding to the container image. The container engine includes an emulator configured to translate a request from the container application that is directed to the first operating system into a request to the second operating system.
Type: Application
Filed: February 23, 2022
Publication date: August 24, 2023
Inventors: Daniel Walsh, Giuseppe Scrivano, Aditya Rajan
-
Patent number: 11698652
Abstract: Some embodiments include electric power demand stabilization methods and systems that may include measuring the power draw of a plurality of controllable devices; determining a rolling average power draw for the plurality of controllable devices over a period of time; measuring an instantaneous power draw of the plurality of controllable devices; and calculating a power budget comprising the difference between the instantaneous power draw and the rolling average power draw. In the event the power budget is positive, increasing power to at least a first subset of the plurality of controllable devices. In the event the power budget is negative, decreasing power to at least a second subset of the plurality of controllable devices.
Type: Grant
Filed: October 18, 2019
Date of Patent: July 11, 2023
Assignee: CROSSNO & KAYE, INC
Inventors: Daniel Walsh, Jesse Crossno, Thomas Foley, Bryan Kaye
-
Publication number: 20230195698
Abstract: A method includes receiving a system call from an application within a container executing on an operating system, the system call comprising a synchronization operation to synchronize memory of the application to storage. The method further includes determining, by the kernel, whether a system call filtering policy associated with the container indicates that the system call is to be prevented. preventing, by the kernel, performance of the synchronization operation in view of the system call filtering policy.
Type: Application
Filed: February 15, 2023
Publication date: June 22, 2023
Inventors: Giuseppe Scrivano, Daniel Walsh
-
Patent number: 11586589
Abstract: A method includes receiving a system call from an application within a container executing on an operating system, the system call comprising a synchronization operation to synchronize memory of the application to storage. The method further includes determining, by the kernel, whether a system call filtering policy associated with the container indicates that the system call is to be prevented. preventing, by the kernel, performance of the synchronization operation in view of the system call filtering policy.
Type: Grant
Filed: September 30, 2020
Date of Patent: February 21, 2023
Assignee: Red Hat, Inc.
Inventors: Giuseppe Scrivano, Daniel Walsh
-
Patent number: 11537652
Abstract: A filesystem can be shared between containers. For example, a computing device having a host filesystem can launch a first container from an image file. Launching the first container can include creating an initialization directory for the first container on the host filesystem. The initialization directory can include a filesystem to be shared between containers. Launching the first container can also include creating a first filesystem directory for the first container on the host filesystem and mounting the initialization directory to the first filesystem directory. The computing device can also launch a second container from the image file. Launching the second container can include creating a second filesystem directory for the second container on the host filesystem and mounting the initialization directory to the second filesystem directory to enable the second container to access the filesystem.
Type: Grant
Filed: January 5, 2021
Date of Patent: December 27, 2022
Assignee: RED HAT, INC.
Inventors: Jeremy Eder, Eric Sandeen, Daniel Walsh, Vivek Goyal
-
Patent number: 11341260
Abstract: Allocation of access control identifiers to a container can be optimized. For example, a system can determine a largest value for a particular type of access control identifier (ACID) associated with a container image by analyzing content of the container image, the container image being for deploying a container. Next, the system can determine an amount of the particular type of ACID to allocate to the container based on the largest value. The system can then allocate the amount of the particular type of ACID to the container.
Type: Grant
Filed: March 4, 2020
Date of Patent: May 24, 2022
Assignee: Red Hat, Inc.
Inventors: Daniel Walsh, Giuseppe Scrivano
-
Publication number: 20220129539
Abstract: Embodiments of the present disclosure relate to specifying security settings for containers and extracting and applying such security settings from container images provided by e.g., developers or vendors of an application. More specifically, a developer of an application may determine a minimum level of security that is necessary for the application to operate and generate custom security settings based on the determined minimum level of security. The custom security settings may be embedded into a container image corresponding to the application. A user of the application may retrieve the container image and extract the custom security settings and compare them to default security settings. In response to determining that the custom security settings are a subset of the default security settings, the custom security settings may be applied to a container that is run based on the container image.
Type: Application
Filed: October 23, 2020
Publication date: April 28, 2022
Inventors: Daniel Walsh, Valentin Rothberg
-
Publication number: 20220129541
Abstract: Embodiments of the present disclosure provide a substitute audit log for use by applications in the user-space of a host operating system to write audit information. When a container makes a system call attempting to write audit information to an audit log of the kernel, the kernel may utilize a predefined set of instructions indicating how to detect such system calls and how such system calls are to be modified so as to reroute the system call to an unprivileged socket. The kernel writes the audit information of the system call to an unprivileged socket that is connected to a substitute audit log. A container management program monitoring the unprivileged socket may write the audit information to the substitute log which is defined in container specific directories of the container.
Type: Application
Filed: October 23, 2020
Publication date: April 28, 2022
Inventors: Giuseppe Scrivano, Daniel Walsh