Patents by Inventor Daniel Walsh
Daniel Walsh has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).
-
Patent number: 12645786
Abstract: Systems, methods, and apparatuses for determining a cause of an error in a computing environment, such as a permission denied error in a Linux computing environment, are provided herein. An example method comprises executing an application in a Linux environment, monitoring a plurality of Linux subsystems and functions via an instrumentation inserted on a kernel, and responsive to a failure of the application, providing a summary of a cause of the failure based upon the monitoring of the Linux subsystems and functions.
Type: Grant
Filed: September 1, 2023
Date of Patent: June 2, 2026
Assignee: Red Hat, Inc.
Inventors: Eric Paris, Giuseppe Scrivano, Daniel Walsh
-
Publication number: 20260104896
Abstract: This disclosure provides devices, systems, methods, and techniques for booting up an operating system with an initial scalable filesystem. An example method includes loading, from a non-transitory and non-volatile memory, a bootloader into a random access memory (RAM). The method includes loading, by the bootloader, a kernel into the RAM. The method includes initializing, by the kernel, an initial filesystem to load storage drivers relevant to the hardware resources for starting essential storage components. The method includes, when the initial filesystem is initialized, mounting, by a processing device, an overlay filesystem onto the initial filesystem of the RAM. The method further includes transitioning, upon completion of system initialization tasks in the overlay filesystem, from the overlay filesystem to a target root filesystem.
Type: Application
Filed: October 11, 2024
Publication date: April 16, 2026
Inventors: Eric Curtin, Leigh Griffin, Alexander Larsson, Daniel Walsh
-
Patent number: 12591439
Abstract: A containerized service can be managed using a system manager and a deployment engine. The system manager can receive a service identifier that can identify a configuration file of the containerized service. The configuration file can be used to initiate one or more containers to run the containerized service. The system manager can transmit the configuration file to the deployment engine integrated with the system manager. The deployment engine can create a service container prior to initiating the one or more containers that can run the containerized service based on a container status of the service container. The service container can be used to manage the one or more containers. The system manager can initiate the containerized service in response to receiving a ready notification from the deployment engine indicating an operational status of the one or more containers.
Type: Grant
Filed: May 15, 2023
Date of Patent: March 31, 2026
Assignee: Red Hat, Inc.
Inventors: Valentin Rothberg, Daniel Walsh
-
Patent number: 12572675
Abstract: An access control engine can enable a host operating system to propagate a private resource of an isolated virtual environment, such as a container, running on the host operating system outside of the isolated virtual environment. The private resource can include, for example, a file system mounted within the isolated virtual environment. The access control engine can receive a command and launch the isolated virtual environment in response to the command. Also, in response to the command, the access control engine can interface with a kernel of the host operating system to configure the isolated virtual environment so that the private resource is accessible outside the isolated virtual environment.
Type: Grant
Filed: September 7, 2021
Date of Patent: March 10, 2026
Assignee: Red Hat, Inc.
Inventors: Vivek Goyal, Daniel Walsh, Huamin Chen, Mrunal Patel
-
Publication number: 20250330469
Abstract: A system can be used to control access to protected resources with respect to remote access of a computing environment. The system can execute a service file to generate a container in a host system based on user input received from a user device to initiate a login session. The service file can correspond to the user input. Subsequent to generating the container, the system can execute a user shell associated with the container to assign the user device to the container. The container can restrict the user device to access a set of predefined resources indicated in the service file. In response to detecting that the login session has ended, the system can remove the container associated with the user device from the host system.
Type: Application
Filed: April 17, 2024
Publication date: October 23, 2025
Inventors: Daniel Walsh, Lokesh Shyamsunder Mandvekar, Petr Lautrbach
-
Patent number: 12332995
Abstract: Embodiments of the present disclosure provide a substitute audit log for use by applications in the user-space of a host operating system to write audit information. When a container makes a system call attempting to write audit information to an audit log of the kernel, the kernel may utilize a predefined set of instructions indicating how to detect such system calls and how such system calls are to be modified so as to reroute the system call to an unprivileged socket. The kernel writes the audit information of the system call to an unprivileged socket that is connected to a substitute audit log. A container management program monitoring the unprivileged socket may write the audit information to the substitute log which is defined in container specific directories of the container.
Type: Grant
Filed: October 23, 2020
Date of Patent: June 17, 2025
Assignee: Red Hat, Inc.
Inventors: Giuseppe Scrivano, Daniel Walsh
-
Patent number: 12321752
Abstract: A computing device executing a kernel-based operating system, during a boot process of the operating system, can start a first system and service manager that is configured to start processes from unit files stored in a predetermined directory on a first root volume. The computing device can start, by the first system and service manager, a process from a first unit file that causes generation of a first restricted container environment that includes a second system and service manager, and a second root volume can be mounted to the first restricted container environment. The computing device can start, by the second system and service manager, a process from a second unit file stored in a predetermined directory on the second root volume and the process can execute inside the first restricted container environment.
Type: Grant
Filed: March 31, 2023
Date of Patent: June 3, 2025
Assignee: Red Hat, Inc.
Inventors: Alexander Larsson, Pierre-Yves Chibon, Daniel Walsh
-
Publication number: 20250077652
Abstract: Systems, methods, and apparatuses for determining a cause of an error in a computing environment, such as a permission denied error in a Linux computing environment, are provided herein. An example method comprises executing an application in a Linux environment, monitoring a plurality of Linux subsystems and functions via an instrumentation inserted on a kernel, and responsive to a failure of the application, providing a summary of a cause of the failure based upon the monitoring of the Linux subsystems and functions.
Type: Application
Filed: September 1, 2023
Publication date: March 6, 2025
Inventors: Eric Paris, Giuseppe Scrivano, Daniel Walsh
-
Publication number: 20250005134
Abstract: Embodiments of the present disclosure relate to security settings for containers. The method may include tracing, using a trace tool, system calls made by an application to determine a system call that is necessary for the application to operate, wherein the system call corresponds to a minimum level of security for the application. The method may also include embedding, based on the system call, a custom security setting into a container image corresponding to the application.
Type: Application
Filed: September 13, 2024
Publication date: January 2, 2025
Inventors: Daniel Walsh, Valentin Rothberg
-
Publication number: 20240403067
Abstract: The present disclosure provides new and innovative systems and methods for deploying and running WebAssembly workloads on compute nodes using a WebAssembly unikernel. In an example method, a computing device having a processor generates, using a container engine, a container runtime. The computing device generates, using the container runtime, a unikernel configured to run a plurality of WebAssembly applications, thereby resulting in a WebAssembly unikernel. The computing device may receive a request to run an application. A container image corresponding to the application may be retrieved, via the container engine, from a container registry. A WebAssembly payload may be stored for the application from the container image. Furthermore, the computing device may cause the WebAssembly unikernel to run the WebAssembly payload for the application.
Type: Application
Filed: August 13, 2024
Publication date: December 5, 2024
Inventors: Giuseppe Scrivano, Daniel Walsh, Sergio Lopez Pascual
-
Publication number: 20240385853
Abstract: A containerized service can be managed using a system manager and a deployment engine. The system manager can receive a service identifier that can identify a configuration file of the containerized service. The configuration file can be used to initiate one or more containers to run the containerized service. The system manager can transmit the configuration file to the deployment engine integrated with the system manager. The deployment engine can create a service container prior to initiating the one or more containers that can run the containerized service based on a container status of the service container. The service container can be used to manage the one or more containers. The system manager can initiate the containerized service in response to receiving a ready notification from the deployment engine indicating an operational status of the one or more containers.
Type: Application
Filed: May 15, 2023
Publication date: November 21, 2024
Inventors: Valentin Rothberg, Daniel Walsh
-
Patent number: 12124561
Abstract: Embodiments of the present disclosure relate to specifying security settings for containers and extracting and applying such security settings from container images provided by e.g., developers or vendors of an application. More specifically, a developer of an application may determine a minimum level of security that is necessary for the application to operate and generate custom security settings based on the determined minimum level of security. The custom security settings may be embedded into a container image corresponding to the application. A user of the application may retrieve the container image and extract the custom security settings and compare them to default security settings. In response to determining that the custom security settings are a subset of the default security settings, the custom security settings may be applied to a container that is run based on the container image.
Type: Grant
Filed: October 23, 2020
Date of Patent: October 22, 2024
Assignee: Red Hat, Inc.
Inventors: Daniel Walsh, Valentin Rothberg
-
Publication number: 20240330003
Abstract: A computing device executing a kernel-based operating system, during a boot process of the operating system, can start a first system and service manager that is configured to start processes from unit files stored in a predetermined directory on a first root volume. The computing device can start, by the first system and service manager, a process from a first unit file that causes generation of a first restricted container environment that includes a second system and service manager, and a second root volume can be mounted to the first restricted container environment. The computing device can start, by the second system and service manager, a process from a second unit file stored in a predetermined directory on the second root volume and the process can execute inside the first restricted container environment.
Type: Application
Filed: March 31, 2023
Publication date: October 3, 2024
Inventors: Alexander Larsson, Pierre-Yves Chibon, Daniel Walsh
-
Patent number: 12085908
Abstract: Some embodiments include a control bypass system for industrial cold storage facilities. In some embodiments, the control bypass system includes a cloud scheduler and a bypass controller. The cloud scheduler may be located in a remote location. The cloud scheduler may create a power draw prescription for one or more items of cold storage equipment at the industrial cold storage facility. The power draw prescription, for example, can include a desired power draw level for one or more items of cold storage equipment at the industrial cold storage facility and the desired power draw level changes over a period of time. The bypass controller can be located at the industrial cold storage facility and receives the power draw prescription from the cloud scheduler, produces an environmental setpoint for the one or more items of equipment, and outputs the environmental setpoint to a device or system controller.
Type: Grant
Filed: December 14, 2020
Date of Patent: September 10, 2024
Assignee: CROSSNO & KAYE, INC.
Inventors: Daniel Walsh, Thomas Foley, Jesse Crossno, Bryan Kaye
-
Patent number: 12073232
Abstract: Systems and methods for deploying and running WebAssembly workloads on compute nodes using a WebAssembly unikernel. A computing device having a processor generates, using a container engine, a container runtime. The computing device generates, using the container runtime, a unikernel configured to run a plurality of WebAssembly applications, thereby resulting in a WebAssembly unikernel. The computing device may receive a request to run an application. A container image corresponding to the application may be retrieved, via the container engine, from a container registry. A WebAssembly payload may be stored for the application from the container image. Furthermore, the computing device may cause the WebAssembly unikernel to run the WebAssembly payload for the application.
Type: Grant
Filed: September 28, 2022
Date of Patent: August 27, 2024
Assignee: Red Hat, Inc.
Inventors: Giuseppe Scrivano, Daniel Walsh, Sergio Lopez Pascual
-
Publication number: 20240226845
Abstract: Provided herein are compositions, kits and methods that may be useful for improving the efficiency of solid phase extraction to separate oligonucleotides from a complex matrix. Particularly, the present technology relates to a sorbent material including porous particles, the surface of which is modified with a ligand that includes one or more bridging alkyl substituted amines and at least two siloxyl terminal groups.
Type: Application
Filed: January 9, 2024
Publication date: July 11, 2024
Applicant: Waters Technologies Corporation
Inventors: Matthew Lauber, Nicole Lawrence, Daniel Walsh, Jessica Field
-
Patent number: 11966367
Abstract: A method includes receiving a system call from an application within a container executing on an operating system, the system call comprising a synchronization operation to synchronize memory of the application to storage. The method further includes determining, by the kernel, whether a system call filtering policy associated with the container indicates that the system call is to be prevented, and preventing, by the kernel, performance of the synchronization operation in view of the system call filtering policy.
Type: Grant
Filed: February 15, 2023
Date of Patent: April 23, 2024
Assignee: Red Hat, Inc.
Inventors: Giuseppe Scrivano, Daniel Walsh
-
Publication number: 20240103882
Abstract: The present disclosure provides new and innovative systems and methods for deploying and running WebAssembly workloads on compute nodes using a WebAssembly unikernel. In an example method, a computing device having a processor generates, using a container engine, a container runtime. The computing device generates, using the container runtime, a unikernel configured to run a plurality of WebAssembly applications, thereby resulting in a WebAssembly unikernel. The computing device may receive a request to run an application. A container image corresponding to the application may be retrieved, via the container engine, from a container registry. A WebAssembly payload may be stored for the application from the container image. Furthermore, the computing device may cause the WebAssembly unikernel to run the WebAssembly payload for the application.
Type: Application
Filed: September 28, 2022
Publication date: March 28, 2024
Inventors: Giuseppe Scrivano, Daniel Walsh, Sergio Lopez Pascual
-
Patent number: 11921680
Abstract: A method includes receiving an operation from a container to synchronize container data from memory to a file system mounted by the container and determining whether the file system indicates that the operation is to be ignored. The method further includes, in response to determining that the file system indicates that the operation is to be ignored, preventing, by the operating system kernel executing on the processing device, performance of the operation.
Type: Grant
Filed: September 30, 2020
Date of Patent: March 5, 2024
Assignee: Red Hat, Inc.
Inventors: Giuseppe Scrivano, Daniel Walsh
-
Publication number: 20230266984
Abstract: A container image is received at a host device. The container image includes a container application compatible with a first operating system, and the host device includes a second operating system, different from the first operating system. A container engine on a processing device executes a container corresponding to the container image. The container engine includes an emulator configured to translate a request from the container application that is directed to the first operating system into a request to the second operating system.
Type: Application
Filed: February 23, 2022
Publication date: August 24, 2023
Inventors: Daniel Walsh, Giuseppe Scrivano, Aditya Rajan