Abstract: A method includes receiving a system call from an application within a container executing on an operating system, the system call comprising a synchronization operation to synchronize memory of the application to storage. The method further includes determining, by the kernel, whether a system call filtering policy associated with the container indicates that the system call is to be prevented. preventing, by the kernel, performance of the synchronization operation in view of the system call filtering policy.

Abstract: The present disclosure provides new and innovative systems and methods for deploying and running webassembly workloads on compute nodes using a webassembly unikernel. In an example method, a computing device having a processor generates, using a container engine, a container runtime. The computing device generates, using the container runtime, a unikernel configured to run a plurality of webassembly applications, thereby resulting in a webassembly unikernel. The computing device may receive a request to run an application. A container image corresponding to the application may be retrieved, via the container engine, from a container registry. A webassembly payload may be stored for the application from the container image. Furthermore, the computing device may cause the webassembly unikernel to run the webassembly payload for the application.

Abstract: A method includes receiving, an operation from a container to synchronize container data from memory to a file system mounted by the container and determining whether the file system indicates that the operation is to be ignored. The method further includes, in response to determining that the file system indicates that the operation is to be ignored, preventing, by the operating system kernel executing on the processing device, performance of the operation.

Abstract: An example system includes a memory, a processor in communication with the memory, and a supervisor. The supervisor is configured to allocate a memory space in the memory to a workload executing on the processor. The supervisor is configured to store data written by the workload as dirty memory in the memory space at least until the data is written back to a data storage. Based on a type of the workload being a first type, the supervisor is configured to trigger write back of at least a portion of the dirty memory into the data storage in response to the dirty memory exceeding a threshold level. Based on the type of the workload being a second type, the supervisor is configured to delay write back of the dirty memory into the data storage in response to the dirty memory exceeding the threshold level.

Abstract: Implementations of the disclosure provide a method including calculating, by a processing device, a time required to have a container image ready for use; determining whether the time satisfies a threshold criterion; and responsive to determining that the time satisfies the threshold criterion, performing a synchronization operation that stores the container image in a persistent storage.

Abstract: Systems, methods, and machine-readable instructions stored on machine-readable media are disclosed for copying a first permission of a file to a second permission of the file, wherein the file is stored on a host file system. The first permission is changed to a third permission. A request is received to access the file from a container file system. In response to the request and before providing the container file system with access to the file, changing the third permission to the second permission. The file is provided to the container file system based on the second permission.

Abstract: A method includes, with a computing system, storing a first container image. The first container image may be defined by a first set of layers. The method further includes, with the computing system, storing a second container image, the second container image defined by a second set of layers. The second set of layers has at least one file in common with a file in the first set of layers. The method further includes, with the computing system, performing an analysis of the first set of layers and the second set of layers. The method further includes, with the computing system, using the analysis to create a new set of layers such that both the first container image and the second container image can be derived from the new set of layers.

Abstract: An example system includes a memory, a processor in communication with the memory, and a hypervisor. The hypervisor is configured to store, as dirty memory, data from a virtual machine (VM) at least until the data is written back into a data storage. The hypervisor is also configured to assign a persistence setting for managing write back of the dirty memory of the VM into the data storage. The hypervisor is also configured to periodically trigger writing at least a portion of the dirty memory of the VM into the data storage based on the persistence setting being a first setting. The hypervisor is also configured to disable periodic triggering, by the hypervisor, of the writing of the dirty memory of the VM into the data storage based on the persistence setting being a second setting.

Abstract: Deployment times for container clones may be reduced by implementing some examples described herein. In one example, a system can receive a container snapshot including runtime data for a software service executed inside a container at a prior point in time. The system can deploy a template container from the container snapshot at least in part by assigning a memory region to the template container and loading the runtime data from container snapshot into the memory region. The system can freeze the template container to prevent modification of the runtime data in the memory region. While the template container is frozen, the system can deploy a container clone using the runtime data in the memory region, such that the container clone includes the software service in at least a substantially ready state by default based on the runtime data.

Abstract: Duplication of files in a storage device of a computing device can be avoided using some techniques described herein. In one example, a system can determine a checksum of a file in a software package. The system can then determine that the file is absent from a storage device by issuing a command for accessing the file based on the checksum. In response to determining that the file is absent from the storage device, the system can download a copy of the file from a remote computing device to the storage device over a network.

Abstract: A sparse files aware rolling checksum is provided by passing, in sequence, each byte of an archival file to a hash function; and in response to: detecting that a sequence of bytes from the archival file produce outputs from the hash function of zero, wherein a number of bytes in the sequence of bytes satisfies a chunk-end threshold, and determining that the sequence of bytes is located in a hole in the archival file of a greater number of bytes than the chunk-end threshold: designating a hole-chunk of the archival file that includes metadata for a location and a length of the hole in the archival file.

Abstract: Systems and methods for duplication avoidance are disclosed. In one implementation, a VM can receive a request to perform a file access operation with respect to a file and determine a hash value corresponding to a content of the file. The VM can search the file identified by the hash value in in a host file system. Responsive to failing to find the hash value in the host file system, the VM can search the hash value in a guest file system of the VM and responsive to finding the file identified by the hash value in the guest file system, can perform the file access operation with respect to the file.

Abstract: Embodiments of the present disclosure provide a hybrid approach to performing a lazy pull of a container image. A file system in user space (FUSE) is utilized to lazy pull the container image, and manage file requests from the container while the container image is being fetched locally. During the retrieving, the FUSE may receive from the container, one or more file requests, and may temporarily block each of the one or more file requests until it can process them. Once the container image is fully fetched locally, the overlay structure of the container image expected by a file system in the kernel (e.g., Overlay FS) is created and control is passed to the file system in the kernel. The FUSE may then unmount itself, to expose the container to the underlying mount point.

Abstract: A request to access an image stored by a host operating system (OS) maybe received from a process running in a container. The container may run a namespace including a plurality of namespace user identifiers (UIDs). A host UID corresponding to the namespace UID of the process may be synchronized with a host UID of an owner of the image based on configuration data of the namespace.

Abstract: An example method of reducing a container image size includes tracing an execution of a process running in a container. The container is associated with a first container image storing a set of files. The method also includes marking, based on the tracing, a subset of files accessed by the process. The method further includes creating a second container image storing the marked set of files.

Abstract: A container image is received at a host device. The container image includes a container application compatible with a first operating system, and the host device includes a second operating system, different from the first operating system. A container engine on a processing device executes a container corresponding to the container image. The container engine includes an emulator configured to translate a request from the container application that is directed to the first operating system into a request to the second operating system.

Abstract: Embodiments of the present disclosure provide a hybrid approach to performing a lazy pull of a container image. A file system in user space (FUSE) is utilized to lazy pull the container image, and manage file requests from the container while the container image is being fetched locally. During the retrieving, the FUSE may receive from the container, one or more file requests, and may temporarily block each of the one or more file requests until it can process them. Once the container image is fully fetched locally, the overlay structure of the container image expected by a file system in the kernel (e.g., Overlay FS) is created and control is passed to the file system in the kernel. The FUSE may then unmount itself, to expose the container to the underlying mount point.

Abstract: Duplication of files in a storage device of a computing device can be avoided using some techniques described herein. In one example, a system can determine a checksum of a file in a software package. The system can then determine that the file is absent from a storage device by issuing a command for accessing the file based on the checksum. In response to determining that the file is absent from the storage device, the system can download a copy of the file from a remote computing device to the storage device over a network.

Abstract: A method includes receiving a system call from an application within a container executing on an operating system, the system call comprising a synchronization operation to synchronize memory of the application to storage. The method further includes determining, by the kernel, whether a system call filtering policy associated with the container indicates that the system call is to be prevented. preventing, by the kernel, performance of the synchronization operation in view of the system call filtering policy.

Abstract: An archive file that includes an archive start point and an archive end point is received to be segmented and compressed. A first set of compression start points to segment the archive file according to a first function and a second set of compression start points to partition the archive file according to a second function are created. The first set of compression start points and the second set of compression start points are combined to create a set of merged compression start points to partition the archive file into portions between the archive start point and the archive end point. Each portion between the archive start point and the archive end point are compressed to create a compressed archive file.