Abstract: A method for commissioning a variable air volume (VAV) system is shown. The method includes receiving instructions via an application on a user interface, the instructions provided over a wireless communications network. The method further includes determining that a cold commissioning testing sequence has been completed for the VAV system. The method further includes, in response to determining that the cold commissioning testing sequence has been completed, initiating a hot commissioning testing sequence. The method further includes performing the hot commissioning testing sequence. The method further includes providing a report of the hot commissioning testing sequence to the user interface.

Abstract: In an approach for securing container workloads, a processor encrypts workload binaries. A processor uploads the workload binaries to a software repository. A processor encrypts a workload definition. A processor replaces the workload definition with a mock workload definition. A processor references the encrypted workload definition in the mock workload definition. A processor submits the mock workload definition to a master node.

Abstract: Described are techniques for secure workload configuration including a method comprising receiving a workload definition file at a worker node and from a master node, where the workload definition file comprises an encrypted immutable definition, a partially immutable definition with a predefined range of values and a first value modified by the master node, and a variable definition with a second value modified by the master node. The method further comprises decrypting, by the worker node, the encrypted immutable definition to generate a decrypted immutable definition. The method further comprises verifying, by the worker node, that the first value satisfies the predefined range of values. The method further comprises, in response to decrypting the encrypted immutable definition and verifying that the first value satisfies the predefined range of values, executing a workload based on the workload definition file in a virtual computing environment.

Abstract: Method, apparatus, and computer program product are provided for dynamically changing containerized workload isolation in response to detection of a triggering factor. In some embodiments, workload is containerized using a default container runtime (e.g., runC) that spawns one or more cgroup-based containers on a compute node using resource limiting capabilities of the compute node's host kernel including cgroups and namespaces. In some embodiments, in response to a triggering factor, such as a host kernel vulnerability, at least some of the containerized workload is migrated from running in the one or more cgroup-based containers to one or more virtual machines (VMs) launched by a standby container runtime (e.g., runV). In some embodiments, the cgroups and namespaces of the one or more cgroup-based containers are live migrated, without service interruption, to one or more VM runtimes on the one or more VMs using CRIU—checkpoint/restore in userspace.

Abstract: In an approach for securing container workloads, a processor encrypts workload binaries. A processor uploads the workload binaries to a software repository. A processor encrypts a workload definition. A processor replaces the workload definition with a mock workload definition. A processor references the encrypted workload definition in the mock workload definition. A processor submits the mock workload definition to a master node.

Abstract: Described are techniques for secure workload configuration including a method comprising receiving a workload definition file at a worker node and from a master node, where the workload definition file comprises an encrypted immutable definition, a partially immutable definition with a predefined range of values and a first value modified by the master node, and a variable definition with a second value modified by the master node. The method further comprises decrypting, by the worker node, the encrypted immutable definition to generate a decrypted immutable definition. The method further comprises verifying, by the worker node, that the first value satisfies the predefined range of values. The method further comprises, in response to decrypting the encrypted immutable definition and verifying that the first value satisfies the predefined range of values, executing a workload based on the workload definition file in a virtual computing environment.

Abstract: Method, apparatus, and computer program product are provided for dynamically changing containerized workload isolation in response to detection of a triggering factor. In some embodiments, workload is containerized using a default container runtime (e.g., runC) that spawns one or more cgroup-based containers on a compute node using resource limiting capabilities of the compute node's host kernel including cgroups and namespaces. In some embodiments, in response to a triggering factor, such as a host kernel vulnerability, at least some of the containerized workload is migrated from running in the one or more cgroup-based containers to one or more virtual machines (VMs) launched by a standby container runtime (e.g., runV). In some embodiments, the cgroups and namespaces of the one or more cgroup-based containers are live migrated, without service interruption, to one or more VM runtimes on the one or more VMs using CRIU—checkpoint/restore in userspace.