Abstract: Co-locating containers based on source to improve compute density is disclosed. For example, a repository stores image files associated with metadata. A scheduler receives a request to launch a container using an image file having a source. The container is launched in a host with a first version of first and second container components loaded to a host memory. A request to launch another container using another image file having the source is received. This container includes the first version of first and third container components, and is launched in the host. The first version of the third container component is loaded to the host memory. A request to launch a third container using a third image file having a different source is received, and is launched in the second host, including a second version of the first, second and third container components, all loaded to a second host memory.

Abstract: Methods, systems, and computer program products are included for suggesting at least one container image from one or more searched container images, and including the suggested container image in a search result. A log-in request to log a user into a cloud user account of a cloud platform is received via a user interface, and responsive to the log-in request, the user is logged into the cloud user account. A search query for a type of container image is received from the user via the user interface. The cloud platform is searched for one or more container images within the queried type of container image.

Abstract: Instantiating containers with a unified data volume is disclosed. For example, a host includes a first memory, and an orchestrator requests a persistent storage to be provisioned in a second memory located across a network from the host based an image file and/or metadata associated with the image file. The persistent storage is mounted to the host. The image file is copied to the first memory as a lower system layer of an isolated guest based on the image file, where the lower system layer is write protected. An upper system layer is constructed in the first persistent storage based on the image file. A baseline snapshot of the persistent storage is captured, including the upper system layer after the upper system layer is constructed. The isolated guest is launched while attached to the lower system layer and the upper system layer.

Abstract: Computing resources can be allocated to a container in a computing environment. For example, a computing device can determine that a dependent computing resource is to be allocated to the container. The dependent computing resource can depend on another computing resource being allocated to the container before the dependent computing resource is allocated to the container. The computing device can determine a parameter value for a backoff process for checking the availability of the dependent computing resource. The parameter value can be determined using another parameter value for another backoff process for checking the availability of the other computing resource. The computing device can then determine that the dependent computing resource is available by executing the backoff process using the parameter value. In response to determining that the dependent computing resource is available, the computing device can allocate the dependent computing resource to the container.

Abstract: A processing device receives a request that identifies an object to store in a storage system. The request includes a custom path for the object that represents content of the object. The processing device selects one or more other objects in the storage system that has a respective custom path that is similar to the custom path in the request. The one or more other objects that have the respective custom path that is similar to the custom path in the request includes content that is similar to the content of the object that is identified in the request. The processing device determines which data store in the storage system stores the one or more other objects that have the respective custom path that is similar to the custom path in the request, and routes the object identified in the request to a storage node corresponding to the data store to store the object in the data store with the one or more other objects.

Abstract: Aspects of the disclosure provide for mechanisms for reducing service disruptions in a computer system. A method of the disclosure may include determining that a service replica is to be deployed in a computer system; determining, by a processing device, a plurality of lost impact factors corresponding to a plurality of nodes of the computer system; selecting, in view of the plurality of lost impact factors, a first node of the plurality of nodes; and deploying the service replica on the first node. In some embodiments, the method further includes identifying one or more services running on a first node of the plurality of nodes; and determining, a plurality of service capacity factors corresponding to each of the identified services, wherein each of the service capacity factors represents an amount of service loss of one of the identified services resulted from a loss of one of the nodes.

Abstract: Dual-level storage device reservation is disclosed. A first request associated with a first application of a plurality of applications to reserve a first network-attached storage device for write access is accessed. A first storage device reservation key is stored on the first network-attached storage device to reserve the network-attached storage device. A first mapping entry that associates the first storage device reservation key with a first application identifier (ID) of the first application is generated. The first storage device reservation key is received from the first application, and a message is sent to the first application that contains information that identifies the first application as having write access to the first network-attached storage device based on the first mapping entry.

Abstract: Aspects of the disclosure provide for polymorphism and type casting in storage volume connections. A method of the disclosure includes receiving an identifier of a persistent volume (PV) created on a storage device and list of polymorphic connection types supported by the PV, creating a PV record for the PV at the container manager, responsive to receiving a query of the PV record from a container host, performing, for a connection from the container host to the storage device, type casting to select a connection type from the list of polymorphic connection types, and returning the identifier of the PV and connection information to cause the container host to establish the connection to the storage device via the selected connection type.

Abstract: An access control system includes a memory, a processor, a host operating system (OS) executing on the processor, a container on the host OS, and a security manager running on the host OS. The container has a set of access control rules and includes a containerized utility. The security manager receives a request to run the utility to complete a transaction, retrieves credentials associated with the user, and determines a status of the credentials. The status of the credentials is privileged if the credentials are included in the set of access control rules and is non-privileged if the credentials are not included in the access control rules. Responsive to determining the status as privileged, the security manager executes an RBD command for the transaction to obtain a target RBD image, retrieves the target RBD image, and records the transaction.

Abstract: Methods and systems for security threat detection are disclosed. For example, a virtual machine with a network interface of a plurality of virtual machines includes a plurality of applications including first and second applications. The plurality of applications is associated with a respective plurality of application security modules, including a first and second application security modules associated with the first and second applications. A security policy engine executes on a processor in communication with a network including a network controller. The application security module detects an abnormality with a request to the first application, identifies a source and a mode of the abnormality, and reports the source and the mode to the security policy engine. The security policy engine prevents a further abnormality with the source and/or the mode from affecting the second application and commands the network controller to prevent the source from interacting with the network.

Abstract: Method and system for deallocating shared system resources. In an example, the system includes a memory storing a system resource allocation database, a processor running a scheduler, including an I/O and a scheduler engine. The scheduler receives a request to deallocate a first plurality of system resources, which includes a first and a second system resource. The scheduler then updates the system resource allocation database at a starting time by marking the first and the second system resource both as conditionally available including inserting a first time-to-live timestamp and a second time-to-live timestamp associated with the first and the second system resource respectively.

Abstract: Methods, systems, and computer program products are included for querying and retrieving objects from images. An example method includes traversing a persistent local mirror overlay filesystem (PLMO FS) to determine whether one or more objects of a requested image already exist on a local data storage device. If so, an I/O hit is determined, and the objects are not pulled from the registry. Conversely, if the objects are not found on the local data storage device, an I/O miss is determined, and the objects are pulled from the registry. A local copy of the requested image is then built using the already locally-existing I/O-hit objects and the newly retrieved I/O-missed objects, such that the local copy of the requested image is a mirror of the original requested image in the registry.

Abstract: A processing device receives a request to recreate an application from a particular point in time. The processing device determines a set of hierarchical tags in a data store of hierarchical tags, the set of hierarchical tags describes a computing environment hosting the application from the particular point in time. The processing device copies, from the data store, a snapshot associated with a source data tag of the set of hierarchical tags. The processing device recreates the computing environment hosting the application from the particular point in time in a replication environment using the set of hierarchical tags and the snapshot.

Abstract: A method for identifying and isolating faults in versioned microservices includes a request replicator receiving an original request, and determining whether to replicate the original request. The request replicator replicates the original request creating one or more replicated requests, including a first replicated request. In an example, the request replicator dispatches the original request to a stable production system, and dispatches the first replicated request to a first modified production system. The stable production system produces a first reply to the original request. The first modified production system produces a second reply to the first replicated request. A fault detector performs a comparison of the second reply and the first reply and determines, based on the comparison, that the first modified production system has a verification status. Then, the stable production system is replaced with first modified production system.

Abstract: Efficient cloud service capacity scaling is disclosed. For example, a plurality of services are configured to execute on a plurality of isolated guests, each service being in a real-time latency tolerance or a retriable latency tolerance. A first service in the real-time latency tolerance is added to a scheduling queue while second and third services in the retriable latency tolerance and execute in the plurality of isolated guests. A scheduler determines that a current computing capacity of the plurality of isolated guests is below a minimum capacity threshold. The scheduler determines whether to elevate the second and/or the third service to the real-time latency tolerance. The scheduler determines to, and then elevates the second service to the real-time latency tolerance. The scheduler determines not to elevate the third service, which is then terminated, freeing computing capacity. The first service is then executed in the plurality of isolated guests.

Abstract: Compressibility instrumented dynamic volume provisioning is disclosed. For example, a plurality of storage pools includes first and second storage pools, and is managed by a storage controller that receives a request to provision a first persistent storage volume associated with a first container, where the first storage pool has a first storage configuration including a deduplication setting, a compression setting, and/or an encryption setting. The first persistent storage volume is created in the first storage pool based on a first storage mode stored in metadata associated with the first container, where the storage mode includes a deduplication mode, a compression mode, and/or an encryption mode. A second persistent storage volume is in the second storage pool with a second storage configuration different from the first storage configuration based on a second storage mode associated with a second container.

Abstract: A method for data auditing for object storage public clouds includes a service broker receiving a request to store data in public object storage, where the request includes user information or a container image. The service broker, based on either the user information or the container image, determines that data auditing is necessary. The service broker creates a storage unit, in public object storage, and a storage proxy. The method further includes the storage proxy storing data, and a data auditor retrieving data from the storage proxy. The data auditor determines a data qualification for the data, and notifies the storage proxy of the data qualification.

Abstract: Cross layer signaling for network resource scaling is disclosed. For example, a service executed on a container associated with a bandwidth setting is associated with a load balancer including a service traffic monitor and a latency setting included in a network switch with a network bandwidth monitor, both monitors communicating with a policy engine. The network bandwidth monitor determines first and second bandwidth usage rates of the service over a first time period and a later second time period. The service traffic monitor determines first and second request rates of the service over third and fourth time periods overlapping with the first and second time periods. The policy engine calculates first and second ratios of the first and second bandwidth usage rates to the first and second request rates. The latency setting or the bandwidth setting is increased based on comparing the first and second ratios.

Abstract: The present disclosure provides for dynamic resource allocation to a container on a host. For example, in a first directed acyclic graph (“DAG”), a CPU resource usage of a container may be detected. In a second DAG, an I/O resource usage of the container may be detected. In a third DAG, a network traffic resource usage of the container may be detected. Each detected resource may be associated with a distinct control group. Each detected resource usage may be compared to a detected service level objective (“SLO”). Resources that fail to meet the SLO may be adjusted. Each adjusted resource usage may be compared to the SLO, and any resources that continue to fail to meet the SLO may be further adjusted. An orchestrator may be notified when a resource has been adjusted to a threshold limit and the container may be migrated to a second host.

Abstract: A processing device, responsive to requests for builds for an application, forces an error to occur during an execution of each request. The execution of each request represents an execution of a set of operations for providing a respective build. The processing device determines that each execution has a false failure caused by a forced error, classifies each execution of the set of operations as having the false failure, determines that an execution of a new set of operations for providing a new build has a failure, determines that one or more features pertaining to the execution of the new set of operations correspond to one or more features pertaining to an execution of one of the sets of operations classified as having the false failure, and re-executes the new set of operations in a modified computing environment to increase a likelihood of successfully providing the new build.