Abstract: Disclosed systems and methods initiate an instance of an isolated application on a node computing device. The systems determine that the isolated application requests exclusive access to a block storage resource, create a control group associated with the block storage resource to provide access to members of the control group and set an access rate limit to zero for non-members of the control group, and assign the isolated application to the control group.

Abstract: An object may be received by a serverless computing system, such as a distributed object storage system, to be processed using serverless functions of the distributed object storage system. The object includes object metadata indicating an attribute of the object. The content of the object, such as the object's header is analyzed and the attribute indicated in the object metadata is validated based on the content of the object. The object analysis is performed using one or more scripts at an object-based storage level of the distributed object storage. A validation event is published indicating a validation status of the attribute. Serverless computing functions of the distributed object storage system may determine whether to process the object based on the validation status indicated in the validation event.

Abstract: Aspects and features of the present disclosure can provide a trusted, privacy-preserved deduplication process by executing deduplication functions in a trusted execution environment (TEE). In some examples, encrypted, incoming user data blocks are decrypted in the TEE to produce unencrypted user data blocks. An incoming digital fingerprint or each unencrypted user data block is produced. A processing device can compare the incoming digital fingerprint to existing digital fingerprints stored in the TEE to determine a presence of the incoming digital fingerprint and hence the presence of a copy of the data block in the storage platform, and writes the encrypted. Incoming data blocks are written to storage only when necessary. The technique allows public mass storage systems to meet cybersecurity objectives while achieving the storage space efficiency that deduplication provides.

Abstract: A plurality of serverless function invocations are received. A quantity of serverless function invocations of the plurality of serverless function invocations that corresponds to a particular type of serverless function invocation are determined. A number of serverless functions are scaled at a determined rate in view of the quantity of serverless function invocations corresponding to the particular type of serverless function invocation.

Abstract: A plurality of serverless function invocations are received. A quantity of serverless function invocations of the plurality of serverless function invocations that corresponds to a particular type of serverless function invocation are determined. A number of serverless functions are scaled at a determined rate in view of the quantity of serverless function invocations corresponding to the particular type of serverless function invocation.

Abstract: A method includes generating an instance on a host computing device in response to a request to host a web application on the host computing device, and determining a resource usage profile associated with the instance. The resource usage profile indicates one or more specific resources on the host computing device to be utilized to host the web application. The method further includes selecting one of a stored plurality of resource models based at least in part on the resource usage profile, and modifying the instance on the host computing device in accordance with the selected one of the stored plurality of resource models. The instance is modified to host the web application.

Abstract: A system for scheduling remediation includes a memory, a processor in communication with the memory, a container scheduled on a first node, a scheduler executing on the processor, and a node-local-unscheduler (“NLU”). The scheduler has a watch module. The NLU executes on the processor to determine a status of the container as failing validation. The NLU has access to scheduling policies corresponding to the container and the first node. Responsive to determining the status of the container as failing validation, the NLU annotates the container and stops execution of the container. The watch module executes on the processor to detect the annotation associated with the container. Responsive to detecting the annotation, the container is rescheduled to a second node.

Abstract: A method for data auditing for object storage public clouds includes a service broker receiving a request to store data in public object storage, where the request includes user information or a container image. The service broker, based on either the user information or the container image, determines that data auditing is necessary. The service broker creates a storage unit, in public object storage, and a storage proxy. The method further includes the storage proxy storing data, and a data auditor retrieving data from the storage proxy. The data auditor determines a data qualification for the data, and notifies the storage proxy of the data qualification.

Abstract: Methods and systems for executing code referenced from a microservice registry are disclosed. For example, a microservice registry is stored in a memory. The microservice registry includes references to a plurality of microservices including a first microservice. An isolated guest executing on one or more processors receives a request to execute an executable code and determines that the executable code is unavailable in the first isolated guest. The isolated guest determines that, based on the microservice registry, the first microservice executes the executable code. The isolated guest forwards the first request to the first microservice and receives a result of the request from the first microservice.

Abstract: An access control engine can enable a host operating system to propagate a private resource of an isolated virtual environment, such as a container, running on the host operating system outside of the isolated virtual environment. The private resource can include, for example, a file system mounted within the isolated virtual environment. The access control engine can receive a command and launch the isolated virtual environment in response to the command. Also, in response to the command, the access control engine can interface with a kernel of the host operating system to configure the isolated virtual environment so that the private resource is accessible outside the isolated virtual environment.

Abstract: According to one example, a method includes receiving from a client device, a data object for storage within an object storage system, performing a plurality of hashes on the data object tenant profile data associated with the data object to determine one of a plurality of object storage devices to which to store the data object, and autoscaling the object storage device based on active compute jobs associated with data objects stored on the object storage device.

Abstract: Aspects of the disclosure provide for polymorphism and type casting in storage volume connections. A method of the disclosure includes storing, in a memory associated with a processing device executing a container manager, a persistent volume (PV) identifier of a PV created on a storage device and a list of polymorphic connection types supported by the PV, and responsive to receiving a query comprising the PV identifier from a container host, performing, for a connection from the container host to the storage device, type casting to identify a connection type from the list of polymorphic connection types and connection information for the connection type to enable establishment of the connection between the container host and the storage device.

Abstract: Scalable storage cluster mirroring is disclosed. A compute instance comprising a processor device determines that storage segments have been modified on a first storage node of a plurality of storage nodes in a first cluster of storage nodes at a first data modification rate. In response to determining that the storage segments have been modified on the first storage node at the first data modification rate, a first mirror process that is configured to copy storage segments from an identified storage node to a mirrored cluster of storage nodes is initiated, and a storage node identifier that identifies the first storage node is communicated to the first mirror process.

Abstract: A system and method for providing high availability for a thin-provisioned container cluster includes a memory, one or more processors in communication with the memory, a scheduler executing on the one or more processors, and a spot instance market monitor. The spot instance market monitor receives market information about spot instances in a cloud system at a first time. The spot instances are available to a client at the first time. The spot instance market monitor determines, based on the market information, a respective reliability value for each of the spot instances at the first time. Then, the scheduler selects one spot instance among the spot instances based on the reliability value of the spot instance. In response to the selection of the spot instance, the scheduler schedules a container on the spot instance and executes the container on the spot instance.

Abstract: Methods and systems are provided for assigning nodes to execute functions in a serverless computing environment. In one embodiment, a method is provided that includes receiving a function for execution in a serverless computing environment and identifying a storage pool needed during execution of the function. The serverless computing environment may include nodes for executing functions and a first set of nodes may be identified that implement the storage pool. Colocation measures may be determined between the first set of nodes and a second set of nodes. Available computing resources may be determined for the second set of nodes, such as available processing cores and available memory. The second set of nodes may be ranked according to the colocation measures and the available computing resources and a first node may be selected based on the ranking. The first node may be assigned to execute the function.

Abstract: Cloning of virtual-machine images can be managed. For example, a computing device can copy a segment of a virtual-machine image stored in a second storage device to a first storage device in response to receiving a first read request for the segment from a virtual machine. The first storage device may be capable of responding to read requests from the virtual machine with less latency than the second storage device. The computing device can also update a log to indicate that the segment is stored on the first storage device. Thereafter, the computing device can receive a second read request for the segment. In response, the computing device can determine that the segment is stored in the first storage device using the log, and provide the segment by obtaining the segment from the first storage device.

Abstract: Methods and systems for storing and injecting bytecode are provided. In one embodiment, a method is provided that includes receiving a first function for execution at a first time and generating a first bytecode based on the first function for use in executing the first function. The first bytecode may then be stored with an identifier of the first function. At a second time after the first time, a second function may be received for execution. The second function may be identified as corresponding to the first function and the first bytecode may be received. The first bytecode may then be injected into a container for execution of the second function.

Abstract: Systems and methods for provisioning system components to execute jobs are provided. In one embodiment, a method is provided that includes receiving a request to provision system components for executing a job. Aggregate latencies for computing units may be calculated based on startup latencies for jobs executing on the computing units. A particular computing unit may be selected from among the plurality of computing units based on the aggregate latencies, and system components may be provisioned from the computing unit.

Abstract: Computing resources can be allocated to a container in a computing environment. For example, a computing device can determine that a dependent computing resource is to be allocated to the container. The dependent computing resource can depend on another computing resource being allocated to the container before the dependent computing resource is allocated to the container. The computing device can determine a parameter value for a backoff process for checking the availability of the dependent computing resource. The parameter value can be determined using another parameter value for another backoff process for checking the availability of the other computing resource. The computing device can then determine that the dependent computing resource is available by executing the backoff process using the parameter value. In response to determining that the dependent computing resource is available, the computing device can allocate the dependent computing resource to the container.

Abstract: Compressibility instrumented dynamic volume provisioning is disclosed. For example, a plurality of storage pools includes first and second storage pools, and is managed by a storage controller that receives a request to provision a first persistent storage volume associated with a first container, where the first storage pool has a first storage configuration including a deduplication setting, a compression setting, and/or an encryption setting. The first persistent storage volume is created in the first storage pool based on a first storage mode stored in metadata associated with the first container, where the storage mode includes a deduplication mode, a compression mode, and/or an encryption mode. A second persistent storage volume is in the second storage pool with a second storage configuration different from the first storage configuration based on a second storage mode associated with a second container.