Abstract: A system for scheduling remediation includes a memory, a processor in communication with the memory, a container scheduled on a first node, a scheduler executing on the processor, and a node-local-unscheduler (“NLU”). The scheduler has a watch module. The NLU executes on the processor to determine a status of the container as failing validation. The NLU has access to scheduling policies corresponding to the container and the first node. Responsive to determining the status of the container as failing validation, the NLU annotates the container and stops execution of the container. The watch module executes on the processor to detect the annotation associated with the container. Responsive to detecting the annotation, the container is rescheduled to a second node.

Abstract: The present disclosure provides new methods and systems for input/output command rebalancing in virtualized computer systems. For example, an I/O command may be received by a rebalancer from a virtual queue in a container. The container may be in a first virtual machine. A second I/O command may be received from a second virtual queue in a second container which may be located in a second virtual machine. The rebalancer may detect a priority of the first I/O command and a priority of the second I/O command. The rebalancer may then assign an updated priority each I/O command based on a quantity of virtual queues in the virtual machine of origin and a quantity of I/O commands in the virtual queue of origin. The rebalancer may dispatch the I/O commands to a physical queue.

Abstract: Image subunit based guest scheduling is disclosed. For example, a memory stores an image registry, which stores a plurality of reference entries each associated with subunits hosted on each node of a plurality of nodes. A scheduler executing on a processor manages deployment of guests to the plurality of nodes including a first node and a second node, where a first guest is associated with an image file that includes a first subunit and a second subunit. The image registry is queried for at least one node of the plurality of nodes hosting the first subunit and/or the second subunit and the first node is determined to host the first subunit. The first guest is scheduled to the first node based on the first node hosting the first subunit.

Abstract: Container-image layers can be managed. For example, a computing device can determine a first score for a first layer of a container image and a second score for a second layer of the container image. The computing device can determine that the first score corresponds to a first storage destination among several possible storage destinations. The computing device can also determine that the second score corresponds to a second storage destination among the possible storage destinations. The second storage destination can be different from the first storage destination. The computing device can then store (i) the first layer in the first storage destination based on the first layer being correlated to the first score, and (ii) the second layer in the second storage destination based on the second layer being correlated to the second score.

Abstract: A system for container migration includes containers running instances of an application running on a cluster, an orchestrator with a controller, a memory, and a processor in communication with the memory. The processor executes to monitor a vitality metric of the application. The vitality metric indicates that the application is in either a live state or a dead state. Additionally, horizontal scaling for the application is disabled and the application is scaled-down until the vitality metric indicates that the application is in the dead state. Responsive to the vitality metric indicating that the application is in the dead state, the application is scaled-up until the vitality metric indicates that the application is in the live state. Also, responsive to the vitality metric indication transitioning from the dead state to the live state, the application is migrated to a different cluster while the horizontal scaling of the application is disabled.

Abstract: Methods, systems, and computer program products are included for suggesting at least one container image from one or more searched container images, and including the suggested container image in a search result. A log-in request to log a user into a cloud user account of a cloud platform is received via a user interface, and responsive to the log-in request, the user is logged into the cloud user account. A search query for a type of container image is received from the user via the user interface. The cloud platform is searched for one or more container images within the queried type of container image.

Abstract: According to one example, a method includes, with a serverless function infrastructure, associated a routing secret with a function sequence. The method further includes, with a sequence controller of the serverless function infrastructure, appending the routing secret to a header of a request to invoke a first function of the function sequence. The method further includes, with the serverless function infrastructure invoking the first function of the function sequence, in response to authenticating the routing secret in the header of the request. The method further includes, after the first function has been invoked and before the first function completes execution, with a serving controller of the serverless function infrastructure, preloading subsequent functions of the function sequence.

Abstract: One exemplary system described herein can detect a first request associated with invoking a serverless function in a sequence of serverless functions. In response, the system can deploy a primary container and a secondary container in a cloud computing environment. The primary container can execute the serverless function and transmit a second request for invoking a second serverless function in the sequence. The secondary container can intercept the second request and generate a modified second request. The secondary container can then transmit the modified second request to a destination other than an endpoint of the second serverless function, where the destination can cause the second serverless function to be executed in response to receiving the modified second request.

Abstract: Methods and systems for detecting and responding to fabricated or unauthorized events received by serverless computing environments are provided. In one embodiment the method is provided that includes receiving an event from an event source external to the serverless computing environment for execution by function. The method may then include creating a message that includes the events and signing the message with an identifier of the event source. The message may then be received at the function and the identifier of the event source may be validated. The event may then be executed with the function of the serverless computing environment if the identifier of the event sources successfully validated. However, if the identifier of the event source is not successfully validated, execution of the event with the function may be prevented.

Abstract: Systems and methods for provisioning system components to execute jobs are provided. In one embodiment, receiving a request to provision system components of computing units for executing a job. An aggregate latency may be calculated for each of the computing units based on a startup latency for each job executing on the computing units. A computing unit with a lowest aggregate latency may be identified, and system components may be provisioned from the computing unit with the lowest aggregate latency.

Abstract: A system and method for providing high availability for a thin-provisioned container cluster includes a memory, one or more processors in communication with the memory, a scheduler executing on the one or more processors, and a spot instance market monitor. The spot instance market monitor receives market information about spot instances in a cloud system at a first time. The spot instances are available to a client at the first time. The spot instance market monitor determines, based on the market information, a respective reliability value for each of the spot instances at the first time. Then, the scheduler selects one spot instance among the spot instances based on the reliability value of the spot instance. In response to the selection of the spot instance, the scheduler schedules a container on the spot instance and executes the container on the spot instance.

Abstract: A container intrusion detection and prevention system includes a memory, a physical processor in communication with the memory, and an image scanner executing on the physical processor. The image scanner scans an image of a container in a container image registry. The container includes an application. The image scanner creates an image tag of the container and a set of generic rules for the container. The image scanner packages the image tag of the container with the set of generic rules to form a tuple and stores the tuple in an application rule registry.

Abstract: A service executed on a container is associated with a bandwidth setting, a load balancer that includes a service traffic monitor, and a network switch with a network bandwidth monitor that includes a latency setting, both monitors communicating with a policy engine. The network bandwidth monitor determines first and second bandwidth usage rates of the service over a first time period and a later second time period. The service traffic monitor determines first and second request rates of the service over third and fourth time periods overlapping with the first and second time periods. The policy engine calculates first and second ratios of the first and second bandwidth usage rates to the first and second request rates. The latency setting or the bandwidth setting is increased based on comparing the first and second ratios.

Abstract: Container-image layers can be managed. For example, a computing device can determine a first score for a first layer of a container image and a second score for a second layer of the container image. The computing device can determine that the first score corresponds to a first storage destination among several possible storage destinations. The computing device can also determine that the second score corresponds to a second storage destination among the possible storage destinations. The second storage destination can be different from the first storage destination. The computing device can then store (i) the first layer in the first storage destination based on the first layer being correlated to the first score, and (ii) the second layer in the second storage destination based on the second layer being correlated to the second score.

Abstract: Systems and methods for provisioning system components to execute jobs are provided. In one embodiment, receiving a request to provision system components of computing units for executing a job. An aggregate latency may be calculated for each of the computing units based on a startup latency for each job executing on the computing units. A computing unit with a lowest aggregate latency may be identified, and system components may be provisioned from the computing unit with the lowest aggregate latency.

Abstract: Compressibility instrumented dynamic volume provisioning is disclosed. For example, a plurality of storage pools includes first and second storage pools, and is managed by a storage controller that receives a request to provision a first persistent storage volume associated with a first container, where the first storage pool has a first storage configuration including a deduplication setting, a compression setting, and/or an encryption setting. The first persistent storage volume is created in the first storage pool based on a first storage mode stored in metadata associated with the first container, where the storage mode includes a deduplication mode, a compression mode, and/or an encryption mode. A second persistent storage volume is in the second storage pool with a second storage configuration different from the first storage configuration based on a second storage mode associated with a second container.

Abstract: Categorizing computing process output data streams for flash storage devices is disclosed. A first computing process characteristic of a first computing process that generates a first output data stream is determined. A structure that correlates the first computing process characteristic to a first stream identifier is accessed. A first filter driver is associated with the first computing process to configure the first filter driver to receive the first output data stream. The first filter driver is associated with a flash storage device. The first stream identifier is sent to the first filter driver.

Abstract: Image subunit based guest scheduling is disclosed. For example, a memory stores an image registry, which stores a plurality of reference entries each associated with subunits hosted on each node of a plurality of nodes. A scheduler executing on a processor manages deployment of guests to the plurality of nodes including a first node and a second node, where a first guest is associated with an image file that includes a first subunit and a second subunit. The image registry is queried for at least one node of the plurality of nodes hosting the first subunit and/or the second subunit and the first node is determined to host the first subunit. The first guest is scheduled to the first node based on the first node hosting the first subunit.

Abstract: The present disclosure provides new methods and systems for input/output command rebalancing in virtualized computer systems. For example, an I/O command may be received by a rebalancer from a virtual queue in a container. The container may be in a first virtual machine. A second I/O command may be received from a second virtual queue in a second container which may be located in a second virtual machine. The rebalancer may detect a priority of the first I/O command and a priority of the second I/O command. The rebalancer may then assign an updated priority each I/O command based on a quantity of virtual queues in the virtual machine of origin and a quantity of I/O commands in the virtual queue of origin. The rebalancer may dispatch the I/O commands to a physical queue.

Abstract: Virus scanning of container images can be managed. For example, container images can be received in a sequential order. The container images can then be analyzed to determine the contents of the container images. The container images can be arranged in a virus-scanning queue in an order that is different from the sequential order in which the container images were received based on the contents of the container images. The container images can then be scanned for viruses in the order in which the container images are arranged in the virus-scanning queue.