Patents by Inventor John Starks
John Starks has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).
- Publication number: 20250199841
  Abstract: A fine-grain selectable partially privileged container virtual computing environment provides a vehicle by which processes that are directed to modifying specific aspects of a host computing environment can be delivered to, and executed upon, the host computing environment while simultaneously maintaining the advantageous and desirable protections and isolations between the remaining aspects of the host computing environment and the partially privileged container computing environment. Such partial privilege is provided based upon directly or indirectly delineated actions that are allowed to be undertaken on the host computing environment by processes executing within the partially privileged container virtual computing environment and actions which are not allowed.
  Type: Application
  Filed: October 30, 2024
  Publication date: June 19, 2025
  Applicant: Microsoft Technology Licensing, LLC
  Inventors: Amber Tianqi GUO, Frederick J. SMITH, IV, John STARKS, Lars REUTHER, Deepu THOMAS, Hari R. PULAPAKA, Benjamin M. SCHULTZ, Judy J. LIU
- Patent number: 12164948
  Abstract: A fine-grain selectable partially privileged container virtual computing environment provides a vehicle by which processes that are directed to modifying specific aspects of a host computing environment can be delivered to, and executed upon, the host computing environment while simultaneously maintaining the advantageous and desirable protections and isolations between the remaining aspects of the host computing environment and the partially privileged container computing environment. Such partial privilege is provided based upon directly or indirectly delineated actions that are allowed to be undertaken on the host computing environment by processes executing within the partially privileged container virtual computing environment and actions which are not allowed.
  Type: Grant
  Filed: June 4, 2020
  Date of Patent: December 10, 2024
  Assignee: Microsoft Technology Licensing, LLC
  Inventors: Amber Tianqi Guo, Frederick J. Smith, IV, John Starks, Lars Reuther, Deepu Thomas, Hari R. Pulapaka, Benjamin M. Schultz, Judy J. Liu
- Publication number: 20240394084
  Abstract: A system comprising a hosting service configured to perform: providing, to a trusted entity on a central processing unit, a command for a launch of a virtual machine (VM); assigning, to the VM, at least a portion of memory for the guest operating system; submitting, to the trusted entity, a request to measure an address space of the VM to provide a measurement digest of the address space of the guest operating system; including, in a configuration object, a policy provided by the user for the service logic, wherein the policy defines one or more rules for the service logic, wherein the one or more rules include at least one rule for which containers may run in the guest operating system; hashing the policy to provide a hash digest of the policy; submitting, to the trusted entity, the hash digest of the policy; and completing the launch of the VM.
  Type: Application
  Filed: July 1, 2024
  Publication date: November 28, 2024
  Inventors: Sylvan CLEBSCH, Stavros VOLOS, Sean ALLEN, Antonio NINO DIAZ, John STARKS, Kenneth GORDON, Manuel COSTA
- Patent number: 12056512
  Abstract: A system comprising a hosting service configured to perform: providing, to a trusted entity on a central processing unit, a command for a launch of a virtual machine (VM); assigning, to the VM, at least a portion of memory for the guest operating system; submitting, to the trusted entity, a request to measure an address space of the VM to provide a measurement digest of the address space of the guest operating system; including, in a configuration object, a policy provided by the user for the service logic, wherein the policy defines one or more rules for the service logic, wherein the one or more rules include at least one rule for which containers may run in the guest operating system; hashing the policy to provide a hash digest of the policy; submitting, to the trusted entity, the hash digest of the policy; and completing the launch of the VM.
  Type: Grant
  Filed: June 25, 2021
  Date of Patent: August 6, 2024
  Assignee: Microsoft Technology Licensing, LLC
  Inventors: Sylvan Clebsch, Stavros Volos, Sean Allen, Antonio Nino Diaz, John Starks, Kenneth Gordon, Manuel Costa
- Patent number: 12032859
  Abstract: Examples described herein generally relate to hosting virtual memory backed kernel isolated containers. A server includes at least one physical processor and at least one physical computer memory addressable via physical memory addresses. The at least one physical computer memory stores executable code configured to provide at least one host including a kernel and at least one kernel isolated container within the at least one host. The host allocates virtual memory having virtual memory addresses to a respective container of the at least one kernel isolated container. The host pins a subset of the virtual memory addresses to a subset of the physical memory addresses. The host performs a direct memory access operation or device memory-mapped input-output operation of the respective container on the subset of the physical memory addresses. At least part of the physical computer memory that is not pinned is oversubscribed.
  Type: Grant
  Filed: August 25, 2020
  Date of Patent: July 9, 2024
  Assignee: MICROSOFT TECHNOLOGY LICENSING, LLC
  Inventors: Gerardo Diaz-Cuellar, Omar Cardona, Jacob Kappeler Oshins, John Starks, Craig Daniel Wilhite
- Publication number: 20220413883
  Abstract: A system comprising a hosting service configured to perform: providing, to a trusted entity on a central processing unit, a command for a launch of a virtual machine (VM); assigning, to the VM, at least a portion of memory for the guest operating system; submitting, to the trusted entity, a request to measure an address space of the VM to provide a measurement digest of the address space of the guest operating system; including, in a configuration object, a policy provided by the user for the service logic, wherein the policy defines one or more rules for the service logic, wherein the one or more rules include at least one rule for which containers may run in the guest operating system; hashing the policy to provide a hash digest of the policy; submitting, to the trusted entity, the hash digest of the policy; and completing the launch of the VM.
  Type: Application
  Filed: June 25, 2021
  Publication date: December 29, 2022
  Inventors: Sylvan CLEBSCH, Stavros VOLOS, Sean ALLEN, Antonio Nino DIAZ, John STARKS, Ken GORDON, Manuel COSTA
- Publication number: 20220291875
  Abstract: Examples described herein generally relate to hosting virtual memory backed kernel isolated containers. A server includes at least one physical processor and at least one physical computer memory addressable via physical memory addresses. The at least one physical computer memory stores executable code configured to provide at least one host including a kernel and at least one kernel isolated container within the at least one host. The host allocates virtual memory having virtual memory addresses to a respective container of the at least one kernel isolated container. The host pins a subset of the virtual memory addresses to a subset of the physical memory addresses. The host performs a direct memory access operation or device memory-mapped input-output operation of the respective container on the subset of the physical memory addresses. At least part of the physical computer memory that is not pinned is oversubscribed.
  Type: Application
  Filed: August 25, 2020
  Publication date: September 15, 2022
  Inventors: Gerardo DIAZ-CUELLAR, Omar CARDONA, Jacob Kappeler OSHINS, John STARKS, Craig Daniel WILHITE
- Publication number: 20210382739
  Abstract: A fine-grain selectable partially privileged container virtual computing environment provides a vehicle by which processes that are directed to modifying specific aspects of a host computing environment can be delivered to, and executed upon, the host computing environment while simultaneously maintaining the advantageous and desirable protections and isolations between the remaining aspects of the host computing environment and the partially privileged container computing environment. Such partial privilege is provided based upon directly or indirectly delineated actions that are allowed to be undertaken on the host computing environment by processes executing within the partially privileged container virtual computing environment and actions which are not allowed.
  Type: Application
  Filed: June 4, 2020
  Publication date: December 9, 2021
  Inventors: Amber Tianqi GUO, Frederick J. SMITH, IV, John STARKS, Lars REUTHER, Deepu THOMAS, Hari R. PULAPAKA, Benjamin M. SCHULTZ, Judy J. LIU
- Patent number: 9778860
  Abstract: An invention is disclosed for maintaining out-of-band metadata for data. In embodiments of the invention, an upper layer of a storage stack determines that the metadata of a lower layer of that storage stack may have become out of sync. In response, the upper layer may issue a series of commands to the lower layer based on the metadata. In other embodiments of the invention, an offload-copy operation on data may also transfer out-of-band metadata so that it is applied to the data at the destination.
  Type: Grant
  Filed: September 12, 2012
  Date of Patent: October 3, 2017
  Assignee: Microsoft Technology Licensing, LLC
  Inventors: Dustin Green, John Starks, Neal Christiansen, Chung Lang Dai
- Patent number: 9727426
  Abstract: The writing of data to a storage system such that change tracking is efficiently performed. If a portion is to be written to the storage system, the system writes a write record indicating that a group of portions (that includes the particular portion) of the storage system is to be written to the storage system. This is represented even though those other portions are not being contemporaneously written to the storage system, and may in fact never be written. The particular portion is then written to the storage system. At some point thereafter, perhaps in the background, a change tracking structure is changed to reflect that the particular portion is written to the storage system, but without reflecting writes of all of the group of portions. The write record may then be invalidated. This reduces latency in systems that track changes with small cost at the time of backup.
  Type: Grant
  Filed: February 25, 2015
  Date of Patent: August 8, 2017
  Assignee: Microsoft Technology Licensing, LLC
  Inventors: John Starks, Angshuman Bezbaruah
- Patent number: 9547555
  Abstract: Tracking changes amongst unit portions (e.g., blocks or files) of a storage system. A logical time identifier is associated with each unit portion and is included within a logical time identifier structure. When writing to a particular write portion, the mechanism updates the appropriate logical time identifiers, calculates redundancy data of a group of one or more logical time identifiers associated with the unit portion(s) of the write portion. Furthermore, the write portion of the storage system is written. In addition, the corresponding redundancy data for that write portion is written to the logical time identifier structure. Later, for a given write portion, the redundancy data is verified to be consistent or inconsistent with the group of one or more logical time identifiers associated with the write portion. If the redundancy data is not consistent, then a current logical time identifier is assigned to each of the logical time identifiers.
  Type: Grant
  Filed: January 12, 2015
  Date of Patent: January 17, 2017
  Assignee: Microsoft Technology Licensing, LLC
  Inventors: John Starks, Angshuman Bezbaruah
- Publication number: 20160246690
  Abstract: The writing of data to a storage system such that change tracking is efficiently performed. If a portion is to be written to the storage system, the system writes a write record indicating that a group of portions (that includes the particular portion) of the storage system is to be written to the storage system. This is represented even though those other portions are not being contemporaneously written to the storage system, and may in fact never be written. The particular portion is then written to the storage system. At some point thereafter, perhaps in the background, a change tracking structure is changed to reflect that the particular portion is written to the storage system, but without reflecting writes of all of the group of portions. The write record may then be invalidated. This reduces latency in systems that track changes with small cost at the time of backup.
  Type: Application
  Filed: February 25, 2015
  Publication date: August 25, 2016
  Inventors: John Starks, Angshuman Bezbaruah
- Publication number: 20160203052
  Abstract: Tracking changes amongst unit portions (e.g., blocks or files) of a storage system. A logical time identifier is associated with each unit portion and is included within a logical time identifier structure. When writing to a particular write portion, the mechanism updates the appropriate logical time identifiers, calculates redundancy data of a group of one or more logical time identifiers associated with the unit portion(s) of the write portion. Furthermore, the write portion of the storage system is written. In addition, the corresponding redundancy data for that write portion is written to the logical time identifier structure. Later, for a given write portion, the redundancy data is verified to be consistent or inconsistent with the group of one or more logical time identifiers associated with the write portion. If the redundancy data is not consistent, then a current logical time identifier is assigned to each of the logical time identifiers.
  Type: Application
  Filed: January 12, 2015
  Publication date: July 14, 2016
  Inventors: John Starks, Angshuman Bezbaruah
- Publication number: 20160103613
  Abstract: A computing device manages access to a block-based storage device. The computing device has an operating system with a storage stack. The storage stack may have a file system, a device driver driving the block-based storage device, and a storage component intermediating between the device driver and the file system. The file system may receive a request to tag a file that is managed by the file system and is stored on the storage device. In response the file system requests the storage component to tag blocks corresponding to the file. The device driver forwards or translates the request from the storage component to the storage device. In turn, the storage device stores indicia of the blocks. Data stored in the identified blocks may receive differentiated treatment, by the storage device and/or the operating system, such as a particular choice of backing store, preferential handling, or others.
  Type: Application
  Filed: October 13, 2014
  Publication date: April 14, 2016
  Inventors: Jacob Oshins, John Starks
- Publication number: 20140074782
  Abstract: An invention is disclosed for maintaining out-of-band metadata for data. In embodiments of the invention, an upper layer of a storage stack determines that the metadata of a lower layer of that storage stack may have become out of sync. In response, the upper layer may issue a series of commands to the lower layer based on the metadata. In other embodiments of the invention, an offload-copy operation on data may also transfer out-of-band metadata so that it is applied to the data at the destination.
  Type: Application
  Filed: September 14, 2012
  Publication date: March 13, 2014
  Applicant: MICROSOFT CORPORATION
  Inventors: Dustin Green, John Starks, Neal Christiansen, Chung Lang Dai
- Publication number: 20140074776
  Abstract: An invention is disclosed for maintaining out-of-band metadata for data. In embodiments of the invention, an upper layer of a storage stack determines that the metadata of a lower layer of that storage stack may have become out of sync. In response, the upper layer may issue a series of commands to the lower layer based on the metadata. In other embodiments of the invention, an offload-copy operation on data may also transfer out-of-band metadata so that it is applied to the data at the destination.
  Type: Application
  Filed: September 12, 2012
  Publication date: March 13, 2014
  Applicant: Microsoft Corporation
  Inventors: Dustin Green, John Starks, Neal Christiansen, Chung Lang Dai
- Patent number: 6994148
  Abstract: A casting machine furnace apparatus that includes a furnace adapted to receive molten metal is described herein. The furnace includes an outer wall structure, a cover adapted to seal the furnace, a source of fluid, and a casting apparatus in fluid communication with the molten metal. The fluid is supplied into the furnace for applying fluid pressure on the molten metal. The application of fluid pressure on the molten metal causes the molten metal to supply the casting apparatus. The outer wall structure of the furnace is provided with a plurality of exhaust ports where the ports are provided in the outer wall structure at predetermined locations. The ports are selectively controllable between a first closed position, where the exhaust ports do not allow air to be exhausted from the furnace, and a second opened position, where the exhaust ports enable air to be exhausted from the furnace.
  Type: Grant
  Filed: December 30, 2003
  Date of Patent: February 7, 2006
  Assignee: Hayes Lemmerz International, Inc.
  Inventors: Kenneth D. McKibben, Daniel D. Minor, Alan P. Gould, Robert L. Macheske, Dean VanderJagt, Rick Van Horn, Khushal Wardak, Roger Mucci, John Starks