Abstract: An element of a file system is virtually deleted by creating a deletion marker for the element. Two or more separate physical file system directories are presented as one merged (virtual) file system directory to a process running in a silo. The operating system provides the merged view of the file system directories by monitoring file system requests made by processes in silos on a computer or computer system and filtering out those elements associated with deletion markers. Special processing is invoked in response to detecting certain types of file system access requests, including: enumeration, open, create, rename or delete.

Abstract: Each virtualized environment on a computer has its own set of firewall rules. The virtualized environments share a single instance of the operating system image, a filter engine and a single network stack. A virtualized environment may be a compartment or a server silo. A virtualized environment is a network isolation mechanism and may be used to prevent use of a computer to traverse network boundaries by creating a separate virtualized environment for each network, enabling a separate set of rules to be applied to each virtualized environment and the network interfaces within it. Virtualized environments may also be used to assign different trust levels to the same physical network. Firewall rules are applied by virtualized environment identifier (ID), enabling separate filters to be applied to each virtualized environment on a computer. A virtualized environment may include or be associated with one or more network interfaces.

Abstract: Two or more separate physical Registry directories are presented as a single (virtual) Registry directory to an application running in a controlled execution environment called a silo. All of the operations normally available to be performed on the Registry directory can be performed on the merge directory, however, the operating system controls the level of access to the keys in the merge directory. The operating system provides the merged view of the Registry directories by a Registry filter driver. The Registry filter model provides a single callback with a notification code indicating the reason the callback was called. The types of notifications which trigger the special processing include: enumeration of a key, enumeration of the value of a key, query a key, close a key, delete a key, create or open a key or rename a key.

Abstract: Off-the-shelf software can be run from a removable medium without installing the software onto the machine and without modifying the off-the-shelf software. Files and application-associated state created or modified during execution of the application that is not installed on the computer may be saved to the removable media or to a specified area of the system file system and system registry (if present).

Abstract: Two or more separate physical file system directories are presented as one merged (virtual) file system directory to a process running in a silo. The operating system controls the level of access to the files in the merge directory. The operating system provides the merged view of the file system directories by monitoring file system requests made by processes in silos on a computer or computer system and in response to detecting certain types of file system access requests, provides the view of the seemingly merged directories by performing special processing. The types of requests which trigger the special processing include: enumeration, open, create, rename or close.

Abstract: An intra-operating system isolation mechanism called a silo provides for the grouping of processes running on a single computer using a single instance of the operating system. The operating system divides the system into multiple side-by-side and/or nested environments enabling the partitioning and controlled sharing of resources and providing an isolated application environment in which applications can run. More specifically, a system environment may be divided into an infrastructure silo and one or more server silos. Each server silo is provided with its own copy of the device driver name space. Each device is associated with a system device object accessed via a system device functional interface and with a server silo-specific device object accessed via a control device interface. The infrastructure silo populates the silo-specific device name space with the control device interface. The server silo uses the control device interface to create new device object(s) as needed.

Abstract: An intra-operating system isolation mechanism called a silo provides for the grouping and isolation of processes running on a single computer using a single instance of the operating system. The operating system enables the controlled sharing of resources by providing a view of a system name space to processes executing within an isolated application called a server silo. A server silo is created by performing a separate “mini-boot” of user-level services within the server silo. The single OS image serving the computer employs the mechanism of name space containment to constrain which server silos can use which resource(s). Restricting access to resources is therefore directly based on the process or application placed in the server silo rather than who is running the application because if a process or application is unable to resolve a name used to access a resource, it will be unable to use the resource.

Abstract: A containment mechanism provides for the grouping and isolation of multiple processes running on a single computer using a single instance of the operating system. A system is divided into one or more side-by-side and/or nested isolated environments enabling the partitioning and controlled sharing of resources by creating different views of hierarchical name spaces via virtual hierarchies.

Abstract: A containment mechanism provides for the grouping and isolation of multiple processes running on a single computer using a single instance of the operating system. A system is divided into one or more side-by-side and/or nested spaces enabling the partitioning and controlled sharing of resources by creating different views of hierarchical name spaces by creating a new branch of an existing global system name space or by linking the sub-root level nodes of a new hierarchy to a subset of nodes in an existing global system name space.

Abstract: A containment mechanism provides for the grouping and isolation of multiple processes running on a single computer using a single instance of the operating system. A system environment is divided into one or more side-by-side and/or nested spaces enabling the partitioning and controlled sharing of resources by creating different views of hierarchical name spaces via virtual hierarchies. A set of declarative rules specifying access capabilities may specify a set of filter drivers to be used to limit access to nodes in the hierarchical name space. The rules may be applied in sequence to construct a new name space from an existing one, or to add to an existing hierarchy. Filter drivers are used to limit access to nodes in the new name space or new portion of the name space. Access to nodes can be limited (read-only access instead of read/write) or nodes can be hidden altogether. Rules may be specified in a declarative language such as XML.

Abstract: Methods for increasing the efficiency of data transfers by passing a reference to the data rather than to transfer the data itself. When a new communication begins, a memory object, e.g. a buffer, is selected to receive the data. Information if provided that may be used to ascertain the communication path without actual knowledge of the path. If a communication pattern is likely to be repeated, a memory object created on the initial access is saved. The saved memory object (“precursor”) is provided to the memory system on subsequent access as a hint about the process path to be used. The memory system can select a cached buffer that has a similar set of mappings to the precursor.

Abstract: An operating system architecture is based on a service model in which active entities (services) are containers for objects having a number of interfaces specified through a contract language that is a subset of the language in which the service is coded. Services may reside in the same address space or may reside in separate address spaces, without changing the programming model or compiled binaries. The location of a service is independent of the location of the service's clients and of services the service calls.

Abstract: Systems and methods for providing a framework within which device drivers may run at a user-mode level. A platform (e.g., APIC) or bus (PCI bus) generic feature is used to take the CPU out of interrupt mode without having to wait for a user-level driver to clear the device interrupt. This allows writing the complete device driver in user space. The device driver still get notifications on interrupts but not at interrupt priority. The same scheme can be extended to shared interrupts, where multiple devices share a single interrupt line.

Abstract: Methods for performing zero-copy memory transfers between processes or services using shared memory without the overhead of current schemes. An IPC move semantic may be used that allows a sender to combine passing a reference and releasing it within the same IPC call. An insulate method removes all references to the original object and creates a new object pointing to the original memory if a receiver requires exclusive access. Alternatively, if a receiving process or service seeks read-only access, the sender unmaps its access to the buffer before sending to the receiver. When the insulate operation is initiated, the kernel detects an object with multiple active references but no active mappings and provides a mapping to the memory without taking a copy or copy-on-write.

Abstract: Method for enabling the dynamic modification of cluster configurations, and apparatus including software to perform the method. To enable this dynamic modification, cluster configuration data is stored as a table in a cluster configuration repository that is accessible from all nodes in the cluster. Accordingly, the present invention enables the modification of the cluster configuration from any node in the cluster dynamically. When a reconfiguration command is given, the configuration table is changed and all the nodes in the cluster are notified of the changed configuration in parallel. Following the notification by the nodes of the changed cluster configuration, the changes to the cluster are implemented dynamically as specified by the command.

Abstract: One embodiment of the present invention provides a system for testing a computer system by using software to inject faults into the computer system while the computer system is operating. This system operates by allowing a programmer to include a fault point into source code for a program. This fault point causes a fault to occur if a trigger associated with the fault point is set and if an execution path of the program passes through the fault point. The system allows this source code to be compiled into executable code. Next, the system allows the computer system to be tested. This testing involves setting the trigger for the fault point, and then executing the executable code, so that the fault occurs if the execution path passes through the fault point. This testing also involves examining the result of the execution.

Abstract: A first computer sends a sequence of messages to a second computer using remote write operations to directly store each message in a corresponding memory location in the second computer. The second computer retains information denoting the sequence numbers of the messages it receives and processes, and it acknowledges each received message with an asynchronous acknowledgment message. The first computer keeps track of which messages it has sent but for which it has not yet received an acknowledgment. Whenever the first computer determines that it has failed to receive a message acknowledgment from the second computer in a timely fashion, or it needs to reuse previously used message sequence numbers, the first computer undertakes remedial actions to resynchronize the first and second computers.

Abstract: One embodiment of the present invention provides a method and an apparatus that facilitates transparent failovers from a primary copy of an object on a first server to a secondary copy of the object on a second server when the first server fails, or otherwise becomes unresponsive. The method includes detecting the failure of the first server; selecting the second server; and reconfiguring the second server to act as a new primary server for the object. Additionally, the method includes transparently retrying uncompleted invocations to the object to the second server, without requiring explicit retry commands from a client application program. A variation on this embodiment further includes winding up active invocations to the object before reconfiguring the second server to act as the new primary server. This winding up process may include causing invocations to unresponsive nodes to unblock and complete.

Abstract: A file disaster recovery system that employs geographical replication of data from a local site to remote site in a such a manner that file requests from clients of the local site can be handled by a file server on the remote site following a failover from the local site to the remote site. Geographical data replication software running on a local server checkpoints to a log in local stable storage all information on file operations that change the file state of the local file system. According to a selected mode, the local geographical data replication software flushes information in the log pertaining to the file operations since the last flush to the remote site. At the remote site, compatible remote geographical data replication software running on a remote file server receives the flushed log and replicates in sequence order the file operations represented in the flushed log. The results of the operations are stored on remote stable storage. The local and remote servers can be clusters or single servers.

Abstract: The present invention pertains to a system and method for performing remote object invocation. A object-oriented computing system includes a number of independent computing nodes that are interconnected via a communications link. The nodes represent client and/or server computers that do not share memory. Each node includes a number of domains having separate address spaces. Each domain includes one or more threads of execution that invoke one or more objects. The object's method can reside in the same domain as the requesting thread, in a different domain within the same node, or in a different domain in another node. A file descriptor is used to represent those objects whose methods reside in a different domain than the requesting thread. A file descriptor is a protected kernel entity that enables a thread to invoke an object. A thread can only access those objects for which it has received an associated file descriptor.