Abstract: Methods, systems, and computer-readable media for automated management of machine images are disclosed. A machine image management system determines that a trigger for a machine image build process has occurred. The machine image management system performs the machine image build process responsive to the trigger. The machine image build process generates a machine image, and the machine image comprises a plurality of operating system components associated with an application. The machine image is validated by the machine image management system for compliance with one or more policies. The machine image management system provides the machine image to one or more recipients. One or more compute resources are launched using the machine image, and the application is executed on the compute resource(s) launched using the machine image.

Abstract: In accordance with input received via a programmatic interface, a level of isolation at which a software container is to be executed is determined. Based on the level of isolation, a category of virtual machines of a virtualized computing service is selected for executing the software containers. The selected category differs from other categories in at least the number of devices emulated for virtual machines of the categories. The software container is run within a virtual machine of the selected category.

Abstract: Techniques are described for identifying resource bottlenecks in decomposing monolithic software applications as part of software modernization processes. An application modernization system constructs a graph model of a software application based on an analysis of application artifacts associated with the software application. The graph model includes nodes representing independent application components, and further includes edges representing identified dependency relationships among the application components. An application modernization system further generates application profile metrics associated with the identified dependencies, and weights derived from the metrics are applied to the nodes and/or the edges of the graph model to generate a weighted graph model that identifies the resource bottlenecks among the application components and the identified dependency relationships. The weighted graph model is transmitted to a computing device for display to a user.

Abstract: Techniques for in-place live migration of guest domain compute instances are described. A secondary host domain, which may be a patched version of an initial host domain, is launched on a computing device in a candidate host domain role or as a guest domain with escalated privileges. Existing guest domains are live migrated within the computing device to utilize the secondary host domain while the initial host domain continues to serve guest domains that have not yet been migrated. When all guest domains have been migrated, the initial host domain may be terminated, resulting in a patched computing device without network-based failures or noticeable service degradation for the guest domains, and while allowing existing guest domain workflows and network connections to continue unaffected.

Abstract: Methods, systems, and computer-readable media for automated management of machine images are disclosed. A machine image management system determines that a trigger for a machine image build process has occurred. The machine image management system performs the machine image build process responsive to the trigger. The machine image build process generates a machine image, and the machine image comprises a plurality of operating system components associated with an application. The machine image is validated by the machine image management system for compliance with one or more policies. The machine image management system provides the machine image to one or more recipients. One or more compute resources are launched using the machine image, and the application is executed on the compute resource(s) launched using the machine image.

Abstract: Techniques are described for automatically identifying monolithic software applications in users' computing environments for software modernization purposes. A monolithic patent application typically refers to a single-tiered application with self-contained functionality designed largely without modularity, although many types of applications can have monolithic characteristics. In many cases, modularity in a software application's design is desirable and thus developers may often seek to decompose monolithic applications into more modular “microservices” or other subunits when possible. A software modernization system includes a software analysis service that obtains, for one or more software applications undergoing evaluation, a collection of application artifacts, application profiling metrics, and other application profile data.

Abstract: Disclosed are various embodiments for a container execution environment. In one embodiment, a container is executed in a virtual machine instance running on a computing device. A container control plane is executed separately from the virtual machine instance in an off-load device operably coupled to the computing device via a hardware interconnect interface. The container is managed using the container control plane executing on the off-load device.

Abstract: Disclosed are various embodiments for anti-pattern detection in extraction and deployment of a microservice. A software modernization service is executed to analyze a computing application to identify various applications. When one or more of the application components are specified to be extracted as an independently deployable subunit, anti-patterns associated with deployment of the independently deployable subunit are determined prior to extraction. Anti-patterns may include increases in execution time, bandwidth, network latency, central processing unit (CPU) usage, and memory usage among other anti-patterns. The independently deployable subunit is selectively deployed separate from the computing application based on the identified anti-patterns.

Abstract: Disclosed are various embodiments for isolated code detection from application code analysis. Various application components may be identified from a source code file or a bytecode file of a computing application. A graph model representative of the computing application is generated having nodes and bridges that connect some nodes to other nodes. The graph model is generated such that at least one of the nodes is an isolated node having less than a threshold number of bridges connecting to other nodes, which is indicative that a corresponding one of the application components can be implemented as an independently deployable component of the computing application.

Abstract: Disclosed are various embodiments for the extraction of isolated nodes during source code refactoring. A graph model representative of a computing application is generated having nodes and bridges that connect some nodes to other nodes. An application component corresponding to a selected one of the nodes may be extracted from the computing application. An independently deployable component of the computing application may be generated and deployed on a network service such that the independently deployable component is accessible through a network-based call.

Abstract: Disclosed are various embodiments for the refactoring of local calls to network calls during software modernization. First and second application components are identified based on analysis of a computing application. A local call from the first application component to a process of the second application component is identified, and an independently deployable microservice is created from the computing application. The independently deployable subunit comprises the second application component having a network endpoint. The independently deployable microservice is deployed such that the process is accessible to the first application component via the network endpoint. The local call is programmatically refactored into a network call from the first application component to the process of the second application component.

Abstract: Disclosed are various embodiments for domain-driven application breakout. Application components are identified based on analysis of a computing application, where the application components are different portions of the computing application. Individual ones of the application components are associated with a category, where the category may include a business domain category. One or more of the application components associated with the category are extracted as an independently deployable subunit, which may include a microservice. The independently deployable subunit is generated for the category using the at least one of the application components and deployed separate from the computing application. A local call in the computing application to the extracted application components is refactored to a network call to the independently deployable subunit.

Abstract: Methods, systems, and computer-readable media for automated management of machine images are disclosed. A machine image management system determines that a trigger for a machine image build process has occurred. The machine image management system performs the machine image build process responsive to the trigger. The machine image build process generates a machine image, and the machine image comprises a plurality of operating system components associated with an application. The machine image is validated by the machine image management system for compliance with one or more policies. The machine image management system provides the machine image to one or more recipients. One or more compute resources are launched using the machine image, and the application is executed on the compute resource(s) launched using the machine image.

Abstract: A virtualization host is identified for an isolated run-time environment. One or more records generated at a security module of the host, which indicate that a first phase of a multi-phase establishment of an isolated run-time environment has been completed by a virtualization management component of the host, is transmitted to a resource verifier. In response to a host approval indicator from the resource verifier, the multi-phase establishment is completed at the virtualization host.

Abstract: A virtual secure mode is enabled for a virtual machine operating in a computing environment that is associated with a plurality of different trust levels. First, a virtual secure mode image is loaded into one or more memory pages of a virtual memory space of the virtual machine. Then, the one or more memory pages of the virtual memory space are made inaccessible to one or more trust levels having a relatively lower trust level than a launching trust level that is used by a virtual secure mode loader to load the virtual secure mode image. A target virtual trust level is also enabled on a launching virtual processor for the virtual machine that is higher than the launching trust level.

Abstract: A virtual secure mode is enabled for a virtual machine operating in a computing environment that is associated with a plurality of different trust levels. First, a virtual secure mode image is loaded into one or more memory pages of a virtual memory space of the virtual machine. Then, the one or more memory pages of the virtual memory space are made inaccessible to one or more trust levels having a relatively lower trust level than a launching trust level that is used by a virtual secure mode loader to load the virtual secure mode image. A target virtual trust level is also enabled on a launching virtual processor for the virtual machine that is higher than the launching trust level.

Abstract: A virtual secure mode is enabled for a virtual machine operating in a computing environment that is associated with a plurality of different trust levels. First, a virtual secure mode image is loaded into one or more memory pages of a virtual memory space of the virtual machine. Then, the one or more memory pages of the virtual memory space are made inaccessible to one or more trust levels having a relatively lower trust level than a launching trust level that is used by a virtual secure mode loader to load the virtual secure mode image. A target virtual trust level is also enabled on a launching virtual processor for the virtual machine that is higher than the launching trust level.

Abstract: Techniques for tenant management of virtualized computing resources are described. Virtualized computing resources are allocated to a tenant who is allowed to request access to the allocated virtualized computing resources. A request is received for launch of a virtual machine instance based on the allocated virtualized computing resources. In response to the request, a secure enclave is instantiated and information is obtained that is indicative of the host computing environment and the secure enclave. The information is sent to the tenant, and an indication is received from the tenant to launch the virtual machine based on an independent attestation by the tenant based on the sent information. The virtual machine is launched in response to the indication.

Abstract: A facility for booting a virtual machine hosted on a host is described. In one example facility, the facility boots the virtual machine in accordance with a policy instance associated with the virtual machine. As part of the booting, the facility extracts information needed to complete the booting from a virtual trusted platform module associated with the virtual machine, the extraction based upon the policy instance associated with the virtual machine. At the completion of the booting, the facility copies contents of a policy instance associated with the host into the policy instance associated with the virtual machine.

Abstract: Deploying an encrypted entity on a trusted entity is illustrated herein. A method includes, at a trusted entity, wherein the trusted entity is trusted by an authority as a result of providing a verifiable indication of certain characteristics of the trusted entity meeting certain requirements, receiving an encrypted entity from an untrusted entity. The untrusted entity is not trusted by the authority. At the trusted entity, a trust credential from the authority is used to obtain a key from a key distribution service. The key distribution service is trusted by the authority. The key is used to decrypt the encrypted entity to allow the encrypted entity to be deployed at the trusted entity.