Distribution and management of services in virtual environments

US11290488B2 · US · B2

Patent metadata
Publication number: US-11290488-B2
Application number: US-201916277575-A
Country: US
Kind code: B2
Filing date: Feb 15, 2019
Priority date: Jan 9, 2017
Publication date: Mar 29, 2022
Grant date: Mar 29, 2022

How to read this patent

A practical reading order for non-experts. Skip the full description unless you need deep technical detail.

  1. Title

    What the patent document calls the invention.

  2. Abstract

    A short plain-language summary of the technical disclosure.

  3. Assignees and inventors

    Who owns or filed the patent and who is credited as inventor.

  4. Key dates

    Filing, priority, publication, and grant dates set the timeline.

  5. First independent claim

    The legal scope of protection — read this for what is actually claimed.

  6. CPC / IPC classifications

    Technology tags used to group this patent with similar filings.

  7. Citations and related patents

    Prior art links and similar publications in this corpus.

Abstract

Official abstract text for this publication.

Distribution and management of services in virtual environments is described herein. In one or more implementations, a service distribution and management model is implemented in which system services and applications are seamlessly distributed across multiple containers which each implement a different runtime environment. In one or more implementations, a system for distributing access to services in a host operating system of a computing device includes a host operating system configured to implement a host runtime environment, and one or more services implemented by the host operating system. The system further includes a service control manager configured to enable communication between a client stub of a service implemented in a client runtime environment and a service provider of the service that is implemented in a service runtime environment that is separate from the first client runtime environment.

Claims

Full claim text (claims 1 to 20).

What is claimed is:

1. A host computing device comprising: storage hardware and processing hardware; the storage hardware storing a host operating system configured to execute on the processing hardware and manage execution of containers, the containers comprising respective processes managed by the host operating system, each container comprising a separate, isolated execution environment; the storage hardware storing one or more services configured to execute on the processing hardware, the services implemented via the host operating system; a first one of the containers comprising guest software configured to use a first service of the services implemented on the host operating system, the first container further comprising a client stub of the first service, the client stub configured to intermediate exchanges between the guest software executing on the first container and the first service executing on the host operating system through inter-process communication (IPC); and the storage hardware storing a service control manager configured to facilitate the exchanges between at least the first service and the guest software via the client stub of the first service, the facilitating comprising: responding to service-access requests from the client stub of the first service; and determining whether to approve the service-access requests; wherein the responding to the service-access requests comprises, upon determining to approve the service-access requests, providing connection information of the IPC to the client stub of the first service.

2. A host computing device according to claim 1, the service control manager determining whether to approve the service-access requests comprising: accessing a security policy in correspondence with the service-access requests; and applying the security policy to attributes of the services and/or the client containers.

3. A host computing device according to claim 1, wherein the service control manager is implemented in a second one of the containers that is separate from the first container.

4. A host computing device according to claim 1, wherein the service control manager is further configured to perform load balancing when servicing the service-access requests.

5. A host computing device according to claim 1, the storage hardware further storing a service endpoint that is configured to identify the service control manager, from among multiple service control managers, and associate the service control manager with the client stub.

6. A host computing device according to claim 1, the storage hardware further storing a client management service configured to: monitor demand for the services; in response to the monitoring detecting an increase in demand for a service, allocate resources for the corresponding service; and in response to the monitoring detecting a decrease in demand for a service, deallocate resources for the corresponding service.

7. A host computing device according to claim 1, wherein the first service is provided by a first service application, and wherein the first service provider is a library configured to be linked within the first service application.

8. A host computing device according to claim 1, wherein the first client stub is a library configured to be linked within the guest software.

9. A method performed by a computing device, the method comprising: executing an operating system, the operating system configured to manage the execution of containers, each container comprising a separate, isolated execution environment, the containers comprising client containers and service containers, the client containers hosting respective client stubs of services and the service containers hosting respective service providers of the services; receiving, at a first client stub of a first one of the services, a request by an application to access the first service, the first client stub and the application both executing in the first client container; receiving, at a manager module, a request from the first client stub of the first service for connection information to a first service provider of the first service; if an instance of the first service is available, returning, by the manager module, to the first client stub, the connection information for the first service provider of the first service, the first service provider executing in a first one of the service containers, wherein the connection information for the first service provider is configured to enable the first client stub, executing in the first client container, and the first service provider, executing in the first service container, to communicate through a corresponding direct connection; and if an instance of the first service is not available, starting a new one of the service containers and hosting an instance of the first service and an instance of the first service provider in the new service container.

10. A method according to claim 9, wherein the services comprise network services.

11. A method according to claim 9, further comprising managing, by the manager module, the service containers based on demand from the client containers.

12. A method according to claim 11, further comprising terminating a service container or a service hosted thereby if there is no demand for the service container or service.

13. A method according to claim 9, wherein the direct connection comprises an inter-process communication channel.

14. A method according to claim 9, wherein the first service is provided by a first service application, and wherein the first service provider is a library configured to be linked within the first service application.

15. A method according to claim 9, wherein the first client stub is a library configured to be linked within the application.

16. A method according to claim 9, wherein the connection information for the first service provider of the first service is only returned to the first client stub if the application is permitted to access the service.

17. A method performed by a host computing device comprising processing hardware, the method comprising: executing a host operating system on the processing hardware, the host operating system managing the execution of containers, the containers comprising respective processes managed by the host operating system, each container comprising an isolated environment within which processes thereof execute in isolation from processes on the computing device; based on a determination that a container does not already exist for a corresponding user, automatically creating a new container for the user; based on a determination that an attempt to access a network resource is an attempt to access an untrusted network resource, activating the container to handle the untrusted network resource; and based on the container being activated, blocking access to untrusted network resources from the host operating system and blocking access to trusted network resources from the container.

18. A method according to claim 17, further comprising configuring the host computing device to use a unique local account credential to connect the host operating system to the new container.

19. A method according to claim 18, wherein a username associated with the unique local account credential for the container is saved and reused for a second new container for the user.

20. A method according to claim 17, further comprising automatically launching a virtual version of an application within the container.

Assignees

Microsoft Technology Licensing LLC

Inventors

Not listed on this page.

Classifications

  • Intercept · CPC title

  • Monitoring or debugging support · CPC title

  • Isolation or security of virtual machine instances · CPC title

  • Hypervisor-specific management and integration aspects · CPC title

  • for controlling access to devices or network resources · CPC title

Frequently asked questions

Answers are generated from the same data shown on this page.

Who is the assignee on this patent?
Microsoft Technology Licensing Llc
What technology area does this patent fall under?
Primary CPC classification H04L63/20. Mapped technology areas include Electricity.
When was this patent published?
Publication date: Mar 29, 2022 (kind code B2). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?
We list 1 related publication on this page (citations in our corpus or others sharing the same primary CPC).