Fine-Grained Metadata Management in a Distributed File System
US-2017220598-A1 · Aug 3, 2017 · US
US12164948B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-12164948-B2 |
| Application number | US-202016893288-A |
| Country | US |
| Kind code | B2 |
| Filing date | Jun 4, 2020 |
| Priority date | Jun 4, 2020 |
| Publication date | Dec 10, 2024 |
| Grant date | Dec 10, 2024 |
Official abstract text for this publication.
A fine-grain selectable partially privileged container virtual computing environment provides a vehicle by which processes that are directed to modifying specific aspects of a host computing environment can be delivered to, and executed upon, the host computing environment while simultaneously maintaining the advantageous and desirable protections and isolations between the remaining aspects of the host computing environment and the partially privileged container computing environment. Such partial privilege is provided based upon directly or indirectly delineated actions that are allowed to be undertaken on the host computing environment by processes executing within the partially privileged container virtual computing environment and actions which are not allowed. Aspects of the host computing environment operating system, such as the kernel, are extended to interface with container-centric mechanisms to receive information upon which actions can be allowed or denied by the kernel even if the process attempting such actions would otherwise have sufficient privilege.
Opening claim text (preview).
We claim:

1. A computing device comprising: a processor; and memory coupled to the processor, the memory comprising computer-executable instructions that, when executed, perform operations comprising: executing a process within a container virtual computing environment that is implemented in a host computing environment, wherein the process is executed in accordance with a first privilege level and performs a first action that is intended to modify a first computing environment aspect, the first computing environment aspect being implemented in the container virtual computing environment and the host computing environment; determining, by a host operating system kernel at the host computing environment, whether the container virtual computing environment is permitted to perform the first action in the host computing environment by querying, by the host operating system kernel, a container creation service at the host computing environment, the container creation service: having instantiated the container virtual computing environment; having access to metadata specifying allowable actions of the container virtual computing environment; and being separate from the host operating system kernel; determining the container virtual computing environment is not permitted to perform the first action in the host computing environment based on the metadata, the metadata indicating that the process is not permitted to perform the first action to modify the first computing environment aspect of the host computing environment based on the first privilege level; in response to determining the container virtual computing environment is not permitted to perform the first action in the host computing environment, preventing, by the host operating system kernel, the first action from modifying the first computing environment aspect of the host computing environment; and performing the first action in the container virtual computing environment, thereby modifying the first computing environment aspect of the container virtual computing environment such that processes executing within the container virtual computing environment perceive the first action as having been completed but processes executing within the host computing environment perceive the first action as not having been completed.

2. The computing device of claim 1, wherein the preventing the first action from modifying the first computing environment aspect of the host computing environment is performed by the host operating system kernel in a same manner as if the host operating system kernel had determined that the first action is not performable by processes executed with the first privilege level.

3. The computing device of claim 1, wherein the performing the first action in the container virtual computing environment comprises modifying the first computing environment aspect in an overlay layer and storing the modified first computing environment aspect in a sandbox on the host computing environment.

4. The computing device of claim 3, wherein the storing the modified first computing environment aspect in the sandbox comprises recording one or more transactions in the sandbox.

5. The computing device of claim 1, wherein the computer-executable instructions further perform operations comprising: upon termination of the container virtual computing environment, performing the first action in the host computing environment, thereby modifying the first computing environment aspect of the host computing environment.

6. The computing device of claim 1, wherein the process performs at least one step of a multi-step transaction comprising other steps, the other steps performed by one or more processes executing within one or more other container virtual computing environments; and wherein instantiation of the container virtual computing environment is triggered by a transaction manager based on a success of a prior one of the one or more other container virtual computing environments.

7. The computing device of claim 1, wherein the metadata specifies that modifications to files within a first portion of a file system are allowed to be performed on the host computing environment by processes executing within the container virtual computing environment.

8. The computing device of claim 1, wherein the container virtual computing environment is instantiated after determining that enumerated pre-conditions associated with the container virtual computing environment have been met by the host computing environment.

9. The computing device of claim 8, wherein a container package received by the computing device from a remote container management system comprises the enumerated pre-conditions and the metadata associated with the container virtual computing environment.

10. The computing device of claim 1, wherein the container virtual computing environment is selected for instantiation based on policy information received by the computing device from a remote container management system.

11. The computing device of claim 1, wherein the container virtual computing environment is instantiated after performing an idempotency check associated with the container virtual computing environment.

12. The computing device of claim 11, wherein the idempotency check comprises verifying a certification of idempotency associated with the container virtual computing environment.

13. The computing device of claim 11, wherein the idempotency check comprises determining that the container virtual computing environment has not been previously instantiated to completion and the process has not been previously executed to completion within the container virtual computing environment.

14. A method comprising: executing a process within a privileged container virtual computing environment that is implemented in a host computing environment, wherein the process is executed in accordance with a privilege level and performs an action that is intended to modify a computing environment aspect, a first instance of the computing environment aspect being implemented in the privileged container virtual computing environment and a second instance of the computing environment aspect being implemented in the host computing environment; determining, by a host operating system kernel of the host computing device, the privilege level does not allow the action to modify the second instance of the computing environment aspect by querying, by the host operating system kernel, a container creation service having instantiated the container virtual computing environment, the container creation service being implemented in the host computing environment separately from the host operating system kernel and having access to a container definition file implemented in the host computing environment, the container definition file identifying functions or actions the process is permitted to perform in the host computing environment in accordance with the privilege level; in response to the determining the privilege level does not allow the action to modify the second instance of the computing environment aspect, modifying the first instance of the computing environment aspect in performance of the action based on the privilege level; and determining whether to persist modifications performed on the first instance of the computing environment aspect in performance of the action by validating whether the modifications introduced instability into the first instance of the computing environment aspect.

15. A system comprising: a first computing device executing computer-executable instructions that implement a firs
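The abstract and claims 1 to 5, 7 and 14 describe a kernel that, instead of trusting process privilege alone, asks the (separate) container creation service whether a container may modify a host aspect, diverts denied writes into an overlay sandbox with a transaction journal, and replays the journal onto the host at termination only if validation passed. The following is an added toy model of that decision flow, not code from the patent; all class and method names, and the use of path prefixes as the "first portion of a file system", are assumptions.

```python
# Added illustration (not from the patent): a toy model of the kernel-side
# policy check. Metadata lives in the container creation service, which is
# separate from the kernel; the kernel queries it on every attempted write.
from dataclasses import dataclass


@dataclass
class ContainerMetadata:
    # Host paths this container may modify directly (claim 7); anything else
    # is overlay-only. Names and shape are assumptions for this example.
    host_writable_prefixes: tuple = ()
    allowed_actions: frozenset = frozenset()


class ContainerCreationService:
    """Instantiated the container and holds its metadata (not the kernel)."""
    def __init__(self):
        self._meta = {}

    def create(self, cid, meta):
        self._meta[cid] = meta

    def is_permitted(self, cid, action, path):
        meta = self._meta[cid]
        return action in meta.allowed_actions and path.startswith(meta.host_writable_prefixes)


class HostKernel:
    def __init__(self, service):
        self.service = service
        self.host_fs = {}   # host's view of the file-system aspect
        self.sandbox = {}   # overlay per container: cid -> {path: data}
        self.journal = {}   # transactions recorded in the sandbox (claim 4)

    def write(self, cid, path, data, action="write"):
        """Kernel hook: allow on host only if the service's metadata says so."""
        if self.service.is_permitted(cid, action, path):
            self.host_fs[path] = data
            return "host"
        # Denied on host, but applied in the overlay so the container's own
        # processes perceive the action as completed (claims 1 and 3).
        self.sandbox.setdefault(cid, {})[path] = data
        self.journal.setdefault(cid, []).append((action, path, data))
        return "sandbox"

    def container_view(self, cid, path):
        """Container processes see the overlay first; host processes use host_fs."""
        return self.sandbox.get(cid, {}).get(path, self.host_fs.get(path))

    def terminate(self, cid, stable):
        """On exit, replay the journal onto the host only if validation passed (claims 5, 14)."""
        if stable:
            for _action, path, data in self.journal.get(cid, []):
                self.host_fs[path] = data
        self.sandbox.pop(cid, None)
        self.journal.pop(cid, None)
        return self.host_fs
```

Constructed values are used throughout; a real implementation would hook the kernel's file-system and object-manager paths rather than a dictionary.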
CPC classification titles:
- Creating, deleting, cloning virtual machine instances
- by executing in a restricted environment, e.g. sandbox or secure virtual machine
- where tasks reside in different layers, e.g. user- and kernel-space
- Isolation or security of virtual machine instances
- Hypervisor-specific management and integration aspects