Systems and methods for controlled container execution

US 10,127,030 B1
Filed: 03/04/2016
Issued: 11/13/2018
Est. Priority Date: 03/04/2016
Status: Active Grant

First Claim

Patent Images

1. A method comprising, by a computer system:

receiving a request to execute a particular container;

retrieving a manifest of the particular container from a data store, the manifest comprising a listing of a plurality of items included in the particular container, a plurality of signatures, and a plurality of hashes of the plurality of items;

wherein the plurality of signatures each comprise a signature of a purported source of at least one of the plurality of items;

for each signature of the plurality of signatures, retrieving, from a key store that is external to a container runtime of the particular container, a public key of the purported source;

for each signature of the plurality of signatures, validating the signature using the retrieved public key of the purported source;

validating contents of the particular container in relation to the manifest based, at least in part, on a comparison of the plurality of hashes from the manifest to hashes of corresponding items in the particular container;

determining an execution context of the request, the execution context comprising information related to a location where the particular container would be executed;

accessing an applicable execution policy, from among a plurality of execution policies, for the determined execution context; and

responsive to a determination that the applicable execution policy is satisfied, causing the particular container to be installed on an isolated user-space instance in a shared kernel space on an operating system of a target resource.

View all claims

22 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In one embodiment, a method is performed by a computer system. The method includes receiving a request to execute a particular container. The method further includes retrieving a manifest of the particular container from a data store, the manifest indicating a plurality of items included in the particular container. In addition, the method includes validating one or more signatures of the container that are associated with the items indicated in the manifest. Also, the method includes determining an execution context of the request. Further, the method includes accessing an applicable execution policy for the determined execution context. Additionally, the method includes, responsive to a determination that the applicable execution policy is satisfied, causing the particular container to be installed on a target resource.

Citations

17 Claims

1. A method comprising, by a computer system:
- receiving a request to execute a particular container;
  
  retrieving a manifest of the particular container from a data store, the manifest comprising a listing of a plurality of items included in the particular container, a plurality of signatures, and a plurality of hashes of the plurality of items;
  
  wherein the plurality of signatures each comprise a signature of a purported source of at least one of the plurality of items;
  
  for each signature of the plurality of signatures, retrieving, from a key store that is external to a container runtime of the particular container, a public key of the purported source;
  
  for each signature of the plurality of signatures, validating the signature using the retrieved public key of the purported source;
  
  validating contents of the particular container in relation to the manifest based, at least in part, on a comparison of the plurality of hashes from the manifest to hashes of corresponding items in the particular container;
  
  determining an execution context of the request, the execution context comprising information related to a location where the particular container would be executed;
  
  accessing an applicable execution policy, from among a plurality of execution policies, for the determined execution context; and
  
  responsive to a determination that the applicable execution policy is satisfied, causing the particular container to be installed on an isolated user-space instance in a shared kernel space on an operating system of a target resource.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method of claim 1, comprising:
    - wherein the particular container comprises one or more sub-containers;
      
      traversing the particular container; and
      
      validating signatures of the one or more sub-containers.
  - 3. The method of claim 1, wherein the plurality of signatures comprise signatures of a plurality of purported sources.
  - 4. The method of claim 1, wherein the applicable execution policy that is accessed is different for different execution contexts.
  - 5. The method of claim 1, wherein the applicable execution policy is applicable to multiple container formats.
  - 6. The method of claim 1, wherein the execution context comprises information related to a user responsible for the request.

7. An information handling system comprising a processor and executable instructions, wherein the processor is operable to implement the executable instructions comprising:
- receiving a request to execute a particular container on an isolated user-space instance in a shared kernel space on an operating system;
  
  retrieving a manifest of the particular container from a data store, the manifest comprising a listing of a plurality of items included in the particular container, a plurality of signatures, and a plurality of hashes of the plurality of items;
  
  wherein the plurality of signatures each comprise a signature of a purported source of at least one of the plurality of items;
  
  for each signature of the plurality of signatures, retrieving, from a key store that is external to a container runtime of the particular container, a public key of the purported source;
  
  for each signature of the plurality of signatures, validating the signature using the retrieved public key of the purported source;
  
  validating contents of the particular container in relation to the manifest based, at least in part, on a comparison of the plurality of hashes from the manifest to hashes of corresponding items in the particular container;
  
  determining an execution context of the request, the execution context comprising information related to the isolated user-space instance in the shared kernel space on the operating system where the particular container would be executed;
  
  accessing an applicable execution policy, from among a plurality of execution policies, for the determined execution context; and
  
  responsive to a determination that the applicable execution policy is satisfied, causing the particular container to be installed on the isolated user-space instance in the shared kernel space on the operating system of a target resource.
- View Dependent Claims (8, 9, 10, 11, 12)
- - 8. The information handling system of claim 7, the method comprising:
    - wherein the particular container comprises one or more sub-containers;
      
      traversing the particular container; and
      
      validating signatures of the one or more sub-containers.
  - 9. The information handling system of claim 7, wherein the plurality of signatures comprise signatures of a plurality of purported sources.
  - 10. The information handling system of claim 7, wherein the applicable execution policy that is accessed is different for different execution contexts.
  - 11. The information handling system of claim 7, wherein the applicable execution policy is applicable to multiple container formats.
  - 12. The information handling system of claim 7, wherein the execution context comprises information related to a user responsible for the request.

13. A computer-program product comprising a non-transitory computer-usable medium having computer-readable program code embodied therein, the computer-readable program code adapted to be executed to implement a method comprising:
- receiving a request to execute a particular container on an isolated user-space instance in a shared kernel space on an operating system;
  
  retrieving a manifest of the particular container from a data store, the manifest comprising a listing of a plurality of items included in the particular container, a plurality of signatures, and a plurality of hashes of the plurality of items;
  
  wherein the plurality of signatures each comprise a signature of a purported source of at least one of the plurality of items;
  
  for each signature of the plurality of signatures, retrieving, from a key store that is external to a container runtime of the particular container, a public key of the purported source;
  
  for each signature of the plurality of signatures, validating the signature using the retrieved public key of the purported source;
  
  validating contents of the particular container in relation to the manifest based, at least in part, on a comparison of the plurality of hashes from the manifest to hashes of corresponding items in the particular container;
  
  determining an execution context of the request, the execution context comprising information related to the isolated user-space instance in the shared kernel space on the operating system where the particular container would be executed;
  
  accessing an applicable execution policy, from among a plurality of execution policies, for the determined execution context; and
  
  responsive to a determination that the applicable execution policy is satisfied, causing the particular container to be installed on the isolated user-space instance in the shared kernel space on the operating system of a target resource.
- View Dependent Claims (14, 15, 16, 17)
- - 14. The computer-program product of claim 13, the method comprising:
    - wherein the particular container comprises one or more sub-containers;
      
      traversing the particular container; and
      
      validating signatures of the one or more sub-containers.
  - 15. The computer-program product of claim 13, wherein the plurality of signatures comprise signatures of a plurality of purported sources.
  - 16. The computer-program product of claim 13, wherein the applicable execution policy that is accessed is different for different execution contexts.
  - 17. The computer-program product of claim 13, wherein the applicable execution policy is applicable to multiple container formats.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Quest Software, Inc.
Original Assignee
Quest Software, Inc.
Inventors
Mortman, David, McNeill, Campbell
Primary Examiner(s)
Zhen, Li B
Assistant Examiner(s)
Soltanzadeh, Amir

Application Number

US15/061,209
Time in Patent Office

984 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/53   by executing in a restricte...

G06F 21/6281   at program execution time, ...

G06F 8/61   Installation

G06F 8/64   Retargetable

G06F 9/445   Program loading or initiati...

G06F 9/455   Emulation; Interpretation; ...

H04L 9/3236   using cryptographic hash fu...

H04L 9/3247   involving digital signatures

Systems and methods for controlled container execution

First Claim

22 Assignments

0 Petitions

Accused Products

Abstract

Citations

17 Claims

Specification

Solutions

Use Cases

Quick Links

Systems and methods for controlled container execution

First Claim

22 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

17 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links