Systems and methods for controlled container execution
First Claim
1. A method comprising, by a computer system:
receiving a request to execute a particular container;
retrieving a manifest of the particular container from a data store, the manifest comprising a listing of a plurality of items included in the particular container, a plurality of signatures, and a plurality of hashes of the plurality of items;
wherein the plurality of signatures each comprise a signature of a purported source of at least one of the plurality of items;
for each signature of the plurality of signatures, retrieving, from a key store that is external to a container runtime of the particular container, a public key of the purported source;
for each signature of the plurality of signatures, validating the signature using the retrieved public key of the purported source;
validating contents of the particular container in relation to the manifest based, at least in part, on a comparison of the plurality of hashes from the manifest to hashes of corresponding items in the particular container;
determining an execution context of the request, the execution context comprising information related to a location where the particular container would be executed;
accessing an applicable execution policy, from among a plurality of execution policies, for the determined execution context; and
responsive to a determination that the applicable execution policy is satisfied, causing the particular container to be installed on an isolated user-space instance in a shared kernel space on an operating system of a target resource.
Abstract
In one embodiment, a method is performed by a computer system. The method includes receiving a request to execute a particular container. The method further includes retrieving a manifest of the particular container from a data store, the manifest indicating a plurality of items included in the particular container. In addition, the method includes validating one or more signatures of the container that are associated with the items indicated in the manifest. Also, the method includes determining an execution context of the request. Further, the method includes accessing an applicable execution policy for the determined execution context. Additionally, the method includes, responsive to a determination that the applicable execution policy is satisfied, causing the particular container to be installed on a target resource.
17 Claims
1. (Independent claim 1 is reproduced above under First Claim.) Dependent claims: 2, 3, 4, 5, 6.
7. An information handling system comprising a processor and executable instructions, wherein the processor is operable to implement the executable instructions comprising:
receiving a request to execute a particular container on an isolated user-space instance in a shared kernel space on an operating system;
retrieving a manifest of the particular container from a data store, the manifest comprising a listing of a plurality of items included in the particular container, a plurality of signatures, and a plurality of hashes of the plurality of items;
wherein the plurality of signatures each comprise a signature of a purported source of at least one of the plurality of items;
for each signature of the plurality of signatures, retrieving, from a key store that is external to a container runtime of the particular container, a public key of the purported source;
for each signature of the plurality of signatures, validating the signature using the retrieved public key of the purported source;
validating contents of the particular container in relation to the manifest based, at least in part, on a comparison of the plurality of hashes from the manifest to hashes of corresponding items in the particular container;
determining an execution context of the request, the execution context comprising information related to the isolated user-space instance in the shared kernel space on the operating system where the particular container would be executed;
accessing an applicable execution policy, from among a plurality of execution policies, for the determined execution context; and
responsive to a determination that the applicable execution policy is satisfied, causing the particular container to be installed on the isolated user-space instance in the shared kernel space on the operating system of a target resource.
Dependent claims: 8, 9, 10, 11, 12.
13. A computer-program product comprising a non-transitory computer-usable medium having computer-readable program code embodied therein, the computer-readable program code adapted to be executed to implement a method comprising:
receiving a request to execute a particular container on an isolated user-space instance in a shared kernel space on an operating system;
retrieving a manifest of the particular container from a data store, the manifest comprising a listing of a plurality of items included in the particular container, a plurality of signatures, and a plurality of hashes of the plurality of items;
wherein the plurality of signatures each comprise a signature of a purported source of at least one of the plurality of items;
for each signature of the plurality of signatures, retrieving, from a key store that is external to a container runtime of the particular container, a public key of the purported source;
for each signature of the plurality of signatures, validating the signature using the retrieved public key of the purported source;
validating contents of the particular container in relation to the manifest based, at least in part, on a comparison of the plurality of hashes from the manifest to hashes of corresponding items in the particular container;
determining an execution context of the request, the execution context comprising information related to the isolated user-space instance in the shared kernel space on the operating system where the particular container would be executed;
accessing an applicable execution policy, from among a plurality of execution policies, for the determined execution context; and
responsive to a determination that the applicable execution policy is satisfied, causing the particular container to be installed on the isolated user-space instance in the shared kernel space on the operating system of a target resource.
Dependent claims: 14, 15, 16, 17.
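The admission check that independent claims 1, 7 and 13 recite (signatures checked against keys from a store outside the runtime, then manifest hashes against content, then the policy for the execution context), as an added Go example that is not part of the patent or of any product it covers. The type and function names, the source "acme" and the location names are constructed; that each source signs the hex SHA-256 of its item is an assumption, since the claims do not say what the signature covers.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Item is one manifest entry: name, purported source, the recorded SHA-256 hex
// digest, and the source's signature over that digest (assumed; the claims do not say).
type Item struct {
	Name, Source, Hash string
	Sig                []byte
}

// KeyStore stands in for the key store held outside the container runtime;
// Policy maps an execution context (here just a location) to trusted sources.
type KeyStore map[string]ed25519.PublicKey
type Policy map[string]map[string]bool

// SignItem is the publisher side: hash the content, sign the digest.
func SignItem(name, source string, content []byte, priv ed25519.PrivateKey) Item {
	sum := sha256.Sum256(content)
	h := hex.EncodeToString(sum[:])
	return Item{Name: name, Source: source, Hash: h, Sig: ed25519.Sign(priv, []byte(h))}
}

// Authorize runs the claimed checks in order: every signature against a key
// from the external store, every content hash against the manifest, then the
// execution policy for the context. A nil result means "install".
func Authorize(manifest []Item, contents map[string][]byte, ks KeyStore, pol Policy, location string) error {
	for _, it := range manifest {
		// ok is checked first: Verify panics on a nil (unknown) public key.
		if pub, ok := ks[it.Source]; !ok || !ed25519.Verify(pub, []byte(it.Hash), it.Sig) {
			return fmt.Errorf("%s: no valid signature from %q", it.Name, it.Source)
		}
		sum := sha256.Sum256(contents[it.Name]) // missing item hashes as empty and fails
		if hex.EncodeToString(sum[:]) != it.Hash {
			return fmt.Errorf("%s: content does not match manifest hash", it.Name)
		}
	}
	allowed := pol[location] // no policy for this location: nil map, nothing trusted
	for _, it := range manifest {
		if !allowed[it.Source] {
			return fmt.Errorf("policy for %q does not trust source %q", location, it.Source)
		}
	}
	return nil
}
```

Unknown sources, forged signatures, altered content and locations without a policy all fail closed before anything is installed.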