Systems and methods for controlled container execution

  • US 10,127,030 B1
  • Filed: 03/04/2016
  • Issued: 11/13/2018
  • Est. Priority Date: 03/04/2016
  • Status: Active Grant
First Claim

1. A method comprising, by a computer system:

    receiving a request to execute a particular container;

    retrieving a manifest of the particular container from a data store, the manifest comprising a listing of a plurality of items included in the particular container, a plurality of signatures, and a plurality of hashes of the plurality of items;

    wherein the plurality of signatures each comprise a signature of a purported source of at least one of the plurality of items;

    for each signature of the plurality of signatures, retrieving, from a key store that is external to a container runtime of the particular container, a public key of the purported source;

    for each signature of the plurality of signatures, validating the signature using the retrieved public key of the purported source;

    validating contents of the particular container in relation to the manifest based, at least in part, on a comparison of the plurality of hashes from the manifest to hashes of corresponding items in the particular container;

    determining an execution context of the request, the execution context comprising information related to a location where the particular container would be executed;

    accessing an applicable execution policy, from among a plurality of execution policies, for the determined execution context; and

    responsive to a determination that the applicable execution policy is satisfied, causing the particular container to be installed on an isolated user-space instance in a shared kernel space on an operating system of a target resource.
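The checks recited in the claim, in order, as an added example that is not code from the patent or its assignee. The claim names no algorithms or data layouts, so everything concrete here is an assumption: Ed25519 signatures over `name || 0x00 || hash`, SHA-256 item hashes, an execution context reduced to a location string, and a policy that is an allow-list of sources per location; `Entry`, `Policy`, `Admit` and `Sample` are hypothetical names, and a `nil` result from `Admit` marks the point where installation would proceed.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"fmt"
)

// Entry is one manifest row: item name, SHA-256 of the item, purported source, signature.
type Entry struct {
	Name, Source string
	Hash, Sig    []byte
}
type Policy map[string]bool // assumed shape: sources allowed at one location

// Admit returns nil only if every signature, every hash and the location's policy pass.
func Admit(m []Entry, items map[string][]byte, keys map[string]ed25519.PublicKey, pols map[string]Policy, loc string) error {
	if _, ok := pols[loc]; !ok { // execution context is reduced to the target location
		return fmt.Errorf("no policy for %q: deny", loc)
	}
	for _, e := range m {
		pub, ok := keys[e.Source] // key store lives outside the container
		if !ok || !ed25519.Verify(pub, append([]byte(e.Name+"\x00"), e.Hash...), e.Sig) {
			return fmt.Errorf("signature check failed for %q", e.Name)
		}
		sum := sha256.Sum256(items[e.Name])
		if _, present := items[e.Name]; !present || !bytes.Equal(sum[:], e.Hash) {
			return fmt.Errorf("hash mismatch for %q", e.Name)
		}
		if !pols[loc][e.Source] {
			return fmt.Errorf("source %q not allowed at %q", e.Source, loc)
		}
	}
	return nil
}

// Sample builds constructed data: one item signed by the made-up source "vendor-a".
func Sample() ([]Entry, map[string][]byte, map[string]ed25519.PublicKey, map[string]Policy, string) {
	pub, priv, _ := ed25519.GenerateKey(nil) // nil selects crypto/rand
	items := map[string][]byte{"bin/app": []byte("constructed payload")}
	h := sha256.Sum256(items["bin/app"])
	sig := ed25519.Sign(priv, append([]byte("bin/app\x00"), h[:]...))
	m := []Entry{{Name: "bin/app", Source: "vendor-a", Hash: h[:], Sig: sig}}
	return m, items, map[string]ed25519.PublicKey{"vendor-a": pub}, map[string]Policy{"datacenter-1": {"vendor-a": true}}, "datacenter-1"
}

func main() {
	fmt.Println("admit error:", Admit(Sample()))
}
```

The sketch checks only items the manifest lists; files present in the container but absent from the manifest pass through unexamined unless a separate completeness check is added.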
