SYSTEM AND METHOD FOR ENABLING SCALABLE ISOLATION CONTEXTS IN A PLATFORM

US 20150082378A1
Filed: 09/18/2014
Published: 03/19/2015
Est. Priority Date: 09/18/2013
Status: Abandoned Application

First Claim

Patent Images

1. A method for operating a computing platform comprising:

distributing a job within an isolation context to a computing platform, which comprises;

receiving a deployment request that includes a set of isolation context rules;

transferring a job instance update as specified by the deployment request to a machine of the computing platform;

at the machine, instantiating the job instance within an isolation context and configuring the set of isolation context rules as a set of resource quotas and networking rules of the isolation context; and

enforcing the set of resource quotas and networking rules during operation of the job instance within the computing platform.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method for operating a computing platform that includes distributing a job within an isolation context to a computing platform, which includes receiving a deployment request that includes a set of isolation context rules; transferring a job instance update as specified by the deployment request to a machine of the computing platform; and at the machine, instantiating the job instance within an isolation context and configuring the set of isolation context rules as a set of resource quotas and networking rules of the isolation context; and enforcing the set of resource quotas and networking rules during operation of the job instance within the computing platform.

173 Citations

21 Claims

1. A method for operating a computing platform comprising:
- distributing a job within an isolation context to a computing platform, which comprises;
  
  receiving a deployment request that includes a set of isolation context rules;
  
  transferring a job instance update as specified by the deployment request to a machine of the computing platform;
  
  at the machine, instantiating the job instance within an isolation context and configuring the set of isolation context rules as a set of resource quotas and networking rules of the isolation context; and
  
  enforcing the set of resource quotas and networking rules during operation of the job instance within the computing platform.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17)
- - 2. The method of claim 1, wherein instantiating the job instance within an isolation context comprises setting up a job within an operating system level virtualization container object.
  - 3. The method of claim 2, wherein configuring the set of isolation context rules as a set of networking rules of the isolation context comprises configuring one of IPtables, a generic route encapsulation (GRE) mechanism, or vSwitches.
  - 4. The method of claim 1, wherein the set of resource quotas defines limits on memory, disk, bandwidth, and computation consumed by the job instance on the machine.
  - 5. The method of claim 1, wherein the set of networking rules includes route rules for ingress traffic and a set of bindings and links for egress traffic.
  - 6. The method of claim 1, wherein instantiating the job instance within an isolation context comprises establishing an inner virtual network interface of the job to which the job creates static bindings and an outer virtual network interface with dynamically updated bindings responsive to updates in the computing platform.
  - 7. The method of claim 6, further comprising distributing a second job instance within an isolation context to a computing platform;
    - wherein the networking rule of the first job instance opens networking communication in at least one direction, which comprises setting a mapping within the outer virtual network of the first job according to an endpoint location of the second job instance.
  - 8. The method of claim 7, further comprising changing deployment of the second job instance to a new machine within the computing platform;
    - and updating the mapping within the outer virtual network interface of the first job instance according to a new endpoint location of the second job instance.
  - 9. The method of claim 7, wherein the second job instance is distributed to the same machine as the first job instance, and further comprising updating the communication mapping of the outer virtual network for internal routing of the communication between the first and second job instances.
  - 10. The method of claim 7, wherein a set of instances of the second job are distributed within the computing platform and monitored by an instance manager of the first job instance;
    - and wherein setting a mapping of the outer virtual network interface comprises load balancing across the set of instances of the second job.
  - 11. The method of claim 7, wherein, when an initially mapped second instance of the second job becomes unavailable, dynamically remapping the outer network of the first job to select a new instance of the second job from the set of instances of the second job.
  - 12. The method of claim 1, further comprising distributing a second job instance within an isolation context to a computing platform;
    - wherein the isolation context of the first job instance is instantiated in a first operating environment and the isolation context of the second job instance is instantiated in a second operating environment.
  - 13. The method of claim 1, wherein transferring a job instance update as specified by the deployment request to a machine of the computing platform comprises a job manager broadcasting the deployment request to a set of machines of the computing cluster, receiving a response of at least one confirming machine, and transmitting the job instance update to at least one machine.
  - 14. The method of claim 13, wherein a machine randomly delays responding to the deployment request and ignores the deployment request if the machine cannot fulfill the deployment request.
  - 15. The method of claim 13, wherein transmitting the job instance update to at least one machine further comprises encrypting and digitally signing the job instance update, and at the machine, authenticating the source of the job instance update.
  - 16. The method of claim 13, wherein multiple machines respond to the deployment request broadcast;
    - and further comprising maintaining a list of available machines and sending the job instance update to at least a subset of machines from the list of available machines.
  - 17. The method of claim 1, wherein transferring a job instance update as specified by the deployment request to a machine of the computing platform comprises identifying a machine within the computing platform according to network topology proximity to dependent jobs and machine capability.

18. A system for a computing platform comprising:
- a computing platform that includes a set of host machines;
  
  a set of isolation containers deployed across the set of host machines, wherein the set of isolation containers includes at least one job instance running on the machine;
  
  a host machine comprising a virtual network between a host operating system and an isolation context on the machine, the virtual network including an inner virtual network interface proximal to the isolation context and an outer virtual network interface proximal to the host operating system;
  
  a platform network between the set of host machines;
  
  a corporate network to an external network environment; and
  
  the isolation context including an isolation context rules that define resource usage quotas and rules of ingress and egress communication traffic.
- View Dependent Claims (19, 20, 21)
- - 19. The system of claim 18, further comprising a set of internal services, which comprise an API service, a messaging system, instance managers operating on the host machines, a job manager that communicatively broadcasts deployment request messages to the instance managers.
  - 20. The method of claim 18, wherein the corporate network is a public internet gateway.
  - 21. The method of claim 18, wherein the corporate network includes an on-premise network.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Apcera, Inc. (Telefonaktiebolaget LM Ericsson)
Original Assignee
Apcera, Inc. (Telefonaktiebolaget LM Ericsson)
Inventors
Collison, Derek

Application Number

US14/490,387
Publication Number

US 20150082378A1
Time in Patent Office

Days
Field of Search
US Class Current

726/1
CPC Class Codes

G06F 2009/45587   Isolation or security of vi...

G06F 9/45558   Hypervisor-specific managem...

H04L 63/20   for managing network securi...

H04L 67/10   in which an application is ...

SYSTEM AND METHOD FOR ENABLING SCALABLE ISOLATION CONTEXTS IN A PLATFORM

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

173 Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

SYSTEM AND METHOD FOR ENABLING SCALABLE ISOLATION CONTEXTS IN A PLATFORM

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

173 Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links