Exposing data to virtual machines

US 8,677,449 B1
Filed: 03/19/2012
Issued: 03/18/2014
Est. Priority Date: 03/19/2012
Status: Active Grant

First Claim

Patent Images

1. A method performed by a system of one or more computers, the method comprising:

executing a virtual machine on a host operating system;

mounting a synthetic file system on the virtual machine to expose the synthetic file system to a plurality of guest applications executing on the virtual machine, wherein the synthetic file system is configured to provide a plurality of system calls to the guest applications including at least a read operation or a write operation for reading from or writing to an external data repository storing data outside the virtual machine;

receiving a first system call of the plurality of system calls at the synthetic file system for the read operation or the write operation from a first guest application of the plurality of guest applications;

determining that the first guest application is not authorized for the first system call by a security policy associated with the synthetic file system, wherein determining that the first guest application is not authorized for the first system call by the security policy comprises;

translating the first system call into a server request; and

providing the server request to a trusted agent, the trusted agent being a process executing on the virtual machine, wherein the trusted agent is configured to send the server request to a server external to the virtual machine, the server being configured to access the external data repository, and wherein the server is configured to provide a token to the trusted agent during a booting process for the virtual machine, and the trusted agent is configured to provide the token to the server with the server request; and

denying access to the external data repository to the first guest application.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods, systems, and apparatus, including computer programs encoded on a computer storage medium, for exposing metadata to a virtual machine. In one aspect, a method includes executing a virtual machine on a host operating system. A synthetic file system is mounted on the virtual machine to expose the synthetic file system to a plurality of guest applications executing on the virtual machine. The synthetic file system is configured to provide a plurality of system calls to the guest applications including at least a read operation or a write operation for reading from or writing to external metadata stored outside the virtual machine.

Citations

20 Claims

1. A method performed by a system of one or more computers, the method comprising:
- executing a virtual machine on a host operating system;
  
  mounting a synthetic file system on the virtual machine to expose the synthetic file system to a plurality of guest applications executing on the virtual machine, wherein the synthetic file system is configured to provide a plurality of system calls to the guest applications including at least a read operation or a write operation for reading from or writing to an external data repository storing data outside the virtual machine;
  
  receiving a first system call of the plurality of system calls at the synthetic file system for the read operation or the write operation from a first guest application of the plurality of guest applications;
  
  determining that the first guest application is not authorized for the first system call by a security policy associated with the synthetic file system, wherein determining that the first guest application is not authorized for the first system call by the security policy comprises;
  
  translating the first system call into a server request; and
  
  providing the server request to a trusted agent, the trusted agent being a process executing on the virtual machine, wherein the trusted agent is configured to send the server request to a server external to the virtual machine, the server being configured to access the external data repository, and wherein the server is configured to provide a token to the trusted agent during a booting process for the virtual machine, and the trusted agent is configured to provide the token to the server with the server request; and
  
  denying access to the external data repository to the first guest application.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, wherein:
    - the server is configured to provide the token to the virtual machine only once; and
      
      the trusted agent is configured to shut down the virtual machine when, during the booting process, the trusted agent requests the token and the metadata server denies the request for the token.
  - 3. The method of claim 2, wherein the synthetic file system is implemented using Filesystem in Userspace (FUSE).
  - 4. The method of claim 1, wherein determining that the first guest application is not authorized for the first system call by the security policy comprises:
    - translating the first system call into a host request; and
      
      providing the host request to a virtual machine monitor, the virtual machine monitor being a process executing on the host operating system and not on the virtual machine, the virtual machine monitor having access to the external data repository.
  - 5. The method of claim 4, wherein translating the first system call into a host request comprises serializing the first system call and information identifying the first guest application into the host request.
  - 6. The method of claim 4, wherein providing the host request to the virtual machine monitor comprises using a ring buffer that is shared between the virtual machine and the host operating system.
  - 7. The method of claim 1, wherein the system of one or more computers is a host machine executing the host operating system, and wherein the virtual machine executes a guest operating system that controls the execution of the guest applications within the virtual machine and provides services to the guest applications.

8. A system of one or more computers configured to perform operations comprising:
- executing a virtual machine on a host operating system;
  
  mounting a synthetic file system on the virtual machine to expose the synthetic file system to a plurality of guest applications executing on the virtual machine, wherein the synthetic file system is configured to provide a plurality of system calls to the guest applications including at least a read operation or a write operation for reading from or writing to an external data repository storing data outside the virtual machine;
  
  receiving a first system call of the plurality of system calls at the synthetic file system for the read operation or the write operation from a first guest application of the plurality of guest applications;
  
  determining that the first guest application is not authorized for the first system call by a security policy associated with the synthetic file system, wherein determining that the first guest application is not authorized for the first system call by the security policy comprises;
  
  translating the first system call into a server request; and
  
  providing the server request to a trusted agent, the trusted agent being a process executing on the virtual machine, wherein the trusted agent is configured to send the server request to a server external to the virtual machine, the server being configured to access the external data repository, and wherein the server is configured to provide a token to the trusted agent during a booting process for the virtual machine, and the trusted agent is configured to provide the token to the server with the server request; and
  
  denying access to the external data repository to the first guest application.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The system of claim 8, wherein:
    - the server is configured to provide the token to the virtual machine only once; and
      
      the trusted agent is configured to shut down the virtual machine when, during the booting process, the trusted agent requests the token and the metadata server denies the request for the token.
  - 10. The system of claim 9, wherein the synthetic file system is implemented using Filesystem in Userspace (FUSE).
  - 11. The system of claim 8, wherein determining that the first guest application is not authorized for the first system call by the security policy comprises:
    - translating the first system call into a host request; and
      
      providing the host request to a virtual machine monitor, the virtual machine monitor being a process executing on the host operating system and not on the virtual machine, the virtual machine monitor having access to the external data repository.
  - 12. The system of claim 11, wherein translating the first system call into a host request comprises serializing the first system call and information identifying the first guest application into the host request.
  - 13. The system of claim 11, wherein providing the host request to the virtual machine monitor comprises using a ring buffer that is shared between the virtual machine and the host operating system.
  - 14. The system of claim 8, wherein the system of one or more computers is a host machine executing the host operating system, and wherein the virtual machine executes a guest operating system that controls the execution of the guest applications within the virtual machine and provides services to the guest applications.

15. A computer storage medium encoded with a computer program, the program comprising instructions that when executed by one or more computers cause the one or more computers to perform operations comprising:
- executing a virtual machine on a host operating system;
  
  mounting a synthetic file system on the virtual machine to expose the synthetic file system to a plurality of guest applications executing on the virtual machine, wherein the synthetic file system is configured to provide a plurality of system calls to the guest applications including at least a read operation or a write operation for reading from or writing to an external data repository storing data outside the virtual machine;
  
  receiving a first system call of the plurality of system calls at the synthetic file system for the read operation or the write operation from a first guest application of the plurality of guest applications;
  
  determining that the first guest application is not authorized for the first system call by a security policy associated with the synthetic file system, wherein determining that the first guest application is not authorized for the first system call by the security policy comprises;
  
  translating the first system call into a server request; and
  
  providing the server request to a trusted agent, the trusted agent being a process executing on the virtual machine, wherein the trusted agent is configured to send the server request to a server external to the virtual machine, the server being configured to access the external data repository, and wherein the server is configured to provide a token to the trusted agent during a booting process for the virtual machine, and the trusted agent is configured to provide the token to the server with the server request; and
  
  denying access to the external data repository to the first guest application.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The computer storage medium of claim 15, wherein:
    - the server is configured to provide the token to the virtual machine only once; and
      
      the trusted agent is configured to shut down the virtual machine when, during the booting process, the trusted agent requests the token and the metadata server denies the request for the token.
  - 17. The computer storage medium of claim 16, wherein the synthetic file system is implemented using Filesystem in Userspace (FUSE).
  - 18. The computer storage medium of claim 15, wherein determining that the first guest application is not authorized for the first system call by the security policy comprises:
    - translating the first system call into a host request; and
      
      providing the host request to a virtual machine monitor, the virtual machine monitor being a process executing on the host operating system and not on the virtual machine, the virtual machine monitor having access to the external data repository.
  - 19. The computer storage medium of claim 18, wherein translating the first system call into a host request comprises serializing the first system call and information identifying the first guest application into the host request.
  - 20. The computer storage medium of claim 18, wherein providing the host request to the virtual machine monitor comprises using a ring buffer that is shared between the virtual machine and the host operating system.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Google LLC (Alphabet Inc.)
Original Assignee
Google Inc. (Alphabet Inc.)
Inventors
Beda, Joseph S. III
Primary Examiner(s)
GOODCHILD, WILLIAM J

Application Number

US13/424,013
Time in Patent Office

729 Days
Field of Search

726/1
US Class Current

726/1
CPC Class Codes

G06F 21/53 by executing in a restricte...

G06F 21/6218 to a system of files or obj...

Exposing data to virtual machines

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Exposing data to virtual machines

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links