Systems and methods for double hulled virtualization operations

US 8,793,688 B1
Filed: 03/15/2013
Issued: 07/29/2014
Est. Priority Date: 03/15/2013
Status: Active Grant

First Claim

Patent Images

1. A method for storing and processing data, comprising:

providing an operating system (OS) virtualization running on a processor and having a plurality of containers, one or more containers preventing privilege escalation by a user to an administrator of a global zone running the OS virtualization;

providing a hardware virtual machine (HVM) for the user, the HVM encapsulated in one of the one or more containers;

limiting access by the user associated with the HVM to the one of the one or more containers encapsulating the HVM; and

limiting operations of the user within the one of the one or more containers to instantiating another HVM.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method for storing and processing data includes providing an operating system (OS) virtualization running on a processor and having a plurality of containers. Each container may prevent privilege escalation by a user to an administrator of a global zone running the OS virtualization. The method may also include providing a hardware virtual machine (HVM) for the user, the HVM encapsulated in one of the containers. A system for storing and processing data is provided that includes an operating system (OS) virtualization stored in a memory and running on a processor. The OS virtualization has a plurality of containers, and each container prevents privilege escalation by a user to an administrator of a global zone running the OS virtualization. The HVM may be encapsulated in one of the containers. A non-transitory computer readable storage medium having a program recorded thereon is provided.

Citations

18 Claims

1. A method for storing and processing data, comprising:
- providing an operating system (OS) virtualization running on a processor and having a plurality of containers, one or more containers preventing privilege escalation by a user to an administrator of a global zone running the OS virtualization;
  
  providing a hardware virtual machine (HVM) for the user, the HVM encapsulated in one of the one or more containers;
  
  limiting access by the user associated with the HVM to the one of the one or more containers encapsulating the HVM; and
  
  limiting operations of the user within the one of the one or more containers to instantiating another HVM.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1, further comprising eliminating code paths directed from within the one of the one or more containers to outside the one of the one or more containers.
  - 3. The method of claim 1 further comprising configuring the HVM by a quick emulator (QEMU) to limit access by the user via a virtual network interface card (VNIC) to the one of the one or more containers encapsulating the HVM.
  - 4. The method of claim 3, further comprising:
    - preventing the user from changing the VNIC; and
      
      limiting actions of the user within the HVM by limiting privileges of the user at an instantiation of the HVM by the QEMU.
  - 5. The method of claim 1, wherein limited resource control of the OS virtualization is inherited by the HVM.
  - 6. The method of claim 5, wherein:
    - the HVM accesses at least one storage volume for the user via at least one of a virtual network interface card (VNIC) and a virtual disk controller (VDC);
      
      input/output is dynamically throttled for the HVM by the OS virtualization; and
      
      processor scheduling is performed for the HVM by the OS virtualization.
  - 7. The method of claim 1, further comprising providing a debug module in the global zone hosting the OS virtualization, the debug module adapted to monitor input/output of the one of the one or more containers.
  - 8. The method of claim 7, wherein the debug module is adapted to observe virtual register states of the HVM.
  - 9. The method of claim 1, further comprising throttling input/output of the HVM by an administrator of the global zone.

10. A system for storing and processing data, comprising:
- an operating system (OS) virtualization stored in a memory and running on a processor, the OS virtualization having a plurality of containers, one or more containers preventing privilege escalation by a user to an administrator of a global zone running the OS virtualization;
  
  a hardware virtual machine (HVM) for the user, the HVM encapsulated in one of the one or more containers;
  
  wherein;
  
  access by the user associated with the HVM is limited to the one of the one or more containers encapsulating the HVM; and
  
  operations of the user within the one of the one or more containers are limited to instantiating another HVM.
- View Dependent Claims (11, 12, 13, 14, 15, 16)
- - 11. The system of claim 10, wherein code paths directed from within the one of the one or more containers to outside the one of the one or more containers are eliminated.
  - 12. The system of claim 10, further comprising configuring the HVM by a quick emulator (QEMU) to limit access by the user via at least one of a virtual network interface card (VNIC) and a virtual disk controller (VDC) to the one of the one or more containers encapsulating the HVM.
  - 13. The system of claim 12, wherein:
    - the user is prevented from changing the VNIC; and
      
      actions of the user within the HVM are limited by limiting privileges of the user at an instantiation of the HVM by the QEMU.
  - 14. The system of claim 10, wherein:
    - limited resource control of the OS virtualization is inherited by the HVM;
      
      the HVM accesses at least one storage volume for the user via at least one of a virtual network interface card (VNIC) and a virtual disk controller;
      
      input/output is dynamically throttled for the HVM by the OS virtualization; and
      
      processor scheduling is performed for the HVM by the OS virtualization.
  - 15. The system of claim 10, further comprising a debug module in the global zone hosting the OS virtualization, the debug module adapted to monitor input/output of the one of the one or more containers, the debug module further adapted to observe register states of the HVM.
  - 16. The system of claim 10, wherein input/output of the HVM is throttled by an administrator of the global zone.

17. A non-transitory computer readable storage medium having a program recorded thereon, the program when executed causing a computer to perform a method for storing and processing data, the method comprising:
- providing an operating system (OS) virtualization having a plurality of containers, one or more containers preventing privilege escalation by a user to an administrator of a global zone running the OS virtualization;
  
  providing a hardware virtual machine (HVM) for the user, the HVM encapsulated in one of the one or more containers;
  
  eliminating code paths directed from within the one of the one or more containers to outside the one of the one or more containers;
  
  limiting access by the user associated with the HVM to the one of the one or more containers encapsulating the HVM; and
  
  limiting operations of the user within the one of the one or more containers to instantiating another HVM.
- View Dependent Claims (18)
- - 18. The non-transitory computer readable storage medium of claim 17, wherein the method further comprises:
    - configuring the HVM by a quick emulator (QEMU) to limit access by the user via at least one of a virtual network interface card (VNIC) and a virtual disk controller (VDC) to the one of the one or more containers encapsulating the HVM;
      
      preventing the user from changing the VNIC; and
      
      limiting actions of the user within the HVM by limiting privileges of the user at instantiation of the HVM by the QEMU.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Joyent, Inc. (Samsung Electronics Co. Ltd.)
Original Assignee
Joyent, Inc. (Samsung Electronics Co. Ltd.)
Inventors
Cantrill, Bryan, Mustacchi, Robert, Bruning, Max, Jelinek, Gerald
Primary Examiner(s)
Puente, Emerson
Assistant Examiner(s)
DO, STEVEN M

Application Number

US13/835,865
Time in Patent Office

501 Days
Field of Search

718/1
US Class Current

718/1
CPC Class Codes

G06F 2009/45587 Isolation or security of vi...

G06F 9/45558 Hypervisor-specific managem...

Systems and methods for double hulled virtualization operations

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Systems and methods for double hulled virtualization operations

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links