Abstract:
Systems, methods, and computer-readable media for updating a component utilized by an application within a distributed computing environment. An inventory of components relied on by applications within a distributed computing environment is created and maintained to facilitate identifying applications utilizing a particular component. A determination is made from the inventory of applications that utilize the particular component. An indication is received that an update is available for the particular component. An application image for an application utilizing the particular component is booted in an isolated computing environment to allow the component to be updated. A new image of the application is created to reflect the updated component. A user, such as a developer, of the application may be notified that the new image is available for future instantiations of the application.
Abstract:
Two or more separate physical file system directories are presented as one merged (virtual) file system directory to a process running in a silo. The operating system controls the level of access to the files in the merged directory. The operating system provides the merged view of the file system directories by monitoring file system requests made by processes in silos on a computer or computer system and, in response to detecting certain types of file system access requests, provides the view of the seemingly merged directories by performing special processing. The types of requests which trigger the special processing include: enumeration, open, create, rename or close.
Abstract:
A containment mechanism provides for the grouping and isolation of multiple processes running on a single computer using a single instance of the operating system. A system is divided into one or more side-by-side and/or nested spaces enabling the partitioning and controlled sharing of resources by creating different views of hierarchical name spaces by creating a new branch of an existing global system name space or by linking the sub-root level nodes of a new hierarchy to a subset of nodes in an existing global system name space.
Abstract:
An intra-operating system isolation mechanism called a silo provides for the grouping and isolation of processes running on a single computer using a single instance of the operating system. The operating system enables the controlled sharing of resources by providing a view of a system name space to processes executing within an isolated application called a server silo. A server silo is created by performing a separate “mini-boot” of user-level services within the server silo. The single OS image serving the computer employs the mechanism of name space containment to constrain which server silos can use which resource(s). Restricting access to resources is therefore directly based on the process or application placed in the server silo rather than on who is running the application, because if a process or application is unable to resolve a name used to access a resource, it will be unable to use the resource.
Abstract:
An element of a file system is virtually deleted by creating a deletion marker for the element. Two or more separate physical file system directories are presented as one merged (virtual) file system directory to a process running in a silo. The operating system provides the merged view of the file system directories by monitoring file system requests made by processes in silos on a computer or computer system and filtering out those elements associated with deletion markers. Special processing is invoked in response to detecting certain types of file system access requests, including: enumeration, open, create, rename or delete.
Abstract:
Each virtualized environment on a computer has its own set of firewall rules. The virtualized environments share a single instance of the operating system image, a filter engine and a single network stack. A virtualized environment may be a compartment or a server silo. A virtualized environment is a network isolation mechanism and may be used to prevent use of a computer to traverse network boundaries by creating a separate virtualized environment for each network, enabling a separate set of rules to be applied to each virtualized environment and the network interfaces within it. Virtualized environments may also be used to assign different trust levels to the same physical network. Firewall rules are applied by virtualized environment identifier (ID), enabling separate filters to be applied to each virtualized environment on a computer. A virtualized environment may include or be associated with one or more network interfaces.
Abstract:
A computer system having virtual memory that can be mapped using multiple page sizes onto logically addressable physical memory. An intermediate addressing scheme permits the mapping of several non-contiguous small pages in physical memory onto a bigger sized virtual memory page. Rather than translating a virtual address directly into a physical address, a virtual address is translated into an intermediate address that may or may not be a physical address. If the virtual page is backed by physical memory that is contiguous and aligned on a proper boundary for the page size, then the intermediate address will be the physical address and no second translation is required. If the intermediate address is not a physical address, it is then translated into a physical address. This is the case where a big page in virtual memory is backed by more than one smaller page in physical memory. Thus, non-contiguous small pages in physical memory can be mapped together using an intermediate translation to form a single big page thereby removing the requirement that a big page be mapped using a single contiguous portion of physical memory and further removing the requirement that the big page be big page boundary aligned within physical memory. Furthermore, several small pages can be promoted to a single big page simply by changing the virtual address to intermediate address mappings and also changing the intermediate address to physical address mappings to reflect the promotion thereby eliminating the need to move the contents of the small pages into a single contiguous, big page aligned region of physical memory. Furthermore, a big page sized region of virtual memory that has one or more smaller page sized holes within it can be treated as a single big virtual memory page and be backed in physical memory using only as many smaller pages as are required to back the non-hole regions of the virtual address space.
Abstract:
This disclosure describes a solution to the basic problem of transaction management for systems which use the object metaphor to define the interfaces between different components of a system. An elegant solution is described which defines a transaction manager protocol and process, which is independent of the operating system micro-kernel's interprocess communication activities. The object-oriented transaction manager ("TM") creates transactions, keeps track of all object managers (servers) that are a part of a transaction, and coordinates transaction termination among all objects that are involved in the transaction. In addition, operations by naive applications can be made to execute under transaction control without modifying the applications.
Abstract:
A method and apparatus to share virtual memory translations in a computer is described. The apparatus includes an operating system that runs in conjunction with a central processing unit. The operating system is programmed to include an address identification routine to identify distinct virtual memory translation entries, associated with a plurality of distinct processes running on the computer, that map to one or more common physical memory page addresses. The operating system also includes a mask assignment routine to assign a first mask value to the distinct virtual memory translation entries, and a write routine to write, to a translation-lookaside buffer or a page table, the distinct virtual memory translation entries as a single address associated with the first mask value. A comparison mechanism is used to compare a second mask value of a translation-request virtual memory translation value to the first mask value to determine whether the second mask value corresponds to said first mask value. If the two mask values correspond, then the single address associated with the first mask value is used as a virtual memory translation address.