US007519814B2
`
`US 7,519,814 B2
`(10) Patent No.:
`a2) United States Patent
`Rochette et al.
`(45) Date of Patent:
`Apr.14, 2009
`
`
`(54) SYSTEM FOR CONTAINERIZATION OF
`APPLICATION SETS
`
`WoO
`
`WO 2006/039181 A
`
`4/2006
`
`(75)
`
`Inventors: Donn Rochette, Fenton, IA (US); Paul
`O'Leary, Kanata (CA); Dean Huffman,
`Kanata (CA)
`
`(73) Assignee: Trigence Corp., Ottawa (CA)
`
`(*) Notice:
`
`Subject to any disclaimer, the term ofthis
`patent is extended or adjusted under 35
`US.C. 154(b) by 933 days.
`
`(21) Appl. No.: 10/939,903
`
`(22)
`
`Filed:
`
`Sep. 13, 2004
`
`OTHER PUBLICATIONS
`System
`al,
`‘Container-based Operating
`et
`S.,
`Soltesz,
`Virtualization:A Scalable, High-performance Alternative
`to
`Hypervisors’, SIGOPS Oper. Syst. Rev., vol. 41, No. 3. Jun. 2007),
`pp.
`275-287,
`entire
`article,
`http://delivery.acm.org/10.1145/
`1280000/1273025/p275-soltesz.pdf?key 1=1273025&
`key2=02795 28221 &collI=GUIDE&dl=GUIDE&
`CFID=13091697& CFTOKEN=4667.*
`
`Primary Examiner—Kambiz Zand
`Assistant Examiner—Ronald Baum
`
`(74) Attorney, Agent, or Firm—Allen, Dyer, Doppelt,
`Milbrath & Gilchrist, P.A.
`
`(65)
`
`Prior Publication Data
`
`(57)
`
`ABSTRACT
`
`US 2005/0060722 Al
`
`Mar. 17, 2005
`
`Related U.S. Application Data
`
`(60) Provisional application No. 60/512,103, filed on Oct.
`20, 2003, provisional application No. 60/502,619,
`filed on Sep. 15, 2003.
`
`(51)
`
`Int. Cl.
`(2006.01)
`GO6F 3/00
`(52) US. Ch cccceceecsseceee 713/167; 713/164; 709/248:
`709/214; 719/319
`(58) Field of Classification Search ................. 713/167;
`719/319
`
`See application file for complete search history.
`
`(56)
`
`References Cited
`U.S. PATENT DOCUMENTS
`
`6,381,742 B2*
`
`4/2002 Forbesetal. ......... 717/176
`
`(Continued)
`FOREIGN PATENT DOCUMENTS
`
`WO
`
`WO 02/06941 A
`
`1/2002
`
`A system is disclosed having servers with operating systems
`that may differ, operating in disparate computing environ-
`ments, wherein each server includes a processor and an oper-
`ating system including a kernela set of associated local sys-
`tem files compatible with the processor. This invention
`discloses a methodofprovidingat least some ofthe servers in
`the system with secure, executable, applicationsrelated to a
`service, wherein the applications may be executed in a secure
`environment, wherein the applications each include an object
`executable by at least someofthe different operating systems
`for performing a task relatedto the service. The method ofthis
`invention requires storing in memory accessible to at least
`someofthe servers a plurality of secure containers of appli-
`cation software. Each container includes one or more ofthe
`executable applications and a set of associated system files
`required to execute the one or more applications, for use with
`alocal kernel residing permanently on oneofthe servers. The
`set of associated system files are compatible with a local
`kernel of at least someofthe plurality of different operating
`systems. The containers of application software exclude a
`kernel; and someorall of the associated system files within a
`container stored in memory are utilized in place of the asso-
`ciated local system files resident on the server.
`
`34 Claims, 17 Drawing Sheets
`
`Google Exhibit 1001
`Google v. VirtaMove
`
`tIIIIII iIIII:I
`
`' 1ii
`
`
`
`we]
`
`1a
`
`Application
`
`
`
`
`Application =
`
`
`
`Files
`
`Hardware
`
`Google Exhibit 1001
`Google v. VirtaMove
`
`

`

`US 7,519,814 B2
`
`Page 2
`
`U.S. PATENT DOCUMENTS
`
`1/2005 Kelleretal. wc. 707/100
`6,847,970 B2*
`7/2006 Russell et al. ..........0.. 719/315
`7,076,784 B1*
`7,287,259 B2* 10/2007 Grier etal. wo. eee 719/331
`
`2002/0004854 Al
`2002/0174215 Al
`2003/0101292 Al
`
`1/2002 Hartley
`11/2002 Schaefer .......... eee 709/224
`5/2003 Fisher
`
`* cited by examiner
`
`

`

`U.S. Patent
`
`Apr. 14, 2009
`
`Sheet 1 of 17
`
`US 7,519,814 B2
`
`WwajshS
`
`saild
`
`
`
`{iuoyeojddy
`
`jauey
`
`QJeMpIeH
`
`Ibb weeeweeeeewewheeeeeeeeeeeeeeeeweeeweeeeeeofaJempleyH
`
`
`
`

`

`U.S. Patent
`
`Apr. 14, 2009
`
`Sheet 2 of 17
`
`US 7,519,814 B2
`
`Zoinbig
`
`20¢
`
`Soll
`
`q0¢
`
`jouay
`
`dJIEMpJeY
`
`02
`
`S8DIAIBSSO
`
`BulAyepuy
`
`PLZ
`
`Jauiejuoy
`
`aunoas
`
`qLz
`
`Jauiejuosy
`
`ainoeg
`
`uoneoddy
`
`{uoneoiyddy
`
`uoneojddy
`
`uonesiddy
`
`ILZ
`
`iLuoneoyjddy
`
`
`
`—{uoijesddy
`
`
`
`
`

`

`U.S. Patent
`
`Apr. 14, 2009
`
`Sheet 3 of 17
`
`US 7,519,814 B2
`
`¢ainbi4
`
`ve
`
` Jauiejuoy
`
`
`
`UuOIiUyagJoUIe}UOyD
`
`yndu|
`
`Jojesado/sesn=[||
`
`
`
`uojeajddeainjdep
`
`Buysixeuewol4
`
`
`
`Jeysulsantas
`
`<7
`
`(aS
`
`WowUOe]|e}Su|
`
`
`
`JOBIPSw|JE}SU}
`
`uoneoddy
`
`sayabeyoed
`
`
`

`

`U.S. Patent
`
`Apr. 14, 2009
`
`Sheet 4 of 17
`
`US 7,519,814 B2
`
`
`
`
`
`
`
`Jaule}uoyandesJaulejuoyainoes
`
`q0z
`
`uonesiddy
`
`uojeoddy
`
`
`
`ifuonesjddy
`
`
`
`—luonjeajddy
`
`yoinbi4
`
`Or
`
`
`
`JaulejuooduJN}e!pu
`
`
`
`Sanjeaoyloads
`
`
`
`
`
`dIEMpPJeH12DwiaysAsjdaosayu|
`
`wa}sks
`
`soll
`
`IEDwajsks
`
`
`
`ssolppeOVIN
`
`ssaJppedj
`
`SWeUISOH
`
`
`
`jauseyjawayyey
`
`e(/Nnpow
`
`uajeinbyuoy
`
`ejeq
`
`Joyeuadgyjiesn
`
`yndu|
`
`
`
`
`
`
`
`
`
`
`
`

`

`U.S. Patent
`
`Apr. 14, 2009
`
`Sheet 5 of 17
`
`US 7,519,814 B2
`
`sgainbi4
`
`
`
`Jauieyuoyainoasg
`
`
`
`Jauieyuoyaunoas
`
`uojesddy
`
`uonesjddy
`
`Wwa}shS
`
`Soild
`
`rs—uoyesiddy
`
`
`
`rtuoyeojddy
`
`jauley
`
`oy
`
`aJeMpleH
`
`
`
`SJBMpJeyYJO}JOPUOW
`
`sja6esn
`
`LS
`
`Joyesadojasy
`
`
`
`-Jo/pue-}ndul
`
`
`
`
`
`*"payelepoyne-
`
`Asowayy
`
`4IOMJON
`
`Add
`
`SIG
`
`uoneinbyuo7
`
`eyed
`
`
`
`
`
`
`
`
`
`
`

`

`U.S. Patent
`
`Apr. 14, 2009
`
`Sheet 6 of 17
`
`US 7,519,814 B2
`
`
`
`pained_sovomsJeMpsJeH
`
`ov
`
`
`
`S8DINIBSSOJBUIEJUODJauiejuoy
`
`BulAyepunBINIBSainoesg
`
`
`
`
`
`uojeajddy
`
`
`
`uoneaddyuoijeoddy
`
`q0zF0¢
`
`WuaysAS
`
`S9jl4
`
`—uoiesddy
`-Soll-wajshs
`
`—Luoneoyjddy
`
`wajshS
`
`soll
`
`Fy
`
`
`
`—luoneojddy
`
`
`
`
`
`

`

`U.S. Patent
`
`Apr. 14, 2009
`
`Sheet 7 of 17
`
`US 7,519,814 B2
`
`aINd2S
`
`JaUIe}uOs)
`
`
`
`—l,uojeojddy
`
`
`
`Soild
`
`Jaulejuo4y
`
`Wa}skS
`
`soll
`
`uonemnByuoy
`
`ainpo;
`
`
`
`preyssddeyoyauyag
`
`
`
`eZWsYMJapJoyeyMulpue$!Jauje}UODandes
`
`
`
`
`
`2oanbi4
`
`JanuaseUOpayjeysul
`
`
`
`

`

`U.S. Patent
`
`Apr. 14, 2009
`
`Sheet 8 of 17
`
`US 7,519,814 B2
`
` E\JEq
`s}NdwoyZJauleyuoyZJauleyuoyD
`
`wdcuoljeinByuoDwa}sks
`
`
`
`J9}}04U0DJUsWebeUeWaBesojsa}l4yIOMJAN
`
`uoljeunbyuogdWwajsks
`|JouIeJUOD}JouleyuOy
`
`eeq
`
`ed
`
`9ainbigv8z8
`
`€JaUIeJUOD
`
`uoneunByuoD
`
`e}EG
`
`€Joule}uoD
`
`
`
`
`

`

`U.S. Patent
`
`Apr. 14, 2009
`
`Sheet 9 of 17
`
`US 7,519,814 B2
`
` UOPe|g
`
`BuiAyapunandesez9
`S8DINIBSSOJauIe}UOD
`ainpow[|puey_|oe
`aindwoy|evenmen_|"aJemMpJeH
`
`puesajyoyioedssauleyuoZ
`
`wWa}sAS
`
`soll
`
`JaulejuoD
`
`uoljeinbByuo0d
`
`JE}SUj
`
`JBUIEJUOD
`
`WwayskS
`
`cv
`
`
`
`JauieyucoBuunppeurquoo
`
`
`
`aieeyepuoneinByuoo
`
`e}SuI
`
`6ainbi4
`
`
`
`
`

`

`U.S. Patent
`
`Apr. 14, 2009
`
`Sheet 10 of 17
`
`US 7,519,814 B2
`
`OFeunbi4
`
`
`
`JBUIEJUCDss900Jd&ajyea
`
`palqo
`
`ssoooidBudAJAO/
`
`ssaoode}Ixay||I
`
`aBesnAiows
`
`12Dwaysks
`
`jowey
`
`ainpoyy
`
`uoieojddy
`
`yalqo
`
`
`
`SS9901dabesnnd
`
`jouey
`
`
`

`

`U.S. Patent
`
`Apr. 14, 2009
`
`Sheet 11 of 17
`
`US 7,519,814 B2
`
`
`
`yndu|ainByuop
`
`a}eBaD
`
`Joyesadguasn JOUIEUOY|
`
`LPeanbi4
`
`HEySU|
`
`Jauleyuog
`
`
`
`JaniasBurysixa
`
`JOUIEJUOT)
`
`
`
`aJepijeAeIpaw
`
`
`
`Woyjjeysulddy
`
`sounjieyddy
`
`Jauleyuo)wojjeysulddy
`
`
`

`

`U.S. Patent
`
`Apr. 14, 2009
`
`Sheet 12 of 17
`
`US 7,519,814 B2
`
`
`
`uodljeo1ydeic)
`
`eBJO
`
`Burjndwoo
`
`wuuoyjeidJo)asnoweBuisn
`
`
`
`BujuiodJaujo
`
`
`
`UOd!jedIYdeJs)
`
`oyloadsbejo
`
`sJeEMYOS
`
`uojeojdde
`
`
`
`
`
`UCD!JOajas(@dIAap
`
`a}NdwooeuO}doippue1Bep
`
`uoo!WO}e\d
`
`7)eunbi4
`
`
`
`
`

`

`Apr. 14, 2009
`
`SJOWDY
`
`UUOVe}4ayndwoy
`
`BJEMYOS
`
`suonjeoydde
`
`U.S. Patent
`
`aleMyos
`
`suonesdde
`
`Sheet 13 of 17
`
`
`
`abesojsajl4
`
`}yBnoJjg
`
`US 7,519,814 B2
`
`
`
`uonesedodoJp9Beipe0}asuodsal
`
`
`
`ul3723SBuIyJomoul
`
`€,oinbiy
`
`puepayjeysu| uinipayy
`
`
`
`

`

`U.S. Patent
`
`Apr. 14, 2009
`
`Sheet 14 of 17
`
`US 7,519,814 B2
`
`13
`
`
`Creai
`
`yleinbi4
`
`
`
`

`

`U.S. Patent
`
`Apr. 14, 2009
`
`Sheet 15 of 17
`
`US 7,519,814 B2
`
`UOHeZIENIU
`
`
`
`UO0D!}eO1D
`
`INDSV
`
`oafqo
`
`e}yelD0Sssy
`
`do.ip
`
`4a|puey
`
`suoieiado
`
`UOD!0}
`
`Gpounbi
`
`
`

`

`U.S. Patent
`
`Apr. 14, 2009
`
`Sheet 16 of 17
`
`US 7,519,814 B2
`
`uoIssiwmed
`
`311}19S
`
`
`
`}SAl}PRIS
`
`uonesjdde
`
`ajepdn
`
`ajosuod
`
`9}aunbi4
`
`
`
`aindwodpijeA
`
`wwojje\d
`
`
`
`JOSNa}ea1D
`
`junoooe
`
`uoiesijddy
`
`sol}
`
`1/2}Su]
`
`
`
`

`

`U.S. Patent
`
`Apr. 14, 2009
`
`Sheet 17 of 17
`
`US 7,519,814 B2
`
`SAOWDY
`
`Jasn
`
`junoo0e
`
`ajepdn
`
`a]OSUOD
`
`Zpaanbig
`
`a}e}SWON
`
`épijea
`
`dois
`
`suoijesijdde
`
`uoneajddeAdog
`
`O}Soil}Byep
`
`Asoyisoda.
`
`
`
`
`

`

`US 7,519,814 B2
`
`1
`SYSTEM FOR CONTAINERIZATION OF
`APPLICATION SETS
`
`CROSS-REFERENCE TO RELATED
`APPLICATIONS
`
`This application claimspriority of U.S. Provisional Patent
`Application No. 60/502,619 filed Sep. 15, 2003 and 60/512,
`103 filed Oct. 20, 2003, which are incorporated herein by
`reference for all purposes.
`
`10
`
`FIELD OF THE INVENTION
`
`The invention relates to computer software. In particular,
`the invention relates to management and deployment of
`server applications.
`
`BACKGROUNDOF THE INVENTION
`
`Computer systems are designed in such a waythat appli-
`cation programs share commonresources. It is traditionally
`the task of an operating system to provide a mechanism to
`safely and effectively control access to shared resources
`required by application programs. This is the foundation of
`multi-tasking systems that allow multiple disparate applica-
`tions to co-exist on a single computer system.
`The current state of the art creates an environment where a
`
`collection of applications, each designed for a distinct func-
`tion, must be separated with each application installed on an
`individual computer system.
`In someinstances this separation is necessitated by conflict
`over shared resources, such as network port numbers that
`would otherwise occur. In other situations the separation is
`necessitated by the requirementto securely separate data such
`as files contained on disk-based storage and/or applications
`between disparate users.
`In yet othersituations, the separation is driven bythe reality
`that certain applications require a specific version of operat-
`ing system facilities and as such will not co-exist with appli-
`cations that require another version.
`As computer system architecture is applied to support spe-
`cific services, it inevitably requires that separate systems be
`deployedfor different sets ofapplications required to perform
`and or support specific services. This fact, coupled with
`increased demandfor support of additional application sets,
`results in a significant increase in the number of computer
`systems being deployed. Such deployment makes it quite
`costly to manage the numberof systems required to support
`several applications.
`There are existing solutions that address the single use
`nature of computer systems. These solutions each have limi-
`tations, some of which this invention will address. Virtual
`Machinetechnology, pioneered by VmWare,offers the ability
`for multiple application/operating system images to effec-
`tively co-exist on a single compute platform. The keydiffer-
`ence between the Virtual Machine approach and the approach
`described herein is that in the former an operating system,
`includingfiles and a kernel, must be deployed for each appli-
`cation while the latter only requires one operating system
`regardless of the numberof application containers deployed.
`The Virtual Machine approach imposes significant perfor-
`mance overhead. Moreover, it does nothing to alleviate the
`requirementthat an operating system mustbe licensed, man-
`aged and maintained for each application. The invention
`described herein offers the ability for applications to more
`effectively share a common compute platform, andalso allow
`
`20
`
`30
`
`35
`
`40
`
`45
`
`50
`
`55
`
`2
`applications to be easily moved between platforms, without
`the requirement for a separate and distinct operating system
`for each application.
`A product offered by Softricity, called SoftGrid®, offers
`whatis described as Application Virtualization. This product
`provides a degree of separation of an application from the
`underlying operating system. Unlike Virtual Machine tech-
`nology a separate operating system is not required for each
`application. The SoftGrid® product does notisolate applica-
`tions into distinct environments. Applications executing
`within a SoftGrid® environment don’t possess a unique iden-
`tity.
`This invention provides a solution wherebya plurality of
`services can conveniently be installed on one or more servers
`in a cost effective and secure manner.
`
`The following definitions are used herein:
`Disparate computing environments: Environments where
`computers are stand-alone or where there are plural
`computers and where they are unrelated.
`Computing platform: A computer system with a single
`instance of a fully functional operating system installed
`is referred to as a computing platform.
`Container: An aggregate of files required to successfully
`execute a set of software applications on a computing
`platform is referred to as a container. A container is not
`a physical container but a grouping of associatedfiles,
`which maybestored in a plurality of different locations
`that is to be accessible to, and for execution on, one or
`moreservers. Each containerfor use ona server is mutu-
`ally exclusive of the other containers, such that read/
`write files within a container cannot be shared with other
`containers. The term “within a container’, used within
`this specification, is to mean “associated with a con-
`tamer”. A container comprises one or more application
`programs including one or moreprocesses, and associ-
`ated system files for use in executing the one or more
`processes; but containers do not comprise a kernel; each
`containerhas its own executionfile associated therewith
`
`for starting one or more applications. In operation, each
`container utilizes a kernel resident on the server that is
`
`part of the operating system (OS) the containeris run-
`ning under to execute its applications.
`Secure application container: An environment where each
`application set appears to have individual control of
`somecritical system resources and/or where data within
`each application set is insulated from effects of other
`application sets is referred to as a secure application
`container.
`Consolidation: The ability to support multiple, possibly
`conflicting, sets of software applications on a single
`computing platform is referred to as consolidation.
`System files: System files are files provided within an
`operating system and whichare available to applications
`as shared libraries and configurationfiles.
`By way of example, Linux Apache uses the following
`shared libraries, supplied by the OS distribution, which are
`“system”files.
`/ust/lib/libz.so.1
`/lib/libssl.so.2
`
`/lib/liberypto.so.2
`/usr/lib/libaprutil.so.0
`/usr/lib/libgdbm.so.2
`/ib/libdb-4.0.so
`
`/usr/lib/libexpat.so.0
`/usr/lib/libapr.so.0
`/ib/1686/libm.so.6
`
`/lib/liberypt.so.1
`
`

`

`US 7,519,814 B2
`
`/lib/libnsl.so.1
`Mib/libdl.so.2
`
`/itb/1686/libpthread.so.0
`Mib/i686/libc.so.6
`/ib/ld-linux.so.2
`
`10
`
`20
`
`30
`
`35
`
`40
`
`45
`
`50
`
`55
`
`Apache uses the following configuration files, also pro-
`vided with the OS distribution:
`/etc/hosts
`/etc/httpd/conf
`/etc/httpd/conf.d
`/etc/httpd/logs
`/etc/httpd/modules
`/etc/httpd/run
`By way of example, together these shared library files and
`configuration files form system files provided by the operat-
`ing system. There may be any numberofotherfiles included
`as system files. Additional files might be included, for
`example, to support maintenanceactivities or to start other
`networkservices to be associated with a container.
`
`SUMMARYOF THE INVENTION
`
`In a system having a plurality of servers with operating
`systemsthat differ, operating in disparate computing environ-
`ments, wherein each server includes a processor and an oper-
`ating system including a kernel a sct of associated local sys-
`tem files compatible with the processor, a methodis provided
`for providing at least someof the servers in the system with
`secure, executable, applications related to a service, wherein
`the applications may be executed in a secure environment,
`wherein the applications each include an object executable by
`at least some ofthe different operating systems for perform-
`ing a task related to the service. The method comprises the
`steps of:
`storing in memory accessible to at least someofthe servers
`a plurality of secure containers of application software, each
`container comprising one or more of the executable applica-
`tions and a set of associated system files required to execute
`the one or more applications, for use with a local kernel
`residing permanently on oneofthe servers; wherein the set of
`associated system files are compatible with a local kernel ofat
`least someofthe plurality of different operating systems, the
`containers of application software excluding a kernel, and
`wherein someorall of the associated system files within a
`container stored in memory are utilized in place of the asso-
`ciated local system files resident on the server prior to said
`storing step.
`In accordance with another aspect of the invention a com-
`puter system is provided for performing a plurality of tasks
`each comprising a plurality of processes comprising:
`a plurality of secure stored containers of associated files
`accessible to, and for execution on, one or moreservers, each
`container being mutually exclusive of the other, such that
`read/write files within a container cannot be shared with other
`
`containers, each container of files having its own unique
`identity associated therewith, said identity comprisingat least
`one of an IP address, a host name, and a MACaddress;
`wherein, the plurality of files within each of the plurality of
`containers comprise one or more application programs
`including one or more processes, and associated system files
`for use in executing the one or more processes, each container
`having its own execution file associated therewith for starting
`one or more applications, in operation, each containerutiliz-
`ing a kernel resident on the server and wherein each container
`exclusively uses a kernel in an underlying operation system in
`whichit is running and is absent its own kernel; and, a run
`time module for monitoring system calls from applications
`
`4
`associated with one or more containers and for providing
`control of the one or more applications.
`In accordance with a broad aspect, the invention provides a
`method of establishing a secure environment for executing,
`ona computer system,a plurality of applications that require
`shared resources. The method involves, associating one or
`more respective software applications and required system
`files with a container. A plurality of containers have these
`containerized files within.
`
`Containers residing on or associated with a respective
`server each have a resource allocation associated therewith to
`allow the at least one respective application or a plurality of
`applications residing in the container to be executed on the
`computer system accordingto the respective resourcealloca-
`tion without conflict with other applicationsin other contain-
`ers which have their given set of resources andsettings.
`Containers, and therefore the applications within contain-
`ers, are provided with a secure environment from which to
`execute. In some embodimentsofthe invention, each group of
`applications is provided with a secure storage medium.
`In some embodimentsofthe invention the method involves
`containerizing the at least one respective application associ-
`ated respective secure application container, the respective
`secure application container being storable in a storage
`medium.
`
`In some embodiments ofthe invention, groups ofapplica-
`tions are containerized into a single container for creating a
`single service. By way of example applications such as
`Apache, MySql and PHP mayall be grouped in a single
`container for supporting a single service, such as a web based
`human resource or customer managementtypeofservice.
`In some embodiments of the invention,
`the method
`involves exporting one or moreofthe respective secure appli-
`cation containers to a remote computer system.
`In an embodimentof the invention, each respective secure
`application-container has data files for the at least one appli-
`cation within the respective secure application container.
`The method involves makingthe datafiles within one ofthe
`respective secure application containers inaccessible to any
`respective applications within another one ofthe secure appli-
`cation containers.
`
`In embodiments of the invention,all applications within a
`given container have their own commonrootfile system
`exclusive thereto and unique from other containers and from
`the operating system’s rootfile system.
`In embodiments of the invention, a group of applications
`within a single container share a same IP address, unique to
`that container.
`Hence in some embodiments of the invention a method is
`providedfor associating a respective IP address for a group of
`applications within a container.
`In some embodiments of the invention, for each container
`ofapplications, the methodinvolves associating resourcelim-
`its for all applications within the container.
`In some embodiments of the invention, for each group of
`the plurality of groups of applications, for example, for each
`container of applications and system files,
`the method
`involves associating resource limits comprising any one or
`more of limits on memory, CPU bandwidth, Disk size and
`bandwidth and Network bandwidth for the at least one respec-
`tive application associated with the group.
`For each secure application container, the method involves
`determining whether resources available on the computer
`system can accommodate the respective resource allocation
`associated with the group of applications comprising the
`secure application container.
`
`

`

`US 7,519,814 B2
`
`5
`By way of example, when a containeris to be placed on a
`platform comprising a computer and an operating system
`(OS) a check is done to ensure that the computer can accom-
`modate the resources required for the container. Care is exer-
`cised to ensure that the installation of a container will not
`
`overload the computer. For example, if the computeris using
`80% of its CPU capacity and installing the container will
`increase its capacity past 90% the containeris notinstalled.
`If the computer system can accommodate the respective
`resource allocation associated with the group of applications
`forming the secure application container, the secure applica-
`tion container is exported to the computer system.
`Furthermore, in another embodiment, ifone or more secure
`application containers are already installed on the computer
`system, the method involves determining whether the com-
`puter system has enough resources available to accommodate
`the one or more secure application containers are already
`installed in addition to the secure application container being
`exported.
`If there are enough resources available, the resources are
`distributed between the one or more secure application con-
`tainers and the secure application container being exported to
`provide resource control.
`In some embodiments of the invention, in determining
`whether resources available on the computer system to
`accommodate the respective resource allocation, the method
`involves verifying whether the computer system supports any
`specific hardware required by the secure application con-
`tainer to be exported. Therefore, a determination can be made
`as whether any specific hardware requirements of the appli-
`cations within a container are supported by the server into
`whichthe containeris being installed. This is somewhatsimi-
`lar to the abovementioned step wherein a determination is
`made as to whether the server has sufficient resources to
`support a containerto be installed.
`In some embodiments of the invention, for each group of
`applications within a container, in associating a respective
`resource allocation with the group, the method involves asso-
`ciating resource limits for the at least one respective applica-
`tion associated with the group.
`Moreparticularly, the method also involves, during execu-
`tion on the computer system:
`monitoring resource usage of the at least one respective
`application associated with the group;
`intercepting system calls to kernel mode, made bythe at
`least one respective application associated with the group of
`applications from user mode to kernel mode;
`comparing the monitored resource usageofthe at least one
`respective application associated with the group with the
`resource limits;
`and forwarding the system calls to a kernel on the basis of
`the comparison between the monitored resource usage and
`the resource limits.
`The above steps define that the resource limit checks are
`done by means of a system call intercept, which is, by defi-
`nition, a hardware mechanism where an application in user
`modetransitions to kernel code executing in a protected
`mode, i.e. kernel mode. Therefore, the invention provides a
`mechanism wherebycertain, but not all system calls are inter-
`cepted; and wherein operations specific to the needs of a
`particular container are performed, for example, checks
`determinesif limits may have been exceeded, and then allows
`the original system to proceed.
`Furthermore, in some instances a modification may be
`made to whatis returned to the application; for example,
`when a system call is made to retrieve the IP address or
`hostname. The system in accordance with an embodiment of
`
`20
`
`35
`
`40
`
`45
`
`50
`
`55
`
`6
`this invention may chooseto return a container specific value
`as opposed to the valuc that would have otherwise been nor-
`mally returned by the kernel. This intervention is termed
`“spoofing” and will be explained in greater detail within the
`disclosure.
`
`BRIEF DESCRIPTION OF THE DRAWINGS
`
`Exemplary embodiments may be envisaged without
`departing from the spirit and scope ofthe invention.
`FIG. 1 is a schematic diagram illustrating a containerized
`system in accordance with an embodimentof this invention.
`FIG. 2 is aschematic diagram illustrating a system wherein
`secure containers of applications and system files are
`installed on a server in accordance with an embodimentofthe
`invention.
`FIG.3 is a pictorial diagram illustrating the creation of a
`container.
`FIG.4 is a diagram illustrating how a containeris assigned
`a unique identity such as IP address, Hostname, and MAC
`address and introducesthe “kernel module” which is used to
`
`handle system calls.
`FIG. 5 is a diagram similar to FIG. 4, wherein additional
`configuration data is provided.
`FIG.6 is a diagram illustrating a system wherein the con-
`tainers are secure containers.
`FIG.7 is a diagram introducing the sequencing or order in
`which applications within a container are executed.
`FIG.8 is a diagram illustrating the relationship between the
`storage of container system files and container configuration
`data for a plurality of secure containers which may be run on
`a particular computer platform.
`FIG. 9 is a diagram that illustrates the installation of a
`container on a server.
`
`FIG. 10 is a diagram that illustrates the monitoring of a
`numberof applications and state information.
`FIG. 11 is a diagram which showsthat the container cre-
`ation process includes the steps to install the container and
`validate that applications associated with the container are
`functioning properly.
`FIG. 12 is a schematic diagram showing the operation of
`the invention, according to an embodimentof the invention.
`FIG. 13 is a schematic diagram showing software applica-
`tion icons collected in a centralizedfile storage medium and
`a remote computing platform icon, according to another
`embodimentof the invention.
`FIG. 14 is a screen snapshot of an implementation accord-
`ing to the schematic of FIG. 13.
`FIG. 15 is a flow chart of a methodofinitializing icons of
`FIG. 14.
`
`FIG. 16 is a flow chart of a methodofinstalling a software
`application on a computing platform in responseto a drag and
`drop operation of FIG. 14; and,
`FIG. 17 is a flow chart of a method of de-installing a
`software application from a computing platform in response
`to a drag and drop operation of FIG. 13.
`DETAILED DESCRIPTION
`
`Turning now to FIG.1, asystem is shown having a plurality
`of servers 10a, 105. Each server includes a processor and an
`independent operating system. Each operating system
`includes a kernel 12, hardware 13 in the form of a processor
`and a set of associated system files, not shown. Each server
`with an operating system installed is capable of executing a
`number of application programs. Unlike typical systems,
`containerized applications are shown on each server having
`application programs 11a, 116 and related system files 11c.
`
`

`

`US 7,519,814 B2
`
`15
`
`30
`
`40
`
`45
`
`7
`These system files are used in place of system files such as
`library and configuration files present typically used in con-
`junction with the execution of applications.
`FIG.2 illustrates asystem in accordance withthe invention
`in which multiple applications 21a, 216, 21c, 21d, 21e, and
`21fcan execute in a secure environment on a single server.
`This is made possible by associating applications with secure
`containers 20a, 206 and 20c. Applications are segregated and
`execute with their own copies of files and with a unique
`identity. In this manner multiple applications may contend for
`common resources and utilize different versions of system
`files. Moreover, applications executing within a secure con-
`tainer can co-exist with applications that are not associated
`with a container, but which are associated with the underlying
`operating system.
`Containers are created through the aggregation of applica-
`tion specific files. A container contains application and data
`files for applications that provide a specific service. Examples
`of specific services include butare not limited to CRM (Cus-
`tomer Relation Management) tools, Accounting, and Inven-
`tory.
`The Secure application containers 20a, 205 and 20c are
`shown in FIG. 2 in which each combines un-installed appli-
`cation files on a storage medium or network,applicationfiles
`installed on a computer, and system files. The containeris an
`aggregate ofall files required to successfully execute a set of
`software applications on a computing platform. In embodi-
`ments of the invention, containers are created by combining
`application files with system files.
`The containers are output to a file storage medium and
`installed on the computing platforms fromthe file storage
`medium. Each container contains application and data files
`for applications that together provide a specific service. The
`containers are created using, for example, Linux, Windows
`and Unix systemsand preferably programmed in C and C++;
`however, the invention is not limited to these operating sys-
`tems and programming languages and other operating sys-
`tems and programming language maybe used. An application
`set is a set of one or more software applications that support
`a specific service. As shown in the figures, which follow,
`application files are combined with system files to create a
`composite or containerofthefiles required to support a fully
`functional software application.
`Referring now to FIG. 3 the creation of a container is
`illustrated from the files used by a specific application and
`user defined configuration information. The requiredfiles can
`be captured from an existing computer platform 32 where an
`application of interest is currently installed orthefiles can be
`extracted from install mediaor packagefiles 30. Two methods
`of container creation will be described hereafter.
`
`FIG.4 illustrates a system having two secure containers
`20a 206, each provided with a unique identity. This allows,
`for example, other applications to locate a containerized ser-
`vice in a consistent manner independent of which computer
`platform the containerized service is located on. Container
`configuration data, collected from a useror user-defined pro-
`gram, is passed to services resident on a computerplatform 40
`hosting containers. One embodiment shows these services
`implemented in a kernel module 43. The configuration infor-
`mation is transferred one time whenthe containeris installed
`
`on a platform. The type of information required in order to
`provide an application associated with a container a unique
`identity includes items such as an IP address, MAC address
`and hostname. As applications execute within a container
`20a, 205 environment system calls are intercepted, by the
`kernel module 43 passing throughservices installed as part of
`
`8
`this invention, before being passed on to the kernel. This
`system call intercept mechanism allows applications to be
`provided with values that are container specific rather than
`values that would otherwise be returned from the kernel by
`“spoofing” the system.
`Asintroduced heretofore, “spoofing” is invoked when a
`system call is made. Instead of returning values ordinarily
`providedby the operating system’s kernel a module in accor-
`dance with this invention intervenes and returns container
`
`specific values to the application making the system call. By
`way of example, when an application makes the ‘uname’
`system call, the kernel returns values for hostname, OS ver-
`sion, date, time and processor type. The software module in
`accordancewith this invention intercepts the system call and
`causes the application to see kernel defined valu