CN-115885261-B - Partially privileged lightweight virtualized environments

Abstract

The fine-grained selectable partially-privileged container virtual computing environment provides a carrier by which processes involving modification of particular aspects of the host computing environment can be transferred to and executed on the host computing environment while maintaining advantageous and desirable protection and isolation between the remaining aspects of the host computing environment and the partially-privileged container computing environment. Such partial privileges are provided based on actions described directly or indirectly that allow actions to be taken on the host computing environment and disallowed actions by processes executing in the partial privilege container virtual computing environment. Aspects of the host computing environment operating system (such as the kernel) are extended to interface to container-centric mechanisms to receive information about which actions the kernel can allow or deny, even if the process attempting such actions is otherwise sufficiently privileged.

Inventors

  • A. T. Guo
  • Frederik J. Smith IV
  • J. Starks
  • L. Royt
  • D. Thomas
  • H. R. Prapaca
  • B. M. Schultz
  • J. J. Liu

Assignees

  • Microsoft Technology Licensing, LLC

Dates

Publication Date: 20260512
Application Date: 20210406
Priority Date: 20200604

Claims (20)

  1. A computing device for virtualizing an environment, comprising: a processor; and a memory coupled to the processor, the memory comprising computer-executable instructions that, when executed, perform operations to: execute a process within a container virtual computing environment, the container virtual computing environment being implemented in a host computing environment, wherein the process is executed according to a first privilege level and performs a first action directed to modifying a first computing environment aspect, the first computing environment aspect being implemented in both the container virtual computing environment and the host computing environment; prevent, by an operating system of the host computing environment, the first action from modifying the first computing environment aspect of the host computing environment, wherein the preventing is based on metadata associated with the container virtual computing environment, the metadata indicating that a second action may be allowed to be performed to modify a second computing environment aspect of the host computing environment; and execute the first action in the container virtual computing environment, thereby modifying the first computing environment aspect of the container virtual computing environment such that a process executing within the container virtual computing environment perceives the first action as having been completed and a process executing within the host computing environment perceives the first action as not having been completed, wherein executing the first action in the container virtual computing environment modifies the first computing environment aspect of the host computing environment based on the preventing of the first action.
  2. The computing device of claim 1, wherein preventing the first action from modifying the first computing environment aspect of the host computing environment is performed by the operating system of the host computing environment in the same manner as if the operating system of the host computing environment had determined that the first action was not executable by a process executing at the first privilege level.
  3. The computing device of claim 1, wherein performing the first action in the container virtual computing environment comprises modifying the first computing environment aspect in an overlay layer and storing the modified first computing environment aspect in a sandbox on the host computing environment.
  4. The computing device of claim 3, wherein storing the modified first computing environment aspect in a sandbox on the host computing environment comprises recording one or more transactions in the sandbox.
  5. The computing device of claim 1, wherein the computer-executable instructions further perform operations to: perform the first action in the host computing environment, thereby modifying the first computing environment aspect of the host computing environment, in the event that the container virtual computing environment terminates.
  6. The computing device of claim 1, wherein the process performs at least one step of a multi-step transaction comprising other steps performed by one or more processes executing within one or more other container virtual computing environments, and wherein instantiation of the container virtual computing environment is triggered by a transaction manager based on the success of a previous one of the one or more other container virtual computing environments.
  7. The computing device of claim 1, wherein the metadata associated with the container virtual computing environment specifies that modifications to files within a first portion of a file system are allowed to be performed on the host computing environment by processes executing within the container virtual computing environment.
  8. The computing device of claim 1, wherein the container virtual computing environment is instantiated after determining that enumerated preconditions associated with the container virtual computing environment have been satisfied by the host computing environment.
  9. The computing device of claim 8, wherein a container package received by the computing device from a remote container management system includes the enumerated preconditions and the metadata associated with the container virtual computing environment.
  10. The computing device of claim 1, wherein the container virtual computing environment is selected for instantiation based on policy information received by the computing device from a remote container management system.
  11. The computing device of claim 1, wherein the container virtual computing environment is instantiated after performing an idempotency check associated with the container virtual computing environment.
  12. The computing device of claim 11, wherein the idempotency check comprises verifying a proof of idempotency associated with the container virtual computing environment.
  13. The computing device of claim 11, wherein the idempotency check comprises determining that the container virtual computing environment has not been previously instantiated to completion and that the process has not been previously executed to completion within the container virtual computing environment.
  14. A method for virtualizing an environment, the method comprising: executing a process within a privileged container virtual computing environment, the privileged container virtual computing environment being implemented in a host computing environment, wherein the process is executed according to a first privilege level and performs an action directed to modifying a computing environment aspect, a first instance of the computing environment aspect being implemented in the privileged container virtual computing environment and a second instance of the computing environment aspect being implemented in the host computing environment; determining, by an operating system kernel of the host computing environment, that the first privilege level does not allow the action to modify the second instance of the computing environment aspect, wherein the determining includes evaluating a container definition file implemented in the host computing environment, the container definition file identifying functions or actions that the process is allowed to perform in the host computing environment; and, in response to the determining, modifying the first instance of the computing environment aspect in the execution of the action based on the first privilege level.
  15. A system for virtualizing an environment, comprising: a first computing device executing computer-executable instructions implementing a first container management system; and a second computing device executing computer-executable instructions implementing a local container manager, the local container manager performing steps comprising: receiving a first container package from the first computing device, the first container package including a first container definition file; and receiving a first policy from the first computing device, the first policy affecting when the second computing device instantiates a container virtual computing environment based on the first container package; wherein the second computing device references the first container definition file to determine whether a process executing within the container virtual computing environment is permitted to perform a first action that modifies a first computing environment aspect of a host computing environment on which the container virtual computing environment is instantiated, the first computing environment aspect being implemented in both the container virtual computing environment and the host computing environment.
  16. The system of claim 15, wherein the first policy defines a prerequisite to instantiation of the container virtual computing environment by the second computing device based on the first container package, and wherein the steps of the local container manager further comprise providing the first container package to a container creation service executing on the second computing device to instantiate the container virtual computing environment if the prerequisite is determined to have been met.
  17. The system of claim 15, wherein the local container manager further performs steps comprising performing an idempotency check associated with the container virtual computing environment.
  18. The system of claim 17, wherein the idempotency check comprises verifying a proof of idempotency, the first container package comprising the proof of idempotency.
  19. The system of claim 17, wherein the idempotency check comprises determining that the container virtual computing environment has not been previously instantiated to completion.
  20. The system of claim 15, wherein the second computing device executes further computer-executable instructions that perform steps comprising: instantiating the container virtual computing environment; executing the process within the container virtual computing environment at a first privilege level, the process performing the first action as part of the executing, wherein the first action is executable by a process executing at the first privilege level; preventing, by an operating system of the host computing environment, the first action from modifying the first computing environment aspect of the host computing environment; and executing the first action in the container virtual computing environment, thereby modifying the first computing environment aspect of the container virtual computing environment such that a process executing within the container virtual computing environment perceives that the first action has been completed and a process executing within the host computing environment perceives that the first action has not been completed; wherein performing the first action in the container virtual computing environment is based on preventing the first action from modifying the first computing environment aspect of the host computing environment.

Description

Partially privileged lightweight virtualized environments

Background

Traditional virtual computing environments, commonly referred to as "virtual machines," virtualize most or all aspects of a computing environment and, thus, may present a computing environment that is very different from the host computing device hardware and operating system. Such a virtual machine computing environment may virtualize the computing hardware itself. However, because they must virtualize most or all aspects of the host hardware, traditional virtual computing environments may consume large amounts of memory and processing resources, which can be inefficient.

In some instances, a lightweight virtual computing environment, often referred to as a "container," may provide many of the isolation benefits of a traditional virtual computing environment in a more efficient manner, such as by utilizing aspects of the host computing device hardware and operating system rather than virtualizing those aspects of the computing environment. Such a container virtual computing environment may virtualize only portions of the computing environment, such as just the file system, thereby presenting different, isolated views of the file data. Thus, the container may be utilized to provide an isolated computing environment, such as for limiting the impact of potentially malicious instructions, to provide a clean computing environment, such as for testing or troubleshooting purposes, and for other similar benefits.

In some instances, it may be desirable to allow processes executing within the container virtual computing environment to persist changes directly onto the host computing environment. For example, the container virtual computing environment may utilize aspects of the operating system of the host computing environment, such as its printer driver. Processes executing within one container virtual computing environment may install new printer drivers within that container virtual computing environment, but since traditionally such changes would remain within the container itself without affecting the host computing environment, processes executing within other virtual computing environments or within the host computing environment itself would not have access to the new printer drivers. A privileged container may be provided access to the underlying host computing environment. Unfortunately, privileged containers may access the entire host computing environment, defeating many of the protection and isolation advantages of non-privileged legacy containers.

Disclosure of Invention

The fine-grained selectable partially-privileged container virtual computing environment provides a carrier by which processes involving modification of particular aspects of the host computing environment can be transferred to and executed on the host computing environment while maintaining advantageous and desirable protection and isolation between the remaining aspects of the host computing environment and the partially-privileged container computing environment. Such partial privileges are provided based on a direct or indirect description of the actions that processes executing in the partially-privileged container virtual computing environment are allowed to perform on the host computing environment and the actions that are disallowed. Aspects of the host computing environment operating system, such as the kernel, are extended to interface with container-centric mechanisms to receive information about which actions the kernel should allow or deny, even if the process attempting such actions is otherwise sufficiently privileged. The actions that are blocked are instead performed in the context of the container virtual computing environment in the form of overlays, which may be recorded in a sandbox of the host computing environment according to conventional container virtual computing environment methodologies.

This summary is provided to introduce a selection of concepts in a simplified form that are further described below in the detailed description. This summary is not intended to identify key features or essential features of the claimed subject matter, nor is it intended to be used to limit the scope of the claimed subject matter. Additional features and advantages will be made apparent from the following detailed description that proceeds with reference to the accompanying drawings.

Drawings

The following detailed description may be better understood when read in conjunction with the accompanying drawings, in which:

FIG. 1 is a system diagram of an exemplary non-privileged container virtual computing environment;
FIG. 2 is a system diagram of an exemplary privileged container virtual computing environment;
FIG. 3 is a system diagram of an exemplary partially privileged container virtual computing environment;
FIG. 4 is a system diagram of another exemplary partiall
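The mechanism the disclosure describes (an extended kernel that consults container metadata before letting an otherwise privileged process modify a shared host aspect, and that redirects denied actions into an overlay recorded in a sandbox) can be made concrete with a small model. The following is an added illustration written for this page, not code from the patent or from Microsoft; the class and function names, the path-prefix form of the container definition, and the sample file-system contents are all assumptions. It models the file-system aspect of claims 1, 3, 4, 7 and 13: writes under an allowed prefix land on the host, every other write completes only in the container's overlay, and the two views of the same path diverge accordingly.

```python
# Added model (not the patent's own code). Names and data are assumptions.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class ContainerDefinition:
    """Container-centric metadata the extended kernel consults (claims 7, 14, 15).

    host_writable_prefixes lists the portions of the host file system that
    processes in this container are allowed to modify on the host itself.
    """
    name: str
    host_writable_prefixes: Tuple[str, ...]


@dataclass
class PartiallyPrivilegedContainer:
    definition: ContainerDefinition
    host_fs: Dict[str, str]                                   # shared aspect: host file system
    overlay: Dict[str, str] = field(default_factory=dict)     # container-only modifications
    sandbox_log: List[Tuple[str, str, str]] = field(default_factory=list)  # recorded transactions (claim 4)

    def kernel_allows_on_host(self, path: str) -> bool:
        """Extended kernel hook. The model assumes the calling process already runs
        at a privilege level that would normally permit the write; the container
        definition decides whether that privilege reaches the host at all."""
        return any(path.startswith(p) for p in self.definition.host_writable_prefixes)

    def write(self, path: str, data: str) -> str:
        """Perform a write on behalf of a container process.

        Returns 'host' when the modification was applied to the host aspect,
        'overlay' when it was denied on the host and applied only in the container.
        """
        if self.kernel_allows_on_host(path):
            self.host_fs[path] = data
            return "host"
        # Denied on the host, the same way as if the privilege level were
        # insufficient (claim 2). The action still completes from the container's
        # point of view: it lands in the overlay and is recorded in the sandbox.
        self.overlay[path] = data
        self.sandbox_log.append(("write", path, data))
        return "overlay"

    def container_view(self, path: str) -> Optional[str]:
        """What a process inside the container sees: overlay first, then host."""
        return self.overlay.get(path, self.host_fs.get(path))

    def host_view(self, path: str) -> Optional[str]:
        """What a process on the host sees: the host aspect only."""
        return self.host_fs.get(path)


def idempotency_check(definition: ContainerDefinition, completed: Set[str]) -> bool:
    """Claim 13 style check: only instantiate if this container has not
    previously run to completion. 'completed' stands in for persisted state."""
    return definition.name not in completed


def run_demo() -> Dict[str, object]:
    # Constructed sample host state and container definition (assumptions).
    host_fs = {"/etc/app.conf": "v1", "/var/lib/app/state": "s0"}
    definition = ContainerDefinition("app-update", host_writable_prefixes=("/var/lib/app/",))
    completed: Set[str] = set()

    assert idempotency_check(definition, completed), "should not have run yet"
    container = PartiallyPrivilegedContainer(definition, host_fs)

    state_target = container.write("/var/lib/app/state", "s1")  # allowed on host
    conf_target = container.write("/etc/app.conf", "v2")        # denied on host -> overlay
    completed.add(definition.name)                              # container ran to completion

    return {
        "state_target": state_target,
        "conf_target": conf_target,
        "host_sees_state": container.host_view("/var/lib/app/state"),
        "host_sees_conf": container.host_view("/etc/app.conf"),
        "container_sees_conf": container.container_view("/etc/app.conf"),
        "sandbox_entries": len(container.sandbox_log),
        "second_run_allowed": idempotency_check(definition, completed),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The point the model makes visible is that the decision is taken by the host side against the container's own metadata, not by the process's privilege level: the write to /etc/app.conf reports success to the container (its view shows v2) while the host continues to see v1, and the sandbox log holds the record that a real system would use to replay or discard the change later.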