Unicontainers
Inventors
Assignees
Publication Number
US-12118361-B2
Publication Date
2024-10-15
Expiration Date
2039-11-20
Interested in licensing this patent?
MTEC can help explore whether this patent might be available for licensing for your application.
Abstract
In general, this disclosure describes techniques for building an application designed to run on a given infrastructure as a container. For example, a unicontainer as described herein may represent a smallest-size, statically-linked binary that is the most optimal implementation of a container for executing an application. In some examples, a computing system builds this container by identifying unused or unneeded functionalities from dependencies for the application, for instance where such functionalities are provided by a target infrastructure for the container.
Core Innovation
This invention discloses techniques for building optimized application containers, called unicontainers, which are minimal, statically-linked binaries tailored for specific infrastructures. A unicontainer is constructed by identifying and including only those functionalities from dependencies that are required for the application to run, excluding any features provided by the target infrastructure or not needed for execution. The system analyzes the dependency hierarchy, determines the minimum set of functions necessary, and generates a language-independent intermediate representation. This intermediate representation may be further optimized using methods such as static previrtualization and partial evaluation.
The primary problem addressed by this invention is the excessive size and redundancy in traditional container images, where each container often includes unnecessary libraries and services, leading to bloated images and increased security vulnerabilities. Existing approaches, such as unikernels, attempt similar goals but are not compatible with distributed computing environments and lack adequate debugging capabilities. There is a need to efficiently build, test, and deploy software while reducing security risks associated with exploitable dependencies prevalent in modern IT infrastructures.
The computing system described in the disclosure employs a build module to receive a recipe file specifying an application's dependencies and target infrastructure. The system constructs a bottom-up or top-down dependency analysis, selecting or building only the required, reduced-function versions of dependencies not available in the target infrastructure, and statically links these into the application. The system may also maintain a registry for managing optimized dependencies and version conflicts, and can generate containers from traditional files such as Dockerfiles, producing statically-linked, self-contained unicontainer images. This method ensures that container images are minimized, repeatable, and optimized for deployment across a range of target infrastructures.
Claims Coverage
The patent includes multiple independent claims specifying systems and methods for generating container images using selective dependency optimization and static linking. There are inventive features articulated in both system and method claims.
Generating optimized container images by selective static linking
A computing system uses a build module to: - Receive a recipe file for an application build and an indication of a target infrastructure. - Obtain, based on required functions of a dependency not provided by the target infrastructure, a version of the dependency that provides only those required functions and omits others. - Build a container image by statically linking this optimized version of the dependency into the application. This results in an application container that is tailored to the needs of the application and the capabilities of the target infrastructure, minimizing code footprint.
Utilizing a registry file to manage dependency versions for container builds
The system maintains a registry and a registry file mapping lists of required functions for a dependency to respective optimized versions. The build module identifies required functions from a recipe file and uses the registry file to map these functions to the correct dependency version, resolving potential conflicts between dependency versions. The generated container image is stored in the registry, and the registry file is updated to record included versions.
Layered dependency structure and optimization in container generation
The system processes the recipe file to generate a dependency structure with multiple layers, each containing dependencies or application packages. The build module identifies required functions for each dependency layer and removes unnecessary functions from child dependencies, ensuring each layer is built with only the code required for the higher layer. This optimization is performed for each layer up to the application, and each layer can be an application package or a unicontainer.
Dynamic adjustment of container content based on target infrastructure properties
The build module leverages a data structure mapping target infrastructure identifiers to their properties (such as provided dependencies). When a build request is received, the module determines which dependencies are already available on the target infrastructure and excludes them from the container image, only statically linking those not provided.
Method for generating, storing, and managing optimized container images
A method is disclosed for: 1. Receiving a recipe file and target infrastructure indication. 2. Obtaining optimized dependencies as described above. 3. Statically linking the optimized dependencies to generate a container image. 4. Storing this image in a registry and updating the registry file to reflect its contents. This method supports reproducibility and conflict resolution in dependency management for containerized applications.
The independent claims cover techniques for building, storing, and managing minimal container images by statically linking only the required parts of dependencies not provided by a given target infrastructure, leveraging a registry system, and optimizing across layered dependencies. These features allow for container images that are minimized, maintainable, and adaptable for various deployment scenarios.
Stated Advantages
Produces smallest possible, statically-linked container images for applications, minimizing code size and resource usage.
Reduces potential security vulnerabilities by excluding unnecessary dependency code from container images.
Enables deployment of containers across diverse target infrastructures by optimizing contents for specific environments.
Allows orchestration logic and microservices to be flexibly incorporated, improving deployment and scaling flexibility.
Facilitates repeatable, verifiable builds with traceability for dependency and build step management.
Supports formal verification at the language-independent intermediate representation level, enhancing code safety and correctness.
Improves build environment isolation and integrity by using disposable environments for builds.
Documented Applications
Deployment of optimized unicontainer images on cloud infrastructures, bare metal servers, Docker environments, and virtual machines.
Use in microservice architectures and breaking applications into smaller, independently deployable units.
Building containers for running shell command sequences, custom runtimes (e.g., statically-linked Python interpreters), and specific popular development environments (e.g., GoLang, Node.js) with only required dependencies.
Supporting whole-program analysis and formal verification for software packages to be deployed as containers.
Interested in licensing this patent?