Abstract: A virtualized computer platform is established and maintained by virtualization software on one or more physical computers. A multicomponent software application may execute on the virtualized computer platform, with different components of the application executing in different virtual machines, which are supported by the virtualization software. The virtualization software may also provide, and/or facilitate the provision of, one or more services that may be beneficial to the operation of the multicomponent software application, such as automated provisioning, resource allocation, VM distribution, performance monitoring, resource management, high availability, backup, disaster recovery, alarms, security, etc. In some embodiments of the invention, some of these services are provided through coordinated efforts of a system resource manager, a VM manager, an application monitor and an application resource manager.

Abstract: A method for protecting a virtual computer system which may be susceptible to adverse effects from a Denial of Service attack is described. The virtual computer system includes a plurality of VMs. In the method, data that is transferred between the virtual computer system and the computer network is monitored for an indication of a possible Denial of Service attack. If an indication of a possible Denial of Service attack is detected, one or more of the VMs is suspended, to reduce the risk of adverse effects on one or more other VMs.

Abstract: A virtual memory system implementing the invention provides concurrent access to translations for virtual addresses from multiple address spaces. One embodiment of the invention is implemented in a virtual computer system, in which a virtual machine monitor supports a virtual machine. In this embodiment, the invention provides concurrent access to translations for virtual addresses from the respective address spaces of both the virtual machine monitor and the virtual machine. Multiple page tables contain the translations for the multiple address spaces. Information about an operating state of the computer system, as well as an address space identifier, are used to determine whether, and under what circumstances, an attempted memory access is permissible. If the attempted memory access is permissible, the address space identifier is also used to determine which of the multiple page tables contains the translation for the attempted memory access.

Abstract: A virtual computer system enabling dynamic, aggregated use of multiple TCP/IP offload engines (TOEs) by the set of guest computer systems hosted on the virtual computer system. Each of the guest computer systems includes an offload selection switch and the associated virtual machine monitor includes a first virtual context component. Second virtual context components are associated with a set of TCP/IP stacks and TOEs and interoperate with the first virtual context components to establish a virtual routing of network connections between the offload selection switches and the TOEs. The virtual context mapping retains the initially requested network connection information as well as the resolved virtual network connection established, thereby allowing the initial network connection request to be internally reapplied as required to accommodate dynamic changes in the network protocol parameters of the TOEs.

Abstract: The invention is used in a virtual machine monitor for a multiprocessing system that includes a virtual memory system. During a software-based processing of a guest instruction, including translating or interpreting a guest instruction, mappings between virtual addresses and physical addresses are retained in memory until processing of the guest instruction is completed. The retained mappings may be cleared after each guest instruction has been processed, or after multiple guest instructions have been processed. Information may also be stored to indicate that an attempt to map a virtual address to a physical address was not successful. The invention may be extended beyond virtual machine monitors to other systems involving the software-based processing of instructions, and beyond multiprocessing systems to other systems involving concurrent access to virtual memory management data.

Abstract: To generate a checkpoint for a virtual machine (VM), first, while the VM is still running, a copy-on-write (COW) disk file is created pointing to a parent disk file that the VM is using. Next, the VM is stopped, the VM' s memory is marked COW, the device state of the VM is saved to memory, the VM is switched to use the COW disk file, and the VM begins running again for substantially the remainder of the checkpoint generation. Next, the device state that was stored in memory and the unmodified VM memory pages are saved to a checkpoint file. Also, a copy may be made of the parent disk file for retention as part of the checkpoint, or the original parent disk file may be retained as part of the checkpoint. If a copy of the parent disk file was made, then the COW disk file may be committed to the original parent disk file.

Abstract: A virtual computer system, including one or more virtual machines (VMs), is connected to a computer network by multiple network interface cards (NICs). The VMs are supported by a kernel, which includes a resource manager for allocating system resources among the VMs, including network data bandwidth. A NIC manager is loaded into the kernel as a driver or is integrated into the kernel, for selecting NICs over which outgoing network data is transferred, including providing functions such as failovers and failbacks, as well as load distribution. Implementing the NIC manager in the kernel provides NIC teaming functions to each of the VMs without having to implement a NIC teaming solution in each of the VMs, adding to the simplicity, flexibility and portability of the VMs. In addition, integrating the NIC manager into the kernel improves the kernel's ability to manage the VMs and to implement network resource allocations for the VMs.

Abstract: In a virtual computer system, the invention virtualizes a primary protection mechanism, which restricts memory accesses based on the type of access attempted and a current hardware privilege level, using a secondary protection mechanism, which is independent of the hardware privilege level. The invention may be used to virtualize the protection mechanisms of the Intel IA-64 architecture. In this embodiment, virtual access rights settings in a virtual TLB are translated into shadow access rights settings in a hardware TLB, while virtual protection key settings in a virtual PKR cache are translated into shadow protection key settings in a hardware PKR cache, based in part on the virtual access rights settings. The shadow protection key settings are dependent on the guest privilege level, but the shadow access rights settings are not.

Abstract: A virtual memory system implementing the invention provides concurrent access to translations for virtual addresses from multiple address spaces. One embodiment of the invention is implemented in a virtual computer system, in which a virtual machine monitor supports a virtual machine. In this embodiment, the invention provides concurrent access to translations for virtual addresses from the respective address spaces of both the virtual machine monitor and the virtual machine. Multiple page tables contain the translations for the multiple address spaces. Information about an operating state of the computer system, as well as an address space identifier, are used to determine whether, and under what circumstances, an attempted memory access is permissible. If the attempted memory access is permissible, the address space identifier is also used to determine which of the multiple page tables contains the translation for the attempted memory access.

Abstract: Multiple computers are connected to a data storage unit that includes a file system, which further includes multiple data entities, including files, directories and the file system itself. The file system also includes, for each data entity, an owner field for indicating which computer, if any, has exclusive or shared access to the data entity, along with a time field for indicating when a lease of the data entity began. When a computer wants to lease a data entity, the computer uses a disk reservation capability to temporarily lock the data storage unit, and, if the data entity is not currently leased, the computer writes its own identification value into the owner field and a current time into the time field for the data entity, to claim the data entity for a renewable lease period. If a prior lease of a data entity has expired, another computer may break the lease and claim ownership for itself.

Abstract: A virtual computer system, including one or more virtual machines (VMs), is connected to a redundant data storage system having multiple paths for routing data between the computer system and the data storage system. The VMs are supported by a kernel, which includes a resource manager for allocating system resources among the VMs, including data storage space and data storage bandwidth. A storage path manager (SPM) is integrated into the kernel for routing data between the computer system and the data storage system, including providing functions such as failovers and failbacks, as well as load distribution. Integrating the SPM into the kernel improves the kernel's ability to manage the VMs and to provide SAN resources to the VMs. For example, the SPM may enhance the isolation between multiple VMs by routing their respective data over different data paths. Also, the SPM may improve the allocation of system resources by coordinating with the resource manager.

Abstract: A computer system has secondary data that is derived from primary data, such as entries in a TLB being derived from entries in a page table. When an actor changes the primary data, a producer indicates the change in a set data structure, such as a data array, in memory that is shared by the producer and a consumer. There may be multiple producers and multiple consumers and each producer/consumer pair has a separate channel. At coherency events, at which incoherencies between the primary data and the secondary data should be removed, consumers read the channels to determine the changes, and update the secondary data accordingly. The system may be a multiprocessor virtual computer system, the actor may be a guest operating system, and the producers and consumers may be subsystems within a virtual machine monitor, wherein each subsystem exports a separate virtual central processing unit.

Abstract: To generate a checkpoint for a virtual machine (VM), first, while the VM is still running, a copy-on-write (COW) disk file is created pointing to a parent disk file that the VM is using. Next, the VM is stopped, the VM's memory is marked COW, the device state of the VM is saved to memory, the VM is switched to use the COW disk file, and the VM begins running again for substantially the remainder of the checkpoint generation. Next, the device state that was stored in memory and the unmodified VM memory pages are saved to a checkpoint file. Also, a copy may be made of the parent disk file for retention as part of the checkpoint, or the original parent disk file may be retained as part of the checkpoint. If a copy of the parent disk file was made, then the COW disk file may be committed to the original parent disk file.

Abstract: A first software entity occupies a portion of a linear address space of a second software entity and prevents the second software entity from accessing the memory of the first software entity. For example, in one embodiment of the invention, the first software entity is a virtual machine monitor (VMM), which supports a virtual machine (VM), the second software entity. The VMM sometimes directly executes guest instructions from the VM and, at other times, the VMM executes binary translated instructions derived from guest instructions. When executing binary translated instructions, the VMM uses memory segmentation to protect its memory. When directly executing guest instructions, the VMM may use either memory segmentation or a memory paging mechanism to protect its memory. When the memory paging mechanism is active during direct execution, the protection from the memory segmentation mechanism may be selectively deactivated to improve the efficiency of the virtual computer system.

Abstract: A virtual memory system implementing the invention provides concurrent access to translations for virtual addresses from multiple address spaces. One embodiment of the invention is implemented in a virtual computer system, in which a virtual machine monitor supports a virtual machine. In this embodiment, the invention provides concurrent access to translations for virtual addresses from the respective address spaces of both the virtual machine monitor and the virtual machine. Multiple page tables contain the translations for the multiple address spaces. Information about an operating state of the computer system, as well as an address space identifier, are used to determine whether, and under what circumstances, an attempted memory access is permissible. If the attempted memory access is permissible, the address space identifier is also used to determine which of the multiple page tables contains the translation for the attempted memory access.

Abstract: A first software entity occupies a portion of a linear address space of a second software entity and prevents the second software entity from accessing the memory of the first software entity. For example, in one embodiment of the invention, the first software entity is a virtual machine monitor (VMM), which supports a virtual machine (VM), the second software entity. The VMM sometimes directly executes guest instructions from the VM and, at other times, the VMM executes binary translated instructions derived from guest instructions. When executing binary translated instructions, the VMM uses memory segmentation to protect its memory. When directly executing guest instructions, the VMM may use either memory segmentation or a memory paging mechanism to protect its memory. When the memory paging mechanism is active during direct execution, the protection from the memory segmentation mechanism may be selectively deactivated to improve the efficiency of the virtual computer system.

Abstract: A first software entity occupies a portion of a linear address space of a second software entity and prevents the second software entity from accessing the memory of the first software entity. For example, in one embodiment of the invention, the first software entity is a virtual machine monitor (VMM), which supports a virtual machine (VM), the second software entity. The VMM sometimes directly executes guest instructions from the VM and, at other times, the VMM executes binary translated instructions derived from guest instructions. When executing binary translated instructions, the VMM uses memory segmentation to protect its memory. When directly executing guest instructions, the VMM may use either memory segmentation or a memory paging mechanism to protect its memory. When the memory paging mechanism is active during direct execution, the protection from the memory segmentation mechanism may be selectively deactivated to improve the efficiency of the virtual computer system.

Abstract: A virtual computer system including multiple virtual machines (VMs) is implemented in a single physical computer system. The multiple VMs have their own layer 2 and layer 3 addresses, but they share a common network connection for which only a single layer 2 address may be used, such as in the case of a standard wireless network interface card (NIC) or in the case of multiple NICs and a standard NIC teaming solution. For outgoing data frames from a VM to a network entity outside the virtual computer system, the layer 2 address of the VM contained in the source address field is generally replaced with the layer 2 address of the network connection. For incoming data frames from a network entity to a VM, the layer 2 address of the network connection contained in the destination address field is generally replaced with the layer 2 address of the VM.

Abstract: A processor has multiple operating modes, such as the long/compatibility mode, the long/64-bit mode and the legacy modes of the x86-64 microprocessor. Different software entities execute in different ones of these operating modes. A switching routine is implemented to switch from one operating mode to another and to transfer control from one software entity to another. The software entities may be, for example, a host operating system and a virtual machine monitor. Thus, for example, a virtual computer system may comprise a 64-bit host operating system and a 32-bit virtual machine monitor, executing on an x86-64 microprocessor in long mode and legacy mode, respectively, with the virtual machine monitor supporting an x86 virtual machine. The switching routine may be implemented partially or completely in an identity-mapped memory page. Execution of the switching routine may be initiated by a driver that is installed in the host operating system of a virtual computer system.

Abstract: An interface for a communications channel, in which blocks of data are divided into multiple sub-blocks for conveyance, such as a USB (Universal Serial Bus) interface, is virtualized. One or more host drivers may provide an interface with a physical device that supports the communications channel. Virtualization software emulates a virtual device that appears to support the communications channel, and one or more guest drivers may provide an interface with the virtual device, so that the guest drivers receive one or more guest data block buffers for use in conveying data over the communications channel and generate multiple corresponding guest data sub-block buffers for each guest data block buffer, and the virtualization software obtains access to the guest data sub-block buffers. The guest data sub-block buffers are scanned for an indication of a boundary between multiple guest data block buffers, such as an IOC (Interrupt on Complete) flag being set.