Abstract: Systems and methods are described for efficient ways to manage storage of data in virtual desktops on writable volumes contained in attachable virtual disks. Multiple writeable volumes can be attached to a user's virtual desktop and data writes on the virtual desktop can be allocated among the writeable volumes based on preset policies or criteria, allowing the storage of different types of data in different writable volumes located on different storage devices.

Abstract: In an architecture of a virtualized computing system plugins are less tightly integrated with a core user interface of a management server. Rather than being installed and executed at the management server as local plugins, the plugins are served as remote plugins from a plugin server, and may be accessed by a web client through a reverse proxy at the management server. Plugin operations may be executed at the plugin server and/or invoked from a user device where the web client resides. Furthermore, a plugin sandbox and other isolation configurations are provided at the user device, so as to further control access capability and interaction of the plugins.

Abstract: The disclosure provides an approach for cryptographic agility. Embodiments include establishing, by a proxy component associated with a cryptographic agility system, a first secure connection with an application. Embodiments include receiving, by the proxy component, via the first secure connection, a communication from the application directed to an endpoint. Embodiments include selecting, by the cryptographic agility system, a cryptographic technique based on contextual information related to the communication. Embodiments include establishing, by the proxy component, a second secure connection with the endpoint based on the cryptographic technique. Embodiments include transmitting, by the proxy component, a secure communication to the endpoint via the second secure connection based on the communication.

Abstract: System and method for managing migration of trusted execution environments (TEEs) based on migration policies utilizes a source migration agent in the source host computer and a destination migration agent in a destination host computer to migrate a source TEE in the source host computer to the destination host computer. A migration policy data of the source TEE is first transmitted to the destination migration agent from the source migration agent to determine whether the destination host computer satisfies migration policies specified in the migration policy data. In response to a determination that the destination host computer satisfies the migration policies specified in the migration policy data, a destination TEE is created in the destination host computer and memory pages of the source TEE are transmitted to the destination TEE. The memory pages are then restored at the destination TEE for execution.

Abstract: Mapping of applications by the most common file path in which they are installed or found to be running. Embodiments of the disclosure may determine the most commonly occurring hash values appearing in events generated by a virtualized network. These most commonly occurring hash values may correspond to the hash values of file paths associated with the greatest number of detected events. The database may then be queried to determine the most commonly occurring file path for each of these hash values. A table of such most commonly occurring file paths and their associated hash values may then be compiled and stored. Use of the most commonly occurring file path in lieu of an alert's actual file path may prevent undesired or malicious processes from going undetected by simply adopting a new file path that has yet to be recognized as being associated with undesired behavior.

Abstract: A noisy neighbor in a cloud multitenant system can present resource governance issues. Usage quotas can be applied, and traffic can be throttled to mitigate the problem. Network traffic can be monitored from routers of a software defined data center (SDDC) configured to process network traffic for machines of different tenants. By default, the network traffic from the routers can be processed via a first edge router for the SDDC. A second edge router can be deployed for the SDDC in response to the network traffic from a particular router exceeding a threshold. Network traffic from the particular router can be processed via the second edge router while the remaining traffic can continue to be processed via the first edge router.

Abstract: Examples herein describe systems and methods for self-healing in a Telco network function virtualization cloud. KPI attributes for virtual network functions can be mapped to physical fault notifications to create synthesized alerts. The synthesized alerts can include information from both a virtual and physical layer, allowing a self-healing action framework to determine root causes of problems in the Telco cloud. Remedial actions can then be performed in either the virtual or physical layer of the Telco cloud. Remedial actions in one layer can be based on root causes identified in the other, which can allow for remediation before network downtime occurs.

Abstract: The disclosure relates to processing application programming interface (API) requests. Embodiments include receiving, at an API wrapper, from a first caller, a first call to an API and sending the first call to the API. Embodiments include receiving, by the API wrapper, from one or more second callers, a second one or more calls to the API prior to receiving a response from the API to the first call. Embodiments include receiving, by the API wrapper, the response from the API to the first call and responding to the first call from the first caller with the response from the API to the first call. Embodiments include responding, by the API wrapper, to the second one or more calls from the one or more second callers with the response from the API to the first call without sending the second one or more calls to the API.

Abstract: Disclosed are examples related to data driven interfaces for decoupling management system components from a manufacturer or a platform of client devices managed by the management system. In some examples, among others, a system can generate a data driven interface template that can be used to cause rendering of a data driven user interface for configuring a profile payload of a device profile for the client device. The system can generate, based on values associated with the data driven user interface, a profile document in an instance in which values are obtained from the data driven user interface. In some aspects, the profile document is a generic representation of the profile payloads for the platform, the manufacturer or the type of the client device.

Abstract: Disclosed are various embodiments for improving the resiliency and performance of clustered memory. A computing device can generate at least one parity page from at least a first local page and a second local page. The computing device can then submit a first write request for the first local page to a first one of a plurality of memory hosts. The computing device can also submit a second write request for the second local page to a second one of the plurality of memory hosts. Additionally, the computing device can submit a third write request for the parity page to a third one of the plurality of memory hosts.

Abstract: Examples described herein include systems and methods for brokerless reliable totally ordered many-to-many inter-process communication on a single node. A messaging protocol is provided that utilizes shared memory for one of the control plane and data plane, and multicast for the other plane. Readers and writers can store either control messages or message data in the shared memory, including in a ring buffer. Write access to portions of the shared memory can be controlled by a robust futex, which includes a locking mechanism that is crash recoverable. In general, the writers and readers can control the pace of communications and the crash of any process does not crash the overall messaging on the node.

Abstract: A method and apparatus for autoscaling a custom resource of a containerized application handling system utilizes a metric value defined for a system object of the custom resource to scale the system object of the custom resource. An API request for the metric value is sent from an autoscaler to a control plane of the containerized application handling system to receive the metric value, which is compared to a desired metric value. A target scale metric value is then determined based on the comparison and posted in a database of the containerized application handling system. The system object of the custom resource is scaled by an operator of the containerized application handling system based on the posted target scale metric value.

Abstract: The disclosure provides an approach for coordinating a distributed vulnerability network scan. Embodiments include sending, by a computing node, a check-in message to a scanning coordinator, the check-in message indicating attributes of the computing node. Embodiments include receiving, by the computing node, a scan configuration message from the scanning coordinator, the scan configuration message comprising: scan timing information for the computing node; and a list of scanning targets for the computing node. Embodiments include determining, by the computing node, a scanning time window based on the scan timing information for the computing node. Embodiments include scanning, by the computing node, one or more scanning targets in the list of scanning targets for the computing node during the scanning time window.

Abstract: Examples disclosed herein relate to propagating changes made on a file system volume of a primary cluster of nodes to the same file system volume also being managed by a secondary cluster of nodes. An application is executed on both clusters, and data changes on the primary cluster are mirrored to the secondary cluster using an exo-clone file. The exo-clone file includes the differences between two or more snapshots of the volume on the primary cluster, along with identifiers of the change blocks and (optionally) state information thereof. Just these changes, identifiers, and state information are packaged in the exo-clone file and then exported to the secondary cluster, which in turn makes the changes to its version of the volume. Exporting just the changes to the data blocks and the corresponding block identifiers drastically reduces the information needed to be exchanged and processed to keep the two volumes consistent.

Abstract: In accordance with an embodiment of the invention, a cloud computing system is disclosed. The system includes a software-defined data center (SDDC), the SDDC including at least one cluster supported within the SDDC and at least one host computer running within the cluster, wherein the at least one host computer is configured to support at least one workload comprising an operating system and an application, and a cloud infrastructure, the cloud infrastructure including at least one child VM, the at least one child VM configured to virtualize the at least one host computer running within the cluster, and at least one parent virtual machine, wherein additional child VMs are deployed by forking the at least one parent VM.

Abstract: Disclosed are various examples for enrollment of gateway enrollment for Internet-of-Things (IoT) device management. In some examples, a client device receives a gateway management installation package from a management service. The client device installs a gateway management application to the gateway device using the installation package. Enrollment credentials are entered through a user interface generated using the gateway management application and shown on the client device. The client device instructs the gateway management application enroll the gateway device with the management service. Usage of the enrollment credentials prevents a user from being exposed to gateway credentials that authenticate communications between the gateway device and the management service.

Abstract: When containers run in a guest operating system of a virtual machine running on the host computer system, the containers communicate with each other via ports of each container and a network. The ports of each container stay constant, but the virtual machine in which they run may change its IP address on the network when it is power-cycled. To avoid losing connection to the ports of the containers, a record table that associates static identifiers, such as MAC addresses, of the virtual machine with the container ports is maintained. The static identifiers of the virtual machines do not change and provide a way of identifying the virtual machine on which the virtual container was running before it was powered off. When the virtual machine is powered on, the linkage between the container port and the network can be re-established using the record table.

Abstract: Certain embodiments described herein are directed to methods and systems for adding one or more nodes to a first cluster including a first node in a computer system. A method performed by the first node comprises receiving a first request from a second node to join the first cluster. The method also comprises retrieving a first cluster configuration associated with the first cluster from a distributed database through a first database server (DBS) and creating a second cluster configuration using the first cluster configuration and information received from the second node as part of the request. The method further comprises populating a first one or more local trust stores of a first one or more processes executing on the first node with a second one or more security certificates of a second one or more processes executing on the second node. The method further comprises writing the second cluster configuration to the distributed database and returning the second cluster configuration to the second node.

Abstract: At least one application of a client executes via system software on a hardware computing system that includes at least one CPU and at least one coprocessor. A virtualization layer establishes unified memory address space between the client and the hardware computing system, which also includes memory associated with the at least one coprocessor. The virtualization layer then synchronizes memory associated with the client and memory associated the at least one coprocessor. The virtualization layer may be installed and run in a non-privileged, user space, without modification of the application or of the system software running on the hardware computing system.

Abstract: The disclosure provides for analyzing upgrade and migration readiness. Embodiments include receiving an indication to upgrade a software product and a selected upgrade path identifying a target-upgrade version. Embodiments include accessing an array of pre-upgrade procedures comprising code for identifying one or more conditions that must be met before the software product can be upgraded based on the accessed array being associated with the software product. Embodiments include executing one or more of the pre-upgrade procedures in advance of upgrading the software product. Embodiments include accessing one or more autonomous remediation scripts from the repository based on identification of one or more failed pre-upgrade procedures. Embodiments include executing the one or more autonomous remediation scripts to cure the one or more failed pre-upgrade procedures and initiating an upgrade of the software product based on identifying that the array of pre-upgrade procedures successfully completed execution.