Abstract: Described herein are a system and method for forming a container image. The system and method include obtaining a first layer of a plurality of layers of the container image. The contents of the first layer are stored in a directory such that a first disk image layer file is mounted to the directory. A second layer of the plurality of layers is obtained, and the contents of the second layer are stored in the directory so that the first disk image layer includes contents of the first layer and the second layer. The first disk image layer is saved and is mountable and includes files of the container image.

Abstract: A method comprises: in response to detecting a new expression in a policy rule, updating a global version number to a new value; identifying a particular IP address that corresponds to an FQDN matching on the new expression; storing an entry comprising the particular IP address, the new expression, and an entry version number in a first data structure, the entry version number being assigned the new value; in response to detecting a new connection to a destination IP address: finding a matching entry in the first data structure corresponding to the destination IP address; determining whether the global version number matches the entry version number for the matching entry; and in response to determining that the global version number does not match the entry version number for the matching entry, sending update information to a slowpath process that associates an updated configuration information for the matching entry.

Abstract: Some embodiments provide a novel method for dynamically associating mobile devices with different logical networks implemented on an entity's shared network fabric. At least two logical networks are implemented for at least two entity groups. At a first site, the method authenticates a mobile device and uses mobile device management (MDM) servers to identify an MDM group associated with the mobile device. The method uses the MDM group (1) to identify a first logical network over a shared network fabric at the first site to connect the mobile device to resources of the first site, and (2) to identify a logical network identifier (LNI) of a second logical network connecting a first edge gateway at the first site to a second edge gateway at a second site. The method inserts the LNI in an encapsulation header of data messages sent from the mobile device to resources at the second site.

Abstract: Some embodiments provide a novel method for connecting one or more vehicles to a software defined wide area network (SD-WAN). The method deploys an edge router to operate in the vehicle, and configures the edge router to connect to several wireless network links (e.g., 5G cellular links) operating in the vehicle. In some embodiments, the different wireless network links are different mobile hotspot links provided by different telecommunication network providers (e.g., AT&T, Verizon, T-Mobile, Orange, etc.). The method configures the edge router to forward several data message flows from a device operating in the vehicle (e.g., a computer located in the vehicle or a machine (e.g., virtual machine, Pod, container, etc.) executing on a computer located in the vehicle) to the SD-WAN using the several telecommunications network links.

Abstract: An example method for provisioning data volume for a virtual compute instance may include receiving a request to provision a data volume for a virtual compute instance. The request may specify a size of the data volume, a type of the data volume, and a first input/output operations per second (IOPS) value for the data volume. Further, the method may include determining a recommended IOPS value for the data volume by applying a logic to the specified size, the specified type, and the first IOPS value. Furthermore, the method may include provisioning the data volume for the virtual compute instance with the specified size, the specified type, and the recommended IOPS value.

Abstract: The disclosure provides an approach for processing communications between connected data centers. Embodiments include receiving, at a first gateway of a first data center from a second gateway of a second data center, one or more policies associated with traffic attributes. Embodiments include programming priority routes between the first gateway and the second gateway over a virtual private network (VPN) tunnel based on the one or more policies, wherein each of the priority routes is associated with a traffic attribute of the traffic attributes. Embodiments include providing the one or more policies to a central controller of the first data center and programming, by the central controller, one or more tables associated with a centrally-managed virtual switch based on the one or more policies. Embodiments include updating a database associated with each of a plurality of hosts based on the programming of the one or more tables.

Abstract: A host computer is configured to issue one or more unmap commands to a file system of a storage device, the file system being shared by a plurality of host computers including the host computer, by performing the steps of: acquiring unmap privilege information from the storage device, the unmap privilege information indicating whether or not an unmap privilege is available to the host computer; in response to determining that the unmap privilege is available, transmitting a request to update an unmap privilege file stored in the storage device to indicate that the host computer has the unmap privilege; and then issuing to the file system, the one or more unmap commands to deallocate storage space from one or more files of the file system.

Abstract: Methods, apparatus, systems, and articles of manufacture are disclosed for state convergence associated with high availability application migration in a virtualized environment. An example apparatus includes at least one memory, machine readable instructions, and processor circuitry to at least one of execute or instantiate the machine readable instructions to identify a high availability slot in a virtual server rack including a first virtual machine (VM) associated with first configuration data that identifies the first VM as a protected VM, transmit second configuration data to a second VM that identifies the first VM as a nonprotected VM and the second VM as the protected VM, after a determination that a network partition is identified based on a failure of a request to retrieve the second configuration data from the second VM, and transfer data from the first VM to the second VM after causing the removal of the network partition.

Abstract: A pre-emptive scheduling of workloads enables improved sharing of resources of a cluster of hosts. The steps of this pre-emptive scheduling method include: adjusting priority of active workloads that are each running on one of the nodes and idle workloads that have been suspended; determining that a priority of a first workload, which is one of the idle workloads, exceeds a priority of a second workload, which is one of the active workloads and is executing on a first node of the cluster of nodes; and suspending the second workload and resuming the first workload to run on the first node.

Abstract: Some embodiments provide a method of forwarding data messages between source and destination host computers that execute source and destination machines. At a source computer on which a source machine for a data message flow executes, the method in some embodiments identifies a source tunnel endpoint group (TEPG) associated with the source machine. For the flow, the method selects one TEP of the TEPG as the source TEP. The method then uses the selected source TEP to forward the flow to the destination computer on which the destination machine executes.

Abstract: Some embodiments provide a novel method of migrating a particular virtual machine (VM) from a first host computer to a second host computer. The first host computer of some embodiments has a physical network interface card (PNIC) that performs at least one of network forwarding operations and middlebox service operations for the particular VM. The first host computer sends, to the PNIC of the first host computer, a request for state information relating to at least one of network forwarding operations and middlebox service operations that the PNIC performs for the particular VM. The first host computer receives the state information from the PNIC. The first host computer provides the state information received from the PNIC to the second host computer as part of a data migration that is performed to migrate the particular VM from the first host computer to the second host computer.

Abstract: Disclosed are various embodiments provisioning a data processing unit in a host machine. There can be multiple data processing units within the host machine with varying hardware or software requirements for an installation image that can be utilized to provision the device. Multiple installation images can be generated for different data processing units having varying requirements in a heterogeneous environment.

Abstract: Some embodiments of the invention provide a method of implementing a FaaS (functions as a service) framework executing in a first cloud for multiple applications operating on multiple machines in the first cloud. The method provides to the FaaS framework (1) multiple sets of credentials for accessing of multiple cloud providers and (2) a set of selection rules for selecting cloud providers from the multiple cloud providers to execute multiple functions for the multiple programs. For each particular function in the multiple functions, the method configures the FaaS framework to use the set of selection rules to select a particular cloud provider from the multiple cloud providers to execute the particular function, and configures the FaaS framework to use a particular set of credentials associated with the selected particular cloud provider from the multiple sets of credentials to forward the particular function to the selected particular cloud provider for execution.

Abstract: Some embodiments provide a method for configuring a logical router implemented in a Kubernetes cluster. The method receives configuration data specifying a service rule for the logical router. The service rule requires processing of L5-L7 headers of data messages sent to the logical router. Based on the service rule, the method defines (i) a redirection rule specifying a set of data messages to which the service rule applies based on L2-L4 header values and (ii) an L5-L7 processing rule for application of the service rule. the method provides the redirection rule to a first set of Pods in the cluster and the L5-L7 processing rule to a second set of Pods in the cluster.

Abstract: Example methods and systems for elastic provisioning of container-based graphics processing unit (GPU) nodes are described. In one example, a computer system may monitor usage information associated with a pool of multiple container-based GPU nodes. Based on the usage information, the computer system may apply rule(s) to determine whether capacity adjustment is required. In response to determination that capacity expansion is required, the computer system may configure the pool to expand by adding (a) at least one container-based GPU node to the pool, or (b) at least one container pod to one of the multiple container-based GPU nodes. Otherwise, in response to determination that capacity shrinkage is required, the computer system may configure the pool to shrink by removing (a) at least one container-based GPU node, or (b) at least one container pod from the pool.

Abstract: Some embodiments provide a method for configuring logical routers of a logical network. The logical routers are implemented in a Kubernetes cluster as a first set of Pods that each perform logical forwarding operations for the logical routers and a second set of Pods that each perform L7 service operations for a respective logical router. From a Kubernetes control plane component, the method receives a notification that the first set requires scaling to include an additional Pod. The first-set Pods process data messages between the logical network and external networks. Within the network management system, the method defines at least one new interface for processing data messages between the logical network and external networks. The method configures the at least one interface on the additional Pod to communicate with external physical routers to receive traffic from the external networks and send traffic to the external networks.

Abstract: An example method of managing hardware capacity in a multi-cloud computing system includes: obtaining, by a hardware inventory service executing in the multi-cloud computing system, hardware information for physical servers, in a public cloud, for which a customer has a subscription entitling bare-metal management of the physical servers; maintaining, by the hardware inventory service, an inventory of hardware capacity comprising a physical server pool that includes the physical servers; receiving, at the hardware inventory service, a request to consume the hardware capacity; and providing, by the hardware inventory service, a response to the request that identifies the physical server pool for deploying software to execute therein.

Abstract: Some embodiments provide a novel method for forwarding data messages between first and second host computers. To send, to a first machine of the first host, a second flow from a second machine of the second host in response to a first flow from the first machine, the method identifies from a set of tunnel endpoints (TEPs) of the first host a TEP that is a source TEP of the first flow. The method uses the identified TEP to identify one non-uniform memory access (NUMA) node of a set of NUMA nodes of the first host as the NUMA node associated with the first flow. The method selects, from a subset of TEPs of the first host that is associated with the identified NUMA node, one TEP as a destination TEP of the second flow. The method sends the second flow to the selected TEP of the first host.

Abstract: The disclosure provides a method for isolated environments for containerized workloads within a virtual private cloud in a networking environment. The method generally includes defining, by a user, a subnet custom resource object for creating a subnet in the virtual private cloud, wherein defining the subnet custom resource object comprises defining a connectivity mode for the subnet; deploying the subnet custom resource object such that the subnet is created in the virtual private cloud with the connectivity mode specified for the subnet; defining, by the user, a subnet port custom resource object for assigning a node to the subnet, wherein one or more containerized workloads are running on the node; and deploying the subnet port custom resource object such that the node is assigned to the subnet.

Abstract: An example method of performing a scaling operation for a distributed load balancer in a multi-cloud system includes: initiating, by a controller of the distributed load balancer, a scaling operation targeting a plurality of clouds in the multi-cloud system; determining, by the controller, implementations of the scaling operation for the plurality of clouds based on networking infrastructures of the plurality of clouds; and executing, by the controller, an implementation of the scaling operation for a first cloud of the plurality of clouds, the implementation including operations of: configuring a network interface on a data plane device of the distributed load balancer and configuring an upstream network of the first cloud.