Abstract: JavaScript library isolation can include replacing instances of a read/write call to a particular object from JavaScript code of a user interface (UI) plugin to a hosting application with a proxy as the JavaScript code is compiled to a JavaScript file, defining a function by which the proxy operates, directing a first subset of read/write calls to the particular object in runtime according to the function, and redirecting a second subset of read/write calls to a different object in runtime according to the function.

Abstract: Some embodiments provide a method for using a first SDN controller as a Network Controller as a Service (NCaaS). The first SDN controller receives a first set of network attributes regarding network elements in a first container cluster configured by a second SDN controller, and a second set of network attributes regarding network elements in a second container cluster configured by a third SDN controller. These container clusters do not have a controller for defining particular network policies. Based on the sets of network attributes, the first SDN controller defines the particular network policies to control forwarding data messages between the first and second container clusters. The first SDN controller distributes at least a subset of the particular network policies to the first container cluster in order for network elements at the first container cluster to enforce on data messages exchanged between the first and second container clusters.

Abstract: The method of some embodiments assigns a client to a particular datacenter from among multiple datacenters. The method is performed at a first datacenter, starting when it receives security data associated with a second datacenter. Then the method receives a DNS request from the client. Based on the received security data, the method sends a DNS reply assigning the client to the particular datacenter instead of the second datacenter. The receiving and sending is performed by a DNS cluster of the datacenter in some embodiments. The particular datacenter includes a set of servers implementing an application for the client in some embodiments. The datacenter to which the client gets assigned can be the first datacenter or a third datacenter.

Abstract: A noisy neighbor in a cloud multitenant system can present resource governance issues. Usage quotas can be applied, and traffic can be throttled to mitigate the problem. Network traffic can be monitored from routers of a software defined data center (SDDC) configured to process network traffic for machines of different tenants. By default, the network traffic from the routers can be processed via a first edge router for the SDDC. A second edge router can be deployed for the SDDC in response to the network traffic from a particular router exceeding a threshold. Network traffic from the particular router can be processed via the second edge router while the remaining traffic can continue to be processed via the first edge router.

Abstract: Disclosed are various embodiments for optimizing the migration of pages of memory servers in cluster memory systems. To begin, a computing device can mark in a page table of the computing device that a page stored on a first memory host is not present. Then, the computing device can flush a translation lookaside buffer of the computing device. Next, the computing device can copy the page from the first memory host to a second memory host. Moving on, the computing device can update a page mapping table to reflect that the page is stored in the second memory host. Then, the computing device can mark in the page table of the computing device that the page stored in the second memory host is present. Subsequently, the computing device can discard the page stored on the first memory host.

Abstract: Disclosed are various examples of provisioning a data processing unit (DPU) management operating system (OS). A management hypervisor installer executed on a host device launches or causes a server component to provide a management operating system (OS) installer image at a particular URI accessible over a network internal to the host device. A baseboard management controller (BMC) transfers the DPU management OS installer image to the DPU device. A volatile memory based virtual disk is created using the DPU management OS installer image. The DPU device is booted to a DPU management OS installer on the volatile memory based virtual disk. The DPU management OS installer installs a DPU management operating system to a nonvolatile memory of the DPU device on reboot of the DPU device.

Abstract: Some embodiments of the invention provide a simplified mechanism to deploy and control a multi-segmented application by using application-based manifests that express how application segments of the multi-segment application are to be defined or modified, and how the communication profiles between these segments. In some embodiments, these manifests are application specific. Also, in some embodiments, deployment managers in a software defined datacenter (SDDC) provide these manifests as templates to administrators, who can use these templates to express their intent when they are deploying multi-segment applications in the datacenter. Application-based manifests can also be used to control previously deployed multi-segmented applications in the SDDC. Using such manifests would enable the administrators to be able to manage fine grained micro-segmentation rules based on endpoint and network attributes.

Abstract: Some embodiments of the invention provide a method for configuring a physical network card or physical network controller (pNIC) to provide flow processing offload (FPO) for a host computer connected to the pNIC. The host computers host a set of compute nodes in a virtual network. The set of compute nodes are each associated with a set of interfaces that are each assigned a locally-unique virtual port identifier (VPID) by a flow processing and action generator. The pNIC includes a set of interfaces that are assigned physical port identifiers (PPIDs) by the pNIC. The method includes providing the pNIC with a set of mappings between VPIDs and PPIDs. The method also includes sending updates to the mappings as compute nodes migrate, connect to different interfaces of the pNIC, are assigned different VPIDs, etc.

Abstract: Example methods and systems for accessing data in a log-structured file system having a plurality of snapshots of storage objects backed by a first-level copy-on-write (COW) B+ tree data structure and a plurality of second-level B+ tree data structures have been disclosed. One example method includes obtaining a first first-level mapping associated with a first snapshot from the plurality of snapshots based on a first logical block address, wherein each of the plurality of snapshots corresponds to each of the plurality of second-level B+ tree data structures, identifying a first second-level B+ tree data structure corresponding to one of the plurality of snapshots based on the first first-level mapping, obtaining a first second-level mapping based on the first logical block address in the first second-level B+ tree data structure, obtaining a first physical block address based on the first second-level mapping, and accessing data at the first physical block address.

Abstract: Examples provide for automatically provisioning hosts in a cloud environment. A cloud daemon generates a cloud host-state configuration, for a given cloud instance of a host, stored on a cloud metadata service prior to first boot of the given cloud instance of the host. A first boot of a plurality of cloud instances of hosts is performed using a stateless, master boot image lacking host-specific configuration data. On completion of the first boot of a given cloud instance of a host, the cloud host-state configuration is installed on the master boot image to generate a self-configured boot image including host-specific configuration data for the given cloud instance of the host. A second boot is performed on the given cloud instance of the host by executing the self-configured boot image to automatically provision the given cloud instance of the host in the cloud environment.

Abstract: An example method of scheduling a workload in a virtualized computing system including a host cluster having a virtualization layer directly executing on hardware platforms of hosts is described. The virtualization layer supports execution of virtual machines (VMs) and is integrated with an orchestration control plane. The method includes: receiving, at the orchestration control plane, a workload specification for the workload; selecting, at the orchestration control plane, a plurality of nodes for the workload based on the workload specification, each of the plurality of nodes implemented by a host of the hosts; selecting, by the orchestration control plane in cooperation with a virtualization management server managing the host cluster, a node of the plurality of nodes; and deploying, by the orchestration control plane in cooperation with the virtualization management server, the workload on a host in the host cluster implementing the selected node.

Abstract: Some embodiments of the invention provide a method for implementing an edge device that handles data traffic between a logical network and an external network. The method monitors resource usage of a node pool that includes multiple nodes that each executes a respective set of pods. Each of the pods is for performing a respective set of data message processing operations for at least one of multiple logical routers. The method determines that a particular node in the node pool has insufficient resources for the particular node's respective set of pods to adequately perform their respective sets of data message processing operations. Based on the determination, the method automatically provides additional resources to the node pool by instantiating at least one additional node in the node pool.

Abstract: A network system that implements quality of service (QoS) by rate limiting at a logical network entity is provided. The logical network entity includes multiple transport nodes for transporting network traffic in and out of the logical network entity. The system monitors traffic loads of the multiple transport nodes of the logical network entity. The system allocates a local CR and a local BS to each of the multiple transport nodes. The allocated local CR and the local BS are determined based on the CR and BS parameters of the logical network entity and based on the monitored traffic loads. Each transport node of the logical network entity in turn controls an amount of data being processed by the transport node based on a token bucket value that is computed based on the local CR and the local BS of the transport node.

Abstract: The disclosure provides an approach for secure offloaded data transfer. Embodiments include receiving, by a security component on a client device, from a storage system connected to the client device, a token associated with a data read request corresponding to a source file on the storage system. Embodiments include determining, by the security component, that the source file is trusted. Embodiments include generating, by the security component, an entry in a trusted token cache based on determining that the source file is trusted, wherein the entry comprises the token. Embodiments include receiving, by the security component, a write request corresponding to a destination file on the storage system, wherein the write request comprises the token or a different token. Embodiments include determining, by the security component, based on the trusted token cache, whether to perform one or more operations related to the write request.

Abstract: The present invention is a highly available system comprising a system to send a plurality of bootstrap requests, at least one cloud proxy fit to receive the plurality of bootstrap requests, wherein each instance of the at least one cloud proxy is coupled with an adapter, and at least one host fit to communicate with one of the at least one cloud proxy.

Abstract: A request to configure a platform service associated with a container orchestration system can be received. A plurality of ConfigMaps can be collected from a deployment chart of an application service managed by the container orchestration system. Each of the plurality of ConfigMaps can include platform service configuration data associated with a different version of the platform service. One of the plurality of ConfigMaps can be selected based on a current version of the platform service, and the platform service can be configured using the selected ConfigMap.

Abstract: The present disclosure is related to devices, systems, and methods for placement in a virtualized computing environment based on resource allocation. One embodiment includes instructions to receive a request made by a customer to create a virtual computing instance (VCI) of a project in cloud computing environment and place the VCI.

Abstract: Some embodiments provide a method for a health monitoring service that monitors a system with a set of services executing across a set of one or more datacenters. For each of multiple services monitored by the health monitoring service, the method (1) contacts an API exposed by the service to provide health monitoring data for the service and (2) receives health monitoring data for the service that provides, for each of multiple aspects of the service, (i) a status and (ii) an explanation for the status in a uniform format used by the APIs of each of the services. At least two different services provide health monitoring data in the uniform format for different groups of aspects of the services.

Abstract: A framework for facilitating communication between a multi-cluster management (MCM) system and the clusters managed by the system is provided. According to one set of embodiments, the framework comprises two independent, unidirectional communications channels: a first channel (i.e., “intent channel”) that flows from the MCM system to each cluster, and a second channel (i.e., “data sync channel”) that flows from each cluster to the MCM system. Through the intent channel, the MCM system can deliver control information to each cluster for actuating management changes/operations therein in a manner that is robust against network dropouts and packet loss. Through the data sync channel, the MCM system can collect and process status information from each cluster (such as, e.g., object state transitions triggered by the control information sent via the intent channel) in a manner that can efficiently scale to support large numbers of clusters.

Abstract: Disclosed are various examples of provisioning a data processing unit (DPU) management operating system using a capsule. A management hypervisor installer executed on a host device receives a listing DPU device from a baseboard management controller (BMC). A preinstalled DPU management operating system image is identified for a DPU device from the listing, and is wrapped with a capsule that specifies the capsule as a DPU management operating system image capsule. A server component provides the DPU management operating system image capsule at a particular URI, and the URI is transmitted to the BMC.