Abstract: Described herein are a system and method for forming a container image. The system and method include obtaining a first layer of a plurality of layers of the container image. The contents of the first layer are stored in a directory such that a first disk image layer file is mounted to the directory. A second layer of the plurality of layers is obtained, and the contents of the second layer are stored in the directory so that the first disk image layer includes contents of the first layer and the second layer. The first disk image layer is saved and is mountable and includes files of the container image.

Abstract: In some embodiments, a method receives a set of packets for a flow and determines a set of features for the flow from the set of packets. A classification of an elephant flow or a mice flow is selected based on the set of features. The classification is selected before assigning the flow to a network resource in a plurality of network resources. The method assigns the flow to a network resource in the plurality of network resources based on the classification for the flow and a set of classifications for flows currently assigned to the plurality of network resources. Then, the method sends the set of packets for the flow using the assigned network resource.

Abstract: An example method of beacon probing in a computing system includes: sending, by cross-host beacon probing (CHBP) software executing in a first host of the computing system, a first beacon probe from a first network interface controller (NIC) of the first host to NICs on a same layer 2 domain as the first NIC, the NICs including a second NIC of the first host and cross-host NICs of at least one host other than the first host; receiving, at the CHBP software through the first NIC, acknowledgements (ACKs) to the first beacon probe from the cross-host NICs; and determining, in response to the first beacon probe, connectivity statuses of the first NIC and the second NIC by the CHBP software based on the ACKs and on whether the second NIC receives the first beacon probe.

Abstract: Disclosed are various approaches for decreasing the latency involved in reading pages from swap devices. These approaches can include setting a first queue in the plurality of queues as a highest priority queue and a second queue in the plurality of queues as a low priority queue. Then, an input/output (I/O) request for an address in memory can be received. The type of the I/O request can be determined, and then the I/O request can be assigned to the first queue or the second queue of the swap device based at least in part on the type of the I/O request.

Abstract: Some embodiments of the invention provide a method for forwarding data messages between a client and a server (e.g., between client and server machines and/or applications). In some embodiments, the method receives a data message that a load balancer has directed from a particular client to a particular server after selecting the particular server from a set of several candidate servers for the received data message's flow. The method stores an association between an identifier associated with the load balancer and a flow identifier associated with the message flow, and then forwards the received data message to the particular server. The method subsequently uses the load balancer identifier in the stored association to forward to the particular load balancer a data message that is sent by the particular server. The method of some embodiments is implemented by an intervening forwarding element (e.g., a router) between the load balancer set and the server set.

Abstract: Examples are disclosed for upgrading services of a software-based service according to a predefined sequence to account for dependencies between services. An upgrade package that includes a manifest defining an order for upgrading services of the software-based system is retrieved. Each service is upgraded according to the sequence and a status log is modified following each upgrade to include a unified status summary associated with all services being upgraded.

Abstract: The current document is directed to improved distributed service-oriented applications developed according to a new and improved architecture for developing distributed service-oriented applications. The new and improved architecture includes a stateless-communications-protocol interface to external users and clients, services implemented by actors that communicate using message passing, and a distributed data grid for persistent storage of data. Distributed service-oriented applications developed according to the new and improved architecture are referred to as “RAD-squared applications” (“RAD{circumflex over (?)}2 applications”). The acronym “RAD{circumflex over (?)}2” stands for “Rapid Application Development with REST-actor-data-grid” and the acronym “REST” stands for the Representational State Transfer (“REST”) protocol. Alternative stateless communications protocols can be used as alternatives to REST in RAD{circumflex over (?)}2 applications.

Abstract: System and method for managing different classes of storage input/output (I/O) requests for a two-phase commit operation in a distributed storage system assigns reserved log sequence values to each of storage I/O requests of a first class, which are added to a two-phase commit queue. The reserved log sequence values of the storage I/O requests of the first class in the two-phase commit queue are assigned to some of the storage I/O requests of the second class, which are added to the two-phase commit queue.

Abstract: A method of connecting a software-defined data center (SDDC) to a cloud platform to enable the cloud platform to deliver cloud services to the SDDC includes the steps of: deploying an agent platform appliance that is connected to a management network of the SDDC; and deploying a plurality of agents on the agent platform appliance, wherein the agents include a first agent that is configured to issue a command to a component of the SDDC to perform an operation requested by a cloud service of the cloud platform and a second agent that is configured to acquire an authentication token for authenticating to the component of the SDDC, and wherein the second agent acquires the authentication token from the component of the SDDC, and the first agent acquires the authentication token from the second agent and transmits the command and the authentication token to the component of the SDDC.

Abstract: The disclosure provides an approach for certificate management for cryptographic agility. Embodiments include receiving, by a cryptographic agility system, a cryptographic request related to an application. Embodiments include selecting, by the cryptographic agility system, a cryptographic technique based on contextual information associated with the cryptographic request. Embodiments include determining, by the cryptographic agility system, based on the cryptographic request, a certificate for authenticating a key related to the cryptographic technique. Embodiments include providing, by the cryptographic agility system, the certificate to an endpoint related to the cryptographic request for use in authenticating the key.

Abstract: Some embodiments of the invention provide a method of sending data messages from an edge router at a first location of an enterprise network to a SaaS (software as a service) application server provided by a third-party at a second location. The method receives, from a DNS (domain name system) first server, a resolution for a particular destination network address for the SaaS application server at the second location. From a second server, the method obtains an identifier for a first cloud gateway from multiple cloud gateways at multiple locations through which the particular destination address for the SaaS application server can be reached, the first cloud gateway farther from the first location than a second cloud gateway in the multiple cloud gateways but closer to the second location than the second cloud gateway. The method uses an optimized SD-WAN connection to the first cloud gateway to forward data messages for the first cloud gateway to the SaaS application at the second location.

Abstract: Some embodiments provide a method of implementing capacity-aware load balancing across a set of data compute nodes (DCNs) by reducing latency for the set of DCNs. From the set of DCNs, the method identifies (1) a first subset of DCNs including DCNs that have a latency that is higher than an average latency computed for the set of DCNs and (2) a second subset of DCNs including DCNs that have a latency that is lower than the average latency computed for the set of DCNs. For each DCN in the first subset of DCNs, the method assigns to the DCN a weight value that corresponds to a target latency computed for the set of DCNs. Based on the assigned weight values for the first subset of DCNs, the method computes an excess weight value to be redistributed across the second subset of DCNs. The method redistributes the computed excess weight value across the second subset of DCNs.

Abstract: A computer-implemented method, medium, and system for multi-network/domain service discovery in a container orchestration platform are disclosed. In one computer-implemented method, a pool of servers with a plurality of network interface controllers (NICs) is created in a load balancer and by an operator in a worker node of a container orchestration platform, where each of the plurality of NICs is defined by a corresponding network attachment definition (NAD) object of a plurality of NAD objects. A virtual service object is generated using an annotation corresponding to the plurality of NAD objects. The virtual service object is associated to the pool of servers with the plurality of NICs. An internet protocol (IP) address of the virtual service object is transmitted to the container orchestration platform to update a status of a service object in the container orchestration platform using the IP address.

Abstract: An example method of upgrading a host in a cluster under management of a lifecycle manager in a virtualized computing system includes: receiving, from the lifecycle manager at a host in the cluster being upgraded, a desired software specification for a hypervisor of the host; determining, by the host, a list of required software installation bundles (SIBs) to satisfy the desired software specification; identifying a neighboring host in the cluster for the host; downloading, from the neighboring host to the host, at least a portion of the required SIBs; and executing an upgrade of the hypervisor in the host using the required SIBs.

Abstract: Described herein are systems, methods, and software to manage the encapsulation of layer two communications across computing sites. In one example, a gateway at a first computing site may receive an encapsulated packet from a second gateway at a second computing site. After receiving the encapsulated packet, the gateway decapsulates the encapsulated packet and determines that the decapsulated packet satisfies MSS criteria. The gateway further, in response to determining that the decapsulated packet satisfies the MSS criteria, modifies an MSS option associated with the decapsulated packet to a maximum value and forwards the decapsulated packet to a destination virtual node in the first computing site.

Abstract: A method for offloading multicast replication from multiple tiers of edge nodes implemented by multiple host machines to a physical switch is provided. Each of the multiple host machines implements a provider edge node and a tenant edge node. One host machine among the multiple host machines receives a packet having an overlay multicast group identifier. The host machine maps the overlay multicast group identifier to an underlay multicast group identifier. The host machine encapsulates the packet with an encapsulation header that includes the underlay multicast group identifier to create an encapsulated packet. The host machine forwards the encapsulated packet to a physical switch of the network segment. The physical switch forwards copies of the encapsulated packet to tenant edge nodes at one or more ports that are determined to be interested in the underlay multicast group identifier.

Abstract: Some embodiments provide a method for a forwarding element that receives a packet. The method determines whether the packet matches any flow entries in a first cache that uses a first type of algorithm to identify matching flow entries for packets. When the packet does not match any flow entries in the first cache, the method determines whether the packet matches any flow entries in a second cache that uses a second, different type of algorithm to identify matching flow entries for packets. The method executes a set of actions specified by a flow entry matched by the packet in one of the first and second caches.

Abstract: An example method of distributed load balancing in a virtualized computing system includes: configuring, at a logical load balancer, a traffic detector to detect traffic to a virtual internet protocol address (VIP) of an application having a plurality of instances; detecting, at the traffic detector, a first request to the VIP from a client executing in a virtual machine (VM) supported by a hypervisor executing on a first host; sending, by a configuration distributor of the logical load balancer in response to the detecting, a load balancer configuration to a configuration receiver of a local load balancer executing in the hypervisor for configuring the local load balancer to perform load balancing for the VIP at the hypervisor using the load balancer configuration.

Abstract: Access control management to shared resources in a common resource directory between different users of cloud data centers can be implemented as computer-readable methods, media and systems. A resource managing service receives a request to access resources of a resource directory managed by the resource managing service. The request includes a token for identity authentication. The resource managing service determined a container membership associated with the token, where the container membership is associated with a container from a set of containers for the resource directory. The container includes one or more resources in a tree data structure of the resource directory. The resource managing service filters access rights defined in authorization primitives associated with the container membership based on container policy rules for the set of containers in the resource directory. The resource managing service provides access to a set of resources from the resource directory.

Abstract: A search engine queries a network model for behavior of the entire network, such as data flow, based on combinations of multiple network elements. The search engine provides the state information and/or predicted behavior of the network by searching network objects in a graph-based model or a network state database that satisfy constraints given in a search query. The search engine provides the state information and/or predicted behavior based on regular-expression or plain language search expressions that do not provide packet header information. The search engine parses such search expression into a sequence of atoms that encode forwarding paths of interest to the user. A flow path through the modeled network can be generated dynamically, within the context of the search queries.