Abstract: Linked clone read performance (e.g., retrieving data) is improved at least by minimizing the number of input/output (I/O) operations. For a child clone, a local logical extent and an inherited logical extent are generated. The local logical extent comprises a logical block address (LBA) for data in a data region of the child clone and a physical sector address (PSA) corresponding to the LBA for the data in the data region of the child clone. The inherited logical extent spans logical extents that are accessible to the child clone. The inherited logical extent comprises an LBA for data in a data region of an ancestor of the child clone and a corresponding identifier (ID) of the ancestor. Data for an LBA in a read request may be rapidly found in the child clone (local logical extent) or an ancestor (inherited logical extent).

Abstract: A method for managing replication of cloned files is provided. Embodiments include determining, at a source system, that a first file has been cloned to create a second file. Embodiments include sending, from the source system to a replica system, an address of the first extent and an indication that a status of the first extent has changed from non-cloned to cloned. Embodiments include changing, at the replica system, a status of a second extent associated with a replica of the first file on the replica system from non-cloned to cloned and creating a mapping of the address of the first extent to an address of the second extent on the replica system. Embodiments include creating, at the replica system, a replica of the second file comprising a reference to the address of the second extent on the replica system.

Abstract: The current document is directed to contention control for computational resources in distributed computer systems and, in particular, to contention control for memory in distributed metrics collection systems that collect and aggregate metric data in distributed computer systems. In one implementation, parallel metric-data collectors in a first distributed computer system collect metric data and one or more aggregators aggregate collected metric data and forward the aggregated metric data to a second distributed computer system, which uses the metric data for various monitoring, analysis, and management tasks. Each parallel data collector stores received metrics in a metrics container assigned to the parallel collector and a write/read-write lock provides contention control that allows multiple metric-data collectors to concurrently access metrics containers but only a single aggregator to access the metrics containers.

Abstract: Some embodiments provide a method for one of multiple shared API processing services in a container cluster that implements a network policy manager shared between multiple tenants. The method receives a configuration request from a particular tenant to modify a logical network configuration for the particular tenant. Configuration requests from the plurality of tenants are balanced across the plurality of shared API processing services. Based on the received configuration request, the method posts a logical network configuration change to a configuration queue in the cluster. The configuration queue is dedicated to the logical network of the particular tenant. Services are instantiated separately in the container cluster for each tenant to distribute configuration changes from the respective configuration queues for the tenants to datacenters that implement the tenant logical networks such that configuration changes for one tenant do not slow down processing of configuration changes for other tenants.

Abstract: The disclosure provides an approach for database query management. Embodiments include receiving, by a service operating on a server, a request for data stored in a database. Embodiments also include determining, by the service, whether to handle the request as an internal request or an external request. Embodiments include, in response to determining to handle the request as an internal request: sending, by the service, a query for at least a portion of the data to the database; receiving, by the service, the at least the portion of the data, and storing query metadata of the request in local memory of the server and not in the database, the query metadata comprising parameters of the request.

Abstract: Some embodiments provide a two-tier DNS (Domain Name System) service for processing DNS requests. In some embodiments, the two-tier DNS service deploys first and second tiers of service machines, with the second-tier having several groups of service machines each of which is configured to resolve DNS requests for a different set of domain names than the other second-tier group(s). Each service machine in the first-tier is configured to identify the second-tier group responsible for each particular DNS request that the service machine receives for each particular domain name, and to forward the particular DNS request to the second-tier group that it identifies for the particular DNS request. The first-tier DNS service in some embodiments has only one group of service machines. Each first or second service machine group in some embodiments can have one or more service machines, and can be scaled up or down to add or remove service machines to the group (e.g., through an active/active layer 3 scaleout with BGP).

Abstract: Some embodiments provide a method that collects metrics for one or more paths of a first tunnel implementing a first security association (SA) and for one or more paths of a second tunnel implementing a second SA. The method selects a path based on the collected metrics of the paths of the first and second tunnels. When the selected path belongs to the first tunnel, the method encrypts data transmitted as encrypted payload of the first SA and transmits the encrypted payload in the first tunnel. When the selected path belongs to the second tunnel, the method encrypts data to be transmitted as encrypted payload of the second SA and transmits the encrypted payload in the second tunnel.

Abstract: An example method of hypervisor lifecycle management in a virtualized computing system having a cluster of hosts is described. The method includes: obtaining, by remediation software executing in a host of the hosts, a host state document from a distributed key-value store, the host state document defining a desired state of software in the host, the software including a hypervisor; and performing, by the remediation software in coordination with other hosts of the hosts through the distributed key-value store, a lifecycle operation on the software of the host in response to determining that a current state of the software does not match the desired state.

Abstract: Systems and methods for analyzing the usage of a set of workloads in a hyper-converged infrastructure are disclosed. A neural network model is trained based upon historical usage data of the set of workloads. The neural network model can make usage predictions of future demands on the set of workloads to minimize over-allocation or under-allocation of resources to the workloads.

Abstract: The disclosure provides migration of control plane nodes across multiple architecture platforms. Embodiments include one or more processors configured to backup data of a source control plane node running on a first host, the first host having a first architecture platform, identify a second architecture platform of a second host, the second architecture platform being different than the first architecture platform, select a first control plane binary of a plurality of control plane binaries based on the first control plane binary being for the second architecture platform, wherein the plurality of control plane binaries are for a plurality of architecture platforms, deploy a target control plane node on the second host using the selected first control plane binary, copy the backed up data to the second host to configured the target control plane node, and run the target control plane node on the second host.

Abstract: A remote application installed on a first remote desktop can be shared with a second remote desktop. The first remote desktop can be associated with a first user, and the second remote desktop can be associated with the first user and/or some other user(s) different from the first user. The sharing of the remote application can be terminated from the first remote desktop and/or from the second remote desktop.

Abstract: A log is received at a user space process of a host from a logical logging component of a virtual computing instance (VCI), the log generated by a container running on the VCI. The log is communicated from the user space process to a logical logging component of the host. The log is communicated from the logical logging component of the host to a logging process of the host. The log is configured and stored in host storage.

Abstract: A method for network address management is provided. Embodiments include determining a creation of a namespace associated with a cluster of computing devices, wherein a subset of computing resources of the cluster of computing devices is allocated to the namespace. Embodiments include assigning, to the namespace, a network address pool comprising a plurality of network addresses in a subnet, wherein the assigning causes the plurality of network addresses to be reserved exclusively for the namespace. Embodiments include receiving an indication that a pod is added to the namespace. Embodiments include, in response to the receiving of the indication, assigning a network address from the network address pool to the pod.

Abstract: In one set of embodiments, a computer system can receive a request to insert or delete a key into or from a plurality of keys maintained by a dynamic search data structure, where the dynamic search data structure is implemented using a balanced binary search tree (BBST) comprising a plurality of nodes corresponding to the plurality of keys, where a first subset of the plurality of nodes are stored in the first memory tier, and where a second subset of the plurality of nodes are stored in the second memory tier. The computer system can further execute the request to insert or delete the key, where the executing results in a change in height of at least one node in the plurality of nodes. In response to the executing, the computer system can move one or more nodes in the plurality of nodes between the first and second memory tiers, the moving causing a threshold number of nodes of highest height in the BBST to be stored in the first memory tier.

Abstract: Some embodiments of the invention provide a method of performing layer 7 (L7) packet processing for a set of Pods executing on a host computer, the set of Pods managed by a container orchestration platform. The method is performed at the host computer. The method receives notification of a creation of a traffic control (TC) custom resource (CR) that is defined by reference to a TC custom resource definition (CRD). The method identifies a set of interfaces of a set of one or more managed forwarding elements (MFEs) executing on the host computer that are candidate interfaces for receiving flows that need to be directed based on the TC CR to a layer 7 packet processor. Based on the identified set of interfaces, the method provides a set of flow records to the set of MFEs to process in order to direct a subset of flows that the set of MFEs receive to the layer 7 packet processor.

Abstract: Embodiments described herein generally involve identifying workloads in a multi-site networking environment. Embodiments include determining that a given network is stretched across a first network segment at a first site and a second network segment at a second site. Embodiments include creating a stretched administrative domain for the given network and mapping an address of the given network to the stretched administrative domain in a lookup table for an administrative domain associated with the first network segment. Embodiments include receiving a flow record from an observation point in the first network segment, the flow record having a source IP address associated with the second network segment and a destination IP address associated with the first network segment. Embodiments include identifying a source workload and destination workload of the flow record using the lookup table and a workload identification table that maps combinations of IP addresses and administrative domains to workloads.

Abstract: Embodiments provide data in-flight (DIF) services to software applications such as virtual machines (VMs) at an application level without requiring modification to established storage protocols. In exemplary embodiments, a storage controller transmits an advertisement of one or more data in-flight (DIF) services supported by a storage container of the storage controller. One or more DIF services communication path is created with attributes corresponding to the DIF services supported by the storage container. The storage controller receives, over the DIF services communication path, tagged data that can include data transmitted by a virtual machine (VM) for storage in the storage container.

Abstract: Example methods are provided to identify unused memory regions in pages that are allocated for storing executable code. One or more of the unused memory regions are usable as a secure location to store confidential information shared between a hypervisor on the host and a guest (such as a guest virtual computing instance) that runs on the host. The one or more unused memory regions may also be used to store executable code (such as valid executable code of antivirus software or other security program) that has been prevented/delayed in its execution by malicious code that has occupied the pages, thereby providing the executable code with sufficient memory resources to enable the executable code to at least partially complete execution.

Abstract: Example methods and systems for multi-engine intrusion detection are described. In one example, a computer system may configure a set of multiple intrusion detection system (IDS) engines that include at least a first IDS engine and a second IDS engine. In response to detecting establishment of a first packet flow and a second packet flow, the computer system may assign the first packet flow to the first IDS engine and second packet flow to the second engine based on an assignment policy. This way, first packet flow inspection may be performed using the first IDS engine to determine whether first packet(s) associated with the first packet flow are potentially malicious. Second packet flow inspection may be performed using the second IDS engine to determine whether second packet(s) associated with the second packet flow are potentially malicious.

Abstract: The disclosure provides an approach for hypervisor-assisted security analysis. Embodiments include receiving, at a hypervisor on a host computer, events from one or more virtual computing instances (VCIs). Embodiments include analyzing, by the hypervisor, the events according to one or more rules to identify a subset of the events for additional analysis. Embodiments include compressing, by the hypervisor, the subset of the events by performing deduplication to produce a compressed subset of the events. Embodiments include transmitting, by the hypervisor, the compressed subset of the events over a network to a separate analysis component, wherein the separate analysis component performs the additional analysis.