Abstract: Techniques for optimizing cluster-wide operations in a hyper-converged infrastructure (HCI) deployment are provided. In one set of embodiments, a computer system can receive a request to initiate a cluster-wide operation on a cluster of the HCI deployment, where the cluster includes a plurality of host systems, and where the cluster-wide operation involves a host-by-host evacuation of virtual machines (VMs) and storage components from the plurality of host systems. The computer system can further generate a set of recommendations for executing the host-by-host evacuation in a manner that minimizes the total amount of time needed to complete the cluster-wide operation. The computer system can then execute the host-by-host evacuation in accordance with the set of recommendations.

Abstract: Some embodiments of the invention provide a novel method of performing network slice-based operations on a data message at a hardware forwarding element (HFE) in a network. For a received data message flow, the method has the HFE identify a network slice associated with the received data message flow. This network slice in some embodiments is associated with a set of operations to be performed on the data message by several network elements, including one or more machines executing on one or more computers in the network. Once the network slice is identified, the method has the HFE process the data message flow based on a rule that applies to data messages associated with the identified slice.

Abstract: Example methods and systems for intent-based network virtualization design are disclosed. One example may comprise: obtaining configuration information and traffic information associated with multiple virtualized computing instances, processing the configuration information and traffic information to identify network connectivity intents and mapping the network connectivity intents to a logical network topology template. Based on a first switching intent, a first group may be assigned to a first logical network domain and the logical network topology template configured to include a first logical switching element. Based on a second switching intent, a second group may be assigned to a second logical network domain and the logical network topology template configured to include a second logical switching element. Based on a routing intent, the logical network topology template may be configured to include a logical routing element.

Abstract: System and method for managing security-relevant information in a computer network uses a security information plane (SIP) manager to which different types of security-relevant data are uploaded from components in the computer network and from which networkwide aggregated security information produced from the security-relevant data is download to a global security controller. The downloaded networkwide aggregated security information is used by the global security controller to control security applications running in the computer network.

Abstract: The disclosure herein describes synchronizing a data cache and an LSM tree file system on an object storage platform. Instructions to send a cached data set from the data cache to the LSM tree file system are received. An updated metadata catalog is generated. If the LSM tree structure is out of shape, compaction is performed on the LSM tree file system which may be on a different system or server. When an unmerged compacted metadata catalog is identified, a merged metadata catalog is generated, based on the compacted metadata catalog and the cached data set, and associated with the cached data set. The cached data set and the associated metadata catalog are sent to the LSM tree file system, whereby the data cache and the LSM tree file system are synchronized. Synchronization is enabled without the data cache or file system being locked and/or waiting for the other entity.

Abstract: Some embodiments provide a method for deploying edge forwarding elements in a public or private software defined datacenter (SDDC). For an entity, the method deploys a default first edge forwarding element to process data message flows between machines of the entity in a first network of the SDDC and machines external to the first network of the SDDC. The method subsequently receives a request to allocate more bandwidth to a first set of the data message flows entering or exiting the first network of the SDDC. In response, the method deploys a second edge forwarding element to process the first set of data message flows of the entity in order to allocate more bandwidth to the first set of the data message flows, while continuing to process a second set of data message flows of the entity through the default first edge node.

Abstract: In a data processing system running at least one application on a hardware platform that includes at least one processor and a plurality of coprocessors, at least one kernel dispatched by an application is intercepted by an intermediate software layer running logically between the application and the system software. Compute functions are determined within kernel(s), and data dependencies are determined among the compute functions. The compute functions are dispatched to selected ones of the coprocessors based at least in part on the determined data dependencies and kernel results are returned to the application that dispatched the respective kernel.

Abstract: Techniques for verifying the integrity of application data using secure hardware enclaves are provided. In one set of embodiments, a client system can create a secure hardware enclave on the client system and load program code for an integrity verifier into the secure hardware enclave. The client system can further receive a dataset from a server system and store the dataset at a local storage or memory location, and receive, via the integrity verifier, a cryptographic hash of the dataset from the server system and store the received cryptographic hash at a memory location within the secure hardware enclave. Then, on a periodic basis, the integrity verifier can compute a cryptographic hash of the stored dataset, compare the computed cryptographic hash against the stored cryptographic hash, and if the computed cryptographic hash does not match the stored cryptographic hash, determine that the stored dataset has been modified.

Abstract: Techniques for migrating virtual machines (VMs) in the presence of uncorrectable memory errors are provided. According to one set of embodiments, a source host hypervisor of a source host system can determine, for each guest memory page of a VM to be migrated from the source host system to a destination host system, whether the guest memory page is impacted by an uncorrectable memory error in a byte-addressable memory of the source host system. If the source host hypervisor determines that the guest memory page is impacted, the source host hypervisor can transmit a data packet to a destination host hypervisor of the destination host system that includes error metadata identifying the guest memory page as being corrupted. Alternatively, if the source host hypervisor determines that the guest memory page is not impacted, the source host hypervisor can attempt to read the guest memory page from the byte-addressable memory in a memory exception-safe manner.

Abstract: Disclosed are various approaches for extending a single sign-on (SSO) session to multiple devices. If a device is enrolled as a managed device with a management service, a SSO session can be extended to the device if the user has previously authenticated with an identity provider from another device. The user is authenticated on the second device using a user-and-device token issued by the management service with which the device is enrolled as a managed device.

Abstract: Methods and devices for providing reserved failover capacity across a plurality of data centers are described herein. An exemplary method includes determining whether a management process is executing at a first data center corresponding to a first physical location. In accordance with a determination that the management process is not executing at the first data center corresponding to the first physical location a host is initiated at a second data center corresponding to a second physical location and the management process is executed on the initiated host at the second data center corresponding to the second physical location.

Abstract: Some embodiments provide a novel method for deploying different virtual networks over several public cloud datacenters for different entities. For each entity, the method (1) identifies a set of public cloud datacenters of one or more public cloud providers to connect a set of machines of the entity, (2) deploys managed forwarding nodes (MFNs) for the entity in the identified set of public cloud datacenters, and then (3) configures the MFNs to implement a virtual network that connects the entity's set of machines across its identified set of public cloud datacenters. In some embodiments, the method identifies the set of public cloud datacenters for an entity by receiving input from the entity's network administrator. In some embodiments, this input specifies the public cloud providers to use and/or the public cloud regions in which the virtual network should be defined. Conjunctively, or alternatively, this input in some embodiments specifies actual public cloud datacenters to use.

Abstract: An example method of interfacing with a hypervisor in a computing system is described. The computing system includes a processor having at least three hierarchical privilege levels including a third privilege level more privileged than a second privilege level, the second privilege level more privileged than a first privilege level. The method includes configuring, by the hypervisor executing at the third privilege level, the processor to trap reads to a debug communication channel (DCC) status register of the processor to the third privilege level; trapping, at the hypervisor, a read to the DCC status register by guest software executing in a virtual machine (VM) managed by the hypervisor, the guest software executing at the first or second privilege level; reading, at the hypervisor, a plurality of registers of the processor to obtain data stored by the guest software; and returning execution from the hypervisor to the guest software.

Abstract: Some embodiments of the invention provide a method for collecting metric values relating to operations of a set of one or more resources executing on host computers in a datacenter. In some embodiments, the method hierarchically collects and analyzes samples, with a first set of samples collected and analyzed in the data plane, and a second set of samples collected and analyzed in the control plane by aggregating the samples collected in the data plane. In some embodiments, the data plane includes host computers on which sample collecting engines (e.g., service engines) execute, while the control plane includes a set of one or more servers that obtains sample data collected by the host computers, and aggregates and analyzes this data.

Abstract: Logging includes accessing a plurality of logs associated with network traffic in a distributed networking environment; selecting a subset of logs among the plurality of logs, wherein a log selection rate is pre-specified; determining weights associated with logs in the subset of logs; and collecting log information, including weight information of logs in the subset of logs relative to the plurality of logs.

Abstract: Techniques for discovering applications based on file system directories are disclosed. In one example, process information may be extracted from a file system directory of an application host executing a plurality of applications. Further, an expression match may be performed on the process information. Furthermore, a presence of an application running on the application host may be determined based on an outcome of the expression match.

Abstract: Techniques are described for preserving desktop state between login sessions in desktop computing environments. During an active login session of a desktop by a user, the system intercepts all requests to open a file and records the requested file paths. The information can be recorded locally or at a remote location, such as a server accessed over a network connection. Before the login session is terminated, the system determines all open windows and captures a screenshot of each window that is open on the desktop at the time of terminating the login session. The location of each window is also determined and recorded along with the screenshots before the session is terminated. When the user starts a new active login session at a later time, the state of the desktop is restored using the recorded file paths, screenshots and window locations.

Abstract: Disclosed are various embodiments for delegating authentication to certificate authorities. A first request for a certificate is received from a client device. Then a certificate request can be created. The certificate request may include a credential identifier for a certificate authority. The credential identifier may uniquely identify an authentication credential to use to request the certificate from certificate authority. The certificate request can then be added to a message queue. Later, a second request from another computing device is received and the message stored in the message queue is provided in response. A certificate is then received from the other computing device and is provided to the client device in response to the first request.

Abstract: Disclosed are various approaches to automate vulnerability assessment implement policy-based mitigation. A plurality of vulnerability records from respective ones of a plurality of vulnerability feeds are aggregated. Each of the plurality of vulnerability records are stored in a standardized format. A plurality of enterprise-specific severity scores are generated by calculating an enterprise-specific severity score for each of the plurality of vulnerability records. Then, a web page can be created that includes at least a subset of the plurality of enterprise-specific severity scores and respective ones of the plurality of vulnerability records.

Abstract: A method for creating a flow profile is provided. The method identifies a first plurality of flow measurements, each of which corresponding to one of a plurality of flows exchanged between a computing entity and a service during a first time period. The method, for each of a first plurality of buckets each of which has a pair of lower and upper bounds, increments a counter of the corresponding bucket for each of the plurality of flow measurements that falls within the pair of bounds of that bucket. The method generates a second plurality of buckets by merging and splitting at least some of the first plurality of buckets, identifies a second plurality of flow measurements for the computing entity during a second time period, and distributes these measurements into the second plurality of buckets. The method generate the flow profile by aggregating the first and second pluralities of buckets.