Abstract: Some embodiments provide a method for configuring logical routers of a logical network. The logical routers are implemented in a Kubernetes cluster as a first set of Pods that each perform logical forwarding operations for the logical routers and a second set of Pods that each perform L7 service operations for a respective logical router. From a Kubernetes control plane component, the method receives a notification that the first set requires scaling to include an additional Pod. The first-set Pods process data messages between the logical network and external networks. Within the network management system, the method defines at least one new interface for processing data messages between the logical network and external networks. The method configures the at least one interface on the additional Pod to communicate with external physical routers to receive traffic from the external networks and send traffic to the external networks.
Abstract: A method of managing configurations of SDDCs of a tenant includes the steps of: retrieving a base configuration document, a first supplemental configuration document of a first SDDC, and a second supplemental configuration document of a second SDDC; issuing, to the first SDDC, a first instruction to update a running configuration state thereof according to the base configuration document and the first supplemental configuration document; and issuing, to the second SDDC, a second instruction to update a running configuration state thereof according to the base configuration document and the second supplemental configuration document, wherein the base configuration document includes settings of first configuration properties common across all of the tenant's SDDCs, the first supplemental configuration document includes first settings of second configuration properties only applicable to the first SDDC, and the second supplemental configuration document includes second settings of the second configuration proper
Abstract: An example method for a first host, being an owner of an object stored in a virtual storage area network (vSAN) cluster, to perform encryption and decryption operations during a rekey in the vSAN cluster is disclosed. The method includes obtaining a first encryption key and a first key identifier (ID) of the first encryption key; transmitting the first key ID and an active key index to a second host; using the first encryption key to perform encryption and decryption operations; and in response to a determination of receiving a key change notification from a master node of the vSAN cluster, terminating a connection with the second host.
Type:
Grant
Filed:
March 2, 2022
Date of Patent:
June 25, 2024
Assignee:
VMware, Inc.
Inventors:
Wenguang Wang, Abhay Kumar Jain, Ruiling Dou, Tao Xie, Xin Li, Chandrakanth Gadhiraju, Kevin Rayfeng Li, Satish Pudi
Abstract: In a method for managing an upgrade of a virtualization infrastructure component, a plurality of metadata manifests corresponding to a plurality of software upgrade bundles is received, a software upgrade bundle for upgrading a virtualization infrastructure component from a source version to a target version, a metadata manifest comprising a listing of applications comprised within a corresponding software upgrade bundle and installation instructions for the applications comprised within the corresponding software upgrade bundle for upgrading the virtualization infrastructure component from a particular source version to a particular target version.
Abstract: An example computing device includes a processor and a memory coupled to the processor. The memory may include a diagnostic daemon executing in a user space. The diagnostic daemon may include a plugin layer and a plurality of plugins communicatively connected to the plugin layer. Each plugin may perform at least one operation related to diagnostic data collection. The plugin layer may receive an event from a component running in the computing device upon the component encountering an error. The event may include a plugin identifier and an operation identifier. Further, the plugin layer may route the event to a plugin of the plurality of plugins based on the plugin identifier. Furthermore, the plugin may determine an operation to be performed corresponding to the component based on the operation identifier and execute the operation to collect a type of diagnostic information specified for the component.
Abstract: Examples of the present disclosure can include a method. The method may include (1) obtaining, by a network function virtualization orchestrator (“NFVO”), path computation information from the integrated network, the integrated network including a virtual source and a virtual destination, (2) generating, using the path computation information, segments identifying portions of a virtual network path originating at the virtual source and terminating at the virtual destination, (3) generating, by a virtual infrastructure manager (“VIM”), a plurality of labels associated with physical links on the physical network corresponding to the identified portions of the virtual network path, and (4) determining, by the NFVO and using the plurality of labels, a network path for data transfer over the integrated network, the network path identifying virtual and physical network elements.
Abstract: The present disclosure is related to methods, systems, and machine-readable media for force provisioning virtual objects in degraded stretched clusters. A request to provision a virtual object by a stretched cluster according to a storage policy specified as part of the request can be received by a software defined data center (SDDC). The cluster can include a plurality of sites. An insufficiency of storage policy resources to satisfy the storage policy specified for the virtual object can be determined. The virtual object can be force provisioned responsive to determining storage policy resources sufficient to satisfy the storage policy at one of the plurality of sites.
Type:
Grant
Filed:
November 15, 2021
Date of Patent:
June 25, 2024
Assignee:
VMware LLC
Inventors:
Duncan Epping, Frank Denneman, Cormac Hogan
Abstract: The current document is directed to methods and systems that generate lists of component types and quantities needed for system installations based on parameter values that characterize the system, environment, and application domain, referred to as “input values.” An implementation of a private-5G-network component-type-and-quantity-determination system is disclosed. An initial model used to generate component types and quantities is generated from information acquired from various information sources, including system vendors, designers, and/or administrators. The initial model is used to generate lists of component types and quantities on behalf of requesting entities during an initial period of system operation.
Abstract: Example methods and systems for media access control (MAC) address assignment for virtual network interface cards (VNICs) are described. One example may involve a first computer system determining a first MAC address portion that is uniquely associated with the first computer system. A first VNIC may be assigned a first MAC address that includes (a) the first MAC address portion and (b) a third MAC address portion that is uniquely associated with the first VNIC on the first computer system. A second VNIC may be assigned a second MAC address that includes (a) the first MAC address portion and (b) a fourth MAC address portion that is uniquely associated with the second VNIC on the first computer system. The first computer system may perform traffic handling by processing packets specifying the first MAC address or the second MAC address.
Abstract: Systems and methods are described for communications across privilege domains within a central processing unit (“CPU”) core. The CPU core can store a kernel context associated with an operating system within the CPU. An application can request access to the CPU, and the CPU can load a user context associated with the application into the CPU. The CPU can execute instructions from the application while both the kernel context and the user context persist in the CPU. Because both contexts are stored on the CPU, the CPU can switch contexts without loading or unloading context data from memory.
Abstract: Disclosed are various embodiments for a unified boot image that can be used to install an operating system onto a host machine and a respective operating system onto a data processing unit (DPU) installed on the host machine. The unified boot image contains installation files for installing an operating system on the host machine and an installation depot that can be used to create a boot image for installing the same or a different operating system on the DPU. During installation of an operating system on a host machine, the installation workflow can also require installation of an additional operating system or other configuration of a DPU installed in the host machine. In response to determining that an operating system is to be installed on the DPU, the installation depot can be obtained and reformatted into a downloadable format that is compatible with the DPU.
Abstract: In one set of embodiments, a hypervisor of a host system can receive a packet processing program from a virtual network interface controller (NIC) driver of a virtual machine (VM) running on the hypervisor. The hypervisor can then attach the packet processing program to a first execution point in a physical NIC driver of the hypervisor and to a second execution point in a virtual NIC backend of the hypervisor, where the virtual NIC backend corresponds to a virtual NIC of the VM that originated the packet processing program.
Type:
Grant
Filed:
July 21, 2020
Date of Patent:
June 18, 2024
Assignee:
VMware LLC
Inventors:
Bo Chen, Songtao Zheng, Shu Wu, Bingqing Shao, Yi Liao, Danqi Sun
Abstract: Some embodiments provide a method for modifying a firewall rule of a security policy implemented in a network. The method identifies a set of compute machines to be added to a match condition for the firewall rule. The match condition is expressed using one or more groups of compute machines. The method selects a set of groups for the identified set of compute machines from a plurality of existing groups of compute machines based on a user-specified threshold indicating tolerance for inclusion of compute machines that are not in the identified set of compute machines in the selected groups. The method uses the selected set of groups for the match condition of the firewall rule.
Abstract: Solutions for enabling lower privilege users (e.g., applications, virtualized computing environment applications such as virtual machines or containers) to perform requests for service (e.g., remote procedure calls) that require higher privilege include: receiving, by a relay service executing at a first privilege level, from an application executing at a lower privilege level, a received request for service. The first privilege level is sufficient for the request, however, the application's privilege level is insufficient. The relay service determines whether the application is authorized to perform the request by comparing the application identity and the request with privilege exception information (e.g., a list of application identities and corresponding requests that are subject to privilege exception). If the application's request is authorized, the relay service relays the request (e.g.
Abstract: Some embodiments of the invention provide a method of deploying first and second tenant deployable elements to a set of one or more public clouds, the first and second tenant deployable elements being different types of elements. The method identifies first and second sets of performance metrics respectively for first and second sets of candidate resource elements to use to deploy the first and second tenant deployable elements, the two sets of performance metrics being different sets of metrics because the first and second tenant deployable elements are different types of elements, the first set of performance metrics having at least one metric that is not included in the second set of performance metrics.
Abstract: Various examples are described for improving accessibility in a user interface. A user interface is generated to manipulate a floorplan. A list user interface element can be included that allows a user to assign unassigned locations in a floorplan without having to drag and drop within the user interface.
Abstract: An example method of mitigating oversubscription of traffic to edge services gateways (ESGs) in a data center includes: receiving, by a host of the data center, traffic metrics corresponding to the ESGs; determining traffic congestion at a first active edge of the ESGs in response to the traffic metrics; dividing, in response to the traffic congestion, a classless inter-domain routing (CIDR) block assigned to the first active edge into a first CIDR block and a second CIDR block; and creating, in a routing table of a router, a first route between an internet protocol (IP) address of the first active edge and the first CIDR block, and a second route between an IP address of a second active edge of the ESGs and the second CIDR block.
Abstract: Some embodiments of the invention provide a method of implementing an intent-based intrusion detection and prevention system in a datacenter that includes at least one host computer executing multiple machines. The method receives multiple contextual attributes associated with a set of data messages processed by the multiple machines executing on the at least one host computer, the multiple contextual attributes including contextual attributes that are not L2-L4 attributes and that define a compute environment in which one or more workloads performed by the multiple machines executing on the at least one host computer operate. The method uses the received multiple contextual attributes to perform a filtering operation to identify, from multiple intrusion detection signatures, a set of intrusion detection signatures applicable to the one or more workloads.
Abstract: An example method of application identification in a virtualized computing system having a cluster of hosts, the hosts including virtualization layers supporting virtual machines (VMs), is described. The method includes: executing, by application analysis software, process discovery agents for the VMs; receiving, at the application analysis software from the process discovery agents, process metadata describing processes executing on the VMs; generating signatures for the processes based on the process metadata; and determining components of an application based on the signatures.
Type:
Grant
Filed:
July 23, 2021
Date of Patent:
June 11, 2024
Assignee:
VMware LLC
Inventors:
Padmaja Vrudhula, Timothy Michael Jones, Matthew David Conger-Eldeen, Nicholas Seemiller
Abstract: A method of upgrading a VIM server appliance includes: creating a snapshot of logical volumes mapped to physical volumes that store configuration and database files of virtual infrastructure management (VIM) services provided by a first VIM server appliance to be upgraded; after the snapshot is created, expanding the configuration and database files to be compatible with a second VIM server appliance; replicating the logical volumes which have been modified as a result of expanding the configuration and database files, in the second VIM server appliance; after replication, performing a switchover of VIM services that are provided, from the first VIM server appliance to the second VIM server appliance; and upon failure of any of the steps of expanding, replicating, and performing the switchover, aborting the upgrade, and reverting to a version of the configuration and database files that was preserved by creating the snapshot.