Abstract: Site reliability engineering (SRE) may be provided as a service to software products, such as an on-premises software product residing at a first computing environment. A SRE service site may be hosted at a second computing environment that is remote and separate from the first computing environment. A SRE agent resides at the first computing environment to monitor the software product, and provides information, such as metric data or log information pertaining to the software product, to the SRE service site. A SRE service of the SRE service site performs analysis of the information to identify an issue with the software product, diagnosis to determine a cause of the issue, and identifies a remediation that may be applied by the SRE agent to address the issue.

Abstract: A method for containerized workload scheduling can include monitoring network traffic between a first containerized workload deployed on a node in a virtual computing environment to determine affinities between the first containerized workload and other containerized workloads in the virtual computing environment. The method can further include scheduling, based, at least in part, on the determined affinities between the first containerized workload and the other containerized workloads, execution of a second containerized workload on the node on which the first containerized workload is deployed.

Abstract: Dynamic supply of trusted certificates to a containerized environment by mounting a directory into a container image can be implemented as computer-readable methods, media and systems. The directory stores trusted certificates related to a tenant account at a platform system. The trusted certificates include user specific trusted certificates relevant for authentication at an external system and default certificates relevant for an operating system running at a containerized runtime environment of the tenant account. The trusted certificates are used during execution of functions requested by a user of the tenant account. A function that is defined for a tenant account is executed at a container instantiated at the containerized runtime environment of the platform system. The function dynamically uses the trusted certificates maintained at the directory that is mounted at the containerized runtime environment, where at least one of the trusted certificates is used for authentication at the external system.

Abstract: The disclosure herein describes deduplicating data chunks using chunk objects. A batch of data chunks is obtained from an original data object and a hash value is calculated for each data chunk. A first duplicate data chunk is identified using the hash value and a hash map. A chunk logical block address (LBA) of a chunk object is assigned to the duplicate data chunk. Payload data of the duplicate data chunk is migrated from the original data object to the chunk object, and a chunk map is updated to map the chunk LBA to a physical sector address (PSA) of the migrated payload data on the chunk object. A hash entry is updated to map to the chunk object and the chunk LBA. An address map of the original data object is updated to map an LBA of the duplicate data chunk to the chunk object and the chunk LBA.

Abstract: Automated computer-implemented methods and systems for troubleshooting and resolving problems with objects of a cloud infrastructure are described herein. In response to detecting abnormal behavior of an object running in the cloud infrastructure based on a key performance indicator (“KPI”) of the object, a graphical user interface (“GUI”) is displayed to enable a user to select KPIs of components of the object. For each of the components, a separate rule learning engine is deployed to generate rules for detecting a problem with the component based on the KPI of the object and the KPIs of the component. The rules are subsequently used to detect a runtime problem with the object and display in the GUI remedial measures for resolving the problem. Remedial measures are automatically executed to resolve the problem with the object via the GUI.

Abstract: A software-defined wide area network (SD-WAN) environment that leverages network virtualization management deployment is provided. Edge security services managed by the network virtualization management deployment are made available in the SD-WAN environment. Cloud gateways forward SD-WAN traffic to managed service nodes to apply security services. Network traffic is encapsulated with corresponding metadata to ensure that services can be performed according to the desired policy. Point-to-point tunnels are established between cloud gateways and the managed service nodes to transport the metadata to the managed service nodes using an overlay logical network. Virtual network identifiers (VNIs) in the metadata are used by the managed service nodes to identify tenants/policies.

Abstract: The current document is directed a resource-exchange system that facilitates resource exchange and sharing among computing facilities. The currently disclosed methods and systems employ efficient, distributed-search methods and subsystems within distributed computer systems that include large numbers of geographically distributed data centers to locate resource-provider computing facilities that match the resource needs of resource-consumer computing-facilities based on attribute values associated with the needed resources, the resource providers, and the resource consumers. Nested-hypervisor technology is employed, in disclosed implementations, to guarantee data security for, and prevent monitoring of operational states and characteristics of, resource-consumer virtual machines and virtual applications while they execute above leased computational resources in remote computing facilities.

Abstract: Methods, apparatus, systems, and articles of manufacture are disclosed to generate code as a plug-in in a cloud computing environment. An example system includes at least one memory, programmable circuitry, and machine readable instructions to program the programmable circuitry to introspect code in a library to obtain introspection data, the library corresponding to a resource that is to be deployed in a cloud infrastructure environment, generate a model based on the introspection data, the model to be a representation of the resource, cross-reference the model with a resource meta-model, the resource meta-model to map characteristics of the resource represented by the model to an actual state of the resource, and generate a plug-in based on the cross-referenced model.

Abstract: Some embodiments of the invention provide a method for WAN (wide area network) optimization for a WAN that connects multiple sites, each of which has at least one router. At a gateway router deployed to a public cloud, the method receives from at least two routers at least two sites, multiple data streams destined for a particular centralized datacenter. The method performs a WAN optimization operation to aggregate the multiple streams into one outbound stream that is WAN optimized for forwarding to the particular centralized datacenter. The method then forwards the WAN-optimized data stream to the particular centralized datacenter.

Abstract: Some embodiments provide a method of implementing service rules for a container cluster that is configured by a first SDN controller cluster. The method registers for event notification from an application programming interface (API) server to receive notification regarding events associated with resources deployed in the container cluster. The method forwards to a second SDN controller cluster resource identifiers collected through the registration for resources of the container cluster. The second SDN controller cluster defines service policies that are not defined by the first SDN controller cluster. The method receives, from the second SDN controller cluster, service policies defined by the second SDN controller cluster based on the resource identifiers. The method distributes service rules defined based on the service policies to network elements in the container cluster to enforce on data messages associated with machines deployed in the container cluster configured by the first SDN controller cluster.

Abstract: This disclosure is directed to automated computer-implemented methods and systems for optimizing and provisioning virtual data storage of virtual machines in a data center. The methods and systems attach virtual disks to virtual machines on the same datastore of the VMs. The methods and systems adjust storage space of the VDs based on storage space available to the VDs, and retains data stored in the VDs in response to receiving a request to delete the VM and the VD identifies as persistent.

Abstract: Automated computer-implemented methods and systems for automated detection and termination of idle objects executing in a cloud infrastructure. The methods and systems learn rules from previous instances in which the object was terminated based on log messages associated with the previous instances. The rules are used to perform real time detection of idle instances of the object and, in response, terminate the object.

Abstract: In a computer-implemented method for cardinality-based index caching of time series data, a cardinality of an index of a time series data monitoring system is determined. The cardinality of the index is compared to a cardinality threshold. Responsive to determining that the cardinality of the index exceeds the cardinality threshold, the index is cached in a local memory cache of a query node of the times series data monitoring system. Responsive to determining that the cardinality of the index does not exceed the cardinality threshold, the index is cached in a distributed memory cache of the times series data monitoring system.

Abstract: Some embodiments of the invention provide, for an intrusion detection and prevention system (IDPS) engine operating on a host computer deployed in a software-defined datacenter (SDDC), a method for detecting and analyzing malicious packet flows. Upon detecting a new packet flow, the method captures packets belonging to the new packet flow in a file. When the new packet flow ends, the method determines that a particular packet belonging to the new packet flow has triggered an alert indicating the particular packet includes a potentially malicious payload. The method annotates the file for the new packet flow with a set of contextual data that (1) specifies the new packet flow as a potentially malicious packet flow and (2) identifies the particular packet and at least one signature associated with the alert triggered by the particular packet.

Abstract: Techniques for detecting anomalies in a distributed application based on process data are provided. This process data can include, e.g., the hierarchy (i.e., tree) of processes created and run by the application, the file system operations performed by each process, the network access operations performed by each process.

Abstract: Drift is automatically detected in configuration of services running in a management appliance of a software-defined data center. A method of automatically detecting drift includes: in response to a notification of a change in a configuration of a first service enabled for proactive drift detection, transmitting a first request to compute drift in the configuration of the first service to a plug-in of the first service, the first request including the change in the configuration of the first service; periodically, at designated time intervals, transmitting a second request to compute drift in the configuration of a second service enabled for passive drift detection, to the plug-in of the second service, the second request including a current state of the configuration of the second service; and notifying a desired state management service of the computed drift in the configuration of the first and second services.

Abstract: Some embodiments of the invention provide a method for forwarding packets through an SD-WAN. To facilitate the forwarding of packets between first and second regions of the SD-WAN, said first and second regions having respective first and second hub routers forwarding packets between respective first and second sets of edge routers of respective first and second sets of sites of the first and second regions, the method directs (1) the first set of edge routers to establish connections to the first and second hub routers, and to use the first hub router as a next-hop to initiate communications with the second set of edge routers, and (2) the second set of edge routers to establish connections to the first and second hub routers, and to use the second hub router as a next-hop to initiate communications with the first set of edge routers.

Abstract: The disclosure herein describes converting a disk cluster to a different format. A format conversion instruction associated with a disk cluster is received. A first subgroup of disks of the disk cluster that are the emptiest disks of the disk cluster are identified and all data is evacuated from the first subgroup of disks to other disks of the disk cluster. The first subgroup of disks is reformatted based on the received format conversion instruction. A group of data objects stored in the disk cluster is converted based on the format conversion instruction and the converted group of data objects are written to the reformatted first subgroup of disks. The process iterates through the disks of the disk cluster to reformat all disks and convert all data objects based on the received format conversion instruction. The process reduces the write operations required to convert the format of the disk cluster.

Abstract: A virtualized computing environment includes a plurality of host computers, each host being connected to a physical network and having a hypervisor executing therein. To provision a virtual machine requiring a connection to a virtual network in one of the hosts, a candidate host for hosting the virtual machine, the candidate host having the virtual network configured therein, is selected. A request is then made for a status of the virtual network to the candidate host. The status of the virtual network is then received from the candidate host. If the virtual network is available, then the virtual machine is deployed to the candidate host. If the virtual network is not available, then a second candidate host is selected for hosting the virtual machine.

Abstract: One or more embodiments provide techniques that permit virtual computing instances in isolated environments to communicate information outside the isolated environments without requiring networking. In one embodiment, an encoder which runs in a virtual machine (VM) within an isolated environment, such as one of the VMs of a packaged virtual machine application that does not have external network connectivity, is configured to encode information, such as state information of the packaged virtual machine application, in portion(s) of a network address. The encoder further configures an unconnected network interface of the same VM, or another VM in the isolated environment, with the network address that includes the encoded information. A decoder, which could not otherwise communicate with the virtual computing instance via any network, may then retrieve the network address assigned to the unconnected network interface and decode that network address to obtain the information encoded therein.