Abstract: Automated, computer-implemented methods and systems for resolving performance problems with objects executing in a data center are described. The automated methods use machine learning to train a model that comprises rules defining relationships between probabilities of event types of in log messages and values of a key performance indictor (“KPI”) of the object over a historical time period. When a KPI violates a corresponding threshold, the rules are used to evaluate run time log messages that describe the probable root cause of the performance problem. An alert identifying the KPI threshold violation, and the log messages are displayed in a graphical user interface of an electronic display device.

Abstract: Some embodiments of the invention provide a novel method for managing layer four (L4) ports associated with a machine executing on a host computer. The method collects a set of contextual attributes relating to applications executing on the machine. It then analyzes the collected contextual attributes to identify at least one L4 port that has to have its status modified. Next, it modifies the status of the identified L4 port. In some embodiments, the status of an L4 port can be either open or closed, and the modification can open a closed port or close an open port. In some embodiments, the method is performed when the machine starts up on the host computer, performed each time a new application is installed on the machine, performed periodically to close unused L4 ports, and/or performed periodically to close L4 ports that should not be open based on a set of L4-port control policies.

Abstract: Some embodiments of the invention provide a method of implementing an intent-based intrusion detection and prevention system in a datacenter that includes at least one host computer executing multiple machines. The method receives multiple contextual attributes associated with a set of data messages processed by the multiple machines executing on the at least one host computer, the multiple contextual attributes including contextual attributes that are not L2-L4 attributes and that define a compute environment in which one or more workloads performed by the multiple machines executing on the at least one host computer operate. The method uses the received multiple contextual attributes to perform a filtering operation to identify, from multiple intrusion detection signatures, a set of intrusion detection signatures applicable to the one or more workloads.

Abstract: Disclosed are various examples of providing provide efficient waiting for detection of memory value updates for Advanced RISC Machines (ARM) architectures. An ARM processor component instructs a memory agent to perform a processing action, and executes a waiting function. The waiting function ensures that the processing action is completed by the memory agent. The waiting function performs an exclusive load at a memory location, and a wait for event (WFE) instruction that causes the ARM processor component to wait in a low-power mode for an event register to be set. Once the event register is set, the waiting function completes and a second processing action is executed by the ARM processor component.

Abstract: A device tracks accesses to pages of code executed by processors and modifies a portion of the code without terminating the execution of the code. The device is connected to the processors via a coherence interconnect and a local memory of the device stores the code pages. As a result, any requests to access cache lines of the code pages made by the processors will be placed on the coherence interconnect, and the device is able to track any cache-line accesses of the code pages by monitoring the coherence interconnect. In response to a request to read a cache line having a particular address, a modified code portion is returned in place of the code portion stored in the code pages.

Abstract: The disclosure provides an example method for implementing a network policy in a software defined networking environment. The method generally includes receiving a manifest defining a plurality of pods, wherein: for a first pod, the manifest defines a first environment value, a first port number for a first container of the first pod, and a name for the first port number; for a second pod, the manifest defines the first environment value, a second port number for a second container of the second pod, and the name for the second port number; and the manifest defines a security policy applied to a third pod which defines a first egress policy indicating the first environment value and the name; and creating, based on the manifest indicating different port numbers, but the same name, for the different containers of the different pods, separate egress firewall rules for the first and second pods.

Abstract: For a distributed storage system that has an active-active configuration for hosts and which uses an Internet small computer system interface (iSCSI) protocol, techniques are provided to identify/select a plurality of paths to a target. An active optimized path is selected for a host that is an object owner, and an active non-optimized path is selected for a host that is a component owner. The selection of the optimized path for a host is further based on whether that host has sufficient processor and memory resources to service input/output for the target. A standby path is selected for any other host that is neither an object owner or a component owner. The selected paths are provided to an initiator so as to enable the initiator to choose at least one of the paths to access the target for the input/output.

Abstract: A method of updating a desired state of a virtualization software for a cluster of hosts includes: in response to a notification of a change associated with the cluster, determining versions of a base image of the virtualization software that are compatible with the cluster; for each compatible version of the base image, determining versions of an add-on image of the virtualization software that are compatible with the compatible version of the base image and the cluster; presenting as a recommended image a complete image of the virtualization software, the complete image containing a first version of the base image that is compatible with the cluster and a first version of the add-on image that is compatible with the first version of the base image and the cluster; and upon acceptance of the recommended image, updating a software specification to include the recommended image.

Abstract: Methods, apparatus, systems, and articles of manufacture are disclosed to generate code as a plug-in in a cloud computing environment. An example system includes at least one memory, programmable circuitry, and machine readable instructions to program the programmable circuitry to introspect code in a library to obtain introspection data, the library corresponding to a resource that is to be deployed in a cloud infrastructure environment, generate a model based on the introspection data, the model to be a representation of the resource, cross-reference the model with a resource meta-model, the resource meta-model to map characteristics of the resource represented by the model to an actual state of the resource, and generate a plug-in based on the cross-referenced model.

Abstract: A method of managing the sharing of inventory data across a plurality of data centers, includes the steps of detecting a change made to the inventory data by one of the data centers, updating a desired state document that specifies a desired state of each of the data centers, the updated desired state document including the inventory data as changed, and instructing each of other ones of the data centers to update the inventory data using the updated desired state document. Each of the data centers employ a database for storing the inventory data, and so after the remaining ones of the data centers have updated the inventory data using the updated desired state document, the change made to the inventory data stored in the database of one of the data centers is replicated in the respective databases of the remaining ones of the data centers.

Abstract: Example methods and systems to support accessibility to a web page are disclosed. One example method includes examining a document to be rendered to the web page and determining whether an accessibility issue exists in the document. In response to determining that the accessibility issue exists in the document, the example method further includes determining whether a first remediation of the document corresponding to the accessibility issue exists. In response to determining that the first remediation exists, the example method further includes performing the first remediation to the document to generate a first remediated document to be rendered to the web page. After performing the first remediation, the example method includes examining the first remediated document and determining whether an additional accessibility issue exists in the first remediated document.

Abstract: An example method includes: executing, by application analysis software executing in the virtualized computing system, process discovery agents on the VMs; receiving, at the application analysis software from the process discovery agents, process metadata describing processes executing on the VMs; generating signatures for the processes based on the process metadata; determining components of an application based on the signatures; determining components of an application based on the signatures; identifying, for a first component of the components, a component-specific metadata collector; executing, by the application analysis software, the component-specific metadata collector on a first VM of the VMs; and receiving, at the application analysis software from the component-specific metadata collector, custom metadata further describing a first process of the processes associated with the first component.

Abstract: Described herein are systems, methods, and software to manage internet protocol (IP) address allocation for tenants in a computing environment. In one implementation, a logical router associated with a tenant in the computing environment requests a public IP address for a new segment instance from a controller. In response to the request, the controller may select a public IP address from a pool of available IP addresses and update networking address translation (NAT) on the logical router to associate the public IP address with a private IP address allocated to the new segment instance.

Abstract: Some embodiments provide a method for detecting a threat to a datacenter. The method receives a set of connections between a set of DCNs in the datacenter over a particular time period. The set of DCNs includes at least a first DCN at which a first anomalous event was detected. The method analyzes a set of detected anomalous events to identify additional anomalous events detected at other DCNs in the set of DCNs during the particular time period. Based on the first anomalous event and identified additional anomalous events, the method determines whether the anomalous events indicate a threat to the datacenter.

Abstract: Some embodiments provide a method for synchronizing state between multiple smart NICs of a host computer that perform operations using dynamic state information. At a first smart NIC of the plurality of smart NICs, the method stores a set of dynamic state information. The method synchronizes the set of dynamic state information across a communication channel that connects the smart NICs so that each of the smart NICs also stores the set of dynamic state information.

Abstract: Some embodiments of the invention provide a method of performing services on a host computer on which a machine executes. The method sends, to a file inspector, a first set of data associated with an event detected on the machine that is associated with a file stored on the machine. The method receives, from the file inspector, indication that the file stores confidential information. The method sends, to a context engine executing on the host computer separately from the machine, a second set of data associated with the file, the context engine storing the second set of data for subsequent access by a service engine that executes on the host computer separately from the machine, the service engine using the second set of data to perform a service operation on data messages associated with the machine.

Abstract: A virtual machine (VM) is migrated from a source host to a destination host in a virtualized computing system, the VM having a plurality of virtual central processing units (CPUs). The method includes copying, by VM migration software executing in the source host and the destination host, memory of the VM from the source host to the destination host by installing, at the source host, write traces spanning all of the memory and then copying the memory from the source host to the destination host over a plurality of iterations; and performing switch-over, by the VM migration software, to quiesce the VM in the source host and resume the VM in the destination host. The VM migration software installs write traces using less than all of the virtual CPUs, and using trace granularity larger than a smallest page granularity.

Abstract: A method of migrating an application to a container platform includes the steps of: installing a first agent that collects information about the application; detecting information about a first process of the application, wherein the detected information about the first process is received from the first agent; and based on the detected information about the first process, generating a container file including instructions for building a first container that executes the first process and a deployment file for deploying the first container for execution on the container platform.

Abstract: In one set of embodiments, each server executing a secure multi-party computation (MPC) protocol can receive shares of inputs to the MPC protocol from a plurality of clients, where each input is private to each client and where each share is generated from its corresponding input using a threshold secret sharing scheme. Each server can then verify whether the shares of the plurality of inputs are valid/invalid and, for each invalid share, determine whether a client that submitted the invalid share or a server that holds the invalid share is corrupted. If the client that submitted the invalid share is corrupted, each server can ignore the input of that corrupted client during a computation phase of the MPC protocol. Alternatively, if the server that holds the invalid share is corrupted, each server can prevent that corrupted server from participating in the computation phase.

Abstract: Methods and apparatus to validate and restore machine configurations are disclosed herein. An example apparatus includes a context identifier to obtain first context information for a first set of configuration update events occurring on a computing device, a guest agent interface to transmit the first set of configuration update events to a security manager for generation of a policy, the policy including allowable configuration update events and responses to unallowable configuration update events, an event comparator to compare second context information of a subsequent configuration update event obtained by the context identifier to the policy received from the security manager, and an event handler to determine, when the subsequent configuration update event is not included in the policy, that the subsequent configuration update event is to be transmitted to the security manager for generation of an updated policy.