Abstract: In an architecture of a virtualized computing system plugins are less tightly integrated with a core user interface of a management server. Rather than being installed and executed at the management server as local plugins, the plugins are served as remote plugins from a plugin server, and may be accessed by a web client through a reverse proxy at the management server. Plugin operations may be executed at the plugin server and/or invoked from a user device where the web client resides. Furthermore, a plugin sandbox and other isolation configurations are provided at the user device, so as to further control access capability and interaction of the plugins.

Abstract: Some embodiments provide a method of identifying packet latency in a software defined datacenter (SDDC) that includes a network and multiple host computers executing multiple machines. At a first host computer, the method identifies and stores (i) multiple time values associated with several packet processing operations performed on a particular packet sent by a first machine executing on the first host computer, and (ii) a time value associated with packet transmission through the SDDC network from the first host computer to a second host computer that is a destination of the particular packet. The method provides the stored time values to a set of one or more controllers to process to identify multiple latencies experienced by multiple packets processed in the SDDC.

Abstract: Techniques are described providing improved ways to benchmark and validate virtual desktop deployments where targeted workloads are delivered to virtual desktops based on parameters such as the desktop type and origin, and where workload operations can be triggered from the client device. Client instructions for performing workload operations can be encoded into a digital image such as a Quick Response (QR) code on the virtual desktop and inserted into the virtual desktop graphical user interface (GUI). The client decodes the digital image in the received GUI to obtain the instructions and actuate the operations. Completion of operations can be tracked to benchmark desktop performance.

Abstract: Disclosed are various examples for an application settings module that provides uniform access to diverse types of data, such as mobile device settings. A client device, such as a mobile device, can be configured through execution of program instructions to access a schema file comprising a definition of a plurality of keypaths, where individual ones of the plurality of keypaths uniquely correspond to one of a plurality of device settings and the keypaths are defined in the schema file in association with a plurality of methods. The client device can identify a function invoked using one of the keypaths to read or write a corresponding one of the device settings, whether stored locally or remote, and, in response to the function being invoked, execute a portion of the methods corresponding to the one of the keypaths in the schema file and return a result to a requesting process.

Abstract: Examples of device-driven management are described. A management console can include a set of workflow objects to use in a workflow creation user interface. Workflow objects can be positioned in the workflow creation user interface area based on user manipulation. A device state criteria overlay can be painted on a connector workflow object to indicates that a branch of executable instructions corresponding to the connector workflow object is performed where a client device corresponds to the specified device state criteria.

Abstract: An in-guest agent in a virtual machine (VM) operates in conjunction with a replication module. The replication module performs continuous data protection (CDP) by saving images of the VM as checkpoints at a disaster recovery site over time. Concurrently, the in-guest agent monitors for behavior in the VM that may be indicative of the presence of malicious code. If the in-guest agent identifies behavior (at a particular point in time) at the VM that may be indicative of the presence of malicious code, the replication module can tag a checkpoint that corresponds to the same particular point in time as a security risk. One or more checkpoints generated prior to the particular time may be determined to be secure checkpoints that are usable for restoration of the VM.

Abstract: System and method for managing migration of trusted execution environments (TEEs) based on migration policies utilizes a source migration agent in the source host computer and a destination migration agent in a destination host computer to migrate a source TEE in the source host computer to the destination host computer. A migration policy data of the source TEE is first transmitted to the destination migration agent from the source migration agent to determine whether the destination host computer satisfies migration policies specified in the migration policy data. In response to a determination that the destination host computer satisfies the migration policies specified in the migration policy data, a destination TEE is created in the destination host computer and memory pages of the source TEE are transmitted to the destination TEE. The memory pages are then restored at the destination TEE for execution.

Abstract: Systems and methods are described for efficient ways to manage storage of data in virtual desktops on writable volumes contained in attachable virtual disks. Multiple writeable volumes can be attached to a user's virtual desktop and data writes on the virtual desktop can be allocated among the writeable volumes based on preset policies or criteria, allowing the storage of different types of data in different writable volumes located on different storage devices.

Abstract: Disclosed are various examples of providing AI accelerator access as a service at the edge. In some embodiments an artificial intelligence (AI) accelerator device identifier is transmitted to register an AI accelerator with the AI broker service. An AI processing request for the AI accelerator is received from a networked computing device. A bus redirect of the AI accelerator to the networked device is enabled. An AI workload is performed controlled by the networked device through the bus redirect.

Abstract: A version control interface for data provides a layer of abstraction that permits multiple readers and writers to access data lakes concurrently. An overlay file system, based on a data structure such as a tree, is used on top of one or more underlying storage instances to implement the interface. Each tree node tree is identified and accessed by means of any universally unique identifiers. Copy-on-write with the tree data structure implements snapshots of the overlay file system. The snapshots support a long-lived master branch, with point-in-time snapshots of its history, and one or more short-lived private branches. As data objects are written to the data lake, the private branch corresponding to a writer is updated. The private branches are merged back into the master branch using any merging logic, and conflict resolution policies are implemented. Readers read from the updated master branch or from any of the private branches.

Abstract: Mapping of applications by the most common file path in which they are installed or found to be running. Embodiments of the disclosure may determine the most commonly occurring hash values appearing in events generated by a virtualized network. These most commonly occurring hash values may correspond to the hash values of file paths associated with the greatest number of detected events. The database may then be queried to determine the most commonly occurring file path for each of these hash values. A table of such most commonly occurring file paths and their associated hash values may then be compiled and stored. Use of the most commonly occurring file path in lieu of an alert's actual file path may prevent undesired or malicious processes from going undetected by simply adopting a new file path that has yet to be recognized as being associated with undesired behavior.

Abstract: A noisy neighbor in a cloud multitenant system can present resource governance issues. Usage quotas can be applied, and traffic can be throttled to mitigate the problem. Network traffic can be monitored from routers of a software defined data center (SDDC) configured to process network traffic for machines of different tenants. By default, the network traffic from the routers can be processed via a first edge router for the SDDC. A second edge router can be deployed for the SDDC in response to the network traffic from a particular router exceeding a threshold. Network traffic from the particular router can be processed via the second edge router while the remaining traffic can continue to be processed via the first edge router.

Abstract: Examples herein describe systems and methods for self-healing in a Telco network function virtualization cloud. KPI attributes for virtual network functions can be mapped to physical fault notifications to create synthesized alerts. The synthesized alerts can include information from both a virtual and physical layer, allowing a self-healing action framework to determine root causes of problems in the Telco cloud. Remedial actions can then be performed in either the virtual or physical layer of the Telco cloud. Remedial actions in one layer can be based on root causes identified in the other, which can allow for remediation before network downtime occurs.

Abstract: This disclosure is directed to automated processes for attesting to trustworthiness of a host considered for connection to a data center network. The attestation process is performed in two attestation phases. In the first phase, attestation is performed on a smart network interface controller (“SNIC”) connected to an internal bus of the host using a first trusted platform module (“TPM”) of the SNIC. In the second phase, attestation is performed on the host by the SNIC using a second TPM connected to the internal bus of the host in response to a determination that the SNIC is trustworthy. The host is connected to the data center network in response to a determination by the SNIC that the host is trustworthy.

Abstract: Examples described herein include systems and methods for brokerless reliable totally ordered many-to-many inter-process communication on a single node. A messaging protocol is provided that utilizes shared memory for one of the control plane and data plane, and multicast for the other plane. Readers and writers can store either control messages or message data in the shared memory, including in a ring buffer. Write access to portions of the shared memory can be controlled by a robust futex, which includes a locking mechanism that is crash recoverable. In general, the writers and readers can control the pace of communications and the crash of any process does not crash the overall messaging on the node.

Abstract: The disclosure provides an approach for coordinating a distributed vulnerability network scan. Embodiments include sending, by a computing node, a check-in message to a scanning coordinator, the check-in message indicating attributes of the computing node. Embodiments include receiving, by the computing node, a scan configuration message from the scanning coordinator, the scan configuration message comprising: scan timing information for the computing node; and a list of scanning targets for the computing node. Embodiments include determining, by the computing node, a scanning time window based on the scan timing information for the computing node. Embodiments include scanning, by the computing node, one or more scanning targets in the list of scanning targets for the computing node during the scanning time window.

Abstract: When containers run in a guest operating system of a virtual machine running on the host computer system, the containers communicate with each other via ports of each container and a network. The ports of each container stay constant, but the virtual machine in which they run may change its IP address on the network when it is power-cycled. To avoid losing connection to the ports of the containers, a record table that associates static identifiers, such as MAC addresses, of the virtual machine with the container ports is maintained. The static identifiers of the virtual machines do not change and provide a way of identifying the virtual machine on which the virtual container was running before it was powered off. When the virtual machine is powered on, the linkage between the container port and the network can be re-established using the record table.

Abstract: A system and method for observing and controlling a programmable network via higher layer attributes is disclosed. According to one embodiment, the system includes one or more collectors and a remote network manager. The one or more collectors are configured to receive network traffic data from a plurality of network elements in the network. The remote network manager is configured to connect to the one or more collectors over the Internet via a network interface. The one or more collectors extract metadata from the network traffic data and send the metadata to the network manager.

Abstract: A method and apparatus for autoscaling a custom resource of a containerized application handling system utilizes a metric value defined for a system object of the custom resource to scale the system object of the custom resource. An API request for the metric value is sent from an autoscaler to a control plane of the containerized application handling system to receive the metric value, which is compared to a desired metric value. A target scale metric value is then determined based on the comparison and posted in a database of the containerized application handling system. The system object of the custom resource is scaled by an operator of the containerized application handling system based on the posted target scale metric value.

Abstract: Examples disclosed herein relate to propagating changes made on a file system volume of a primary cluster of nodes to the same file system volume also being managed by a secondary cluster of nodes. An application is executed on both clusters, and data changes on the primary cluster are mirrored to the secondary cluster using an exo-clone file. The exo-clone file includes the differences between two or more snapshots of the volume on the primary cluster, along with identifiers of the change blocks and (optionally) state information thereof. Just these changes, identifiers, and state information are packaged in the exo-clone file and then exported to the secondary cluster, which in turn makes the changes to its version of the volume. Exporting just the changes to the data blocks and the corresponding block identifiers drastically reduces the information needed to be exchanged and processed to keep the two volumes consistent.