Abstract: Metadata of a shared file in a clustered file system is changed in a way that ensures cache coherence amongst servers that can simultaneously access the shared file. Before a server changes the metadata of the shared file, it waits until no other server is attempting to access the shared file, and all I/O operations to the shared file are blocked. After writing the metadata changes to the shared file, local caches of the other servers are updated, as needed, and I/O operations to the shared file are unblocked.

Abstract: Mechanisms have been developed for securing computational systems against certain forms of attack. In particular, it has been discovered that, by scanning an input string for subsequences contained therein and configuring the computational system to generate a fault (or other triggered event) coincident with access to a memory location corresponding to one or more possible interpretations of data contained in the input string, it is possible to detect and/or interdict many forms of attack. For example, some realizations may scan for subsequences susceptible to interpretation as valid, canonical addresses, or as addresses in ranges that contain code, the stack, the heap, and/or system data structures such as the global offset table. Some realizations may scan for subsequences susceptible to interpretation as format strings or as machine code or code (source or otherwise) that could be executed in an execution environment (such as a Java™ virtual machine) or compiled for execution.

Abstract: A virtual-machine-based system provides a mechanism to implement application file I/O operations of protected data by implementing the I/O operations semantics in a shim layer with memory-mapped regions. The semantics of these I/O operations are emulated in a shim layer with memory-mapped regions by using a mapping between a process' address space and a file or shared memory object. Data that is protected from viewing by a guest OS running in a virtual machine may nonetheless be accessed by the process.

Abstract: Embodiments perform adaptive throttling of tasks into a virtual datacenter having dynamically changing resources. Tasks are processed concurrently in batches. The rate of change in throughput at different batch sizes is calculated. With each iteration, the batch size is increased or decreased based on the rate of change to achieve a maximum throughput for given resources and load on the virtual datacenter.

Abstract: Multiple servers sharing a distributed file system are used to perform copies of regions of a source file in parallel from a source storage unit to corresponding temporary files at a destination storage unit. These temporary files are then merged or combined into a single file at the destination storage unit in a way that preserves the inode structure and attributes of the source file. A substantial speedup is obtained by copying regions of the file in parallel.

Abstract: A shared input/output (IO) resource is managed in a decentralized manner. Each of multiple hosts having IO access to the shared resource, computes an average latency value that is normalized with respect to average IO request sizes, and stores the computed normalized latency value for later use. The normalized latency values thus computed and stored may be used for a variety of different applications, including enforcing a quality of service (QoS) policy that is applied to the hosts, detecting a condition known as an anomaly where a host that is not bound by a QoS policy accesses the shared resource at a rate that impacts the level of service received by the plurality of hosts that are bound by the QoS policy, and migrating workloads between storage arrays to achieve load balancing across the storage arrays.

Abstract: An administrator may set restrictions related to the operation of a virtual machine (VM), and virtualization software enforces such restrictions. There may be restrictions related to the general use of the VM, such as who may use the VM, when the VM may be used, and on what physical computers the VM may be used. There may be similar restrictions related to a general ability to modify a VM, such as who may modify the VM. There may also be restrictions related to what modifications may be made to a VM, such as whether the VM may be modified to enable access to various devices or other resources. There may also be restrictions related to how the VM may be used and what may be done with the VM. Information related to the VM and any restrictions placed on the operation of the VM may be encrypted to inhibit a user from circumventing the restrictions.

Abstract: A cloud computing environment with the ability to deploy a web application that has been developed using one of a plurality of application frameworks and is configured to execute within one of a plurality of runtime environments can be delivered as a self-contained virtual machine disk image configured to launch in a virtualization environment. Upon request (or alternatively, in a pre-processing phase), a cloud computing platform provider can compose a virtual machine disk image comprising the cloud computing environment. The virtual machine disk image may be attached to any virtual machine, whether running on a personal computing device such as a laptop or in an infrastructure-as-a-service service provider to provide a cloud computing environment that is automatically configured to receive and deploy a web application.

Abstract: Embodiments provide a network address translation (NAT) service for network devices. A network connection from at least one private network device to the NAT service is received and a network connection from at least one remote device to the NAT service is received. The private network device is positioned within a private network and the remote device is positioned within a public network. A network availability of the remote device is determined. If the remote device is unavailable or a network configuration setting associated with the remote device changes, the private network device is notified and a connection reset message is transmitted to the private network device.

Abstract: The disclosure herein describes a client-side system that enhances user experience on a remoting client without consuming additional network bandwidth. During operation, the system receives a sequence of frame updates for a display screen, and determines a sequence of frames corresponding to the frame updates. The system further adaptively applies one or more image enhancing techniques to the sequence of frames based on available network bandwidth, frame refresh rate, or image quality. The image enhancement techniques include predicting a frame based on previously received frames, interpolating a frame based on at least two buffered frames, and reducing appearance of artifacts in a received frame, thereby reducing visual artifacts.

Abstract: A computer-implemented method for accessing a patch file for use in a system center configuration manager (SCCM) environment. The method includes accessing a patch file by a patch file agent, wherein the patch file agent is located in a system center configuration manager (SCCM) environment; and providing the patch file, by the patch file agent, to a server update services (SUS) without requiring use of a system center updates publisher (SCUP).

Abstract: A method for enforcing a network policy is described herein. In the method, a network socket event request from an application executing in a first context is intercepted by an agent prior to the request reaching a transport layer in the first context. A context refers to virtualization software, a physical computer, or a combination of virtualization software and physical computer. In response to the interception of the request, the agent requests a decision on whether to allow or deny the network socket event request to be communicated to a security server executing in a second context that is distinct from the first context. The request for a decision includes an identification of the application. The agent then receives from the security server either an allowance or a denial of the network socket event request, the allowance or denial being based at least in part on the identification of the application and a security policy.

Abstract: Techniques are disclosed for securing traffic flowing across multi-tenant virtualized infrastructures using group key-based encryption. In one embodiment, an encryption module of a virtual machine (VM) host intercepts layer 2 (L2) frames sent via a virtual NIC (vNIC). The encryption module determines whether the vNIC is connected to a “secure wire,” and invokes an API exposed by a key management module to encrypt the frames using a group key associated with the secure wire, if any. Encryption may be performed for all frames from the vNIC, or according to a policy. In one embodiment, the encryption module may be located at a layer farthest from the vNIC, and encryption may be transparent to both the VM and a virtual switch. Unauthorized network entities which lack the group key cannot decipher the data of encrypted frames, even if they gain access to such frames.

Abstract: Exemplary methods, apparatuses, and systems receive a copy of or make a copy of one or more packets of a flow of packets between a source and a destination. While or after the one or more packets are forwarded to the destination, the content of the one or more packets is compared to a policy to determine if the flow of packets triggers a policy response. A map of devices within a datacenter cluster of devices is maintained and used to select one or more available devices when packet inspection is distributed.

Abstract: Techniques for performing I/O load balancing are provided. In one embodiment, a computer system can receive an I/O request destined for a storage array, where the computer system is communicatively coupled with the storage array via a plurality of paths, and where the plurality of paths include a set of optimized paths and a set of unoptimized paths. The computer system can further determine whether the I/O request can be transmitted to the storage array via either an optimized path or an unoptimized path, or solely via an optimized path. The computer system can then select a path in the plurality of paths based on the determination and transmit the I/O request to the storage array via the selected path.

Abstract: A method for migrating a virtual machine disk (VM disk) from first physical storage to second physical storage while the virtual machine (VM) is running, the method comprising: (a) creating a first child VM disk to which writes are redirected from a first parent VM disk, the first parent VM disk being on the first physical storage; (b) copying the first parent VM disk to the second physical storage as a second parent VM disk; (c) re-parenting the first VM child disk to the second parent VM disk; and (d) consolidating the first child VM disk and the second parent VM disk.

Abstract: In one embodiment, a server system receives, from a client device configured to remotely access a desktop hosted by the server system, user input directed to the desktop. The server system further identifies a desktop operation to be performed in response to the user input, where the identifying is performed without relying on preconfigured information that indicates what the desktop operation should be, determines when the desktop operation has completed, and adds, upon completion of the desktop operation, one or more markers to the desktop. The server system then transmits an image of the desktop that includes the one or more markers to the client device, thereby signaling the completion of the desktop operation to the client device.

Abstract: In one embodiment, a method for placing virtual machines in a collection is provided. A plurality of equivalence sets of compatible hosts is determined prior to placing virtual machines in the collection. The hosts in an equivalence set of hosts are considered similar. An equivalence set of hosts in the plurality of equivalence sets is selected to place the virtual machines in the collection. The method then places at least a portion of the virtual machines in the collection on one or more hosts in the selected equivalence set of hosts.

Abstract: A method and system for enabling viewing of email attachments through a system external to the email application itself In one embodiment, the email application creates categories and the email attachments are accordingly categorized. These categories are mapped into a format understandable by the external system, and provided to the external system in such format. In one embodiment, the email application appears as a file system to the operating system of a user's computer. The created categories are provided to the operating system as the “folders” in the file system. In one embodiment, the file system seen by the external system is a virtual file system, and any sub-categories and/or email attachment themselves are provided to the external system upon a specific request.

Abstract: In one embodiment, a method includes storing a cost assigned to a physical computing device in a storage device. The physical computing device is found in a physical infrastructure of a data center. The method determines an instantiation of a virtual machine in a virtual infrastructure. Information for a provisioning of the virtual machine with the physical computing device in the physical infrastructure of the data center is then received. The cost assigned to the physical computing device from the storage device is determined where the cost is used to determine a charge for the virtual machine based on usage of the physical computing device.