Abstract: In a computing system having virtualization software including a guest operating system (OS), a method for providing page tables that includes: providing a guest page table used by the guest OS and a shadow page table used by the virtualization software wherein at least a portion of the guest page table and the shadow page table share computer memory.

Abstract: Described herein are systems and methods for preventing a user mode USB driver from performing IOCTL operations other than read-safe IOCTLs on a USB device that has been claimed by a kernel mode driver or is in use by another user mode USB driver. In one method, it is determined whether a kernel mode USB driver will claim a device or whether the device will be available to be claimed by user mode USB drivers. In the event the device is claimed by a kernel mode USB driver, user mode USB drivers will be prevented from claiming the device. In the event the device is available for use by user mode USB drivers, but has been opened for write by one user mode USB driver, all other user mode USB drivers will be prevented from claiming the device. All IOCTL operations other than read-safe IOCTLs will be prevented from being performed by a user mode USB driver unless that USB driver has claimed the device.

Abstract: A memory management sub-system includes code executable by a processor fir performing selecting a plurality of contexts, and selecting a sample of the separately allocable portions of an address space for each of the contexts. For each of the selected allocable portions, a corresponding portion of the host memory to which the selected allocable portion is mapped is determined, and a count corresponding to a number of separately allocable portions of any context that are commonly mapped to the corresponding portion of the host memory. For each context, a metric is computed that is a function of the counts for that context. Host memory is allocated among the contexts at least in part based on their respective metrics.

Abstract: A trusted virtualization platform protects sensitive customer data during operation of virtual machines in a multi-tenant cloud computing center. The trusted virtualization platform limits administrator access to the data and state of the virtual machines running thereon, reports any changes made thereto, and requires keys provided by the customer or a trusted third party of the customer to perform management operations on the virtual machines. By requiring cloud computing centers to use such trusted virtualization platforms, customers uploading their virtual machines into the cloud computing center can be assured that cloud administrators will not be able to access or tamper with their private data. Furthermore, customers can directly audit all important state or configuration changes for their virtual machines as the trusted virtualization platform can be configured to report all such changes according to a security policy set by the customer.

Abstract: In a computing system having virtualization software including a guest operating system (OS), a method for providing page tables that includes: providing a guest page table used by the guest OS and a shadow page table used by the virtualization software wherein at least a portion of the guest page table and the shadow page table share computer memory; wherein: machine pages have a predetermined size; and the virtualization software maps guest OS physical pages to machine pages at a predetermined alignment.

Abstract: A one-way proxy system is provided that supports one-way analysis of a transport control protocol (TCP) data stream. The one-way proxy system is used to intercept a TCP data link between two respective TCP endpoints. A one-way analyzer such as a one-way content filter, virus scanner, or firewall may be used to analyze a TCP data stream that is intercepted by the one-way proxy system. The one way proxy system preserves TCP options and TCP properties associated with the TCP packets in the TCP data stream, so that an existing TCP session between the TCP endpoints can survive in the event of a hardware bypass operation. The one-way proxy has a low overhead because significant TCP processing of the TCP data stream is only required in one direction.

Abstract: A checkpointing fault tolerance network architecture enables a backup computer system to be remotely located from a primary computer system. An intermediary computer system is situated between the primary computer system and the backup computer system to manage the transmission of checkpoint information to the backup VM in an efficient manner. The intermediary computer system is networked to the primary VM through a high bandwidth connection but is networked to the backup VM through a lower bandwidth connection. The intermediary computer system identifies updated data corresponding to memory pages that have been least recently modified by the primary VM and transmits such updated data to the backup VM through the low bandwidth connection. In such manner, the intermediary computer system economizes the bandwidth capacity of the low bandwidth connection, holding back updated data corresponding to more recently modified memory pages, since such memory pages may be more likely to be updated again in the future.

Abstract: A user interface for managing allocations of network resources in a virtualized computing environment provides a graphical overview of the virtual computing environment that allows the user to visualize the virtual network, including the connections between the virtual network adapters and the uplink port groups that provide physical network resources for the virtual machines included in the virtualized computing environment. The user interface also provides graphical elements that allow the user to modify the virtual network, to migrate virtual machines from individual virtual switches to a distributed virtual switch, and/or to modify the arrangement of physical network adapters that provide network backing for the virtual machines. By providing these features, the user interface according to one or more embodiments of the present invention can allow the user to efficiently and safely manage the virtual network in the virtual computing environment.

Abstract: Some embodiments of the present invention include an execution unit of a processor and a memory management unit interposed between the execution unit and an interface to memory suitable for storage of both guest page tables maintained by a guest operating system and shadow page tables maintained generally in correspondence with the guest page tables by virtualization software. The memory management unit is configured to walk in-memory data structures that encode the shadow page tables, to access entries of the shadow page tables and, based thereon or on a cached representation of page mappings therein, to perform virtual-to-physical address translations relative to memory targets of instructions executed by the execution unit.

Abstract: A system and method for assigning virtual machines to network interfaces. A first virtual machine is assigned to a network interface according to a first rule and a second virtual machine is assigned to a network interface according to a second rule. The assignment rules are dependent on network conditions as determined through at least one of the network interfaces. The first rule and the second rule may specify assignments differently, such that the same network conditions may result in different assignments for the first and second virtual machines.

Abstract: I/O operations between a virtual machine (VM) and a device external to the VM are monitored by a virtual machine monitor (VMM). Data passing between the VM and the external device is transformed by the VMM, in some cases only when a predetermined filtering or triggering condition is met. Because the VMM, and thus the transformation operation, is transparent to the VM, the transformation cannot be prevented or undone or even affected by any action by a user of the VM. Examples of the non-defeatable transformation of I/O data include generating display overlays such as banners, masking out portions of a display, encryption, compression and network shaping such as bandwidth limiting.

Abstract: Described herein are approaches to managing expandable resource reservations. In one approach, a method is described in which an attempt is made to change a resource reservation from a first amount to a second amount. The second amount is examined to determine whether it exceeds a reservation limit. The second amount is compared with available resources, and reserved.

Abstract: Snapshots that are consistent across a group of data objects are generated. The snapshots are initiated by a coordinator, which transmits a sequence of commands to each storage node hosting a data object within a group of data objects. The first command prepares a data object for a snapshot. After a data object has been successfully prepared, an acknowledgment is sent to the coordinator. Once all appropriate acknowledgments are received, the coordinator sends a command to confirm that a snapshot has been created for each data object in the respective group. After receiving this confirmation, the coordinator takes action to confirm or record the successful completion of the group-consistent snapshot.

Abstract: For a virtual memory of a virtualized computer system in which a virtual page is mapped to a guest physical page which is backed by a machine page and in which a shadow page table entry directly maps the virtual page to the machine page, reverse mappings of guest physical pages are optimized by removing the reverse mappings of certain immutable guest physical pages. An immutable guest physical memory page is identified, and existing reverse mappings corresponding to the immutable guest physical page are removed. New reverse mappings corresponding to the identified immutable guest physical page are no longer added.

Abstract: A method and system for acquiring a quiesceing set of information associated with a virtual machine. A virtual machine is cloned. The cloned virtual machine has an associated persistent storage device. The state of the persistent storage device is transformed into a quiesced state of the cloned virtual machine by utilizing a shut-down process. The shut-down process is executed on the cloned virtual machine to quiesce the cloned virtual machine and the quiesceing set of information of the cloned virtual machine is automatically reduced to information stored on the persistent storage device.

Abstract: A cloud computing environment provides the ability to deploy a web application that has been developed using one of a plurality of application frameworks and is configured to execute within one of a plurality of runtime environments. The cloud computing environment receives the web application in a package compatible with the runtime environment (e.g., a WAR file to be launched in an application server, for example) and dynamically binds available services by appropriately inserting service provisioning data (e.g., service network address, login credentials, etc.) into the package. The cloud computing environment then packages an instance of the runtime environment, a start script and the package into a web application deployment package, which is then transmitted to an application (e.g., container virtual machine, etc.).

Abstract: A cloud computing environment provides the ability to deploy a web application that has been developed using one of a plurality of application frameworks and is configured to execute within one of a plurality of runtime environments. The cloud computing environment receives the web application in a package compatible with the runtime environment (e.g., a WAR file to be launched in an application server, for example) and dynamically binds available services by appropriately inserting service provisioning data (e.g., service network address, login credentials, etc.) into the package. The cloud computing environment then packages an instance of the runtime environment, a start script and the package into a web application deployment package, which is then transmitted to an application (e.g., container virtual machine, etc.).

Abstract: A policy engine is situated between the communications path of a cloud computing environment and a user of the cloud computing environment to comply with an organization's policies for deploying web applications in the cloud computing environment. The policy engine intercepts communications packets to the cloud computing environment from a user, such as a web application developer, for example, in preparation for deploying a web application in the cloud computing environment. The policy engine identifies commands corresponding to the communications packets and directs the communications packets to appropriate rules engines corresponding to such commands in order to execute rules to comply with an organization's policies. Upon completion of execution of the rules, the communications packets are forwarded to the cloud computing environment if they comply with the policies.

Abstract: A method for facilitating the uploading of web applications to a cloud computing environment utilizes hashes or fingerprints of each file in a web application. Prior to submitting all the files of a web application to the cloud computing environment for deployment, fingerprints of each file in the web application are transmitted to the cloud computing environment to assess whether the cloud computing environment may already possess the file as a result of receiving it from previously uploaded web applications.

Abstract: Embodiments of the present invention provide a dashboard that displays an overview of a datacenter's health which helps prioritize, monitor, and troubleshoot problems. In particular, one embodiment is a method for visualizing the health of datacenter objects which includes displaying datacenter objects on a scatterplot of a dashboard wherein one axis of the scatterplot corresponds to problem severity and another axis of the scatterplot corresponds to time.