Abstract: The technology disclosed herein enables packet handling based on user information included in packet headers. In a particular embodiment, a method provides, in a gateway to a network environment, establishing a first connection with a first connection endpoint outside of the network environment. The first connection is established based on authentication of user information received from the first connection endpoint. The method further provides adding the user information to a packet header of one or more first packets carrying a request to establish a second connection between the gateway and a second connection endpoint within the network environment. Also, the method provides transferring the one or more first packets towards the second connection endpoint.

Abstract: A method of migrating a user profile to a virtual desktop infrastructure (VDI) system includes enumerating applications installed at an endpoint of a user, retrieving a list of application settings files, determining file and registry locations of user profile data relating to the applications installed at the endpoint from the application settings files, and retrieving the user profile data from the determined file and registry locations and storing the user profile data in a shared storage. When a user logs in to a virtual desktop of the VDI system, the user profile data is retrieved from the shared storage and imported into file and registry locations specified by the application settings files of applications that are installed in the virtual desktop.

Abstract: Embodiments enable display updates other than a video stream in a graphical user interface (GUI) to be rendered, encoded, and transmitted exclusive of the video stream. A virtual machine generates a GUI that includes an encoded video stream and other display updates. A virtual graphics processing unit (VGPU) stack associated with the VM renders the other display updates of the GUI to a framebuffer. The rendered display updates are encoded and transmitted to a client for display. The encoded video stream, or a modified (e.g., reduced bit rate) version of the encoded video stream, may be transmitted to the client, such that the client can display the encoded video stream within the GUI. For example, the encoded video stream may be selectively transmitted to the client based on the performance capabilities of the client.

Abstract: Some embodiments provide a method of providing distributed storage services to a host computer from a network interface card (NIC) of the host computer. At the NIC, the method accesses a set of one or more external storages operating outside of the host computer through a shared port of the NIC that is not only used to access the set of external storages but also for forwarding packets not related to an external storage. In some embodiments, the method accesses the external storage set by using a network fabric storage driver that employs a network fabric storage protocol to access the external storage set. The method presents the external storage as a local storage of the host computer to a set of programs executing on the host computer. In some embodiments, the method presents the local storage by using a storage emulation layer on the NIC to create a local storage construct that presents the set of external storages as a local storage of the host computer.

Abstract: Described herein are systems, methods, and software to manage the selection of an edge gateway or edge for processing a packet. In one implementation, a first edge may receive a packet and hash addressing information in the packet to select a second edge to process the packet. The first edge may further forward the packet to the second edge, permitting the second edge to process the packet. Once processed, the second edge may forward the packet to a destination host computing system and notify the host computing system to use the second edge for response packets directed at a source internet protocol (IP) address in the packet.

Abstract: Described herein are systems and methods that manage configuration updates for networking manager virtual machines. In one example, a method includes identifying an update for at least one networking manager virtual machine. In response to identifying the update, the method notifies a daemon on the host with the networking manager virtual machine to establish a channel with a control plane agent to receive communications in place of the networking manager virtual machine. The method further identifies when the configuration modification is complete for the networking manager virtual machine and notifies the daemon on the host to break the channel with the control plane agent.

Abstract: Examples described herein include systems and methods for automatically configuring a VM on a server using information from a switch located remotely from the server. The switch can provide the configuration information in a Link Layer Discovery Protocol (“LLDP”) type-length-value (“TLV”) data structure. The configuration information can include various information related to configuring a VM, such as a VM identifier, an indication of a physical port of the server, a VM interface that corresponds to the identified physical port, and a virtual local area network (“VLAN”) identifier indicating that a particular VLAN corresponds to the VM, VM interface, or the physical port. The hypervisor can use this configuration information to automatically configure a newly instantiated VM, or reconfigure a VM for a new task, without manual user input.

Abstract: Execution of multiple execution streams is scheduled on at least one coprocessor. A software layer located logically between applications and the at least one coprocessor intercepts a first API call from an application and determines that a first execution stream is to be executed. Before scheduling the first execution stream, the software layer transmits a response to the application indicating that the at least one coprocessor is ready to execute another execution stream. The software layer intercepts a second API call from the application and determines that a second execution stream including one or more kernels is to be executed. The software layer determines that the one or more kernels does not have a dependency on the first execution stream. The software layer schedules the one or more kernels for execution prior to when the at least one coprocessor has completed execution of the first execution stream.

Abstract: Example methods and systems for application security enforcement are described. In one example, a computer system may detect, from a client device, a packet requiring processing by a first server pool; and determine whether the packet is associated with a security attack. In response to determination that the packet is not associated with the security attack, the packet may be steered towards the first server pool to cause processing of the packet by one of multiple first application servers. Otherwise, the packet may be steered towards a second server pool to cause processing of the packet by one of multiple second application servers and to learn attack information associated with the security attack. The multiple second application servers in the second server pool may be capable of mimicking behavior of the multiple first application servers in the first server pool.

Abstract: The present disclosure relates to using maintenance mode to upgrade a distributed system. One method includes determining that a first host of a cluster of a software-defined datacenter (SDDC) is to be upgraded as a part of a rolling upgrade of the hosts of the cluster, wherein the first host is executing a process instance of a cluster store, demoting the process instance to a proxy, creating a replica of the process instance using a different proxy on a second host of the cluster, instructing the first host to enter a maintenance mode, upgrading the first host, and instructing the first host to leave the maintenance mode.

Abstract: Example methods and systems for packet flow monitoring are described. In one example, a first computer system may detect a flow of packets along a datapath between a source and a destination and determine source attribute information associated with the source and destination attribute information associated with the destination. The first computer system may perform attribute-to-identifier mapping by (a) mapping the source attribute information to a source identifier having a reduced size compared to the source attribute information, and/or (b) mapping the destination attribute information to a destination identifier having a reduced size compared to the destination attribute information.

Abstract: Example methods and systems for decentralized network topology adaptation in a in a peer-to-peer (P2P) network are described. In one example, a first computer system may obtain first attribute information associated with the first computer system; and second attribute information associated with a second computer system. Based on the first and second attribute information, the first computer system may generate a connection confidence prediction associated with a connection between the first computer system and the second computer system. The connection confidence prediction may indicate whether the connection is a suboptimal connection associated with a suboptimal network topology. In response to determination that the connection confidence prediction satisfies a break condition, the first computer system may break the connection between the first computer system and the second computer system, but otherwise maintain the connection.

Abstract: A system and method of communicating between computing devices including pairing a first computing device with a second computing device. The first computing device and the computing second device are configured to communicate with an application workspace system. The first computing device provides token and application information to a second computing device. The second computing device is authenticated with the application workspace system using the token and launches an application corresponding to the application information.

Abstract: Software development kit (“SDK”) applications may be implemented with user data on an enterprise end-user or shared device subsequent to a single check-out process on the device. A user profile and a context ID for a user can be accessed based on user provided credentials. An agent application can set a value of an agent context ID to a server context ID corresponding to the context ID for the user profile. A status of a local context ID (“LCID”) of an SDK application can be determined in response to an application launch. Using the LCD, a context ID comparison can be performed on the device with a value of a context ID from one of the SDK application, the server, and the agent application based on the LCID status. The SDK application can be implemented with user specific user data obtained from one of the SDK application and the agent application based on a result of the context ID comparison.

Abstract: Disclosed are various implementations of approaches for continuous delivery of management configurations. In some examples, a management configuration delivery workflow is retrieved from a source environment. The management configuration is transmitted to a destination environment specified in the management configuration delivery workflow. The destination environment us updated to apply the management configuration.

Abstract: Disclosed are various embodiments for implementing a key escrow system without disclosure of a client's encryption key to third parties. An encryption key is split into a plurality of key segments pursuant to a shared secret protocol. A plurality of peer client devices are then identified. Each peer client device in the plurality of peer client devices is then verified and the respective one of the plurality of key segments are sent to a respective one of the plurality of peer client devices. A response is then received from each respective one of the plurality of peer client devices, the response confirming receipt of the respective one of the plurality of key segments. A list identifying the plurality of peer client devices is finally provided to a key escrow service, the list comprising key-value pairs that identify each respective one of the plurality of peer client devices and the respective one of the plurality of key segments.

Abstract: Examples described herein include systems and methods for managing slices in a Telco network by using a graphical user interface (“GUI”) with augmented reality (“AR”). A user device can scan a code that is related to physical hardware in a datacenter. Based on the code, the GUI can display at least one virtual component that resides on that hardware. The user can move the virtual component from one slice to another, such as by dragging it to a displayed slice region. Similarly, the user can drag the virtual component to new physical hardware. This can cause an AR engine to contact an orchestrator to route traffic to the virtual component according to the new slice identifier and new hardware. The GUI can also provide a datacenter map to related physical or virtual components, allowing the user to locate and inspect other hardware relied on by a slice.

Abstract: The disclosure provides an approach for certificate management for cryptographic agility. Embodiments include receiving, by a cryptographic agility system, a cryptographic request related to an application. Embodiments include selecting, by the cryptographic agility system, a cryptographic technique based on contextual information associated with the cryptographic request. Embodiments include determining, by the cryptographic agility system, based on the cryptographic request, a certificate for authenticating a key related to the cryptographic technique. Embodiments include providing, by the cryptographic agility system, the certificate to an endpoint related to the cryptographic request for use in authenticating the key.

Abstract: Disclosed are aspects of workload selection and placement in systems that include graphics processing units (GPUs) that are virtual GPU (vGPU) enabled. In some aspects, workloads are assigned to virtual graphics processing unit (vGPU)-enabled graphics processing units (GPUs) based on a variety of vGPU placement models. A number of vGPU placement neural networks are trained to maximize a composite efficiency metric based on workload data and GPU data for the plurality of vGPU placement models. A combined neural network selector is generated using the vGPU placement neural networks, and utilized to assign a workload to a vGPU-enabled GPU.

Abstract: Example methods are provided to use a guest monitoring mode (GMM) module in a hypervisor to monitor for attempts to maliciously modify operating system (OS) kernel objects in a virtualized computing environment. A created OS kernel object is migrated to a memory space where the GMM module can detect an attempt to modify the OS kernel object. The GMM module uses reference information to determine whether the modification is authorized by trusted OS kernel code or is being attempted by malicious code.