Abstract: Disclosed are various examples for dynamically generating restriction profiles for updated software platforms. A management system can determine that updated restrictions and/or settings are included in an updated or new version of a definition file. The updated settings identified and categorized according to risk for a given enterprise group without administrator input. An updated restriction profile can be generated according to the updated settings and distributed to managed devices.

Abstract: A combined data processing unit (DPU) and server solution with DPU operating system (OS) integration is described. A DPU OS is executed on a DPU or other computing device, where the DPU OS exercises secure calls provided by a DPU's trusted firmware component, that may be invoked by DPU OS components to abstract DPU vendor-specific and server vendor-specific integration details. An invocation of one of the secure calls made on the DPU to communicate with its associated server computing device is identified. In an instance in which the one of the secure calls is invoked, the secure call invoked is translated into a call or request specific to an architecture of the server computing device and the call is performed, which may include sending a signal to the server computing device in a format interpretable by the server computing device.

Abstract: Example methods and systems for correlation-based security threat analysis are described. In one example, a computer system may obtain event information that is generated by monitoring a virtualized computing instance supported by a host; and network alert information that is generated by monitoring network traffic associated with the virtualized computing instance. The network alert information may specify security threat signature(s) detected based on the network traffic. The computer system may map the network alert information to threat information that specifies indicator(s) of compromise associated with the signature(s) and perform a correlation analysis based on the event information, network alert information and threat information. Based on the correlation analysis, it is determined whether there is a potential security threat associated with the virtualized computing instance.

Abstract: Techniques for efficiently exporting snapshot changes are provided. In some embodiments, a system may receive a first snapshot of a data set in a storage system and a second snapshot the data set in the storage system. The system may further generate actions based on differences between the first snapshot and the second snapshot to produce a list of actions, wherein a modification to a file or directory path having a first directory location includes a first action to rename a file from the first directory location to a temporary storage location and a second action to rename the file from the temporary storage location to a second directory location; and provide the generated actions to a backup system. The backup system may apply the generated actions to a first backup associated with the first snapshot to produce a second backup associated with the second snapshot.

Abstract: A method of generating relevant security rules for a user includes the steps of: building a first tree data structure from paths within a pool of security rules; collecting process paths for the user; and compiling the relevant security rules for the user by traversing the first tree data structure according to the process paths of the user.

Abstract: Methods and systems are described for a distributed auto discovery service for device enrollment. In an example, a user device enrolling in a Unified Endpoint Management (“UEM”) system can receive an email address. The enrolling user device can identify, on a local network that the enrolling user device is connected to, other user devices that are already enrolled with the UEM system. The unenrolled user device can send a discovery request to the enrolled user devices that includes the domain of the email address. One or more of the enrolled user devices can respond with a tenant identifier associated with the domain and a Uniform Resource Locator for a server that the unenrolled user device can contact to complete enrollment. The unenrolled user device can contact the server and complete enrollment using the email address and tenant identifier.

Abstract: A system and method for generating accessible user experience (UX) design guidance materials for software products uses page elements that are optically extracted from an input UX prototype page image and automatically classified into predefined element types to find accessibility rules for at least some of the extracted page elements. At least one accessible UX design guidance material is generated for the input UX prototype page image that indicates the extracted page elements and the accessibility rules corresponding to at least some of the extracted page elements.

Abstract: Redo logs are used to facilitate efficient cloning of virtual machines. When a virtual machine with a virtual hard disk is to be cloned, two redo logs are created, both of which are linked to the virtual hard disk. The virtual machine being cloned is then linked to one redo log, and a newly created virtual machine is linked to the other. Each time an additional virtual machine is created, two new redo logs are created and linked to the end of the disk chain. The parent and newly created virtual machine are each linked to one of the new redo logs.

Abstract: In a computer-implemented method for allocating a host of a pre-configured hyper-converged computing device to a workload domain, a pre-configured hyper-converged computing device including a plurality of hosts is managed, wherein the plurality of hosts is allocable to workload domains. A pool of unallocated hosts of the plurality of hosts is managed within the pre-configured hyper-converged computing device, wherein hosts of the pool of unallocated hosts have associated hypervisor versions. An allocation request to allocate at least one host of the pool of unallocated hosts to a workload domain is received, the allocation request including a requested hypervisor version of at least one host upon allocation. The at least one host is updated to the requested hypervisor version of the allocation request while the at least one host is in the pool of unallocated hosts.

Abstract: Some embodiments of the invention provide a method for providing a visualization of a topology for a logical network implemented in a physical network. The method identifies a set of logical elements of the logical network. For each logical element, the method identifies a set of one or more physical elements in the physical network that implements the logical element. Multiple physical elements are identified for at least one of the logical elements. Through a user interface (UI) the method displays a visualization that includes (1) the set of logical elements, (2) connections between the logical elements, (3) the sets of physical elements that implement each logical element in the set of logical elements, and (4) correlations between each logical element and the set of physical elements that implements the logical element. Each logical element and each physical element is represented by a node in the visualization.

Abstract: Some embodiments provide a novel method for resiliently associating Internet Protocol (IP) addresses with pods that each have unique identifiers (IDs) in a managed cluster of worker nodes managed by a first set of one or more controllers of the managed cluster. The resilient association between IP addresses and pods is maintained even when pods are moved between worker nodes. At a second set of controllers, the method receives notification regarding deployment, on a first worker node, of a stateful pod associated with a particular ID. The method allocates an IP address to the stateful pod. The method creates a mapping between the IP address and the particular ID in order to maintain the allocation of the IP address to the stateful pod. The method provides the IP address to the first set of controllers to use for the stateful pod.

Abstract: System and method for managing distributed storage objects for host unavailability in a distributed storage system uses at least one of a crash indicator in a specific on-disk block and a paused object indicator for a distributed storage object to determine whether to perform data recovery for the distributed storage object. When the crash indicator is set or the paused object indicator implies that the distributed storage object is a paused object, the distributed storage object is left as a paused object without perform the data recovery for the distributed storage object. When the crash indicator is unset and the paused object indicator implies that the distributed storage object is not a paused object, the data recovery for the distributed storage object is performed.

Abstract: Some embodiments provide a method for selecting a transmit queue of a network interface card (NIC) of a host computer for an outbound data message. The NIC includes multiple transmit queues and multiple receive queues. Each of the transmit queues is individually associated with a different receive queue, and the MC performs a load balancing operation to distribute inbound data messages among multiple receive queues. The method extracts a set of header values from a header of the outbound data message. The method uses the extracted set of header values to identify a receive queue which the MC would select for a corresponding inbound data message upon which the NIC performed the load balancing operation. The method selects a transmit queue associated with the identified receive queue to process the outbound data message.

Abstract: The current document is directed to graph databases and, in particular, to improvements in the operational efficiencies of, and the range of functionalities provided by, graph databases. One currently disclosed improvement provides for associating user-defined and developer-defined functions with node and relationship entities stored within the graph database. These entity-associated functions are executed in entity-associated execution environments provided to the entities during query execution. Another currently disclosed improvement provides text-replacement-based preprocessing of graph-database queries for increased clarity and for increasing the speed and accuracy with which the queries can be formulated.

Abstract: Example methods and systems for state consistency monitoring in a network environment are described. In one example, a computer system may identify association chain(s) that associate (a) first state information associated with one or more first network entities residing on a first plane with (b) second state information associated with one or more second network entities residing on a second plane. Based on the association chain(s), a consistency check may be performed to compare multiple first fields of the first state information with multiple second fields of the second state information. In response to determination that there is a state inconsistency based on the consistency check, a remediation action to address the state inconsistency by generating and sending at least one of the following: a notification to a user, and a remediation request to a particular first network entity residing on the first plane or a particular second network entity residing on the second plane.

Abstract: Some embodiments provide a method of load balancing data message flows across multiple secure connections. The method receives a data message having source and destination addresses formatted according to a first protocol. Based on the source and destination addresses, the method selects one of the multiple secure connections for the data message. Each of the secure connections handles a first set of connections formatted according to the first protocol and a second set of connections formatted according to a second protocol that is an alternative to the first protocol. The method securely encapsulates the data message and forwards the encapsulated data message onto a network. The encapsulation includes an identifier for the selected secure connection.

Abstract: Techniques for efficiently managing a file clone from a filesystem which supports efficient volume snapshots are provided. In some embodiments, a system may receive an instruction to remove the file clone from the filesystem. The file clone may be a point-in-time copy of metadata of an original file. The system may further—for a file map entry in a filesystem tree associated with the file clone, the file map entry indicating a data block—decrement a reference count in a reference count entry associated with the file map entry. The reference count entry may be stored in the filesystem tree according to a key and the key may comprise an identification of the original file. The system may further reclaim the data block in a storage system when the reference count is zero.

Abstract: An example method of provisioning a network service in a cloud computing system includes: defining, at an orchestrator, the network service to include a plurality of network functions; defining, at the orchestrator, network connectivity among the plurality of network functions; identifying a plurality of vendor device managers (VDMs) configured to provision virtual network functions that implement the plurality of network functions; and instructing, by the orchestrator, the VDMs to deploy the virtual network functions having the defined network connectivity.

Abstract: The disclosure provides an approach for content based read cache (CBRC) digest file creation. Embodiments include determining a mapping between entries in a CBRC and physical block addresses (PBAs) associated with a source virtual machine (VM). Embodiments include creating a clone VM based on the source VM. Embodiments include, for each data block associated with the clone VM: determining a PBA associated with a logical block address (LBA) of the data block, determining, based on the mapping, whether data associated with the PBA is cached in the CBRC, and, if the data associated with the PBA is cached in the CBRC, copying a hash of the data from a first digest file of the source VM to a second digest file of the clone VM and associating the hash with the LBA in the second digest file.

Abstract: The disclosure provides an approach for fault tolerance handling. Embodiments include determining, by a management component, that a host stores data relating to a service. Embodiments include receiving, by the management component, fault tolerance information from the service, the fault tolerance information comprising first information about host failures tolerated by the service and second information about existing host failures related to the service. Embodiments include determining, by the management component, based on the fault tolerance information from the service, whether the service will tolerate the host becoming unavailable. Embodiments include performing, by the management component, one or more actions based on the determining of whether the service will tolerate the host becoming unavailable.