Abstract: An example virtualized computing system includes a host cluster having a virtualization layer directly executing on hardware platforms of hosts, the virtualization layer supporting execution of virtual machines (VMs), the VMs including pod VMs, the pod VMs including container engines supporting execution of containers in the pod VMs; an orchestration control plane integrated with the virtualization layer, the orchestration control plane including a master server and pod VM controllers, the pod VM controllers executing in the virtualization layer external to the VMs, the pod VM controllers configured as agents of the master server to manage the pod VMs; pod VM agents, executing in the pod VMs, configured as agents of the pod VM controllers to manage the containers executing in the pod VMs.

Abstract: The disclosure provides an approach for alarm state restoration. Embodiments include determining a plurality of alarm definitions applicable to an inventory of a plurality of entities in a computing environment. Embodiments include assigning each given alarm definition of the plurality of alarm definitions to a given alarm category of a plurality of alarm categories. Embodiments include restoring declared states of the plurality of alarms definition on the inventory based on the assigning, wherein the restoring comprises, for each given alarm category of the plurality of alarm categories, performing a single traversal of the inventory to identify all respective entities of the plurality of entities that correspond to one or more alarm definitions assigned to the given alarm category.

Abstract: Automated methods and systems for identifying problems associated with objects of a data center are described. Automated methods and systems are performed by an operations management server. For each object, the server determines a baseline distribution from historical events that are associated with a normal operational state of an object. The server determines a runtime distribution of runtime events that are associated with the object and detected in a runtime window of the object. The management server monitors runtime performance of the object while the object is running in the datacenter. When a performance problem is detected, the management server determines a root cause of a performance problem based on the baseline distribution and the runtime distribution and displays an alert in a graphical user interface of a display.

Abstract: Certain embodiments described herein relate to methods and systems for detecting unexpected behavior associated with a process. In certain embodiments, a method comprises receiving a memory allocation request, the request indicating one or more memory segments to be allocated in memory of a computing system. The method further comprises allocating the one or more memory segments in the memory based on the memory allocation request. The method further comprises allocating one or more decoy memory segments in the memory based on the memory allocation request. The method further comprises trapping an input/output (I/O) operation. The method further comprises detecting an unexpected behavior associated with the I/O operation based on determining that the I/O operation impacts at least one of the one or more decoy memory segments. The method further comprises performing one or more actions based on the detection.

Abstract: Plugins are authenticated for purposes of accessing and using application program interfaces (APIs) of a management service of a virtualized computing environment. In an authentication process, each plugin is associated with a session ticket that is unique to the plugin. The session ticket may be in the form of a single-use token that has a finite duration, and which may be used by the plugin to establish a session with the APIs of the management service. Because of the single-use and finite duration constraints of the token, the plugin is unable to use the token for other sessions and other plugins are also unable to use the same token to conduct their own sessions with the management service.

Abstract: Example methods and systems for logical network packet handling are described. In one example, a physical network interface controller (PNIC) may receive an egress packet associated with a packet flow via a first virtual function supported by the PNIC. The PNIC may steer the egress packet towards a processing pipeline by applying a filter associated with the first virtual function or content of the egress packet, or both. The egress packet may be processed using the processing pipeline to generate a processed packet by (a) retrieving a logical network policy associated with the packet flow from a datastore on the PNIC and (b) performing one or more actions according to the logical network policy. The processed packet may be forwarded towards the destination via a second virtual function supported by the PNIC or a physical network connected to the PNIC.

Abstract: Some embodiments provide a hierarchical data service (HDS) that manages many resource clusters that are in a resource cluster hierarchy. In some embodiments, each resource cluster has its own cluster manager, and the cluster managers are in a cluster manager hierarchy that mimics the hierarchy of the resource clusters. In some embodiments, both the resource cluster hierarchy and the cluster manager hierarchy are tree structures, e.g., a directed acyclic graph (DAG) structure that has one root node with multiple other nodes in a hierarchy, with each other node having only one parent node and one or more possible child nodes.

Abstract: Some embodiments provide a method of performing load balancing for a group of machines that are distributed across several physical sites. The method of some embodiments iteratively computes (1) first and second sets of load values respectively for first and second sets of machines that are respectively located at first and second physical sites, and (2) uses the computed first and second sets of load values to distribute received data messages that the group of machines needs to process, among the machines in the first and second physical sites. The iterative computations entail repeated calculations of first and second sets of weight values that are respectively used to combine first and second load metric values for the first and second sets of machines to repeatedly produce the first and second sets of load values for the first and second sets of machines.

Abstract: Container images are fetched in a clustered container host system with a shared storage device. Fetching a first container image in a first virtual machine includes creating a first virtual disk in the shared storage device, storing an image of the first container in the first virtual disk, mounting the first virtual disk to the first virtual machine, and updating a metadata cache to associate the image of the first container to the first virtual disk. Fetching a second container image in a second virtual machine includes checking the metadata cache to determine that a portion of the image of the second container is stored in the first virtual disk, creating a second virtual disk in the shared storage device, adding a reference to the first virtual disk in a metadata of the second virtual disk, and mounting the second virtual disk to the second virtual machine.

Abstract: A method and system for performing a flexible Byzantine fault tolerant (BFT) protocol. The method includes sending, from a client device, a proposed value to a plurality of replica devices and receiving, from at least one of the plurality of replica devices, a safe vote on the proposed value. The replica device sends the safe vote, based on a first quorum being reached, to the client device and each of the other replica devices of the plurality of replica devices. The method further includes determining that a number of received safe votes for the proposed value meets or exceeds a second quorum threshold, selecting the proposed value based on the determination, and setting a period of time within which to receive additional votes. The method further includes, based on the period of time elapsing without receiving the additional votes, committing the selected value for the single view.

Abstract: Described herein are embodiments for transferring knowledge of intrusion signatures derived from a number of software-defined data centers (SDDCs), each of which has an intrusion detection system (IDS) with a convolutional neural network (CNN) to a centralized neural network. The centralized neural network is implemented as a generative adversarial neural network (GANN) having a multi-feed discriminator and a generator, which is trained from the discriminator. Knowledge in the GANN is then transferred back to the CNNs in each of the SDDCs. In this manner, each CNN obtains the learning of the CNNs in nearby IDSs of a region so that a distributed attack on each of the CNNs, such as a denial of service attack, can be defended by each of the CNNs.

Abstract: When a user attempts to access a first application installed on a user device, it can send an authentication request to an authentication server. The authentication server can assign a unique request token to the request and load a script to a component of the operating system executing on the user device that displays content within the first application. The script can cause a portal application to launch on the user device. The portal application can send a request to the authentication server on behalf of the user, including the unique request token and an access token stored by, or accessible to, the portal application. The authentication server can receive the request from the portal application and validate the request based on the unique request token and the access token. Upon validating the request, the authentication server can authenticate the user at the first application.

Abstract: The present disclosure is directed to a leader-based partially synchronous BFT SMR protocol that improves upon existing protocols by exhibiting two rounds of communication latency, linear authenticator complexity, and optimistic responsiveness. This is achieved through the novel use of an aggregate signature scheme as part of the protocol's view-change procedure.

Abstract: Methods, apparatus, systems, and articles of manufacture to manage resources when performing an account health check are disclosed. An example apparatus includes memory; computer readable instructions; and processor circuitry to execute the computer readable instructions to: perform health checks on a cloud account at a first polling frequency; after a failure count at the first polling frequency meets a first threshold, perform the health checks on the cloud account at a second polling frequency lower than the first polling frequency; and after the failure count at the second polling frequency meets a second threshold, suspend the cloud account.

Abstract: Techniques are described for storing a virtual disk in an object store comprising a plurality of physical storage devices housed in a plurality of host computers. A profile is received for creation of the virtual disk wherein the profile specifies storage properties desired for an intended use of the virtual disk. A virtual disk blueprint is generated based on the profile such that that the virtual disk blueprint describes a storage organization for the virtual disk that addresses redundancy or performance requirements corresponding to the profile. A set of the physical storage devices that can store components of the virtual disk in a manner that satisfies the storage organization is then determined.

Abstract: A method for direct communication between a source endpoint executing in a first datacenter and a destination endpoint executing in a second datacenter. The method receives, at a gateway of the second datacenter, a packet sent by the source endpoint, the packet having a header that includes a source IP address corresponding to a public IP address of the first datacenter, a destination IP address corresponding to a public IP address of the second datacenter, and source and destination port numbers. The method performs a DNAT process on the packet to replace at least the destination IP address in the header with a private IP address of the destination endpoint. The DNAT process identifies the private IP address by mapping the source and destination port numbers to the private IP address of the destination endpoint. The method then transmits the packet to the destination endpoint in the second datacenter.

Abstract: Disclosed herein are embodiments for managing the placement of virtual machines in a virtual machine network. In an embodiment, a method involves determining whether to separate at least one virtual machine in a set of virtual machines supporting a process and running on a first host computer from other virtual machines in the set. If at least one virtual machine is to be separated, then at least one virtual machine is selected based on a number of memory pages changed. The selected virtual machine is then separated from the other virtual machines in the set.

Abstract: Example methods and systems for flow-based secure packet forwarding are described. In one example, a first computer system may assess validity of a security token associated with a flow of one or more packets. In response to determination that the security token is valid, a security association associated with the flow and the security token may be negotiated with a second computer system. The first computer system may process a packet associated with the flow and the security token to generate an encapsulated encrypted packet by performing encryption and encapsulation based on the security association. The encapsulated encrypted packet may be forwarded towards the second computer system to cause the second computer system to perform decapsulation and decryption, and to forward a decapsulated and decrypted packet towards the destination.

Abstract: Some embodiments provide policy-driven methods for deploying edge forwarding elements in a public or private SDDC for tenants or applications. For instance, the method of some embodiments allows administrators to create different traffic groups for different applications and/or tenants, deploys edge forwarding elements for the different traffic groups, and configures forwarding elements in the SDDC to direct data message flows of the applications and/or tenants through the edge forwarding elements deployed for them. The policy-driven method of some embodiments also dynamically deploys edge forwarding elements in the SDDC for applications and/or tenants after detecting the need for the edge forwarding elements based on monitored traffic flow conditions.

Abstract: Some embodiments of the invention provide a method for connecting deployed machines in a set of one or more software-defined datacenters (SDDCs) to a virtual private cloud (VPC) in an availability zone (AZ). The method deploys network plugin agents (e.g. listening agents) on multiple host computers and configures the network plugin agents to receive notifications of events related to the deployment of network elements from a set of compute deployment agents executing on the particular deployed network plugin agent's host computer. The method, in some embodiments, is performed by a network manager that receives notifications from the deployed network plugin agents regarding events relating to the deployed machines and, in response to the received notifications, configures network elements to connect one or more sets of the deployed machines.