Abstract: Some embodiments provide a novel method for enforcing service policies at different container clusters configured by several SDN controller clusters. A first SDN controller cluster defines a particular service policy to be enforced for machines in first, second, and third container clusters. First, second, and third sets of network elements for the first, second, and third container clusters are managed by the first, a second, and a third SDN controller cluster respectively. For data message flows exchanged between machines in the first and second container clusters, the first SDN controller cluster distributes the particular service policy to service nodes only in the first container cluster. For data message flows exchanged between machines in the second and third container clusters, the first SDN controller cluster distributes the particular service policy to service nodes in at least one of the second and third container clusters.

Abstract: A system and method for recommending demand-supply agent pairs for transactions uses a deep neural network on data of demand agents to produce a demand agent vector, which is used to select supply agents based on their likelihood of future transaction and to find k nearest neighbor demand agents for each of the demand agents. The candidate supply agents and the k nearest neighbor demand agents are then combined to produce candidate demand-supply agent pairs, which are used to find recommended demand-supply agent pairs by applying modeling using machine learning.

Abstract: Disclosed are various examples for audio data leak prevention using user and device contexts. In some examples, a voice assistant device can be connected to a remote service that provides enterprise data to be audibly emitted by the voice assistant device. In response to a request for the enterprise data being received from the voice assistant device, an audio signal can be generated that audibly broadcasts the enterprise data. The audio signal can be generated to audibly redact at least a portion of the enterprise data based at least in part on a mode of operation of the voice assistant device. The voice assistant device can be directed to emit the enterprise data through a playback of the audio signal.

Abstract: Metrics corresponding to services provided by a cloud service provider can be received via a first API responsive to queries specifying identifiers of the services. A configuration file can be maintained that includes mappings between the identifiers of the services and the metrics corresponding to the services. An identifier of a new service provided by the cloud service provider can be received via a second API. A mapping between the identifier of the new service and a metric corresponding to the new service can be received by the configuration file. The metric corresponding to the new service can be received via the first API responsive to a query specifying the identifier of the new service.

Abstract: Some embodiments provide a method for a compute manager that manages (i) virtual machines executing on host computers and (ii) physical computers. The method uses a first set of application programming interfaces (APIs) to communicate with a virtual machine (VM) executing on a host first computer via a hypervisor executing on the host first computer. The method uses the first set of APIs to communicate with a second computer via a smart network interface controller (NIC) of the second computer, wherein the smart NIC translates the first set of APIs into a different, second set of APIs for the second computer so that the compute manager manages the VM and the second computer with the same first set of APIs.

Abstract: Methods and apparatus to manage a dynamic deployment environment including one or more virtual machines is provided herein. A disclosed example includes involves: scanning, by executing a computer readable instruction with a processor, the virtual machines in the deployment environment to identify a service installed on any of the virtual machines; determining, by executing a computer readable instruction with the processor, the identified service corresponds to a service monitoring rule; determining, by executing a computer readable instruction with the processor, that a monitoring agent identified by the service monitoring rule is installed on the one or more virtual machines on which the service is installed; and configuring the monitoring agent, by executing a computer readable instruction with the processor, to monitor the service in accordance with the service monitoring rule on the at least one of the virtual machines on which the service is installed.

Abstract: A system and method for using private native security groups and private native firewall policy rules for a private cloud computing environment and a public cloud computing environment uses a public cloud gateway for routing data traffic between at least a cloud network created in the public cloud computing environment and the private cloud computing environment. For each of some private native firewall policy rules that has any of newly created private native security groups as one of source and destination, a cloud native security group (CNSG) rule object with an CNSG outbound rule object and an CNSG inbound rule object for the public cloud is created and at least one of the CNSG outbound rule object and the CNSG inbound rule object is updated so that the private native firewall policy rule can be used in the cloud network.

Abstract: To provide a low latency near RT RIC, some embodiments separate the RIC's functions into several different components that operate on different machines (e.g., execute on VMs or Pods) operating on the same host computer or different host computers. Some embodiments also provide high speed interfaces between these machines. Some or all of these interfaces operate in non-blocking, lockless manner in order to ensure that critical near RT RIC operations (e.g., datapath processes) are not delayed due to multiple requests causing one or more components to stall. In addition, each of these RIC components also has an internal architecture that is designed to operate in a non-blocking manner so that no one process of a component can block the operation of another process of the component. All of these low latency features allow the near RT RIC to serve as a high speed IO between the E2 nodes and the xApps.

Abstract: Embodiments enable display updates other than a video stream in a graphical user interface (GUI) to be rendered, encoded, and transmitted exclusive of the video stream. A virtual machine generates a GUI that includes an encoded video stream and other display updates. A virtual graphics processing unit (VGPU) stack associated with the VM renders the other display updates of the GUI to a framebuffer. The rendered display updates are encoded and transmitted to a client for display. The encoded video stream, or a modified (e.g., reduced bit rate) version of the encoded video stream, may be transmitted to the client, such that the client can display the encoded video stream within the GUI. For example, the encoded video stream may be selectively transmitted to the client based on the performance capabilities of the client.

Abstract: Execution of multiple execution streams is scheduled on at least one coprocessor. A software layer located logically between applications and the at least one coprocessor intercepts a first API call from an application and determines that a first execution stream is to be executed. Before scheduling the first execution stream, the software layer transmits a response to the application indicating that the at least one coprocessor is ready to execute another execution stream. The software layer intercepts a second API call from the application and determines that a second execution stream including one or more kernels is to be executed. The software layer determines that the one or more kernels does not have a dependency on the first execution stream. The software layer schedules the one or more kernels for execution prior to when the at least one coprocessor has completed execution of the first execution stream.

Abstract: Described herein are systems and methods that manage configuration updates for networking manager virtual machines. In one example, a method includes identifying an update for at least one networking manager virtual machine. In response to identifying the update, the method notifies a daemon on the host with the networking manager virtual machine to establish a channel with a control plane agent to receive communications in place of the networking manager virtual machine. The method further identifies when the configuration modification is complete for the networking manager virtual machine and notifies the daemon on the host to break the channel with the control plane agent.

Abstract: Described herein are systems, methods, and software to manage the selection of an edge gateway or edge for processing a packet. In one implementation, a first edge may receive a packet and hash addressing information in the packet to select a second edge to process the packet. The first edge may further forward the packet to the second edge, permitting the second edge to process the packet. Once processed, the second edge may forward the packet to a destination host computing system and notify the host computing system to use the second edge for response packets directed at a source internet protocol (IP) address in the packet.

Abstract: An example virtualized computing system includes: a host cluster having hosts and a virtualization layer executing on hardware platforms of the hosts, the virtualization layer supporting execution of virtual machines (VMs); an orchestration control plane integrated with the virtualization layer, the orchestration control plane including a master server executing in a first VM of the VMs; guest cluster infrastructure software (GCIS) executing in the master server, the GCIS configured to create a set of objects defining a container orchestration cluster, and manage lifecycles of second VMs of the VMs based on state of the set of objects; and guest software executing in the second VMs to implement the container orchestration cluster as a guest cluster of the host cluster, the guest software having components that interface with the GCIS.

Abstract: The present disclosure is related to methods, systems, and machine-readable media for cloneless snapshot reversion. A request can be received to revert to a past snapshot of a virtual computing instance in a snapshot chain of a snapshot tree provided by a software defined data center. A live snapshot can be created at an end of the snapshot chain comprising the past snapshot. An intervening snapshot in the snapshot chain can be indicated as abandoned in a snapshot map associated with the snapshot tree based on the reversion.

Abstract: Example methods and systems for application security enforcement are described. In one example, a computer system may detect, from a client device, a packet requiring processing by a first server pool; and determine whether the packet is associated with a security attack. In response to determination that the packet is not associated with the security attack, the packet may be steered towards the first server pool to cause processing of the packet by one of multiple first application servers. Otherwise, the packet may be steered towards a second server pool to cause processing of the packet by one of multiple second application servers and to learn attack information associated with the security attack. The multiple second application servers in the second server pool may be capable of mimicking behavior of the multiple first application servers in the first server pool.

Abstract: The present disclosure relates to using maintenance mode to upgrade a distributed system. One method includes determining that a first host of a cluster of a software-defined datacenter (SDDC) is to be upgraded as a part of a rolling upgrade of the hosts of the cluster, wherein the first host is executing a process instance of a cluster store, demoting the process instance to a proxy, creating a replica of the process instance using a different proxy on a second host of the cluster, instructing the first host to enter a maintenance mode, upgrading the first host, and instructing the first host to leave the maintenance mode.

Abstract: In an embodiment, a distributed firewall that learns from traffic patterns to prevent attacks is configured to receive traffic comprising one or more uniform resource identifiers (URIs), where a URI of the one or more URIs includes one or more parameters and one or more corresponding values. The firewall is configured to classify the corresponding value(s) using a pre-configured classifier and obtain a statistical rule that specifies an allowable type and an allowable length for traffic containing the one or more parameters, where the statistical rule is generated based on the classification. The firewall is configured to apply the statistical rule to incoming traffic to allow or drop requests comprising the parameter(s).

Abstract: In some embodiments, a method stores a plurality of requests for routes in a queue based on respective priorities for the routes. The plurality of requests are for programming destinations and next hops for the destinations in a route table that is used by a device in a network to route packets. The method selects a request for a route from the queue based on a respective priority for the queue. Then, the request for the route is sent to an entity to program the route in the route table.

Abstract: Example methods are provided to use a guest monitoring mode (GMM) module in a hypervisor to authenticate hypercalls sent by a guest agent to the GMM module. The GMM module uses reference information, including thread information associated with a thread, to determine whether a hypercall associated with the thread was issued by the trusted guest agent or by potentially malicious code.

Abstract: The present disclosure is related to methods, systems, and machine-readable media for managing extent sharing between snapshots using mapping addresses. A first mapping address can be assigned to a first extent responsive to a request to write the first extent. A second mapping address can be assigned to a second extent responsive to a request to write the second extent. A snapshot can be created. A snapshot mapping address, that is monotonically increased from the second mapping address, can be assigned to the snapshot. A third mapping address, that is monotonically increased from the second mapping address, can be assigned to a third extent of the snapshot responsive to a request to write the third extent.