Abstract: Some embodiments provide a method for a gateway datapath that executes on a gateway device to implement logical routers for a set of logical networks and process traffic between the logical networks and an external network. The method receives a data message at the gateway device. To process the data message, the method executes a set of processing stages that includes a processing stage for a particular logical router. As part of the processing stage for the particular logical router, the method (i) uses an access control list (ACL) table to determine whether the data message is subject to rate limiting controls defined for the particular logical router and (ii) only when the data message is subject to rate limiting controls, determines whether to allow the data message according to a rate limiting mechanism for the particular logical router.

Abstract: Example methods and systems for a computer system to perform security threat detection are described. In one example, a computer system may intercept an egress packet from a virtualized computing instance to pause forwarding of the egress packet towards a destination and obtain process information associated a process from which the egress packet originates. The computer system may initiate security analysis based on the process information. In response to determination that the process is a potential security threat based on the security analysis, the egress packet may be dropped, and a remediation action performed. Otherwise, the egress packet may be forwarded towards the destination.

Abstract: The present disclosure is related to methods, systems, and machine-readable media for deleting snapshot pages using sequence numbers and page lookups. A monotonically-increasing sequence number (SN) can be assigned to each created page of a first snapshot of a storage volume. A first snapshot sequence number (snapSN) can be assigned to the first snapshot responsive to a creation of a second snapshot, wherein the first snapSN is equal to a largest SN of the first snapshot. An SN can be assigned to each created page of the second snapshot, wherein a first page of the second snapshot is assigned an SN monotonically increased from the first snapSN. A second snapSN can be assigned to the second snapshot responsive to a creation of a third snapshot, wherein the second snapSN is equal to a largest SN of the second snapshot. An SN can be assigned to each created page of the third snapshot, wherein a first page of the third snapshot is assigned an SN monotonically increased from the second snapSN.

Abstract: A rollback can be performed after completing an upgrade to components of a virtualized computing environment. When the upgrade is performed, an upgrade bundle having rollback scripts is provided to edges, hosts, and managers in the virtualized computing environment that are to be upgraded. When a rollback is to be performed, the rollback scripts are executed, and the components are rolled back in a reverse order relative to their upgrade order. Data and configuration checking are performed to validate the results of the rollback.

Abstract: A rollback can be performed after completing an upgrade to components of a virtualized computing environment. When the upgrade is performed, an upgrade bundle having rollback scripts is provided to edges, hosts, and managers in the virtualized computing environment that are to be upgraded. When a rollback is to be performed, the rollback scripts are executed, and the components are rolled back in a reverse order relative to their upgrade order. Data and configuration checking are performed to validate the results of the rollback.

Abstract: A method for alleviating flow congestion at forwarding elements is provided. The method receives traffic related data from a plurality of forwarding elements of a network, and based on the traffic related data, determines congestion at a first forwarding element of the plurality of forwarding elements caused by at least one flow passing through the first forwarding element at a first rate. The method calculates, based on a burst size of the at least one flow, a second rate for the at least one flow such that when the at least one flow passes through the first forwarding element at the second rate the congestion at the first forwarding element is alleviated. The method rate limits the at least one flow by passing the at least one flow through a flow rate manager at the calculated second rate before transmitting the at least one flow to the first forwarding element.

Abstract: Described herein are systems and methods to manage blacklists and duplicate addresses in software defined networks (SDNs). In one implementation, a method includes, in a control plane and data plane of an SDN environment, obtaining a blacklist for a logical port in the SDN environment. The method further includes deleting realized address bindings in a realized address list for the logical port that match the one or more address bindings in the blacklist and preventing subsequent address bindings that match the one or more address bindings in the blacklist from being added to the realized address list.

Abstract: Disclosed are various approaches for remotely deploying provisioned packages. An installer for an application is stored in a cache location of the client device. A hash of the installer is then written to a registry of the client device. The installer is then executed to install the application on the client device. Then, the client device is registered with a management service. Subsequently, a registration confirmation is received from the management service. The hash of the installer is then confirmed and the installed application is identified to the management service as a managed application installed on the client device.

Abstract: Disclosed are various embodiments for automatic enrollment of Internet of Things (IoT) endpoints. An enrollment request is received from an internet of things (IoT) gateway, the enrollment request comprising an identifier for an IoT endpoint and at least one property of the IoT endpoint. In response to enrollment of the IoT endpoint, a campaign template is identified that matches the at least one property of the IoT endpoint. A campaign associated with the campaign template is then identified, the campaign comprising a collection of policies that are applicable to individual IoT endpoints assigned to the campaign. Subsequently, the IoT endpoint is assigned to the campaign.

Abstract: Disclosed are various implementations of approaches for reassigning hosts between computing clusters. A computing cluster assigned to a first queue is identified. The first queue can include a first list of identifiers of computing clusters with insufficient resources for a respective workload. A host machine assigned to a second queue can then be identified. The second queue can include a second list of identifiers of host machines in an idle state. A command can then be sent to the host machine to migrate to the computing cluster. Finally, the host machine can be removed from the second queue.

Abstract: The present disclosure provides an approach for scaling the number of VNFs in a data center without scaling the number of control sessions between VNFs and a data center gateway. The approach includes opening a session between a VNF and a route server, rather than between the VNF and the gateway, when the VNF needs to send its connectivity information to the gateway. The VNF sends its connectivity information to the route server, and the route server forwards the connectivity information to the gateway. The gateway receives connectivity information of a plurality of VNFs in the data center from the route server rather than from each of the VNFs individually. The connectivity information is then used to send packets, by the gateway to a VNF, for processing. The packets are sent using three layers of networking: an underlay physical network, an overlay logical network, and a second overlay logical network.

Abstract: Example methods and systems for virtual tunnel virtualized computing instance (VTEP) learning based on transport protocol information are described. In one example, a computer system may learn first mapping information and second mapping information. The first mapping information may associate (a) a first VTEP with (b) first transport protocol information and inner address information associated with a first virtualized computing instance. The second mapping information may associate (a) a second VTEP with (b) second transport protocol information and inner address information associated with a second virtualized computing instance. The computer system may detect an egress packet that is addressed to the inner address information. In response to determination that the egress packet specifies the first transport protocol information, a first encapsulated packet may be generated and sent towards the first VTEP. Otherwise, a second encapsulated packet may be generated and sent towards the second VTEP.

Abstract: A system and method for executing multi-stage distributed computing operations initiates an operation workflow for a multi-stage distributed computing operation in response to a request to execute the multi-stage distributed computing operation. The operation workflow includes tasks of the multi-stage distributed computing operation that are executed by a plurality of service compute nodes, which are monitored to detect any failures. When a failure of the operation workflow for the multi-stage distributed computing operation is detected, a rollback workflow for the multi-stage distributed computing operation is initiated, which includes rollback tasks that correspond to the tasks of the operation workflow to roll back executed tasks of the operation workflow. The rollback workflow is an independent workflow from the operation workflow.

Abstract: Virtual memory space may be saved in a clone environment by leveraging the similarity of the data signatures in swap files when a chain of virtual machines (VMs) includes clones spawned from a common parent and executing common applications. Deduplication is performed across the chain, rather than merely within each VM. Examples include generating a common deduplication identifier (ID) for the chain; generating a logical addressing table linked to the deduplication ID, for each of the VMs in the chain; and generating a hash table for the chain. Examples further include, based at least on a swap out request, generating a hash value for a block of memory to be written to a storage medium; and based at least on finding the hash value within the hash table, updating the logical addressing table to indicate a location of a prior-existing duplicate of the block on the storage medium.

Abstract: A method of deleting a first pointer block of a plurality of pointer blocks of a file system from a storage device used by a plurality of applications, wherein the plurality of pointer blocks are each subdivided into sub-blocks, includes the steps of: determining that a first sub-block of the first pointer block is marked as being empty of any addresses of the file system at which storage space is allocated to files of the applications, determining that a second sub-block of the first pointer block has not been marked as being empty; in response to the determining that the second sub-block has not been marked as being empty, determining that the second sub-block does not contain any addresses of the file system at which storage space is allocated to the files of the applications; and deleting the first pointer block from the storage device.

Abstract: The present disclosure relates to time aware caching. One method includes receiving an API request for data from a database, wherein the request defines a time window associated with the data, creating a first and second query based on the request, wherein the first query corresponds to a first chunk of the time window, and wherein the second query corresponds to a second chunk of the time window, hashing a first statement associated with the first query to produce a first key and hashing a second statement associated with the second query to produce a second key, retrieving a first portion of the data corresponding to the first chunk of the time window from cache responsive to a determination that the first key is in the cache, and retrieving a second portion of the data corresponding to the second chunk of the time window from the database responsive to a determination that the second key is not in the cache.

Abstract: Disclosed are various embodiments for resolving conflicts between workflows in a workflow processing system. A plurality of workflows stored in a workflow queue are evaluated to identify a common dependency of the plurality of workflows. Then, a version hierarchy is created for the common dependency of the plurality of workflows, the version hierarchy identifying multiple versions of the common dependency. In response to execution of a first one of the plurality of workflows stored in the workflow queue, the version hierarchy can be evaluated to identify the most recent version of the common dependency. Then, installation of the most recent version of the common dependency can be initiated.

Abstract: Techniques for performing predictability-driven compression of training data sets used for machine learning (ML) are provided. In one set of embodiments, a computer system can receive a training data set comprising a plurality of data instances and can train an ML model using the plurality of data instances, the training resulting in a trained version of the ML model. The computer system can further generate prediction metadata for each data instance in the plurality of data instances using the trained version of the ML model and can compute a predictability measure for each data instance based on the prediction metadata, the predictability measure indicating a training value of the data instance. The computer system can then filter one or more data instances from the plurality of data instances based on the computed predictability measures, the filtering resulting in a compressed version of the training data set.

Abstract: Systems and methods disclosed herein provide context-based application suggestions to a user in real time. A user device can identify a keyword displayed in an application, such as an email application. The user device can request a card from a connector external to the user device. The connector can identify an application that relates to the keyword and determine a current installation status for the application with respect to the user device. The connector can query a management server at which the user device is enrolled to request the installation status. If the application is not installed on the user device, the connector can instruct the user device to prompt the user to install the application. If the application is installed, the connector can instruct the user device to prompt the user to launch the installed application.

Abstract: Some embodiments provide a method for implementing a logical network across multiple datacenters. The method receives a configuration for a logical router that handles data traffic between the logical network implemented in the plurality of datacenters and networks external to the logical network. The method, for each datacenter defines (i) an active centralized routing component of the logical router in the datacenter and (ii) a standby centralized routing component of the logical router in the datacenter. The centralized routing components for a particular datacenter handle the data traffic between the logical network in the particular datacenter and the external networks. The active and standby centralized routing components are each assigned to edge computing devices in the datacenter that implement the centralized routing components.