Abstract: Examples are disclosed for upgrading services of a software-based service according to a predefined sequence to account for dependencies between services. An upgrade package that includes a manifest defining an order for upgrading services of the software-based system is retrieved. Each service is upgraded according to the sequence and a status log is modified following each upgrade to include a unified status summary associated with all services being upgraded.

Abstract: The current document is directed to improved distributed service-oriented applications developed according to a new and improved architecture for developing distributed service-oriented applications. The new and improved architecture includes a stateless-communications-protocol interface to external users and clients, services implemented by actors that communicate using message passing, and a distributed data grid for persistent storage of data. Distributed service-oriented applications developed according to the new and improved architecture are referred to as “RAD-squared applications” (“RAD{circumflex over (?)}2 applications”). The acronym “RAD{circumflex over (?)}2” stands for “Rapid Application Development with REST-actor-data-grid” and the acronym “REST” stands for the Representational State Transfer (“REST”) protocol. Alternative stateless communications protocols can be used as alternatives to REST in RAD{circumflex over (?)}2 applications.

Abstract: The disclosure provides an approach for certificate management for cryptographic agility. Embodiments include receiving, by a cryptographic agility system, a cryptographic request related to an application. Embodiments include selecting, by the cryptographic agility system, a cryptographic technique based on contextual information associated with the cryptographic request. Embodiments include determining, by the cryptographic agility system, based on the cryptographic request, a certificate for authenticating a key related to the cryptographic technique. Embodiments include providing, by the cryptographic agility system, the certificate to an endpoint related to the cryptographic request for use in authenticating the key.

Abstract: System and method for managing different classes of storage input/output (I/O) requests for a two-phase commit operation in a distributed storage system assigns reserved log sequence values to each of storage I/O requests of a first class, which are added to a two-phase commit queue. The reserved log sequence values of the storage I/O requests of the first class in the two-phase commit queue are assigned to some of the storage I/O requests of the second class, which are added to the two-phase commit queue.

Abstract: Some embodiments of the invention provide a method of sending data messages from an edge router at a first location of an enterprise network to a SaaS (software as a service) application server provided by a third-party at a second location. The method receives, from a DNS (domain name system) first server, a resolution for a particular destination network address for the SaaS application server at the second location. From a second server, the method obtains an identifier for a first cloud gateway from multiple cloud gateways at multiple locations through which the particular destination address for the SaaS application server can be reached, the first cloud gateway farther from the first location than a second cloud gateway in the multiple cloud gateways but closer to the second location than the second cloud gateway. The method uses an optimized SD-WAN connection to the first cloud gateway to forward data messages for the first cloud gateway to the SaaS application at the second location.

Abstract: A method of connecting a software-defined data center (SDDC) to a cloud platform to enable the cloud platform to deliver cloud services to the SDDC includes the steps of: deploying an agent platform appliance that is connected to a management network of the SDDC; and deploying a plurality of agents on the agent platform appliance, wherein the agents include a first agent that is configured to issue a command to a component of the SDDC to perform an operation requested by a cloud service of the cloud platform and a second agent that is configured to acquire an authentication token for authenticating to the component of the SDDC, and wherein the second agent acquires the authentication token from the component of the SDDC, and the first agent acquires the authentication token from the second agent and transmits the command and the authentication token to the component of the SDDC.

Abstract: A computer-implemented method, medium, and system for multi-network/domain service discovery in a container orchestration platform are disclosed. In one computer-implemented method, a pool of servers with a plurality of network interface controllers (NICs) is created in a load balancer and by an operator in a worker node of a container orchestration platform, where each of the plurality of NICs is defined by a corresponding network attachment definition (NAD) object of a plurality of NAD objects. A virtual service object is generated using an annotation corresponding to the plurality of NAD objects. The virtual service object is associated to the pool of servers with the plurality of NICs. An internet protocol (IP) address of the virtual service object is transmitted to the container orchestration platform to update a status of a service object in the container orchestration platform using the IP address.

Abstract: Described herein are systems, methods, and software to manage the encapsulation of layer two communications across computing sites. In one example, a gateway at a first computing site may receive an encapsulated packet from a second gateway at a second computing site. After receiving the encapsulated packet, the gateway decapsulates the encapsulated packet and determines that the decapsulated packet satisfies MSS criteria. The gateway further, in response to determining that the decapsulated packet satisfies the MSS criteria, modifies an MSS option associated with the decapsulated packet to a maximum value and forwards the decapsulated packet to a destination virtual node in the first computing site.

Abstract: Some embodiments provide a method of implementing capacity-aware load balancing across a set of data compute nodes (DCNs) by reducing latency for the set of DCNs. From the set of DCNs, the method identifies (1) a first subset of DCNs including DCNs that have a latency that is higher than an average latency computed for the set of DCNs and (2) a second subset of DCNs including DCNs that have a latency that is lower than the average latency computed for the set of DCNs. For each DCN in the first subset of DCNs, the method assigns to the DCN a weight value that corresponds to a target latency computed for the set of DCNs. Based on the assigned weight values for the first subset of DCNs, the method computes an excess weight value to be redistributed across the second subset of DCNs. The method redistributes the computed excess weight value across the second subset of DCNs.

Abstract: An example method of upgrading a host in a cluster under management of a lifecycle manager in a virtualized computing system includes: receiving, from the lifecycle manager at a host in the cluster being upgraded, a desired software specification for a hypervisor of the host; determining, by the host, a list of required software installation bundles (SIBs) to satisfy the desired software specification; identifying a neighboring host in the cluster for the host; downloading, from the neighboring host to the host, at least a portion of the required SIBs; and executing an upgrade of the hypervisor in the host using the required SIBs.

Abstract: Some embodiments provide a method for a forwarding element that receives a packet. The method determines whether the packet matches any flow entries in a first cache that uses a first type of algorithm to identify matching flow entries for packets. When the packet does not match any flow entries in the first cache, the method determines whether the packet matches any flow entries in a second cache that uses a second, different type of algorithm to identify matching flow entries for packets. The method executes a set of actions specified by a flow entry matched by the packet in one of the first and second caches.

Abstract: A method for offloading multicast replication from multiple tiers of edge nodes implemented by multiple host machines to a physical switch is provided. Each of the multiple host machines implements a provider edge node and a tenant edge node. One host machine among the multiple host machines receives a packet having an overlay multicast group identifier. The host machine maps the overlay multicast group identifier to an underlay multicast group identifier. The host machine encapsulates the packet with an encapsulation header that includes the underlay multicast group identifier to create an encapsulated packet. The host machine forwards the encapsulated packet to a physical switch of the network segment. The physical switch forwards copies of the encapsulated packet to tenant edge nodes at one or more ports that are determined to be interested in the underlay multicast group identifier.

Abstract: An example method of distributed load balancing in a virtualized computing system includes: configuring, at a logical load balancer, a traffic detector to detect traffic to a virtual internet protocol address (VIP) of an application having a plurality of instances; detecting, at the traffic detector, a first request to the VIP from a client executing in a virtual machine (VM) supported by a hypervisor executing on a first host; sending, by a configuration distributor of the logical load balancer in response to the detecting, a load balancer configuration to a configuration receiver of a local load balancer executing in the hypervisor for configuring the local load balancer to perform load balancing for the VIP at the hypervisor using the load balancer configuration.

Abstract: A search engine queries a network model for behavior of the entire network, such as data flow, based on combinations of multiple network elements. The search engine provides the state information and/or predicted behavior of the network by searching network objects in a graph-based model or a network state database that satisfy constraints given in a search query. The search engine provides the state information and/or predicted behavior based on regular-expression or plain language search expressions that do not provide packet header information. The search engine parses such search expression into a sequence of atoms that encode forwarding paths of interest to the user. A flow path through the modeled network can be generated dynamically, within the context of the search queries.

Abstract: Access control management to shared resources in a common resource directory between different users of cloud data centers can be implemented as computer-readable methods, media and systems. A resource managing service receives a request to access resources of a resource directory managed by the resource managing service. The request includes a token for identity authentication. The resource managing service determined a container membership associated with the token, where the container membership is associated with a container from a set of containers for the resource directory. The container includes one or more resources in a tree data structure of the resource directory. The resource managing service filters access rights defined in authorization primitives associated with the container membership based on container policy rules for the set of containers in the resource directory. The resource managing service provides access to a set of resources from the resource directory.

Abstract: While an application or a virtual machine (VM) is running, a device tracks accesses to cache lines to detect access patterns that indicate security attacks, such as cache-based side channel attacks or row hammer attacks. To enable the device to detect accesses to cache lines, the device is connected to processors via a coherence interconnect, and the application/VM data is stored in a local memory of the device. The device collects the cache lines of the application/VM data that are accessed while the application/VM is running into a buffer and the buffer is analyzed for access patterns that indicate security attacks.

Abstract: The disclosure herein describes deploying a Virtual Secure Enclave (VSE) using a universal enclave binary and a Trusted Runtime (TR). A universal enclave binary is generated that includes a set of binaries of Instruction Set Architectures (ISAs) associated with Trusted Execution Environment (TEE) hardware backends. A TEE hardware backend is identified in association with a VSE-compatible device. A VSE that is compatible with the identified TEE hardware backend is generated on the VSE-compatible device and an ISA binary that matches the TEE hardware backend is selected from the universal enclave binary. The selected binary is linked to a runtime library of the TR and loads the linked binary into memory of the generated VSE. The execution of a trusted application is initiated in the generated VSE using a set of interfaces of the TR. The trusted application depends on the TR interfaces rather than the selected ISA binary.

Abstract: A remote desktop may be localized to a local operating system (OS), such that remote applications and remote files are accessible via the local OS, without having to launch a remote desktop client that renders a user interface (UI) for connection with the remote desktop. The remote desktop client runs in a background as one or more services without any UI. A user may access and use remote applications/files via the same UIs of the local OS that are used to access and use local applications/files.

Abstract: Example methods and systems for cloud native network function deployment are described. One example may involve a computer system obtaining cluster configuration information associated with multiple single node clusters (SNCs). Based on the cluster configuration information, the computer system may configure (a) a first SNC on a first node and (b) a second SNC on a second node. The computer system may configure (a) a first virtual agent associated with the first SNC, and (b) a second virtual agent associated with the second SNC. In response to receiving a deployment request to deploy a first pod and a second pod, the computer system may process the deployment request by (a) deploying, using the first virtual agent, the first pod on the first SNC, and (b) deploying, using the second virtual agent, the second pod on the second SNC.

Abstract: The disclosure provides a method for virtual volume snapshot creation by a storage array. The method generally includes receiving a request to generate a snapshot of a virtual volume associated with a virtual machine, in response to receiving the request, preparing a file system of the storage array to generate the snapshot, wherein preparing the file system comprises creating a delta storage structure to receive write input/output (I/O) requests directed for the virtual volume when generating the snapshot of the virtual volume, deactivating the virtual volume, activating the delta storage structure, generating the snapshot of the virtual volume, and during the generation of the snapshot of the virtual volume: receiving a write I/O directed for the virtual volume and committing the write I/O in the delta storage structure.