Patents by Inventor Ayal Baron
Ayal Baron has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).
-
Patent number: 12032679
Abstract: In a method for software attestation, an enclave including an operating system (OS) library is initialized in a trusted execution environment, wherein software attestation is performed to verify an identity of the enclave, wherein an application is executed inside the enclave using the OS library, and wherein performing the software attestation includes attestation of a content of a disk image associated with the application.
Type: Grant
Filed: January 7, 2022
Date of Patent: July 9, 2024
Assignee: HUAWEI CLOUD COMPUTING TECHNOLOGIES CO., LTD.
Inventors: Dan Touitou, Avigail Oron, Naor Shlomo, Ayal Baron
-
Patent number: 11399034
Abstract: The present disclosure provides a system for detecting and preventing the intrusion of malicious data flows in a software defined network (SDN). The system comprises at least one data storage or memory, configured to store flow states of data flows, and to share and update the flow states across the system, at least one shared-state forwarding element (FE) configured to block, forward, or replicate a received data flow based on a flow state of the data flow and/or a comparison of the data flow with predetermined patterns, and at least one inspection element (IE), configured to receive a replicated data flow, and to classify whether the data flow is malicious or allowed. The IE is configured to alter the flow state of the data flow according to a classification result. The present disclosure provides a corresponding method for detecting and preventing intrusion of malicious data flows in an SDN.
Type: Grant
Filed: January 12, 2018
Date of Patent: July 26, 2022
Assignee: Huawei Cloud Computing Technologies Co., Ltd.
Inventors: Shachar Snapiri, Eshed Gal-Or, Eran Gampel, Ayal Baron
-
Publication number: 20220129544
Abstract: In a method for software attestation, an enclave including an operating system (OS) library is initialized in a trusted execution environment, wherein software attestation is performed to verify an identity of the enclave, wherein an application is executed inside the enclave using the OS library, and wherein performing the software attestation includes attestation of a content of a disk image associated with the application.
Type: Application
Filed: January 7, 2022
Publication date: April 28, 2022
Inventors: Dan Touitou, Avigail Oron, Naor Shlomo, Ayal Baron
-
Publication number: 20180139217
Abstract: The present disclosure provides a system for detecting and preventing the intrusion of malicious data flows in a software defined network (SDN). The system comprises at least one data storage or memory, configured to store flow states of data flows, and to share and update the flow states across the system, at least one shared-state forwarding element (FE) configured to block, forward, or replicate a received data flow based on a flow state of the data flow and/or a comparison of the data flow with predetermined patterns, and at least one inspection element (IE), configured to receive a replicated data flow, and to classify whether the data flow is malicious or allowed. The IE is configured to alter the flow state of the data flow according to a classification result. The present disclosure provides a corresponding method for detecting and preventing intrusion of malicious data flows in an SDN.
Type: Application
Filed: January 12, 2018
Publication date: May 17, 2018
Inventors: Shachar SNAPIRI, Eshed GAL-OR, Eran GAMPEL, Ayal BARON
-
Patent number: 9940064
Abstract: Live migration of a virtual disk of a virtual machine between storage devices is described. In accordance with one example, a computer system prepares a first area of a first storage device and a second area of a second storage device for a live snapshot of a virtual disk of a virtual machine. A transaction is then executed that includes storing the live snapshot in the first area of the first storage device, copying the live snapshot to the second area of the second storage device, and mirroring a change to the virtual disk that occurs after the creation of the live snapshot, where the mirroring is via one or more write operations to the live snapshot in the first area and to the copy of the live snapshot in the second area.
Type: Grant
Filed: January 15, 2016
Date of Patent: April 10, 2018
Assignee: Red Hat Israel, Ltd.
Inventors: Ayal Baron, Federico Simoncelli
-
Patent number: 9841985
Abstract: A system and method deallocates data blocks in virtual environments with high efficiency. A computer system hosting a virtual machine includes an I/O device driver in the guest operating system of the virtual machine. The I/O device driver intercepts an operation performed by the guest operating system that causes a data block to be deallocated in the virtual machine. The I/O device driver informs a hypervisor of the computer system that the data block is to be deallocated. The hypervisor then instructs the data storage to deallocate the data block for reuse.
Type: Grant
Filed: April 12, 2011
Date of Patent: December 12, 2017
Assignee: Red Hat Israel, Ltd.
Inventor: Ayal Baron
-
Patent number: 9740544
Abstract: A system and method are disclosed for servicing requests to create live snapshots of a plurality of virtual disks in a virtualized environment. In accordance with one example, a first computer system detects that a second computer system has issued one or more commands to create a first snapshot of a first virtual disk of a virtual machine and a second snapshot of a second virtual disk of the virtual machine while the virtual machine is running on the second computer system. In response to a determination that the creating of the second snapshot failed, the first computer system issues one or more commands to destroy the first snapshot and deallocate an area of a storage device that stores the first snapshot.
Type: Grant
Filed: February 26, 2013
Date of Patent: August 22, 2017
Assignee: Red Hat Israel, Ltd.
Inventors: Ayal Baron, Federico Simoncelli
-
Patent number: 9727274
Abstract: A system and method are disclosed for cloning a live virtual machine (i.e., a virtual machine that is running). In accordance with one example, a computer system prepares an area of a storage device for a clone of a live virtual machine, and a transaction is then executed that comprises: creating the clone of the live virtual machine based on a live snapshot of the live virtual machine, copying the clone to the area of the storage device, and mirroring a change to a virtual disk of the live virtual machine that occurs after the live snapshot is created, wherein the mirroring is via one or more write operations to the virtual disk and to a replica of the virtual disk associated with the clone.
Type: Grant
Filed: February 26, 2013
Date of Patent: August 8, 2017
Assignee: Red Hat Israel, Ltd.
Inventors: Ayal Baron, Federico Simoncelli
-
Patent number: 9542237
Abstract: A computing device receives a request from a host for a shared lock on a resource. The computing device obtains an exclusive lock on the resource using a locking data structure that is stored on the storage domain. The computing device subsequently obtains a shared lock on the resource for the host by writing a flag to the locking data structure, wherein the flag indicates that the host has the shared lock on the resource. The computing device then releases the exclusive lock on the resource.
Type: Grant
Filed: September 4, 2012
Date of Patent: January 10, 2017
Assignee: Red Hat Israel, Ltd.
Inventors: Ayal Baron, Federico Simoncelli, Eduardo Warszawski
-
Publication number: 20160124680
Abstract: Live migration of a virtual disk of a virtual machine between storage devices is described. In accordance with one example, a computer system prepares a first area of a first storage device and a second area of a second storage device for a live snapshot of a virtual disk of a virtual machine. A transaction is then executed that includes storing the live snapshot in the first area of the first storage device, copying the live snapshot to the second area of the second storage device, and mirroring a change to the virtual disk that occurs after the creation of the live snapshot, where the mirroring is via one or more write operations to the live snapshot in the first area and to the copy of the live snapshot in the second area.
Type: Application
Filed: January 15, 2016
Publication date: May 5, 2016
Inventors: Ayal Baron, Federico Simoncelli
-
Patent number: 9239730
Abstract: A host machine executing a connection agent receives a configuration identifying a set of connections to a plurality of storage servers. The host machine later receives a command to run a virtual machine. The host machine determines, based on the configuration, a particular connection of the set of connections to a particular storage server of the plurality of storage servers, the particular connection enabling access to data associated with the virtual machine that is stored by the particular storage server. The host machine then establishes the particular connection to the particular storage server without first receiving a command to establish the particular connection.
Type: Grant
Filed: February 7, 2013
Date of Patent: January 19, 2016
Assignee: Red Hat Israel, Ltd.
Inventors: Saggi Mizrahi, Ayal Baron
-
Patent number: 9239689
Abstract: A system and method are disclosed for live migration of a virtual disk of a virtual machine between storage devices. In accordance with one example, a computer system prepares a first area of a first storage device and a second area of a second storage device for a live snapshot of a virtual disk of a virtual machine. A transaction is then executed that comprises: storing the live snapshot in the first area of the first storage device, copying the live snapshot to the second area of the second storage device, and mirroring a change to the virtual disk that occurs after the creation of the live snapshot, where the mirroring is via one or more write operations to the live snapshot in the first area and to the copy of the live snapshot in the second area.
Type: Grant
Filed: March 28, 2013
Date of Patent: January 19, 2016
Assignee: Red Hat Israel, Ltd.
Inventors: Ayal Baron, Federico Simoncelli
-
Patent number: 9195494
Abstract: Virtual machine images are transferred from a source storage location to a target storage location over a network. In one embodiment, a host at the source storage location computes signature values of a plurality of disk blocks that contain a plurality of virtual machine images. Each computed signature value corresponds to one of the disk blocks. A subset of the disk blocks, all of which have different signature values, is then transferred from the source storage location to the target storage location. Only one copy of duplicate disk blocks is transferred.
Type: Grant
Filed: April 7, 2014
Date of Patent: November 24, 2015
Assignee: Red Hat Israel, Ltd.
Inventors: Shahar Frank, Ayal Baron
-
Patent number: 9135049
Abstract: A virtual disk image manager running on a computing device determines that an operation is to be performed on a virtual disk image. The virtual disk image manager then determines whether an underlying storage domain on which the virtual disk image is stored supports the operation. In response to determining that the storage domain supports the operation, the virtual disk image manager uses native capabilities of the storage domain to perform the operation. In response to determining that the storage domain does not support the operation, the virtual disk image manager performs the operation without the use of the storage domain's native capabilities.
Type: Grant
Filed: October 16, 2012
Date of Patent: September 15, 2015
Assignee: Red Hat Israel, Ltd.
Inventors: Saggi Y. Mizrahi, Ayal Baron
-
Patent number: 9098461
Abstract: A system and method are disclosed for servicing requests to create live snapshots of a plurality of virtual disks in a virtualized environment. In accordance with one example, a computer system issues one or more commands to create a first snapshot of a first virtual disk of a virtual machine and a second snapshot of a second virtual disk of the virtual machine while the virtual machine is running. The computer system determines that the creating of the second snapshot failed and, in response, destroys the first snapshot.
Type: Grant
Filed: December 5, 2012
Date of Patent: August 4, 2015
Assignee: Red Hat Israel, Ltd.
Inventors: Federico Simoncelli, Ayal Baron
-
Patent number: 9092161
Abstract: A system and method are disclosed for selecting an allocation policy and format for storing a disk image of a virtual machine (VM). In accordance with one embodiment, a computer system that hosts a virtual machine (VM) selects an allocation policy and format for storing the disk image on a particular storage device (e.g., a magnetic hard disk, a Universal Serial Bus [USB] solid state drive, a Redundant Array of Independent Disks [RAID] system, a network attached storage [NAS] array, etc.), where the selection is based on one or more capabilities of the storage device, and on a parameter that indicates a tradeoff between performance and storage consumption.
Type: Grant
Filed: December 5, 2012
Date of Patent: July 28, 2015
Assignee: Red Hat Israel, Ltd.
Inventors: Ayal Baron, Saggi Y. Mizrahi
-
Patent number: 9058299
Abstract: A system and method are disclosed for efficiently copying a disk image between storage devices. In accordance with one example, a computer system issues a request to create on a first storage device a snapshot of a first disk image that is stored on the first storage device. The computer system then issues a request to create on the first storage device a second disk image based on the snapshot, and copies the snapshot on to a second storage device. The computer system issues a request to create on the second storage device a third disk image based on the snapshot. The computer system then issues a request to compute a difference between the second disk image and the snapshot, and the difference is overwritten on to the third disk image.
Type: Grant
Filed: January 8, 2013
Date of Patent: June 16, 2015
Assignee: Red Hat Israel, Ltd.
Inventors: Ayal Baron, Saggi Y. Mizrahi
-
Patent number: 9058196
Abstract: A computing device receives a command to start a virtual machine, the virtual machine having a read-only layer and a copy-on-write (COW) layer. The computing device accesses the COW layer of the virtual machine from a network storage. The computing device determines whether the read-only layer of the virtual machine is cached in a local storage. Upon determining that the read-only layer of the virtual machine is cached in the local storage, the computing device starts the virtual machine based on a combination of the downloaded COW layer and the cached read-only layer of the virtual machine.
Type: Grant
Filed: April 12, 2011
Date of Patent: June 16, 2015
Assignee: Red Hat Israel, Ltd.
Inventor: Ayal Baron
-
Patent number: 9047313
Abstract: A mechanism for storing virtual machines on a file system in a distributed environment is disclosed. A method of the invention includes initializing creation of a VM by a hypervisor of a host machine, allocating a logical volume from a logical volume group of a shared storage pool to the VM, and creating a file system on top of the allocated logical volume, the file system to manage all files, metadata, and snapshots associated with the VM.
Type: Grant
Filed: April 21, 2011
Date of Patent: June 2, 2015
Assignee: Red Hat Israel, Ltd.
Inventor: Ayal Baron
-
Patent number: 9047021
Abstract: A logical volume manager (LVM) may manage a plurality of logical volumes and a plurality of drives in a logical data storage using metadata stored on the plurality of drives. The LVM may operate in one of two modes. In the first mode, the LVM may delete uncommitted metadata on a drive and may use committed metadata on the drive when accessing a logical volume. In a second mode, the LVM may use committed metadata on the drive when accessing the logical volume and may refrain from deleting the uncommitted metadata.
Type: Grant
Filed: January 22, 2013
Date of Patent: June 2, 2015
Assignee: Red Hat Israel, Ltd.
Inventors: Eduardo Warszawski, Ayal Baron