Abstract: A system may include a memory and a processor in communication with the memory. The processor may be configured to perform operations. The operations may include analyzing a host system, detecting one or more specifications of the host system, and determining a displaceable capacity of the host system. The determining a displaceable capacity of the host system may include identifying a workload on the host system, establishing a workload priority for the workload, and defining a task priority of a task. The operations may include computing service metrics of the host system. The operations may include displacing a portion of the workload using the displaceable capacity.

Abstract: A method, system, and computer program product are provided for virtualizing specific values in a guest configuration based on the underlying host symbol substitution values. A symbolic link located in a traditional file system in a virtual guest is opened. Each symbol is extracted from a symbol-based file located in a symbol-based file system. The symbol-based file is accessed through a symbolic link from the traditional file system. The virtual guest issues a privileged instruction to a hypervisor for each symbol in the symbol-based file to retrieve a substitution value from a symbol table that is stored in hypervisor storage. The substitution value for each symbol is returned to the virtual guest, and it replaces the symbol in the symbol-based file. In response to a file read request for the traditional file, the substitution value is retrieved from the symbol-based file using the symbolic link from the traditional file.

Abstract: Techniques for integrated authentication for a container-based environment are described herein. An aspect includes accessing, by an application that is running in a container in a container environment that is hosted by a hypervisor on a host system, an authentication module that is located in the container environment. Another aspect includes invoking an authentication handler in the container environment based on the accessing of the authentication module. Another aspect includes passing control to the hypervisor from the authentication handler. Another aspect includes retrieving a security artifact from a security database of the host system by the hypervisor. Another aspect includes providing the retrieved security artifact to the application via the authentication handler. Another aspect includes performing an authentication operation by the application using the security artifact.

Abstract: A method, system, and computer program product are provided for virtualizing specific values in a guest configuration based on the underlying host symbol substitution values. A symbolic link located in a traditional file system in a virtual guest is opened. Each symbol is extracted from a symbol-based file located in a symbol-based file system. The symbol-based file is accessed through a symbolic link from the traditional file system. The virtual guest issues a privileged instruction to a hypervisor for each symbol in the symbol-based file to retrieve a substitution value from a symbol table that is stored in hypervisor storage. The substitution value for each symbol is returned to the virtual guest, and it replaces the symbol in the symbol-based file. In response to a file read request for the traditional file, the substitution value is retrieved from the symbol-based file using the symbolic link from the traditional file.

Abstract: According to one or more embodiments, a computer implemented method includes receiving, by an operating system of a computer server, a request to execute an instance of a computer application. The method further includes, based on a determination that the computer application is a non-native application for the operating system, deploying, by the operating system, a virtual container for the instance of the computer application, the virtual container is allocated a dynamic virtual internet protocol address (DVIPA). The method further includes instantiating, by the operating system, an application instance of the computer application in the virtual container. The method further includes setting, by the operating system, a VC-attribute of the DVIPA of the virtual container to a first state, the first state of the VC-attribute indicative that the virtual container is hosting the application instance of the non-native application.

Abstract: A system for establishing a secure connection is described. The system includes a remote direct memory access over converged Ethernet (RoCE) adapter and host device. The host device includes a processor configured to establish a Transmission Control Protocol (TCP) connection between the host device and a client device via the host device network adapter. The host device forwards Internet Protocol Security (IPSec) Security Associations (SAs) and related keys to a host device Remote Direct Memory Access over Converged Ethernet (RoCE) adapter operatively connected with the host device for remote direct memory access. The RoCE adapter communicates protected data to and from the client device over an RoCE connection using the IPSec SAs and related keys.

Abstract: A system for establishing a secure connection is described. The system includes a remote direct memory access over converged Ethernet (RoCE) adapter and host device. The host device includes a processor configured to establish a Transmission Control Protocol (TCP) connection between the host device and a client device via the host device network adapter. The host device forwards Internet Protocol Security (IPSec) Security Associations (SAs) and related keys to a host device Remote Direct Memory Access over Converged Ethernet (RoCE) adapter operatively connected with the host device for remote direct memory access. The RoCE adapter communicates protected data to and from the client device over an RoCE connection using the IPSec SAs and related keys.

Abstract: A computer-implemented method includes monitoring a plurality of connections of a plurality of host applications at a host, where each connection of the plurality of connections carries network traffic associated with a respective host application of the plurality of host applications. A plurality of sets of security attributes are detected, and include a respective set of security attributes for each connection of the plurality of connections. The plurality of sets of security attributes are stored in a security database. From the security database, the respective set of security attributes of a first connection are compared to a centralized security policy. It is determined that the respective set of security attributes of the first connection do not meet the centralized security policy. A remedial action is performed on the first connection, responsive to the respective set of security attributes of the first connection not meeting the centralized security policy.

Abstract: A method, apparatus and computer program product for improved load balancing provides for the grouping under a same workload of both application instances in an application tier, and data sharing members in a data tier. This grouping enables a workload manager to make recommendations (to load balancer appliances) about how to distribute workload connections, e.g., based on metrics gathered from both the application and data tiers. In this approach, both applications and data sources are grouped into a workload grouping, and health, status and capacity information about both of these tiers (application and data) is then used to determine an overall distribution policy for the workload. These different tiers can reside on the same or different operating system environments.

Abstract: Disclosed is a computer-implemented method of rebalancing persistent client connections to a cluster of servers. The method comprises identifying an increase in a total client connection capacity of the cluster of servers with a network connection balancing component; and for each server in a selection of servers in the cluster of servers calculating a current client connection capacity utilization of the server from the number of persistent connections to the server and the current capacity of the server; comparing the current client connection capacity utilization with the target client connection capacity utilization; and terminating a selection of its persistent client connections by a server based on its current client connection capacity utilization exceeding the target client connection capacity utilization. Also disclosed are a computer program product and a computer system for utilizing the computer-implemented method.

Abstract: Disclosed is a computer-implemented method of rebalancing persistent client connections to a cluster of servers. The method comprises identifying an increase in a total client connection capacity of the cluster of servers with a network connection balancing component; and for each server in a selection of servers in the cluster of servers calculating a current client connection capacity utilization of the server from the number of persistent connections to the server and the current capacity of the server; comparing the current client connection capacity utilization with the target client connection capacity utilization; and terminating a selection of its persistent client connections by a server based on its current client connection capacity utilization exceeding the target client connection capacity utilization. Also disclosed are a computer program product and a computer system for utilizing the computer-implemented method.

Abstract: A system for establishing a secure connection is described. The system includes a remote direct memory access over converged Ethernet (RoCE) adapter and host device. The host device includes a processor configured to establish a Transmission Control Protocol (TCP) connection between the host device and a client device via the host device network adapter. The host device forwards Internet Protocol Security (IPSec) Security Associations (SAs) and related keys to a host device Remote Direct Memory Access over Converged Ethernet (RoCE) adapter operatively connected with the host device for remote direct memory access. The RoCE adapter communicates protected data to and from the client device over an RoCE connection using the IPSec SAs and related keys.

Abstract: A system for establishing a secure connection is described. The system includes a remote direct memory access over converged Ethernet (RoCE) adapter and host device. The host device includes a processor configured to establish a Transmission Control Protocol (TCP) connection between the host device and a client device via the host device network adapter. The host device forwards Internet Protocol Security (IPSec) Security Associations (SAs) and related keys to a host device Remote Direct Memory Access over Converged Ethernet (RoCE) adapter operatively connected with the host device for remote direct memory access. The RoCE adapter communicates protected data to and from the client device over an RoCE connection using the IPSec SAs and related keys.

Abstract: A computer-implemented method includes monitoring a plurality of connections of a plurality of host applications at a host, where each connection of the plurality of connections carries network traffic associated with a respective host application of the plurality of host applications. A plurality of sets of security attributes are detected, and include a respective set of security attributes for each connection of the plurality of connections. The plurality of sets of security attributes are stored in a security database. From the security database, the respective set of security attributes of a first connection are compared to a centralized security policy. It is determined that the respective set of security attributes of the first connection do not meet the centralized security policy. A remedial action is performed on the first connection, responsive to the respective set of security attributes of the first connection not meeting the centralized security policy.

Abstract: A method, apparatus and computer program product for improved load balancing provides for the grouping under a same workload of both application instances in an application tier, and data sharing members in a data tier. This grouping enables a workload manager to make recommendations (to load balancer appliances) about how to distribute workload connections, e.g., based on metrics gathered from both the application and data tiers. In this approach, both applications and data sources are grouped into a workload grouping, and health, status and capacity information about both of these tiers (application and data) is then used to determine an overall distribution policy for the workload. These different tiers can reside on the same or different operating system environments.

Abstract: Embodiments relate to protocol selection for transmission control protocol/internet protocol (TCP/IP). An aspect includes tracking connection data corresponding to a plurality of TCP/IP connections in a computer system. Another aspect includes determining, based on the tracked connection data, whether a particular connection of the plurality of TCP/IP connections is appropriate for sockets over remote direct memory access (RDMA) protocol. Another aspect includes, based on determining that the particular connection is appropriate for sockets over RDMA protocol, automatically enabling sockets over RDMA protocol for the connection. Yet another aspect includes, based on determining that the particular connection is not appropriate for sockets over RDMA protocol, automatically disabling sockets over RDMA protocol for the connection.

Abstract: A method that provides for the grouping under a same workload of both application instances in an application tier, and data sharing members in a data tier. This grouping enables a workload manager to make recommendations (to load balancer appliances) about how to distribute workload connections, e.g., based on metrics gathered from both the application and data tiers. In this approach, both applications and data sources are grouped into a workload grouping, and health, status and capacity information about both of these tiers (application and data) is then used to determine an overall distribution policy for the workload. These different tiers can reside on the same or different operating system environments.

Abstract: A method that provides for the grouping under a same workload of both application instances in an application tier, and data sharing members in a data tier. This grouping enables a workload manager to make recommendations (to load balancer appliances) about how to distribute workload connections, e.g., based on metrics gathered from both the application and data tiers. In this approach, both applications and data sources are grouped into a workload grouping, and health, status and capacity information about both of these tiers (application and data) is then used to determine an overall distribution policy for the workload. These different tiers can reside on the same or different operating system environments.

Abstract: Disclosed is a computer-implemented method of rebalancing persistent client connections to a cluster of servers. The method comprises identifying an increase in a total client connection capacity of the cluster of servers with a network connection balancing component; and for each server in a selection of servers in the cluster of servers calculating a current client connection capacity utilization of the server from the number of persistent connections to the server and the current capacity of the server; comparing the current client connection capacity utilization with the target client connection capacity utilization; and terminating a selection of its persistent client connections by a server based on its current client connection capacity utilization exceeding the target client connection capacity utilization. Also disclosed are a computer program product and a computer system for utilizing the computer-implemented method.

Abstract: Disclosed is a computer-implemented method of rebalancing persistent client connections to a cluster of servers. The method comprises identifying an increase in a total client connection capacity of the cluster of servers with a network connection balancing component; and for each server in a selection of servers in the cluster of servers calculating a current client connection capacity utilization of the server from the number of persistent connections to the server and the current capacity of the server; comparing the current client connection capacity utilization with the target client connection capacity utilization; and terminating a selection of its persistent client connections by a server based on its current client connection capacity utilization exceeding the target client connection capacity utilization. Also disclosed are a computer program product and a computer system for utilizing the computer-implemented method.