Abstract: A fine-grain selectable partially privileged container virtual computing environment provides a vehicle by which processes that are directed to modifying specific aspects of a host computing environment can be delivered to, and executed upon, the host computing environment while simultaneously maintaining the advantageous and desirable protections and isolations between the remaining aspects of the host computing environment and the partially privileged container computing environment. Such partial privilege is provided based upon directly or indirectly delineated actions that are allowed to be undertaken on the host computing environment by processes executing within the partially privileged container virtual computing environment and actions which are not allowed.

Abstract: Distributed security key management for protecting roaming data via a trusted platform module is performed by systems that include first and second processors, and first and second respective hardware security modules. The first security module encrypts a security key using a public key from the second security module, and the encrypted security key is provided to the second security module. A virtual machine (VM) executed by the first processor has a first virtual security module instance having state data that includes a storage key encrypting VM virtual disk data and that is encrypted with the security key. When a transfer condition is determined, the VM is transferred and executed by the second processor, using a second virtual security module instance, based on decrypting the security key by the second security module using a private key and decrypting the state data for the second virtual security module using the security key.

Abstract: Virtual Machine (VM) creation based on a dynamically-calculated feature set. A plurality of feature sets are identified. Each feature set in the plurality of feature sets corresponds to a different VM host node of a plurality of VM host nodes that are part of a common VM migration group, and indicates a set of features available at a corresponding VM host node. From the plurality of feature sets, a group feature set is calculated. The group feature set includes a subset of features that are common among the plurality of feature sets. A VM created within the plurality of VM host nodes is configured to use the group feature set.

Abstract: Distributed security key management for protecting roaming data via a trusted platform module is performed by systems that include first and second processors, and first and second respective hardware security modules. The first security module encrypts a security key using a public key from the second security module, and the encrypted security key is provided to the second security module. A virtual machine (VM) executed by the first processor has a first virtual security module instance having state data that includes a storage key encrypting VM virtual disk data and that is encrypted with the security key. When a transfer condition is determined, the VM is transferred and executed by the second processor, using a second virtual security module instance, based on decrypting the security key by the second security module using a private key and decrypting the state data for the second virtual security module using the security key.

Abstract: A fine-grain selectable partially privileged container virtual computing environment provides a vehicle by which processes that are directed to modifying specific aspects of a host computing environment can be delivered to, and executed upon, the host computing environment while simultaneously maintaining the advantageous and desirable protections and isolations between the remaining aspects of the host computing environment and the partially privileged container computing environment. Such partial privilege is provided based upon directly or indirectly delineated actions that are allowed to be undertaken on the host computing environment by processes executing within the partially privileged container virtual computing environment and actions which are not allowed.

Abstract: Described is a technology by which a virtual hard disk is migrated from a source storage location to a target storage location without needing any shared physical storage, in which a machine may continue to use the virtual hard disk during migration. This facilitates use the virtual hard disk in conjunction with live-migrating a virtual machine. Virtual hard disk migration may occur fully before or after the virtual machine is migrated to the target host, or partially before and partially after virtual machine migration. Background copying, sending of write-through data, and/or servicing read requests may be used in the migration. Also described is throttling data writes and/or data communication to manage the migration of the virtual hard disk.

Abstract: A host operating system running on a computing device monitors network communications for the computing device to identify network resources that are requested by the computing device. The host operating system compares requested network resources against security policies to determine if the requested network resources are trusted. When an untrusted network resource is identified, the host operating system accesses the untrusted network resource within a container that is isolated from the host operating system kernel using techniques discussed herein. By restricting access to untrusted network resources to isolated containers, the host operating system is protected from even kernel-level attacks or infections that may result from an untrusted network resource.

Abstract: Embodiments provide a method and system for transferring data between different computing devices. Specifically, a communication session is established between a first computing device and a second computing device. The communication session may be established using a first communication protocol. The first computing device creates a virtual memory object which is bound to one or more memory blocks of the first computing device. A path to the virtual memory object is generated and the path is transmitted to the second computing device using the communication session. The second computing device may then read or write data directly into/from the virtual memory object using a second communication protocol that is different from the first communication protocol. The data is written into and read from the virtual memory object using file system commands.

Abstract: Embodiments provide a method and system for transferring data between different computing devices. Specifically, a communication session is established between a first computing device and a second computing device. The communication session may be established using a first communication protocol. The first computing device creates a virtual memory object which is bound to one or more memory blocks of the first computing device. A path to the virtual memory object is generated and the path is transmitted to the second computing device using the communication session. The second computing device may then read or write data directly into/from the virtual memory object using a second communication protocol that is different from the first communication protocol. The data is written into and read from the virtual memory object using file system commands.

Abstract: Embodiments provide a method and system for transferring data between different computing devices. Specifically, a communication session is established between a first computing device and a second computing device. The communication session may be established using a first communication protocol. The first computing device creates a virtual memory object which is bound to one or more memory blocks of the first computing device. A path to the virtual memory object is generated and the path is transmitted to the second computing device using the communication session. The second computing device may then read or write data directly into/from the virtual memory object using a second communication protocol that is different from the first communication protocol. The data is written into and read from the virtual memory object using file system commands.

Abstract: An operating system running on a computing device uses containers for hardware resource partitioning. Using the techniques discussed herein, pausing and resuming of containers is managed to reduce the pressure a container exerts on system resources when paused. Resuming of containers can further be managed to reduce the startup time for containers. This managing of containers can implemented various different techniques, such as stopping scheduling of virtual processors, stopping scheduling of processes or threads, compressing memory, swapping pages of memory for the container to a page file on a hard drive, and so forth.

Abstract: Described is a technology by which a virtual hard disk is migrated from a source storage location to a target storage location without needing any shared physical storage, in which a machine may continue to use the virtual hard disk during migration. This facilitates use the virtual hard disk in conjunction with live-migrating a virtual machine. Virtual hard disk migration may occur fully before or after the virtual machine is migrated to the target host, or partially before and partially after virtual machine migration. Background copying, sending of write-through data, and/or servicing read requests may be used in the migration. Also described is throttling data writes and/or data communication to manage the migration of the virtual hard disk.

Abstract: Described is a technology by which a virtual hard disk is migrated from a source storage location to a target storage location without needing any shared physical storage, in which a machine may continue to use the virtual hard disk during migration. This facilitates use the virtual hard disk in conjunction with live-migrating a virtual machine. Virtual hard disk migration may occur fully before or after the virtual machine is migrated to the target host, or partially before and partially after virtual machine migration. Background copying, sending of write-through data, and/or servicing read requests may be used in the migration. Also described is throttling data writes and/or data communication to manage the migration of the virtual hard disk.

Abstract: Described is a technology by which a virtual machine may be safely migrated to a computer system with a different platform. Compatibility of the virtual machine may be checked by comparing the virtual machine's capabilities against those of the new platform. To ensure compatibility, when created the virtual machine may have its capabilities limited by the lowest common capabilities of the different platforms available for migration. Computer systems may be grouped into migration pools based upon similar capabilities, and/or a virtual machine may be mapped to certain computer systems based upon capabilities needed by that virtual machine, such as corresponding to needed performance, fault tolerance and/or flexibility.

Abstract: A computer system maintains identifiers that identify changed blocks of virtual machine (VM) storage. The computer system accesses a stable VM checkpoint comprising a restorable VM image at a time, and that stores a representation of data of at least one block as it existed at the time. The computer system converts the checkpoint to a reference point. Reference point information is transferable with the VM, such that if the VM is moved to a different computing system, any data identified by the reference point is recoverable. The conversion includes querying the storage to determine an identifier corresponding to the block of the checkpoint at the time, storing this identifier as a part of the reference point, and releasing the representation of the data of the block from the checkpoint. The computer system then uses the reference point to identify changes in the blocks of the storage since the time.

Abstract: Embodiments are directed to backing up a virtual machine cluster and to determining virtual machine node ownership prior to backing up a virtual machine cluster. In one scenario, a computer system determines which virtual machines nodes are part of the virtual machine cluster, determines which shared storage resources are part of the virtual machine cluster and determines which virtual machine nodes own the shared storage resources. The computer system then indicates to the virtual machine node owners that at least one specified application is to be quiesced over the nodes of the virtual machine cluster, such that a consistent, cluster-wide checkpoint can be created. The computer system further creates a cluster-wide checkpoint which includes a checkpoint for each virtual machine in the virtual machine cluster.

Abstract: A host operating system running on a computing device monitors network communications for the computing device to identify network resources that are requested by the computing device. The host operating system compares requested network resources against security policies to determine if the requested network resources are trusted. When an untrusted network resource is identified, the host operating system accesses the untrusted network resource within a container that is isolated from the host operating system kernel using techniques discussed herein. By restricting access to untrusted network resources to isolated containers, the host operating system is protected from even kernel-level attacks or infections that may result from an untrusted network resource.

Abstract: An operating system running on a computing device, also referred to herein as a host device, uses containers for hardware resource partitioning. A container can include one or more of various different components, such as a base operating system, a user-mode environment, an application, virtual devices, combinations thereof, and so forth. One or more container templates are maintained for a computing device, and in response to a request to create a new container, a template container is copied into memory of the computing device to create the new container. The template container includes the various components of the container, and these components are copied into memory of the computing device rather than being launched or started one after the other. Thus, time need not be expended starting the various components included in the container—the components are just copied into memory as a new container.

Abstract: An operating system running on a computing device uses containers for hardware resource partitioning. Using the techniques discussed herein, pausing and resuming of containers is managed to reduce the pressure a container exerts on system resources when paused. Resuming of containers can further be managed to reduce the startup time for containers. This managing of containers can implemented various different techniques, such as stopping scheduling of virtual processors, stopping scheduling of processes or threads, compressing memory, swapping pages of memory for the container to a page file on a hard drive, and so forth.

Abstract: Migration of a virtual machine and associated files to a destination host may be performed. A source host may initiate establishment of a temporary network file share at a destination location of the destination host to provide the source host and the destination host with access to the file share. While the virtual machine is running at the source host, a storage migration and a live migration may be initiated. Using the network file share, the source host may copy the associated files to the destination location. A runtime state of the virtual machine may be copied to the destination host. In a final phase of the migration, the virtual machine at the source host may be stopped, the storage migration may be completed, the copying of the runtime state may be completed, and the virtual machine may be started at the destination host.