Abstract: A host operating system running on a computing device monitors network communications for the computing device to identify network resources that are requested by the computing device. The host operating system compares requested network resources against security policies to determine if the requested network resources are trusted. When an untrusted network resource is identified, the host operating system accesses the untrusted network resource within a container that is isolated from the host operating system kernel using techniques discussed herein. By restricting access to untrusted network resources to isolated containers, the host operating system is protected from even kernel-level attacks or infections that may result from an untrusted network resource.

Abstract: Embodiments provide a method and system for transferring data between different computing devices. Specifically, a communication session is established between a first computing device and a second computing device. The communication session may be established using a first communication protocol. The first computing device creates a virtual memory object which is bound to one or more memory blocks of the first computing device. A path to the virtual memory object is generated and the path is transmitted to the second computing device using the communication session. The second computing device may then read or write data directly into/from the virtual memory object using a second communication protocol that is different from the first communication protocol. The data is written into and read from the virtual memory object using file system commands.

Abstract: Embodiments provide a method and system for transferring data between different computing devices. Specifically, a communication session is established between a first computing device and a second computing device. The communication session may be established using a first communication protocol. The first computing device creates a virtual memory object which is bound to one or more memory blocks of the first computing device. A path to the virtual memory object is generated and the path is transmitted to the second computing device using the communication session. The second computing device may then read or write data directly into/from the virtual memory object using a second communication protocol that is different from the first communication protocol. The data is written into and read from the virtual memory object using file system commands.

Abstract: Embodiments provide a method and system for transferring data between different computing devices. Specifically, a communication session is established between a first computing device and a second computing device. The communication session may be established using a first communication protocol. The first computing device creates a virtual memory object which is bound to one or more memory blocks of the first computing device. A path to the virtual memory object is generated and the path is transmitted to the second computing device using the communication session. The second computing device may then read or write data directly into/from the virtual memory object using a second communication protocol that is different from the first communication protocol. The data is written into and read from the virtual memory object using file system commands.

Abstract: An operating system running on a computing device uses containers for hardware resource partitioning. Using the techniques discussed herein, pausing and resuming of containers is managed to reduce the pressure a container exerts on system resources when paused. Resuming of containers can further be managed to reduce the startup time for containers. This managing of containers can implemented various different techniques, such as stopping scheduling of virtual processors, stopping scheduling of processes or threads, compressing memory, swapping pages of memory for the container to a page file on a hard drive, and so forth.

Abstract: Described is a technology by which a virtual hard disk is migrated from a source storage location to a target storage location without needing any shared physical storage, in which a machine may continue to use the virtual hard disk during migration. This facilitates use the virtual hard disk in conjunction with live-migrating a virtual machine. Virtual hard disk migration may occur fully before or after the virtual machine is migrated to the target host, or partially before and partially after virtual machine migration. Background copying, sending of write-through data, and/or servicing read requests may be used in the migration. Also described is throttling data writes and/or data communication to manage the migration of the virtual hard disk.

Abstract: Described is a technology by which a virtual hard disk is migrated from a source storage location to a target storage location without needing any shared physical storage, in which a machine may continue to use the virtual hard disk during migration. This facilitates use the virtual hard disk in conjunction with live-migrating a virtual machine. Virtual hard disk migration may occur fully before or after the virtual machine is migrated to the target host, or partially before and partially after virtual machine migration. Background copying, sending of write-through data, and/or servicing read requests may be used in the migration. Also described is throttling data writes and/or data communication to manage the migration of the virtual hard disk.

Abstract: Described is a technology by which a virtual machine may be safely migrated to a computer system with a different platform. Compatibility of the virtual machine may be checked by comparing the virtual machine's capabilities against those of the new platform. To ensure compatibility, when created the virtual machine may have its capabilities limited by the lowest common capabilities of the different platforms available for migration. Computer systems may be grouped into migration pools based upon similar capabilities, and/or a virtual machine may be mapped to certain computer systems based upon capabilities needed by that virtual machine, such as corresponding to needed performance, fault tolerance and/or flexibility.

Abstract: A computer system maintains identifiers that identify changed blocks of virtual machine (VM) storage. The computer system accesses a stable VM checkpoint comprising a restorable VM image at a time, and that stores a representation of data of at least one block as it existed at the time. The computer system converts the checkpoint to a reference point. Reference point information is transferable with the VM, such that if the VM is moved to a different computing system, any data identified by the reference point is recoverable. The conversion includes querying the storage to determine an identifier corresponding to the block of the checkpoint at the time, storing this identifier as a part of the reference point, and releasing the representation of the data of the block from the checkpoint. The computer system then uses the reference point to identify changes in the blocks of the storage since the time.

Abstract: Embodiments are directed to backing up a virtual machine cluster and to determining virtual machine node ownership prior to backing up a virtual machine cluster. In one scenario, a computer system determines which virtual machines nodes are part of the virtual machine cluster, determines which shared storage resources are part of the virtual machine cluster and determines which virtual machine nodes own the shared storage resources. The computer system then indicates to the virtual machine node owners that at least one specified application is to be quiesced over the nodes of the virtual machine cluster, such that a consistent, cluster-wide checkpoint can be created. The computer system further creates a cluster-wide checkpoint which includes a checkpoint for each virtual machine in the virtual machine cluster.

Abstract: A host operating system running on a computing device monitors network communications for the computing device to identify network resources that are requested by the computing device. The host operating system compares requested network resources against security policies to determine if the requested network resources are trusted. When an untrusted network resource is identified, the host operating system accesses the untrusted network resource within a container that is isolated from the host operating system kernel using techniques discussed herein. By restricting access to untrusted network resources to isolated containers, the host operating system is protected from even kernel-level attacks or infections that may result from an untrusted network resource.

Abstract: An operating system running on a computing device, also referred to herein as a host device, uses containers for hardware resource partitioning. A container can include one or more of various different components, such as a base operating system, a user-mode environment, an application, virtual devices, combinations thereof, and so forth. One or more container templates are maintained for a computing device, and in response to a request to create a new container, a template container is copied into memory of the computing device to create the new container. The template container includes the various components of the container, and these components are copied into memory of the computing device rather than being launched or started one after the other. Thus, time need not be expended starting the various components included in the container—the components are just copied into memory as a new container.

Abstract: An operating system running on a computing device uses containers for hardware resource partitioning. Using the techniques discussed herein, pausing and resuming of containers is managed to reduce the pressure a container exerts on system resources when paused. Resuming of containers can further be managed to reduce the startup time for containers. This managing of containers can implemented various different techniques, such as stopping scheduling of virtual processors, stopping scheduling of processes or threads, compressing memory, swapping pages of memory for the container to a page file on a hard drive, and so forth.

Abstract: Migration of a virtual machine and associated files to a destination host may be performed. A source host may initiate establishment of a temporary network file share at a destination location of the destination host to provide the source host and the destination host with access to the file share. While the virtual machine is running at the source host, a storage migration and a live migration may be initiated. Using the network file share, the source host may copy the associated files to the destination location. A runtime state of the virtual machine may be copied to the destination host. In a final phase of the migration, the virtual machine at the source host may be stopped, the storage migration may be completed, the copying of the runtime state may be completed, and the virtual machine may be started at the destination host.

Abstract: A computer system maintains identifiers that identify changed blocks of virtual machine (VM) storage. The computer system accesses a stable VM checkpoint comprising a restorable VM image at a time, and that stores a representation of data of at least one block as it existed at the time. The computer system converts the checkpoint to a reference point. Reference point information is transferable with the VM, such that if the VM is moved to a different computing system, any data identified by the reference point is recoverable. The conversion includes querying the storage to determine an identifier corresponding to the block of the checkpoint at the time, storing this identifier as a part of the reference point, and releasing the representation of the data of the block from the checkpoint. The computer system then uses the reference point to identify changes in the blocks of the storage since the time.

Abstract: Described is a technology by which a virtual machine may be safely migrated to a computer system with a different platform. Compatibility of the virtual machine may be checked by comparing the virtual machine's capabilities against those of the new platform. To ensure compatibility, when created the virtual machine may have its capabilities limited by the lowest common capabilities of the different platforms available for migration. Computer systems may be grouped into migration pools based upon similar capabilities, and/or a virtual machine may be mapped to certain computer systems based upon capabilities needed by that virtual machine, such as corresponding to needed performance, fault tolerance and/or flexibility.

Abstract: Described is a technology by which a virtual machine may be safely migrated to a computer system with a different platform. Compatibility of the virtual machine may be checked by comparing the virtual machine's capabilities against those of the new platform. To ensure compatibility, when created the virtual machine may have its capabilities limited by the lowest common capabilities of the different platforms available for migration. Computer systems may be grouped into migration pools based upon similar capabilities, and/or a virtual machine may be mapped to certain computer systems based upon capabilities needed by that virtual machine, such as corresponding to needed performance, fault tolerance and/or flexibility.

Abstract: Embodiments are directed to backing up a virtual machine cluster and to determining virtual machine node ownership prior to backing up a virtual machine cluster. In one scenario, a computer system determines which virtual machines nodes are part of the virtual machine cluster, determines which shared storage resources are part of the virtual machine cluster and determines which virtual machine nodes own the shared storage resources. The computer system then indicates to the virtual machine node owners that at least one specified application is to be quiesced over the nodes of the virtual machine cluster, such that a consistent, cluster-wide checkpoint can be created. The computer system further creates a cluster-wide checkpoint which includes a checkpoint for each virtual machine in the virtual machine cluster.

Abstract: Techniques for providing the ability to live migrate a virtual machine from one physical host to another physical host employ shared storage as the transfer medium for the state of the virtual machine. In addition, the ability for a virtualization module to use second-level paging functionality is employed, paging-out the virtual machine memory content from one physical host to the shared storage. The content of the memory file can be restored on another physical host by employing on-demand paging and optionally low-priority background paging from the shared storage to the other physical host.

Abstract: Embodiments are directed to establishing efficient virtual machine reference points and to specifying a virtual machine reference point to query incremental changes. In one scenario, a computer system accesses a stable virtual machine checkpoint that includes portions of underlying data stored in data storage, where the checkpoint is associated with a specific point in time. The computer system then queries the data storage to determine data storage identifiers that reference the point in time associated with the checkpoint and stores the determined data storage identifiers as a virtual machine reference point, where each subsequent change to the data storage results in an update to the data storage identifier, so that virtual machine reference point is usable to identify incremental changes from specific points in time on.