Abstract: Embodiments are directed to deploying a workload on the best/highest performance node. Nodes configured to accommodate a request for a workload are selected. Information is collected on each of the selected nodes and the workload. Predicted response times expected for the workload running on each of the selected nodes are determined. The workload is deployed on a node of the selected nodes, the node having a corresponding predicted response time for the workload, the workload being deployed on the node based at least in part on the corresponding predicted response time.

Abstract: User data security is provided. Encrypted user data are identified in a virtual machine. A private key of a public/private cryptographic key pair corresponding to a user is retrieved. The encrypted user data is decrypted within the virtual machine utilizing the private key corresponding to the user to form decrypted user data. The encrypted user data are replaced in the virtual machine with the decrypted user data. The decrypted user data is processed in the virtual machine to perform a service in a cloud environment.

Abstract: A system may include a memory and a processor in communication with the memory configured to perform operations. The may operations include obtaining transaction logs in blocks from nodes of a data storage system. The operations may include, for each transaction log, splitting the transaction log into log entries, grouping log entries into groups associated with a same data source, and writing the log entries of the groups to empty blocks such that log entries from different groups do not share a same block. The operations may include identifying a same sequence of log entries from the written transaction logs and uploading first blocks of a first transaction log, including the same sequence of log entries, to an object-based storage without uploading second blocks of a second transaction log including the same sequence of log entries to the object-based storage.

Abstract: An approach for protecting container image and runtime data from host access may be presented. Container systems have allowed for more efficient utilization of computing resources, removing the requirement of a hypervisor, and packaging all necessary dependencies within an application. Preventing host access to container image and runtime data can be advantageous for a multitude of reasons. The approach herein may include, flattening a plurality of root file system of a one or more container images into a single layer. The approach may also include generating a container base image for each of the one or more flattened root file system. The approach may include encrypting each of the generated container base images with the flattened root file system.

Abstract: A system may include a memory and a processor in communication with the memory configured to perform operations. The may operations include obtaining transaction logs in blocks from nodes of a data storage system. The operations may include, for each transaction log, splitting the transaction log into log entries, grouping log entries into groups associated with a same data source, and writing the log entries of the groups to empty blocks such that log entries from different groups do not share a same block. The operations may include identifying a same sequence of log entries from the written transaction logs and uploading first blocks of a first transaction log, including the same sequence of log entries, to an object-based storage without uploading second blocks of a second transaction log including the same sequence of log entries to the object-based storage.

Abstract: Cognitive determination of whether a message is suitable for sending over a data communications network can include extracting tokens from the message prior to transmitting the message. One or more intended recipients of the message can be determined from the tokens. A machine learning classification model corresponding to the one or more recipients of the message can be selected. The machine learning classification model can be constructed based on tokens extracted from prior messages, which are combined to create a plurality of documents for training the machine learning classification model. The one or more tokens extracted from the message can be classified using the machine learning classification model. An alert message can be generated in response to determining based on the classifying that the message is unsuited for sending.

Abstract: Cognitive determination of whether a message is suitable for sending over a data communications network can include extracting tokens from the message prior to transmitting the message. One or more intended recipients of the message can be determined from the tokens. A machine learning classification model corresponding to the one or more recipients of the message can be selected. The machine learning classification model can be constructed based on tokens extracted from prior messages, which are combined to create a plurality of documents for training the machine learning classification model. The one or more tokens extracted from the message can be classified using the machine learning classification model. An alert message can be generated in response to determining based on the classifying that the message is unsuited for sending.

Abstract: A computer-implemented method to limit access to sensitive information by filtering log files. The method includes deploying a first pod on a node of a cloud computing system, where the first pod includes a first container configured to run an application. The method also includes generating a first log file for the first container, where the first log file includes a set of actions performed by the application for a period of time. The method further includes filtering, by a filter, the first log file wherein the filter is configured to remove a type of sensitive data from the first log file. The method includes exporting, in response to the filtering, the first log file to the node. Advantageously, this can prevent various parties from accessing sensitive data that is contained in log files.

Abstract: In an approach, a processor receives, at an edge node, a message from an IoT device associated with the edge node, the message being embedded with at least one non-fungible token (NFT) and each of the at least one NFT representing a corresponding authorization associated with the IoT device. A processor retrieves, at the edge node, the at least one NFT from the received message. A processor validates, at the edge node, the received message based on the retrieved at least one NFT. A processor, responsive to validating the received message, forwards, by the edge node, the received message to a center node associated with the edge node.

Abstract: A system may include a memory and a processor in communication with the memory. The processor may be configured to perform operations that include generating a key pair and encrypting a data credential with a public key to make a data credential secret. The operations may further include storing the data credential secret in a cluster on a host and deploying a workload on the cluster. The operations may also include establishing an empty bundle in the host and generating a pod trusted execution environment.

Abstract: Embodiments are directed to using remote pods. An intermediary software is instantiated in a worker node virtual machine and is used to cause a pod virtual machine to be created, the pod virtual machine being remote from the worker node virtual machine. An overlay network is established between the intermediary software in the worker node virtual machine and a pod space in the pod virtual machine. The overlay network is used to cause containers to be created in the pod virtual machine, where the worker node virtual machine is configured to use the overlay network to manage communications with the pod virtual machine.

Abstract: Embodiments are directed to a container storage system in remote pods. A worker node virtual machine determines that a volume is available for attachment to the worker node virtual machine. An intermediary software of the worker node virtual machine causes a pod container storage interface to attach the volume to a pod virtual machine. In response to attaching the volume to the pod virtual machine, the intermediary software of the worker node virtual machine causes the pod container storage interface to mount the volume to the pod virtual machine such that the volume is available for use by the pod virtual machine.

Abstract: Embodiments generally enable a mobile device to display a window of a remote desktop on a mobile device with a native layout. In some embodiments, a method includes receiving a remote desktop display request from a mobile client device, wherein the remote desktop display request includes display information of the mobile client device. The method further includes generating a copy of a window process of a remote desktop computer. The method further includes generating a virtual display based at least in part on the copy of the window process of the remote desktop computer and on the display information of the mobile client device. The method further includes sending virtual display information to the mobile client device based at least in part on the virtual display.

Abstract: In a method for encryption of sensitive data, an encrypted user private key is received in a Trusted Execution Environment (TEE) in a worker node in a container management system, the encrypted user private key being an encrypted version of a user private key for decrypting a message from a user in the container management system. The user private key is obtained in the TEE, and the encrypted user private key being decrypted into the user private key with a provider private key that is received from an encryption manager for managing the container management system. With these embodiments, the user private key may be transmitted to the worker node safely, such that the worker node may use the user private key to decrypt messages from the user. Therefore, the security level of the container management system may be increased.

Abstract: Aspects include providing isolation between a plurality of containers in a pod that are each executing on a different virtual machine (VM) on a host computer. Providing the isolation includes converting a data packet into a serial format for communicating with the host computer. The converted data packet is sent to a router executing on the host computer. The router determines a destination container in the plurality of containers based at least in part on content of the converted data packet and routes the converted data packet to the destination container.

Abstract: Embodiments are directed to deploying a workload on the best/highest performance node. Nodes configured to accommodate a request for a workload are selected. Information is collected on each of the selected nodes and the workload. Predicted response times expected for the workload running on each of the selected nodes are determined. The workload is deployed on a node of the selected nodes, the node having a corresponding predicted response time for the workload, the workload being deployed on the node based at least in part on the corresponding predicted response time.

Abstract: A process deployment controller creates an updated image for an intermediary engine in order to execute one or more applications on a host infrastructure. The process deployment controller generates a partial image by executing source code from a template repository. The partial image provides a structure used to create an intermediary engine used with a container, which includes an application, as well as binaries and libraries required to execute the application in an infrastructure via the intermediary engine. The process deployment controller transmits an identifier of the infrastructure to a component registry; receives a component description of the infrastructure from the component registry; and uses the component description to create an updated image of the partial image. The process deployment controller, upon receiving a request for the application to run on the infrastructure, utilizes the updated image and intermediary engine to execute the application on the infrastructure.

Abstract: A method includes predicting, using a machine learning model and based on a received set of user interactions on keywords appearing in a presentation, a knowledge background of the user indicating the user's degree of understanding of the presentation. The method also includes generating, based on the predicted knowledge background, a message comprising a description of a keyword in the presentation and coordinates where the description is to be positioned in the presentation and communicating the message to a device of the user.

Abstract: Cognitive determination of whether a message is suitable for sending over a data communications network can include extracting tokens from the message prior to transmitting the message. One or more intended recipients of the message can be determined from the tokens. A machine learning classification model corresponding to the one or more recipients of the message can be selected. The machine learning classification model can be constructed based on tokens extracted from prior messages, which are combined to create a plurality of documents for training the machine learning classification model. The one or more tokens extracted from the message can be classified using the machine learning classification model. An alert message can be generated in response to determining based on the classifying that the message is unsuited for sending.

Abstract: A process deployment controller creates an updated image for an intermediary engine in order to execute one or more applications on a host infrastructure. The process deployment controller generates a partial image by executing source code from a template repository. The partial image provides a structure used to create an intermediary engine used with a container, which includes an application, as well as binaries and libraries required to execute the application in an infrastructure via the intermediary engine. The process deployment controller transmits an identifier of the infrastructure to a component registry; receives a component description of the infrastructure from the component registry; and uses the component description to create an updated image of the partial image. The process deployment controller, upon receiving a request for the application to run on the infrastructure, utilizes the updated image and intermediary engine to execute the application on the infrastructure.