Abstract: Examples described herein enable memory state sharing among a plurality of virtual machines (VM) including a parent VM and a child VM. A request for memory state sharing between the parent VM and the child VM is received, and the parent VM is suspended. The child VM resumes execution of one or more suspended applications. In one example, the child FM is forked with pre-loaded, suspended applications from the parent VM. Aspects of the disclosure offer a high performance, resource efficient solution that outperforms traditional approaches in areas of software compatibility, stability, quality of service control, re-source utilization, and more.

Abstract: A system, method, computer program, and/or computer readable medium for providing hierarchical interception for applications within isolated environments. The computer readable medium includes computer-executable instructions for execution by a processing system. The computer-executable instructions may be for installing interceptors, configuring interceptors, preloading shared libraries, using trampoline functions, removal of interceptors, mapping between resources inside and outside the isolated environment, providing an interception database, loading the interception database, redirection of resources, and providing the hierarchy of interceptors.

Abstract: A virtual switching method, a related apparatus, and a computer system are provided. The method includes receiving a first message sent by a source node, where the first message is used to request a first virtual machine to perform switching processing on to-be-switched data, where the to-be-switched data is sent from the source node to a target node and at least one of the source node and the target node is a second virtual machine; and determining a second message according to an address of the target node contained in the to-be-switched data and a configured port mapping table, and sending the second message, where the second message is used to instruct the target node to acquire the to-be-switched data from a storage device of a hardware layer.

Abstract: A plan including several groups of tasks is constructed for performing maintenance on a plurality of interrelated machines. A maintenance task in a first group is caused to execute within a window of time allocated for the maintenance. A determination is made that an estimated amount of time needed to execute a second group of tasks from the several groups is more than the remaining time in the window. In response to such a determination, the execution of the second group of tasks is omitted. The execution of a post-requisite task of the first group is completed. A maintenance task in the second group is executed during a second window of time allocated for the maintenance.

Abstract: An update is deployed to a guest virtual machine of a hypervisor during runtime of the guest virtual machine. An executing thread of the guest virtual machine is identified and execution of the thread is redirected to a function to open a handle to a file, of the guest virtual machine, to which data of the update is to be written. The data is provided to a component of the guest virtual machine, and then execution of the thread is redirected to a function to write the data provided to the component to the file.

Abstract: Embodiments relate to virtual machine (VM) migration via a mobile device. A method includes requesting, by a mobile device, a source computer to capture a state and memory contents of a VM executing on the source computer. The VM includes the state, the memory contents, and data. The state and memory contents of the VM are stored on the mobile device. Security information about a target computer is determined by the mobile device. A migration of the VM to the target computer is initiated by the mobile device. The initiating includes sending the stored state and memory contents of the VM from the mobile device to the target computer. An activation of the VM on the target computer is initiated and access is provided to at least a subset of the data of the VM. The subset is selected based on the security information.

Abstract: Techniques for configuring virtual machine instances are described herein. A virtual machine instance is instantiated and the virtual machine instance is monitored to receive notifications of configuration events associated with that virtual machine instance. Each configuration event, which specifies configuration changes to the virtual machine instance, includes a set of metadata associated with the configuration event. The metadata is extracted from the configuration event and the configuration changes are applied to the virtual machine instance. A new virtual machine image is then produced from the virtual machine instance and the extracted metadata is associated with the new virtual machine image.

Abstract: Virtual machine data records are obtained from a virtual system manager that manages one or more virtual machines. Storage data records are obtained from a storage controller. The virtual machine data records include one or more particular virtual machine data records relating to a particular virtual machine and identify a particular volume that is configured for use by the particular virtual machine. The storage data records including one or more particular storage data records that specify performance information associated with the particular volume. Based on information in the particular virtual machine data records and information in the particular storage data records, it is determined that the particular storage data records are related to the particular volume used by the particular virtual machine.

Abstract: A system can include a host device that includes a virtual machine execution environment. The host device can execute a host management component in the host device and determine whether a hypervisor or a virtual machine in the virtual machine execution environment violates at least one compliance rule. The host device can also cause the host management component to perform an action in response to determining that the hypervisor the virtual machine violates the at least one compliance rule.

Abstract: Systems and methods for providing a hypercall interface for virtual machines. An example method may comprise receiving, by a hypervisor executing on a computer system, a hypercall instruction issued by a virtual machine to invoke a hypervisor function; and determining an identifier of the hypervisor function based on a value of an instruction pointer of the virtual machine.

Abstract: Exemplary methods, apparatuses, and systems include a hypervisor receiving an error message from an agent within a first virtual machine run by the hypervisor. In response to the error message, the hypervisor determines and initiates a corrective action for the hypervisor to take in response to the error message. An exemplary corrective action includes initiating a reset of the first virtual machine or a reset of a second virtual machine.

Abstract: A method and apparatus for a certificate authority system providing authentication to a plurality of devices associated with an organization are described. The method may include receiving, at the certificate authority system, a request from a device to sign authentication information of the device, wherein the device is associated with the organization. The method may also include sending a challenge to the device to perform an action with a system other than the certificate authority system, and receiving the response to the challenge from the device. Furthermore, the method may include verifying that the response was generated correctly based on the challenge, and signing the authentication information of the device with one or more keys of the certificate authority system as an authentication of an identity of the device.

Abstract: To provide enhanced operation of computing systems to control access to audit logging resources by virtual machines, various systems, apparatuses, methods, and software are provided herein. In a first example, a method of operating a computing system is provided. The method includes receiving requests for audit credentials from virtual machines, and responsively providing individualized audit credentials to the virtual machines based at least on identities of the virtual machines. The method also includes, in the audit system, authorizing storage of audit data transferred by the virtual machines based at least on the individualized audit credentials accompanying the audit data. The method also includes, in the authorization system, selectively de-authorizing one or more of the virtual machines and reporting information regarding the de-authorized one or more of the virtual machines to the one or more audit systems.

Abstract: Techniques for using a cache to accelerate virtual machine (VM) I/O are provided. In one embodiment, a host system can intercept an I/O request from a VM running on the host system, where the I/O request is directed to a virtual disk residing on a shared storage device. The host system can then process the I/O request by accessing a cache that resides on one or more cache devices directly attached to the host system, where the accessing of the cache is transparent to the VM.

Abstract: A method of composing and displaying screen images includes transmitting a screen image of a guest operating system (OS) to a host OS, in response to the guest OS and the host OS exclusively or jointly accessing a graphics processing unit (GPU) in a pass-through or mediated pass-through environment via GPU virtualization; generating a composition screen image by transforming the screen image of the guest OS into a texture and composing the texture with a texture screen image of the host OS; and displaying the composition screen image.

Abstract: A method and system are provided for storage checkpointing in a mirrored virtual machine system. The method includes a storage controller receiving a modifying operation to storage from a virtual machine and carrying out the modifying operation in a non-destructive manner by saving the modifying operation data to a checkpointing region of storage and preserving the stored previous data state. The method also includes receiving a checkpoint notification and committing modifying operation data from the checkpointing region and releasing the stored previous data state. If a failover notification is received, the storage controller rolls back the physical storage to match a checkpoint state.

Abstract: An apparatus in one embodiment comprises a processing platform that includes a plurality of processing devices each comprising a processor coupled to a memory. The processing platform is configured to implement converged infrastructure including a plurality of containers. The converged infrastructure comprises one or more middleware layers configured to support containerized workloads running in respective ones of the containers using underlying commodity hardware. The one or more middleware layers comprise a container hub having a plurality of preconfigured containers for use with respective particular types of containerized workloads, a container engine adapted to provide the preconfigured containers for the container hub, and software-defined storage configured to provide storage resources for allocation by the container engine to the preconfigured containers.

Abstract: A computer, on which a plurality of operating systems run, wherein the plurality of operating systems includes a first operating system and a second operating system configured to generate a plurality of virtual computers. The first operating system runs on a first logical resource, and the second operating system runs on a second logical resource. A third operating system runs on each of the plurality of virtual computers. The third operating system secures a cache memory area in a virtual memory. The second operating system generates location information, which indicates a location of the cache memory area in a physical address space that the second operating system manages. The first operating system obtain data stored in the cache memory area based on the location information.

Abstract: A method for provisioning a virtualized resource includes directing, by a provisioning machine, a server-executed hypervisor to provision a virtual machine. The provisioning machine directs generation of an organizational unit within a first organizational unit within a multi-tenant directory service separated from a second organizational unit in the multi-tenant directory service by a firewall. The provisioning machine associates the virtual machine with the first organizational unit. The provisioning machine establishes at least one firewall rule on the virtual machine restricting communications to the virtual machine to communications from explicitly authorized machines, which including at least one other machine within the organizational unit. The provisioning machine receives a request to provision a virtualized resource for at least one user. The provisioning machine updates data associated with the organizational unit to include an identification of the at least one user.

Abstract: A method for operating a processing system comprising in a hypervisor, negotiating with a host platform to determine compatibility between a virtual machine and the host platform, responsive to determining that the virtual machine is compatible with the host platform, receiving a control block from the virtual machine, tagging the control block with information that associates the control block with a control group, determining whether the hypervisor is a base hypervisor, and scheduling the control block for processing responsive to determining that the hypervisor is the base hypervisor.

Abstract: Disclosed aspects relate to upgrade management for a shared pool of configurable computing resources having a set of logical partition (LPAR) nodes which includes a set of established members. Performance of a live kernel update (LKU) operation may be initiated with respect to a first original LPAR node. Generation of a first surrogate LPAR node to succeed the first original LPAR node may be initiated. The first surrogate LPAR node may be identified as a new original LPAR node. The first surrogate LPAR node may be joined with the set of LPAR nodes. In response to the first surrogate LPAR node joining the set of LPAR nodes, the first surrogate LPAR node may be identified as a new surrogate LPAR node. The first surrogate LPAR node may be established as a first established member, thereby removing the first original LPAR node from the set of established members.

Abstract: In certain information handling system environments, physical devices connected to a client are redirected to a server or other information handling system. The time to redirect a universal serial bus (USB) mass storage device may be lengthy given that the same metadata must be read several times. Arrival time of a redirected USB mass storage device may be decreased by collecting the complete metadata at the client and transmitting that complete metadata to the server. The server builds a metadata cache to store the metadata received from the client. Efficiencies are achieved by caching the complete metadata associated with the redirected device at the server instead of making repeated transactions requesting the same metadata from the client.

Abstract: Described systems and methods enable performing software audits remotely and automatically, on a relatively large number of client systems (e.g., a corporate network, a virtual desktop infrastructure system, etc.) An audit engine executes on each client system, in a hardware virtualization configuration wherein the audit engine executes outside an audited virtual machine. When receiving an audit request from an audit server, some embodiments of the audit engine drop an audit agent into the audited virtual machine, and remove the audit agent upon completion of the audit.

Abstract: Methods and/or systems for provisioning storage capacity of a virtual machine are disclosed. Storage provisioning requests are received from virtual machines executing within a physical host environment. The provisioning requests are validated and processed to generate or otherwise expand storage capacities of the requesting virtual machines.

Abstract: A method for processing virtualization of computers that are part of a group into virtual computers is provided. The method includes obtaining relationship data from the computers, where the relationship data identifies parameters used to communicate within the group. Then, the method analyzes utilization parameters for each of the computers of the group. A visual model for proposed virtualization of the group of computers is then generated. The visual model identifies hosting machines designated to define a virtual computer for each of the computers, where the visual model provides a graphical illustration of the group of computers once converted to virtual computers. The method enables adjustment of the proposed virtualization of the group of computers. Then, an execution sequence of virtualization operations to be carried out is generated, if execution of the proposed virtualization is triggered, and the execution sequence is saved to storage and accessed upon execution.

Abstract: An orchestration engine that interfaces with the various clouds to implement the system solution. The orchestration engine builds, configures, and converges the single system solution. The orchestration engine builds the system by instantiating machines and services on the various clouds. The orchestration engine configures the system according to input from the client and the solution provider and then converges the various systems by establishing relationships and connections between the various services. Optionally, the orchestration engine also runs tests to verify that the system is working properly. Once the system has been built, configured and converged, the orchestration engine provides the client with a single entry point for using the system solution.

Abstract: A system for determining a quota comprises an input interface, a candidate quota determiner, one or more quota modification determiners, and an output interface. The input interface is for receiving a quota request for an activity and receiving an estimation or an actual measurement of one or more operating parameters. A candidate quota determiner is for determining a candidate quota amount based at least in part on candidate quota parameters. The one or more quota modification determiners are for determining one or more quota modifications based on the estimation or the actual measurement of the one or more operating parameters. The output interface for providing a final quota amount based at least in part on the candidate quota amount and the one or more quota modifications.

Abstract: A method and a computer program product for causing a processor to perform the method are provided. The method includes creating a virtual machine having a virtual machine identifier, and storing an entry in a temporary virtual machine registry, wherein the entry includes the virtual machine identifier, inactivity criteria for the virtual machine, and a responsive action for the virtual machine. The method further includes monitoring the activity of the virtual machine, and initiating the responsive action associated with the virtual machine in response to the virtual machine satisfying the inactivity criteria.

Abstract: A technology is described for identifying a destination physical host used to host a computing instance modeled on a source computing instance. An example method may include obtaining specifications for a source computing instance in preparation to migrate the source computing instance to a destination physical host. A destination physical host may then be identified for hosting a destination computing instance modeled on the source computing instance, where the destination physical host may have specifications determined to support the destination computing instance. A model of the source computing instance as hosted on the source physical host may be compared with a model of the source computing instance as hosted on the destination physical host to identify any conflicts that may prevent the destination physical host from hosting the destination computing instance.

Abstract: A method and system are provided for storage checkpointing in a mirrored virtual machine system. The method includes a storage controller receiving a modifying operation to storage from a virtual machine and carrying out the modifying operation in a non-destructive manner by saving the modifying operation data to a checkpointing region of storage and preserving the stored previous data state. The method also includes receiving a checkpoint notification and committing modifying operation data from the checkpointing region and releasing the stored previous data state. If a failover notification is received, the storage controller rolls back the physical storage to match a checkpoint state.

Abstract: A method includes determining a first host Non-Uniform Memory Access (NUMA) node of a plurality of host NUMA nodes on a host machine that provides a virtual machine to a guest, the first host NUMA node being associated with a pass-through device, creating a virtual NUMA node on the virtual machine, mapping the virtual NUMA node to the first host NUMA node, adding a virtual expander to a virtual root bus of the virtual machine, and associating the virtual expander with the virtual NUMA node.

Abstract: A computer system comprises a storage system that is configured by at least one real storage apparatus that is provided with a plurality of real resources and a management system that is coupled to the storage system. The management system is configured to allocate a real resource or a virtual resource based on the real resource as a tenant resource from the at least one real storage apparatus to a tenant based on first information that includes an upper limit that is related to a real resource of each of at least one real storage apparatus that is provided with a plurality of real resources and second information that is an upper limit that is related to a real resource that is allocated as a tenant resource that is a resource that can be used by a tenant or as a resource that is a basis of the tenant resource.

Abstract: Managing a virtual computer resource on at least one virtual machine. The managing of the virtual computer resource on the at least one virtual machine is by controlling execution of the virtual computer resource on the at least one virtual machine by a virtual machine instance, such as a firmware facility, of a trusted part of a computer system. The virtual machine instance is unique in the computer system.

Abstract: Methods, systems, and computer programs for creating virtual machines (VM) and associated networks in a virtual infrastructure are presented. The method defines virtual network templates in a database, where each virtual network template includes network specifications. A configuration of a virtual system is created, which includes VMs, virtual lab networks associated with virtual network templates, and connections from the VMs to the virtual lab networks. Further, the configuration is deployed in the virtual infrastructure resulting in a deployed configuration. The deployment of the configuration includes instantiating in the virtual infrastructure the VMs of the configuration, instantiating in the virtual infrastructure the virtual lab networks, retrieving information from the database, and creating and executing programming instructions for the VMs.

Abstract: Various embodiments pertain to computing devices and virtual machines. In particular, various embodiments relate to the start-up, operation, and communication of virtual machines. A method includes initiating operation of a virtual machine on a computing device, and sending a token from the computing device to a virtual machine, where the token is used to connect the computing device and the virtual machine. The method also includes establishing a virtual private network between the virtual machine and a network node using the token, and launching a user interface of the virtual machine on the computing device after the virtual private network has been established.

Abstract: Systems and methods are disclosed for distributing an in-memory data store over a plurality of independent data partitions. For example, the method includes associating each of the plurality of independent data partitions with at least one of a plurality of processing units such that one or more data sets in a corresponding each of the plurality of independent data partitions are processed by the at least one of the plurality of processing units. A query execution engine is provided for causing the plurality of processing units to execute, in parallel, a series of queries to the plurality of independent data partitions.

Abstract: In one embodiment, a method includes receiving, at a first host, a security profile related to a first data socket descriptor indicating risk to data security of a second host. The method also includes, in response to the risk indicated by the security profile, performing by the first host, at least one action selected from a group of actions. The group of actions includes a cache flush on a cache of the first host according to a cache flush policy, cache locking on data stored in the cache of the first host, data redaction on data of a payload prior to being sent by the first host, memory locking of data stored in an in-memory database of the first host, and encryption of data stored in the in-memory database of the first host or encryption of selected data fields of a payload prior to being sent from the first host.

Abstract: A system, an apparatus and a method for providing a secure computing environment may be provided. In one aspect, an apparatus may comprise a communication port and a computer processor coupled to the communication port. The computer processor may be configured to initialize a hypervisor, establish a first virtual machine under control of the hypervisor and execute code for a secure zone on the first virtual machine. To execute code for the secure zone, the computer processor may be further configured to verify an administrative task and execute the administrative task, which may include: establish a connection with an administrator device, ensure that the administrator device is one of a set of intended administrator devices, receive a command through the connection with the administrator device and establish a second virtual machine under control of the hypervisor. The command may relate to executing a task on the second virtual machine.

Abstract: A micro-virtualization architecture deploys a threat-aware microvisor as a module of a virtualization system configured to facilitate real-time security analysis, including exploit detection and threat intelligence, of operating system processes executing in a memory of a node in a network environment. The micro-virtualization architecture organizes the memory as a user space and kernel space, wherein the microvisor executes in the kernel space of the architecture, while the operating system processes, an operating system kernel, a virtual machine monitor (VMM) and its spawned virtual machines (VMs) execute in the user space. Notably, the microvisor executes at the highest privilege level of a central processing unit of the node to virtualize access to kernel resources. The operating system kernel executes under control of the microvisor at a privilege level lower than a highest privilege level of the microvisor. The VMM and its spawned VMs execute at the highest privilege level of the microvisor.

Abstract: A user attribute information provision system processes attribute information of users while preventing a leakage of attribute information. A provision apparatus: selects an apparatus group forming a communication path; generates information registration request in which information of a predetermined user is concealed in data recognizable only to a correspondent of the provision apparatus; and transmits the information registration request to an access destination solving apparatus via the apparatus groups.

Abstract: A method and apparatus for efficiently executing guest programs in a virtualized computing environment are presented. The method includes executing a virtual machine on a computing hardware; executing a single hypervisor in a first security ring on the virtual machine; executing a single guest program on the virtual machine, wherein the single guest program includes a single kernel being executed in the first security ring and at least one application being executed in a second security ring; and executing at least an instruction issued by the at least one application without trapping the single hypervisor.

Abstract: Migration of virtual machines within a computing environment is facilitated. A processor obtains a current virtual machine to host mapping in the computing environment, as well as a plurality of future virtual machine to host mappings. A current migration plan to migrate from a current state of the computing environment to another state of the computing environment is also obtained. Based on the current virtual machine to host mapping and one or more future virtual machine to host mappings of the plurality of future virtual machine to host mappings a determination is made that one or more potential alert conditions exist in the current migration plan. The current migration plan and/or one or more future virtual machine to host mappings are displayed. The current migration plan is adjusted to address at least one potential alert condition of the one or more potential alert conditions to improve processing within the computing environment.

Abstract: A computer-implemented method includes identifying a primary code segment, determining a confidence score associated with said primary code segment, and determining whether the confidence score exceeds a confidence threshold. The computer-implemented method further includes responsive to the confidence score exceeding the confidence threshold, determining a logger code segment associated with the primary code segment. A corresponding computer program product and computer system are also disclosed.

Abstract: A computer-implemented method, carried out by one or more processors, for policy based virtual resource allocation. In an embodiment, the method includes identifying a number of host resources specified by host resource requirements for a first resource consumer. The method determines if the host resource requirements include a list of host resource pools for the first resource consumer. Responsive to determining that the host resource requirements include the list of host resource pools for the first resource consumer, a first set of eligible host resource pools is identified. An allocation policy may be identified, where the allocation policy includes one or more parameters for allocating host resources. Host resources from the first set of eligible host resource pools are allocated based on the allocation policy.

Abstract: The current document is directed to methods for aggregating host computers into distributed computing systems and to distributed computing systems created by the methods. In a described implementation, host computers are aggregated into two or more clusters, at a first distributed-computing-system level, each managed by a second-level management server. The two or more clusters are then, in turn, aggregated into a hierarchical distributed computing system managed by a top-level management server. The top-level management server is interconnected to, and accesses, the second-level management servers through a host-gateway appliance that includes host-gateway control logic implemented within a server computer. In order to achieve scalability and efficiency, the top-level management server provides a subset of the native management commands to system administrators and other users who access a management interface provided by the top-level management server.

Abstract: Live migration of a virtual disk of a virtual machine between storage devices is described. In accordance with one example, a computer system prepares a first area of a first storage device and a second area of a second storage device for a live snapshot of a virtual disk of a virtual machine. A transaction is then executed that includes storing the live snapshot in the first area of the first storage device, copying the live snapshot to the second area of the second storage device, and mirroring a change to the virtual disk that occurs after the creation of the live snapshot, where the mirroring is via one or more write operations to the live snapshot in the first area and to the copy of the live snapshot in the second area.

Abstract: Systems and methods are disclosed for reusing fetched and decoded instructions in block-based processor architectures. In one example of the disclosed technology, a system includes a plurality of block-based processor cores and an instruction scheduler. A respective core is capable of executing one or more instruction blocks of a program. The instruction scheduler can be configured to identify a given instruction block of the program that is resident on a first processor core of the processor cores and is to be executed again. The instruction scheduler can be configured to adjust a mapping of instruction blocks in flight so that the given instruction block is re-executed on the first processor core without re-fetching the given instruction block.

Abstract: A persistent caching system is provided. The persistent caching system includes a storage system having a caching server for storing data, and a client for accessing the data through a network. The caching server is configured to store the data in a number of virtual memory blocks. The virtual memory blocks refer to an associated memory-mapped file in a file system of the caching server. The caching server is configured to export addresses of the virtual memory blocks to the client. The client is configured to access at least some of the virtual memory blocks through RDMA using the exported addresses. The caching server is configured to page virtual memory blocks being accessed by one or more clients through RDMA to and/or from the memory-mapped files associated with the accessed virtual memory blocks.

Abstract: A storage manager that interoperates with a file manager application that integrates with virtualization substantially enables end-user control and storage management of virtual machines (VMs). The storage manager may manage information management operations relative to virtual machines based on and/or in response to messages and/or instructions received from the file manager application. The storage manager may further report results to the file manager application for presentation to the user.

Abstract: A computer-implemented method, carried out by one or more processors, for policy based virtual resource allocation. In an embodiment, the method includes identifying a number of host resources specified by host resource requirements for a first resource consumer. The method determines if the host resource requirements include a list of host resource pools for the first resource consumer. Responsive to determining that the host resource requirements include the list of host resource pools for the first resource consumer, a first set of eligible host resource pools is identified. An allocation policy may be identified, where the allocation policy includes one or more parameters for allocating host resources. Host resources from the first set of eligible host resource pools are allocated based on the allocation policy.