Abstract: A method, system, and computer program product implement a three-factor authorization in a trusted computing environment. The method includes triggering, by a hypervisor, a start of a secure guest by passing control regarding an image of the secure guest and metadata of the secure guest to a trusted firmware, where the secure guest is designed to access a hardware security module (HSM). Upon a successful integrity check of the metadata of the secure guest by the trusted firmware, the secure guest is started using the hypervisor and any sensitive request from the secure guest to the HSM is blocked. The secure guest submits a request with a request structure including a third authorization secret and a characterization of a requested HSM to the trusted firmware. The method also includes binding each HSM protected key generated in the requested HSM in response to the request to the third authorization secret.

Abstract: A system and method for deploying virtual machines in a server farm based on capacity needs of the server farm includes receiving a request to deploy a new virtual machine (VM) in the server farm; determining that a cluster configuration property associated with the new VM specifies one or more parameters for the new VM; upon determining that the cluster configuration property associated with the new VM specifies one or more parameters for the new VM, retrieving at least one of a custom SKU parameter information or custom capacity parameter information for the new VM; and deploying the new VM to the server farm with at least one of the custom SKU parameter or custom capacity parameter.

Abstract: Systems and methods of managing PNF connectivity are provided. A NM determines to add to or remove external connectivity from a PNF and transmits a NS update request to a NFVO that contains an identifier of the NS instance to be updated, an indication of a type of update operation requested, and information of the PNF connectivity to be changed. A NS update response contains a lifecycle operation occurrence identifier identifying a NS lifecycle operation occurrence. Separate NS lifecycle change notification from the NFVO indicate that a NS update to change the connectivity of the PNF has started and a result of the change. The notifications include the lifecycle operation occurrence identifier.

Abstract: A system and method for detecting potential lateral movement using cloud keys in a cloud computing environment includes determining a first node in a security graph is a compromised node, wherein the security graph represents cloud entities of the cloud computing environment; detecting a cloud key node connected to the first node, wherein the cloud key node represents a cloud key of the cloud computing environment; and generating a potential lateral movement path, including the first node, and a second node, wherein the second node is connected to the cloud key node.

Abstract: Systems and methods for automatically configuring a firewall are described. Systems and methods include receiving one or more flows, automatically detecting elements of a computing environment, automatically generating a firewall configuration based on the detected elements of the computing environment and the received one or more flows, and automatically configuring a firewall within the computing environment with the firewall configuration.

Abstract: A system and related method reduce public cloud provisioning latencies using one or more processors. The method comprises, prior to receiving a volume provisioning request from a user, creating a pool of pre-provisioned generic volumes. The method further comprises receiving the request from the user to provision a volume from the pool, and then determining that a pre-provisioned generic volume is available for customization based on the request. Responsive to the determination, the method executes the actions comprising customizing the pre-provisioned generic volume based on the request, creating a custom volume, and providing the customized pre-provisioned volume to the user.

Abstract: The present disclosure provides a scalable, standardized IT deployment environment that allows for deployment to any public or private cloud automatically, and that is resizable such that the individual resources can be released (“turned off”) when not needed and powered on when use is expected. Additionally, the present disclosure provides a cost calculation system for better understanding the costs of the IT environment as early as the pre-provisioning stage. The present disclosure also provides a system for proactively testing productivity and efficiency within the IT environment, the results of which can be fed back into the autoscaling mechanism.

Abstract: Embodiments relate to systems and methods for a self-moving operating system installation in cloud-based network. A host cloud in which a guest operating system operates can be identified by a processor. A set of applications in a host cloud can be instantiated, where each of the set of applications is operated using the guest operating system. Information related to an operation of a first application of the set of applications can be received from the host cloud. The processor can update data related to the operation of the guest operating system using the received information.

Abstract: Methods, systems, and computer program products for direct assignment of physical devices to confidential virtual machines (VMs). At a first guest privilege context of a guest partition, a direct assignment of a physical device associated with a host computer system to the guest partition is identified. The guest partition includes the first guest privilege context and a second guest privilege context, which is restricted from accessing memory associated with the first guest privilege context. The guest partition corresponds to a confidential VM, such that a memory region associated with the guest partition is inaccessible to a host operating system. It is determined, based on a policy, that the physical device is allowed to be directly assigned to the guest partition. Communication between the physical device and the second guest privilege context is permitted, such as by exposing the physical device on a virtual bus and/or forwarding an interrupt.

Abstract: Direct access to host memory for guests is disclosed. For example, a system includes a processor, a host memory, a filesystem daemon, a guest including a storage controller, and a filesystem queue accessible to the filesystem daemon and the storage controller. The storage controller receives a file retrieval request associated with a file stored in the host memory and forwards the file retrieval request to the filesystem daemon by adding the file retrieval request to the filesystem queue. The filesystem daemon retrieves the file retrieval request from the filesystem queue, determines a host memory address (HMA) associated with the file, and causes the HMA to be mapped to a guest memory address (GMA). The guest accesses the file in the host memory with the GMA, and later terminates access to the file, where the filesystem daemon is then configured cause the GMA to be unmapped.

Abstract: Methods, apparatus, systems, and articles of manufacture are disclosed to generate code as a plug-in in a cloud computing environment. An example system includes at least one memory, programmable circuitry, and machine readable instructions to program the programmable circuitry to introspect code in a library to obtain introspection data, the library corresponding to a resource that is to be deployed in a cloud infrastructure environment, generate a model based on the introspection data, the model to be a representation of the resource, cross-reference the model with a resource meta-model, the resource meta-model to map characteristics of the resource represented by the model to an actual state of the resource, and generate a plug-in based on the cross-referenced model.

Abstract: An electronic apparatus is configured to generate current capability parameters associated with a software object executing on the electronic apparatus. The current capability parameters include an indication of resources required to execute the software object. The electronic apparatus determines whether the resources required to execute the software object are approaching a limit. The determination may be made by comparison to a threshold value. If the resources required to execute the software object are approaching the limit, then the electronic apparatus identifies a suitable target host based on the current capability parameters and initiates a migration of the software object to the suitable target.

Abstract: In various embodiments, a process for determining metrics including resource expenditures of a digital service includes discovering a plurality of configuration items of a computing infrastructure. The process includes identifying a subset of the plurality of configuration items utilized to provide a digital service, obtaining a plurality of resource expenditures respectively associated with at least a portion of the plurality of configuration items, and associating a subset of the plurality of resource expenditures with the subset of the plurality of configuration items. The process includes aggregating the subset of the plurality of resource expenditures to generate a metric of the digital service.

Abstract: A method for migrating a virtualised function from a first server to a second server depending on data of technical environment parameters. The interfaces specified in the virtualised architectures effectively make it possible to deploy and manage virtualised functions with a view to implementing a service but these interfaces do not contain information relating to the data relating to the technical environment upon which the servers, the virtualised functions and subsequently the services and applications that rely on the virtualised functions are dependent. The migration method proposes virtualised architectures that take into consideration the technical environment parameters in order to move virtualised functions whose functioning could be impacted by a malfunction of one or more technical environment parameter(s).

Abstract: A method includes training a recurrent neural network by monitoring data in a memory of a first server as the first server executes jobs and by determining an amount of computing resources used by the first server while executing the jobs and applying the recurrent neural network to data in the memory to predict an amount of computing resources that the first server will use when executing a first future job. The method also includes, in response to determining that execution of the first future job did not meet a performance criterion, making a change to the first server. The method further includes further training the recurrent neural network using a reinforcement learning technique, applying the recurrent neural network to determine that the change should be made to a second server, and in response, making the change to the second server before the second server executes a second future job.

Abstract: A method for allocating resources on an uplink between a user terminal and a base station of a radio communication network multiplexing the data in resource blocks is disclosed. Such a method implements a standard allocation mode associated with a standard transmission mode of transmission by the terminal; and a priority allocation mode associated with a priority mode of transmission by the terminal. The network favors the priority allocation mode and can allocate to the terminal, according to the priority allocation mode, at least one resource block previously allocated according to the standard allocation mode, introducing a situation of allocation collision. In such a situation, the network implements a temporary allocation mode to allocate at least one replacement resource block in the standard transmission mode, implementing a number of signalling portions containing information on resource allocation greater than that used in the standard allocation mode.

Abstract: In one aspect, an example methodology implementing the disclosed techniques includes receiving, by a systems management console, a network address of a device in a virtual environment, and determining a network address associated with a virtual environment management console based on the received network address of the device in the virtual environment. The method also includes sending, by the systems management console via a systems management agent to the virtual environment management console using the determined network address associated with the virtual environment management console, a request for network addresses of virtual machine (VM) host servers and VMs in the virtual environment. The method also includes receiving, by the systems management console via the systems management agent from the virtual environment management console, the network addresses of the VM host servers and the VMs in the virtual environment and providing a notification of the discovered VM host servers and VMs.

Abstract: Adapting automatic software update behavior for virtual desktop infrastructure deployed endpoints includes detecting a request for services of a threat management facility for an enterprise network that originates from a compute instance embodied as a virtual machine instantiated from a versioned software template, and updating software on the compute instance based on a determination of availability of updated software for the compute instance and an update pause parameter indicating that updating software for virtual machines instantiated from the versioned software template is permitted for the compute instance.

Abstract: A method for operating a microcontroller. The microcontroller includes a plurality of resources, a plurality of virtual machines being executed in the microcontroller, a coordination unit being superordinate to the plurality of virtual machines. Access information concerning accesses of the plurality of virtual machines to the plurality of resources is stored in the coordination unit. In the event that one of the virtual machines requests a reset of one of the resources, the coordination unit checks on the basis of the access information, which of the virtual machines are accessing this resource. The coordination unit determines on the basis of this check, whether the resource will be reset or whether a substitute measure will be taken.

Abstract: One or more embodiments provide techniques that permit virtual computing instances in isolated environments to communicate information outside the isolated environments without requiring networking. In one embodiment, an encoder which runs in a virtual machine (VM) within an isolated environment, such as one of the VMs of a packaged virtual machine application that does not have external network connectivity, is configured to encode information, such as state information of the packaged virtual machine application, in portion(s) of a network address. The encoder further configures an unconnected network interface of the same VM, or another VM in the isolated environment, with the network address that includes the encoded information. A decoder, which could not otherwise communicate with the virtual computing instance via any network, may then retrieve the network address assigned to the unconnected network interface and decode that network address to obtain the information encoded therein.

Abstract: A monitoring utility program into a software container in which a containerized virtual machine application is running. The monitoring utility program is to monitor the containerized virtual machine application running within the software container. Monitoring information regarding the containerized virtual machine application is periodically pulled from the monitoring utility program.

Abstract: Distributing dataset requests across service tiers including generating, by a workbook client, a dataset request for a dataset to populate a workbook for presentation on a client computing system, wherein data for the dataset is stored on a cloud-based data warehouse; determining, by the workbook client, a set of service tiers capable of servicing at least a portion of the dataset request, wherein the set of service tiers comprises the cloud-based data warehouse; selecting, by the workbook client from the set of service tiers, a combination of service tiers to service the dataset request based on at least one selection policy; and issuing, by the workbook client, the dataset request to the selected combination of service tiers.

Abstract: A method is provided that includes establishing, by an application server, a remote access session with a client device, and creating, by a file system agent running on the application server, a metadata-only virtual file system associated with the remote access session, wherein the virtual file system only comprises file metadata associated with a plurality of files residing in a local file system of the client device. The method further includes responsive to receiving, by the virtual file system, a request to access content of a file referenced by the virtual file system, redirecting the request to a file system driver implementing at least a sub-tree of the local file system of the client device.

Abstract: Techniques for detecting anomalies in a distributed application based on process data are provided. This process data can include, e.g., the hierarchy (i.e., tree) of processes created and run by the application, the file system operations performed by each process, the network access operations performed by each process.

Abstract: A method performed by a cloud system includes, subsequent to the cloud system connecting to one of a cloud provider and a Software-as-a-Service (SaaS) application, scanning data stored therein for one or more users associated with a tenant of a plurality of tenants of the cloud system; detecting an incident in the data during the scanning; maintaining details of the incident in an in-memory data store; and providing a notification to the tenant of the incident.

Abstract: In some aspects, an apparatus includes a processor and a memory. In some embodiments, the memory includes programmed instructions that, when executed by the processor, cause the apparatus to intercept an I/O transaction between a virtual machine and an I/O device, determine whether data in the I/O transaction indicates a security misconfiguration, and perform a remedial action in response to identifying the security misconfiguration.

Abstract: Computing apparatus includes a host computer, including multiple non-uniform memory access (NUMA) nodes, including at least first and second NUMA nodes, which include first and second local memories and first and second host bus interfaces for connection to first and second peripheral component buses, respectively. A network interface controller (NIC) is to receive a definition of a memory region extending over respective first and second parts of the first and second local memories and to receive a memory mapping with respect to the memory region that is applicable to both the first and second local memories, and to apply the memory mapping in writing data to the memory region via first and second NIC bus interfaces in a sequence of direct memory access (DMA) transactions to the respective first and second parts of the first and second local memories in response to packets received through a network port.

Abstract: A device for managing communication via interfaces in a virtualized system in which a plurality of virtual machines shares a hardware platform which is virtualized with the aid of a hypervisor, and interfaces assigned to the hardware platform access to the interfaces taking place with the aid of a gateway implemented in hardware. A method for operating the device is also described.

Abstract: A system may include a memory and a processor in communication with the memory. The processor may be configured to perform operations. The operations may include calculating a priority factor with a node autonomous center in a node and computing a node service capability with the node autonomous center. The operations may further include selecting, with the node autonomous center, a task based on the priority factor and the node service capability. The operations may further include directing the task to the node.

Abstract: Technologies for dynamic accelerator selection include a compute sled. The compute sled includes a network interface controller to communicate with a remote accelerator of an accelerator sled over a network, where the network interface controller includes a local accelerator and a compute engine. The compute engine is to obtain network telemetry data indicative of a level of bandwidth saturation of the network. The compute engine is also to determine whether to accelerate a function managed by the compute sled. The compute engine is further to determine, in response to a determination to accelerate the function, whether to offload the function to the remote accelerator of the accelerator sled based on the telemetry data. Also the compute engine is to assign, in response a determination not to offload the function to the remote accelerator, the function to the local accelerator of the network interface controller.

Abstract: Techniques for expanded trusted domains are disclosed. In the illustrative embodiment, a trusted domain can be established that includes hardware components from a processor as well as an off-load device. The off-load device may provide compute resources for the trusted domain. The trusted domain can be expanded and contracted on-demand, allowing for a flexible approach to creating and using trusted domains.

Abstract: Implementations describe a computing system that implements a plurality of virtual machines inside a trust domain (TD), enabled via a secure arbitration mode (SEAM) of the processor. A processor includes one or more registers to store a SEAM range of memory, a TD key identifier of a TD private encryption key. The processor is capable of initializing a trust domain resource manager (TDRM) to manage the TD, and a virtual machine monitor within the TD to manage the plurality of virtual machines therein. The processor is further capable of exclusively associating a plurality of memory pages with the TD, wherein the plurality of memory pages associated with the TD is encrypted with a TD private encryption key inaccessible to the TDRM. The processor is further capable of using the SEAM range of memory, inaccessible to the TDRM, to provide isolation between the TDRM and the plurality of virtual machines.

Abstract: A computer comprising one or more processors and memory may implement multiple threads that perform a lock operation using a data structure comprising an allocation field and a grant field. Upon entry to a lock operation, a thread allocates a ticket by atomically copying a ticket value contained in the allocation field and incrementing the allocation field. The thread compares the allocated ticket to the grant field. If they are unequal, the thread determines a number of waiting threads. If the number is above the threshold, the thread enters a long term wait operation comprising determining a location for long term wait value and waiting on changes to that value. If the number is below the threshold or the long term wait operation is complete, the thread waits for the grant value to equal the ticket to indicate that the lock is allocated.

Abstract: Embodiments of the present disclosure relate to a method, system and computer program product for providing system services. In some embodiments, a method is disclosed. According to the method, from a user program in a user address space, a request for a system service is received via a program call instruction of a set of program call instructions in an application interface code library. Based on the program call instruction, a target authorized address space of a plurality of authorized address spaces and a target system service routine for providing the system service in the target authorized address space is determined. A result of running the target system service routine in the target authorized address space is returned to the user program as a response to the request.

Abstract: Techniques to utilize excess resources in a cloud system, such as by enabling an auxiliary resource utilizer to use resources while they are not needed to support primary resource utilizers, are described herein. Some embodiments are directed to identifying and allocating excess capacity of resources in a cloud system to auxiliary resource utilizers based on one or more policies. In various embodiments, excess resources in one or more of the set of resources in the cloud system, or cloud resources, may be determined based on monitoring utilization of the cloud resources by the primary resource utilizers. In many embodiments, an auxiliary resource utilizer that is in compliance with a set of utilization policies may be identified and the excess resources may be allocated to the auxiliary resource utilizer.

Abstract: Apparatus and method for migrating a container including graphics processor state.

Abstract: A method of provisioning a self-provisioning computer system is disclosed. The method includes executing code in a secure base activation image to perform various functions. This includes executing an identification process, using a cryptographically created identifier included in the base activation image, with an activation service to confirm an identity of the computer system with the activation service. This further includes confirming system integrity of the computer system with the activation service. Based on confirming the identity of the computer system and confirming system integrity of the computer system, The computer system is unlocked for load installation. Load installation is performed by providing capabilities for the computer system to the activation service and receiving the load based on the provided capabilities.

Abstract: This disclosure relates to a method of allocating a resource in a virtualized radio access network, wherein the virtualized radio access network includes a first virtual machine delivering a first service type and a second virtual machine delivering a second service type.

Abstract: A data center adapted to connect via a first wide area network to a core network connected with a base station and to a wireless LAN, variably controls service provided in a virtual core network of the data center to a terminal enabled to select connection to either a wireless LAN or a base station and connect to the data center.

Abstract: Disclosed are various embodiments for the controlling the amount of active updates that can occur during a given time on devices that are associated with tenants (e.g., organizations) and subtenants (e.g., sub-organizations) in a multi-tenant environment. In particular, each tenant and subtenant is assigned throttle corresponding to different update parameters (e.g., an amount of devices executing an active update, an amount of data to be downloaded during a campaign, a time for completing the update campaign, etc.). When an update campaign is established, the update campaign can define the different devices that are to be updated. In some situations, the number of active updates required may exceed the allotted resources for a given subtenant. When a subtenant requires additional resources than what is assigned to complete the update, the subtenant can borrow resources defined by the update parameters from a subtenant peer that has a surplus.

Abstract: A system and method for detecting potential lateral movement in a cloud computing environment includes detecting a private encryption key and a certificate, each of which further include a hash value of a respective public key, wherein the certificate is stored on a first resource deployed in the cloud computing environment; generating in a security graph: a private key node, a certificate node, and a resource node connected to the certificate node, wherein the security graph is a representation of the cloud computing environment; generating a connection in the security graph between the private key node and the certificate node, in response to determining a match between the hash values of the public key of the private key and the public key of the certificate; and determining that the first resource node is potentially compromised, in response to receiving an indication that an element of the public key is compromised.

Abstract: A method of adjusting a number of virtual machines in a data plane is provided. A number of virtual machines in the data plane each having a data plane proxy is provisioned. The virtual machines provide data routing for a first number of operational pods in a deployment plane associated with the data plane. A status of the deployment plane is monitored. The status reflects the deployment plane has a second number of operational pods different from the first number of operational pods. The first number of operational pods is compared to the second number of operational pods. Based on the comparison, the number of virtual machines in the data plane is adjusted.

Abstract: An example method of managing guest time for a virtual machine (VM) supported by a hypervisor of a virtualized host computer includes: configuring, by the hypervisor, a central processing unit (CPU) of the host computer to trap, to the hypervisor, access by guest code in the VM to a physical counter and timer of the CPU; configuring, by the hypervisor, the guest code in the VM to use the physical counter and timer of the CPU rather than a virtual counter and timer of the CPU; trapping, at the hypervisor, an access to the physical counter and timer by the guest code; and executing, by the hypervisor, the access to the physical counter and timer on behalf of the guest code while compensating for an adjustment of a system count of the physical counter and timer to maintain the guest time as scaled with respect to frequency of the physical counter and timer.

Abstract: A method includes receiving profile information for a network. The method also includes determining a network configuration based on at least a constraint associated with at least one of a network session or a hardware capacity of a hardware platform of the network and a number of sessions that the network configured based on the network configuration can support. The method also includes configuring the network based on the network configuration.

Abstract: A system and method for detecting potential lateral movement using cloud keys in a cloud computing environment includes determining a first node in a security graph is a compromised node, wherein the security graph represents cloud entities of the cloud computing environment; detecting a cloud key node connected to the first node, wherein the cloud key node represents a cloud key of the cloud computing environment; and generating a potential lateral movement path, including the first node, and a second node, wherein the second node is connected to the cloud key node.

Abstract: Techniques are disclosed pertaining to migrating a database between different storage clusters. A computer system identifies a current state of the database that is managed by a database application that enables a client application to access data of the database stored at a first storage cluster. The computer system copies first particular data of the database that is associated with the current state from the first storage cluster to a second storage cluster. After the copying, the computer system transitions the database application into a read-only mode in which it processes read but not write traffic. The computer system copies, from the first storage cluster to the second storage cluster, second particular data of the database that was generated by the database application during the copying of the first particular data. The computer system may also instantiate another instance of the database application in association with the second storage cluster.

Abstract: In accordance with an embodiment, described herein is a system and method for supporting partitions in a multitenant application server environment. In accordance with an embodiment, an application server administrator (e.g., a WLS administrator) can create or delete partitions; while a partition administrator can administer various aspects of a partition, for example create resource groups, deploy applications to a specific partition, and reference specific realms for a partition. Resource groups can be globally defined at the domain, or can be specific to a partition. Applications can be deployed to a resource group template at the domain level, or to a resource group scoped to a partition or scoped to the domain. The system can optionally associate one or more partitions with a tenant, for use by the tenant.

Abstract: An approach for protecting container image and runtime data from host access may be presented. Container systems have allowed for more efficient utilization of computing resources, removing the requirement of a hypervisor, and packaging all necessary dependencies within an application. Preventing host access to container image and runtime data can be advantageous for a multitude of reasons. The approach herein may include, flattening a plurality of root file system of a one or more container images into a single layer. The approach may also include generating a container base image for each of the one or more flattened root file system. The approach may include encrypting each of the generated container base images with the flattened root file system.

Abstract: To provide a low latency near RT RIC, some embodiments separate the RIC's functions into several different components that operate on different machines (e.g., execute on VMs or Pods) operating on the same host computer or different host computers. Some embodiments also provide high speed interfaces between these machines. Some or all of these interfaces operate in non-blocking, lockless manner in order to ensure that critical near RT RIC operations (e.g., datapath processes) are not delayed due to multiple requests causing one or more components to stall. In addition, each of these RIC components also has an internal architecture that is designed to operate in a non-blocking manner so that no one process of a component can block the operation of another process of the component. All of these low latency features allow the near RT RIC to serve as a high speed IO between the E2 nodes and the xApps.

Abstract: In some implementations, a cloud system may obtain data via a copy of an application executing in a first cloud deployment zone of the multiple cloud deployment zones, wherein the application has copies executing in respective cloud deployment zones of the multiple cloud deployment zones. The cloud system may store, in a database executing in the first cloud deployment zone, the data with a deployment zone identifier that indicates the first cloud deployment zone, where the multiple cloud deployment zones include respective databases of multiple databases including the database. The cloud system may perform, via a cloud resource in the first cloud deployment zone, an operation using the data based on the data including the deployment zone identifier that indicates the first cloud deployment zone and based on the cloud resource being in the first cloud deployment zone.