Abstract: A system may include a service deployment system configured to receive user indicators, map the user indicators to a plurality of services, determine an order of deployment associated with the plurality of services, and determine deployment locations associated with the plurality of services. The service deployment system may be configured to generate a plurality of actions, responsive to the plurality of services, the order of deployment, and the deployment locations.

Abstract: Methods, systems, and computer readable media are disclosed for creating a multi-port client server connection in a remote desktop environment. In an embodiment, the multi-client server connection can decouple client-server connection and client-server input from graphics delivery from the server to the client. Such embodiment provides higher server performance and enables dynamic server resource management. The multi-client server connection can be implemented in a virtual environment or between physical machines where one set of physical machines receives the graphics requests from the client and another set of physical machines generates and transmits display data to the client.

Abstract: Various embodiments are generally directed to techniques of creating or managing one or more virtual services using at least one application programming interface (API). At a plugin layer, a plugin integrator programmatically interfaces with and integrates one or more virtualization tools. The plugin integrator may be programmatically interfaced with the at least one API. At least one proxy agent may be used to run or consumer the one or more virtual services. The at least one API and the at least one proxy agent may be implemented in an abstraction layer.

Abstract: A provider network implements a proxy to control access to web-based resources of a provider network. The proxy receives requests to access web-based services. The proxy allows access to a web-based service only if user-configured access control rules are satisfied and credentials associated with the web-based service are authenticated. The proxy prevents access to a web-based service if user-configured access control rules are not satisfied or credentials associated with the web-based service are not authenticated. The provider network may also implement a proxy configuration service to set up and launch the proxy. The proxy configuration service receives from the client a specification of the access control rules, configures the proxy based on the access control rules, and launches the proxy.

Abstract: Systems for storage system rollover and rollback. A data mover agent is installed on a source storage system to capture disaster recovery data and send to a target system. Upon receiving a rollover event signal, a virtualized controller creates one or more replica user virtual machines running on the target system that serve to replicate functions of the user virtual machines from the source storage system. The virtualized controller on the target system converts the target disaster recovery data from a first format to a second format to facilitate use of the target disaster recovery data by the replica user virtual machines. Rollback is initiated when the target system receives a rollback event signal. Differences in the data that have occurred between the rollover event and the rollback signal are calculated and sent to the rollback system. The calculated differences are applied to a registered snapshot on the rollback system.

Abstract: Aspects of bundle administration and management are described. The use of bundles, as described herein, may be relied upon to assist users with the installation of applications associated with artifacts. In one embodiment, a bundle includes both a manifest and an artifact. A computing device may open the bundle and parse the manifest to identify an application for the artifact. The computing device may evaluate a status of a qualification to the application and, if the status meets the qualification, then install the application. Thus, with the combination of the manifest and the artifact in the bundle, it is not necessary that a user search for and identify an application associated with the artifact (e.g., a data or content file), because the computing device may reference the manifest to ascertain the application and, based upon one or more qualifications, for example, install the application automatically for the user.

Abstract: The disclosed technology is generally directed to virtualization technology. The disclosed technology includes providing processor feature ID information requested by, or from, a virtual machine (VM), virtualized application, Virtualization Based Security (VBS) user mode process, VBS kernel mode process, or other guest partition, by a processor. Such information may be provided based on information provided a priori to the processor, for example, by a supervisory partition, such as a hypervisor. The disclosed technology also includes a supervisory partition, for example, that provides such information to the processor, and includes guest partitions that receive such information.

Abstract: A method to allocate storage includes assigning a quota on space from a storage reservation pool, allocating an epoch specific storage space to a virtual disk, creating a memory map for the virtual disk to track used space. For every write to the virtual disk during an epoch, the method includes updating the memory map, determining if the used space is greater than a threshold of the epoch specific storage space based on the memory map. When the used space is greater than the threshold, the method includes predicting additional space for future writes to the virtual disk in the epoch, determining if the additional space is available from the storage reservation pool, and, when the additional space is available, increasing the epoch specific storage and proceeding with the write to the virtual disk.

Abstract: Disclosed aspects relate to compliance configuration management for asset migration on a shared pool of configurable computing resources having a set of compute nodes. A migration request to migrate an asset coupled with a first compliance configuration from a source compute node to a target compute node may be detected. The first compliance configuration coupled with the asset on the source compute node may be compared with an expected compliance configuration for the target compute node. Based on and in response to the comparing, a mismatch of the first compliance configuration with respect to the expected compliance configuration may be determined. A set of response actions may be performed with respect to the migration request.

Abstract: Aspects of updating or upgrading a management system for a virtualized computing environment are described. In some aspects, a virtualization management system that manages a virtualized computing environment can be upgraded or updated with limited downtime of the system by deploying a new instance of the system and subsequently assigning a network address of the previous instance to the new instance once it is deployed in the environment.

Abstract: Composite virtual machine templates may be used in the deployment of virtual machines into virtualized computing environments. A composite virtual machine template may define a plurality of deployment attributes for use in a virtual machine deployment, and at least some of these deployment attributes may be determined through references to other virtual machine templates and included in the composite virtual machine template.

Abstract: Some examples relate generally to computer architecture software data classification and information security and, in some more particular aspects, to verifying information or events in a file system using spatial data.

Abstract: A system includes a load balancer and storage including a first data structure and a second data structure. Each of the data structures includes a plurality of different weight levels. At least one of the weight levels of the first data structure includes an identifier of a target. At least one of the weight levels of the second data structure includes a map that associates a target identifier with a final weight value. Responsive to receipt of a request and responsive to a target identifier included at a given weight level in the first data structure corresponding to a pointer, the load balancer selects the target identified in the first data structure at the given weight level. Responsive to no target identifiers included at the given weight level in the first data structure, the load balancer selects a target identified in the second data structure at the given weight level. The load balancer forwards the request to the selected target.

Abstract: A multi-phase boot operation of a virtualization manager at a virtualization host is initiated at an offload card. In a first phase of the boot, a security key stored in a tamper-resistant location of the offload card is used. In a second phase, firmware programs are measured using a security module, and a first version of a virtualization coordinator is instantiated at the offload card. The first version of the virtualization coordinator obtains a different version of the virtualization coordinator and launches the different version at the offload card. Other components of the virtualization manager (such as various hypervisor components that do not run at the offload card) are launched by the different version of the virtualization controller.

Abstract: Peripheral device access support in a distributed computing resource cluster is described. In one example, an application can be supported in a container on a virtual machine in a distributed computing resource cluster. A need or requisite of the container for access to a peripheral device is identified. A device profile is created for the container and associated with the isolation environment. The device profile can be relied upon to check and confirm the compliance of one or peripheral devices on various host machines in the resource cluster. First, one or more host machines having access to the peripheral device are identified in the resource cluster. Then, a check for compliance of the peripheral device on one or more of the host machines is performed based on the device profile. The container is instantiated for the application on one of the host machines based on the check for compliance.

Abstract: An electronic device and a control method therefor are disclosed. An electronic device according to the present invention comprises: a communication unit for performing data communication with at least one peripheral device; an output unit for outputting virtual environment content; and a control unit for controlling the output unit so as to play the virtual environment content according to a user command, determining the peripheral device, which can provide a function corresponding to a virtual effect, among peripheral devices of which there is at least one, on the basis of information on the virtual effect provided from the virtual environment content, and controlling the communication unit so as to transmit a control signal, which corresponds to the virtual effect, to the determined peripheral device.

Abstract: A method for monitoring several data compute nodes (DCNs) on a group of managed host machines is provided. The method receives service usage data from a group of managed hosts. The service usage data identifies service usage for each of a plurality of entities associated with each managed host. The method aggregates the received service usage data. The method displays the aggregated service usage data.

Abstract: A system for providing low-latency compute capacity is provided. The system may be configured to route incoming code execution requests based on user indications to use specific containers running on a plurality of virtual machine instances. The system may be configured to process a code execution request, identify, based on the user indication that a specific container previously used to handle a request of similar type is to be used for handling the code execution request, and cause the code execution request to be handled using the specific container.

Abstract: A system for providing access to remotely hosted applications obtains information indicative of the resolution of a client desktop and an arrangement of windows on the client desktop. A host of the applications is made to conform its desktop resolution and arrangement of windows to that of the client desktop, such that the occluded window portions correspond between the client and host. Visible content of the hosted application windows is tracked and streamed to the client.

Abstract: Device security across multiple operating system modalities may include allocating, by a hypervisor, to a first virtual machine comprising a first operating system of a first modality, based on the first modality, a first one or more access privileges to one or more resources; and allocating, by the hypervisor, to a second virtual machine comprising a second operating system of a second modality, based on the second modality, a second one or more access privileges to the one or more resources.

Abstract: Some embodiments provide a method for a network controller that manages multiple managed forwarding elements (MFEs) that implement multiple logical networks. The method stores (i) a first data structure including an entry for each logical entity in a desired state of the multiple logical networks and (ii) a second data structure including an entry for each logical entity referred to by an update for at least one MFE. Upon receiving updates specifying modifications to the logical entities, the method adds separate updates to separate queues for the MFEs that require the update. The separate updates reference the logical entity entries in the second data structure. When the second data structure reaches a threshold size in comparison to the first data structure, the method compacts the updates in at least one of the queues so that each queue has no more than one update referencing a particular logical entity entry.

Abstract: A computer device may include a memory storing instructions and processor configured to execute the instructions to maintain a repository of network function devices in a network; obtain a transport network key performance indicator (KPI) for a particular network function device in the network; and generate an administration weight based on the obtained transport network KPI, wherein the administration weight corresponds to a measure of performance associated with the particular network function device. The processor may be further configured to receive, from a requesting network function device, a network function discovery request for a network function type associated with the particular network function device; and provide a network function discovery answer to the requesting network function device, wherein the network function discovery answer includes the generated administration weight for the particular network function device.

Abstract: Methods, systems, and apparatus, including computer programs encoded on computer storage media, for implementing blockchain contracts are provided. One of the methods includes: obtaining bytecode of a blockchain contract, wherein the bytecode comprises an indicator indicating a type of the blockchain contract; determining a virtual machine corresponding to the type based at least on the indicator; and triggering the determined virtual machine to execute the blockchain contract.

Abstract: A system and method for providing a unified file system on an air-gapped endpoint are provided. The method included monitoring a plurality of security zones, instantiated on the air-gapped endpoint, to intercept at least one file system operation to access files on a first security zone; determining if the detected file system operation triggers a display of the file system dialog window effecting a second security zone; and when the file system dialog window effecting the second security zone, blocking the display of the file system dialog window in the first security zone; and displaying the file system dialog window in the second security zone.

Abstract: Disclosed are systems and methods for debugging program code using a computing system. The disclosed method includes designating a control point in a software application subject to a debugging procedure, and then executing the program code for the software application as a guest application executing within a virtual machine. Upon detection of a virtualization event, the hardware processor transfers program control to a hypervisor which then determines whether the virtualization event corresponds to the designated control point based on an execution state of the guest application. If so, the virtualization event handler may generate a debugging event that is used by a debugger.

Abstract: Adding a computing node to a distributed computing system. A method includes executing a binary, for nodes of the distributed computing system, at the computing node. A public node is identified as a result of executing the binary. Various characteristics of the computing node are identified as a result of executing the binary. The various characteristics are provided to the public node. The computing node receives from the public node a registration confirmation packet comprising information identifying a category from among a plurality of categories of the distributed computing system. The identified category is identified for the computing node based on the identified characteristics of the computing node, and based on the health of the identified category. The computing node is connected to the distributed computing system by the computing node connecting to the identified category.

Abstract: In one example embodiment, a server generates a candidate instantiation of virtual applications among a plurality of hosts in a data center to support a multicast stream. The server provides, to a first set of agents corresponding to a first set of the plurality of hosts, a command to initiate a test multicast stream. The server provides, to a second set of agents corresponding to a second set of the plurality of hosts, a command to join the test multicast stream. The server obtains, from the second set of agents, a message indicating whether the second set of agents received the test multicast stream. If the message indicates that the second set of agents received the test multicast stream, the server causes the virtual applications to be instantiated in accordance with the candidate instantiation of the virtual applications.

Abstract: A packet processing method in a computing system is disclosed. The computing system comprises a host, wherein at least one network interface card is connected to the host. The network interface card includes switching equipment and at least two network ports. A first network port is corresponding to at least one physical function PF and multiple virtual functions VFs. At least one VF of the first network port is provided for a first virtual machine on the host in a passthrough manner. The first virtual machine sends a data packet from the VF that is connected to the first virtual machine. Switching equipment of the first network port forwards the data packet according to a destination MAC address of the data packet, and sends the data packet to a virtual bridge on VMM of the host. The VMM provides abundant network function processing for the data packet.

Abstract: Standard nested virtualization allows a hypervisor to run other hypervisors as guests, i.e. a level-0 (L0) hypervisor can run multiple level-1 (L1) hypervisors, each of which can run multiple level-2 (L2) virtual machines (VMs), with each L2 VM is restricted to run on only one L1 hypervisor. Span provides a Multi-hypervisor VM in which a single VM can simultaneously run on multiple hypervisors, which permits a VM to benefit from different services provided by multiple hypervisors that co-exist on a single physical machine. Span allows (a) the memory footprint of the VM to be shared across two hypervisors, and (b) the responsibility for CPU and I/O scheduling to be distributed among the two hypervisors. Span VMs can achieve performance comparable to traditional (single-hypervisor) nested VMs for common benchmarks.

Abstract: A system and method for facilitating communication between one or more of a plurality of user virtual machines and external devices is disclosed. The system includes a plurality of uplink bridges configured to facilitate communication between the plurality of user virtual machines and the external devices, a plurality of local bridges, with each of the plurality of user virtual machines being connected to one or more of the plurality of local bridges, and a first multiplexing bridge connected to the plurality of local bridges. The first multiplexing bridge is configured to direct data between the plurality of user virtual machines and the plurality of uplink bridges. The system also includes a second multiplexing bridge connected to the first multiplexing bridge and the plurality of uplink bridges. The second multiplexing bridge is configured to direct the data between the first multiplexing bridge and the plurality of uplink bridges.

Abstract: Provided are semiconductor devices. A semiconductor device includes a processor which provides a virtualization function for a physical device to a first guest operating system and a second guest operating system; and an SFR (Special Function Register) which is electrically connected to the processor, and includes a first region allocated to the first guest operating system and a second region allocated to the second guest operating system, wherein information on a first data access request provided from the first guest operating system is stored in the first region, and information on a second data access request provided from the second guest operating system is stored in the second region, and the processor generates a first interrupt and a second interrupt designated to the first guest operating system and the second guest operating system, respectively, in response to the first data access request and the second data access request.

Abstract: A method and system determines discrete policy target groups for information objects stored in an enterprise IT system. The method and system provide cleansed information about information objects stored on the enterprise IT system. Criteria for sorting the information objects is determined. Initial sorting of the information objects is carried out, resulting in an initial set of clusters. The information objects are clustered into discrete policy target groups based on the information about the information objects and the initial set of clusters, and human-understandable names and definite descriptions for policy target groups are computed.

Abstract: When a virtualized service platform encounters a catastrophic fault, an orchestrator may instantiate new virtual machines instances to deploy additional capacity in other cloud locations to handle failover storms. After the network fault is fixed and service returns to normal condition, these additional VM instances may be removed from the platform and cloud resources may be released. The system may minimize the resource over-provisioning and may continue to support geographical redundancy or dynamic scaling in a large-scale service network.

Abstract: Techniques to utilize excess resources in a cloud system, such as by enabling an auxiliary resource utilizer to use resources while they are not needed to support primary resource utilizers, are described herein. Some embodiments are directed to identifying and allocating excess capacity of resources in a cloud system to auxiliary resource utilizers based on one or more policies. In various embodiments, excess resources in one or more of the set of resources in the cloud system, or cloud resources, may be determined based on monitoring utilization of the cloud resources by the primary resource utilizers. In many embodiments, an auxiliary resource utilizer that is in compliance with a set of utilization policies may be identified and the excess resources may be allocated to the auxiliary resource utilizer.

Abstract: In general, in one aspect, the invention relates to a method for managing pool device resources, the method including obtaining, by a distribution manager, a resource use request from a user application, wherein the user application and the distribution manager are operating on a pool device, identifying a peripheral component interconnect (PCI) bus device, wherein the PCI bus device is located on a second pool device and connected to a pool device resource on the second pool device, and initiating access to the PCI bus device using a virtual switch operating on the pool device.

Abstract: In one example, a method may include obtaining, by a computing device, a high-level topology description for a virtual computing environment to be provisioned in a plurality of computing infrastructures. Each of the computing infrastructures may be implemented using a different computing architecture and deployed by a different provider. The example method may further include transforming, by a rules engine executing on the computing device, the high-level topology description to respective templates for the computing infrastructures that each describes a topology for a virtual computing environment in a format that conforms to a schema that can be processed by a corresponding one of the computing infrastructures to implement the virtual computing environment in the corresponding one of the computing infrastructures, and outputting the templates for configuring the computing infrastructures.

Abstract: Implementations of the disclosure provide for secret keys management in a virtualized data-center. In one implementation, a system is provided. The system comprises a memory to store secret key data and a processing device coupled to the memory. The processing device is to identify authentication information provided by a user, the authentication information comprising access information associated with a data storage domain, receive a secret key to access the data storage domain in view of the authentication information, wherein the secret key comprises a universally unique identifier (UUID), and register the secret key, wherein to register the secret key, the processing device to store a data structure in volatile memory indicating an association between the UUID of the secret key and the hypervisor.

Abstract: A system can collect, from an address resolution protocol (“ARP”) cache of a managed virtual network function (“VNF”), at least one active entry corresponding to at least one active element of a plurality of virtual local area network (“VLAN”) networks. The system can check the ARP cache for an entry associated with at least one of the plurality of VLAN elements. The system can determine whether an entry associated with at least one of the plurality of VLAN elements was found. In response to determining that an entry associated with at least one of the plurality of VLAN elements was not found, the system can send an ARP request to the plurality of VLAN elements, wait for an ARP response, and, in response to determining that an ARP response has not been received, generate a notification that VLAN connectivity has been lost.

Abstract: Aspects of the present invention provide devices that determine a load for each tenant of a plurality of tenants running applications on a shared computer server for a predetermined interval of time, wherein the computer server includes a plurality of computer processor cores, compute a capacity for each tenant of the plurality of tenants which includes a difference between the load and a service level agreement for each tenant, determine computer processor cores corresponding to the capacity of a largest capacity tenant, wherein the processors cores include a subset of the plurality of computer processor cores for the shared computer server, pin the subset of computer processor cores to perform garbage collection for one or more tenants, and invoke the garbage collection using the pinned subset of computer processor cores which deallocates no longer used memory in a corresponding heap for the one or more tenants.

Abstract: Aspects of the subject disclosure may include, for example, generating a instruction set according to a data analytics collection strategy and identifying first and second network devices adapted to perform first and second types of network functions, respectively, within a communications network, wherein the first and second types of network functions are different. First and second collectors are instantiated in association with the first and second network devices, respectively, and the instruction set is provided to each of the first and second collectors. The first and second collectors are adapted to autonomously execute first and second segments of the instruction set according to the first and second types of network function to obtain first and second collection results, respectively, wherein network analytic functions are adapted to process the first and second collection results. Other embodiments are disclosed.

Abstract: Techniques for dynamic selection and generation of detonation location of suspicious content with a honey network are disclosed. In some embodiments, a system for dynamic selection and generation of detonation location of suspicious content with a honey network includes a virtual machine (VM) instance manager that manages a plurality of virtual clones executed in an instrumented VM environment, in which the plurality of virtual clones executed in the instrumented VM environment correspond to the honey network that emulates a plurality of devices in an enterprise network; and an intelligent malware detonator that detonates a malware sample in at least one of the plurality of virtual clones executed in the instrumented VM environment.

Abstract: A system and related method provides within a data processing system (DPS), a first set of computing resources comprising a set of processor units that comprises a first core in an active state, and a second core that is initially in an inactive state. The processor allocates, for a partition that is hosted on the DPS, the first set of computing resources. The partition is operated using the first core before the second core has been activated. A resource manager determines whether to increase processing capacity based on an abnormal event. The processor then activates the second core from the inactive state to the active state. The partition is then operated using both the first and second (activated). In response to a predefined criterion, the second core is deactivated from the active state to the inactive state.

Abstract: Systems and methods for analyzing a customer deployment in a converged or hyper-converged infrastructure are disclosed. A machine learning model is trained based upon historical usage data of other customer deployments. A k-means clustering is performed to generate a prediction as to whether a deployment is configured for optimal failover. Recommendations to improve failover performance can also be generated.

Abstract: This application discloses a virtual machine hot migration method performed by a virtual machine hot migration apparatus to a cloud computing system including a plurality of hosts, each host including a plurality of virtual machines. The apparatus obtains a load of each host, determines a host whose load exceeds a preset threshold as a source host, determines a to-be-hot-migrated target virtual machine in the source host; and controls the target virtual machine to be hot-migrated from the source host to a target host. According to the solutions provided in the embodiments of this application, when a load of a host is excessively high, a redundantly configured virtual machine on the host is hot-migrated to another host, thereby improving the resource utilization rate of the host when use by a user is ensured.

Abstract: In an embodiment, a method includes receiving, at a data processing system, a packet from a first component in a first remote network in an overlay network. In an embodiment, a method includes determining whether a largesend option is supported on a set of paths between the first component and a second component, the second component in a second remote network in the overlay network. In an embodiment, a method includes sending, responsive to determining a largesend option is supported on a subset of the set of paths, a packet on the subset of the set of paths.

Abstract: A system for testing changes to a website includes a hypervisor that instantiates a first virtual machine, from a first snapshot stored in a repository, as a first environment node in a test environment. The hypervisor applies scripts to configure the first virtual machine to test a first proposed webpage of the website. If the test is successful, then a second snapshot of the first virtual machine as configured is stored in the repository. The hypervisor may then instantiate a second virtual machine from the second snapshot, and configure the second virtual machine to test a second webpage of the website.

Abstract: Container image building using dependency container images. First dependency information that identifies a first set of dependencies necessary to generate a first application container image is accessed. A dependency container image index that identifies dependencies contained in one or more dependency container images is accessed. A first dependency container image of the one or more dependency container images is selected based on the dependency container image index and the first dependency information. The first dependency container image lacks at least one dependency identified in the first set of dependencies. A new dependency container image is generated using the first dependency container image and the at least one dependency. A new entry is stored in the dependency container image index that identifies the new dependency container image and each dependency contained in the new dependency container image.

Abstract: The disclosure provides an approach for mounting a virtual disk to a virtual computing instance (VCI). The method comprises obtaining a set of required applications for each VCI in a set of VCIs. The method comprises obtaining constraints of each VCI in the set of VCIs. The method further comprises determining pair-wise application overlap between each pair of VCIs of the set of VCI, wherein the overlap complies with constraints of the two VCIs for which the overlap is determined. The method also comprises placing applications of at least one of the application overlaps into a virtual disk file, associating the virtual disk with the virtual disk file, and mounting the virtual disk to a first VCI of the set of VCIs.

Abstract: Techniques for providing an improved user interface in which a computer system usage type is configured are disclosed. In some embodiments, a computer-implemented method comprises: displaying a first plurality of selectable UI elements indicating distinct system types based on a request to create a new computer system; receiving a first user selection of one of the first plurality of selectable UI elements; displaying a second plurality of selectable UI elements indicating distinct system usage types in response to a determination that the distinct system type indicated by the first user selection comprises a predetermined system type; receiving a second user selection of one of the second plurality of UI elements; creating the new computer system; and storing the distinct system usage type indicated by the second user selection in association with the new computer system in a database.

Abstract: An approach for accessing one or more resources at a virtualized desktop infrastructure (VDI) client running on a client device by a remote virtual machine (VM) is provided. The method includes intercepting, via a VDI agent, a request to access one or more resources at the client device, transferring the request from the remote VM to the client device via a network redirector protocol, and filtering the request to determine if the request complies with one or more rules. For a first resource of the one or more resources, if the request does not comply with any one of one or more first rules of the one or more rules, access to the first resource is denied. If the request complies with the one or more first rules, access to the first resource is granted and a response is sent to the VDI agent via the network redirector protocol.