Some embodiments provide a novel method of deploying a secondary cluster of one or more service machines to a public secondary cloud to provide a service to supplement a primary cluster of service machines that provide the service in a primary cloud. The method receives a set of one or more user-defined criteria to use to deploy the secondary cluster in the public secondary cloud. After receiving the set of user-defined criteria, the method detects that the secondary cluster is needed to supplement the primary cluster. The method retrieves previously collected data about different public clouds that are candidates for the deployment of the secondary cluster. Based on the set of user-defined criteria, the method analyzes the previously collected data to select for the deployment a particular candidate public cloud as the public secondary cloud. Then, the method deploys the secondary cluster in the selected particular public cloud.
The disclosure herein describes deploying a Virtual Secure Enclave (VSE) using a universal enclave binary and a Trusted Runtime (TR). A universal enclave binary is generated that includes a set of binaries of Instruction Set Architectures (ISAs) associated with Trusted Execution Environment (TEE) hardware backends. A TEE hardware backend is identified in association with a VSE-compatible device. A VSE that is compatible with the identified TEE hardware backend is generated on the VSE-compatible device and an ISA binary that matches the TEE hardware backend is selected from the universal enclave binary. The selected binary is linked to a runtime library of the TR and loads the linked binary into memory of the generated VSE. The execution of a trusted application is initiated in the generated VSE using a set of interfaces of the TR. The trusted application depends on the TR interfaces rather than the selected ISA binary.
G06F 21/53 - Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity, buffer overflow or preventing unwanted data erasure by executing in a restricted environment, e.g. sandbox or secure virtual machine
G06F 21/54 - Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity, buffer overflow or preventing unwanted data erasure by adding security routines or objects to programs
Systems and methods are described for providing a graphical user interface (“GUI”) for migrating workloads in a system. The GUI can display the locations of edge devices in the system and workloads running on the edge devices. A user can drag a workload from one edge device to another in the GUI, and in response the system can schedule the workload to be migrated accordingly. Before the migration is performed, the GUI can calculate a change in computing resource usage at both edge devices. The GUI can display the usage data and prompt the user to confirm the migration. If the user confirms, the workload can be deployed at the target edge device and removed from the source edge device.
An example method of handling traffic for an existing connection of a virtual machine (VM) migrated from a source site to a destination site includes: receiving, at an edge server of the destination site, the traffic, the traffic being associated with a network flow; determining, by the edge server of the destination site, that a stateful service of the edge server does not have state for the network flow; sending, by the edge server of the destination site, a threshold number of packets of the traffic to a plurality of sites; receiving, at the edge server of the destination site, an acknowledgement from the source site that the source site has the state for the network flow; and creating, by the edge server of the destination site, a flow mapping to send the traffic associated with the network flow to the source site.
System and method for managing different classes of storage input/output (I/O) requests for a two-phase commit operation in a distributed storage system assigns reserved log sequence values to each of storage I/O requests of a first class, which are added to a two-phase commit queue. The reserved log sequence values of the storage I/O requests of the first class in the two-phase commit queue are assigned to some of the storage I/O requests of the second class, which are added to the two-phase commit queue.
Deleting directories in a virtual distributed file system (VDFS), and non-virtual file systems, involves changing the name of a selected directory to a unique object identifier (UID) and moving the selected directory, named according to the UID, to a deletion target directory. A recursive process, implemented using a background deletion thread, starts in the current directory and identifies objects in the current directory. For an object that is a file or an empty directory, the object is added to a deletion queue. For an object that is a directory that is not empty, the recursion drops down into that directory as the new current directory. When the recursion has exhausted the selected directory, or some maximum object count has been reached, the objects identified in the deletion queue are deleted. This approach can also be used for file operations other than deletion, such as compression, encryption, and hashing.
Techniques are provided to prevent or allow the execution of a file from a copy device, such as a shadow copy device, depending on whether the file includes malicious code or trusted code. Redirection techniques may be used to cause a file (stored in the copy device) to be analyzed for malicious code at an original volume, rather than being analyzed at or executed from the copy device.
G06F 21/53 - Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity, buffer overflow or preventing unwanted data erasure by executing in a restricted environment, e.g. sandbox or secure virtual machine
G06F 21/55 - Detecting local intrusion or implementing counter-measures
8.
STORAGE POLICY RECOVERY MECHANISM IN A VIRTUAL COMPUTING ENVIRONMENT
A method for recovering a storage policy of a workload executing in a cluster of host servers that are managed by a first management appliance, wherein the host servers each include a local storage device, and the storage policy corresponds to storage objects of the workload, includes the steps of: in response to an instruction from the first management appliance, creating a first storage object of the workload according to the storage policy, wherein the instruction includes the storage policy; storing the first storage object and the storage policy in a shared storage device that is provisioned from the local storage devices of the host servers; and in response to a request from a second management appliance configured to manage the cluster of host servers, retrieving the storage policy from the shared storage device and transmitting the storage policy to the second management appliance.
Methods, apparatus, systems, and articles of manufacture to store cluster information in a distributed datastore are disclosed. An example apparatus includes memory; programmable circuitry; and first instructions to cause the programmable circuitry to: obtain second instructions to create a cluster of first hosts; determine second hosts of the cluster of the first hosts to implement a distributed datastore in the cluster; and cause transmission of third instructions to store cluster information corresponding to the cluster of the first hosts in datastores of the second hosts.
G06F 11/14 - Error detection or correction of the data by redundancy in operation, e.g. by using different operation sequences leading to the same result
The disclosure provides an example method for live packet tracing. Some embodiments of the method include configuring a first network interface of a first pod to mark each of a plurality of packets, with a corresponding flow tag and a corresponding packet identifier, receiving, from one or more observation points, at least one of copies or metadata of the plurality of packets each marked with the corresponding flow tag and the corresponding packet identifier. In some embodiments, the method further includes displaying data indicative of the at least one of the copies or the metadata of the plurality of packets.
Example methods and systems to process input/output (I/O) requests in a distributed storage system in a virtualized computing environment are disclosed. One example method includes executing a first thread to destage one or more data writes, wherein the one or more data writes correspond to a first bucket; executing a second thread to destage the one or more data deletes, wherein the one or more data deletes correspond to a second bucket; in response to executing the first thread, buffering write I/Os associated with the one or more data writes in a logical queue; in response to executing the second thread, buffering delete I/Os associated with the one or more data deletes in the logical queue; and adjusting a number of slots in the logical queue dedicated to buffer the delete I/Os based on a relationship between the first bucket and the second bucket.
Some embodiments provide a method for evaluating a network correctness requirement at an evaluation program instance assigned to evaluate a particular network correctness requirement. The method identifies data message properties associated with the particular network correctness requirement. The method evaluates the particular network correctness requirement by (i) determining a path through a set of network devices for a data message having the identified data message properties and (ii) from a data storage that stores data message processing rules for a plurality of network devices including the set of network devices and additional network devices, retrieving and storing in memory data specifying data message processing rules for the set of network devices to use in evaluating the particular network correctness requirement.
The disclosure provides an approach for backward compatibility of federated data centers. A method includes of synchronizing an object configuration includes creating an object at a global network manager, where the object is associated with one or more properties, and where each of the one or more properties is associated with a minimum virtualized networking version. The method includes determining at the global network manager a minimum compatibility version of the object that is a largest minimum virtualized networking version associated with the one or more properties. The method includes determining a span associated with the object, where the span includes one or more local network managers. The method includes, based on the minimum compatibility version and the span, synchronizing the object at each of the one or more local network managers or determining not to synchronize the object at each of the one or more local network managers.
H04L 41/342 - Signalling channels for network management communication between virtual entities, e.g. orchestrators, SDN or NFV entities
H04L 41/0859 - Retrieval of network configuration; Tracking network configuration history by keeping history of different configuration generations or by rolling back to previous configuration versions
H04L 41/40 - Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks using virtualisation of network functions or resources, e.g. SDN or NFV entities
14.
Supporting virtual machine migration when network manager or central controller is unavailable
The disclosure provides an approach for virtual computing instance (VCI) migration. Embodiments include scanning logical segments associated with a customer gateway to identify network addresses associated with the logical segments. Embodiments include determining one or more recommended supernets based on the network addresses associated with the logical segments. Embodiments include providing output to a user based on the one or more recommended supernets. Embodiments include based on the output, receiving input from the user configuring an aggregation supernet for the customer gateway. Embodiments include advertising the aggregation supernet to one or more endpoints separate from the customer gateway.
G06F 15/173 - Interprocessor communication using an interconnection network, e.g. matrix, shuffle, pyramid, star or snowflake
H04L 41/122 - Discovery or management of network topologies of virtualised topologies e.g. software-defined networks [SDN] or network function virtualisation [NFV]
A method for efficient write-back for journal truncation is provided. A method includes maintaining a journal in a memory of a computing system including a plurality of records. Each record indicates a transaction associated with one or more pages in an ordered data structure and maintaining a dirty list including an entry for each page indicated by a record in the journal. Each entry in the dirty list includes a respective first log sequence number (LSN) associated with a least recent record of the plurality of records that indicates the page and a respective second LSN associated with a most recent record of the plurality of records that indicates the page. The method includes determining to truncate the journal. The method includes identifying one or more records, of the plurality of records, from the journal to write back to a disk, where the identifying is based on the dirty list.
G06F 12/0804 - Addressing of a memory level in which the access to the desired data or data block requires associative addressing means, e.g. caches with main memory updating
An example method of automatically deploying a containerized workload on a hypervisor based device is provided. The method generally includes booting the device running a hypervisor, in response to booting the device: automatically obtaining, by the device, one or more intended state configuration files from a server external to the device, the one or more intended state configuration files defining a control plane configuration for providing services for at least deploying and managing the containerized workload and workload configuration parameters for the containerized workload; deploying a control plane pod configured according to the control plane configuration; deploying one or more worker nodes based on the control plane configuration, and deploying one or more workloads identified by the workload configuration parameters on the one or more worker nodes.
The disclosure provides an approach for certificate management for cryptographic agility. Embodiments include receiving, by a cryptographic agility system, a cryptographic request related to an application. Embodiments include selecting, by the cryptographic agility system, a cryptographic technique based on contextual information associated with the cryptographic request. Embodiments include determining, by the cryptographic agility system, based on the cryptographic request, a certificate for authenticating a key related to the cryptographic technique. Embodiments include providing, by the cryptographic agility system, the certificate to an endpoint related to the cryptographic request for use in authenticating the key.
H04L 9/32 - Arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system
A method for efficient journal truncation is provided. A method for journal truncation includes maintaining a journal in a memory of a computing system including a plurality of records. Each record indicates a transaction in an ordered data structure. The method includes maintaining a truncation queue in the memory including one or more entries. Each entry in the truncation queue includes a physical on-disk offset associated with a different record of the plurality of records. The method includes determining to truncate the journal and truncating records, of the plurality of records, from the journal starting from a beginning record in the journal up to the record with the physical on-disk offset associated a least recent entry of the one or more entries in the truncation queue, where the truncating includes removing the records from the memory.
An example method of automatically deploying a containerized workload on a hypervisor based device is provided. The method generally includes booting the device running a hypervisor, in response to booting the device: automatically obtaining, by the device, one or more intended state configuration files from a server external to the device, the one or more intended state configuration files defining a control plane configuration for providing services for at least deploying and managing the containerized workload and workload configuration parameters for the containerized workload; deploying a control plane pod configured according to the control plane configuration; deploying one or more worker nodes based on the control plane configuration, and deploying one or more workloads identified by the workload configuration parameters on the one or more worker nodes.
Some embodiments of the invention provide a method for implementing a software-defined private mobile network (SD-PMN) for an entity. At a physical location of the entity, the method deploys a first set of control plane components for the SD-PMN, the first set of control plane components including a security gateway, a user-plane function (UPF), an AMF (access and mobility management function), and an SMF (session management function). At an SD-WAN (software-defined wide area network) PoP (point of presence) belonging to a provider of the SD- PMN, the method deploys a second set of control plane components for the SD-PMN that includes a subscriber database that stores data associated with users of the SD-PMN. The method uses an SD-WAN edge router located at the physical location of the entity and a SD-WAN gateway located at the SD-WAN PoP to establish a connection from the physical location of the entity to the SD- WAN PoP.
H04W 84/04 - Large scale networks; Deep hierarchical networks
H04L 41/0668 - Management of faults, events, alarms or notifications using network fault recovery by dynamic selection of recovery network elements, e.g. replacement by the most appropriate element after failure
H04W 24/02 - Arrangements for optimising operational condition
H04L 47/24 - Traffic characterised by specific attributes, e.g. priority or QoS
A computer-implemented method, computer-readable medium and computer system to execute containerized applications includes initiating a Supervisor Cluster on top of a SDDC to support execution of containerized applications. A supervisor cluster namespace is created on the Supervisor Cluster. A storage policy is attached to the supervisor cluster namespace. Then, a control plane is bootstrapped, and containerized applications are executed in a virtual machine cluster using vSphere pods as the worker nodes in the virtual machine cluster.
System and method for anonymizing logs generated in applications running in a computing environment detects log data being generated in an application and compares the log data to a set of predefined search pattern policies to find sensitive information contained in the log data. The sensitive information contained in the log data is converted into anonymous information to produce anonymized log data within the application. The anonymized log data is then written to a destination.
The disclosure describes growing a data cache using a background hash bucket growth process. A first memory portion is allocated to the data buffer of the data cache and a second memory portion is allocated to the metadata buffer of the data cache based on the cache growth instruction. The quantity of hash buckets in the hash bucket buffer is increased and the background hash bucket growth process is initiated, wherein the process is configured to rehash hash bucket entries of the hash bucket buffer in the increased quantity of hash buckets. A data entry is stored in the data buffer using the allocated first memory portion of the data cache and metadata associated with the data entry is stored using the allocated second memory portion of the metadata buffer, wherein a hash bucket entry associated with the data entry is stored in the increased quantity of hash buckets.
G06F 12/0864 - Addressing of a memory level in which the access to the desired data or data block requires associative addressing means, e.g. caches using pseudo-associative means, e.g. set-associative or hashing
24.
MULTI-CLOUD RECOMMENDATION ENGINE FOR CUSTOMER WORKLOADS
System and computer-implemented method for generating multi-cloud recommendations for workloads uses costs and performance metrics of appropriate instance types in specific public clouds for target workloads to produce recommendation results. The appropriate instance types in the specific public clouds are determined based on instance capabilities and the workload type of the target workloads. In addition, a recommended cloud resource offering is determined for the target workloads, which is sent as a notification with the recommendation results of the appropriate instance types in the specific public clouds.
H04L 41/5061 - Network service management, e.g. ensuring proper service fulfilment according to agreements characterised by the interaction between service providers and their network customers, e.g. customer relationship management
G06F 9/50 - Allocation of resources, e.g. of the central processing unit [CPU]
25.
EFFICIENTLY AVOIDING PACKET LOOPS WHEN ROUTES ARE AGGREGATED IN A SOFTWARE DEFINED DATA CENTER
The disclosure provides an approach for avoiding packet loops when routes are aggregated in a data center. Embodiments include scanning logical segments associated with a customer gateway to identify network addresses associated with the logical segments. Embodiments include determining one or more recommended supernets based on the network addresses associated with the logical segments. Embodiments include providing output to a user based on the one or more recommended supernets. Embodiments include, based on the output, receiving input from the user configuring an aggregation supernet for the customer gateway. Embodiments include advertising the aggregation supernet to one or more endpoints separate from the customer gateway.
A method of delivering cloud services from a cloud platform to management appliances of one or more software-defined data centers (SDDCs) through recipe execution agents running on an agent platform appliance, includes the steps of: downloading a first recipe corresponding to a first event initiated by a first cloud service, wherein the first event is associated with a task to be performed for the first cloud service; and executing first commands defined in the downloaded first recipe in one of the recipe execution agents to perform a task of the first cloud service on a first management appliance, said executing of the first commands in the one of the recipe execution agents including transmitting a first command to the first management appliance, receiving a first response from the first management appliance, and reporting the first response to the cloud platform.
The disclosure provides an approach for coordinating a distributed vulnerability network scan. Embodiments include sending, by a computing node, a check-in message to a scanning coordinator, the check-in message indicating attributes of the computing node. Embodiments include receiving, by the computing node, a scan configuration message from the scanning coordinator, the scan configuration message comprising: scan timing information for the computing node; and a list of scanning targets for the computing node. Embodiments include determining, by the computing node, a scanning time window based on the scan timing information for the computing node. Embodiments include scanning, by the computing node, one or more scanning targets in the list of scanning targets for the computing node during the scanning time window.
Computer-implemented methods, media, and systems for context-sensitive defragmentation and aggregation of containerized workloads running on edge devices are disclosed. One example method includes monitoring telemetry data from multiple software defined wide area network (SD-WAN) edge devices that run multiple workloads, where the telemetry data includes at least one of resource utilization at the multiple SD-WAN edge devices, inter-workload trigger dependency, or inter-workload data dependency among the multiple workloads. It is determined, based on the telemetry data, that at least two of the multiple workloads running on at least two SD-WAN edge devices have the inter-workload trigger dependency or the inter-workload data dependency. In response to the determination that the at least two of the multiple workloads have the inter-workload trigger dependency or the inter-workload data dependency, a first process of migrating the at least two of the multiple workloads to a first SD-WAN edge device of is initiated.
H04L 41/0897 - Bandwidth or capacity management, i.e. automatically increasing or decreasing capacities by horizontal or vertical scaling of resources, or by migrating entities, e.g. virtual resources or entities
H04L 41/40 - Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks using virtualisation of network functions or resources, e.g. SDN or NFV entities
29.
REMEDIATION OF CONTAINERIZED WORKLOADS BASED ON CONTEXT BREACH AT EDGE DEVICES
Computer-implemented methods, media, and systems for remediation of containerized workloads based on context breach at edge devices are disclosed. One example computer-implemented method includes monitoring telemetry data from a first software defined wide area network (SD-WAN) edge device, where the telemetry data includes multiple context elements at the first SD-WAN edge device. It is determined that a context change occurs for at least one of the context elements at the first SD-WAN edge device. It is determined that due to the context change, the first SD-WAN edge device does not satisfy one or more requirements for running one or more workloads scheduled to run. In response to the determination that the first SD-WAN edge device does not satisfy the one or more requirements, the at least one of the one or more workloads is offloaded from the first SD-WAN edge device to a second SD-WAN edge device.
H04L 41/40 - Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks using virtualisation of network functions or resources, e.g. SDN or NFV entities
H04L 41/122 - Discovery or management of network topologies of virtualised topologies e.g. software-defined networks [SDN] or network function virtualisation [NFV]
30.
AUTO-CONFIGURATION OF ROUTES BETWEEN NEIGHBOR DEVICES
In some embodiments, a method inserts, by a first computing device, a first value for a capability in a first message that is used in a process to automatically exchange capability values with a second computing device. The first value for the capability indicates the first computing device requires a default route to reach the second computing device as a next hop for sending a packet to a destination. The first computing device sends the first message to the second computing device; and receives a second value for the capability in a second message from the second computing device. The second value indicating the second computing device will send the default route to reach the second computing device. When the default route is received from the second computing device, the first computing device stores the default route from the second computing device in a route table.
Distributed storage system and method for transmitting storage-related messages between host computers in a distributed storage system uses a handshake operation of a first-type communication connection between a source data transport daemon of a source host computer and a target data transport daemon of a target host computer to derive a symmetric key at each of the source and target data transport daemons. The two symmetric keys are sent to a source data transport manager of the source host computer and to a target data transport manager of the target host computer. The source and target data transport managers then use the same symmetric keys to encrypt and decrypt storage-related messages that are transmitted from the source data transport manager to the target data transport manager through multiple second-type communication connections between the source and target data transport managers.
H04L 9/32 - Arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system
Anomalies are detected in a distributed application that runs on a plurality of nodes to execute at least first and second workloads. The method of detecting anomalies includes collecting first network traffic data of the first workload and second network traffic data of the second workload during a first period of execution of the first and second workloads, collecting third network traffic data of the first workload and fourth network traffic data of the second workload during a second period of execution of the first and second workloads, and detecting an anomaly in the distributed application based on a comparison of the third network traffic data against the first network traffic data or a comparison of the fourth network traffic data against the second network traffic data. Anomalies may also be detected by comparing network traffic data of two groups of containers executing the same workload.
H04L 67/1029 - Protocols in which an application is distributed across nodes in the network for accessing one among a plurality of replicated servers using data related to the state of servers by a load balancer
H04L 67/1031 - Controlling of the operation of servers by a load balancer, e.g. adding or removing servers that serve requests
H04L 43/062 - Generation of reports related to network traffic
H04L 47/783 - Distributed allocation of resources, e.g. bandwidth brokers
H04L 43/04 - Processing captured monitoring data, e.g. for logfile generation
H04L 67/1008 - Server selection for load balancing based on parameters of servers, e.g. available memory or workload
In one aspect, A computerized method of a gateway distributing routes learned through routing protocols (RP) into a Border Gateway Protocol (BGP) includes the step of providing a first gateway that receives a route over a routing protocol. The method includes the step of with the first gateway, redistributing the route to one or more peer routers as a BGP route based on one or more specified criteria. The method includes the step of setting a gateway precedence based on the redistribution of the route to the one or more peer routers as the BGP route. The method includes the step of, based on the gateway precedence, setting a second, gateway to automatically redistribute the route with different priorities to influence steering of traffic to a preferred gateway,
H04L 12/66 - Arrangements for connecting between networks having differing types of switching systems, e.g. gateways
H04L 41/5041 - Network service management, e.g. ensuring proper service fulfilment according to agreements characterised by the time relationship between creation and deployment of a service
H04L 41/50 - Network service management, e.g. ensuring proper service fulfilment according to agreements
H04L 47/24 - Traffic characterised by specific attributes, e.g. priority or QoS
H04L 69/325 - Intralayer communication protocols among peer entities or protocol data unit [PDU] definitions in the network layer [OSI layer 3], e.g. X.25
34.
INTER-CLUSTER AUTOMATED FAILOVER AND MIGRATION OF CONTAINERIZED WORKLOADS ACROSS EDGES DEVICES
Computer-implemented methods, media, and systems for inter-cluster automated failover and migration of containerized workloads across edges devices are disclosed. One example method includes monitoring telemetry data received from a first software defined wide area network (SD-WAN) edge device that has a workload scheduled, where the telemetry data includes at least one of a health status of the workload or multiple runtime context elements at the first SD-WAN edge device. It is determined that a failure associated with either the first SD-WAN edge device or the workload occurs. A mode of the failure is determined. A remediation process based on the determined mode of the failure and a current state of the workload is performed.
G06F 11/20 - Error detection or correction of the data by redundancy in hardware using active fault-masking, e.g. by switching out faulty elements or by switching in spare elements
H04L 41/0654 - Management of faults, events, alarms or notifications using network fault recovery
35.
CONTEXT BASED META SCHEDULING OF CONTAINERIZED WORKLOADS ACROSS EDGE DEVICES
Computer-implemented methods, media, and systems for context based meta scheduling of containerized workloads across edge devices are disclosed. One example computer-implemented method includes receiving a manifest file that includes multiple context requirements of a workload, where the multiple context requirements include multiple runtime service level agreement (SLA) requirements of the workload. Telemetry data is received from multiple software defined wide area network (SD-WAN) edge devices, where the telemetry data includes respective context data of each of the multiple SD-WAN edge devices. A SD-WAN edge device is selected, based on the telemetry data and the multiple context requirements of the workload, from the multiple SD-WAN edge devices for placing the workload on the selected SD-WAN edge device, where the context data of the selected SD-WAN edge device meets the multiple context requirements of the workload. The workload is run on the selected SD-WAN edge device.
H04L 41/122 - Discovery or management of network topologies of virtualised topologies e.g. software-defined networks [SDN] or network function virtualisation [NFV]
H04L 41/5054 - Automatic deployment of services triggered by the service manager, e.g. service implementation by automatic configuration of network components
36.
GENERATING INSTALLATION IMAGES BASED UPON DPU-SPECIFIC CAPABILITIES
Disclosed are various embodiments provisioning a data processing unit in a host machine. There can be multiple data processing units within the host machine with varying hardware or software requirements for an installation image that can be utilized to provision the device. Multiple installation images can be generated for different data processing units having varying requirements in a heterogeneous environment.
Today, stateful services (e.g., firewall services, load balancing services, encryption services, etc.) running inside guest machines (e.g., guest virtual machines (VMs)) can be very expensive, particularly for applications that need to handle large volumes of firewall, load balancing, and VPN (virtual private network) traffic. In some such cases, these stateful services can cause bottlenecks for datacenter traffic going in and out of the datacenter, and result in significant negative impacts on customer experiences. Additionally, service-critical guest machines may need to migrate from one host to another, and need to maintain service capability and throughput before and after the migration such that from a user perspective, the service is not only uninterrupted, but also performant.
Some embodiments of the invention provide a method for defining a telecommunications network deployment for a particular geographic region that includes of a set of sub-regions. The telecommunications network including an access network, an edge network, and a core network. The method is performed for each sub-region in the set of sub-regions. The method determines population density of UEs (user equipment) within the sub-region. Based on the determined population density, the method identifies an area type for the sub-region from a set of area types. The method simulates performance of the telecommunications network to explore, based on the identified area type, multiple configurations for access nodes that connect the UEs to the telecommunications network, each configuration in the multiple configurations indicating (1) a number of access nodes to be included in the telecommunications network deployment and (2) locations at which each access node is to be deployed. The method selects a particular configuration for access nodes from the multiple configurations for use in defining the telecommunications network deployment.
System and computer-implemented method for managing multi-availability zone (AZ) clusters of host computers in a cloud computing environment automatically detects a degraded state of a first AZ in the cloud computing environment based on host failure events for host computers in a first cluster section of a multi-AZ cluster of host computers located in the first AZ and a recovered state of the first AZ based a successful scale-in operation of another multi-AZ cluster located partially in the first AZ. In response to the detection of the degraded state of the first AZ, a second cluster section of the multi-AZ cluster of host computers located in a second AZ is scaled out. In response to the detection of the recovered state of the first AZ, the second cluster section of the multi-AZ cluster of host computers located in the second AZ is scaled in.
G06F 11/20 - Error detection or correction of the data by redundancy in hardware using active fault-masking, e.g. by switching out faulty elements or by switching in spare elements
40.
WORKLOAD PLACEMENT FOR VIRTUAL GPU ENABLED SYSTEMS
Disclosed are aspects of workload selection and placement in systems that include graphics processing units (GPUs) that are virtual GPU (vGPU) enabled. In some aspects, workloads are assigned to virtual graphics processing unit (vGPU)-enabled graphics processing units (GPUs). A number of vGPU placement neural networks are trained to maximize a composite efficiency metric based on workload data and GPU data for the plurality of vGPU placement models. A combined neural network selector is generated using the vGPU placement neural networks, and utilized to assign a workload to a vGPU-enabled GPU.
Computer-implemented methods, media, and systems for automating secured deployment of containerized workloads on edge devices are disclosed. One example computer-implemented method includes receiving, by a software defined wide area network (SD-WAN) edge device and from a remote manager, resource quotas for a compute service to be enabled at the SD-WAN edge device. Pre-deployment sanity checks are performed by confirming availability of resources satisfying the resource quotas, where the resources are at the SD-WAN edge device. In response to the confirmation of the availability of resources satisfying the resource quotas, one or more security constructs are set up to isolate SD-WAN network functions at the SD-WAN edge device from the compute service at the SD-WAN edge device. The compute service is attached to a SD-WAN network by the SD-WAN edge device. An acknowledgement that the compute service is enabled at the SD-WAN edge device is sent to the remote manager.
H04L 41/40 - Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks using virtualisation of network functions or resources, e.g. SDN or NFV entities
H04L 41/342 - Signalling channels for network management communication between virtual entities, e.g. orchestrators, SDN or NFV entities
Some embodiments provide a system that includes a set of network controllers for receiving definitions of first and second logical switching elements. The system includes several managed switching elements. The set of network controllers configure the several managed switching elements to implement the defined first and second logical switching elements. The system includes several network hosts that are each (1) communicatively coupled to one of the several managed switching elements and (2) associated with one of the first and second logical switching elements. Network data communicated between network hosts associated with the first logical switching element are isolated from network data communicated between network hosts associated with the second logical switching element.
H04L 41/0816 - Configuration setting characterised by the conditions triggering a change of settings the condition being an adaptation, e.g. in response to network events
H04L 41/0853 - Retrieval of network configuration; Tracking network configuration history by actively collecting configuration information or by backing up configuration information
43.
AUTOMATING SECURED DEPLOYMENT OF CONTAINERIZED WORKLOADS ON EDGE DEVICES
Computer-implemented methods, media, and systems for automating secured deployment of containerized workloads on edge devices are disclosed. One example computer-implemented method includes receiving, by a software defined wide area network (SD-WAN) edge device and from a remote manager, resource quotas for a compute service to be enabled at the SD-WAN edge device. Pre-deployment sanity checks are performed by confirming availability of resources satisfying the resource quotas, where the resources are at the SD-WAN edge device. In response to the confirmation of the availability of resources satisfying the resource quotas, one or more security constructs are set up to isolate SD-WAN network functions at the SD-WAN edge device from the compute service at the SD-WAN edge device. The compute service is attached to a SD-WAN network by the SD-WAN edge device. An acknowledgement that the compute service is enabled at the SD-WAN edge device is sent to the remote manager.
G06F 9/455 - Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
H04L 41/0895 - Configuration of virtualised networks or elements, e.g. virtualised network function or OpenFlow elements
H04L 41/40 - Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks using virtualisation of network functions or resources, e.g. SDN or NFV entities
H04L 41/5051 - Service on demand, e.g. definition and deployment of services in real time
H04L 41/5054 - Automatic deployment of services triggered by the service manager, e.g. service implementation by automatic configuration of network components
H04L 67/10 - Protocols in which an application is distributed across nodes in the network
H04L 67/1097 - Protocols in which an application is distributed across nodes in the network for distributed storage of data in networks, e.g. transport arrangements for network file system [NFS], storage area networks [SAN] or network attached storage [NAS]
G06F 9/50 - Allocation of resources, e.g. of the central processing unit [CPU]
44.
END USER PRIVACY MANAGEMENT OF ACCESSED DEVICE DATA
Disclosed are various examples for controlling and managing data access to increase user privacy and minimize intentional or inadvertent misuse of accessed information. Upon detecting a request for an administrator review of a user client device, permission for administrator access can be obtained from a user associated with the user client device. The client device identifier can be obfuscated such that the administrator accessing the data is not provided the actual device identifier. An administrator review session between the user client device and an administrator client device can be established to allow the administrator client device access to the permitted client device data.
Disclosed are various approaches for exposing peripheral component interconnect express (PCIe) configuration space implementations as Enhanced Configuration Access Mechanism (ECAM)-compatible. In some examples, a bridge device is identified on a segment corresponding to a root complex of a computing device. An endpoint device is connected to a bus downstream from the bridge device. A synthetic segment identifier is assigned to the bus once the endpoint device is identified as connected to the bus. Synthetic address data is generated for the endpoint device. The synthetic address data includes the synthetic segment identifier for the bus and sets a bus identifier of the bus to zero regardless of a hierarchical position of the bus in a standard peripheral component interconnect express (PCIe) bus hierarchy.
Systems and methods are described for linking Kubernetes resources with underlying infrastructure. An agent running in a Kubernetes cluster can collect data about the cluster. The agent can add universal identifiers (“UIDs”) corresponding to specific characteristics of the Kubernetes cluster. The agent can send the data with the UIDs to a backend service. The backend service can identify a cluster on a host platform that corresponds to the Kubernetes cluster based on the UIDs. The backend service can then link components of the Kubernetes cluster to host machines in the host platform that they are running on. Using the links, a graph model can be displayed in a graphical user interface. The graph model can visually illustrate how the components in the Kubernetes cluster and the host cluster connect to each other.
Aspects of remote edge virtualization management are described. An edge hypervisor shadow application is executed. The edge hypervisor shadow application acts as an Input/Output for an edge hypervisor that is IP inaccessible to a virtualization service. The edge hypervisor shadow application receives a hypertext transport protocol (HTTP) communication from the virtualization service. A Message Queue Telemetry Transport (MQTT) message is generated to include the HTTP request, and is published to an MQTT broker service, the MQTT message comprising the HTTP request.
An example method of diagnosing remote sites of a distributed container orchestration system includes: receiving, at a management cluster, definition of a test suite custom resource; deploying, in response to the test suite custom resource, a first pod in the management cluster; deploying, by the first pod, a second pod in a server of a first remote site of the remote sites; checking, by the second pod, configuration of the server that includes an additional pod executing alongside the second pod, at least one virtual machine (VM) in which the second pod and the additional pod execute, a hypervisor configured to support the at least one VM, and a hardware platform on which the hypervisor executes; and returning test data from the second pod to the first pod, the test data including results of the step of checking the configuration of the server.
An example method of propagating fault domain topology information in a distributed container orchestration system includes: receiving, at control plane software executing in a data center, the fault domain topology, which includes tags for a protection group and fault domains for remote sites in communication with the data center; deploying, by a master server of the distributed container orchestration system that executes in the data center, a node pool comprising virtual machines (VMs) executing in servers of the remote sites, the VMs being nodes of the distributed container orchestration system in which containers execute; determining, by a controller of the master server, relationships among the VMs, the servers, the protection group, and the fault domains based on state of resources maintained by the master server; and providing, by the controller, labels to the servers for associating the tags of the protection group and the fault domains to the VMs.
Example methods and systems for centralized service insertion in an active-active cluster are described. In one example, a first service endpoint may operate in an active mode on a first logical service router (SR) supported by the computer system. The first service endpoint may be associated with a second service endpoint operating on the second logical SR in a standby mode. The first logical SR and the second logical SR may be assigned to a first sub-cluster of the active-active cluster. In response to receiving a service request originating from a virtualized computing instance, the service request may be processed using the first service endpoint according to a centralized service that is implemented by both the first service endpoint and the second service endpoint. A processed service request may be forwarded towards a destination capable of generating and sending a service response in reply to the processed service request.
Example methods and systems for cluster add-on lifecycle management are described. In one example, a computer system may obtain cluster add-on definition information specifying multiple add-ons that are each capable of extending functionality of at least a first cluster and a second cluster. In response to receiving a first instruction to perform a first management action, a first validation operation may be performed based on the cluster add-on definition information and multiple first configuration values associated the multiple first configuration fields. In response to receiving a second instruction to perform a second management action associated with the second add-on, a second validation operation may be performed based on the cluster add-on definition information and multiple second configuration values associated the multiple second configuration fields. The first/second management action may be performed in response to determination that the first/second validation operation is successful.
Systems and methods are provided for dynamically optimizing and configuring various aspects of virtual desktops in virtual desktop infrastructure. Data collectors can be installed on and operate on various components in the virtual desktop infrastructure, such as on the virtual desktops running on the server, on the virtual desktop clients running on user devices, and on the connection server. The data collectors can operate to collect various types of information from corresponding components, such as application usage data and status, device performance, networking environment and speed, application or system crash data, and so on. The collected data can be logged, tracked, and analyzed to perform various actions on the virtual desktop.
A computer-implemented method for electing a leader in a computing system is provided. In one aspect, a method includes identifying a computing resource for multiple container groups that each include one or more containers. A determination is made, from applications running in containers of the container groups, of multiple election candidate applications. Each election candidate application has an instance deployed in a corresponding container in each container group. For each container group, an election runner process is established within the container group. For each instance of each of the election candidate applications, a corresponding election watcher process is established. A communication link is established between the election runner process and each election watcher process. A request for leader election is transmitted from the election runner process to the computing resource. A response received from the computing resource. The response is transmitted to each election watcher process via the communication link.
Example methods and systems for identity firewall with context information tracking are described. In one example, a first computer system may detect establishment of a connection with a virtualized computing instance, and track context information associated with the connection. The context information may include (a) first identity information that is associated with a prior connection between the client device and a second computer system, and (b) second identity information that is associated with the connection with the virtualized computing instance. Further, the first computer system may obtain a first identity firewall policy associated with the first identity information. In response to detecting a packet associated with a flow originating from, or destined for, the virtualized computing instance, the first computer system may allow or block forwarding of the packet based on the first identity firewall policy.
Systems and methods are provided for efficiently registering cloned VMs while preventing unnecessary subsequent registrations. Two independent threads can execute on a cloned VM and control different variables indicating whether registration is needed or has already been performed. A first thread can set a first variable based on an internal identifier of the cloned VM relative to the parent VM. It can also check a second variable, set by a second thread, based on an external identifier of the cloned VM not being updated at a backend cloud service. It can then set a third variable indicating whether registration has been triggered or not, based on the other variables. To avoid duplication, the second thread sets the second variable based on both the external identifier as well as a status of the first variable. The variables can be atomic variables to avoid multi-thread interference and undesirable thread locks.
Embodiments described herein relate to load balancing using multiple CPUs. A method for tunnel creation according to a security protocol at a source tunnel endpoint (TEP) includes exchanging messages with a destination TEP to create a security association (SA) for the tunnel creation; sending a message to the destination TEP, wherein the message is an encrypted message based on the first message exchange, and the message includes a traffic selector of the source TEP and a number of available CPUs of the source TEP; receiving a message from the destination TEP, wherein the message is an encrypted message based on the first message exchange, and the message includes a traffic selector of the destination TEP and a number of available CPUs of the destination TEP; and determining a number of SAs to create with the destination TEP, wherein the determination is based on the traffic selectors and the number of available CPUs.
An example method of deploying an application by a telecommunications platform in a multi-cloud computing system includes: receiving, at the telecommunications platform executing in a first software-defined data center (SDDC), an application deployment specification for a first application; receiving, at the telecommunications platform, selection of a virtual infrastructure (VI) template for the first application, the VI template defining a configuration of SDDC resources in the multi-cloud computing system; and deploying the first application based on the application deployment specification of the first application and the VI template.
Disclosed are various approaches for dynamically scheduling meetings for user groups. Users participating in an email thread can provide feedback regarding whether they would like for a meeting to be scheduled. A meeting service can automatically schedule a meeting based upon user feedback or an analysis of the email thread.
Disclosed are various examples of control plane lifecycle management using data processing unit (DPU) devices. In some examples, a passthrough between a control plane virtual machine and a data processing unit (DPU) is enabled using a DPU management hypervisor executed by a DPU device. The DPU device is installed to the host device. The DPU device receives a control plane update command with instructions to update a control plane that includes the control plane virtual machine. The control plane update command is performed. Control plane data for the update is transmitted through the passthrough.
Systems, methods, devices and non-transitory, computer-readable storage mediums are disclosed for simulating nodes of a container orchestration system. An example method includes: deploying a mock node for taking on a role of actual worker nodes, wherein the mock node is provided with a first set of resources providing a first compute capacity and the mock node includes an interface for interacting with an API server of the container orchestration system; configuring the interface to present to the container orchestration system an available compute capacity of a second compute capacity; registering the mock node as an actual worker node of the cluster with the API server based on the interface of the mock node; causing the container orchestration system to deploy a plurality of application pods to the mock node; and obtaining events generated by the interface in the mock node indicating deployment and running statuses of the application pods.
Some embodiments provide a method for dynamically implementing quality of service (QoS) for machines of a network. The method identifies a QoS policy rule that defines a QoS policy to be implemented for machines that meet a set of criteria specified by the QoS policy rule. The method dynamically identifies a set of machines that meet the set of criteria. The method configures a set of managed forwarding elements of the network to implement the QoS policy rule for network traffic associated with the set of machines. In some embodiments, the method monitors network events (e.g., user logins, addition of new machines, etc.) and identifies a corresponding QoS policy rule to be enforced at corresponding locations in the network based on the detected event.
A novel method for dynamic network service allocation that maps generic services into specific configurations of service resources in a network is provided. An application that is assigned to be performed by computing resources in the network is associated with a set of generic services, and the method maps the set of generic services to the service resources based on the assignment of the application to the computing resources. The mapping of generic services is further based on a level of service that is chosen for the application, where the set of generic services are mapped to different sets of network resources according to different levels of services.
G06F 9/50 - Allocation of resources, e.g. of the central processing unit [CPU]
H04L 41/5051 - Service on demand, e.g. definition and deployment of services in real time
H04L 41/5041 - Network service management, e.g. ensuring proper service fulfilment according to agreements characterised by the time relationship between creation and deployment of a service
Some embodiments provide a novel method for performing services on a host computer that executes several data compute nodes (DCNs). The method receives, at a module executing on the host, a data message associated with a DCN executing on the host. The method supplies the data message to a service virtual machine (SVM) that executes on the host and on which several service containers execute. One or more of the service containers then perform a set of one or more services on the data message. The method then receives an indication from the SVM that the set of services has been performed on the data message.
A system for private networking within a virtual infrastructure is presented. The system includes a virtual machine (VM) in a first host, the VM being associated with a first virtual network interface card (VNIC), a second VM in a second host, the second VM being associated with a second VNIC, the first and second VNICs being members of a fenced group of computers that have exclusive direct access to a private virtual network, wherein VNICs outside the fenced group do not have direct access to packets on the private virtual network, a filter in the first host that encapsulates a packet sent on the private virtual network from the first VNIC, the encapsulation adding to the packet a new header and a fence identifier for the fenced group, and a second filter in the second host that de-encapsulates the packet to extract the new header and the fence identifier.
A scanner redirection method includes the steps of: receiving from an application running on a host server, a request for scanner properties; acquiring properties of the physical scanner; converting the properties of the physical scanner that are described according to a first scanning protocol to properties of the physical scanner that are described according to a second scanning protocol; transmitting the properties of the physical scanner that are described according to the second scanning protocol to the application; in response to detecting a user selection made on an image of a user interface, transmitting the user selection to the application; and in response to the user selection, receiving from the application, a request for a scanned image, and transmitting a request to an image capture core to acquire the scanned image from the physical scanner.
Disclosed herein is a system and method for controlling network traffic among namespaces in which various entities, such as virtual machines, pod virtual machines, and a container orchestration system, such as Kubernetes, reside and operate. The entities have access to a network that includes one or more firewalls. The traffic that is permitted to flow over the network among and between the namespaces is defined by a security policy definition. The security policy definition is posted to a master node in a supervisor cluster that supports and provisions the namespaces. The master node invokes a network manager to generate a set of firewall rules and program the one or more firewalls in the network to enforce the rules.
Disclosed are various embodiments for a unified boot image that can be used to install an operating system onto a host machine and a respective operating system onto a data processing units (DPU) installed on a host machine. The unified boot image contains installation files for installing an operating system on the host machine and an installation depot that can be used to create a boot image for installing the same or different operating system on the DPU. During installation of an operating system on a host machine, the installation workflow can also require installation of an additional operating system or other configuration of a DPU installed in a host machine. In response to determining that an operating system is to be installed on the DPU, the installation depot can be obtained and reformatted into a downloadable format that is compatible with the DPU.
Disclosed are mechanisms that enable secure file sharing between applications using an operating system framework. In some examples, an extension map is received by a client device. The extension map relates a file extension to an alias file extension. A management software development kit (SDK) is used by an application. The management SDK identifies that the application originates a file comprising the file extension, stores the file as an extension-aliased file by changing its file extension to the alias file extension according to the extension map. The extension-aliased file is transferred to a recipient application using a file sharing utility of an operating system of the client device.
Systems and methods are described herein for dynamic debug logging during application runtime. In an example, a wrapper can be added to the code for functions of the application. During runtime, the wrapper can cause the functions to retain certain debug data. In one example, a function call graph can be constructed, which can include all the possible function call paths for the application. When an error occurs, if the application does not have a stack trace tool or API available, the application can use the function call graph to determine all possible function call paths between the entrant function and the errored function. If an application does have a stack trace tool or API, then the application can retrieve the actual function call path that led to the error. The application can enable a debug flag in the wrapper for each function in the function call path, which can cause those functions to log runtime debug data.
Systems and methods are described herein for dynamic debug logging during application runtime. In an example, a wrapper can be added to the code for functions of the application. During runtime, the wrapper can cause the functions to retain certain debug data. In one example, a function call graph can be constructed, which can include all the possible function call paths for the application. When an error occurs, if the application does not have a stack trace tool or API available, the application can use the function call graph to determine all possible function call paths between the entrant function and the errored function. If an application does have a stack trace tool or API, then the application can retrieve the actual function call path that led to the error. The application can enable a debug flag in the wrapper for each function in the function call path, which can cause those functions to log runtime debug data.
The present disclosure relates to translation of voice commands using machine learning. Command text corresponding to a voice command can be received, and at least one error can be identified in the command text. A comparison can be performed between the at least one error and at least one lexical pattern corresponding to a user associated with the voice command. Modified command text can be generated based at least in part on the comparison between the at least one error and the at least one lexical pattern. The modified command text can be determined to fail to comprise an additional error.
Computer-implemented methods, media, and systems for automatic discovery of application resources for application backup in a container orchestration platform (e.g., a Kubernetes system) are disclosed. In an example method, a pod of an application deployed in a container orchestration platform is identified. Then an owner object of the pod is determined. Resources mounted on the pod and on the owner object of the pod in the container orchestration platform are checked. Based on the pod, the owner object of the pod, and the resources mounted on the pod and on the owner object of the pod, a resource hierarchy of the application is constructed. A backup specification for backup of the application is identified. Based on the backup specification and the resource hierarchy of the application, resources of the application are backed up.
G06F 11/14 - Error detection or correction of the data by redundancy in operation, e.g. by using different operation sequences leading to the same result
To implement secure block cloning on file systems that support block cloning, a computer security application is executed on a computer system deploying a file system that supports block cloning. The computer security application receives a block cloning command to clone a source file to a target file. Before the computer system executes the block cloning command, the computer security application identifies a trust status associated with the source file. The trust status is identified by looking up a base inventory that stores trust data associated with multiple files stored on the file system. The multiple files include the source file. Based on the trust status associated with the source file, the computer security application determines that the trust status associated with the source file is trustworthy. In response to determining that the source file is trustworthy, the computer security application applies the trust status associated with the source file to the target file.
G06F 21/56 - Computer malware detection or handling, e.g. anti-virus arrangements
G06F 21/57 - Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
74.
LOG FORWARDING FOR AN AGENT PLATFORM APPLIANCE AND SOFTWARE-DEFINED DATA CENTERS THAT ARE MANAGED THROUGH THE AGENT PLATFORM APPLIANCE
A method of forwarding logs of a software-defined data center (SDDC) and logs of an agent platform appliance to a cloud platform through the agent platform appliance, the agent platform appliance having deployed thereon a plurality of agents of cloud services that are delivered to the SDDC, includes the steps of: collecting first log data from one or more management appliances of the SDDC; collecting second log data from one or more of the agents of cloud services; acquiring one or more access tokens for communicating with the cloud platform; and transmitting log data generated from the collected first log data and the collected second log data, along with the one or more access tokens, to a log monitoring service running in the cloud platform, wherein the log monitoring service is configured to generate alerts separately for different tenants of the computer system from log data of the different tenants.
The disclosure herein describes managing smart alarms based on an associated set of alarms and/or events. The alarms are detected in a computing system and the detected alarms are used to identify a smart alarm definition with which the detected alarms are associated. A condition of the identified smart alarm definition is evaluated, and it is determined that the condition is satisfied at least in part by the set of alarms. Smart alarm information is then provided using the smart alarm definition and the detected set of alarms. Providing smart alarm information associated with the detected set of alarms and/or events provides additional context to enable efficient interpretation of detected alarms in a computing system. Further, managing the smart alarms as described reduces the quantity of individual alarms that must be processed and reduces the likelihood of errors occurring as those alarms are processed.
G08B 19/00 - Alarms responsive to two or more different undesired or abnormal conditions, e.g. burglary and fire, abnormal temperature and abnormal rate of flow
The disclosure provides an approach for simulating a virtual environment. A method includes simulating, using a virtualization simulator, a plurality of hosts; simulating, using the virtualization simulator, a plurality of virtual computing instances (VCIs) associated with the plurality of simulated hosts, based on information obtained from a cluster application programming interface (API) provider; creating, using a virtualization simulator operator, one or more node simulator schedulers; creating, using the one or more node schedulers, a node simulator; simulating, using the node simulator, a plurality of guest operating systems (OSs) associated with the plurality of simulated VCIs; and joining the plurality of simulated guest OSs to one or more node clusters in a data center via an API server.
A system and method for capturing resource usage information in a network for namespaces in which pods operate are described herein. A data structure specifies a topology that includes a gateway and routing addresses in a network whose usage is to be captured. The data structure is provided to an API of a master node controlling the pods. A controller in the master node enforces the data structure and reports results back to the API.
Disclosed herein is a system and method for controlling network traffic among namespaces in which various entities, such as virtual machines, pod virtual machines, and a container orchestration system, such as Kubernetes, reside and operate. The entities have access to a network that includes one or more firewalls. The traffic that is permitted to flow over the network among and between the namespaces is defined by a security policy definition. The security policy definition is posted to a master node in a supervisor cluster that supports and provisions the namespaces. The master node invokes a network manager to generate a set of firewall rules and program the one or more firewalls in the network to enforce the rules.
An example method of virtualized cache allocation for a virtualized computing system includes: providing, by a hypervisor for a virtual machine (VM), a virtual shared cache, the virtual shared cache backed by a physical shared cache of a processor; providing, by the hypervisor to the VM, virtual service classes and virtual service class bit masks; mapping, by the hypervisor, the virtual service classes to physical service classes of the processor; associating, by the hypervisor, a shift factor with the virtual service class bit masks with respect to physical service class bit masks of the processor; and configuring, by the hypervisor, service class registers and service class bit mask registers of the processor based on the mapping and the shift factor in response to configuration of the virtual shared cache by the VM.
Systems and methods are described for providing a graphical user interface (“GUI”) for graph-based visualizations of network flows using entity clustering. In an example, an application service can periodically execute a job for assigning network entities to clusters according to a clustering type. The job can also include creating metadata about each cluster. The application service can store the assignments in a cache. A user can select to display a visualization of the network in the GUI based on the clustering type. The application service can detect any entities without cluster assignments and create a best guess assignment for them. The GUI can then display a visualization of the network according to the selected clustering type.
H04L 41/22 - Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks comprising specially adapted graphical user interfaces [GUI]
H04L 41/0893 - Assignment of logical groups to network elements
G06F 9/451 - Execution arrangements for user interfaces
G06F 16/28 - Databases characterised by their database models, e.g. relational or object models
A method of performing open and close input/output (I/O) requests targeting a directory of a client computing device includes the steps of: receiving a first I/O request to open the directory, from a driver of a host server, forwarding the first I/O request to the client computing device; in response to the first I/O request, receiving an identifier (ID) of the directory from the client computing device and transmitting the ID to the driver; in response to receiving a second I/O request to close the directory, from the driver, storing the ID in a cache, and not forwarding the second I/O request to the client computing device; and in response to receiving a third I/O request to open the directory, from the driver, retrieving the ID from the cache, and transmitting the ID to the driver again.
An example method of upgrading remote sites of a distributed container orchestration system includes: deploying, by upgrade software executing in a data center remote from the remote sites, a second container orchestration (CO) control plane executing concurrently with a first CO control plane, the second CO control plane having a second version different than a first version of the first CO control plane, the first CO control plane initially managing all of the remote sites; upgrading, by the upgrade software, CO support software of a first portion of the remote sites; adding, by the upgrade software, the first portion of the remote sites to a second CO cluster managed by the second CO control plane; and removing, by the upgrade software, the first portion of the remote sites from a first CO cluster managed by the first CO control plane.
Example methods and systems for cluster add-on lifecycle management are described. In one example, a computer system may obtain cluster add-on definition information specifying multiple add-ons that are each capable of extending functionality of at least a first cluster and a second cluster. User interface(s) may be generated based on the cluster add-on definition information to allow a user to request for a management action associated. In response to receiving a first request for a first management action associated with the first add-on, a first instruction may be generated and sent to cause the first management action to be performed in the first cluster. In response to receiving a second request for a second management action associated with the second add-on, a second instruction may be generated and sent to cause the second management action to be performed in the first cluster or the second cluster.
A novel algorithm for packet classification that is based on a novel search structure for packet classification rules is provided. Addresses from all the containers are merged and maintained in a single Trie. Each entry in the Trie has additional information that can be traced back to the container from where the address originated. This information is used to keep the Trie in sync with the containers when the container definition dynamically changes.
Disclosed are various examples for controlling and managing data access to increase user privacy and minimize intentional or inadvertent misuse of accessed information. Upon detecting a request for an administrator review of a user client device, permission for administrator access can be obtained from a user associated with the user client device. The client device identifier can be obfuscated such that the administrator accessing the data is not provided the actual device identifier. An administrator review session between the user client device and an administrator client device can be established to allow the administrator client device access to the permitted client device data.
Some embodiments provide a method for one of multiple shared API processing services in a container cluster that implements a network policy manager shared between multiple tenants. The method receives a configuration request from a particular tenant to modify a logical network configuration for the particular tenant. Configuration requests from the plurality of tenants are balanced across the plurality of shared API processing services. Based on the received configuration request, the method posts a logical network configuration change to a configuration queue in the cluster. The configuration queue is dedicated to the logical network of the particular tenant. Services are instantiated separately in the container cluster for each tenant to distribute configuration changes from the respective configuration queues for the tenants to datacenters that implement the tenant logical networks such that configuration changes for one tenant do not slow down processing of configuration changes for other tenants.
H04L 41/0895 - Configuration of virtualised networks or elements, e.g. virtualised network function or OpenFlow elements
H04L 41/342 - Signalling channels for network management communication between virtual entities, e.g. orchestrators, SDN or NFV entities
H04L 41/40 - Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks using virtualisation of network functions or resources, e.g. SDN or NFV entities
87.
METHOD FOR MODIFYING AN SD-WAN USING METRIC-BASED HEAT MAPS
Some embodiments provide a method for using a heat map to modify an SD-WAN (software-defined wide-area network) deployed for a set of geographic locations. From a set of managed forwarding elements (MFEs) that forward multiple data message flows through the SD- WAN to a set of destination clusters, the method collects multiple metrics associated with the multiple data message flows. Based on the collected multiple metrics, the method generates a heat map that accounts for (1) the multiple data message flows, (2) locations of the set of MFEs, and (3) locations of the one or more destination clusters. The method uses the generated heat map to identify at least one modification to make to the SD-WAN to improve forwarding of the multiple data message flows.
H04L 41/122 - Discovery or management of network topologies of virtualised topologies e.g. software-defined networks [SDN] or network function virtualisation [NFV]
H04L 41/22 - Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks comprising specially adapted graphical user interfaces [GUI]
H04L 41/5009 - Determining service level performance parameters or violations of service level contracts, e.g. violations of agreed response time or mean time between failures [MTBF]
H04L 43/026 - Capturing of monitoring data using flow identification
The disclosure provides an approach for virtual computing instance (VCI) placement. Embodiments include receiving, by a resource optimization system, physical network interface (NIC) queue availability information relating to a plurality of host computers. Embodiments include determining, by the resource optimization system, physical NIC queue requirements of a VCI. Embodiments include selecting, by the resource optimization system, a target host computer for the VCI from the plurality of host computers based on the physical NIC queue availability information and the physical NIC queue requirements of the VCI. Embodiments include loading, by the resource optimization system, the VCI on the target host computer.
The disclosure provides an approach for dynamic centralized model compilation. Embodiments include receiving, from a client, a request for a machine learning model, wherein the request indicates either one or more attributes comprising one or more of a hardware characteristic, a target precision, or a compiler characteristic, or that one or more default behaviors should be used to compile the machine learning model. Embodiments include determining a compiler for the machine learning model based on the one or more attributes or the one or more default behaviors, wherein the compiler is stored in a registry. Embodiments include compiling the machine learning model using the compiler. Embodiments include providing the compiled machine learning model to the client in response to the request.
An example method of entitling endpoint software in a multi-cloud environment having a public cloud in communication through a messaging fabric with a data center includes: determining, by an entitlement service executing as a cloud service in the public cloud, deployment information for the endpoint software executing on virtualized hosts of the data center; generating, by the entitlement service in response to an entitlement request, an entitlement task in response to verifying the entitlement request against the deployment information; sending, through the messaging fabric, the entitlement task from the entitlement service to an entitlement agent of an agent platform appliance executing in the data center; and applying, by the entitlement agent in cooperation with a licensing service of the endpoint software, a subscription entitlement as indicated in the entitlement task.
An example method of classifying alerts generated by endpoints in a virtualized computing system includes: receiving, at an alert processing engine executing in the virtualized computing system, a stream of the alerts generated by security agents executing in the endpoints; extracting fields from the alerts at the alert processing engine; computing, at the alert processing engine, features from the alerts based on the fields; computing, at the alert processing engine, a plurality of model scores for each alert using the features as parametric input to a plurality of models; aggregating, by the alert processing engine, the plurality of model scores into a final score for each alert; and annotating each of the alerts with a respective final score.
G06F 21/55 - Detecting local intrusion or implementing counter-measures
G06F 21/53 - Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity, buffer overflow or preventing unwanted data erasure by executing in a restricted environment, e.g. sandbox or secure virtual machine
Systems and methods are described for provisioning a desktop interface at a cloud service provider. An application service is introduced that selects a cloud service provider for provisioning a virtual machine (“VM”) that hosts the desktop interface. In an example, a user can request access to a virtual desktop from a client device. The application service can retrieve network latency data from multiple cloud service providers and select the provider with the lowest network latency for the client device. In some examples, the application service can select the cloud service provider on additional factors, such as the cost of provisioning the VM at each cloud service provider. The application service can provision the VM at the selected cloud service provider and facilitate access to the virtual desktop for the client device.
A scanner redirection method for a remote desktop system that includes a client computing device that has running therein a scanner redirection module, and a host server, the scanner redirection module including a data source manager for communicating with a data source that is configured to communicate with a physical scanner, includes the steps of: receiving from an application running on the host server, a request for a scanned image; in response to the request for the scanned image, transmitting to the data source a request to acquire the scanned image from the physical scanner; and upon receiving the scanned image from the data source, transmitting the scanned image to the application.
An example method of updating device firmware in a distributed container orchestration system includes: receiving, at a master server executing in a data center, a definition for a firmware custom resource; obtaining, by an operator of the master server in response to the firmware custom resource, a firmware file set; providing, from the operator to a plurality of remote sites in communication with the data center, the firmware file set; and executing, by servers at the plurality of remote sites, updates of firmware for devices of the servers.
The disclosure provides a method of seamlessly launching at least one of applications or files located on remote desktops. The method generally includes receiving, at a connection server, application information for an application located on a first remote desktop in response to a first request from a client device to add the application to the connection server, receiving, at the connection server, from the client device, a second request to launch the application, validating, at the connection server, the second request based on credentials included in the second request, and forwarding, to the first remote desktop, the second request based on validating the second request, wherein, based on the second request, the first remote desktop launches the application for display at the client device.
The disclosure provides a method of associating thread identifiers (IDs) to input/output (I/O) requests in a remote computing environment. The method generally includes receiving, by a mini-filter on a remote device that is remote from a client device, a request from an application on the remote device to access resources at the client device, determining, by the mini-filter, a thread identifier (ID) associated with the request, the thread ID corresponding to an application thread of the application that generated the request, determining, by the mini-filter, one or more parameters of the request, and transmitting, by the mini-filter, to a redirection server process on the remote device, a message comprising the thread ID and the one or more parameters of the request, wherein the thread ID and the one or more parameters of the request are added to a cache maintained by the redirection server process.
Disclosed are various embodiments for coordinating the rollback of installed operating systems to an earlier, consistent state. In response to determining that a data processing unit (DPU) installed on a computing device has failed to successfully boot a first time, the computing device can be power cycled for a first time. In response to determining that the DPU has successfully booted a second time, a first version of a host operating system can be booted. A DPU operating system (DPU OS) is then booted from a DPU alternate boot image. In response to determining that the first version of the host operating system fails to match an executing version of the DPU OS, the computing device can be power cycled a second time and the host operating system is then booted from a host alternate boot image.
Disclosed are various embodiments for identifying a connection to an external user or organization based upon analysis of data sources within an enterprise. User activity within communications applications can be assessed to identify a closest connection to the external user or organization based upon frequency of communication, age of communication, and/or a sentiment analysis.
Computer-implemented methods, media, and systems for providing container security manageability are disclosed. In one computer-implemented method, a host device connected to a cloud server detects an event of a plurality of events generated by a plurality of containers hosted in the host device. The host device identifies container context data of the event, associates the container context data with the event, sends the container context data to the cloud server for security analysis. The host device receives, from the cloud server, security rules based on the security analysis and implements the security rules.
Example methods and systems for malicious process termination are described. In one example, a computer system may detect a first instance of a malicious network activity associated with a first virtualized computing instance. Termination of a first process implemented by the first virtualized computing instance may be triggered, the first instance of the malicious network activity being associated with the first process. The computer system may obtain event information associated with the first process and/or the first instance of the malicious network activity, and trigger termination of a second process implemented by a second virtualized computing instance based on the event information. Examples of the present disclosure may be implemented to leverage the detection of the first instance of the malicious network activity to terminate both the first process and the second process, and to block a second instance of a malicious network activity associated with the second process.
