Systems, apparatus, articles of manufacture, and methods are disclosed that monitor and correct for configuration drift in cloud accounts by instantiating or executing machine-readable instructions to access target state configuration information from a first user account for a cloud account, onboard the cloud account at a first time to configure cloud resources based on the target state configuration information, detect a first drift between the target state configuration information and an in-use configuration state of the cloud account at a second time, log a corresponding change in the in-use configuration state relative to the target state configuration information, the first event record logged in a timeline of second event records representing second drifts of the cloud account relative to the target state configuration information, and after the detection of the first drift, change an in-use configuration of the cloud account based on the target state configuration information.
Systems, apparatus, articles of manufacture, and methods are disclosed for template generation to enforce desired states on cloud accounts. An example apparatus disclosed herein includes programmable circuitry to access a privilege from a cloud account, the privilege associated with a resource to be deployed based on a template, validate the privilege relative to template privileges specified in the template, secure the resource before deployment of the resource by imputing a privilege access condition to the resource based on the privilege satisfying at least one of the template privileges, and deploy the resource based on the template in a secure state, the secure state corresponding to the privilege access condition.
A management node may include a storage device to store mapping information associating an identifier of a virtual computing instance deployed in a data center with an identifier of an agent that runs in the virtual computing instance. Further, the management node may an agent management module to receive an event notification indicating a state change of the virtual computing instance from an infrastructure management component residing in the data center. The event notification may include the identifier of the virtual computing instance. In response to receiving the event notification, the agent management module may determine the agent that is likely to affect due to the state change of the virtual computing instance based on mapping information and the identifier of the virtual computing instance. Further, the agent management module may manage a state of the agent based on the state change of the virtual computing instance.
An example method may include executing, using an integration plugin installed on a first integrated product running in a first management node, a first schedule job to assess the first management node for a specified period of time or for a specified number of assessments. Further, a check is made to determine, using the integration plugin, whether a thread in a thread pool of the first management node is idle after the specified period of time or the specified number of assessments. Based on the whether the thread is idle, a number of threads allocated for data transfer between a second management node executing a second integrated product and the first management node may be altered using the integration plugin. Based on the altered number of threads, the data transfer between the second management node and the first management node may be performed using the integration plugin.
Some embodiments provide a method for configuring a first Pod in a container cluster to perform layer 7 (L7) services for a logical router. At a second Pod that performs logical forwarding operations for the logical router, the method receives configuration data for the logical router from a network management system that defines a logical network for which the logical router routes data messages and performs L7 services. The method provides a set of Pod definition data to a cluster controller to create the first Pod. After creation of the first Pod, the method provides to the first Pod (i) networking information to enable a connection between the first and second Pods and (ii) configuration data defining the L7 services for the first Pod to perform the L7 services on data traffic sent from the second Pod to the first Pod.
Some embodiments provide a method for implementing a logical router of a logical network at a first Pod executing on a first node of a Kubernetes cluster to implement data message forwarding for the logical router. The method receives a data message for processing by the logical router. The method determines that the data message requires layer 7 (L7) service processing at the logical router. The method selects a second Pod from multiple Pods that perform L7 service for the logical router. Each of the Pods executes on a different node of the cluster. The method forwards the data message to the second Pod via a layer 2 (L2) construct that connects the first and second Pods.
Some embodiments provide a novel method for offloading firewall operations from a host computer executing a set of one or more virtual machines (VMs) to a physical network interface card (PNIC) connected to the host computer. The method configures, on the PNIC, a first firewall to determine actions to perform on flows associated with the set of VMs, and to offload processing of the flows to a flow-cache second firewall of the PNIC. The method configures, on the PNIC, the flow-cache second firewall to process a first set of flows based on a first set of actions determined by the first firewall, and to offload processing of a second set of flows to an embedded hardware switch of the PNIC. The method configures, on the PNIC, the embedded hardware switch to process the second set of flows based on a second set of actions determined by the first firewall.
Some embodiments provide a novel method for migrating virtual machines (VMs) from a first host computer to a second host computer. The first host computer is connected to a physical network interface card (PNIC) that performs middlebox service operations for flows associated with the VMs. At the PNIC, the method receives a notification that a VM is to be migrated from the first to the second host computer. The method configures an embedded hardware switch of the PNIC to forward a set of flows associated with the VM to a firewall of the PNIC. The embedded hardware switch was initially programmed to process the set of flows instead of the firewall. The method synchronizes flow cache information regarding the set of flows from the embedded hardware switch to the firewall. The method processes the set of flows at the firewall until the VM is migrated to the second host computer.
G06F 9/455 - EmulationInterpretationSoftware simulation, e.g. virtualisation or emulation of application or operating system execution engines
H04L 41/0897 - Bandwidth or capacity management, i.e. automatically increasing or decreasing capacities by horizontal or vertical scaling of resources, or by migrating entities, e.g. virtual resources or entities
9.
MAINTAINING FIREWALL RULES AT A PNIC THAT PERFORMS FIREWALL OPERATIONS ON DATA MESSAGE FLOWS
Some embodiments provide a novel method for updating firewall rules for data message flows processed at a physical network interface card (PNIC) connected to a host computer. A firewall of the PNIC receives an update to a particular firewall rule. The firewall identifies a particular data message flow that is processed at an embedded hardware switch of the PNIC using the particular firewall rule. The firewall updates a flow record associated with the particular data message flow to reflect the received update to the particular firewall rule. The firewall provides the updated flow record to the embedded hardware switch for the embedded hardware switch to process the particular flow according to the received update.
Some embodiments provide a novel method for using connection tracking records to process data messages at a physical network interface card (PNIC) connected to a host computer. A first software firewall of the PNIC determines whether processing of a flow is passable to a second software firewall of the PNIC and to a third hardware firewall of the PNIC. The first software firewall creates a connection tracking record for the flow and data specifying whether processing of the flow is passable to the second software firewall and independently whether processing of the flow is passable to the third hardware firewall. The first software firewall provides the connection tracking record and said data to the second software firewall of the PNIC so that the second software firewall processes the flow or passes the connection tracking record and the data to the third hardware firewall if determination was that the flow is passable to the third hardware firewall.
Systems, apparatus, articles of manufacture, and methods are disclosed to resolve conflicts between multiple automation systems. An example apparatus includes interface circuitry, machine readable instructions, and programmable circuitry to at least one of instantiate or execute the machine readable instructions to: cause storage of records indicative of configuration changes made to a computing resource; generate a time series based on the records; analyze the time series to determine if a configuration change conflict is detected; and after detection of a configuration change conflict, generate a notification of the configuration change conflict.
Examples of the disclosure are directed to password management of virtual machines in a virtual machine environment. A password can be obtained that corresponds to a virtual machine. The password can be associated with a password identifier that is generated independent of a storage location of the files associated with the virtual machine. An operating system password vault can be utilized that stores the password and password identifier.
Systems, apparatus, articles of manufacture, and methods are disclosed to manage configuration of a cloud resource. An example system disclosed herein to manage configuration of a cloud resource includes programmable circuitry to at least one of execute or instantiate machine-readable instructions to compare a cloud resource configuration state with a cloud resource target configuration, generate an updated cloud resource configuration specification based on a difference between the cloud resource configuration state and the cloud resource target configuration, and cause an update of a cloud resource configuration parameter in a cloud provider based on the updated cloud resource configuration specification.
Example methods and systems for network status visualization are described. In one example, a computer system may obtain status information associated with a set of multiple object-attribute pairs. Each object-attribute pair may include one of multiple objects and one of multiple attributes. The computer system may generate and display a user interface (UI) view that includes an array of multiple interactive UI elements to display the status information. In response to detecting a first interaction with a first interactive UI element, the computer system may update the UI view to display and enable selection of a first action. In response to detecting a second interaction with a second interactive UI element, the computer system may update the UI view to display and enable selection of a second action.
G06F 3/0484 - Interaction techniques based on graphical user interfaces [GUI] for the control of specific functions or operations, e.g. selecting or manipulating an object, an image or a displayed text element, setting a parameter value or selecting a range
G06F 3/0482 - Interaction with lists of selectable items, e.g. menus
The disclosure herein describes scanning a snapshot of a virtualized computing instance (VCI) for malware. A VCI snapshot associated with a version of a malware infected VCI is scanned for malware. The malware scanning includes selecting a first file of the VCI snapshot and determining that a file, in a previously scanned VCI snapshot associated with another version of the malware infected VCI, which corresponds to the selected first file has a clean reputation indicator. Further, it is determined that the metadata of the selected first file matches metadata of the corresponding file. Based on these determinations, the malware scanning proceeds to scan the next file for malware without scanning the selected first file for malware.
An example computer system includes a hardware platform including a processing unit and software executing on the hardware platform. The software includes a workload and a scheduler, the workload including a network function chain having network functions, the scheduler configured to schedule the network functions for execution on the processing unit. A downstream network function includes a congestion monitor configured to monitor a first receive queue supplying packets to the downstream network function, the congestion monitor configured to compare occupancy of the first receive queue against a queue threshold. An upstream network function including a rate controller configured to receive a notification from the congestion monitor generated in response to the occupancy of the first receive queue exceeding the queue threshold, the rate controller configured to modify a rate of packet flow between a second receive queue and the upstream network function in response to the notification.
An example method for implementing a microservice architecture for a management application may include deploying a first service of the management application on a first container running on a container host. Further, the method may include employing a service-to-service communication mechanism to control communication between the first service and a second service of the management application. Furthermore, the method may include employing an inter-process communication mechanism to control communication between the first service and the container host using named pipes and employing a proxy to control communication between the first service and an external application in an external device. Further, the method may include enabling a container orchestrator to monitor and manage the first service.
An example method of entitling software in a cloud includes: receiving, from an entitlement agent of the software, an entitlement request at a first entitlement proxy of an entitlement service executing in the cloud; determining, by the entitlement proxy, an entitlement of the software in response to the entitlement request based on an entitlement specification, the entitlement specification provided by an entitlement root of the entitlement service; and sending, by the entitlement proxy, the entitlement to the entitlement agent for application to the software.
Some embodiments provide a novel method for analyzing data collected by a vehicle at a first location. On a first device operating in the vehicle, the method instantiates a virtual desktop first virtual machine (VM) for remote use of the first device by a remote user that uses a remote second device at a remote second location. The method instantiates a data collection second VM for local use of the first device to collect a set of data at the first location and store the set of data at the vehicle. The method facilitates interaction between the virtual desktop first VM and the remote user over a network for the remote user to access the data collection second VM to analyze the set of data without needing to forward the set of data over the network to the remote second device.
Some embodiments provide a novel method for efficiently updating software of virtual machines (VMs) executing on devices in a vehicle such that updates to the software do not interrupt operations performed by the VMs. While the vehicle operates, the method collects configuration state information of a first VM executing on a device and performing a set of operations. The method uses the configuration state information to instantiate a second VM in an isolated network environment that is isolated from the first VM. The second VM is identical to the first VM at a particular time the configuration state information was collected. The method updates the second VM, and detects a compute downtime of the vehicle. During the compute downtime, the method uses the updated second VM on the device instead of the first VM such that the updated second VM performs the set of operations once the compute downtime ends.
Some embodiments provide a novel method for remotely performing data analysis on a set of data collected using a first device operating in a vehicle at a first location. At a remote second device used by a remote user at a remote second location, the method accesses, over a network, a first VM executing on the first device allowing remote use of a second VM executing on the first device to produce analysis results of data that is collected and stored at the vehicle. The method uses the first VM (1) to direct the second VM to analyze the set of data to produce a set of analysis results, (2) to generate a rendered image that shows the set of analysis results, and (3) to forward the rendered image through the network to the remote second device for the remote user to view the set of analysis results.
System and computer-implemented method for migrating partial tree structures of virtual disks for virtual computing instances between sites in a computer system uses a compressed trie, which is created from target tree structures of virtual disks at a plurality of target sites in the computer system. For a virtual computing instance selected, the compressed trie is used to find candidate target sites based on a disk chain string of the virtual computing instance. For each candidate target site, a cost value for migrating the virtual computing instance along with a partial source tree structure of virtual disks corresponding to the virtual computing instance from the source site to the candidate target site is calculated to select a target site with a lowest cost value as a migration option to reduce storage resource usage in the computer system.
An example method may include generating a license key for a product that manages resources in a data center by encoding client product license data. The client product license data may include a first resource usage quota for an on-premises version of the product and a second resource usage quota for a cloud version of the product. Further, the method may include enabling activation of the on-premises version and the cloud version of the product using the licensed key. Furthermore, the method may include monitoring license usage data associated with the on-premises version and the cloud version. Further, the method may include analyzing the monitored license usage data to ensure compliance of the first resource usage quota and the second resource usage quota for the on-premises version and the cloud version, respectively.
The present disclosure is related to devices, systems, and methods for virtual infrastructure provisioning on government compliant and non-compliant endpoints based on configuration. One embodiment includes receiving a request made by a user to provision a catalog item in a cloud computing environment, determining that the user is assigned to a project required to comply with governmental requirements concerning virtual infrastructure, selecting a cloud zone of a cloud region in which to provision the catalog item, wherein the cloud region is configured to provide compliance with the governmental requirements, and deploying the provisioned catalog item in the selected cloud zone.
Examples described herein include efficient data packet transmission between virtual machines (“VMs”) on different hosts. An example method includes generating a large data packet at a source VM and determining a modified maximum segment size for efficient transmission. This modified size replaces the default maximum segment size through a TSO MSS override. Segmentation occurs based on the modified size, and the data segments are transmitted to the destination VM, even if on a different host. Dynamic determination of the modified size optimizes data transmission efficiency and network performance. It accounts for network headers and enables efficient transmission with or without large receiving offload (“LRO”) support. Additionally, non-transitory computer-readable media and servers implementing the method are disclosed. These systems and methods achieve streamlined data transmission, improving network performance and reducing processing overhead.
Some embodiments provide a novel method for selecting a route for a vehicle traveling from a first location to a second location. For each of a set of two or more candidate navigation routes from the first location to the second location, the method computes (1) a first-metric route score representing a first quality of the candidate navigation route according to a first set of route navigation metrics relating to the vehicle's navigation from the first location to the second location, and (2) a second-metric route score representing a second quality of the candidate navigation route according to a second set of wireless connectivity metrics relating to connectivity of one or more wireless devices operating in the vehicle. Based on the first and second metric route scores, the method uses one navigation route to provide navigation instructions for the vehicle's navigation from the first location to the second location.
System and method for enabling operations for virtual computing instances with physical passthru devices includes moving an input-output memory management unit (IOMMU) domain from a source virtual computing instance having a physical passthru device to a destination virtual computing instance, where guest operations are performed in the source virtual computing instance. After the destinating virtual computing instance is powered on, any interrupt notifications from the physical passthru device are buffered. After memory data is transferred from the source virtual computing instance to the destination virtual computing instance, posting of interrupt notifications from the physical passthru device is resumed and any buffered interrupt notifications from the physical passthru device are posted. Guest operations are performed in the destination virtual computing instance.
The present disclosure is directed to an adjusted group execution framework (“AGEF”) that adjusts execution of a monolithic cloud application based on predictive diagnostics. The AGEF aids owners of monolithic applications with offloading existing overloaded tasks to other nodes in a cluster of server computers. The AGEF includes an executor that is responsible for running specified execution flows described in an instruction file and a built-in predictive diagnostic engine that is trained on metric data recorded in a historical time period during prior executions of the monolithic application. The predictive diagnostic system generate a performance value that reveals the state of the monolithic application in one of two categories, such as success or fail, or in multiple categories, such as high, moderator, or low performance.
Some embodiments provide a novel method for processing flows at an embedded hardware switch of a physical network interface card (PNIC) connected to a host computer. A firewall of the PNIC detects an end of a particular data message flow associated with a particular VM of the host computer. Processing of the particular data message flow was offloaded from the firewall to an embedded hardware switch of the PNIC. After detecting the end of the particular data message flow, the firewall ends offloading of the particular data message flow by deleting a first flow record stored at the embedded hardware switch for the particular data message flow. The firewall deletes a second flow record stored at the first firewall for the particular data message flow.
Aspects of the disclosure generate independent encryption keys for objects (e.g., virtual machine disks (VMDKs)) without requiring the management of multiple keys. An encryption manager obtains a primary encryption key, an object identifier (ID) comprising a globally unique ID (GUID) for an object, a data salt comprising the object ID and a data salt string, and a metadata salt comprising the object ID and a metadata salt string. A data encryption key is generated using the primary encryption key, the data salt, and a one-way function. A metadata encryption key is generated using the primary encryption key, the metadata salt, and the one-way function. Because the data salt string and metadata salt string differ, the data encryption and metadata encryption keys differ. Object IDs for different objects differ, so each object and its metadata have globally unique keys. Key generation (other than the primary key) is deterministic, simplifying key management.
A computerized method of restoring a malware-infected computing device using a validated reputation cache includes creating a first virtual machine from a first backup of the infected device. First file reputation data for a plurality of files of the first virtual machine is received. The first file reputation data is stored onto a disk drive accessible by the first virtual machine. Upon detection of malware on the first virtual machine from a first malware scan performed using the first file reputation data, a second virtual machine is created from a second backup of the infected device. A second malware scan of the second virtual machine is performed using the first file reputation data from the secondary storage disk drive. Upon detection of no malware on the second virtual machine, the second backup of the infected device is used as a recovery image to restore the infected device.
G06F 21/56 - Computer malware detection or handling, e.g. anti-virus arrangements
G06F 11/14 - Error detection or correction of the data by redundancy in operation, e.g. by using different operation sequences leading to the same result
32.
SYSTEM AND METHOD FOR PROVIDING FLEXIBLE CLOUD NAMESPACES IN A CLOUD COMPUTING ENVIRONMENT
System and method for provide a computing infrastructure as a service creates a flexible cloud namespace in a software-defined data center (SDDC) in response to a first instruction from a user and deploys virtual computing instances in the flexible cloud namespace in response to a second instruction from the user. The flexible cloud namespace comprises a logical construct with resources in the SDDC that are supported by underlying SDDC management entities, where the virtual computing instances execute in the flexible cloud namespace of the SDDC using the resources.
System and computer-implemented method for managing software objects in a multi-cloud computing environment uses generated sync cycles for infra managers running in at least one cloud of the multi-cloud computing environment, where at least one of the sync cycles for a particular infra manager includes initial and update state information of software objects associated with the particular infra manager. The object updates of the sync cycles are published to an entity in the multi-cloud computing environment, where the object updates are processed and persistently stored in a database for consumption by a service of the entity.
METHODS AND SYSTEMS INCLUDING A GRAPH-BASED USER INTERFACE THAT DISPLAYS, AND THAT PROVIDES FOR GENERATING AND EDITING, CLOUD-INFRASTRUCTURE-SPECIFICATION-AND-CONFIGURATION FILES
The current document is directed to an infrastructure-as-code (“IaC”) cloud-infrastructure-management service or system including a graph-based user interface that displays, and that provides for generating and editing, cloud-infrastructure-specification-and-configuration files. The IaC cloud-infrastructure-management service or system processes a set of infrastructure-specification-and-configuration files to identify specified resources and relationships between resources. The resources and relationships are then stored as a graph, along with various indices that can be used for quickly searching the graph for relationships and resources of interest. A graph-based user interface allows users to view portions of the graph, navigate through the graph, search for particular resources and relationships, and edit the infrastructure-specification-and-configuration files.
G06F 3/0481 - Interaction techniques based on graphical user interfaces [GUI] based on specific properties of the displayed interaction object or a metaphor-based environment, e.g. interaction with desktop elements like windows or icons, or assisted by a cursor's changing behaviour or appearance
G06F 3/04845 - Interaction techniques based on graphical user interfaces [GUI] for the control of specific functions or operations, e.g. selecting or manipulating an object, an image or a displayed text element, setting a parameter value or selecting a range for image manipulation, e.g. dragging, rotation, expansion or change of colour
G06F 9/451 - Execution arrangements for user interfaces
An example computing system includes software, executing on a hardware platform, configured to manage hypervisors and a distributed switch executing in a host cluster, the software including a control plane of the distributed switch, the hypervisors providing a data plane of the distributed switch, the host cluster including hosts, the distributed switch supporting features; a host membership manager of the software configured to track which of the hosts in the host cluster are members of a group that executes the distributed switch; a feature manager of the software configured to track which of the features of the distributed switch are enabled; and a compatibility checker of the software configured with compatibility data that relates the features of the distributed switch with hypervisor version requirements.
Techniques associated with exchanging data between clusters are disclosed. A data packet can be received from a first pod in a first cluster of a cluster set that targets a second pod or service in a second cluster of the cluster set. A label identity is determined for the first pod from a table of pods and label identities. The label identity for the first pod is added in a virtual network identifier field of a data packet header. The data packet is communicated from a first virtual switch to the second cluster through a tunnel interface and gateway node. Upon receipt of the data packet, the label identity is extracted from the data packet header, and an ingress rule associated with the label identity can be determined. Access to the second pod is controlled based on the rule.
Example methods and systems for blockchain-based licensing as a service are described. In one example, a computer system may receive a first request to obtain a first license associated with a first product from a first client system. In response, the computer system may (a) select a first blockchain from multiple blockchains, and (b) generate and store a first non-fungible token (NFT) on the first blockchain to issue the first license. Further, the computer system may receive a second request to obtain a second license associated with the first product or a second product from a second client system. In response, the computer system may (a) select a second blockchain from multiple blockchains, and (b) generate and store a second NFT on the second blockchain to issue the second license.
Disclosed are examples of a system that publishes metadata to a blockchain network. The metadata can contain properties of data generated by a system. The metadata can allow for other entities to validate or trust the data generated by the system. The metadata can include data attributes that profile the data.
The disclosure provides an approach for automatically scheduling resource-aware software-defined data center (SDDC) upgrades. Embodiments include receiving, via a user interface (UI), user input indicating one or more constraints related to automatically scheduling a plurality of upgrade phases for upgrading components of a plurality of computing devices across a plurality of SDDCs. Embodiments include receiving, via the UI, a user selection of a first UI control that, when selected, initiates an automatic assignment of the plurality of upgrade phases to particular time slots based on the one or more constraints. Embodiments include displaying, via the UI, a depiction of a schedule for the plurality of upgrade phases based on the automatic assignment. Embodiments include displaying, via the UI, a second UI control that, when selected, causes the automatic assignment to be finalized and a third UI control that, when selected, initiates a new automatic assignment.
An example method of resynchronizing a first replica of an object and a second replica of an object in an object storage system, includes: determining, by storage software in response to the second replica transitioning from failed to available, a stale sequence number for the second replica, the storage software having associated the stale sequence number with the second replica when the second replica failed; querying, by the storage software, block-level metadata for the object using the stale sequence number, the block-level metadata relating logical blocks of the object with sequence numbers for operations on the object; determining, by the software as a result of the querying, a set of the logical blocks each related to a sequence number being the same or after the stale sequence number; and copying, by the storage software, data of the set of logical blocks from the first replica to the second replica.
An example method of managing a log-structured file system (LFS) on a storage device includes: receiving, at storage software executing on a host, an operation that overwrites a data block, the data block included in a segment of the LFS; determining from first metadata stored on the storage device, a change in utilization of the segment from a first utilization value to a second utilization value; modifying second metadata stored on the storage device to change a relation between the segment and a first bucket to be a relation between the segment and a second bucket, the first utilization value included in a range of the first bucket and the second utilization value included in a range of the second bucket; and executing a garbage collection process for the LFS that uses the second metadata to identify for garbage collection a set of segments in the second bucket.
A method of protecting a computer system from execution of container images that are not trustworthy, the method comprising: receiving a message from an application programming interface (API) server of a container orchestration system of the computer system, wherein the message indicates that a first container image has been requested for deployment; in response to receiving the message from the API server that the first container image has been requested, transmitting a request to an image evaluation service to evaluate whether the first container image is trustworthy for execution; and in response to receiving an indication from the image evaluation service that the first container image is not trustworthy, transmitting to the API server, an instruction not to deploy containers using the first container image.
G06F 21/57 - Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
A method of protecting a computer system from execution of container images that are not trustworthy, the method comprising: determining that a container runtime of the computer system has downloaded a first container image for execution by the container runtime; in response to determining that the container runtime has downloaded the first container image, transmitting a request to an image evaluation service to evaluate whether the first container image is trustworthy for execution; and in response to receiving an indication from the image evaluation service that the first container image is not trustworthy, transmitting to the container runtime, an instruction to delete the first container image.
G06F 21/54 - Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity, buffer overflow or preventing unwanted data erasure by adding security routines or objects to programs
44.
ATTESTATION AND ENFORCEMENT OF CRYPTOGRAPHIC REQUIREMENTS ACROSS MULTIPLE HOPS
The disclosure provides an approach for multi-endpoint cryptographic orchestration. Embodiments include establishing, by a first endpoint of a plurality of endpoints related to a multi-endpoint secure communication session, a metadata channel with one or more other endpoints of the plurality of endpoints. Embodiments include sending, by the first endpoint, to a second endpoint of the one or more other endpoints, via the metadata channel, an indication of a cryptographic requirement related to the multi-endpoint secure communication session. Embodiments include performing, by the second endpoint, one or more cryptographic operations related to the multi-endpoint secure communication session based on the indication of the cryptographic requirement. Embodiments include attesting, by the second endpoint, via the metadata channel, that the one or more cryptographic operations comply with the cryptographic requirement.
H04L 9/32 - Arrangements for secret or secure communicationsNetwork security protocols including means for verifying the identity or authority of a user of the system
The disclosure provides an approach for providing cryptographic agility for data storage. Embodiments include receiving, by a cryptographic provider component, a request to perform a cryptographic operation with respect to a storage operation for a data object, wherein the cryptographic provider component is associated with an interception point between a metadata layer of a storage system and an object storage layer of the storage system. Embodiments include determining, by the cryptographic provider component, one or more attributes related to the request based on information received from the metadata layer about the data object. Embodiments include selecting, by the cryptographic provider component, based on the one or more attributes related to the request, a cryptographic technique for handling the request from a set of possible cryptographic techniques. Embodiments include storing, at the object storage layer, an encrypted version of the data object based on the selected cryptographic technique.
Example methods and systems for network status visualization are described. In one example, a first computer system may generate and send a first query identifying a first-level object. Based on a first response, the first computer system may generate and display a first UI view that includes (a) a first user interface (UI) element and multiple second UI elements, (b) a first-level status indicator to indicate that the first-level object is associated with a performance issue, and (c) a second-level status indicator to indicate that the performance issue is associated with a particular second-level object. In response to detecting a user's interaction, the first computer system may generate and send a second query identifying the particular second-level object. Based on a second response, the first computer system may generate and display a second UI view to facilitate troubleshooting of the performance issue.
H04L 41/22 - Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks comprising specially adapted graphical user interfaces [GUI]
G06F 9/455 - EmulationInterpretationSoftware simulation, e.g. virtualisation or emulation of application or operating system execution engines
H04L 41/0631 - Management of faults, events, alarms or notifications using root cause analysisManagement of faults, events, alarms or notifications using analysis of correlation between notifications, alarms or events based on decision criteria, e.g. hierarchy, tree or time analysis
H04L 43/045 - Processing captured monitoring data, e.g. for logfile generation for graphical visualisation of monitoring data
Embodiments of the present disclosure provide a data compression technique, referred to as entropy-constrained uniform quantization (ECUQ), that performs lossy compression of a real valued vector in a manner that ensures a size budget for the compressed vector. In one set of embodiments, ECUQ achieves this by finding “close-to-the-best” quantization values for quantizing the vector in view of the size budget via a fast and robust search procedure.
Aspects of the disclosure perform network scheduling in a distributed storage system. Example operations include: determining a network congestion condition at a first host; based on the network congestion condition, determining a packet delay time; based on a first data packet belonging to a first traffic class of a plurality of traffic classes, delaying transmitting the first data packet, from the first host across a network to a second host, by the packet delay time; and based on a second data packet belonging to a second traffic class, transmitting the second data packet from the first host to the second host without a delay. In some examples, the first traffic class comprises resync input/output operations (I/Os) and the second traffic class comprises non-resync traffic I/Os. Some examples delay packets differently, based on the destination host. Some examples adjust delays to drive the network congestion condition toward a target.
H04L 47/12 - Avoiding congestionRecovering from congestion
H04L 47/2408 - Traffic characterised by specific attributes, e.g. priority or QoS for supporting different services, e.g. a differentiated services [DiffServ] type of service
H04L 47/52 - Queue scheduling by attributing bandwidth to queues
Some embodiments provide a method for monitoring a first service that executes in a Pod on a node of a Kubernetes deployment. At a second service executing on the node, the method monitors a storage of the node that stores core dump files to detect when a core dump file pertaining to the first service is written to the storage. Upon detection of the core dump file being written to the storage, the method automatically (i) generates an image of the first service based on data in the core dump file and (ii) instantiates a new container on the node to analyze the generated image in order to debug the first service.
The disclosure provides a method for assigning containerized workloads to isolated network constructs within a networking environment associated with a container-based cluster. The method generally includes receiving, at the container-based cluster, a subnet port custom resource specification to initiate creation of a subnet port object to assign a node to a subnet within the networking environment, wherein one or more containerized workloads are running on the node, in response to receiving the subnet port custom resource specification, creating the subnet port object, and modifying a state of the container-based cluster to match a first intended state of the container-based cluster at least specified in the subnet port object, wherein modifying the state comprises assigning the node to the subnet in the networking environment.
The disclosure provides an approach for cryptographic agility for multi-layer privacy-preserving data aggregation. Embodiments include receiving a request for dynamic cryptographic technique selection related to a data aggregation process involving a first aggregator device and a second aggregator device performing one or more computations on data provided from multiple endpoints. Embodiments include determining, based on contextual information, that the second aggregator device is associated with a confidential computing component and that the first aggregator device is not associated with any confidential computing component. Embodiments include selecting one or more homomorphic encryption techniques for protecting the data while in use by the first aggregator device based on the determining that the first aggregator device is not associated with any confidential computing component and selecting a confidential computing technique for protecting the data while in use by the second aggregator device.
The disclosure provides an approach for providing cryptographic agility for virtualized data storage. Embodiments include determining, by a hypervisor running on a host machine, one or more attributes of a virtual machine (VM) running on top of the hypervisor. Embodiments include sending, by the hypervisor, to a cryptographic provider component, a request to perform cryptographic functionality with respect to one or more virtual disks associated with the VM, wherein the request comprises the one or more attributes of the VM. Embodiments include selecting, by the cryptographic provider component, based on the one or more attributes of the VM and one or more cryptographic policies, one or more cryptographic techniques for handling the request from a set of possible cryptographic techniques. Embodiments include encrypting the one or more virtual disks in a virtual storage area network (VSAN) based on the selected one or more cryptographic techniques.
The disclosure provides a method for configuring rate limiting policies for microservices in a request execution chain of a distributed system. The method generally includes receiving global rate limit(s), where each global rate limit is associated with a tag and a microservice of a plurality of microservices, and each global rate limit indicates a rate of requests tagged with the tag associated with the global rate limit allowed to be processed by the microservice associated with the global rate limit; and configuring, for each global rate limit: each of the local rate limiter(s) associated with microservice instance(s) associated with the global rate limit with a local rate limit indicating a rate of requests tagged with the tag associated with the global rate limit allowed to be processed by the microservice instance, wherein the local rate limit of each of the local rate limiter(s) is based on the global rate limit.
Techniques associated with security orchestration for on-premises infrastructure are disclosed. A policy definition associated with on-premises infrastructure that defines a desired state can be received. From the policy definition, a target of the on-premises infrastructure can be identified. A management service associated with the target can be determined, and a plugin for the management service can be identified. The policy definition can be communicated to the management service through the plugin, and the management service sets the state of the target to the desired state. The state of the target can be monitored. If the state differs from the desired state, a remediation workflow is initiated to set the state to the desired state specified by the policy definition.
Systems, apparatus, articles of manufacture, and methods are disclosed to tag cloud resources. An example apparatus includes interface circuitry, machine readable instructions, and programmable circuitry to at least one of instantiate or execute the machine readable instructions to obtain first accesses of a cloud resource, the first accesses defining a first usage pattern associated with the cloud resource, associate the cloud resource with a business environment based on the first accesses, compare the first usage pattern to a second usage pattern corresponding to historical accesses of reference cloud resources associated with the business environment, and when the first usage pattern is different from the second usage pattern, limit second accesses of the cloud resource based on the second usage pattern.
An example method may include receiving a request to create a temporary break glass account from a user associated with a user account. The request may include a time period for accessing a data center resource. In response to receiving the request, the temporary break glass account may be created. Further, credentials associated with the temporary break glass account may be notified to the user. Furthermore, an operation may be enabled on the data center resource via the temporary break glass account using the credentials. Further, the temporary break glass account may be deleted in response to an expiration of a timer. The timer may be configured based on the time period.
Systems, apparatus, articles of manufacture, and methods are disclosed to test an automated query language by interfacing with a query endpoint, generating a first test suite based on a plurality of combinations of a plurality of attributes corresponding to an API specification, transmitting the first test suite to be executed on the query endpoint, the first test suite to include instructions to cause the query endpoint to access data stored in a database accessible to a plurality of secondary endpoints, obtaining a response time corresponding to the access of the data, comparing the response time corresponding to the access of the data with a service level agreement required response time, and in response to the response time corresponding to the access of the data being longer than the service level agreement required response time, notifying a developer of the plurality of secondary endpoints.
The disclosure provides an approach for providing cryptography as a service. Embodiments include receiving, by a cryptographic provider component, policy information. Embodiments include receiving, by the cryptographic provider component, requests from a plurality of applications to perform cryptographic operations, wherein the plurality of applications comprise separate processes from the cryptographic provider component. Embodiments include selecting, by a cryptographic router of the cryptographic provider component, based on the policy information and information associated with the requests, one or more cryptographic implementation components for servicing each request of the requests.
H04L 9/32 - Arrangements for secret or secure communicationsNetwork security protocols including means for verifying the identity or authority of a user of the system
59.
METHODS AND APPARATUS FOR GENERATING AND MONITORING A SECURITY INFRASTRUCTURE
Systems, apparatus, articles of manufacture, and methods are disclosed to generate and monitor security infrastructure. An example apparatus comprises programmable circuitry to at least one of instantiate or execute the machine readable instructions to: provision the security infrastructure based on a security infrastructure generation request; detect a global infrastructure template based on the security infrastructure generation request; and generate the security infrastructure based on the provisioned security infrastructure, the global infrastructure template, and an identified security infrastructure generation authorization, the security infrastructure generation authorization to indicate whether the generation of the security infrastructure is permitted.
An example disclosed system includes programmable circuitry to at least one of instantiate or execute instructions to update a compliance rule based on a target compliance definition to generate a target compliance rule, the compliance rule corresponding to a resource in a software defined data center, and output configuration update information based on a comparison of the target compliance rule with a current resource configuration, the current resource configuration corresponding to the resource in the software defined data center.
The disclosure provides for pre-deployment evaluation of a plurality of resource definitions of a plurality of resources for deployment, comprising: determining, for each of one or more resource types, one or more attributes of the resource type including a kind of the resource type; determining, for each of the plurality of resources, an associated resource type of the one or more resource types, based on a match between the kind of the associated resource type and a kind of the resource as defined in a corresponding resource definition of the plurality of resource definitions; generating, for each of the plurality of resources, a role-based access control (RBAC) rule based on the one or more attributes of the associated resource type of the resource and the corresponding resource definition of the resource; generating a collection of RBAC rules including the generated RBAC rule for each of the plurality of resources.
Systems, apparatus, articles of manufacture, and methods are disclosed to prevent data loss, including determining a multi-layered security protocol from a plurality of security protocols stored in a database, after a determination that the multi-layered security protocol includes at least one security protocol corresponding to each unique type, causing the multi-layered security protocol to be enabled, after a breach of the multi-layered security protocol, performing an enforcement, the enforcement to include using a third-party integration and notifying a developer.
Data usage by networking and data processing services is measured using a timeslot system. The timeslots have multiple states for collecting, collecting with processing, and expired timeslots. Data from upstream components is reported to local manager clusters and placed into timeslots corresponding to a timestamp of the data. Data can be reported from local managers to an entitlement service and/or a cloud service portal. Timing inconsistencies due to latency or processing time can be resolved by accounting for a timestamp difference using a timestamp difference value between the timeslot time and the reporting time. Data can be deduplicated, cleaned, and/or compacted. Data can be also be version controlled, with timeslots maintaining a version number. Complete and accurate tracking of data usage and associated costs is improved by reporting and collecting usage data using state-based timeslots.
Some embodiments provide a novel method for efficiently assigning replication-multicast network addresses to overlay-multicast groups of machines executing on host computers of a software-defined network (SDN). For a source machine that is a source of one or more multicast flows, an SDN controller receives from the source machine an overlay-multicast group network address of an overlay-multicast group for which the source machine is the source, and an overlay-multicast source network address associated with the source machine. The SDN controller uses the overlay-multicast group and source network addresses to determine a replication-multicast network address for the overlay-multicast group. The replication-multicast group network address is determined using both the overlay-multicast group and source network address to avoid different overlay-multicast groups being assigned a same replication-multicast network address. The source machine uses the replication-multicast group network address to forward the multicast flows to destination machines that are members of the overlay-multicast group.
Some embodiments of the invention provide a method of migrating a VM from a first host computer to a second host computer, the first host computer having a first PNIC that performs at least one of network forwarding operations and middlebox service operations for the VM. At an RDMA client executing on a set of one or more processors of the first host computer, the method directs an RDMA server executing on the first PNIC to provide networking state data associated with at least one of network forwarding operations and middlebox service operations that the first PNIC performs for the VM. The provided networking state data resides in a memory of the first PNIC that is accessible to the RDMA server. At the RDMA client, the method provides the obtained networking state data to the second host computer as part of a data migration that is performed to migrate the VM from the first host computer to the second host computer.
A system and method for reducing the startup times of applications are described. A plugin extension to a worker node of an orchestration system is established. The plugin extension, once started, is not stopped. The plugin extension comprises one or more lightning containers and a pool of threads/fibers. Each lightning container comprises a virtual machine, such as a WebAssembly virtual machine, to which a thread or fiber from the pool is assigned to run the application. Multiple applications run concurrently as long as threads/fibers are available from the pool. When an application is completed, the thread assigned to it is returned to the thread/fiber pool for re-use.
The disclosure provides an approach for cryptographic agility for privacy-preserving federated learning. Embodiments include receiving a request from an application for dynamic cryptographic technique selection related to a federated learning process, wherein the request indicates one or more types of mathematical operations that are to be performed by an aggregator device on data that is to be provided from multiple endpoints during the federated learning process. Embodiments include selecting, based on the one or more types of mathematical operations that are to be performed by the aggregator device, a cryptographic technique from a plurality of cryptographic techniques. Embodiments include providing a response to the application based on the selecting of the cryptographic technique, wherein the cryptographic technique is used to perform one or more cryptographic operations related to the federated learning process.
The disclosure provides an approach for cryptographic agility for privacy-preserving data aggregation. Embodiments include receiving a request for dynamic cryptographic technique selection related to a data aggregation process, wherein the data aggregation process is to involve an aggregator device performing one or more computations on data that is to be provided from multiple endpoints. Embodiments include selecting a cryptographic technique based on contextual information related the request, wherein the contextual information comprises one or more of: one or more types of mathematical operations that are to be performed by the aggregator device on the data that is to be provided from the multiple endpoints during the data aggregation process; or an indication of whether the aggregator device is associated with a confidential computing component. Embodiments include providing a response based on the selecting of the cryptographic technique.
The disclosure provides an approach for multi-endpoint cipher negotiation. Embodiments include determining, by one or more first endpoints of a plurality of endpoints involved in a multi-party data aggregation process, a privacy-preserving version of an underlying function to be evaluated for cryptographic technique selection. Embodiments include sending, by the one or more first endpoints, to a second endpoint of the plurality of endpoints, the privacy-preserving version of the underlying function and encrypted input values related to attributes of the one or more first endpoints. Embodiments include evaluating, by the second endpoint, the privacy-preserving version of the function based on the encrypted input values and one or more additional encrypted input values. Embodiments include determining, based on the evaluating of the privacy-preserving version of the function, one or more cryptographic techniques to be used for the multi-party data aggregation process.
Techniques associated with adaptive infrastructure security are disclosed. Information regarding a plurality of threat events from one or more source systems is received. For each of the plurality of threat events, a probability of a target system being exploited can be computed. A threat event can be selected at a first time from the plurality of threat events associated with a first probability that meets a threshold. Remedial actions performed to address the threat event at a respective source system can be received, and a guardrail to apply to the target system can be determined based on the remedial actions. The guardrail can then be applied to the target system.
Securely persisting transient data between virtual machine restarts or VM migrations involves terminating, by a first virtual machine (VM) during a shutdown process for the first VM, execution of user-space processes on the first VM, writing, by a first agent executing on the first VM, protected data from transient memory of the first VM to a virtual disk accessible by the first VM and shutting down the first VM. The process also involves initiating a startup process of a second VM, the second VM mounting the virtual disk; and executing, at the second VM and prior to execution of user-space processes, a second agent, the second agent being configured to: read the protected data from the virtual disk into transient memory of the second VM; and delete the protected data from the virtual disk.
The current document is directed to an infrastructure-as-code (“IaC”) cloud-infrastructure-management service or system that automatically generates a parameterized cloud template that represents an already deployed cloud-based infrastructure managed by a different cloud-infrastructure-management service or system and that uses the parameterized cloud template to assume management of the already deployed cloud-based infrastructure. The IaC cloud-infrastructure-management service or system uses an infrastructure-discovery service as well as data representations of the already deployed cloud-based infrastructure generated by the different cloud-infrastructure-management service or system to generate the parameterized cloud template and to detect drift in the already deployed cloud-based infrastructure.
The current document is directed to methods and systems that automatically bind an attribute value, within a resource descriptor in a cloud-infrastructure-specification-and-configuration file, that references a parent resource descriptor via a resource identifier to the resource identifier in the parent resource descriptor. One implementation of attribute-value binding is employed in an infrastructure-as-code (“IaC”) cloud-infrastructure-management service or system that automatically generates parameterized cloud templates that represent already deployed cloud-based infrastructure, including virtual networks, virtual machines, load balancers, and connection topologies. The IaC cloud-infrastructure manager provides an infrastructure-discovery service that accesses a cloud-computing facility to obtain information about already deployed cloud infrastructure and that generates a textual description of the deployed infrastructure, which the IaC cloud-infrastructure-manager then transforms into a set of parameterized cloud-infrastructure-specification-and-configuration files, a resource_ids file, and a parameters file that together comprise a parameterized cloud template.
Some embodiments provide a novel method for optimizing replication of multicast flows to overlay-multicast groups of machines executing on host computers of an SDN. A Layer-2 switch receives, from a particular destination machine that is a member of an overlay-multicast group, a registration to receive multicast flows from a source machine. The registration specifies a replication-multicast network address associated with the overlay-multicast group, a source identifier (ID) associated with the source machine, and a destination ID associated with the destination machine. The switch stores in a local data store, a record specifying the replication-multicast network address, overlay-multicast source network address, and destination ID. The switch receives, from the source machine, a multicast flow specifying the replication-multicast network address as its destination and the source ID as its source. Based on the stored record, the switch forwards the multicast flow to the destination machine.
Cascading style sheets (CSS) library isolation can include replacing instances of a definition of a base root element font size from CSS code of a user interface (UI) plugin to a hosting application with a CSS variable as the CSS code is compiled to a CSS file, reading a definition of a quantity of pixels per one root element font size from the UI plugin, calculating a ratio between the base root element font size of the UI plugin and a base root element font size of the hosting application in pixels, and defining the CSS variable as the ratio at runtime.
JavaScript library isolation can include replacing instances of a read/write call to a particular object from JavaScript code of a user interface (UI) plugin to a hosting application with a proxy as the JavaScript code is compiled to a JavaScript file, defining a function by which the proxy operates, directing a first subset of read/write calls to the particular object in runtime according to the function, and redirecting a second subset of read/write calls to a different object in runtime according to the function.
The disclosure provides a method for storing data in a datastore. The method generally includes storing first data from a first data producer in a first file maintained in the datastore, receiving a read input/output (I/O) request to read the first data stored in the first file, in response to receiving the read I/O request, locking data in the first file to prevent further data from being stored in the first file, processing the read I/O request, and creating a second file for storing at least second data from the first data producer.
Some embodiments of the invention provide a method of migrating a virtual machine (VM) from a first host computer to a second host computer, the first host computer having a first PNIC, the second host computer having a second PNIC, the first and second PNICs for performing at least one of network forwarding operations and middlebox service operations for the VM. At an RDMA client executing on a set of one or more processors of the second PNIC, the method receives a notification from the second host computer indicating a data migration that is performed to migrate the particular VM from the first host computer to the second host computer has started. Based on the notification, at the RDMA client, the method directs an RDMA server executing on the first PNIC to provide networking state data associated with at least one of network forwarding operations and middlebox service operations that the first PNIC performs for the VM. The provided networking state data resides in a memory of the first PNIC that is accessible to the RDMA server.
H04L 67/1097 - Protocols in which an application is distributed across nodes in the network for distributed storage of data in networks, e.g. transport arrangements for network file system [NFS], storage area networks [SAN] or network attached storage [NAS]
G06F 9/455 - EmulationInterpretationSoftware simulation, e.g. virtualisation or emulation of application or operating system execution engines
79.
SINGLE ADAPTER INSTANCE CONFIGURATION FOR MONITORING MULTIPLE VIRTUAL INFRASTRUCTURES
An example method may include generating, during a first boot of a collector appliance, an adapter instance on the collector appliance. Further, the method may include receiving a request to bootstrap a first VCI running in a first virtual infrastructure managed by a first VIM and a second VCI running in a second virtual infrastructure managed by a second VIM. Furthermore, the method may include performing, using the adapter instance, a bootstrapping process of the first VCI to map the adapter instance to the first virtual infrastructure and to install a first monitoring agent, and the second VCI to map the adapter instance to the second virtual infrastructure and to install a second monitoring agent. Further, the method may include collecting, using the adapter instance, performance metrics associated with the first VCI and the second VCI from the first monitoring agent and the second monitoring agent, respectively.
Disclosed herein are a system and method for transitioning a cluster of host computer systems from being configured imperatively to being configured declaratively according to a configuration profile. First, the eligibility of the cluster to be transitioned is determined. Next, a transition wizard is started, which guides the administrator through the steps of the transition. The steps include obtaining the configuration profile, validating the configuration, viewing compliance to the configuration by the cluster, performing a pre-check, and then applying the configuration to the cluster when the validation and pre-check are successful. In this manner, all of the hosts in the cluster are properly configured according to the declarative profile, and error-prone manual configuration is eliminated.
The disclosure provides a method for orchestrating simulated events in a distributed container-based system. The method generally includes monitoring, by a chaos controller deployed in a management cluster of the container-based system, for new objects generated at the management cluster, wherein the management cluster is configured to manage a plurality of simulated workload clusters in a simulation system, based on the monitoring, discovering, by the chaos controller, a new object generated at the management cluster providing information about events intended to be simulated for one or more simulated workload clusters of the plurality of simulated workload clusters, determining a plan for orchestrating a simulation of the events in the one or more simulated workload clusters based on the information provided in the new object, and triggering the simulation of the events in accordance with the plan.
The current document is directed to an infrastructure-as-code (“IaC”) cloud-infrastructure-management service or system that automatically generates parameterized cloud templates that represent already deployed cloud-based infrastructure, including virtual networks, virtual machines, load balancers, and connection topologies. The IaC cloud-infrastructure manager provides an infrastructure-discovery service that accesses a cloud-computing facility to obtain information about already deployed cloud infrastructure and that generates a textual description of the deployed infrastructure, which the IaC cloud-infrastructure-manager then transforms into a set of parameterized cloud-infrastructure-specification-and-configuration files, a resource_ids file, and a parameters file that together comprise a parameterized cloud template.
The current document is directed to an infrastructure-as-code (“IaC”) cloud-infrastructure-management service or system that automatically segregates resource descriptors into category-associated files. In a first mode of operation, an automatic segregator receives one or more raw specification-and-configuration files and partitions the resources specified in the one or more raw specification-and-configuration files into category-associated resource groups. The specifications for the resources that are then stored in category-associated files that may, in turn, be stored in category-associated subdirectories of a file-system directory. In a second mode of operation, the automatic segregator transforms a first type of specification-and-configuration files within a first file-system directory into a second type of equivalent specification-and-configuration files within a second file-system directory.
G06F 16/16 - File or folder operations, e.g. details of user interfaces specifically adapted to file systems
G06F 16/27 - Replication, distribution or synchronisation of data between databases or within a distributed database systemDistributed database system architectures therefor
84.
METHODS AND SYSTEMS THAT AUTOMATICALLY COMPACT, AND ENHANCE THE MANAGEABILITY OF, CLOUD-INFRASTRUCTURE-MANAGEMENT CODE
The current document is directed to an infrastructure-as-code (“IaC”) cloud-infrastructure-management service or system that automatically compacts, and enhances the manageability of, IaC specification-and-configuration files. In a disclosed implementation, specification-and-configuration files used by a first cloud-infrastructure-management service or system to deploy cloud-based infrastructure in a cloud-computing facility are used by a different cloud-infrastructure-management service or system to compact and enhance a parameterized cloud template generated by the different cloud-infrastructure-management service or system to represent the already deployed cloud-based infrastructure. Compaction and manageability enhancement are implemented using control structures and constructs of a template language introduced into the parameterized cloud template.
09 - Scientific and electric apparatus and instruments
42 - Scientific, technological and industrial services, research and design
Goods & Services
(1) Computer software for managing, testing, and using multiple operating systems, and instructional manuals therefor sold as a unit; computer software for automation of IT processes; computer software for the management and deployment of computing resources across computer networks; downloadable software for creating and managing a cloud-based software-defined datacenter of compute, storage and network capabilities; computer software for automation of IT processes; computer software for the management and deployment of computing resources across computer networks; downloadable software for creating and managing a cloud-based software-defined datacenter of compute, storage and network capabilities; operating system software used across servers, storage and networks to aggregate hardware resources and provide built-in services to applications for operating, developing, and managing software and hardware resources; operating system software for managing and automating information technology network management processes; computer software for managing, testing, and using multiple operating systems, and instructional manuals therefor sold as a unit. (1) Building, executing, securing and managing computer applications and application components; deploying, managing, securing and operating containerized applications across different environments; Platform as a service (PaaS) featuring computer software platforms for deploying, managing, securing and operating containerized applications across different environments; technical consulting and research services in the fields of computer software, and computer networks; consulting services in the field of design, selection, implementation and use of computer hardware and software systems; computer programming services; design, development, deployment, implementation, analysis, integration, and management of computer software for others; installation, modification, maintenance, and repair of computer software; customization and configuration of computer software; consulting services related to virtual infrastructure, storage and networking; managed information technology services and operations for others, namely, management of virtual infrastructure, networking and storage services; service provider, namely, hosting, managing and administering computer software for others; leasing and rental of computer software; technical support services, namely, trouble shooting of computer software; technical support services, namely, trouble shooting in the nature of computer hardware diagnosis; technical support services, namely, trouble shooting in the nature of diagnosing computer hardware problems; platform as a Service (PaaS) for creating and managing a cloud-based software-defined data center of compute, storage and network capabilities; software as a Service (SaaS) which monitors endpoints of a data center for known-good behavior and provides inputs upon detecting divergence from the known-good behavior; software as a service (SAAS) services featuring software to provide platform mobility for software applications; software as a service for the management of storage and network resources; software as a service for the automation of IT processes; software as a service for the management and deployment of computing resources across computer networks; enterprise computing services, namely, providing temporary use of non- downloadable software for use in computer program license management and for use in account and permissions administration; providing temporary use of non-downloadable software for data manipulation, validation and reporting of customer specific information and customer identity; computer services, namely, designing, programming, managing, and developing virtual desktop infrastructure platforms; designing, programming, managing, and developing software applications for use on virtual desktop infrastructure platforms; computer services, namely, creation and management of computer services for operating system software used across servers, storage and networks to aggregate software and hardware resources; computer services, namely, designing, developing, implementing, managing applications, infrastructure, computer software and hardware, development platforms, networks and databases; computer services, namely, maintaining applications, infrastructure, computer software, development platforms, networks and databases; creation, management and delivery of computer applications and IT services via the Internet and web/intranet/phone/mobile networks, namely, computer software development; computer time-sharing services; leasing computer facilities; computer services in the nature of web/intranet/phone/mobile network-based access to and manipulation of user defined information, personal profiles, and information in the nature of an application service provider, namely, providing, hosting, managing, developing, and maintaining applications, software, web sites, and databases of others in the fields of business productivity, wireless communication, mobile information access, and remote data management for wireless delivery of content to handheld computers, laptops, desktops, servers and mobile electronic devices; computer services, namely, the management of computing resources and the delivery of computer applications and IT services by means of global computer information networks and intranet/phone/mobile networks, namely, design, creation and maintenance of web sites for others; providing temporary use of on-line non- downloadable software for management of computing resources and the delivery of computer applications and IT services; consultation services related to all of the foregoing.
86.
ARCHITECTURE FOR MONITORING METRICS OF NETWORK MANAGEMENT SYSTEM
Some embodiments provide a method for monitoring a multi-tenant network management system deployed in a cloud to manage groups of datacenters. The network management system includes multiple groups of service instances. For each respective group of service instances deployed in the cloud to manage a respective datacenter group, the method deploys a metrics collection agent within each service instance of the group of service instances to collect metrics from services of the service instance and provide the collected metrics to a metric monitoring service instance of the group of service instances. For each respective group of service instances, the method deploys a metrics collection manager within the metric monitoring service instance of the group of service instances. The metrics collection manager is for configuring each of the metrics collection agents deployed within the service instances of the group of service instances.
Some embodiments provide a method for monitoring a multi-tenant network management system deployed in a public cloud to manage groups of datacenters. Each respective datacenter group includes one or more datacenters of a respective tenant that defines the datacenter group. For each datacenter group of a set of datacenter groups managed by the multi-network management system, the method deploys a set of network management service instances in the cloud specified by the tenant for the datacenter group. Each of the network management service instances provides a specified service to the datacenters of the datacenter group. For each datacenter group, the method deploys a metric monitoring service instance in the cloud for the datacenter group. The metric monitoring service instance is for collecting and analyzing metrics from services belonging to each of the network management service instances deployed for the datacenter group.
The system includes a first endpoint and a second endpoint executing a remote collector to receive metrics from the first endpoint using a first CA certificate of the remote collector. Further, the system includes a storage device to store a second CA certificate for a collector group that shares responsibility for a monitoring function to support high availability and a management node including a certificate management module. The certificate management module may add the second endpoint to the collector group in response to receiving a request. Further, the certificate management module may retrieve the second CA certificate from the storage device and replace the first CA certificate of the remote collector with the second CA certificate of the collector group. Furthermore, the certificate management module may enable the collector group to validate a request to accept the metrics from the first endpoint based on the second CA certificate.
An example receiver in a distributed edge system includes sensors configured to receive radio frequency (RF) signals from a channel in an environment. The sensors include front-end circuits configured to convert the RF signals into mixed signals at baseband having a discrete-time basis. Each of the mixed signals includes a mixture of source signals, which are compressively sampled and transmitted by sources in the distributed edge system over the channel. The receiver includes a processor, coupled to the sensors, configured to use measurements of the mixed signals with an implementation of convolutive blind source separation (CBSS) in multiple domains to separate estimated source signals from the mixed signals and determine estimated channel coefficients for the channels. The processor is configured to send, to the sources, information to adjust sampling rates in response to a relation between the measurements, the estimated source signals, and the estimated channel coefficients.
H04L 67/12 - Protocols specially adapted for proprietary or special-purpose networking environments, e.g. medical networks, sensor networks, networks in vehicles or remote metering networks
The disclosure provides an approach for verifying and improving the visual experience on client machines located on a virtual desktop infrastructure (VDI) system in response to measuring various metrics of the visual display. The metrics include frame rate, smoothness, and image quality. The metrics are obtained by using an arbitrary workload. Obtaining the metrics involves running screenshots of the arbitrary workload through convolutional neural nets to measure blemishes and blurriness.
Some embodiments provide a novel method for associating machines of a first network with gateways that connect the machines to an external second network. The method assigns first and second sets of machines to first and second traffic groups that are associated with first and second gateways. Based on statistics regarding data message load on the first gateway, the method identifies a first machine to reassign from a first traffic group to the second traffic group. The method reassigns the first machine to the second traffic group to reduce data message load on the first gateway.
Thread local storage is allocated to a thread that is executed in different link domains that share a memory address space by initially allocating a thread local storage having a first base address in the shared memory address space to the thread and a thread local storage having a second base address in the shared memory address space to a second thread that is created as a watcher thread of the first thread. When it is determined that the first thread has made a transition from executing code from the first link domain to executing code from the second link domain, the thread local storage having the second base address is allocated to the first thread. Thereafter, when it is determined that the first thread has resumed executing code from the first link domain, the thread local storage having the first base address is allocated to the first thread.
09 - Scientific and electric apparatus and instruments
42 - Scientific, technological and industrial services, research and design
Goods & Services
Computer software for managing, testing, and using multiple operating systems, and instructional manuals therefor sold as a unit; computer software for automation of IT processes; computer software for the management and deployment of computing resources across computer networks; downloadable software for creating and managing a cloud-based software-defined data center of compute, storage and network capabilities; computer software for automation of IT processes; computer software for the management and deployment of computing resources across computer networks; downloadable software for creating and managing a cloud-based software-defined data center of compute, storage and network capabilities; operating system software used across servers, storage and networks to aggregate hardware resources and provide built-in services to applications for operating, developing, and managing software and hardware resources; operating system software for managing and automating information technology network management processes; computer software for managing, testing, and using multiple operating systems, and instructional manuals therefor sold as a unit. Building, executing, securing and managing computer applications and application components; deploying, managing, securing and operating containerized applications across different environments; Platform as a service (PaaS) featuring computer software platforms for deploying, managing, securing and operating containerized applications across different environments; technical consulting and research services in the fields of computer software, and computer networks; consulting services in the field of design, selection, implementation and use of computer hardware and software systems; computer programming services; design, development, deployment, implementation, analysis, integration, and management of computer software for others; installation, modification, maintenance, and repair of computer software; customization and configuration of computer software; consulting services related to virtual infrastructure, storage and networking; managed information technology services and operations for others, namely, management of virtual infrastructure, networking and storage services; service provider, namely, hosting, managing and administering computer software for others; leasing and rental of computer software; technical support services, namely, trouble shooting of computer software; technical support services, namely, trouble shooting in the nature of computer hardware diagnosis; technical support services, namely, trouble shooting in the nature of diagnosing computer hardware problems; platform as a Service (PaaS) for creating and managing a cloud-based software-defined data center of compute, storage and network capabilities; software as a Service (SaaS) which monitors endpoints of a data center for known-good behavior and provides inputs upon detecting divergence from the known-good behavior; software as a service (SAAS) services featuring software to provide platform mobility for software applications; software as a service for the management of storage and network resources; software as a service for the automation of IT processes; software as a service for the management and deployment of computing resources across computer networks; enterprise computing services, namely, providing temporary use of non- downloadable software for use in computer program license management and for use in account and permissions administration; providing temporary use of non-downloadable software for data manipulation, validation and reporting of customer specific information and customer identity; computer services, namely, designing, programming, managing, and developing virtual desktop infrastructure platforms; designing, programming, managing, and developing software applications for use on virtual desktop infrastructure platforms; computer services, namely, creation and management of computer services for operating system software used across servers, storage and networks to aggregate software and hardware resources; computer services, namely, designing, developing, implementing, managing applications, infrastructure, computer software and hardware, development platforms, networks and databases; computer services, namely, maintaining applications, infrastructure, computer software, development platforms, networks and databases; creation, management and delivery of computer applications and IT services via the Internet and web/intranet/phone/mobile networks, namely, computer software development; computer time-sharing services; leasing computer facilities; computer services in the nature of web/intranet/phone/mobile network-based access to and manipulation of user defined information, personal profiles, and information in the nature of an application service provider, namely, providing, hosting, managing, developing, and maintaining applications, software, web sites, and databases of others in the fields of business productivity, wireless communication, mobile information access, and remote data management for wireless delivery of content to handheld computers, laptops, desktops, servers and mobile electronic devices; computer services, namely, the management of computing resources and the delivery of computer applications and IT services by means of global computer information networks and intranet/phone/mobile networks, namely, design, creation and maintenance of web sites for others; providing temporary use of on-line non- downloadable software for management of computing resources and the delivery of computer applications and IT services; consultation services related to all of the foregoing.
In some embodiments, a method fragments a first packet into a plurality of fragments when a length of an encapsulated first packet is larger than a maximum transmission unit size. For each fragment in the plurality of fragments, fragmentation information is generated. The method encapsulates each fragment in the plurality of fragments with an outer header to form a plurality of encapsulated packets. The respective fragmentation information for each fragment is inserted in a portion of the outer header that is processed by endpoints of an overlay tunnel and not processed by a device along a path of the overlay tunnel. The plurality of encapsulated packets are sent via the overlay tunnel.
This disclosure relates generally to creating and managing cloud infrastructure, and more specifically, integrating one or more cloud infrastructure tools for building cloud infrastructures. An example method includes, receiving a request to deploy a cloud infrastructure on a cloud service provider based on a cloud template of the cloud management platform; transmitting configuration instructions to a container orchestration platform for execution on one or more containers running on the container orchestration platform, the configuration instructions directing the one or more containers to deploy the cloud infrastructure; receiving a deployment state of the cloud infrastructure on the cloud service provider from the container orchestration platform following execution of the configuration instructions; and reporting a status of the cloud infrastructure based on the deployment state.
System and computer-implemented method for predicting durations for virtual computing instance migrations between computing environments calculates initial estimated migration durations for virtual computing instances of a group based on the total available resources and the number of active virtual computing instances being migrated. Revised estimated migration durations are then calculated for at least one of the virtual computing instances of the group selected for migration based on the total available resources and the number of current active virtual computing instances being migrated when migration of at least one of the virtual computing instances of the group is predicted to complete before other virtual computing instances of the group. The revised migration durations are associated with a duration migration prediction for the group of virtual computing instances from a source computing environment to a destination computer environment.
The system includes a first endpoint executing a configuration agent and a second endpoint executing a remote collector. The remote collector may use a first service to receive metrics of the first endpoint based on a first client certificate. The remote collector includes a detection unit to detect whether the second endpoint has been added to or removed from a collector group that shares responsibility for monitoring functions to support high availability. The remote collector includes a certificate generation unit to generate a second client certificate for the first endpoint based on whether the second endpoint has been added to or removed from the collector group. Further, the remote collector includes a configuration master to update the first endpoint to replace the first client certificate with the second client certificate and cause the first endpoint to post metrics to a second service at the remote collector.
H04L 9/32 - Arrangements for secret or secure communicationsNetwork security protocols including means for verifying the identity or authority of a user of the system
H04L 41/082 - Configuration setting characterised by the conditions triggering a change of settings the condition being updates or upgrades of network functionality
98.
FEDERATED QUERY PROCESSING FOR DISTRIBUTED DATABASES
The disclosure provides a method for querying data across a plurality of distributed databases. The method includes receiving a query at a local coordinator of a local database cluster. The method further includes sending the query to a remote coordinator of a remote database cluster. The method further includes retrieving, by each local segment of a plurality of local segments of the local database cluster, data responsive to the query from corresponding one or more remote segments of the remote database cluster associated with the local segment. The method further includes sending a response to the query based on the data responsive to the query from each of the corresponding one or more remote segments.
In one set of embodiments, a computer system executing a virtual machine (VM) packaging tool can receive a reference to a container comprising one or more applications of a workload and a reference to an operating system (OS) kernel to be included in the workload. The computer system can inject an agent into the container that is configured to request execution of a hardware VM attestation function, combine contents of the container and the OS kernel into an image file, and compute a hash of the image file. The computer system can then generate a firmware for the workload that includes the hash.
Some embodiments of the invention provide a method for increasing system capacity of a RIC in a RAN, the RIC including a first datapath pod for forwarding communications between a first set of RAN applications connected to the RIC and a first set of base station components connected to the RIC. The method uses the first datapath pod to forward communications between the first set of RAN applications and the first set of base station components. The method determines that the first datapath pod has insufficient resources for forwarding traffic between the first set of base station components and the first set of RAN applications. Based on said determination, the method configures a second datapath pod on the RIC for forwarding traffic between the first set of base station components and the first set of RAN applications. The method assigns a first subset of the first set base station components to the first datapath pod and a second subset of the first set of base station components to the second datapath pod.
