Patent classifications
G06F9/45545
Domain identifier and device identifier translation by an input-output memory management unit
An electronic device includes a processor that executes a guest operating system and a hypervisor, an input-output (IO) device, and an input-output memory management unit (IOMMU). The IOMMU handles communications between the IOMMU and the guest operating system by: replacing, in communications received from the guest operating system, guest domain identifiers (domainIDs) with corresponding host domainIDs and/or guest device identifiers (deviceIDs) with corresponding host deviceIDs before further processing the communications; replacing, in communications received from the IO device, host deviceIDs with guest deviceIDs before providing the communications to the guest operating system; and placing, into communications generated in the IOMMU and destined for the guest operating system, guest domainIDs and/or guest deviceIDs before providing the communications to the guest operating system. The IOMMU handles the communications without intervention by the hypervisor.
Dynamic power management states for virtual machine migration
Systems and methods for supporting dynamic power management states for virtual machine (VM) migration are disclosed. In one implementation, a processing device may generate, by a host computer system, a host power management data structure specifying a plurality of power management states of the host computer system. The processing device may also detect that a VM has been migrated to the host computer system. The processing device may then prevent the VM from performing power management operations and may cause the virtual machine to read the host power management data structure. Responsive to receiving a notification that the VM has read the host power management data structure, the processing device may enable the VM to enter a first power management state of the plurality of power management states.
Containerized computing environments
Building images that enable improved utilization of previously built image layers. An image build system evaluates commands prior to their use and differentiates between stateful and stateless commands. Employing such an approach enables stateless commands to be identified (e.g. labeled), thus enabling the image build system to handle the stateless commands differently from stateful commands. This enables the re-use of cached/stored image layers, thus reducing image size by avoiding the creation of new image layers.
Host computing systems placement in data centers
A host computing system may include a processor and a memory coupled to the processor. The memory may include an auto-discovery module to broadcast a message to a set of management nodes in a data center. The message may include a configuration policy. Further, the auto-discovery module may receive an acknowledgment message from a management node. The acknowledgment message may indicate that the management node supports the configuration policy. Furthermore, the auto-discovery module may establish a trust relationship with the management node in response to receiving the acknowledgment message. Further, the auto-discovery module may enable the host computing system to be added to a cluster managed by the management node upon establishing the trust relationship.
Write input/output optimization for virtual disks in a virtualized computing system
An example method of handling, at a hypervisor on a host in a virtualized computing system, a write input/output (IO) operation to a file on a storage device having a virtual machine file system (VMFS) is described. The method includes: sorting, at the hypervisor, a scatter-gather array for the write IO operation into sets of scatter-gather elements, each of the sets including at least one scatter-gather element targeting a common file block address; resolving offsets of the sets of scatter-gather elements to identify a first scatter-gather array of transaction-dependent scatter-gather elements; generating logical transactions for the first scatter-gather array having updates to metadata of the VMFS for the file; batching the logical transactions into a physical transaction; and executing the physical transaction to commit the updates to the metadata of the VMFS on the storage device for the file.
VIRTUALIZATION-BASED PLATFORM PROTECTION TECHNOLOGY
A data processing system (DPS) uses platform protection technology (PPT) to protect some or all of the code and data belonging to certain software modules. The PPT may include a virtual machine monitor (VMM) to enable an untrusted application and a trusted application to run on top of a single operating system (OS), while preventing the untrusted application from accessing memory used by the trusted application. The VMM may use a first extended page table (EPT) to translate a guest physical address (GPA) into a first host physical address (HPA) for the untrusted application. The VMM may use a second EPT to translate the GPA into a second HPA for the trusted application. The first and second EPTs may map the same GPA to different HPAs. Other embodiments are described and claimed.
SERVER DELAY CONTROL DEVICE, SERVER DELAY CONTROL METHOD, AND PROGRAM
Provided is a server delay control device deployed in a kernel of an OS of a server. The OS includes: the kernel; a ring buffer managed by the kernel, in a memory space in which the server deploys the OS; and a poll list in which packet arrival information indicative of the presence of a packet in the ring buffer is to be registered. The server delay control device spawns a thread configured to monitor a packet arrival according to a polling model. The thread includes: a packet arrival monitoring part configured to monitor whether the packet arrival information has been registered in the poll list, and a packet dequeuer configured to, when the packet arrival information has been registered in the poll list, dequeue the packet from the ring buffer on the basis of the packet arrival information.
System for automating user-defined actions for applications executed using virtual machines in a guest system
A computer-implemented method or system is provided to automate actions for one or more applications executed via a platform using at least one virtual machine in a guest system. Each virtual machine includes a guest operating system, a guest agent and an application to be executed on the virtual machine. The method or system stores in a memory user-defined automation actions and causal relationships between the user-defined automation actions from which an automation graph is derived for the application to be executed on the virtual machine on the guest system; launches the guest system and the virtual machine via the platform; and executes the user-defined automation actions via the guest agent of the virtual machine according to the automation graph after the guest system and the virtual machine are launched.
HOST ADDRESS SPACE IDENTIFIER FOR NON-UNIFORM MEMORY ACCESS LOCALITY IN VIRTUAL MACHINES
Aspects of the disclosure provide for implementing host address space identifiers for non-uniform memory access (NUMA) locality in virtual machines. A method of the disclosure includes determining, by a virtual machine (VM), that a guest memory page is to be moved from a first virtual NUMA node of the VM to a second virtual NUMA node of the VM. The method also includes updating one or more designated bits of a guest physical address (GPA) of the memory page to include a host address space identifier (HASID) of the second virtual NUMA node, where the guest page table maps the GPA of the memory page to a corresponding guest virtual address (GVA) of the VM and where the HASID associates the GPA of the memory page with a corresponding virtual NUMA node locality, and accessing, by the VM, the updated GPA.
SYSTEM FOR APPLICATION PROTECTION AND NON-TRANSITORY MACHINE-READABLE MEDIUM FOR STORING PROGRAM CODE THAT PROVIDES APPLICATION PROTECTION WHEN EXECUTED
A system for application (APP) protection includes a processor. The processor is arranged to execute a guest virtual machine (VM), at least one primary VM, a hypervisor, and a host VM, wherein at least one APP protection with at least one identification (ID) of the at least one APP running on the guest VM is downloaded to the guest VM. The hypervisor includes an install service module and a launcher module. The host VM is arranged to: receive at least one install command from the guest VM, and generate an install service command to the install service module; verify the at least one APP protection by the at least one ID and generate at least one verification result; obtain the at least one ID from the at least one primary VM according to the at least one verification result; and generate a launch command to the launcher module.