The disclosed technology provides solutions for performing rapid authentication and authorization for distributed containerized microservices. In some aspects, a process of the technology can include steps for: associating a service type with a set of microservices or service pods, detecting deployment of a first microservice on a first host, and receiving an authentication and authorization state from a first virtual network edge (VNE) of the first host. In some aspects, the process can further include steps for distributing the authentication state to a second VNE on a second host, wherein the authentication state is configured to facilitate authentication of one or more subsequent microservices instantiated on the second host by the second VNE. Systems and machine readable media are also provided.

Rapid launch of secure executables in a virtualized environment includes using a persisted security cache in a virtualized component (VC), such as a virtual machine. The VC generates a cache integrity value (IV), such as a hash value, for the security cache and sends it to a remote validator, which returns an indication of security cache validity or invalidity. Upon receiving a request to execute applications, the VC analyzes whether the applications have been determined to be safe to execute and have not been altered. The VC retrieves application IVs from the security cache, rather than hashing each of the applications, thereby saving compute time, and sends the application IVs to a remote validator, which returns an indication of application validity or invalidity.

Techniques are provided for incrementally restoring a virtual machine hosted by a computing environment. In response to receiving an indication that the virtual machine is to be incrementally restored, a snapshot of the virtual machine may be created while the virtual machine is shut down into an off state. The snapshot is transmitted to a storage environment as a common snapshot. The snapshot and the common snapshot are common snapshots comprising a same representation of the virtual machine. The common snapshot and a prior snapshot of the virtual machine are evaluated to identify a data difference of the virtual machine between the common snapshot and the prior snapshot. An incremental restore is performed of the virtual machine by transmitting the data difference from the storage environment to the computing environment to restore the virtual machine to a state represented by the prior snapshot.

A “backup services container” comprises “backup toolkits,” which include scripts for accessing containerized applications plus enabling utilities/environments for executing the scripts. The backup services container is added to Kubernetes pods comprising containerized applications without changing other pod containers. For maximum value and advantage, the backup services container is “over-equipped” with toolkits. The backup services container selects and applies a suitable backup toolkit to a containerized application to ready it for a pending backup. Interoperability with a proprietary data storage management system provides features that are not possible with third-party backup systems. Some embodiments include one or more components of the proprietary data storage management within the illustrative backup services container. Some embodiments include one or more components of the proprietary data storage management system in a backup services pod configured in a Kubernetes node. All configurations and embodiments are suitable for cloud and/or non-cloud computing environments.

Embodiments of the present invention provide a method, a system, and an apparatus for creating a virtual machine. The method includes: receiving a virtual machine creation request to create a plurality of virtual machines; dividing the plurality of virtual machines into a plurality of virtual machine groups; determining a home physical rack for each virtual machine group, where one virtual machine group corresponds to one home physical rack; and creating each virtual machine group on the home physical rack of each virtual machine group. Because each virtual machine group is created on a home physical rack to which each virtual machine group belongs, each virtual machine group is equivalent to one physical rack.

A method of creating containers in a physical host that includes a managed forwarding element (MFE) configured to forward packets to and from a set of data compute nodes (DCNs) hosted by the physical host. The method creates a container DCN in the host. The container DCN includes a virtual network interface card (VNIC) configured to exchange packets with the MFE. The method creates a plurality of containers in the container DCN. The method, for each container in the container DCN, creates a corresponding port on the MFE. The method sends packets addressed to each of the plurality of containers from the corresponding MFE port to the VNIC of the container DCN.

Embodiments described herein are generally directed to a controller of a managed container service that facilitates selection among bare metal machines available within a private cloud. According to an example, a request is received by a Container-as-a-Service controller from a CaaS portal to create a cluster based at least in part on resources of a private cloud of a customer of a managed container service. An inventory of bare-metal machines available within the private cloud is received from a Bare-Metal-as-a-Service (BMaaS) provider associated with the private cloud. A particular bare metal machine is identified for the cluster by selecting among the available bare-metal machines based on cluster information associated with the request, the inventory, and a best fit algorithm configured in accordance with a policy established by the customer.

Disclosed herein are enhancements for deploying application in an edge system of a communication network. In one implementation, a runtime environment identifies a request from a Hypertext Transfer Protocol (HTTP) accelerator service to be processed by an application. In response to the request, the runtime environment may identify an isolation resource to support the request, initiate execution of code for the application, and pass context to the code. Once initiated, the runtime environment may copy data from the artifact to the isolation resource using the context and return control to the HTTP accelerator service upon executing the code.

Example methods and systems are directed to reducing latency in providing trusted execution environments (TEEs). Initializing a TEE includes multiple steps before the TEE starts executing. Besides workload-specific initialization, workload-independent initialization is performed, such as adding memory to the TEE. In function-as-a-service (FaaS) environments, a large portion of the TEE is workload-independent, and thus can be performed prior to receiving the workload. Certain steps performed during TEE initialization are identical for certain classes of workloads. Thus, the common parts of the TEE initialization sequence may be performed before the TEE is requested. When a TEE is requested for a workload in the class and the parts to specialize the TEE for its particular purpose are known, the final steps to initialize the TEE are performed.

A method and a system to perform the method are disclosed, the method includes receiving, by a virtualization server communicatively coupled with a client device, a request to provide a virtual machine (VM) to a client device, accessing a profile associated with the client device, instantiating a VM on the virtualization server, wherein the VM is a linked clone VM of a base VM, wherein the linked clone VM has (1) a read-only access to a shared range of a persistent memory associated with the base VM, wherein the shared range of the persistent memory is determined in view of the profile associated with the client device and stores at least one application installed on the virtualization server, (2) a write access to a private range of the persistent memory, wherein the private range is associated with the VM, and providing the VM to the client device.