Patent classifications
G06F2009/45566
System and method for nested hypervisors and layer 2 interconnection
Provided is a system and method for a multi-tenant datacenter with nested hypervisors. This is provided by at least two physical computing systems each having at least one processor and memory store adapted to provide a first level Hypervisor, each providing a First Virtual Computing Environment with a plurality of inactive Virtual Hypervisors nested therein. The multi-tenant datacenter is structured and arranged to activate a Virtual Hypervisor on one of the at least two Hypervisors and automatically migrate the at least one Customer VM from a Customer Hypervisor to the Active Virtual Hypervisor; and evacuate the remaining inactive Virtual Hypervisors from the Hypervisor supporting the Active Hypervisor to another of the at least two Hypervisors supporting inactive Virtual Hypervisors. Further, each Customer Virtual Machine in the Active Virtual Hypervisor is coupled to the second physical computing system by OSI Layer 2, prior to an OSI Layer 3 connection, for the transfer of data frames, each frame having a plurality of OSI Layer 2 tags permitting the segregation of each Virtual Machine independent of Layer 3 communication. An associated method of use is also provided.
EVENT NOTIFICATION SUPPORT FOR NESTED VIRTUAL MACHINES
Systems and methods for event notification support for nested virtual machines. An example method may comprise running, by a host computer system, a Level 0 hypervisor managing a Level 1 virtual machine running a Level 1 hypervisor, wherein the Level 1 hypervisor manages a Level 2 virtual machine. The Level 1 hypervisor may generate a virtual device and an input/output (I/O) translation table comprising an I/O translation table entry associated with the virtual device, and associate the I/O translation table entry with a Level 1 virtual machine context maintained by at least one of the Level 0 hypervisor or Level 1 hypervisor. The method may further, responsive to detecting, by the Level 0 hypervisor, an event notification from the Level 2 virtual machine, cause a central processing unit (CPU) to use the I/O translation table to execute access to the Level 1 guest virtual address.
NESTED VIRTUALIZATION FOR VIRTUAL MACHINE EXITS
Memory security technologies are described. An example processing device includes a processor core and a memory controller coupled to the processor core and a memory. The processor core can determine that an exit condition to transfer control of a resource for a processor core from a first virtual machine monitor (VMM) to a second VMM has occurred. The processor core can also determine whether a control virtual machine control structure (VMCS) link pointer is valid. The processor core can also determine whether a reason value corresponding to the control VMCS link pointer is set. The processor core can also determine whether the reason value is set to zero. The processor core can also determine whether an exception bit corresponding to a specific exception type of a reason value is set. The processor core can also transfer control of the resource from the first VMM to the second VMM.
NESTED VIRTUAL MACHINE SUPPORT FOR HYPERVISORS OF ENCRYPTED STATE VIRTUAL MACHINES
A method includes creating, by a hypervisor executing on a processing device, a first virtual machine nested within a second virtual machine. The method further includes identifying a context of the second virtual machine and providing, to a context of the first virtual machine, a parent context pointer indicating the context of the second virtual machine.
SYSTEM AND METHODS FOR PROVISIONING DIFFERENT VERSIONS OF A VIRTUAL APPLICATION
A computing device may include a memory and a processor cooperating with the memory and configured to provide first and second application layers that include different versions of a virtual application accessible by a client device. The first and second versions of the virtual application may interoperate with application libraries of different application layers.
METHOD TO ORGANIZE VIRTUAL MACHINE TEMPLATES FOR FAST APPLICATION PROVISIONING
Virtualized computing instances, such as virtual machines, in a virtualized computing environment are provisioned using a tree-based template structure. The tree-based template structure includes a base node and multiple nodes linked to the base node. Each of the multiple nodes includes at least one component that represents a delta relative to the base node. By matching the requirements and role of a virtualized computing instance to be provisioned with the content(s) of a particular node, the particular node can be selected for cloning/creating the virtualized computing instance.
Forwarding element implementation for containers
A method of creating containers in a physical host that includes a managed forwarding element (MFE) configured to forward packets to and from a set of data compute nodes (DCNs) hosted by the physical host. The method creates a container DCN in the host. The container DCN includes a virtual network interface card (VNIC) configured to exchange packets with the MFE. The method creates a plurality of containers in the container DCN. The method, for each container in the container DCN, creates a corresponding port on the MFE. The method sends packets addressed to each of the plurality of containers from the corresponding MFE port to the VNIC of the container DCN.
SCALABLE VIRTUAL MACHINE OPERATION INSIDE TRUST DOMAINS WITHIN THE TRUST DOMAIN ARCHITECTURE
Implementations describe a computing system that implements a plurality of virtual machines inside a trust domain (TD), enabled via a secure arbitration mode (SEAM) of the processor. A processor includes one or more registers to store a SEAM range of memory and a TD key identifier of a TD private encryption key. The processor is capable of initializing a trust domain resource manager (TDRM) to manage the TD, and a virtual machine monitor within the TD to manage the plurality of virtual machines therein. The processor is further capable of exclusively associating a plurality of memory pages with the TD, wherein the plurality of memory pages associated with the TD is encrypted with a TD private encryption key inaccessible to the TDRM. The processor is further capable of using the SEAM range of memory, inaccessible to the TDRM, to provide isolation between the TDRM and the plurality of virtual machines.
Customized partitioning of compute instances
At a virtualization host which includes an instance partitioning controller, a set of resources is allocated to a compute instance by a virtualization manager. The first compute instance does not include another virtualization manager. In response to a communication from the controller, the virtualization manager allocates a subset of the resources to a child compute instance launched at the virtualization host. An application is executed within the child compute instance.
Method, apparatus and system for transparent unification of virtual machines
A method for unifying VMs comprises presenting, in a display device, a unified view that includes GUI elements for multiple applications that execute in respective VMs in a computing device. The operation of presenting the unified view may be performed by a unification console that executes in a dedicated VM. The method also comprises (a) after presenting the unified view, receiving, by the unification console, user input pertaining to a selected application; (b) redirecting the user input from the unification console in the dedicated VM to the selected application in its respective VM; (c) receiving, by the unification console outside of the VM for the selected application, application output from the selected application; and (d) rendering output for a user, based on the application output received by the unification console. Other embodiments are described and claimed.