G06F2009/45595

Formally Verified Trusted Computing Base with Active Security and Policy Enforcement
20230004418 · 2023-01-05

A formally verified trusted computing base with active security and policy enforcement is described. The formally verified trusted computing base includes a formally verified microkernel and multiple formally verified hyper-processes including a virtual machine monitor (VMM), virtual machine introspection (VMI), policy enforcers including an active security policy enforcer (ASPE), and a virtual switch. The active security and policy enforcement continuously monitors for semantic behavior detection or policy violations and enforces the policies at the virtualization layer. Further, policies can be attached to the network layer to provide granular control of the communication of the computing device.

Method and apparatus for deploying security access control policy

A method and an apparatus are provided for deploying a security access control policy in the field of network security. The method, executed by a cloud management platform, includes: determining, according to an application creation instruction, an application template used for an application that needs to be created and a security profile corresponding to the application template; instructing a virtualization platform to create, according to the application template, a corresponding virtual machine for each application component in the application, and obtaining an IP address of each virtual machine created by the virtualization platform; generating a group of security access control policies corresponding to the application according to the IP address of each virtual machine and by using the security profile; and delivering the group of security access control policies to a corresponding firewall. Therefore, a security access control policy is automatically deployed.

Conflict resolution in network virtualization scenarios

There are provided measures for conflict resolution in a network virtualization scenario, wherein a virtualized network function is utilized by a first virtualized network service managed by a first network component and a second virtualized network service managed by a second network component. The measures comprise requesting, by the first network component, an alteration of the virtualized network function, transmitting information indicative of the alteration of the virtualized network function to the second network component, and determining when the alteration of the virtualized network function impacts the second virtualized network service.

Handling permissions for virtualized file servers

Examples of systems described herein include a file server virtual machine of a virtualized file server configured to manage storage of a plurality of storage items. The file server virtual machine includes a file system configured to receive an access request directed to a storage item of the plurality of storage items and associated with a user. The file system is further configured to retrieve an access control list having permissions information associated with the storage item, and to cache a permissions profile for the user including all permissions pertaining to the user for the storage item. The file system is further configured to determine whether the access request is permissible based on the cached permissions profile.

Service management method and apparatus
11567793 · 2023-01-31

Embodiments of this application provide a service management method and apparatus, so as to cover service level indication information at interfaces between various management network elements in NFV MANO, and further perform differentiated resource allocation and fault recovery for services based on the service level indication information. The service management method includes: receiving, by a first management unit, a first message sent by a second management unit, where the first message includes first identification information, the first identification information is used to obtain first information, the first information includes information used to obtain first service level information, and the first information is a network service NS deployment flavor DF or a virtualized network function VNF deployment flavor DF; and determining, by the first management unit, the first service level information based on the first identification information and the first information.

Control registers to store thread identifiers for threaded loop execution in a self-scheduling reconfigurable computing fabric
11567766 · 2023-01-31

Representative apparatus, method, and system embodiments are disclosed for configurable computing. A representative system includes an interconnection network; a processor; and a plurality of configurable circuit clusters. Each configurable circuit cluster includes a plurality of configurable circuits arranged in an array; a synchronous network coupled to each configurable circuit of the array; and an asynchronous packet network coupled to each configurable circuit of the array. A representative configurable circuit includes a configurable computation circuit and a configuration memory having a first, instruction memory storing a plurality of data path configuration instructions to configure a data path of the configurable computation circuit; and a second, instruction and instruction index memory storing a plurality of spoke instructions and data path configuration instruction indices for selection of a master synchronous input, a current data path configuration instruction, and a next data path configuration instruction for a next configurable computation circuit.

Minimizing impact of migrating virtual services

The present disclosure relates to systems, methods, and computer readable media that utilize a low-impact live-migration system to reduce unfavorable impacts caused as a result of live-migrating computing containers between physical server devices of a cloud computing system. For example, systems disclosed herein evaluate characteristics of computing containers on server devices to determine a predicted unfavorable impact of live-migrating the computing containers between the server devices. Based on the predicted impact, the systems disclosed herein can selectively identify which computing containers to live-migrate, as well as carry out live-migration of the selected computing containers in such a way that significantly reduces unfavorable impacts to a customer or client device associated with the computing containers.

Tunnel-based service insertion in public cloud environments

Example methods and systems are provided for a network device to perform tunnel-based service insertion in a public cloud environment. An example method may comprise establishing a tunnel between the network device and a service path. The method may also comprise: in response to receiving a first encapsulated packet, identifying the service path specified by a service insertion rule; and generating and sending a second encapsulated packet over the tunnel to cause the service path to process an inner packet according to one or more services. The method may further comprise: in response to receiving, from the service path via the tunnel, a third encapsulated packet that includes the inner packet processed by the service path, sending the inner packet processed by the service path, or a fourth encapsulated packet, towards a destination address of the inner packet.

AUTOMATIC MANAGEMENT OF APPLICATION SPECIFIC AGENTS IN A VIRTUAL MACHINE USING AN APPLICATION MANAGEMENT AGENT

A lightweight, workload-agnostic application management agent (AMA) automatically upgrades application agents on a virtual machine (VM). The AMA is installed in the VM as part of a Gold image installation. The AMA detects a workload type of the VM and sends the workload information to an application manager. The AMA continuously monitors the VM for any change in workload type, and any change causes the AMA to install a respective workload-specific agent (WSA) for the new workload in the VM. The AMA accesses the new WSA from the application manager through a push or pull operation. Applications are thus automatically upgraded through VM-resident agents. The user needs only to update policies and load updated software to the application manager without manually upgrading the WSA agents themselves.

COMMON VOLUME REPRESENTATION IN A CLOUD COMPUTING SYSTEM
20230236863 · 2023-07-27

An example method of providing a common volume (cVol) datastore for virtual machines (VMs) managed by a hypervisor in a cloud computing system includes: mounting, by the hypervisor in cooperation with a network file system server, a network file system share of a common volume (cVol), the network file system share storing metadata for the VMs; creating a file system container backed by the network file system share; routing file operations targeting the metadata to the file system container; attaching cloud volumes as devices on a host of the hypervisor, the cloud volumes referenced by descriptors in the metadata; and routing file operations targeting virtual disks of the VMs to the devices.