SECURE STORAGE OF WORKLOAD ATTESTATION REPORTS IN A VIRTUALIZED AND CLUSTERED COMPUTER SYSTEM

    Publication number: US20220222098A1

    Publication date: 2022-07-14

    Application number: US17148428

    Application date: 2021-01-13

    Applicant: VMware, Inc.

    Abstract: An example method of secure attestation of a workload deployed in a virtualized computing system is described. The virtualized computing system includes a host cluster and a virtualization management server, the host cluster having hosts and a virtualization layer executing on hardware platforms of the hosts. The method includes storing, in a trust authority, a pre-defined attestation report for a workload executing in a virtual machine (VM) managed by the virtualization layer, the pre-defined attestation report including a hash of at least a portion of an image of the VM; receiving, at the trust authority from a security module of a host in which the VM executes, an attestation report generated by measuring memory of the VM; comparing the attestation report with the pre-defined attestation report; and generating an indication of validity for the workload based on a result of the comparison.

    MONITORING FOR WORKLOADS MANAGED BY A CONTAINER ORCHESTRATOR IN A VIRTUALIZED COMPUTING SYSTEM

    Publication number: US20220197684A1

    Publication date: 2022-06-23

    Application number: US17132367

    Application date: 2020-12-23

    Applicant: VMware, Inc.

    Abstract: An example method of application monitoring in a virtualized computing system including a host cluster having a virtualization layer directly executing on hardware platforms of hosts, the virtualization layer supporting execution of virtual machines (VMs) and integrated with an orchestration control plane, includes: receiving, at a pod VM controller, a health monitoring specification, the pod VM controller executing in the virtualization layer external to the VMs; providing, from the pod VM controller to a pod VM agent executing in a pod VM of the VMs, the health monitoring specification, the pod VM including a container engine supporting execution of containers therein; executing, in the pod VM by the pod VM agent, at least one probe of an application executing in one or more of the containers; and returning, from the pod VM agent to the pod VM controller, application health status obtained from the at least one probe.

    METHOD FOR USING DEALLOCATED MEMORY FOR CACHING IN AN I/O FILTERING FRAMEWORK

    Publication number: US20190227957A1

    Publication date: 2019-07-25

    Application number: US15879389

    Application date: 2018-01-24

    Applicant: VMware, Inc.

    Abstract: Techniques are disclosed for filtering input/output (I/O) requests in a virtualized computing environment. In some embodiments, a system stores first data in a page of memory, where after the first data is stored in the page of memory, the page of memory is free for allocation to a first memory consumer (e.g., an I/O filter instantiated in a virtualization layer of the virtualized computing environment) and a second memory consumer. The first memory consumer retains a reference to the page of memory. The first memory consumer receives a data request from a virtual computing instance. Based on the data request, the first memory consumer retrieves the first data using the reference to the page of memory. After retrieving the first data, the system returns the first data to the virtual computing instance. While the first memory consumer has the reference to the page of memory, the page of memory can be allocated to the second memory consumer without notifying the first memory consumer.

    INTEGRITY PROTECTION OF CONTAINER IMAGE DISKS USING SECURE HARDWARE-BASED ATTESTATION IN A VIRTUALIZED AND CLUSTERED COMPUTER SYSTEM

    Publication number: US20220222100A1

    Publication date: 2022-07-14

    Application number: US17148461

    Application date: 2021-01-13

    Applicant: VMware, Inc.

    Abstract: An example method of secure attestation of a workload deployed in a virtualized computing system is described. The virtualized computing system includes a host cluster and a virtualization management server, the host cluster having hosts and a virtualization layer executing on hardware platforms of the hosts. The method includes: launching, in cooperation with a security module of a host, a guest as a virtual machine (VM) managed by the virtualization layer, the security module generating an attestation report from at least a portion of the VM loaded into memory of the host; receiving, at the guest from a trust authority, a secret in response to verification of the attestation report; obtaining, at the guest from an entity, at least one key using transport layer security (TLS) data in the secret to verify identity of the guest to the entity; and using, at the guest, the at least one key to access or verify at least one disk attached thereto.

    MANAGING CONFIGURATION AND SENSITIVE DATA FOR WORKLOADS IN A VIRTUALIZED COMPUTING SYSTEM

    Publication number: US20220019454A1

    Publication date: 2022-01-20

    Application number: US16933812

    Application date: 2020-07-20

    Applicant: VMware, Inc.

    Abstract: An example virtualized computing system includes: a host cluster having a virtualization layer directly executing on hardware platforms of hosts, the virtualization layer supporting execution of virtual machines (VMs), the VMs including pod VMs and native VMs, the pod VMs including container engines supporting execution of containers in the pod VMs, the native VMs including applications executing on guest operating systems; an orchestration control plane integrated with the virtualization layer and including a master server and native VM controllers, the master server managing lifecycles of the pod VMs and the native VMs; and management agents, executing in the native VMs, configured to receive decoupled information from the master server through the native VM controllers and to provide the decoupled information for consumption by the applications executing in the native VMs, the decoupled information including at least one of configuration information and secret information.

    EPHEMERAL STORAGE MANAGEMENT FOR CONTAINER-BASED VIRTUAL MACHINES

    Publication number: US20210311759A1

    Publication date: 2021-10-07

    Application number: US16838542

    Application date: 2020-04-02

    Applicant: VMware, Inc.

    Abstract: A virtualized computing system includes: a host cluster including hosts executing a virtualization layer on hardware platforms thereof, the virtualization layer configured to support execution of virtual machines (VMs), the VMs including a pod VM, the pod VM including a container engine configured to support execution of containers in the pod VM, the pod VM including a first virtual disk attached thereto; and an orchestration control plane integrated with the virtualization layer, the orchestration control plane including a master server in communication with a pod VM controller, the pod VM controller configured to execute in the virtualization layer external to the VMs and cooperate with a pod VM agent in the pod VM, the pod VM agent generating root directories for the containers in the pod VM, each of the root directories comprising a union of a read/write ephemeral layer stored on the first virtual disk and a read-only layer.

    MANAGING CONFIGURATION AND SENSITIVE DATA FOR WORKLOADS IN A VIRTUALIZED COMPUTING SYSTEM

    Publication number: US20230013405A1

    Publication date: 2023-01-19

    Application number: US17683239

    Application date: 2022-02-28

    Applicant: VMware, Inc.

    Abstract: An example virtualized computing system includes: a host cluster having a virtualization layer directly executing on hardware platforms of hosts, the virtualization layer supporting execution of virtual machines (VMs), the VMs including pod VMs and native VMs, the pod VMs including container engines supporting execution of containers in the pod VMs, the native VMs including applications executing on guest operating systems; an orchestration control plane integrated with the virtualization layer and including a master server and native VM controllers, the master server managing lifecycles of the pod VMs and the native VMs; and management agents, executing in the native VMs, configured to receive decoupled information from the master server through the native VM controllers and to provide the decoupled information for consumption by the applications executing in the native VMs, the decoupled information including at least one of configuration information and secret information.

    PROVISIONING IDENTITY CERTIFICATES USING HARDWARE-BASED SECURE ATTESTATION IN A VIRTUALIZED AND CLUSTERED COMPUTER SYSTEM

    Publication number: US20220222099A1

    Publication date: 2022-07-14

    Application number: US17148445

    Application date: 2021-01-13

    Applicant: VMware, Inc.

    Abstract: An example method of secure attestation of a workload deployed in a virtualized computing system is described. The virtualized computing system includes a host cluster and a virtualization management server, the host cluster having hosts and a virtualization layer executing on hardware platforms of the hosts. The method includes: launching, in cooperation with a security module of a host, a guest as a virtual machine (VM) managed by the virtualization layer, the security module generating an attestation report from at least a portion of the VM loaded into memory of the host; sending the attestation report from the security module to a trust authority; receiving, in response to verification of the attestation report by the trust authority, a secret from the trust authority at the security module; and providing the secret from the security module to the guest.
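    The attestation flow shared by the two abstracts above (US20220222098A1: a trust authority stores a pre-defined report containing a hash of the VM image and compares it with a report measured by the host's security module; US20220222099A1: the trust authority releases a secret to the security module only after the report verifies) can be exercised end to end with a small simulation. The following is an added example written for this page, not VMware's code. It assumes an HMAC tag under a key shared between the security module and the trust authority in place of the hardware-rooted signature a real security module would produce, and it adds a per-request nonce so that a captured report cannot be replayed; the class and function names and the sample image bytes are constructed for the example.

```python
"""Simulated attestation: security module measures guest memory, trust
authority compares against a pre-defined report and releases a secret."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class AttestationReport:
    vm_id: str
    measurement: bytes  # SHA-256 of the measured guest memory
    nonce: bytes        # freshness value issued by the trust authority
    tag: bytes          # HMAC over (vm_id, measurement, nonce); assumption: stands in for a hardware signature


def _tag(key: bytes, vm_id: str, measurement: bytes, nonce: bytes) -> bytes:
    mac = hmac.new(key, digestmod=hashlib.sha256)
    mac.update(vm_id.encode())
    mac.update(measurement)
    mac.update(nonce)
    return mac.digest()


class SecurityModule:
    """Host-side stand-in for the hardware security module (constructed)."""

    def __init__(self, key: bytes):
        self._key = key

    def measure_and_report(self, vm_id: str, guest_memory: bytes, nonce: bytes) -> AttestationReport:
        measurement = hashlib.sha256(guest_memory).digest()
        return AttestationReport(vm_id, measurement, nonce, _tag(self._key, vm_id, measurement, nonce))


class TrustAuthority:
    """Holds pre-defined reports and the secrets released on successful verification."""

    def __init__(self, key: bytes):
        self._key = key
        self._expected = {}       # vm_id -> hash of the VM image (the pre-defined report)
        self._secrets = {}        # vm_id -> secret released after verification
        self._live_nonces = set()

    def register_workload(self, vm_id: str, vm_image: bytes, secret: bytes) -> None:
        self._expected[vm_id] = hashlib.sha256(vm_image).digest()
        self._secrets[vm_id] = secret

    def new_nonce(self) -> bytes:
        nonce = secrets.token_bytes(16)
        self._live_nonces.add(nonce)
        return nonce

    def verify(self, report: AttestationReport):
        """Return (valid, secret); the secret is None unless every check passes."""
        if report.nonce not in self._live_nonces:   # unknown or already-used nonce: replay
            return False, None
        self._live_nonces.discard(report.nonce)     # single use
        expected_tag = _tag(self._key, report.vm_id, report.measurement, report.nonce)
        if not hmac.compare_digest(expected_tag, report.tag):  # not from a trusted security module
            return False, None
        expected = self._expected.get(report.vm_id)
        if expected is None or not hmac.compare_digest(expected, report.measurement):
            return False, None                      # memory differs from the registered image
        return True, self._secrets[report.vm_id]


def demo() -> dict:
    """Run the good case and three failure cases; returns the (valid, secret) result of each."""
    key = secrets.token_bytes(32)
    module = SecurityModule(key)
    authority = TrustAuthority(key)
    image = b"constructed guest image: kernel+initrd+workload"   # constructed sample
    authority.register_workload("vm-1", image, secret=b"disk-key-wrapping-secret")
    results = {}
    # untampered guest: measured memory equals the registered image
    results["good"] = authority.verify(module.measure_and_report("vm-1", image, authority.new_nonce()))
    # guest memory altered after launch
    results["tampered"] = authority.verify(module.measure_and_report("vm-1", image + b"\x90", authority.new_nonce()))
    # a previously accepted report presented again
    replayed = module.measure_and_report("vm-1", image, authority.new_nonce())
    authority.verify(replayed)
    results["replay"] = authority.verify(replayed)
    # report produced by a host whose security module the authority does not trust
    rogue = SecurityModule(secrets.token_bytes(32))
    results["forged"] = authority.verify(rogue.measure_and_report("vm-1", image, authority.new_nonce()))
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:9s} valid={outcome[0]} secret={outcome[1]!r}")
```

    Only the untampered guest receives the secret; a modified image, a replayed report, and a report from an untrusted module all fail closed. In a deployment the tag would be a signature chained to the vendor's hardware root of trust, and the secret would carry the TLS material the guest uses in the next step.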

    METHOD FOR ACCESSING APPLICATION LOGS WITHIN VIRTUAL MACHINES BASED ON OPERATOR-DEFINED CRITERIA

    Publication number: US20210311761A1

    Publication date: 2021-10-07

    Application number: US16838597

    Application date: 2020-04-02

    Applicant: VMware, Inc.

    Abstract: Log information is retrieved from a log of a container running in a virtual machine in response to a request for the log information, by accessing a virtual disk of the virtual machine, reading the log of the container from the virtual disk and preparing the requested log information from the log, and transmitting the requested log information to a virtual machine (VM) management process running in a host computer of the virtual machine for the VM management process to forward to a requestor of the log information. Alternatively, log data of the container running in the virtual machine may be streamed to the VM management process over a virtual socket communication channel that is established between the virtual machine and the VM management process.

    INTROSPECTION INTO WORKLOADS RUNNING WITHIN VIRTUAL MACHINES

    Publication number: US20210311757A1

    Publication date: 2021-10-07

    Application number: US16838432

    Application date: 2020-04-02

    Applicant: VMware, Inc.

    Abstract: Introspection into containers running in virtual machines (VMs) that are instantiated on a host computer is achieved. A method of processing an introspection command for a container, running in a virtual machine, is carried out by a VM management process, and includes the steps of receiving a first request that is formulated according to a first protocol, e.g., transmission control protocol, and includes the introspection command, identifying the virtual machine from the first request, formulating a second request that includes the introspection command, according to a second protocol (e.g., virtual socket protocol), and transmitting the second request to a container management process running in the virtual machine for the container management process to execute the introspection command.
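    The two-protocol relay in the abstract above (a TCP request naming the VM arrives at the VM management process, which reformulates it and forwards it over a virtual socket to the container management process in the guest) is shown below as an added example written for this page, not VMware's code. A Unix socket pair stands in for the virtual socket, the request and response encoding (length-prefixed JSON) and the allowlist of introspection commands are assumptions of the example, and the container table is constructed sample data.

```python
"""Relay of an introspection command from a TCP-side request to a guest over
a socket-pair standing in for a virtual socket (constructed example)."""
import json
import socket
import struct

# Assumption: only read-only introspection verbs are allowed through the relay.
ALLOWED_COMMANDS = {"ps", "env"}


def _send(sock: socket.socket, obj: dict) -> None:
    data = json.dumps(obj).encode()
    sock.sendall(struct.pack("!I", len(data)) + data)


def _recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed")
        buf += chunk
    return buf


def _recv(sock: socket.socket) -> dict:
    (length,) = struct.unpack("!I", _recv_exact(sock, 4))
    return json.loads(_recv_exact(sock, length))


class ContainerManagementProcess:
    """Guest side: executes the second request against a constructed container table."""

    def __init__(self, vsock: socket.socket, containers: dict):
        self.vsock = vsock
        self.containers = containers

    def serve_one(self) -> None:
        req = _recv(self.vsock)
        container = self.containers.get(req.get("container"))
        if container is None:
            _send(self.vsock, {"ok": False, "error": "no such container"})
        elif req.get("command") == "ps":
            _send(self.vsock, {"ok": True, "result": container["processes"]})
        elif req.get("command") == "env":
            _send(self.vsock, {"ok": True, "result": container["env"]})
        else:
            _send(self.vsock, {"ok": False, "error": "unsupported command"})


class VMManagementProcess:
    """Host side: receives the first (TCP-style) request, picks the VM, relays the second request."""

    def __init__(self):
        self.vms = {}  # vm_id -> (host end of the virtual socket, guest process)

    def attach_vm(self, vm_id: str, containers: dict) -> None:
        host_end, guest_end = socket.socketpair()   # stands in for a vsock connection
        self.vms[vm_id] = (host_end, ContainerManagementProcess(guest_end, containers))

    def handle_tcp_request(self, raw: bytes) -> dict:
        try:
            req = json.loads(raw)
            vm_id, command, container = req["vm"], req["command"], req["container"]
        except (ValueError, KeyError, TypeError):
            return {"ok": False, "error": "malformed request"}
        if command not in ALLOWED_COMMANDS:           # validate before anything reaches the guest
            return {"ok": False, "error": "command not allowed"}
        entry = self.vms.get(vm_id)                    # identify the VM from the first request
        if entry is None:
            return {"ok": False, "error": "unknown vm"}
        host_end, guest = entry
        _send(host_end, {"command": command, "container": container})  # second request, second protocol
        guest.serve_one()                              # synchronous here; a real guest runs concurrently
        return _recv(host_end)


def demo() -> dict:
    """Relay a valid command plus three rejected requests; returns each response."""
    vmm = VMManagementProcess()
    vmm.attach_vm("pod-vm-7", {"web": {"processes": ["nginx", "php-fpm"], "env": {"PORT": "8080"}}})
    return {
        "ps": vmm.handle_tcp_request(b'{"vm":"pod-vm-7","container":"web","command":"ps"}'),
        "exec": vmm.handle_tcp_request(b'{"vm":"pod-vm-7","container":"web","command":"exec"}'),
        "unknown_vm": vmm.handle_tcp_request(b'{"vm":"pod-vm-9","container":"web","command":"ps"}'),
        "garbage": vmm.handle_tcp_request(b"not json"),
    }


if __name__ == "__main__":
    for name, response in demo().items():
        print(name, response)
```

    The relay is the trust boundary between the management network and the guest, so the example validates the command and resolves the VM on the host side before forwarding; the guest side still checks the container name and command independently rather than trusting the host's filtering.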
