Managing virtual machines with system-wide policies

US 8,015,563 B2
Filed: 04/14/2006
Issued: 09/06/2011
Est. Priority Date: 04/14/2006
Status: Active Grant

First Claim

Patent Images

1. A method for automatically managing the creation and operation of a virtual machine, comprising:

receiving electronic control instructions from a virtual machine authority, the control instructions comprising a policy setting, the policy setting authorizing a creation of a virtual machine or an operation of a virtual machine;

storing the policy setting in a configuration store;

receiving a user request to create the virtual machine in accordance with a parameter;

determining from the policy setting that the user request can be granted;

sending a first instruction to a virtual machine host, the virtual machine host creates the virtual machine in accordance with a parameter in response to receiving the first instruction;

identifying that the virtual machine at the virtual machine host is unauthorized to execute upon the virtual machine host because the virtual machine is operating outside of the policy setting in the configuration store; and

sending a second instruction to the virtual machine host, in response to determining that the virtual machine is unauthorized, the virtual machine host halts the virtual machine from further operation, pauses the virtual machine, or deletes the virtual machine in response to receiving the second instruction.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An administrative authority for virtual machines can send one or more delegated policy settings to a virtual machine manager. The virtual machine manager can in turn send management instructions that include the one or more policy settings to one or more virtual machine hosts. As such, a user'"'"'s request for a virtual machine at a virtual machine host can be granted or denied based on the delegated policy settings. The policy settings can be updated periodically, and can include additional information about starting, stopping, expiring, saving, or even deleting virtual machines by particular users, as well as users accessing from particular locations. In addition, an agent operating at the virtual machine host can monitor and report virtual machine activity, to ensure unauthorized virtual machines are quickly stopped and reviewed until authorized.

144 Citations

19 Claims

1. A method for automatically managing the creation and operation of a virtual machine, comprising:
- receiving electronic control instructions from a virtual machine authority, the control instructions comprising a policy setting, the policy setting authorizing a creation of a virtual machine or an operation of a virtual machine;
  
  storing the policy setting in a configuration store;
  
  receiving a user request to create the virtual machine in accordance with a parameter;
  
  determining from the policy setting that the user request can be granted;
  
  sending a first instruction to a virtual machine host, the virtual machine host creates the virtual machine in accordance with a parameter in response to receiving the first instruction;
  
  identifying that the virtual machine at the virtual machine host is unauthorized to execute upon the virtual machine host because the virtual machine is operating outside of the policy setting in the configuration store; and
  
  sending a second instruction to the virtual machine host, in response to determining that the virtual machine is unauthorized, the virtual machine host halts the virtual machine from further operation, pauses the virtual machine, or deletes the virtual machine in response to receiving the second instruction.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14)
- - 2. The method as recited in claim 1, wherein a virtual machine manager executing on a first physical machine performs the operation of receiving electronic control instructions, and the virtual machine host comprises a second physical machine.
  - 3. The method as recited in claim 1, wherein the policy setting limits operation of the virtual machine at the virtual machine host to any of a storage, memory, or processing resource parameter.
  - 4. The method as recited in claim 1, further comprising:
    - receiving a change to the policy setting from the virtual machine authority.
  - 5. The method as recited in claim 4, further comprising:
    - sending electronic updated management instructions to the virtual machine host, the updated management instructions restricting the virtual machine host differently from the prior management instructions.
  - 6. The method as recited in claim 4, wherein the policy setting defines:
    - a user that can create a virtual machine at the virtual machine host;
      
      a user that can share the virtual machine;
      
      a user that can modify the configuration of the virtual machine;
      
      ora role for a user.
  - 7. The method as recited in claim 4, wherein the policy setting defines:
    - a user that can start operation of a virtual machine at the virtual machine host;
      
      a user that can pause operation of a virtual machine at the virtual machine host;
      
      a user that can resume operation of a virtual machine at the virtual machine host;
      
      ora user that can stop operation of a virtual machine at the virtual machine host.
  - 8. The method as recited in claim 4, wherein the one or more policy settings define at least one of:
    - a user that can save a virtual machine to a virtual machine library;
      
      ora user that can delete a virtual machine from the virtual machine library.
  - 9. The method as recited in claim 4, wherein the policy setting defines an expiration point for the virtual machine at the virtual machine host.
  - 10. The method as recited in claim 4, wherein the policy setting restricts a user to accessing the virtual machine at the virtual machine host from a geographic boundary, a local area network boundary, or a wide area network boundary.
  - 11. The method as recited in claim 4, wherein the virtual machine host is a member of a virtual machine host group that includes a second virtual machine host;
    - wherein the virtual machine manager sends the management instructions to the virtual machine host or the second virtual machine host.
  - 12. The method as recited in claim 11, wherein a user has a first privilege at the virtual machine host, and a second privilege at the second virtual machine host, the user having an aggregation of privileges for the host group comprising the first privilege and the second privilege.
  - 13. The method as recited in claim 1, further comprising:
    - identifying that a second virtual machine at the virtual machine host is unauthorized to execute upon the virtual machine host because the second virtual machine is an unknown virtual machine.
  - 14. The method as recited in claim 1, further comprising:
    - releasing the virtual machine upon identifying that the virtual machine is operating in accordance with an update to the policy setting.

15. A system for automatically managing the creation and operation of a virtual machine, comprising:
- a processor;
  
  a memory communicatively coupled to the processor when the system is operational, the memory bearing instructions that, upon execution by the processor, cause the processor to perform operations comprising;
  
  receiving electronic management instructions from a virtual machine manager, the management instructions comprising a policy setting for a virtual machine host, the policy setting authorizing a creation of a virtual machine or an operation of a virtual machine;
  
  receiving a request to create a virtual machine in accordance with a parameter;
  
  identifying from the policy setting that the request can be granted;
  
  creating the virtual machine in accordance with the request;
  
  identifying an operational characteristic of the virtual machine installed at the virtual machine host;
  
  identifying that the virtual machine at the virtual machine host is unauthorized to execute on the virtual machine host because the operational characteristic of the virtual machine is operating outside of the policy setting; and
  
  halting the virtual machine from further operation, pausing the virtual machine, or deleting the virtual machine in response to determining that the virtual machine is unauthorized.
- View Dependent Claims (16, 17, 18)
- - 16. The system as recited in claim 15, wherein the memory further bears instructions that, upon execution by the processor, cause the processor to perform operations comprising:
    - sending the operating characteristic to the virtual machine manager; and
      
      receiving an electronic instruction to halt operation of the virtual machine.
  - 17. The system as recited in claim 15, wherein a single physical machine comprises both the virtual machine host and the virtual machine manager.
  - 18. The system as recited in claim 15, wherein the memory further bears instructions that, upon execution by the processor, cause the processor to perform operations comprising:
    - receiving the request to create the virtual machine through a web interface provided by the virtual machine host.

19. A computer-readable storage medium having computer-executable instructions stored thereon that upon execution by a processor cause the creation and operation a virtual machine through delegated authority the acts comprising:
- receiving electronic control instructions from a virtual machine authority, the control instructions comprising a policy setting, the policy setting authorizing a creation of a virtual machine or an operation of a virtual machine;
  
  passing the policy setting to a configuration store;
  
  receiving a user request to create the virtual machine in accordance with a parameter;
  
  determining from the policy setting that the user request can be granted;
  
  sending a first instruction to a virtual machine host, the virtual machine host creates the virtual machine in accordance with a parameter in response to receiving the first instruction;
  
  identifying that the virtual machine at the virtual machine host is unauthorized to execute upon the virtual machine host because the virtual machine is operating outside of the policy setting in the configuration store; and
  
  sending a second instruction to the virtual machine host, in response to determining that the virtual machine is unauthorized, the virtual machine host halts the virtual machine from further operation, pauses the virtual machine, or deletes the virtual machine in response to receiving the second instruction.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
ServiceNow Incorporated
Original Assignee
Microsoft Corporation
Inventors
Yourtee, Kendra, Araujo, Nelson Sampaio Jr., Wahlert, Brian, Giberson, Lloyd Gene, Polonsky, Eugene, Monterrubio, Angel, Parry, John Chad, Dhasmana, Abhishek
Primary Examiner(s)
An; Meng
Assistant Examiner(s)
KUMABE, BLAKE K

Application Number

US11/404,361
Publication Number

US 20070250833A1
Time in Patent Office

1,971 Days
Field of Search

718/1, 713/1
US Class Current

718/1
CPC Class Codes

G06F 2009/45562   Creating, deleting, cloning...

G06F 2009/45587   Isolation or security of vi...

G06F 21/6218   to a system of files or obj...

G06F 9/45558   Hypervisor-specific managem...

Managing virtual machines with system-wide policies

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

144 Citations

19 Claims

Specification

Use Cases

Quick Links

Others

Managing virtual machines with system-wide policies

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

144 Citations

19 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others