Enforcement of compliance policies in managed virtual systems

US 8,949,825 B1
Filed: 10/17/2006
Issued: 02/03/2015
Est. Priority Date: 10/17/2006
Status: Active Grant

First Claim

Patent Images

1. An apparatus for enforcing a policy associated with a virtual machine, the apparatus comprising:

a memory device storing instructions; and

a computing device communicatively coupled to a newly created virtual machine, the computing device including a processor operably coupled to the memory device, the processor executing the instructions to;

receive a virtual machine event request, wherein the virtual machine event request includes a start virtual machine request for the virtual machine, which is prevented from being started from when the virtual machine is newly created until the virtual machine is determined to be compliant with a plurality of compliance based schemes;

receive first data from within the virtual machine in response to receiving the virtual machine event request;

receive second different data from an environment outside the virtual machine in response to receiving the virtual machine event request;

determine whether an internal non-compliance by the virtual machine of a first policy-based compliance scheme exists based on the first data;

determine whether an external non-compliance by the virtual machine as provided in the environment of a second different policy-based compliance scheme exists based on the second different data; and

in response to determining that at least one of an internal non-compliance and an external non-compliance exists, deny the virtual machine event request.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Techniques are disclosed for controlling and managing virtual machines and other such virtual systems. VM execution approval is based on compliance with policies controlling various aspects of VM. The techniques can be employed to benefit all virtual environments, such as virtual machines, virtual appliances, and virtual applications. For ease of discussion herein, assume that a virtual machine (VM) represents each of these environments. In one particular embodiment, a systems management partition (SMP) is created inside the VM to provide a persistent and resilient storage for management information (e.g., logical and physical VM metadata). The SMP can also be used as a staging area for installing additional content or agentry on the VM when the VM is executed. Remote storage of management information can also be used. The VM management information can then be made available for pre-execution processing, including policy-based compliance testing.

Citations

14 Claims

1. An apparatus for enforcing a policy associated with a virtual machine, the apparatus comprising:
- a memory device storing instructions; and
  
  a computing device communicatively coupled to a newly created virtual machine, the computing device including a processor operably coupled to the memory device, the processor executing the instructions to;
  
  receive a virtual machine event request, wherein the virtual machine event request includes a start virtual machine request for the virtual machine, which is prevented from being started from when the virtual machine is newly created until the virtual machine is determined to be compliant with a plurality of compliance based schemes;
  
  receive first data from within the virtual machine in response to receiving the virtual machine event request;
  
  receive second different data from an environment outside the virtual machine in response to receiving the virtual machine event request;
  
  determine whether an internal non-compliance by the virtual machine of a first policy-based compliance scheme exists based on the first data;
  
  determine whether an external non-compliance by the virtual machine as provided in the environment of a second different policy-based compliance scheme exists based on the second different data; and
  
  in response to determining that at least one of an internal non-compliance and an external non-compliance exists, deny the virtual machine event request.
- View Dependent Claims (2, 3, 4)
- - 2. The apparatus of claim 1, wherein the internal non-compliance includes at least one of software that has not been installed on the virtual machine, software that has been removed from the virtual machine, and software that has not been updated on the virtual machine.
  - 3. The apparatus of claim 1, wherein the virtual machine is at least one of a virtual application and a virtual appliance.
  - 4. The apparatus of claim 1, wherein the environment is at least one of a virtual machine manager, a host environment, a management agent, and an execution platform.

5. A computer implemented method for enforcing a policy associated with a virtual machine, comprising:
- storing a plurality of policies associated with a newly created virtual machine, including at least a first policy and a second policy, the virtual machine including;
  
  at least one virtual disk, andat least one configuration file;
  
  receiving a virtual machine event request, wherein the virtual machine event request includes a start virtual machine request for the virtual machine, which is prevented from being started from when the virtual machine is newly created until the virtual machine is determined to be compliant with a plurality of compliance based schemes; and
  
  enforcing the plurality of policies associated with the virtual machine, after the virtual machine event request is received and prior to executing the virtual machine, by;
  
  receiving first data from within the virtual machine in response to receiving the virtual machine event request;
  
  applying the first policy to the first data to determine whether non-compliance exists within the first virtual machine of the first policy;
  
  receiving second data from outside the virtual machine in response to receiving the virtual machine event request;
  
  applying the second policy to the second data to determine whether non-compliance exists outside the first virtual machine of the second policy; and
  
  in response to determining that non-compliance exists at least one of within the first virtual machine and outside the first virtual machine, denying the virtual machine event request.
- View Dependent Claims (6, 7, 8, 9, 10, 11, 12, 13)
- - 6. The computer implemented method of claim 5, wherein at least one of applying the first policy to the first data and applying the second policy to the second data includes performing a pattern matching comparison.
  - 7. The computer implemented method of claim 6, wherein the pattern matching comparison is an exact pattern matching comparison.
  - 8. The computer implemented method of claim 6, wherein the pattern matching comparison is a fuzzy pattern matching comparison.
  - 9. The computer implemented method of claim 5, wherein the first data received from within the virtual machine is content metadata associated with the first virtual machine.
  - 10. The computer implemented method of claim 9, wherein applying the first policy to the first data includes comparing at least one signature of the first data against at least one signature based policy.
  - 11. The computer implemented method of claim 5, wherein signatures used for comparison are computed using at least one hashing function.
  - 12. The computer implemented method of claim 5, wherein the second data received from outside the virtual machine is at least one of registry data associated with the first virtual machine and license data associated with the first virtual machine.
  - 13. The computer implemented method of claim 5, wherein the request is denied in response to an execution platform being non-compliant.

14. A system for enforcing a policy associated with a virtual machine, the system comprising:
- at least one processor; and
  
  at least one computer readable medium encoded with instructions, which when executed by the at least one processor, cause the at least one processor to;
  
  store a plurality of policies associated with a newly created virtual machine, including at least a first policy and a second policy, the virtual machine including;
  
  at least one virtual disk, andat least one configuration file;
  
  receive a virtual machine event request, wherein the virtual machine event request includes a start virtual machine request for the virtual machine, which is prevented from being started from when the virtual machine is newly created until the virtual machine is determined to be compliant with a plurality of compliance based schemes; and
  
  enforce the plurality of policies associated with the virtual machine, after the virtual machine event request is received and prior to executing the virtual machine, by;
  
  receiving first data from within the virtual machine in response to receiving the virtual machine event request;
  
  applying the first policy to the first data to determine whether non-compliance exists within the first virtual machine of the first policy;
  
  receiving second data from outside the virtual machine in response to receiving the virtual machine event request;
  
  applying the second policy to the second data to determine whether non-compliance exists outside the first virtual machine of the second policy; and
  
  in response to determining that non-compliance exists at least one of within the first virtual machine and outside the first virtual machine, denying the virtual machine event request.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Red Hat, Inc. (International Business Machines Corporation)
Original Assignee
ManageIQ, Inc. (International Business Machines Corporation)
Inventors
Fitzgerald, Joseph, Barenboim, Oleg
Primary Examiner(s)
Wai, Eric C

Application Number

US11/550,364
Time in Patent Office

3,031 Days
Field of Search
US Class Current

718/1
CPC Class Codes

G06F 11/0712   in a virtual computing plat...

G06F 11/0727   in a storage system, e.g. i...

G06F 11/0751   Error or fault detection no...

G06F 11/0766   Error or fault reporting or...

G06F 11/0793   Remedial or corrective acti...

G06F 16/188   Virtual file systems

G06F 21/53   by executing in a restricte...

G06F 9/45533   Hypervisors; Virtual machin...

G06F 9/45537   Provision of facilities of ...

Enforcement of compliance policies in managed virtual systems

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

14 Claims

Specification

Solutions

Use Cases

Quick Links

Enforcement of compliance policies in managed virtual systems

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

14 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links