Enforcement of compliance policies in managed virtual systems

US 9,563,460 B2
Filed: 04/20/2015
Issued: 02/07/2017
Est. Priority Date: 10/17/2006
Status: Active Grant

First Claim

Patent Images

1. An apparatus for enforcing a policy associated with a virtual appliance, the apparatus comprising:

a memory device storing instructions; and

a computing device communicatively coupled to a virtual appliance, the computing device including a processor operably coupled to the memory device, the processor executing the instructions to;

receive a virtual appliance event request;

receive first data from within the virtual appliance in response to receiving the virtual appliance event request, wherein the first data was extracted from within the virtual appliance prior to receiving the virtual appliance event request, and the first data was stored prior to receiving the virtual appliance event request for later processing after receiving the virtual appliance event request;

receive second different data from an environment outside the virtual appliance in response to receiving the virtual appliance event request;

determine whether an internal non-compliance by the virtual appliance of a first policy-based compliance scheme exists based on the first data that was stored prior to receiving the virtual appliance event request;

determine whether an external non-compliance by the virtual appliance as provided in the environment of a second different policy-based compliance scheme exists based on the second different data; and

in response to determining that at least one of an internal non-compliance and an external non-compliance exists, deny the virtual appliance event request.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Techniques are disclosed for controlling and managing virtual machines and other such virtual systems. VM execution approval is based on compliance with policies controlling various aspects of VM. The techniques can be employed to benefit all virtual environments, such as virtual machines, virtual appliances, and virtual applications. For ease of discussion herein, assume that a virtual machine (VM) represents each of these environments. In one particular embodiment, a systems management partition (SMP) is created inside the VM to provide a persistent and resilient storage for management information (e.g., logical and physical VM metadata). The SMP can also be used as a staging area for installing additional content or agentry on the VM when the VM is executed. Remote storage of management information can also be used. The VM management information can then be made available for pre-execution processing, including policy-based compliance testing.

Citations

20 Claims

1. An apparatus for enforcing a policy associated with a virtual appliance, the apparatus comprising:
- a memory device storing instructions; and
  
  a computing device communicatively coupled to a virtual appliance, the computing device including a processor operably coupled to the memory device, the processor executing the instructions to;
  
  receive a virtual appliance event request;
  
  receive first data from within the virtual appliance in response to receiving the virtual appliance event request, wherein the first data was extracted from within the virtual appliance prior to receiving the virtual appliance event request, and the first data was stored prior to receiving the virtual appliance event request for later processing after receiving the virtual appliance event request;
  
  receive second different data from an environment outside the virtual appliance in response to receiving the virtual appliance event request;
  
  determine whether an internal non-compliance by the virtual appliance of a first policy-based compliance scheme exists based on the first data that was stored prior to receiving the virtual appliance event request;
  
  determine whether an external non-compliance by the virtual appliance as provided in the environment of a second different policy-based compliance scheme exists based on the second different data; and
  
  in response to determining that at least one of an internal non-compliance and an external non-compliance exists, deny the virtual appliance event request.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The apparatus of claim 1, wherein the virtual appliance event request includes a stop virtual appliance request.
  - 3. The apparatus of claim 1, wherein the virtual appliance event request includes a pause virtual appliance request.
  - 4. The apparatus of claim 1, wherein the virtual appliance event request includes a move virtual appliance request.
  - 5. The apparatus of claim 1, wherein the virtual appliance event request includes a clone virtual appliance request.
  - 6. The apparatus of claim 1, wherein the virtual appliance event request includes a create new virtual appliance request.
  - 7. The apparatus of claim 1, wherein the virtual appliance event request includes a deploy virtual appliance from template request.
  - 8. The apparatus of claim 1, wherein the internal non-compliance includes at least one of software that has not been installed on the virtual appliance, software that has been removed from the virtual appliance, and software that has not been updated on the virtual appliance.
  - 9. The apparatus of claim 1, wherein the environment is at least one of a virtual machine manager, a host environment, a management agent, and an execution platform.

10. A computer implemented method for enforcing a policy associated with a virtual appliance, the method comprising:
- receiving a virtual appliance event request;
  
  receiving first data from within the virtual appliance in response to receiving the virtual appliance event request, wherein the first data was extracted from within the virtual appliance prior to receiving the virtual appliance event request, and the first data was stored prior to receiving the virtual appliance event request for later processing after receiving the virtual appliance event request;
  
  receiving second different data from an environment outside the virtual appliance in response to receiving the virtual appliance event request;
  
  determining whether an internal non-compliance by the virtual appliance of a first policy-based compliance scheme exists based on the first data that was stored prior to receiving the virtual appliance event request;
  
  determining whether an external non-compliance by the virtual appliance as provided in the environment of a second different policy-based compliance scheme exists based on the second different data; and
  
  in response to determining that at least one of an internal non-compliance and an external non-compliance exists, denying the virtual appliance event request.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18)
- - 11. The computer implemented method of claim 10, wherein the virtual appliance event request includes a stop virtual appliance request.
  - 12. The computer implemented method of claim 10, wherein the virtual appliance event request includes a pause virtual appliance request.
  - 13. The computer implemented method of claim 10, wherein the virtual appliance event request includes a move virtual appliance request.
  - 14. The computer implemented method of claim 10, wherein the virtual appliance event request includes a clone virtual appliance request.
  - 15. The computer implemented method of claim 10, wherein the virtual appliance event request includes a create new virtual appliance request.
  - 16. The computer implemented method of claim 10, wherein the virtual appliance event request includes a deploy virtual appliance from template request.
  - 17. The computer implemented method of claim 10, wherein the internal non-compliance includes at least one of software that has not been installed on the virtual appliance, software that has been removed from the virtual appliance, and software that has not been updated on the virtual appliance.
  - 18. The computer implemented method of claim 10, wherein the environment is at least one of a virtual machine manager, a host environment, a management agent, and an execution platform.

19. A non-transitory computer readable medium storing instructions for enforcing a policy associated with a virtual appliance, which when executed by a processor, cause the processor to:
- receive a virtual appliance event request;
  
  receive first data from within the virtual appliance in response to receiving the virtual appliance event request, wherein the first data was extracted from within the virtual appliance prior to receiving the virtual appliance event request, and the first data was stored prior to receiving the virtual appliance event request for later processing after receiving the virtual appliance event request;
  
  receive second different data from an environment outside the virtual appliance in response to receiving the virtual appliance event request;
  
  determine whether an internal non-compliance by the virtual appliance of a first policy-based compliance scheme exists based on the first data that was stored prior to receiving the virtual appliance event request;
  
  determine whether an external non-compliance by the virtual appliance as provided in the environment of a second different policy-based compliance scheme exists based on the second different data; and
  
  in response to determining that at least one of an internal non-compliance and an external non-compliance exists, deny the virtual appliance event request.
- View Dependent Claims (20)
- - 20. The non-transitory computer readable medium of claim 19, wherein determining at least one of the internal non-compliance and the external non-compliance includes computing signatures used for comparison using at least one hashing function.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Red Hat, Inc. (International Business Machines Corporation)
Original Assignee
ManageIQ, Inc. (International Business Machines Corporation)
Inventors
Fitzgerald, Joseph, Barenboim, Oleg
Primary Examiner(s)
Wai, Eric C

Application Number

US14/691,034
Publication Number

US 20150227386A1
Time in Patent Office

659 Days
Field of Search

None
US Class Current

1/1
CPC Class Codes

G06F 11/0712   in a virtual computing plat...

G06F 11/0727   in a storage system, e.g. i...

G06F 11/0751   Error or fault detection no...

G06F 11/0766   Error or fault reporting or...

G06F 11/0793   Remedial or corrective acti...

G06F 2009/4557   Distribution of virtual mac...

G06F 2009/45587   Isolation or security of vi...

G06F 9/45537   Provision of facilities of ...

G06F 9/45558   Hypervisor-specific managem...

G06F 9/542   Event management; Broadcast...

Enforcement of compliance policies in managed virtual systems

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Enforcement of compliance policies in managed virtual systems

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links