Adapt a virtual machine to comply with system enforced policies and derive an optimized variant of the adapted virtual machine

US 9,697,019 B1
Filed: 10/17/2006
Issued: 07/04/2017
Est. Priority Date: 10/17/2006
Status: Active Grant

First Claim

Patent Images

1. An apparatus for enforcing policies to manage and control one or more virtual machines, the apparatus comprising:

a memory storing instructions; and

a processor operably coupled to the memory, the processor configured to execute the instructions to;

receive a virtual machine event request, wherein the virtual machine event request includes a start virtual machine request of a first virtual machine;

detect non-compliance of the first virtual machine in a pre-execution state by applying a policy-based compliance scheme of a managed system in response to receiving the virtual machine event request, wherein the policy-based compliance scheme of the managed system includes a plurality of compliance policies which are defined to enforce system wide control of execution of virtual machines within the managed system;

adapt the first virtual machine in the pre-execution state to comply with the policy-based compliance scheme;

process the virtual machine event request after adapting the first virtual machine;

detect non-compliance of the first virtual machine in a post-execution state;

adapt the first virtual machine in the post-execution state to comply with the policy-based compliance scheme; and

analyze adaptations made to the first virtual machine in the post-execution state and derive a new optimized variant virtual machine that has at least one adaptation different from (i) the first virtual machine in the pre-execution state and (ii) the adapted first virtual machine in the post-execution state, to create a second different virtual machine, wherein deriving the new optimized variant virtual machine comprises analyzing adaptations made to respective virtual machines of a virtual machine group in post-execution states, wherein the virtual machine group comprises the adapted first virtual machine and multiple other virtual machines, and based on the analyzing, adapting the virtual machine group including the adapted first virtual machine based on commonality of adaptations made to the virtual machine group after a single or multiple executions of each virtual machine in the virtual machine group.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Techniques are disclosed for controlling and managing virtual machines and other such virtual systems. VM execution approval is based on compliance with policies controlling various aspects of VM. The techniques can be employed to benefit all virtual environments, such as virtual machines, virtual appliances, and virtual applications. For ease of discussion herein, assume that a virtual machine (VM) represents each of these environments. In one particular embodiment, a systems management partition (SMP) is created inside the VM to provide a persistent and resilient storage for management information (e.g., logical and physical VM metadata). The SMP can also be used as a staging area for installing additional content or agentry on the VM when the VM is executed. Remote storage of management information can also be used. The VM management information can then be made available for pre-execution processing, including policy-based compliance testing.

Citations

25 Claims

1. An apparatus for enforcing policies to manage and control one or more virtual machines, the apparatus comprising:
- a memory storing instructions; and
  
  a processor operably coupled to the memory, the processor configured to execute the instructions to;
  
  receive a virtual machine event request, wherein the virtual machine event request includes a start virtual machine request of a first virtual machine;
  
  detect non-compliance of the first virtual machine in a pre-execution state by applying a policy-based compliance scheme of a managed system in response to receiving the virtual machine event request, wherein the policy-based compliance scheme of the managed system includes a plurality of compliance policies which are defined to enforce system wide control of execution of virtual machines within the managed system;
  
  adapt the first virtual machine in the pre-execution state to comply with the policy-based compliance scheme;
  
  process the virtual machine event request after adapting the first virtual machine;
  
  detect non-compliance of the first virtual machine in a post-execution state;
  
  adapt the first virtual machine in the post-execution state to comply with the policy-based compliance scheme; and
  
  analyze adaptations made to the first virtual machine in the post-execution state and derive a new optimized variant virtual machine that has at least one adaptation different from (i) the first virtual machine in the pre-execution state and (ii) the adapted first virtual machine in the post-execution state, to create a second different virtual machine, wherein deriving the new optimized variant virtual machine comprises analyzing adaptations made to respective virtual machines of a virtual machine group in post-execution states, wherein the virtual machine group comprises the adapted first virtual machine and multiple other virtual machines, and based on the analyzing, adapting the virtual machine group including the adapted first virtual machine based on commonality of adaptations made to the virtual machine group after a single or multiple executions of each virtual machine in the virtual machine group.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22)
- - 2. The apparatus of claim 1, wherein the non-compliance includes at least one of software that has not been installed on the first virtual machine, software that has been removed from the first virtual machine, and software that has not been updated on the first virtual machine.
  - 3. The apparatus of claim 1, wherein adapting the first virtual machine includes insertion of data into the first virtual machine.
  - 4. The apparatus of claim 1, wherein adapting the first virtual machine includes at least one of updating a virus definition, installing anti-virus software, installing a security patch, executing an anti-virus scanning application, removing malware, and disabling malware.
  - 5. The apparatus of claim 4, wherein the malware includes at least one of a virus, worm, trojan horse, rootkit, spyware, and adware.
  - 6. The apparatus of claim 1, wherein adapting the first virtual machine includes adjusting security settings associated with the first virtual machine.
  - 7. The apparatus of claim 1, wherein adapting the first virtual machine comprises deleting unauthorized content from the first virtual machine.
  - 8. The apparatus of claim 1, wherein adapting the first virtual machine includes at least one of obtaining necessary licensing associated with the first virtual machine and automatically issuing a notification to an administrator to obtain licensing associated with the first virtual machine.
  - 9. The apparatus of claim 1, wherein adapting the first virtual machine includes scheduling at least one of an agent and a process to carryout remedial action.
  - 10. The apparatus of claim 9, wherein scheduling at least one of an agent or process includes at least one of requesting, transferring, downloading, and installing at least one of security updates for the first virtual machine and security patches for the first virtual machine.
  - 11. The apparatus of claim 9, wherein scheduling at least one of an agent or process includes at least one of searching for and eradicating malware associated with the first virtual machine.
  - 12. The apparatus of claim 9, wherein scheduling at least one of an agent or process includes registering the first virtual machine for use in a managed system.
  - 13. The apparatus of claim 1, wherein adapting the first virtual machine includes restricting access permissions, so that the first virtual machine can only access certain content, resources, and areas of a managed system.
  - 14. The apparatus of claim 1, wherein adapting the first virtual machine includes at least one of adding, updating, and deleting user account information, so as to limit account authority associated with the first virtual machine.
  - 15. The apparatus of claim 1 wherein adapting the first virtual machine includes validating adaptations made to the first virtual machine.
  - 16. The apparatus of claim 15, wherein validating adaptations made includes repeating policy-based compliance testing that was used to determine the first virtual machine was non-compliant.
  - 17. The apparatus of claim 1, wherein the first virtual machine is at least one of a virtual application and a virtual appliance.
  - 18. The apparatus of claim 1, wherein the virtual machine group includes a plurality of virtual machines, and the computing device is programmed to include the at least one adaptation in the first virtual machine in the second different virtual machine if a quorum of the plurality of virtual machines have received the at least one adaptation.
  - 19. The apparatus of claim 1, wherein the adaptations made to the first virtual machine include at least a first adaptation which occurred a plurality of times during a plurality of executions of the first virtual machine.
  - 20. The apparatus of claim 19, wherein the first adaptation was consistently made during execution of the first virtual machine.
  - 21. The apparatus of claim 20, wherein the first adaptation is uninstalling an under-utilized application.
  - 22. The apparatus of claim 21, wherein the second different virtual machine is derived without the under-utilized application.

23. An apparatus for enforcing policies to manage and control one or more virtual machines, the apparatus comprising:
- a memory storing instructions; and
  
  a processor operably coupled to the memory, the processor configured to execute the instructions to;
  
  receive a virtual machine event request, wherein the virtual machine event request includes a start virtual machine request of a first virtual machine;
  
  detect non-compliance of the first virtual machine in a pre-execution state by applying a policy-based compliance scheme of a managed system in response to receiving the virtual machine event request, wherein the policy-based compliance scheme of the managed system includes a plurality of compliance policies which are defined to enforce system wide control of execution of virtual machines within the managed system;
  
  adapt the first virtual machine in the pre-execution state to comply with the policy-based compliance scheme;
  
  process the virtual machine event request after adapting the first virtual machine;
  
  detect non-compliance of the first virtual machine in a post-execution state;
  
  adapt the first virtual machine in the post-execution state to comply with the policy-based compliance scheme; and
  
  analyze adaptations made to the first virtual machine in the post-execution state and derive a new optimized variant virtual machine that has at least one adaptation different from (i) the first virtual machine in the pre-execution state and (ii) the adapted first virtual machine in the post-execution state, to create a plurality of different virtual machines including at least a second virtual machine and a third virtual machine, wherein deriving the new optimized variant virtual machine comprises analyzing adaptations made to respective virtual machines of a virtual machine group in post-execution states, wherein the virtual machine group comprises the adapted first virtual machine and multiple other virtual machines, and based on the analyzing, adapting the virtual machine group including the adapted first virtual machine based on commonality of adaptations made to the virtual machine group after a single or multiple executions of each virtual machine in the virtual machine group.
- View Dependent Claims (24)
- - 24. The apparatus of claim 23, wherein the second virtual machine is different from the third virtual machine.

25. A method of enforcing policies to manage and control one or more virtual machines, the method comprising:
- receiving a virtual machine event request, wherein the virtual machine event request includes a start virtual machine request of a first virtual machine;
  
  detecting non-compliance of the first virtual machine in a pre-execution state by applying a policy-based compliance scheme of a managed system in response to receiving the virtual machine event request, wherein the policy-based compliance scheme of the managed system includes a plurality of compliance policies which are defined to enforce system wide control of execution of virtual machines within the managed system;
  
  adapting the first virtual machine in the pre-execution state to comply with the policy-based compliance scheme;
  
  processing the virtual machine event request after adapting the first virtual machine;
  
  detecting non-compliance of the first virtual machine in a post-execution state;
  
  adapting the first virtual machine in the post-execution state to comply with the policy-based compliance scheme; and
  
  analyzing adaptations made to the first virtual machine in the post-execution state and derive a new optimized variant virtual machine that has at least one adaptation different from (i) the first virtual machine in the pre-execution state and (ii) the adapted first virtual machine in the post-execution state, to create a second different virtual machine, wherein deriving the new optimized variant virtual machine comprises analyzing adaptations made to respective virtual machines of a virtual machine group in post-execution states, wherein the virtual machine group comprises the adapted first virtual machine and multiple other virtual machines, and based on the analyzing, adapting the virtual machine group including the adapted first virtual machine based on commonality of adaptations made to the virtual machine group after a single or multiple executions of each virtual machine in the virtual machine group.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Red Hat, Inc. (International Business Machines Corporation)
Original Assignee
ManageIQ, Inc. (International Business Machines Corporation)
Inventors
Fitzgerald, Joseph, Barenboim, Oleg
Primary Examiner(s)
An, Meng
Assistant Examiner(s)
Arcos, Caroline H

Application Number

US11/550,348
Time in Patent Office

3,913 Days
Field of Search
US Class Current
CPC Class Codes

G06F 11/0712   in a virtual computing plat...

G06F 2009/45591   Monitoring or debugging sup...

G06F 21/52   during program execution, e...

G06F 21/57   Certifying or maintaining t...

G06F 21/577   Assessing vulnerabilities a...

G06F 9/455   Emulation; Interpretation; ...

G06F 9/45537   Provision of facilities of ...

G06F 9/45558   Hypervisor-specific managem...

G06F 9/5077   Logical partitioning of res...

H04L 41/08   Configuration management of...

H04L 41/0895   Configuration of virtualise...

H04L 41/40   using virtualisation of net...

Adapt a virtual machine to comply with system enforced policies and derive an optimized variant of the adapted virtual machine

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

25 Claims

Specification

Solutions

Use Cases

Quick Links

Adapt a virtual machine to comply with system enforced policies and derive an optimized variant of the adapted virtual machine

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

25 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links