Determining virtual adapter access controls in a computing environment

US 9,888,012 B2
Filed: 05/13/2016
Issued: 02/06/2018
Est. Priority Date: 03/14/2014
Status: Active Grant

First Claim

Patent Images

1. A computer program product, comprising:

a non-transitory computer readable storage medium readable by a processing circuit and storing instructions for execution by the processing circuit for performing a method comprising;

initiating, by a control component of a computing environment, sending of one or more requests over a network of the computing environment by an activated virtual adapter, the activated virtual adapter being hosted on a physical adapter of a host system coupled to the network, the activated virtual adapter for use by a guest, hosted by the host system, in performing data input and output, wherein the one or more requests retrieve, via responses provided to and received by the virtual adapter in response to the one or more requests, access control information from the network, the access control information indicative of one or more access controls enforced by the network in controlling access by the activated virtual adapter to one or more network components of the network, and wherein the initiating comprises the control component providing one or more indications to the physical adapter, absent involvement of the guest, that the one or more requests be sent by the virtual adapter;

based on the initiating, obtaining, by the control component, the access control information from the physical adapter, wherein the initiating, the sending of the one or more requests by the activated virtual adapter, and the obtaining occur absent involvement of the guest;

determining, by the control component, based on the obtained access control information, the one or more access controls being enforced by the network in controlling access by the activated virtual adapter to the one or more network components; and

initiating return of the virtual adapter to a state of the virtual adapter prior to the activating.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A control component of a computing environment initiates sending of request(s) over a network of the computing environment by an activated virtual adapter. The activated virtual adapter is hosted on a physical adapter of a host system coupled to the network, and is for use by a guest, hosted by the host system, in performing data input and output. The request(s) retrieve access control information from the network indicative of access control(s) enforced in controlling access by the activated virtual adapter to network component(s). The initiating provides indication(s) to the physical adapter, absent involvement of the guest, that the request(s) be sent by the virtual adapter. Based on the initiating, the control component obtains the access control information from the physical adapter, and determines, based on that information, the access control(s) being enforced by the network in controlling access by the activated virtual adapter to the network component(s).

Citations

19 Claims

1. A computer program product, comprising:
- a non-transitory computer readable storage medium readable by a processing circuit and storing instructions for execution by the processing circuit for performing a method comprising;
  
  initiating, by a control component of a computing environment, sending of one or more requests over a network of the computing environment by an activated virtual adapter, the activated virtual adapter being hosted on a physical adapter of a host system coupled to the network, the activated virtual adapter for use by a guest, hosted by the host system, in performing data input and output, wherein the one or more requests retrieve, via responses provided to and received by the virtual adapter in response to the one or more requests, access control information from the network, the access control information indicative of one or more access controls enforced by the network in controlling access by the activated virtual adapter to one or more network components of the network, and wherein the initiating comprises the control component providing one or more indications to the physical adapter, absent involvement of the guest, that the one or more requests be sent by the virtual adapter;
  
  based on the initiating, obtaining, by the control component, the access control information from the physical adapter, wherein the initiating, the sending of the one or more requests by the activated virtual adapter, and the obtaining occur absent involvement of the guest;
  
  determining, by the control component, based on the obtained access control information, the one or more access controls being enforced by the network in controlling access by the activated virtual adapter to the one or more network components; and
  
  initiating return of the virtual adapter to a state of the virtual adapter prior to the activating.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The computer program product of claim 1, wherein the initiating and the obtaining by the activated virtual adapter is non-disruptive of use of the activated virtual adapter by the guest in performing data input and output, and wherein use of the activated virtual adapter in performing data input and output by the guest is non-disruptive of the initiating and the obtaining by the control component.
  - 3. The computer program product of claim 1, wherein the initiating, obtaining, and determining occur prior to an initial program load of the guest.
  - 4. The computer program product of claim 1, wherein the host system is a separate system from the control component, wherein the host system executes on a first set of one or more processors and the control component executes on a second set of one or more processors different from the first set of one or more processors.
  - 5. The computer program product of claim 1, wherein the initiating initiates sending of a request, of the one or more requests, to log the activated virtual adapter into the network.
  - 6. The computer program product of claim 1, wherein the initiating initiates sending a request, of the one or more requests, to determine remote ports of the network that are accessible to the activated virtual adapter, wherein the retrieved access control information comprises an indication of one or more remote ports of the network that are accessible to the activated virtual adapter.
  - 7. The computer program product of claim 1, wherein the initiating initiates sending a request, of the one or more requests, to log into a remote port accessible to the activated virtual adapter.
  - 8. The computer program product of claim 1, wherein a remote port accessible to the activated virtual adapter is a remote port of a storage device hosting a storage array, wherein a logical unit of the storage array is indicated by a logical unit number, and wherein a request of the one or more requests comprises a logical unit number interrogation request.
  - 9. The computer program product of claim 1, wherein the one or more network components comprise a storage area network, and wherein the retrieved access control information comprises logical unit number masking data or zoning configuration data for controlling zones of the storage area network, wherein the determining determines one or more storage arrays to which the activated virtual adapter has access, or determines one or more zones of which the activated virtual adapter is a member.
  - 10. The computer program product of claim 1, wherein the determined one or more access controls comprise an access control preventing access by the activated virtual adapter to a network component of the one or more network components.
  - 11. The computer program product of claim 1, wherein the method further comprises:
    - determining, based on at least some of the obtained access control information, whether an access control of the determined one or more access controls is appropriate for controlling access by the activated virtual adapter to the one or more network components, wherein the determining is performed while the guest remains inactive; and
      
      based on determining that the access control is not appropriate for controlling access by the activated virtual adapter to the one or more network components, reconfiguring the activated virtual adapter or a network component of the network prior to activating the guest.
  - 12. The computer program product of claim 1, wherein the guest comprises a guest virtual machine hosted by the host system.

13. A computer system comprising:
- a memory; and
  
  a processor in communication with the memory, wherein the computer system is configured to perform a method, the method comprising;
  
  initiating, by a control component of a computing environment, sending of one or more requests over a network of the computing environment by an activated virtual adapter, the activated virtual adapter being hosted on a physical adapter of a host system coupled to the network, the activated virtual adapter for use by a guest, hosted by the host system, in performing data input and output, wherein the one or more requests retrieve, via responses provided to and received by the virtual adapter in response to the one or more requests, access control information from the network, the access control information indicative of one or more access controls enforced by the network in controlling access by the activated virtual adapter to one or more network components of the network, and wherein the initiating comprises the control component providing one or more indications to the physical adapter, absent involvement of the guest, that the one or more requests be sent by the virtual adapter;
  
  based on the initiating, obtaining, by the control component, the access control information from the physical adapter, wherein the initiating, the sending of the one or more requests by the activated virtual adapter, and the obtaining occur absent involvement of the guest;
  
  determining, by the control component, based on the obtained access control information, the one or more access controls being enforced by the network in controlling access by the activated virtual adapter to the one or more network components; and
  
  initiating return of the virtual adapter to a state of the virtual adapter prior to the activating.
- View Dependent Claims (14, 15, 16, 17, 18, 19)
- - 14. The system of claim 13, wherein the initiating, obtaining, and determining occur prior to an initial program load of the guest.
  - 15. The system of claim 13, wherein the initiating initiates sending a request, of the one or more requests, to determine remote ports of the network that are accessible to the activated virtual adapter, wherein the retrieved access control information comprises an indication of one or more remote ports of the network that are accessible to the activated virtual adapter.
  - 16. The system of claim 13, wherein the initiating initiates sending a request, of the one or more requests, to log into a remote port accessible to the activated virtual adapter.
  - 17. The system of claim 13, wherein a remote port accessible to the activated virtual adapter is a remote port of a storage device hosting a storage array, wherein a logical unit of the storage array is indicated by a logical unit number, and wherein a request of the one or more requests comprises a logical unit number interrogation request.
  - 18. The system of claim 13, wherein the one or more network components comprise a storage area network, and wherein the retrieved access control information comprises logical unit number masking data or zoning configuration data for controlling zones of the storage area network, wherein the determining determines one or more storage arrays to which the activated virtual adapter has access, or determines one or more zones of which the activated virtual adapter is a member.
  - 19. The system of claim 13, wherein the system is further configured to perform:
    - determining, based on at least some of the obtained access control information, whether an access control of the determined one or more access controls is appropriate for controlling access by the activated virtual adapter to the one or more network components, wherein the determining is performed while the guest remains inactive; and
      
      based on determining that the access control is not appropriate for controlling access by the activated virtual adapter to the one or more network components, reconfiguring the activated virtual adapter or a network component of the network prior to activating the guest.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Friedrich, Ralph, Higgs, Raymond M., Kuch, George P., Moore, Elizabeth A., Pandich, Johnathon R., Sczepczenski, Richard M.
Primary Examiner(s)
Chea, Philip
Assistant Examiner(s)
KHAN, HASSAN ABDUR-RAHMAN

Application Number

US15/154,225
Publication Number

US 20160255094A1
Time in Patent Office

634 Days
Field of Search

None
US Class Current
CPC Class Codes

G06F 2009/45595   Network integration; Enabli...

G06F 9/45545   Guest-host, i.e. hypervisor...

G06F 9/45558   Hypervisor-specific managem...

H04L 41/28   Restricting access to netwo...

H04L 49/3054   Auto-negotiation, e.g. acce...

H04L 49/354   for supporting virtual loca...

H04L 63/102   Entity profiles

Determining virtual adapter access controls in a computing environment

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Determining virtual adapter access controls in a computing environment

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links