U.S. patent application number 15/941114 was filed with the patent office on 2019-02-14 for technologies for providing efficient sharing of encrypted data in a disaggregated architecture.
The applicant listed for this patent is Intel Corporation. Invention is credited to Patrick Connor, Scott Dubal, James R. Hearn, Andrew J. Herdrich, Kapil Sood.
Application Number: 20190052457 (Appl. No. 15/941114)
Family ID: 65037934
Filed Date: 2019-02-14
United States Patent Application 20190052457, Kind Code A1
Connor, Patrick; et al.
February 14, 2019
TECHNOLOGIES FOR PROVIDING EFFICIENT SHARING OF ENCRYPTED DATA IN A
DISAGGREGATED ARCHITECTURE
Abstract
Technologies for providing efficient sharing of encrypted data
in a disaggregated architecture include a sled. The sled includes a
set of memory devices and a controller connected to the set of
memory devices. The memory controller is to receive, from a first
application executed by a compute sled, a data access request to
share a data set between the first application and a second
application. The data set is encrypted in one or more of the memory
devices. Additionally, the controller is to determine, in response
to the data access request, a key identifier that uniquely
identifies a key that is usable to perform cryptographic operations
on the data set. Further, the controller is to send, to an
encryption key manager, a request to provide the key corresponding
to the key identifier to be used by the second application to
decrypt the data set and send, to the second application, a handle
associated with an address in the set of memory devices where the
data set is located.
Inventors: Connor, Patrick (Beaverton, OR); Dubal, Scott (Beaverton, OR); Herdrich, Andrew J. (Hillsboro, OR); Hearn, James R. (Hillsboro, OR); Sood, Kapil (Portland, OR)
Applicant: Intel Corporation, Santa Clara, CA, US
Family ID: 65037934
Appl. No.: 15/941114
Filed: March 30, 2018
Related U.S. Patent Documents
Application Number | Filing Date | Patent Number
62584401 | Nov 10, 2017 |
Current U.S. Class: 1/1
Current CPC Class: G06F 3/0604 20130101; G06F 2209/509 20130101; G06F 9/5088 20130101; G06F 12/023 20130101; G06F 16/119 20190101; G06F 30/34 20200101; H04L 69/32 20130101; G06F 9/28 20130101; G06F 16/25 20190101; G06F 2212/601 20130101; G11C 29/44 20130101; H04L 69/22 20130101; G06F 9/4494 20180201; H04L 69/321 20130101; G06F 16/2365 20190101; H04L 41/0896 20130101; G06F 3/0613 20130101; G06F 3/0632 20130101; G06F 3/065 20130101; G06F 15/161 20130101; G06F 2201/85 20130101; G06F 2212/1052 20130101; G06F 13/42 20130101; G06F 16/2455 20190101; G06F 13/1663 20130101; G11C 8/12 20130101; H04L 41/0893 20130101; H04L 45/28 20130101; H04L 45/7453 20130101; G06F 3/0629 20130101; G11C 29/36 20130101; G06F 3/0631 20130101; G06F 9/4411 20130101; G06F 12/1054 20130101; H04L 9/0819 20130101; G06F 3/0605 20130101; G06F 12/0607 20130101; G11C 29/028 20130101; H04L 41/0677 20130101; G06F 3/0647 20130101; G06F 9/4401 20130101; H04L 41/0668 20130101; H04L 49/351 20130101; Y02D 10/00 20180101; G06F 9/5044 20130101; H04L 9/0894 20130101; G06F 3/0673 20130101; G06F 13/4068 20130101; G06F 15/17331 20130101; G06F 16/248 20190101; G06F 16/2255 20190101; H04L 69/12 20130101; G06F 2212/1044 20130101; G06F 16/221 20190101; G06F 16/2237 20190101; G06F 16/2282 20190101; G06F 3/0611 20130101; G06F 12/14 20130101; G06F 16/24553 20190101; G06F 9/445 20130101; G06F 12/06 20130101; G06F 13/1668 20130101; H04L 47/125 20130101; G06F 3/0659 20130101; G06F 2213/0064 20130101; G06F 3/067 20130101; G06F 3/0683 20130101; H04L 47/11 20130101; H04L 49/30 20130101; G06F 9/4406 20130101; G06F 12/1063 20130101; H04L 41/0213 20130101; G06F 3/0644 20130101; G06F 12/0802 20130101; G06F 16/9014 20190101; G06F 3/0685 20130101; G06F 16/2453 20190101; G11C 29/38 20130101; H04L 49/9005 20130101
International Class: H04L 9/08 20060101 H04L009/08; G06F 3/06 20060101 G06F003/06; G06F 12/06 20060101 G06F012/06; G06F 17/30 20060101 G06F017/30
Foreign Application Data
Date | Code | Application Number
Aug 30, 2017 | IN | 201741030632
Claims
1. A sled comprising: a set of memory devices; and a controller
connected to the set of memory devices, wherein the controller is
to: receive, from a first application executed by a compute sled, a
data access request to share a data set between the first
application and a second application, wherein the data set is
encrypted in one or more of the memory devices; determine, in
response to the data access request, a key identifier that uniquely
identifies a key that is usable to perform cryptographic operations
on the data set; send, to an encryption key manager, a request to
provide the key corresponding to the key identifier to be used by
the second application to decrypt the data set; and send, to the
second application, a handle associated with an address in the set
of memory devices where the data set is located.
2. The sled of claim 1, wherein the controller is further to:
determine whether the data set has been accessed with at least a
predefined frequency over a predefined period of time; move, in
response to a determination that the data set has not been accessed
with at least the predefined frequency over the predefined period
of time, the data set to a data storage device; and store, with the
data set, access control data indicative of credentials that are
usable to access the data set.
3. The sled of claim 1, wherein the controller is further to:
receive a request to migrate working data of the first application,
wherein the first application is to be moved from a first compute
sled to a second compute sled; and send, to the second compute
sled, a handle to the working data of the first application.
4. The sled of claim 1, wherein the sled is located in a data center
and the controller is further to map an address of memory that is
present on at least one other sled in the data center.
5. The sled of claim 1, wherein the controller is further to:
receive a write request to write data to the data set; determine,
in response to the write request, whether the data set is shared by
multiple applications; fork, in response to a determination that
the data set is shared by multiple applications, the data set to
another location in the set of memory devices; write the data from
the write request to the forked data set; and send, in response to
the write request, a handle to the forked data set.
6. The sled of claim 1, wherein to determine the key identifier
comprises to: determine a memory address associated with a handle
included in the data access request; and determine the key
identifier as a function of the determined memory address.
7. The sled of claim 6, wherein to determine the key identifier as
a function of the determined memory address comprises to determine
the key identifier as a subset of the memory address.
8. The sled of claim 6, wherein to determine the key identifier as
a function of the determined memory address comprises to look up
the key identifier in a database that associates memory addresses
with key identifiers.
9. The sled of claim 1, wherein to determine the key identifier
comprises to obtain the key identifier from a predefined register or
a data structure associated with a compute sled on which the first
application is executed.
10. The sled of claim 1, wherein to send, to an encryption key
manager, a request to provide the key comprises to send the key
identifier with the request.
11. The sled of claim 10, wherein to send, to an encryption key
manager, a request to provide the key comprises to send a request
for a key that is escrowed with the encryption key manager by a
memory encryption engine of a sled that sent the data access
request.
12. The sled of claim 10, wherein to send, to an encryption key
manager, a request to provide the key comprises to send the request
to an encryption key manager hosted by a compute sled from which
the data access request was received.
13. The sled of claim 10, wherein to send, to an encryption key
manager, a request to provide the key comprises to send the request
to an encryption key manager hosted by an orchestrator server.
14. One or more non-transitory machine-readable storage media
comprising a plurality of instructions stored thereon that, in
response to being executed, cause a sled to: receive, from a first
application executed by a compute sled, a data access request to
share a data set between the first application and a second
application, wherein the data set is encrypted in one or more
memory devices of a set of memory devices connected to the sled;
determine, in response to the data access request, a key identifier
that uniquely identifies a key that is usable to perform
cryptographic operations on the data set; send, to an encryption
key manager, a request to provide the key corresponding to the key
identifier to be used by the second application to decrypt the data
set; and send, to the second application, a handle associated with
an address in the set of memory devices where the data set is
located.
15. The one or more non-transitory machine-readable storage media
of claim 14, wherein, when executed, the plurality of instructions
further cause the sled to: determine whether the data set has been
accessed with at least a predefined frequency over a predefined
period of time; move, in response to a determination that the data
set has not been accessed with at least the predefined frequency
over the predefined period of time, the data set to a data storage
device; and store, with the data set, access control data
indicative of credentials that are usable to access the data
set.
16. The one or more non-transitory machine-readable storage media
of claim 14, wherein, when executed, the plurality of instructions
further cause the sled to: receive a request to migrate working
data of the first application, wherein the first application is to
be moved from a first compute sled to a second compute sled; and
send, to the second compute sled, a handle to the working data of
the first application.
17. The one or more non-transitory machine-readable storage media
of claim 14, wherein the sled is located in a data center and
wherein, when executed, the plurality of instructions further cause
the sled to map an address of memory that is present on at least
one other sled in the data center.
18. The one or more non-transitory machine-readable storage media
of claim 14, wherein, when executed, the plurality of instructions
further cause the sled to: receive a write request to write data to
the data set; determine, in response to the write request, whether
the data set is shared by multiple applications; fork, in response
to a determination that the data set is shared by multiple
applications, the data set to another location in the set of memory
devices; write the data from the write request to the forked data
set; and send, in response to the write request, a handle to the
forked data set.
19. The one or more non-transitory machine-readable storage media
of claim 14, wherein to determine the key identifier comprises to:
determine a memory address associated with a handle included in the
data access request; and determine the key identifier as a function
of the determined memory address.
20. The one or more non-transitory machine-readable storage media
of claim 19, wherein to determine the key identifier as a function
of the determined memory address comprises to determine the key
identifier as a subset of the memory address.
21. The one or more non-transitory machine-readable storage media
of claim 19, wherein to determine the key identifier as a function
of the determined memory address comprises to look up the key
identifier in a database that associates memory addresses with key
identifiers.
22. A method comprising: receiving, by a memory controller, from a
first application executed by a compute device, a data access
request to share a data set between the first application and a
second application, wherein the data set is encrypted in one or
more memory devices of a set of memory devices connected to the
memory controller; determining, by the memory controller and in
response to the data access request, a key identifier that uniquely
identifies a key that is usable to perform cryptographic operations
on the data set; sending, by the memory controller and to an
encryption key manager, a request to provide the key corresponding
to the key identifier to be used by the second application to
decrypt the data set; and sending, by the memory controller and to
the second application, a handle associated with an address in the
set of memory devices where the data set is located.
23. The method of claim 22, further comprising: determining, by the
memory controller, whether the data set has been accessed with at
least a predefined frequency over a predefined period of time;
moving, by the memory controller and in response to a determination
that the data set has not been accessed with at least the
predefined frequency over the predefined period of time, the data
set to a data storage device; and storing, with the data set,
access control data indicative of credentials that are usable to
access the data set.
24. The method of claim 22, further comprising: receiving, by the
memory controller, a request to migrate working data of the first
application, wherein the first application is to be moved from a
first compute sled to a second compute sled; and sending, by the
memory controller and to the second compute sled, a handle to the
working data of the first application.
25. The method of claim 22, wherein the memory controller is in a
sled that is located in a data center, the method further
comprising mapping, by the memory controller, an address of memory
that is present on at least one other sled in the data center.
26. A sled comprising: means for receiving, from a first
application executed by a compute device, a data access request to
share a data set between the first application and a second
application, wherein the data set is encrypted in one or more
memory devices of a set of memory devices connected to the sled;
means for determining, in response to the data access request, a
key identifier that uniquely identifies a key that is usable to
perform cryptographic operations on the data set; means for
sending, to an encryption key manager, a request to provide the key
corresponding to the key identifier to be used by the second
application to decrypt the data set; and means for sending, to the
second application, a handle associated with an address in the set
of memory devices where the data set is located.
27. A controller connected to a set of memory devices, the
controller comprising: circuitry to: receive, from a first
application executed by a compute sled, a data access request to
share a data set between the first application and a second
application, wherein the data set is encrypted in one or more of
the memory devices; determine, in response to the data access
request, a key identifier that uniquely identifies a key that is
usable to perform cryptographic operations on the data set; send,
to an encryption key manager, a request to provide the key
corresponding to the key identifier to be used by the second
application to decrypt the data set; and send, to the second
application, a handle associated with an address in the set of
memory devices where the data set is located.
28. The controller of claim 27, wherein the circuitry is further
to: determine whether the data set has been accessed with at least
a predefined frequency over a predefined period of time; move, in
response to a determination that the data set has not been accessed
with at least the predefined frequency over the predefined period
of time, the data set to a data storage device; and store, with the
data set, access control data indicative of credentials that are
usable to access the data set.
29. The controller of claim 27, wherein the circuitry is further
to: receive a request to migrate working data of the first
application, wherein the first application is to be moved from a
first compute sled to a second compute sled; and send, to the
second compute sled, a handle to the working data of the first
application.
30. The controller of claim 27, wherein the controller is located
in a sled in a data center and the circuitry is further to map an
address of memory that is present on at least one other sled in the
data center.
31. The controller of claim 27, wherein the circuitry is further
to: receive a write request to write data to the data set;
determine, in response to the write request, whether the data set
is shared by multiple applications; fork, in response to a
determination that the data set is shared by multiple applications,
the data set to another location in the set of memory devices;
write the data from the write request to the forked data set; and
send, in response to the write request, a handle to the forked data
set.
32. The controller of claim 27, wherein to determine the key
identifier comprises to: determine a memory address associated with
a handle included in the data access request; and determine the key
identifier as a function of the determined memory address.
33. The controller of claim 32, wherein to determine the key
identifier as a function of the determined memory address comprises
to determine the key identifier as a subset of the memory
address.
34. The controller of claim 32, wherein to determine the key
identifier as a function of the determined memory address comprises
to look up the key identifier in a database that associates memory
addresses with key identifiers.
35. The controller of claim 27, wherein to determine the key
identifier comprises to obtain the key identifier from a predefined
register or a data structure associated with a compute sled on
which the first application is executed.
36. The controller of claim 27, wherein to send, to an encryption
key manager, a request to provide the key comprises to send the key
identifier with the request.
37. The controller of claim 36, wherein to send, to an encryption
key manager, a request to provide the key comprises to send a
request for a key that is escrowed with the encryption key manager
by a memory encryption engine of a sled that sent the data access
request.
38. The controller of claim 36, wherein to send, to an encryption
key manager, a request to provide the key comprises to send the
request to an encryption key manager hosted by a compute sled from
which the data access request was received.
39. The controller of claim 36, wherein to send, to an encryption
key manager, a request to provide the key comprises to send the
request to an encryption key manager hosted by an orchestrator
server.
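The claims above describe one mechanism in several statutory forms: the controller resolves a handle to an address, derives a key identifier from that address (as a subset of its bits, claim 7, or by lookup, claim 8), asks the key manager to provide the escrowed key to the second application (claims 1 and 11), and hands out a handle rather than a copy; a write to a shared data set is forked first (claim 5). The following Python model is an added illustration, not code from the application or from Intel. It assumes a 64-bit address whose top 8 bits carry the key identifier, uses an HMAC-based keystream as a stand-in for the memory encryption engine, and adds an authorization check plus an audit trail in the key manager, which the claims do not specify.

```python
import hashlib
import hmac
import os
import secrets

KEY_ID_SHIFT = 56  # assumption: key id occupies the top 8 bits of a 64-bit address (claim 7)


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Counter-mode XOR with an HMAC-SHA256 keystream: a toy stand-in for the memory
    encryption engine so the example runs offline (use AES-XTS/GCM in practice)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, nonce + i.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)


class KeyManager:
    """Escrows keys under a key identifier (claim 11); the grant check is an added assumption."""

    def __init__(self):
        self._escrow = {}  # key_id -> key
        self._grants = {}  # key_id -> applications allowed to receive the key
        self.audit = []    # (key_id, app, outcome): what a detection pipeline would consume

    def escrow(self, key_id: int, key: bytes, owner: str) -> None:
        self._escrow[key_id] = key
        self._grants[key_id] = {owner}

    def grant(self, key_id: int, app: str) -> None:
        self._grants[key_id].add(app)

    def provide(self, key_id: int, app: str) -> bytes:
        if app not in self._grants.get(key_id, set()):
            self.audit.append((key_id, app, "denied"))
            raise PermissionError(f"{app} not authorized for key id {key_id:#x}")
        self.audit.append((key_id, app, "provided"))
        return self._escrow[key_id]


class MemorySled:
    """Memory-sled controller: data sets stay encrypted in place and are shared by handle."""

    def __init__(self, key_manager: KeyManager):
        self.km = key_manager
        self.mem = {}      # address -> (nonce, ciphertext)
        self.handles = {}  # handle -> address
        self.key_db = {}   # address -> key_id (claim 8 lookup when the address does not encode it)
        self.sharers = {}  # address -> applications holding a handle to it
        self._next_offset = 0

    def _alloc(self, key_id: int) -> int:
        self._next_offset += 0x1000
        return (key_id << KEY_ID_SHIFT) | self._next_offset

    def _new_handle(self, app: str, address: int) -> str:
        handle = secrets.token_hex(8)
        self.handles[handle] = address
        self.sharers.setdefault(address, set()).add(app)
        return handle

    def key_id_for(self, address: int) -> int:
        """Claim 7: key id as a subset of the address bits; claim 8: database lookup otherwise."""
        key_id = address >> KEY_ID_SHIFT
        return key_id if key_id else self.key_db[address]

    def store(self, app: str, key_id: int, key: bytes, plaintext: bytes) -> str:
        """Encrypt a data set into sled memory and escrow its key with the key manager."""
        self.km.escrow(key_id, key, owner=app)
        address = self._alloc(key_id)
        nonce = os.urandom(16)
        self.mem[address] = (nonce, keystream_xor(key, nonce, plaintext))
        self.key_db[address] = key_id
        return self._new_handle(app, address)

    def share(self, first_app: str, handle: str, second_app: str) -> str:
        """Claim 1: resolve the handle, derive the key id, have the key manager provide
        that key to the second application, and return a handle (no copy is made)."""
        address = self.handles[handle]
        if first_app not in self.sharers[address]:
            raise PermissionError(f"{first_app} does not hold handle {handle}")
        self.km.grant(self.key_id_for(address), second_app)
        return self._new_handle(second_app, address)

    def read(self, app: str, handle: str) -> bytes:
        """The reader obtains the key by identifier and decrypts the data set in place."""
        address = self.handles[handle]
        key = self.km.provide(self.key_id_for(address), app)
        nonce, ciphertext = self.mem[address]
        return keystream_xor(key, nonce, ciphertext)

    def write(self, app: str, handle: str, plaintext: bytes) -> str:
        """Claim 5: a write to a shared data set is forked (copy-on-write) so the other
        sharers keep the original; the writer receives a handle to the forked copy."""
        address = self.handles[handle]
        key_id = self.key_id_for(address)
        key = self.km.provide(key_id, app)
        if len(self.sharers[address]) > 1:
            self.sharers[address].discard(app)
            address = self._alloc(key_id)
            self.key_db[address] = key_id
            handle = self._new_handle(app, address)
        nonce = os.urandom(16)  # fresh nonce: a keystream must never be reused
        self.mem[address] = (nonce, keystream_xor(key, nonce, plaintext))
        return handle
```

The denied entries in the key manager's audit list are the signal a defender would alert on: a handle alone must not be enough to obtain the key.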
Description
CROSS-REFERENCE TO RELATED APPLICATIONS
[0001] The present application claims the benefit of Indian
Provisional Patent Application No. 201741030632, filed Aug. 30,
2017 and U.S. Provisional Patent Application No. 62/584,401, filed
Nov. 10, 2017.
BACKGROUND
[0002] Large data centers may deploy thousands of virtual machines
(VMs) to execute applications on behalf of customers (e.g.,
tenants). The applications, in operation, may access data from
numerous sources during the performance of various functions (e.g.,
convolution operations, data compression or decompression
operations, packet inspection operations, etc.). Increasingly, in
such data centers, the data is encrypted on a per-VM or per-tenant
basis to secure the data from being accessed maliciously by other
users of the data center. However, when data is to be copied
between VMs, the copy operation may incur significant overhead,
including additional time, memory, and compute resources for
decrypting the data used by one VM, performing a bit-for-bit
transfer of the data to another memory location used by another VM,
and re-encrypting the data for use by the other VM.
BRIEF DESCRIPTION OF THE DRAWINGS
[0003] The concepts described herein are illustrated by way of
example and not by way of limitation in the accompanying figures.
For simplicity and clarity of illustration, elements illustrated in
the figures are not necessarily drawn to scale. Where considered
appropriate, reference labels have been repeated among the figures
to indicate corresponding or analogous elements.
[0004] FIG. 1 is a simplified diagram of at least one embodiment of
a data center for executing workloads with disaggregated
resources;
[0005] FIG. 2 is a simplified diagram of at least one embodiment of
a pod that may be included in the data center of FIG. 1;
[0006] FIG. 3 is a perspective view of at least one embodiment of a
rack that may be included in the pod of FIG. 2;
[0007] FIG. 4 is a side elevation view of the rack of FIG. 3;
[0008] FIG. 5 is a perspective view of the rack of FIG. 3 having a
sled mounted therein;
[0009] FIG. 6 is a simplified block diagram of at least one
embodiment of a top side of the sled of FIG. 5;
[0010] FIG. 7 is a simplified block diagram of at least one
embodiment of a bottom side of the sled of FIG. 6;
[0011] FIG. 8 is a simplified block diagram of at least one
embodiment of a compute sled usable in the data center of FIG.
1;
[0012] FIG. 9 is a top perspective view of at least one embodiment
of the compute sled of FIG. 8;
[0013] FIG. 10 is a simplified block diagram of at least one
embodiment of an accelerator sled usable in the data center of FIG.
1;
[0014] FIG. 11 is a top perspective view of at least one embodiment
of the accelerator sled of FIG. 10;
[0015] FIG. 12 is a simplified block diagram of at least one
embodiment of a storage sled usable in the data center of FIG.
1;
[0016] FIG. 13 is a top perspective view of at least one embodiment
of the storage sled of FIG. 12;
[0017] FIG. 14 is a simplified block diagram of at least one
embodiment of a memory sled usable in the data center of FIG.
1;
[0018] FIG. 15 is a simplified block diagram of a system that may
be established within the data center of FIG. 1 to execute
workloads with managed nodes composed of disaggregated
resources;
[0019] FIG. 16 is a simplified block diagram of at least one
embodiment of a system for providing efficient sharing of encrypted
data in a disaggregated architecture; and
[0020] FIGS. 17-20 are a simplified block diagram of at least one
embodiment of a method for providing efficient sharing of encrypted
data that may be performed by the memory sled of FIG. 16.
DETAILED DESCRIPTION OF THE DRAWINGS
[0021] While the concepts of the present disclosure are susceptible
to various modifications and alternative forms, specific
embodiments thereof have been shown by way of example in the
drawings and will be described herein in detail. It should be
understood, however, that there is no intent to limit the concepts
of the present disclosure to the particular forms disclosed, but on
the contrary, the intention is to cover all modifications,
equivalents, and alternatives consistent with the present
disclosure and the appended claims.
[0022] References in the specification to "one embodiment," "an
embodiment," "an illustrative embodiment," etc., indicate that the
embodiment described may include a particular feature, structure,
or characteristic, but every embodiment may or may not necessarily
include that particular feature, structure, or characteristic.
Moreover, such phrases are not necessarily referring to the same
embodiment. Further, when a particular feature, structure, or
characteristic is described in connection with an embodiment, it is
submitted that it is within the knowledge of one skilled in the art
to effect such feature, structure, or characteristic in connection
with other embodiments whether or not explicitly described.
Additionally, it should be appreciated that items included in a
list in the form of "at least one A, B, and C" can mean (A); (B);
(C); (A and B); (A and C); (B and C); or (A, B, and C). Similarly,
items listed in the form of "at least one of A, B, or C" can mean
(A); (B); (C); (A and B); (A and C); (B and C); or (A, B, and
C).
[0023] The disclosed embodiments may be implemented, in some cases,
in hardware, firmware, software, or any combination thereof. The
disclosed embodiments may also be implemented as instructions
carried by or stored on a transitory or non-transitory
machine-readable (e.g., computer-readable) storage medium, which
may be read and executed by one or more processors. A
machine-readable storage medium may be embodied as any storage
device, mechanism, or other physical structure for storing or
transmitting information in a form readable by a machine (e.g., a
volatile or non-volatile memory, a media disc, or other media
device).
[0024] In the drawings, some structural or method features may be
shown in specific arrangements and/or orderings. However, it should
be appreciated that such specific arrangements and/or orderings may
not be required. Rather, in some embodiments, such features may be
arranged in a different manner and/or order than shown in the
illustrative figures. Additionally, the inclusion of a structural
or method feature in a particular figure is not meant to imply that
such feature is required in all embodiments and, in some
embodiments, may not be included or may be combined with other
features.
[0025] Referring now to FIG. 1, a data center 100 in which
disaggregated resources may cooperatively execute one or more
workloads (e.g., applications on behalf of customers) includes
multiple pods 110, 120, 130, 140, each of which includes one or
more rows of racks. Of course, although data center 100 is shown
with multiple pods, in some embodiments, the data center 100 may be
embodied as a single pod. As described in more detail herein, each
rack houses multiple sleds, each of which may be primarily equipped
with a particular type of resource (e.g., memory devices, data
storage devices, accelerator devices, general purpose processors),
i.e., resources that can be logically coupled to form a composed
node, which can act as, for example, a server. In the illustrative
embodiment, the sleds in each pod 110, 120, 130, 140 are connected
to multiple pod switches (e.g., switches that route data
communications to and from sleds within the pod). The pod switches,
in turn, connect with spine switches 150 that switch communications
among pods (e.g., the pods 110, 120, 130, 140) in the data center
100. In some embodiments, the sleds may be connected with a fabric
using Intel Omni-Path technology. In other embodiments, the sleds
may be connected with other fabrics, such as InfiniBand or
Ethernet. As described in more detail herein, resources within
sleds in the data center 100 may be allocated to a group (referred
to herein as a "managed node") containing resources from one or
more sleds to be collectively utilized in the execution of a
workload. The workload can execute as if the resources belonging to
the managed node were located on the same sled. The resources in a
managed node may belong to sleds belonging to different racks, and
even to different pods 110, 120, 130, 140. As such, some resources
of a single sled may be allocated to one managed node while other
resources of the same sled are allocated to a different managed
node (e.g., one processor assigned to one managed node and another
processor of the same sled assigned to a different managed
node).
[0026] A data center comprising disaggregated resources, such as
data center 100, can be used in a wide variety of contexts, such as
enterprise, government, cloud service provider, and communications
service provider (e.g., telcos), as well as in a wide variety of
sizes, from cloud service provider mega-data centers that consume
over 100,000 sq. ft. to single- or multi-rack installations for use
in base stations.
[0027] The disaggregation of resources to sleds comprised
predominantly of a single type of resource (e.g., compute sleds
comprising primarily compute resources, memory sleds containing
primarily memory resources), and the selective allocation and
deallocation of the disaggregated resources to form a managed node
assigned to execute a workload improves the operation and resource
usage of the data center 100 relative to typical data centers
comprised of hyperconverged servers containing compute, memory,
storage and perhaps additional resources in a single chassis. For
example, because sleds predominantly contain resources of a
particular type, resources of a given type can be upgraded
independently of other resources. Additionally, because different
resource types (processors, storage, accelerators, etc.) typically
have different refresh rates, greater resource utilization and
reduced total cost of ownership may be achieved. For example, a
data center operator can upgrade the processors throughout their
facility by only swapping out the compute sleds. In such a case,
accelerator and storage resources may not be contemporaneously
upgraded and, rather, may be allowed to continue operating until
those resources are scheduled for their own refresh. Resource
utilization may also increase. For example, if managed nodes are
composed based on requirements of the workloads that will be
running on them, resources within a node are more likely to be
fully utilized. Such utilization may allow for more managed nodes
to run in a data center with a given set of resources, or for a
data center expected to run a given set of workloads, to be built
using fewer resources.
[0028] Referring now to FIG. 2, the pod 110, in the illustrative
embodiment, includes a set of rows 200, 210, 220, 230 of racks 240.
Each rack 240 may house multiple sleds (e.g., sixteen sleds) and
provide power and data connections to the housed sleds, as
described in more detail herein. In the illustrative embodiment,
the racks in each row 200, 210, 220, 230 are connected to multiple
pod switches 250, 260. The pod switch 250 includes a set of ports
252 to which the sleds of the racks of the pod 110 are connected
and another set of ports 254 that connect the pod 110 to the spine
switches 150 to provide connectivity to other pods in the data
center 100. Similarly, the pod switch 260 includes a set of ports
262 to which the sleds of the racks of the pod 110 are connected
and a set of ports 264 that connect the pod 110 to the spine
switches 150. As such, the use of the pair of switches 250, 260
provides an amount of redundancy to the pod 110. For example, if
either of the switches 250, 260 fails, the sleds in the pod 110 may
still maintain data communication with the remainder of the data
center 100 (e.g., sleds of other pods) through the other switch
250, 260. Furthermore, in the illustrative embodiment, the switches
150, 250, 260 may be embodied as dual-mode optical switches,
capable of routing both Ethernet protocol communications carrying
Internet Protocol (IP) packets and communications according to a
second, high-performance link-layer protocol (e.g., Intel's
Omni-Path Architecture, InfiniBand, PCI Express) via optical
signaling media of an optical fabric.
[0029] It should be appreciated that each of the other pods 120,
130, 140 (as well as any additional pods of the data center 100)
may be similarly structured as, and have components similar to, the
pod 110 shown in and described in regard to FIG. 2 (e.g., each pod
may have rows of racks housing multiple sleds as described above).
Additionally, while two pod switches 250, 260 are shown, it should
be understood that in other embodiments, each pod 110, 120, 130,
140 may be connected to a different number of pod switches,
providing even more failover capacity. Of course, in other
embodiments, pods may be arranged differently than the
rows-of-racks configuration shown in FIGS. 1-2. For example, a pod
may be embodied as multiple sets of racks in which each set of
racks is arranged radially, i.e., the racks are equidistant from a
center switch.
[0030] Referring now to FIGS. 3-5, each illustrative rack 240 of
the data center 100 includes two elongated support posts 302, 304,
which are arranged vertically. For example, the elongated support
posts 302, 304 may extend upwardly from a floor of the data center
100 when deployed. The rack 240 also includes one or more
horizontal pairs 310 of elongated support arms 312 (identified in
FIG. 3 via a dashed ellipse) configured to support a sled of the
data center 100 as discussed below. One elongated support arm 312
of the pair of elongated support arms 312 extends outwardly from
the elongated support post 302 and the other elongated support arm
312 extends outwardly from the elongated support post 304.
[0031] In the illustrative embodiments, each sled of the data
center 100 is embodied as a chassis-less sled. That is, each sled
has a chassis-less circuit board substrate on which physical
resources (e.g., processors, memory, accelerators, storage, etc.)
are mounted as discussed in more detail below. As such, the rack
240 is configured to receive the chassis-less sleds. For example,
each pair 310 of elongated support arms 312 defines a sled slot 320
of the rack 240, which is configured to receive a corresponding
chassis-less sled. To do so, each illustrative elongated support
arm 312 includes a circuit board guide 330 configured to receive
the chassis-less circuit board substrate of the sled. Each circuit
board guide 330 is secured to, or otherwise mounted to, a top side
332 of the corresponding elongated support arm 312. For example, in
the illustrative embodiment, each circuit board guide 330 is
mounted at a distal end of the corresponding elongated support arm
312 relative to the corresponding elongated support post 302, 304.
For clarity of the Figures, not every circuit board guide 330 may
be referenced in each Figure.
[0032] Each circuit board guide 330 includes an inner wall that
defines a circuit board slot 380 configured to receive the
chassis-less circuit board substrate of a sled 400 when the sled
400 is received in the corresponding sled slot 320 of the rack 240.
To do so, as shown in FIG. 4, a user (or robot) aligns the
chassis-less circuit board substrate of an illustrative
chassis-less sled 400 to a sled slot 320. The user, or robot, may
then slide the chassis-less circuit board substrate forward into
the sled slot 320 such that each side edge 414 of the chassis-less
circuit board substrate is received in a corresponding circuit
board slot 380 of the circuit board guides 330 of the pair 310 of
elongated support arms 312 that define the corresponding sled slot
320 as shown in FIG. 4. By having robotically accessible and
robotically manipulable sleds comprising disaggregated resources,
each type of resource can be upgraded independently of each other
and at their own optimized refresh rate. Furthermore, the sleds are
configured to blindly mate with power and data communication cables
in each rack 240, enhancing their ability to be quickly removed,
upgraded, reinstalled, and/or replaced. As such, in some
embodiments, the data center 100 may operate (e.g., execute
workloads, undergo maintenance and/or upgrades, etc.) without human
involvement on the data center floor. In other embodiments, a human
may facilitate one or more maintenance or upgrade operations in the
data center 100.
[0033] It should be appreciated that each circuit board guide 330
is dual sided. That is, each circuit board guide 330 includes an
inner wall that defines a circuit board slot 380 on each side of
the circuit board guide 330. In this way, each circuit board guide
330 can support a chassis-less circuit board substrate on either
side. As such, a single additional elongated support post may be
added to the rack 240 to turn the rack 240 into a two-rack solution
that can hold twice as many sled slots 320 as shown in FIG. 3. The
illustrative rack 240 includes seven pairs 310 of elongated support
arms 312 that define a corresponding seven sled slots 320, each
configured to receive and support a corresponding sled 400 as
discussed above. Of course, in other embodiments, the rack 240 may
include additional or fewer pairs 310 of elongated support arms 312
(i.e., additional or fewer sled slots 320). It should be
appreciated that because the sled 400 is chassis-less, the sled 400
may have an overall height that is different than typical servers.
As such, in some embodiments, the height of each sled slot 320 may
be shorter than the height of a typical server (e.g., shorter than
a single rack unit, "1 U"). That is, the vertical distance between
each pair 310 of elongated support arms 312 may be less than a
standard rack unit "1 U." Additionally, due to the relative
decrease in height of the sled slots 320, the overall height of the
rack 240 in some embodiments may be shorter than the height of
traditional rack enclosures. For example, in some embodiments, each
of the elongated support posts 302, 304 may have a length of six
feet or less. Again, in other embodiments, the rack 240 may have
different dimensions. For example, in some embodiments, the
vertical distance between each pair 310 of elongated support arms
312 may be greater than a standard rack unit "1 U". In such
embodiments, the increased vertical distance between the sleds
allows for larger heat sinks to be attached to the physical
resources and for larger fans to be used (e.g., in the fan array
370 described below) for cooling each sled, which in turn can allow
the physical resources to operate at increased power levels.
Further, it should be appreciated that the rack 240 does not
include any walls, enclosures, or the like. Rather, the rack 240 is
an enclosure-less rack that is opened to the local environment. Of
course, in some cases, an end plate may be attached to one of the
elongated support posts 302, 304 in those situations in which the
rack 240 forms an end-of-row rack in the data center 100.
[0034] In some embodiments, various interconnects may be routed
upwardly or downwardly through the elongated support posts 302,
304. To facilitate such routing, each elongated support post 302,
304 includes an inner wall that defines an inner chamber in which
interconnects may be located. The interconnects routed through the
elongated support posts 302, 304 may be embodied as any type of
interconnects including, but not limited to, data or communication
interconnects to provide communication connections to each sled
slot 320, power interconnects to provide power to each sled slot
320, and/or other types of interconnects.
[0035] The rack 240, in the illustrative embodiment, includes a
support platform on which a corresponding optical data connector
(not shown) is mounted. Each optical data connector is associated
with a corresponding sled slot 320 and is configured to mate with
an optical data connector of a corresponding sled 400 when the sled
400 is received in the corresponding sled slot 320. In some
embodiments, optical connections between components (e.g., sleds,
racks, and switches) in the data center 100 are made with a blind
mate optical connection. For example, a door on each cable may
prevent dust from contaminating the fiber inside the cable. In the
process of connecting to a blind mate optical connector mechanism,
the door is pushed open when the end of the cable approaches or
enters the connector mechanism. Subsequently, the optical fiber
inside the cable may enter a gel within the connector mechanism and
the optical fiber of one cable comes into contact with the optical
fiber of another cable within the gel inside the connector
mechanism.
[0036] The illustrative rack 240 also includes a fan array 370
coupled to the cross-support arms of the rack 240. The fan array
370 includes one or more rows of cooling fans 372, which are
aligned in a horizontal line between the elongated support posts
302, 304. In the illustrative embodiment, the fan array 370
includes a row of cooling fans 372 for each sled slot 320 of the
rack 240. As discussed above, each sled 400 does not include any
on-board cooling system in the illustrative embodiment and, as
such, the fan array 370 provides cooling for each sled 400 received
in the rack 240. Each rack 240, in the illustrative embodiment,
also includes a power supply associated with each sled slot 320.
Each power supply is secured to one of the elongated support arms
312 of the pair 310 of elongated support arms 312 that define the
corresponding sled slot 320. For example, the rack 240 may include
a power supply coupled or secured to each elongated support arm 312
extending from the elongated support post 302. Each power supply
includes a power connector configured to mate with a power
connector of the sled 400 when the sled 400 is received in the
corresponding sled slot 320. In the illustrative embodiment, the
sled 400 does not include any on-board power supply and, as such,
the power supplies provided in the rack 240 supply power to
corresponding sleds 400 when mounted to the rack 240. Each power
supply is configured to satisfy the power requirements for its
associated sled, which can vary from sled to sled. Additionally,
the power supplies provided in the rack 240 can operate independent
of each other. That is, within a single rack, a first power supply
providing power to a compute sled can provide power levels that are
different than power levels supplied by a second power supply
providing power to an accelerator sled. The power supplies may be
controllable at the sled level or rack level, and may be controlled
locally by components on the associated sled or remotely, such as
by another sled or an orchestrator.
[0037] Referring now to FIG. 6, the sled 400, in the illustrative
embodiment, is configured to be mounted in a corresponding rack 240
of the data center 100 as discussed above. In some embodiments,
each sled 400 may be optimized or otherwise configured for
performing particular tasks, such as compute tasks, acceleration
tasks, data storage tasks, etc. For example, the sled 400 may be
embodied as a compute sled 800 as discussed below in regard to
FIGS. 8-9, an accelerator sled 1000 as discussed below in regard to
FIGS. 10-11, a storage sled 1200 as discussed below in regard to
FIGS. 12-13, or as a sled optimized or otherwise configured to
perform other specialized tasks, such as a memory sled 1400,
discussed below in regard to FIG. 14.
[0038] As discussed above, the illustrative sled 400 includes a
chassis-less circuit board substrate 602, which supports various
physical resources (e.g., electrical components) mounted thereon.
It should be appreciated that the circuit board substrate 602 is
"chassis-less" in that the sled 400 does not include a housing or
enclosure. Rather, the chassis-less circuit board substrate 602 is
open to the local environment. The chassis-less circuit board
substrate 602 may be formed from any material capable of supporting
the various electrical components mounted thereon. For example, in
an illustrative embodiment, the chassis-less circuit board
substrate 602 is formed from an FR-4 glass-reinforced epoxy
laminate material. Of course, other materials may be used to form
the chassis-less circuit board substrate 602 in other
embodiments.
[0039] As discussed in more detail below, the chassis-less circuit
board substrate 602 includes multiple features that improve the
thermal cooling characteristics of the various electrical
components mounted on the chassis-less circuit board substrate 602.
As discussed, the chassis-less circuit board substrate 602 does not
include a housing or enclosure, which may improve the airflow over
the electrical components of the sled 400 by reducing those
structures that may inhibit air flow. For example, because the
chassis-less circuit board substrate 602 is not positioned in an
individual housing or enclosure, there is no vertically-arranged
backplane (e.g., a backplate of the chassis) attached to the
chassis-less circuit board substrate 602, which could inhibit air
flow across the electrical components. Additionally, the
chassis-less circuit board substrate 602 has a geometric shape
configured to reduce the length of the airflow path across the
electrical components mounted to the chassis-less circuit board
substrate 602. For example, the illustrative chassis-less circuit
board substrate 602 has a width 604 that is greater than a depth
606 of the chassis-less circuit board substrate 602. In one
particular embodiment, for example, the chassis-less circuit board
substrate 602 has a width of about 21 inches and a depth of about 9
inches, compared to a typical server that has a width of about 17
inches and a depth of about 39 inches. As such, an airflow path 608
that extends from a front edge 610 of the chassis-less circuit
board substrate 602 toward a rear edge 612 has a shorter distance
relative to typical servers, which may improve the thermal cooling
characteristics of the sled 400. Furthermore, although not
illustrated in FIG. 6, the various physical resources mounted to
the chassis-less circuit board substrate 602 are mounted in
corresponding locations such that no two substantively
heat-producing electrical components shadow each other as discussed
in more detail below. That is, no two electrical components, which
produce appreciable heat during operation (i.e., greater than a
nominal heat sufficient enough to adversely impact the cooling of
another electrical component), are mounted to the chassis-less
circuit board substrate 602 linearly in-line with each other along
the direction of the airflow path 608 (i.e., along a direction
extending from the front edge 610 toward the rear edge 612 of the
chassis-less circuit board substrate 602).
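The placement rule in this paragraph can be checked mechanically. The following is an added example, not code from the patent or from any Intel implementation: it models each component by its extent along the width axis (width 604) and its heat output, treats the airflow path 608 as running along the depth axis from the front edge 610 to the rear edge 612, and reports every pair of appreciable-heat components whose width extents overlap, since those are exactly the pairs that sit linearly in-line along the airflow and would shadow each other. The component names, coordinates, wattages and the 10 W "nominal heat" threshold are constructed for illustration and are not values from the patent.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Constructed model of the placement rule: the airflow path runs along the
# depth axis, so two parts "shadow" each other when their footprints overlap
# on the width axis (one sits directly downstream of the other).


@dataclass(frozen=True)
class Component:
    name: str
    x0: float     # left edge along the width axis (inches, constructed)
    x1: float     # right edge along the width axis (inches, constructed)
    heat_w: float  # steady-state dissipation in watts (constructed)


# Assumed threshold: parts at or below this are treated as "nominal" heat
# and are allowed to sit in-line with anything (e.g. an optical connector).
NOMINAL_HEAT_W = 10.0


def width_overlap(a: Component, b: Component) -> bool:
    """True when the two footprints share any interval on the width axis."""
    return a.x0 < b.x1 and b.x0 < a.x1


def shadowing_pairs(parts: List[Component],
                    threshold: float = NOMINAL_HEAT_W) -> List[Tuple[str, str]]:
    """Return each pair of appreciable-heat parts that are in-line along the airflow."""
    hot = [p for p in parts if p.heat_w > threshold]
    pairs: List[Tuple[str, str]] = []
    for i, a in enumerate(hot):
        for b in hot[i + 1:]:
            if width_overlap(a, b):
                pairs.append((a.name, b.name))
    return pairs


def layout_is_valid(parts: List[Component],
                    threshold: float = NOMINAL_HEAT_W) -> bool:
    """The rule holds when no two appreciable-heat parts shadow each other."""
    return not shadowing_pairs(parts, threshold)


# Constructed sample layout on a 21-inch-wide substrate: two processors at
# opposite ends, a NIC between them, and a low-heat optical connector that
# is permitted to sit directly in front of the NIC.
SAMPLE_LAYOUT = [
    Component("processor_A", 1.0, 7.0, 250.0),
    Component("processor_B", 14.0, 20.0, 250.0),
    Component("nic", 8.5, 12.5, 25.0),
    Component("optical_connector", 9.0, 12.0, 0.5),
]

# Constructed counter-example: the NIC moved directly downstream of processor A.
BAD_LAYOUT = [
    Component("processor_A", 1.0, 7.0, 250.0),
    Component("processor_B", 14.0, 20.0, 250.0),
    Component("nic", 3.0, 7.0, 25.0),
]

if __name__ == "__main__":
    print("sample layout valid:", layout_is_valid(SAMPLE_LAYOUT))
    print("bad layout shadowing pairs:", shadowing_pairs(BAD_LAYOUT))
```

The overlap test is a half-open interval comparison, so two parts whose edges merely touch are not counted as shadowing; tighten it to `<=` if the design treats edge-to-edge placement as in-line.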
[0040] As discussed above, the illustrative sled 400 includes one
or more physical resources 620 mounted to a top side 650 of the
chassis-less circuit board substrate 602. Although two physical
resources 620 are shown in FIG. 6, it should be appreciated that
the sled 400 may include one, two, or more physical resources 620
in other embodiments. The physical resources 620 may be embodied as
any type of processor, controller, or other compute circuit capable
of performing various tasks such as compute functions and/or
controlling the functions of the sled 400 depending on, for
example, the type or intended functionality of the sled 400. For
example, as discussed in more detail below, the physical resources
620 may be embodied as high-performance processors in embodiments
in which the sled 400 is embodied as a compute sled, as accelerator
co-processors or circuits in embodiments in which the sled 400 is
embodied as an accelerator sled, storage controllers in embodiments
in which the sled 400 is embodied as a storage sled, or a set of
memory devices in embodiments in which the sled 400 is embodied as
a memory sled.
[0041] The sled 400 also includes one or more additional physical
resources 630 mounted to the top side 650 of the chassis-less
circuit board substrate 602. In the illustrative embodiment, the
additional physical resources include a network interface
controller (NIC) as discussed in more detail below. Of course,
depending on the type and functionality of the sled 400, the
physical resources 630 may include additional or other electrical
components, circuits, and/or devices in other embodiments.
[0042] The physical resources 620 are communicatively coupled to
the physical resources 630 via an input/output (I/O) subsystem 622.
The I/O subsystem 622 may be embodied as circuitry and/or
components to facilitate input/output operations with the physical
resources 620, the physical resources 630, and/or other components
of the sled 400. For example, the I/O subsystem 622 may be embodied
as, or otherwise include, memory controller hubs, input/output
control hubs, integrated sensor hubs, firmware devices,
communication links (e.g., point-to-point links, bus links, wires,
cables, waveguides, light guides, printed circuit board traces,
etc.), and/or other components and subsystems to facilitate the
input/output operations. In the illustrative embodiment, the I/O
subsystem 622 is embodied as, or otherwise includes, a double data
rate 4 (DDR4) data bus or a DDR5 data bus.
[0043] In some embodiments, the sled 400 may also include a
resource-to-resource interconnect 624. The resource-to-resource
interconnect 624 may be embodied as any type of communication
interconnect capable of facilitating resource-to-resource
communications. In the illustrative embodiment, the
resource-to-resource interconnect 624 is embodied as a high-speed
point-to-point interconnect (e.g., faster than the I/O subsystem
622). For example, the resource-to-resource interconnect 624 may be
embodied as a QuickPath Interconnect (QPI), an UltraPath
Interconnect (UPI), or other high-speed point-to-point interconnect
dedicated to resource-to-resource communications.
[0044] The sled 400 also includes a power connector 640 configured
to mate with a corresponding power connector of the rack 240 when
the sled 400 is mounted in the corresponding rack 240. The sled 400
receives power from a power supply of the rack 240 via the power
connector 640 to supply power to the various electrical components
of the sled 400. That is, the sled 400 does not include any local
power supply (i.e., an on-board power supply) to provide power to
the electrical components of the sled 400. The exclusion of a local
or on-board power supply facilitates the reduction in the overall
footprint of the chassis-less circuit board substrate 602, which
may increase the thermal cooling characteristics of the various
electrical components mounted on the chassis-less circuit board
substrate 602 as discussed above. In some embodiments, voltage
regulators are placed on a bottom side 750 (see FIG. 7) of the
chassis-less circuit board substrate 602 directly opposite of the
processors 820 (see FIG. 8), and power is routed from the voltage
regulators to the processors 820 by vias extending through the
circuit board substrate 602. Such a configuration provides an
increased thermal budget, additional current and/or voltage, and
better voltage control relative to typical printed circuit boards
in which processor power is delivered from a voltage regulator, in
part, by printed circuit traces.
[0045] In some embodiments, the sled 400 may also include mounting
features 642 configured to mate with a mounting arm, or other
structure, of a robot to facilitate the placement of the sled 400
in a rack 240 by the robot. The mounting features 642 may be
embodied as any type of physical structures that allow the robot to
grasp the sled 400 without damaging the chassis-less circuit board
substrate 602 or the electrical components mounted thereto. For
example, in some embodiments, the mounting features 642 may be
embodied as non-conductive pads attached to the chassis-less
circuit board substrate 602. In other embodiments, the mounting
features may be embodied as brackets, braces, or other similar
structures attached to the chassis-less circuit board substrate
602. The particular number, shape, size, and/or make-up of the
mounting feature 642 may depend on the design of the robot
configured to manage the sled 400.
[0046] Referring now to FIG. 7, in addition to the physical
resources 630 mounted on the top side 650 of the chassis-less
circuit board substrate 602, the sled 400 also includes one or more
memory devices 720 mounted to a bottom side 750 of the chassis-less
circuit board substrate 602. That is, the chassis-less circuit
board substrate 602 is embodied as a double-sided circuit board.
The physical resources 620 are communicatively coupled to the
memory devices 720 via the I/O subsystem 622. For example, the
physical resources 620 and the memory devices 720 may be
communicatively coupled by one or more vias extending through the
chassis-less circuit board substrate 602. Each physical resource
620 may be communicatively coupled to a different set of one or
more memory devices 720 in some embodiments. Alternatively, in
other embodiments, each physical resource 620 may be
communicatively coupled to each memory device 720.
[0047] The memory devices 720 may be embodied as any type of memory
device capable of storing data for the physical resources 620
during operation of the sled 400, such as any type of volatile
(e.g., dynamic random access memory (DRAM), etc.) or non-volatile
memory. Volatile memory may be a storage medium that requires power
to maintain the state of data stored by the medium. Non-limiting
examples of volatile memory may include various types of random
access memory (RAM), such as dynamic random access memory (DRAM) or
static random access memory (SRAM). One particular type of DRAM
that may be used in a memory module is synchronous dynamic random
access memory (SDRAM). In particular embodiments, DRAM of a memory
component may comply with a standard promulgated by JEDEC, such as
JESD79F for DDR SDRAM, JESD79-2F for DDR2 SDRAM, JESD79-3F for DDR3
SDRAM, JESD79-4A for DDR4 SDRAM, JESD209 for Low Power DDR (LPDDR),
JESD209-2 for LPDDR2, JESD209-3 for LPDDR3, and JESD209-4 for
LPDDR4. Such standards (and similar standards) may be referred to
as DDR-based standards and communication interfaces of the storage
devices that implement such standards may be referred to as
DDR-based interfaces.
[0048] In one embodiment, the memory device is a block addressable
memory device, such as those based on NAND or NOR technologies. A
memory device may also include next-generation nonvolatile devices,
such as Intel 3D XPoint™ memory or other byte addressable
write-in-place nonvolatile memory devices. In one embodiment, the
memory device may be or may include memory devices that use
chalcogenide glass, multi-threshold level NAND flash memory, NOR
flash memory, single or multi-level Phase Change Memory (PCM), a
resistive memory, nanowire memory, ferroelectric transistor random
access memory (FeTRAM), anti-ferroelectric memory, magnetoresistive
random access memory (MRAM) memory that incorporates memristor
technology, resistive memory including the metal oxide base, the
oxygen vacancy base and the conductive bridge Random Access Memory
(CB-RAM), or spin transfer torque (STT)-MRAM, a spintronic magnetic
junction memory based device, a magnetic tunneling junction (MTJ)
based device, a DW (Domain Wall) and SOT (Spin Orbit Transfer)
based device, a thyristor based memory device, or a combination of
any of the above, or other memory. The memory device may refer to
the die itself and/or to a packaged memory product. In some
embodiments, the memory device may comprise a transistor-less
stackable cross point architecture in which memory cells sit at the
intersection of word lines and bit lines and are individually
addressable and in which bit storage is based on a change in bulk
resistance.
[0049] Referring now to FIG. 8, in some embodiments, the sled 400
may be embodied as a compute sled 800. The compute sled 800 is
optimized, or otherwise configured, to perform compute tasks. Of
course, as discussed above, the compute sled 800 may rely on other
sleds, such as acceleration sleds and/or storage sleds, to perform
such compute tasks. The compute sled 800 includes various physical
resources (e.g., electrical components) similar to the physical
resources of the sled 400, which have been identified in FIG. 8
using the same reference numbers. The description of such
components provided above in regard to FIGS. 6 and 7 applies to the
corresponding components of the compute sled 800 and is not
repeated herein for clarity of the description of the compute sled
800.
[0050] In the illustrative compute sled 800, the physical resources
620 are embodied as processors 820. Although only two processors
820 are shown in FIG. 8, it should be appreciated that the compute
sled 800 may include additional processors 820 in other
embodiments. Illustratively, the processors 820 are embodied as
high-performance processors 820 and may be configured to operate at
a relatively high power rating. Although the processors 820
generate additional heat operating at power ratings greater than
typical processors (which operate at around 155-230 W), the
enhanced thermal cooling characteristics of the chassis-less
circuit board substrate 602 discussed above facilitate the higher
power operation. For example, in the illustrative embodiment, the
processors 820 are configured to operate at a power rating of at
least 250 W. In some embodiments, the processors 820 may be
configured to operate at a power rating of at least 350 W.
[0051] In some embodiments, the compute sled 800 may also include a
processor-to-processor interconnect 842. Similar to the
resource-to-resource interconnect 624 of the sled 400 discussed
above, the processor-to-processor interconnect 842 may be embodied
as any type of communication interconnect capable of facilitating
processor-to-processor communications. In the
illustrative embodiment, the processor-to-processor interconnect
842 is embodied as a high-speed point-to-point interconnect (e.g.,
faster than the I/O subsystem 622). For example, the
processor-to-processor interconnect 842 may be embodied as a
QuickPath Interconnect (QPI), an UltraPath Interconnect (UPI), or
other high-speed point-to-point interconnect dedicated to
processor-to-processor communications.
[0052] The compute sled 800 also includes a communication circuit
830. The illustrative communication circuit 830 includes a network
interface controller (NIC) 832, which may also be referred to as a
host fabric interface (HFI). The NIC 832 may be embodied as, or
otherwise include, any type of integrated circuit, discrete
circuits, controller chips, chipsets, add-in-boards, daughtercards,
network interface cards, or other devices that may be used by the
compute sled 800 to connect with another compute device (e.g., with
other sleds 400). In some embodiments, the NIC 832 may be embodied
as part of a system-on-a-chip (SoC) that includes one or more
processors, or included on a multichip package that also contains
one or more processors. In some embodiments, the NIC 832 may
include a local processor (not shown) and/or a local memory (not
shown) that are both local to the NIC 832. In such embodiments, the
local processor of the NIC 832 may be capable of performing one or
more of the functions of the processors 820. Additionally or
alternatively, in such embodiments, the local memory of the NIC 832
may be integrated into one or more components of the compute sled
at the board level, socket level, chip level, and/or other
levels.
[0053] The communication circuit 830 is communicatively coupled to
an optical data connector 834. The optical data connector 834 is
configured to mate with a corresponding optical data connector of
the rack 240 when the compute sled 800 is mounted in the rack 240.
Illustratively, the optical data connector 834 includes a plurality
of optical fibers which lead from a mating surface of the optical
data connector 834 to an optical transceiver 836. The optical
transceiver 836 is configured to convert incoming optical signals
from the rack-side optical data connector to electrical signals and
to convert electrical signals to outgoing optical signals to the
rack-side optical data connector. Although shown as forming part of
the optical data connector 834 in the illustrative embodiment, the
optical transceiver 836 may form a portion of the communication
circuit 830 in other embodiments.
[0054] In some embodiments, the compute sled 800 may also include
an expansion connector 840. In such embodiments, the expansion
connector 840 is configured to mate with a corresponding connector
of an expansion chassis-less circuit board substrate to provide
additional physical resources to the compute sled 800. The
additional physical resources may be used, for example, by the
processors 820 during operation of the compute sled 800. The
expansion chassis-less circuit board substrate may be substantially
similar to the chassis-less circuit board substrate 602 discussed
above and may include various electrical components mounted
thereto. The particular electrical components mounted to the
expansion chassis-less circuit board substrate may depend on the
intended functionality of the expansion chassis-less circuit board
substrate. For example, the expansion chassis-less circuit board
substrate may provide additional compute resources, memory
resources, and/or storage resources. As such, the additional
physical resources of the expansion chassis-less circuit board
substrate may include, but are not limited to, processors, memory
devices, storage devices, and/or accelerator circuits including,
for example, field programmable gate arrays (FPGA),
application-specific integrated circuits (ASICs), security
co-processors, graphics processing units (GPUs), machine learning
circuits, or other specialized processors, controllers, devices,
and/or circuits.
[0055] Referring now to FIG. 9, an illustrative embodiment of the
compute sled 800 is shown. As shown, the processors 820,
communication circuit 830, and optical data connector 834 are
mounted to the top side 650 of the chassis-less circuit board
substrate 602. Any suitable attachment or mounting technology may
be used to mount the physical resources of the compute sled 800 to
the chassis-less circuit board substrate 602. For example, the
various physical resources may be mounted in corresponding sockets
(e.g., a processor socket), holders, or brackets. In some cases,
some of the electrical components may be directly mounted to the
chassis-less circuit board substrate 602 via soldering or similar
techniques.
[0056] As discussed above, the individual processors 820 and
communication circuit 830 are mounted to the top side 650 of the
chassis-less circuit board substrate 602 such that no two
heat-producing electrical components shadow each other. In the
illustrative embodiment, the processors 820 and communication
circuit 830 are mounted in corresponding locations on the top side
650 of the chassis-less circuit board substrate 602 such that no
two of those physical resources are linearly in-line with others
along the direction of the airflow path 608. It should be
appreciated that, although the optical data connector 834 is
in-line with the communication circuit 830, the optical data
connector 834 produces no or nominal heat during operation.
[0057] The memory devices 720 of the compute sled 800 are mounted
to the bottom side 750 of the chassis-less circuit board
substrate 602 as discussed above in regard to the sled 400.
Although mounted to the bottom side 750, the memory devices 720 are
communicatively coupled to the processors 820 located on the top
side 650 via the I/O subsystem 622. Because the chassis-less
circuit board substrate 602 is embodied as a double-sided circuit
board, the memory devices 720 and the processors 820 may be
communicatively coupled by one or more vias, connectors, or other
mechanisms extending through the chassis-less circuit board
substrate 602. Of course, each processor 820 may be communicatively
coupled to a different set of one or more memory devices 720 in
some embodiments. Alternatively, in other embodiments, each
processor 820 may be communicatively coupled to each memory device
720. In some embodiments, the memory devices 720 may be mounted to
one or more memory mezzanines on the bottom side of the
chassis-less circuit board substrate 602 and may interconnect with
a corresponding processor 820 through a ball-grid array.
[0058] Each of the processors 820 includes a heatsink 850 secured
thereto. Due to the mounting of the memory devices 720 to the
bottom side 750 of the chassis-less circuit board substrate 602 (as
well as the vertical spacing of the sleds 400 in the corresponding
rack 240), the top side 650 of the chassis-less circuit board
substrate 602 includes additional "free" area or space that
facilitates the use of heatsinks 850 having a larger size relative
to traditional heatsinks used in typical servers. Additionally, due
to the improved thermal cooling characteristics of the chassis-less
circuit board substrate 602, none of the processor heatsinks 850
include cooling fans attached thereto. That is, each of the
heatsinks 850 is embodied as a fan-less heatsink. In some
embodiments, the heat sinks 850 mounted atop the processors 820 may
overlap with the heat sink attached to the communication circuit
830 in the direction of the airflow path 608 due to their increased
size, as illustratively suggested by FIG. 9.
[0059] Referring now to FIG. 10, in some embodiments, the sled 400
may be embodied as an accelerator sled 1000. The accelerator sled
1000 is configured to perform specialized compute tasks, such as
machine learning, encryption, hashing, or other
computationally intensive tasks. In some embodiments, for example, a
compute sled 800 may offload tasks to the accelerator sled 1000
during operation. The accelerator sled 1000 includes various
components similar to components of the sled 400 and/or compute
sled 800, which have been identified in FIG. 10 using the same
reference numbers. The description of such components provided
above in regard to FIGS. 6, 7, and 8 applies to the corresponding
components of the accelerator sled 1000 and is not repeated herein
for clarity of the description of the accelerator sled 1000.
[0060] In the illustrative accelerator sled 1000, the physical
resources 620 are embodied as accelerator circuits 1020. Although
only two accelerator circuits 1020 are shown in FIG. 10, it should
be appreciated that the accelerator sled 1000 may include
additional accelerator circuits 1020 in other embodiments. For
example, as shown in FIG. 11, the accelerator sled 1000 may include
four accelerator circuits 1020 in some embodiments. The accelerator
circuits 1020 may be embodied as any type of processor,
co-processor, compute circuit, or other device capable of
performing compute or processing operations. For example, the
accelerator circuits 1020 may be embodied as, for example, field
programmable gate arrays (FPGA), application-specific integrated
circuits (ASICs), security co-processors, graphics processing units
(GPUs), neuromorphic processor units, quantum computers, machine
learning circuits, or other specialized processors, controllers,
devices, and/or circuits.
[0061] In some embodiments, the accelerator sled 1000 may also
include an accelerator-to-accelerator interconnect 1042. Similar to
the resource-to-resource interconnect 624 of the sled 600 discussed
above, the accelerator-to-accelerator interconnect 1042 may be
embodied as any type of communication interconnect capable of
facilitating accelerator-to-accelerator communications. In the
illustrative embodiment, the accelerator-to-accelerator
interconnect 1042 is embodied as a high-speed point-to-point
interconnect (e.g., faster than the I/O subsystem 622). For
example, the accelerator-to-accelerator interconnect 1042 may be
embodied as a QuickPath Interconnect (QPI), an UltraPath
Interconnect (UPI), or other high-speed point-to-point interconnect
dedicated to processor-to-processor communications. In some
embodiments, the accelerator circuits 1020 may be daisy-chained
with a primary accelerator circuit 1020 connected to the NIC 832
and memory 720 through the I/O subsystem 622 and a secondary
accelerator circuit 1020 connected to the NIC 832 and memory 720
through a primary accelerator circuit 1020.
[0062] Referring now to FIG. 11, an illustrative embodiment of the
accelerator sled 1000 is shown. As discussed above, the accelerator
circuits 1020, communication circuit 830, and optical data
connector 834 are mounted to the top side 650 of the chassis-less
circuit board substrate 602. Again, the individual accelerator
circuits 1020 and communication circuit 830 are mounted to the top
side 650 of the chassis-less circuit board substrate 602 such that
no two heat-producing, electrical components shadow each other as
discussed above. The memory devices 720 of the accelerator sled
1000 are mounted to the bottom side 750 of the chassis-less
circuit board substrate 602 as discussed above in regard to the
sled 600. Although mounted to the bottom side 750, the memory
devices 720 are communicatively coupled to the accelerator circuits
1020 located on the top side 650 via the I/O subsystem 622 (e.g.,
through vias). Further, each of the accelerator circuits 1020 may
include a heatsink 1070 that is larger than a traditional heatsink
used in a server. As discussed above with reference to the
heatsinks 850, the heatsinks 1070 may be larger than traditional
heatsinks because of the "free" area provided by the memory
resources 720 being located on the bottom side 750 of the
chassis-less circuit board substrate 602 rather than on the top
side 650.
[0063] Referring now to FIG. 12, in some embodiments, the sled 400
may be embodied as a storage sled 1200. The storage sled 1200 is
configured to store data in a data storage 1250 local to the
storage sled 1200. For example, during operation, a compute sled
800 or an accelerator sled 1000 may store and retrieve data from
the data storage 1250 of the storage sled 1200. The storage sled
1200 includes various components similar to components of the sled
400 and/or the compute sled 800, which have been identified in FIG.
12 using the same reference numbers. The description of such
components provided above in regard to FIGS. 6, 7, and 8 applies to
the corresponding components of the storage sled 1200 and is not
repeated herein for clarity of the description of the storage sled
1200.
[0064] In the illustrative storage sled 1200, the physical
resources 620 are embodied as storage controllers 1220. Although
only two storage controllers 1220 are shown in FIG. 12, it should
be appreciated that the storage sled 1200 may include additional
storage controllers 1220 in other embodiments. The storage
controllers 1220 may be embodied as any type of processor,
controller, or control circuit capable of controlling the storage
and retrieval of data into the data storage 1250 based on requests
received via the communication circuit 830. In the illustrative
embodiment, the storage controllers 1220 are embodied as relatively
low-power processors or controllers. For example, in some
embodiments, the storage controllers 1220 may be configured to
operate at a power rating of about 75 watts.
[0065] In some embodiments, the storage sled 1200 may also include
a controller-to-controller interconnect 1242. Similar to the
resource-to-resource interconnect 624 of the sled 400 discussed
above, the controller-to-controller interconnect 1242 may be
embodied as any type of communication interconnect capable of
facilitating controller-to-controller communications. In the
illustrative embodiment, the controller-to-controller interconnect
1242 is embodied as a high-speed point-to-point interconnect (e.g.,
faster than the I/O subsystem 622). For example, the
controller-to-controller interconnect 1242 may be embodied as a
QuickPath Interconnect (QPI), an UltraPath Interconnect (UPI), or
other high-speed point-to-point interconnect dedicated to
processor-to-processor communications.
[0066] Referring now to FIG. 13, an illustrative embodiment of the
storage sled 1200 is shown. In the illustrative embodiment, the
data storage 1250 is embodied as, or otherwise includes, a storage
cage 1252 configured to house one or more solid state drives (SSDs)
1254. To do so, the storage cage 1252 includes a number of mounting
slots 1256, each of which is configured to receive a corresponding
solid state drive 1254. Each of the mounting slots 1256 includes a
number of drive guides 1258 that cooperate to define an access
opening 1260 of the corresponding mounting slot 1256. The storage
cage 1252 is secured to the chassis-less circuit board substrate
602 such that the access openings face away from (i.e., toward the
front of) the chassis-less circuit board substrate 602. As such,
solid state drives 1254 are accessible while the storage sled 1200
is mounted in a corresponding rack 240. For example, a solid state
drive 1254 may be swapped out of a rack 240 (e.g., via a robot)
while the storage sled 1200 remains mounted in the corresponding
rack 240.
[0067] The storage cage 1252 illustratively includes sixteen
mounting slots 1256 and is capable of mounting and storing sixteen
solid state drives 1254. Of course, the storage cage 1252 may be
configured to store additional or fewer solid state drives 1254 in
other embodiments. Additionally, in the illustrative embodiment,
the solid state drives are mounted vertically in the storage cage
1252, but may be mounted in the storage cage 1252 in a different
orientation in other embodiments. Each solid state drive 1254 may
be embodied as any type of data storage device capable of storing
long term data. To do so, the solid state drives 1254 may include
volatile and non-volatile memory devices discussed above.
[0068] As shown in FIG. 13, the storage controllers 1220, the
communication circuit 830, and the optical data connector 834 are
illustratively mounted to the top side 650 of the chassis-less
circuit board substrate 602. Again, as discussed above, any
suitable attachment or mounting technology may be used to mount the
electrical components of the storage sled 1200 to the chassis-less
circuit board substrate 602 including, for example, sockets (e.g.,
a processor socket), holders, brackets, soldered connections,
and/or other mounting or securing techniques.
[0069] As discussed above, the individual storage controllers 1220
and the communication circuit 830 are mounted to the top side 650
of the chassis-less circuit board substrate 602 such that no two
heat-producing, electrical components shadow each other. For
example, the storage controllers 1220 and the communication circuit
830 are mounted in corresponding locations on the top side 650 of
the chassis-less circuit board substrate 602 such that no two of
those electrical components are linearly in-line with each other
along the direction of the airflow path 608.
[0070] The memory devices 720 of the storage sled 1200 are mounted
to the bottom side 750 of the chassis-less circuit board
substrate 602 as discussed above in regard to the sled 400.
Although mounted to the bottom side 750, the memory devices 720 are
communicatively coupled to the storage controllers 1220 located on
the top side 650 via the I/O subsystem 622. Again, because the
chassis-less circuit board substrate 602 is embodied as a
double-sided circuit board, the memory devices 720 and the storage
controllers 1220 may be communicatively coupled by one or more
vias, connectors, or other mechanisms extending through the
chassis-less circuit board substrate 602. Each of the storage
controllers 1220 includes a heatsink 1270 secured thereto. As
discussed above, due to the improved thermal cooling
characteristics of the chassis-less circuit board substrate 602 of
the storage sled 1200, none of the heatsinks 1270 include cooling
fans attached thereto. That is, each of the heatsinks 1270 is
embodied as a fan-less heatsink.
[0071] Referring now to FIG. 14, in some embodiments, the sled 400
may be embodied as a memory sled 1400. The memory sled 1400 is
optimized, or otherwise configured, to provide other sleds 400
(e.g., compute sleds 800, accelerator sleds 1000, etc.) with access
to a pool of memory (e.g., in two or more sets 1430, 1432 of memory
devices 720) local to the memory sled 1400. For example, during
operation, a compute sled 800 or an accelerator sled 1000 may
remotely write to and/or read from one or more of the memory sets
1430, 1432 of the memory sled 1400 using a logical address space
that maps to physical addresses in the memory sets 1430, 1432. The
memory sled 1400 includes various components similar to components
of the sled 400 and/or the compute sled 800, which have been
identified in FIG. 14 using the same reference numbers. The
description of such components provided above in regard to FIGS. 6,
7, and 8 applies to the corresponding components of the memory sled
1400 and is not repeated herein for clarity of the description of
the memory sled 1400.
[0072] In the illustrative memory sled 1400, the physical resources
620 are embodied as memory controllers 1420. Although only two
memory controllers 1420 are shown in FIG. 14, it should be
appreciated that the memory sled 1400 may include additional memory
controllers 1420 in other embodiments. The memory controllers 1420
may be embodied as any type of processor, controller, or control
circuit capable of controlling the writing and reading of data into
the memory sets 1430, 1432 based on requests received via the
communication circuit 830. In the illustrative embodiment, each
memory controller 1420 is connected to a corresponding memory set
1430, 1432 to write to and read from memory devices 720 within the
corresponding memory set 1430, 1432 and enforce any permissions
(e.g., read, write, etc.) associated with the sled 400 that has sent a
request to the memory sled 1400 to perform a memory access
operation (e.g., read or write).
[0073] In some embodiments, the memory sled 1400 may also include a
controller-to-controller interconnect 1442. Similar to the
resource-to-resource interconnect 624 of the sled 400 discussed
above, the controller-to-controller interconnect 1442 may be
embodied as any type of communication interconnect capable of
facilitating controller-to-controller communications. In the
illustrative embodiment, the controller-to-controller interconnect
1442 is embodied as a high-speed point-to-point interconnect (e.g.,
faster than the I/O subsystem 622). For example, the
controller-to-controller interconnect 1442 may be embodied as a
QuickPath Interconnect (QPI), an UltraPath Interconnect (UPI), or
other high-speed point-to-point interconnect dedicated to
processor-to-processor communications. As such, in some
embodiments, a memory controller 1420 may access, through the
controller-to-controller interconnect 1442, memory that is within
the memory set 1432 associated with another memory controller 1420.
In some embodiments, a scalable memory controller is made of
multiple smaller memory controllers, referred to herein as
"chiplets", on a memory sled (e.g., the memory sled 1400). The
chiplets may be interconnected (e.g., using EMIB (Embedded
Multi-Die Interconnect Bridge)). The combined chiplet memory
controller may scale up to a relatively large number of memory
controllers and I/O ports (e.g., up to 16 memory channels). In
some embodiments, the memory controllers 1420 may implement a
memory interleave (e.g., one memory address is mapped to the memory
set 1430, the next memory address is mapped to the memory set 1432,
and the third address is mapped to the memory set 1430, etc.). The
interleaving may be managed within the memory controllers 1420, or
from CPU sockets (e.g., of the compute sled 800) across network
links to the memory sets 1430, 1432, and may improve the latency
associated with performing memory access operations as compared to
accessing contiguous memory addresses from the same memory
device.
[0074] Further, in some embodiments, the memory sled 1400 may be
connected to one or more other sleds 400 (e.g., in the same rack
240 or an adjacent rack 240) through a waveguide, using the
waveguide connector 1480. In the illustrative embodiment, the
waveguides are 64 millimeter waveguides that provide 16 Rx (i.e.,
receive) lanes and 16 Tx (i.e., transmit) lanes. Each lane, in the
illustrative embodiment, is either 16 GHz or 32 GHz. In other
embodiments, the frequencies may be different. Using a waveguide
may provide high throughput access to the memory pool (e.g., the
memory sets 1430, 1432) to another sled (e.g., a sled 400 in the
same rack 240 or an adjacent rack 240 as the memory sled 1400)
without adding to the load on the optical data connector 834.
[0075] Referring now to FIG. 15, a system for executing one or more
workloads (e.g., applications) may be implemented in accordance
with the data center 100. In the illustrative embodiment, the
system 1510 includes an orchestrator server 1520, which may be
embodied as a managed node comprising a compute device (e.g., a
processor 820 on a compute sled 800) executing management software
(e.g., a cloud operating environment, such as OpenStack) that is
communicatively coupled to multiple sleds 400 including a large
number of compute sleds 1530 (e.g., each similar to the compute
sled 800), memory sleds 1540 (e.g., each similar to the memory sled
1400), accelerator sleds 1550 (e.g., each similar to the accelerator
sled 1000), and storage sleds 1560 (e.g., each similar to the
storage sled 1200). One or more of the sleds 1530, 1540, 1550, 1560
may be grouped into a managed node 1570, such as by the
orchestrator server 1520, to collectively perform a workload (e.g.,
an application 1532 executed in a virtual machine or in a
container). The managed node 1570 may be embodied as an assembly of
physical resources 620, such as processors 820, memory resources
720, accelerator circuits 1020, or data storage 1250, from the same
or different sleds 400. Further, the managed node may be
established, defined, or "spun up" by the orchestrator server 1520
at the time a workload is to be assigned to the managed node or at
any other time, and may exist regardless of whether any workloads
are presently assigned to the managed node. In the illustrative
embodiment, the orchestrator server 1520 may selectively allocate
and/or deallocate physical resources 620 from the sleds 400 and/or
add or remove one or more sleds 400 from the managed node 1570 as a
function of quality of service (QoS) targets (e.g., performance
targets associated with a throughput, latency, instructions per
second, etc.) associated with a service level agreement for the
workload (e.g., the application 1532). In doing so, the
orchestrator server 1520 may receive telemetry data indicative of
performance conditions (e.g., throughput, latency, instructions per
second, etc.) in each sled 400 of the managed node 1570 and compare
the telemetry data to the quality of service targets to determine
whether the quality of service targets are being satisfied. The
orchestrator server 1520 may additionally determine whether one or
more physical resources may be deallocated from the managed node
1570 while still satisfying the QoS targets, thereby freeing up
those physical resources for use in another managed node (e.g., to
execute a different workload). Alternatively, if the QoS targets
are not presently satisfied, the orchestrator server 1520 may
determine to dynamically allocate additional physical resources to
assist in the execution of the workload (e.g., the application
1532) while the workload is executing. Similarly, the orchestrator
server 1520 may determine to dynamically deallocate physical
resources from a managed node if the orchestrator server 1520
determines that deallocating the physical resource would result in
QoS targets still being met.
[0076] Additionally, in some embodiments, the orchestrator server
1520 may identify trends in the resource utilization of the
workload (e.g., the application 1532), such as by identifying
phases of execution (e.g., time periods in which different
operations, each having different resource utilizations
characteristics, are performed) of the workload (e.g., the
application 1532) and pre-emptively identifying available resources
in the data center 100 and allocating them to the managed node 1570
(e.g., within a predefined time period of the associated phase
beginning). In some embodiments, the orchestrator server 1520 may
model performance based on various latencies and a distribution
scheme to place workloads among compute sleds and other resources
(e.g., accelerator sleds, memory sleds, storage sleds) in the data
center 100. For example, the orchestrator server 1520 may utilize a
model that accounts for the performance of resources on the sleds
400 (e.g., FPGA performance, memory access latency, etc.) and the
performance (e.g., congestion, latency, bandwidth) of the path
through the network to the resource (e.g., FPGA). As such, the
orchestrator server 1520 may determine which resource(s) should be
used with which workloads based on the total latency associated
with each potential resource available in the data center 100
(e.g., the latency associated with the performance of the resource
itself in addition to the latency associated with the path through
the network between the compute sled executing the workload and the
sled 400 on which the resource is located).
[0077] In some embodiments, the orchestrator server 1520 may
generate a map of heat generation in the data center 100 using
telemetry data (e.g., temperatures, fan speeds, etc.) reported from
the sleds 400 and allocate resources to managed nodes as a function
of the map of heat generation and predicted heat generation
associated with different workloads, to maintain a target
temperature and heat distribution in the data center 100.
Additionally or alternatively, in some embodiments, the
orchestrator server 1520 may organize received telemetry data into
a hierarchical model that is indicative of a relationship between
the managed nodes (e.g., a spatial relationship such as the
physical locations of the resources of the managed nodes within the
data center 100 and/or a functional relationship, such as groupings
of the managed nodes by the customers the managed nodes provide
services for, the types of functions typically performed by the
managed nodes, managed nodes that typically share or exchange
workloads among each other, etc.). Based on differences in the
physical locations and resources in the managed nodes, a given
workload may exhibit different resource utilizations (e.g., cause a
different internal temperature, use a different percentage of
processor or memory capacity) across the resources of different
managed nodes. The orchestrator server 1520 may determine the
differences based on the telemetry data stored in the hierarchical
model and factor the differences into a prediction of future
resource utilization of a workload if the workload is reassigned
from one managed node to another managed node, to accurately
balance resource utilization in the data center 100.
[0078] To reduce the computational load on the orchestrator server
1520 and the data transfer load on the network, in some
embodiments, the orchestrator server 1520 may send self-test
information to the sleds 400 to enable each sled 400 to locally
(e.g., on the sled 400) determine whether telemetry data generated
by the sled 400 satisfies one or more conditions (e.g., an
available capacity that satisfies a predefined threshold, a
temperature that satisfies a predefined threshold, etc.). Each sled
400 may then report back a simplified result (e.g., yes or no) to
the orchestrator server 1520, which the orchestrator server 1520
may utilize in determining the allocation of resources to managed
nodes.
[0079] Referring now to FIG. 16, a system 1610 for providing
efficient sharing of encrypted data in a disaggregated architecture
includes an orchestrator server 1620 similar to the orchestrator
server 1520, in communication with multiple sleds 1616, including a
compute sled 1630 that executes applications 1650, 1652 (e.g., each
a workload), similar to the application 1532, on behalf of a client
device 1614. Similarly, another compute sled 1632 executes multiple
applications 1654, 1656. Each application 1650, 1652, 1654, 1656
may be executed in a virtual machine (VM) and each application may
be associated with a corresponding tenant (e.g., a customer of the
system 1610 for whom applications are executed). The system 1610
additionally includes memory sleds 1640, 1642, each of which
includes a memory controller 1670, 1672, similar to the memory
controller 1420 of FIG. 14 and corresponding memory devices 1680,
1682, which are similar to the memory resources 720 of FIG. 7. In
operation, one or more of the memory sleds 1640, 1642 (e.g., the
memory sled 1640) coordinates the sharing (e.g., copying or moving)
of data sets between applications 1650, 1652, 1654, and 1656 by
providing, to an application that is to receive access to the data
set, a handle to the data set that is to be shared, rather than
performing a bit-for-bit transfer of the data set to the working
memory of the receiving application. The data set, in the
illustrative embodiment, is present in the memory devices 1680
and/or 1682. Moreover, in the illustrative embodiment, the data
set, and all other data residing in the memory devices 1680, 1682
used by the applications 1650, 1652, 1654, 1656 is encrypted with a
key that is associated with the application, the VM executing the
application, and/or the tenant for whom the application is
executed. As such, when a data set is to be shared across
applications that use different encryption keys, the memory sled
1640 coordinates with an encryption key manager 1622 to provide the
corresponding key to the application that is to receive access to
the data set. The encryption key manager 1622 may be embodied as
software or any circuitry (e.g., a co-processor, an application
specific integrated circuit (ASIC), etc.) that selectively provides
keys to applications to enable those applications to utilize (e.g.,
decrypt and/or encrypt) a corresponding data set. As indicated in
FIG. 16, the encryption key manager 1622 may be hosted by one of
the compute sleds 1630, 1632 executing the corresponding
applications 1650, 1652, 1654, 1656, by the orchestrator server
1620, and/or by another compute sled 1634 that is dedicated to
hosting the encryption key manager 1622. In other embodiments, the
encryption key manager 1622 may be hosted on another sled 1616.
[0080] By sharing handles to encrypted data sets among different
applications and selectively providing the corresponding keys to
those applications, on an as needed basis, the system 1610 avoids
the latency and processing overhead that would otherwise be
incurred in performing bit-for-bit transfers of data sets between
different applications and performing corresponding decryption
(e.g., with one key) and re-encryption (e.g., with another key)
operations with keys that are confined to each corresponding
tenant, application, or VM. Further, and as described in more
detail herein, by using a handle to a data set, which may be the
entire working memory of a particular application, the memory sled
1640 may greatly increase the speed at which an application
migration may occur (e.g., from one compute sled to another compute
sled). The memory sled 1640 may also perform operations to move
relatively infrequently used data sets to cold storage (e.g.,
infrequently used data storage devices on a data storage sled) and
to store access control data (e.g., data indicative of credentials
usable to access the data set) with the data set in the cold
storage, as described in more detail herein. While the following
description uses a memory sled 1640 as an example, it should be
understood that the operations may alternatively be performed by a
data storage sled 1560 and the corresponding non-volatile memory in
the data storage 1250.
[0081] The orchestrator server 1620, the sleds 1616, and the client
device 1614 are illustratively in communication via a network 1612,
which may be embodied as any type of wired or wireless
communication network, including global networks (e.g., the
Internet), local area networks (LANs) or wide area networks (WANs),
cellular networks (e.g., Global System for Mobile Communications
(GSM), 3G, Long Term Evolution (LTE), Worldwide Interoperability
for Microwave Access (WiMAX), etc.), digital subscriber line (DSL)
networks, cable networks (e.g., coaxial networks, fiber networks,
etc.), or any combination thereof.
[0082] Referring now to FIG. 17, the memory sled 1640, in
operation, may execute a method 1700 for providing efficient
sharing of encrypted data (e.g., in the system 1610). The method
1700 begins with block 1702, in which the memory sled 1640 is
powered on. In response to being powered on, the memory sled 1640
may detect, in block 1704, any sleds 1616 that are compatible with the encrypted
data sharing scheme described herein. For example, the memory sled
1640 may query other sleds (e.g., other memory sleds 1642) in the
system 1610 to determine whether those sleds have memory devices
1682 that are configured to store encrypted data (e.g., in a shared
pool) for one or more applications 1650, 1652, 1654, 1656. Further,
as indicated in block 1706, the memory sled 1640 may map memory
addresses of the available memory (e.g., memory devices 1680, 1682)
of the present memory sled 1640 and other sleds 1616 (e.g., the
memory sled 1642) that are compatible with the encrypted memory
sharing scheme. In block 1708, the memory sled 1640 may move a cold
data set (e.g., a relatively infrequently accessed file or other
set of data) to cold storage (e.g., one or more data storage
devices 1250 used for archiving data on a data storage sled 1560).
In doing so, the memory sled 1640 may move, to cold storage, a data
set that has not been accessed with at least a predefined frequency
(e.g., at least once a week) over a predefined time period (e.g.,
one month), as indicated in block 1710. The memory sled 1640 may do
so by sending the data set to the corresponding data storage sled
1560 for storage thereon. Further, in the illustrative embodiment,
the memory sled 1640 causes the data storage sled 1560 to store,
with the data set, access control data, which may be embodied as
any data indicative of credentials (e.g., a key identifier, a list
of identifiers of tenants allowed to access the data set, etc.)
usable to access the data set, as indicated in block 1712.
[0083] In block 1714, the memory sled 1640 receives a data access
request from another sled 1616 (e.g., a request initiated by the
application 1650 executed by the compute sled 1630). As indicated
in block 1716, the data access request may be a request to share
(e.g., copy or move) a data set present in the memory 1680, 1682.
For example, and as indicated in block 1718, the memory sled 1640
may receive a data access request to copy a data set between
applications (e.g., copy a data set used by the application 1650 to
the application 1654) or the memory sled 1640 may receive a data
access request to move a data set between applications (e.g., from
the application 1650 to the application 1654), as indicated in
block 1720. As indicated in block 1722, the data access request may
be to move the entire working data of an application that is to be
migrated from one sled (e.g., the compute sled 1630) to another
sled (e.g., the compute sled 1632). Alternatively, the data access
request may be a request to write data, as indicated in block 1724,
or may be a request to read data, as indicated in block 1726. In
block 1728, the memory sled 1640 determines the subsequent course
of action to take as a function of whether a data access request
has been received by the memory sled 1640. If the memory sled 1640
has not received a memory access request, the method 1700 loops
back to block 1704, in which the memory sled 1640 continues to
detect sleds 1616 that are compatible with the efficient memory
sharing scheme. Otherwise, the method 1700 advances to block 1730
of FIG. 18, in which the memory sled 1640 determines the subsequent
actions to take based on whether the data access request is a data
share request (e.g., a request to share a data set).
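The data share path of method 1700 (blocks 1714 through 1744, including the key identifier determination described in the following paragraph), as an added Python model that is not part of this application: the memory sled resolves a handle through its handle database, determines the key identifier, asks the encryption key manager to release the key to the receiving application, and passes the handle instead of copying bytes. The tenant allowed-list used as access control data, the requirement that the requester already hold the handle, the 16-bit key identifier in the high-order address bits and the SHA-256 keystream cipher are constructed assumptions of this example.

```python
from dataclasses import dataclass, field
import secrets
import hashlib

def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Constructed stand-in cipher (SHA-256 counter keystream XOR); symmetric."""
    out = bytearray()
    for off in range(0, len(data), 32):
        block = hashlib.sha256(key + off.to_bytes(4, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[off:off + 32], block))
    return bytes(out)

@dataclass
class Application:
    app_id: str
    tenant: str
    keys: dict = field(default_factory=dict)    # key_id -> key released by the manager
    handles: set = field(default_factory=set)   # handles this application may use

class EncryptionKeyManager:
    """Holds keys by key identifier and releases them only to permitted tenants."""

    def __init__(self):
        self._keys = {}     # key_id -> key
        self._allowed = {}  # key_id -> tenants allowed to use it (access control data)

    def register(self, key_id, key, allowed_tenants):
        self._keys[key_id] = key
        self._allowed[key_id] = set(allowed_tenants)

    def provide_key(self, key_id, app):
        """Refuse unknown key identifiers and applications of a non-permitted tenant."""
        if app.tenant not in self._allowed.get(key_id, ()):
            return False
        app.keys[key_id] = self._keys[key_id]
        return True

class MemorySled:
    """Memory sled that shares data sets by handle instead of copying their bytes."""

    def __init__(self, key_manager):
        self.key_manager = key_manager
        self.memory = {}     # (sled_id, address) -> ciphertext
        self.handle_db = {}  # handle -> (sled_id, address)   (block 1738)
        self.key_id_db = {}  # (sled_id, address) -> key_id   (block 1742)

    def store(self, owner, sled_id, address, key_id, key, plaintext, allowed):
        """Write an encrypted data set, register its key, hand the owner an opaque handle."""
        location = (sled_id, address)
        self.memory[location] = keystream_xor(key, plaintext)
        self.key_id_db[location] = key_id
        self.key_manager.register(key_id, key, allowed)
        self.key_manager.provide_key(key_id, owner)
        handle = "h-" + secrets.token_hex(8)  # opaque: reveals nothing about the address
        self.handle_db[handle] = location
        owner.handles.add(handle)
        return handle

    def determine_key_id(self, location):
        """Block 1742 lookup, else the address's high-order bits (block 1744); a 16-bit
        key id in bits 63..48 is an assumption of this example."""
        if location in self.key_id_db:
            return self.key_id_db[location]
        return f"kid-{location[1] >> 48:04x}"

    def share(self, handle, requester, receiver, move=False):
        """Data share request (blocks 1716-1720, 1732-1744): resolve the handle, find
        the key identifier, have the key manager release the key, pass the handle."""
        if handle not in requester.handles or handle not in self.handle_db:
            return None               # the requester does not hold this data set
        key_id = self.determine_key_id(self.handle_db[handle])
        if not self.key_manager.provide_key(key_id, receiver):
            return None               # the receiver's tenant is not permitted
        receiver.handles.add(handle)  # no bit-for-bit transfer takes place
        if move:                      # block 1720: a move revokes the source's access
            requester.handles.discard(handle)
        return key_id

    def read(self, handle, app):
        """Block 1726: return ciphertext only to an application holding the handle."""
        return self.memory[self.handle_db[handle]] if handle in app.handles else None

def demo():
    """Constructed scenario: app 1650 copies a data set to app 1654 (same tenant);
    a share to app 1656 of another tenant is refused by the key manager."""
    sled = MemorySled(EncryptionKeyManager())
    app_1650 = Application("1650", "tenant-a")
    app_1654 = Application("1654", "tenant-a")
    app_1656 = Application("1656", "tenant-b")
    handle = sled.store(app_1650, "sled-1640", 0x0001_0000_2000_0000, "kid-0001",
                        b"constructed-key-bytes", b"constructed data set", ["tenant-a"])
    key_id = sled.share(handle, app_1650, app_1654)   # copy: both keep the handle
    denied = sled.share(handle, app_1650, app_1656)   # refused: tenant-b not allowed
    plaintext = keystream_xor(app_1654.keys[key_id], sled.read(handle, app_1654))
    return plaintext, denied, app_1656.handles
```

A move request differs from the copy in `demo()` only in that the source application loses the handle, so the sled's `read` refuses it afterwards while the receiver keeps both handle and key.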
[0084] Referring now to FIG. 18, in response to a determination
that the data access request is a data share request, the method
1700 advances to block 1732, in which the memory sled 1640
determines a key identifier (e.g., any data such as a number or
alphanumeric code) that is associated with the data set to be
shared and that uniquely identifies a key (e.g., a code) that is
usable to perform cryptographic operations on the data set. In
doing so, the memory sled 1640 may determine a key identifier
associated with a memory address for the data share request, as
indicated in block 1734. For example, and as indicated in block
1736, the memory sled 1640 may determine the memory address from a
handle (e.g., data that uniquely identifies the data set) included
in the data share request. In doing so,
the memory sled 1640 may determine the memory address from a
database that associates handles to memory addresses and the
corresponding sleds on which the memory is located (e.g., an
address corresponding to a section of a memory device 1682 of the
memory sled 1642), as indicated in block 1738. As indicated in
block 1740, in determining the key identifier, the memory sled 1640
may determine one or more memory addresses (e.g., a range of memory
addresses) for the working memory of an application that is to be
migrated from one compute sled (e.g., the compute sled 1630) to
another compute sled (e.g., the compute sled 1632), which may have
a more powerful processor or otherwise may be more suitable for the
present operations of the application. In determining the key
identifier, the memory sled 1640 may look up the key identifier in
a database that associates memory addresses with key identifiers,
as indicated in block 1742. As indicated in block 1744, the memory
sled 1640 may determine the key identifier as a subset of the
memory address (e.g., a subset of the highest order bits, a subset
of the lowest order bits, etc.). Alternatively, the memory sled
1640 may obtain the key identifier from a predefined register or
data structure associated with a compute sled of the requesting
application (e.g., a model specific register of the compute sled
1630 executing the application 1650, a data structure present in a
section of the memory 1680, 1682 utilized by the application 1650,
etc.), as indicated in block 1746. Subsequently, the method 1700
advances to block 1748 of FIG. 19 in which the memory sled 1640
requests the corresponding key from an encryption key manager
(e.g., the encryption key manager 1622).
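The three ways of deriving a key identifier described above (a database that associates addresses with key identifiers, a subset of the address bits, or a register of the requesting compute sled) can be written out as one resolution routine. The following is an added illustration, not code from the patent or from Intel; the handle table, the address layout (key identifier in the highest-order 16 bits of a 64-bit address), the fallback order, the reference numerals used as sled ids and the register contents are all constructed assumptions.

```python
from typing import Optional, Union

# Constructed sample state for a memory sled; the patent describes the lookups
# but not a concrete data format, so these layouts are assumptions.
# Handle -> (sled owning the memory, physical address)   (block 1738)
HANDLE_DB = {
    0x1001: (1642, 0x0ACE_0000_0010_0000),
    0x1002: (1640, 0x0B00_0000_0040_0000),
    0x1003: (1640, 0x0000_0000_0080_0000),
}

# Address ranges explicitly associated with key identifiers   (block 1742)
KEY_ID_DB = [
    # (start, end exclusive, key identifier)
    (0x0ACE_0000_0000_0000, 0x0ACF_0000_0000_0000, "kid-ace"),
]

# Per-compute-sled register holding the key identifier of the application
# that sent the request   (block 1746); constructed values.
SLED_KEY_REGISTER = {1630: "kid-app1650", 1632: "kid-app1654"}

ADDRESS_BITS = 64
KEY_ID_BITS = 16  # assumed: key id carried in the 16 highest-order bits (block 1744)

KeyId = Union[str, int]


def address_for_handle(handle: int) -> Optional[tuple[int, int]]:
    """Blocks 1736/1738: resolve an opaque handle to (owning sled, address)."""
    return HANDLE_DB.get(handle)


def key_id_from_database(address: int) -> Optional[str]:
    """Block 1742: look the address up in the address -> key identifier table."""
    for start, end, key_id in KEY_ID_DB:
        if start <= address < end:
            return key_id
    return None


def key_id_from_address_bits(address: int) -> int:
    """Block 1744: the key identifier is a subset (here the top bits) of the address."""
    return (address >> (ADDRESS_BITS - KEY_ID_BITS)) & ((1 << KEY_ID_BITS) - 1)


def key_id_from_register(compute_sled: int) -> Optional[str]:
    """Block 1746: read the key identifier from the requesting sled's register."""
    return SLED_KEY_REGISTER.get(compute_sled)


def resolve_key_identifier(handle: int, requesting_sled: int) -> Optional[dict]:
    """Block 1732: derive the key identifier for a data share request.

    The order (database, then address bits, then register) is an assumption;
    the patent lists the three as alternatives.  An unknown handle or an
    unresolvable key identifier yields None so that no key request is sent
    on the basis of a guess.
    """
    located = address_for_handle(handle)
    if located is None:
        return None
    owning_sled, address = located

    key_id: Optional[KeyId] = key_id_from_database(address)
    source = "database"
    if key_id is None:
        bits = key_id_from_address_bits(address)
        if bits != 0:                    # assumed convention: 0 means "not encoded here"
            key_id, source = bits, "address-bits"
    if key_id is None:
        key_id, source = key_id_from_register(requesting_sled), "register"
    if key_id is None:
        return None
    return {"sled": owning_sled, "address": address, "key_id": key_id, "source": source}
```

Returning the source of the identifier alongside its value lets an audit trail record which resolution path authorised each key request, which matters when the paths have different trust levels (a sled-supplied register is attacker-influenced in a way a controller-owned table is not).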
[0085] Referring now to FIG. 19, in requesting the corresponding
key from the encryption key manager 1622, the memory sled 1640 may
send the key identifier (e.g., the key identifier determined in
block 1732) in a request to the encryption key manager 1622, as
indicated in block 1750. As indicated in block 1752, the memory
sled 1640 may request a key that has been escrowed with the
encryption key manager 1622 by a memory encryption engine (not
shown) of the sled 1616 (e.g., the compute sled 1630) that sent the
data share request to the memory sled 1640. In requesting the key,
the memory sled 1640 may send the request to an encryption key
manager 1622 hosted by the orchestrator server 1620, as indicated
in block 1754. Alternatively, the encryption key manager 1622 may
be hosted on a different sled. For example, and as indicated in
block 1756, the memory sled 1640 may send the key request to an
encryption key manager 1622 in a compute sled 1630, 1632 associated
with the data share request (e.g., the data share request from
block 1716). In doing so, the memory sled 1640 may send the key
request to an encryption key manager 1622 hosted by a compute sled
that is to share the data set, as indicated in block 1758. For
example, if the application 1650, executed by the compute sled
1630, initiated the share request to share a data set with the
application 1654, which is executed by the compute sled 1632, the
memory sled 1640 may send the key request to the encryption key
manager 1622 hosted by the compute sled 1630. Alternatively, and as
indicated in block 1760, the memory sled 1640 may send the key
request to an encryption key manager 1622 hosted by the compute
sled that is to receive access to the data set. For example, in the
scenario described above, the
memory sled 1640 may send the key request to the compute sled 1632
executing the application 1654. In other embodiments, the
encryption key manager 1622 may be hosted on a different sled than
the compute sleds 1630, 1632 or the orchestrator server 1620, and
instead may be hosted by a separate compute sled 1634 (e.g., a
compute sled that is dedicated to hosting the encryption key
manager 1622) for use in all data sharing operations in the rack,
pod, or across the data center, as indicated in block 1762.
[0086] As indicated in block 1764, the memory sled 1640 may obtain
the key from the encryption key manager 1622 and, in block 1766,
may send the obtained key to the sled (e.g., the sled 1632) that is
to access the data set to be shared. In doing so, the memory sled
1640 may send the obtained key to a target application (e.g., the
application 1654, in the scenario described above) executed on the
compute sled 1632, as indicated in block 1768. In other
embodiments, the encryption key manager 1622 provides the requested
key directly to the application that is to access the data set
(e.g., rather than relaying the key through the memory sled 1640).
Regardless, in block 1770, the memory sled 1640 sends, to the sled
that is to access the data set, a handle associated with an address
where the data set is physically located in the memory 1680, 1682.
In the illustrative embodiment, the handle is a level of
indirection away from the logical or physical address of where the
data set resides in the memory 1680, 1682. As such, while the
logical or physical address of the data set may change (e.g., as a
result of the memory management operations carried out by one or
more of the controllers 1670, 1672), the handle will still point to
the data set (e.g., the handle will be remapped to the new
address). Subsequently, the method 1700 loops back to block 1704 of
FIG. 17, in which the memory sled 1640 again detects any previously
undetected sleds 1616 (e.g., sleds 1616 that have been added to the
system 1610) that are compatible with the efficient memory sharing
scheme.
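The exchange of paragraphs [0085] and [0086] (memory sled requests an escrowed key by key identifier, forwards the key and a handle to the sled that is to access the data set, and the handle survives a later remap of the physical address) is shown below as an added, simplified model. It is not the patent's or Intel's code: the class names, the rule that the key manager releases a key only when the share was initiated by the sled that escrowed it, the audit log, and all sled ids, addresses and key bytes are constructed assumptions. Payloads are treated as opaque ciphertext; no cryptography is performed.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class KeyManager:
    """Encryption key manager 1622 holding keys escrowed by memory encryption
    engines (block 1752).  The ownership check is an assumption added here."""
    escrow: dict = field(default_factory=dict)   # key_id -> key bytes
    owner: dict = field(default_factory=dict)    # key_id -> sled that escrowed it
    audit: list = field(default_factory=list)    # (key_id, requester, sharer, granted)

    def escrow_key(self, key_id: str, key: bytes, from_sled: int) -> None:
        self.escrow[key_id] = key
        self.owner[key_id] = from_sled

    def request_key(self, key_id: str, sharing_sled: int, requester: int) -> Optional[bytes]:
        """Block 1750: release the key only if the sled that initiated the share
        is the sled that escrowed it; every decision is logged for detection."""
        granted = self.owner.get(key_id) == sharing_sled
        self.audit.append((key_id, requester, sharing_sled, granted))
        return self.escrow[key_id] if granted else None


class MemorySled:
    """Memory sled 1640: a handle is one level of indirection away from the
    physical address, so a remap does not invalidate outstanding handles."""

    def __init__(self, sled_id: int):
        self.sled_id = sled_id
        self.handles: dict[int, int] = {}   # handle -> physical address
        self.memory: dict[int, bytes] = {}  # address -> encrypted payload (opaque here)
        self.key_ids: dict[int, str] = {}   # handle -> key identifier

    def store(self, handle: int, address: int, ciphertext: bytes, key_id: str) -> None:
        self.handles[handle] = address
        self.memory[address] = ciphertext
        self.key_ids[handle] = key_id

    def share(self, handle: int, sharing_sled: int, target_sled: int,
              km: KeyManager) -> Optional[dict]:
        """Blocks 1748-1770: obtain the escrowed key and send key plus handle
        to the sled that is to access the data set; None if refused."""
        if handle not in self.handles:
            return None
        key = km.request_key(self.key_ids[handle], sharing_sled, requester=self.sled_id)
        if key is None:
            return None
        return {"to_sled": target_sled, "key": key, "handle": handle}

    def remap(self, handle: int, new_address: int) -> None:
        """A memory-management move by the controller: the handle follows the data."""
        old = self.handles[handle]
        self.memory[new_address] = self.memory.pop(old)
        self.handles[handle] = new_address

    def read(self, handle: int) -> Optional[bytes]:
        """Block 1784: a read returns the ciphertext at the handle's current address."""
        address = self.handles.get(handle)
        return None if address is None else self.memory.get(address)


def demo() -> dict:
    """Constructed scenario: app 1650 on sled 1630 shares with app 1654 on sled 1632,
    then an unrelated sled 1634 attempts the same share and is refused."""
    km = KeyManager()
    km.escrow_key("kid-ace", bytes(range(32)), from_sled=1630)   # constructed key bytes
    sled = MemorySled(1640)
    sled.store(0x1001, 0x0ACE_0000_0010_0000, b"\xde\xad\xbe\xef", "kid-ace")
    granted = sled.share(0x1001, sharing_sled=1630, target_sled=1632, km=km)
    refused = sled.share(0x1001, sharing_sled=1634, target_sled=1632, km=km)
    sled.remap(0x1001, 0x0ACE_0000_0020_0000)
    return {"granted": granted, "refused": refused,
            "after_remap": sled.read(0x1001), "audit": km.audit}
```

The key manager's audit list is the place a defender would watch: a refused request records which sled claimed to be sharing a data set whose key it never escrowed.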
[0087] Referring back to block 1730 of FIG. 18, if the data access
request is not a data share request, the method 1700 instead
advances to block 1772 of FIG. 20, in which the memory sled 1640
determines whether the request is a write request. If so, the
method 1700 advances to block 1774, in which the memory sled 1640
determines whether the data set is presently shared by multiple
tenants (e.g., the applications of different customers are
concurrently accessing the same data set). If not, the method 1700
advances to block 1776, in which the memory sled 1640 writes data
(e.g., an encrypted payload) from the write request to the data set
identified in the write request (e.g., by a handle). Otherwise, if
the data set is shared by multiple tenants, the method 1700 instead
advances to block 1778 in which the memory sled 1640 forks the data
set (e.g., makes a copy of the data set in the memory 1680, 1682),
and writes the data (e.g., encrypted data) from the write request
to the forked data set, as indicated in block 1780. Subsequently,
in block 1782, the memory sled 1640 sends a handle associated with
the forked data set to the requesting sled 1616 (e.g., the compute
sled 1630) to be used by the requesting sled 1616 in place of the
original handle (e.g., the handle that was included in the write
request). Subsequently, the method 1700 loops back to block 1704,
in which the memory sled 1640 detects any previously undetected
sleds 1616 that are compatible with the efficient memory sharing
scheme. Referring back to block 1772, if the data access request is
not a write request (e.g., the data access request is a read
request), the method 1700 advances to block 1784, in which the
memory sled 1640 reads a data set at an address associated with a
handle included in the read request. Subsequently, the memory sled
1640 sends the read data set (e.g., in its encrypted form) to the
requesting sled (e.g., the compute sled 1630), as indicated in
block 1786. Afterwards, the method 1700 loops back to block 1704,
in which the memory sled 1640 again detects any previously
undetected sleds 1616 that are compatible with the efficient memory
sharing scheme.
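The write and read paths of paragraph [0087], including the fork of a data set that several tenants share before a write is applied, amount to a copy-on-write policy keyed on the set of tenants holding a handle. The following is an added example, not code from the patent or from Intel; the class, the per-handle tenant grant set, the offset-based write and the requirement that a tenant hold a grant before reading or writing are assumptions. Payloads are opaque ciphertext.

```python
class SharedMemorySled:
    """Write path of blocks 1772-1786 with a copy-on-write fork for data sets
    that several tenants share.  Payloads are treated as opaque ciphertext."""

    def __init__(self):
        self.memory: dict[int, bytes] = {}     # address -> encrypted payload
        self.handles: dict[int, int] = {}      # handle -> address
        self.tenants: dict[int, set] = {}      # handle -> tenants holding a grant
        self._next_address = 0x1000_0000       # constructed allocation scheme
        self._next_handle = 0x2000

    def _alloc(self) -> tuple[int, int]:
        handle, address = self._next_handle, self._next_address
        self._next_handle += 1
        self._next_address += 0x1000
        return handle, address

    def allocate(self, tenant: str, ciphertext: bytes) -> int:
        """Create a data set owned by a single tenant and return its handle."""
        handle, address = self._alloc()
        self.memory[address] = ciphertext
        self.handles[handle] = address
        self.tenants[handle] = {tenant}
        return handle

    def grant(self, handle: int, tenant: str) -> None:
        """Result of a completed share request: another tenant now holds the handle."""
        self.tenants[handle].add(tenant)

    def has_grant(self, handle: int, tenant: str) -> bool:
        return tenant in self.tenants.get(handle, set())

    def _check(self, handle: int, tenant: str) -> None:
        if not self.has_grant(handle, tenant):
            raise PermissionError(f"tenant {tenant!r} holds no grant for handle {handle:#x}")

    def read(self, handle: int, tenant: str) -> bytes:
        """Blocks 1784-1786: return the data set, still in encrypted form."""
        self._check(handle, tenant)
        return self.memory[self.handles[handle]]

    def write(self, handle: int, tenant: str, data: bytes, offset: int = 0) -> int:
        """Blocks 1774-1782: write in place when the tenant is the sole holder,
        otherwise fork the data set and return a handle to the writer's private copy."""
        self._check(handle, tenant)
        current = self.memory[self.handles[handle]]
        if offset < 0 or offset + len(data) > len(current):
            raise ValueError("write outside the bounds of the data set")
        patched = current[:offset] + data + current[offset + len(data):]

        if len(self.tenants[handle]) == 1:             # block 1776: not shared
            self.memory[self.handles[handle]] = patched
            return handle

        new_handle, new_address = self._alloc()        # block 1778: fork
        self.memory[new_address] = patched             # block 1780: write to the fork
        self.handles[new_handle] = new_address
        self.tenants[new_handle] = {tenant}
        self.tenants[handle].discard(tenant)           # writer uses the new handle only
        return new_handle                              # block 1782
```

The fork keeps the other tenants' view of the original data set byte-for-byte unchanged, which is the isolation property the multi-tenant check in block 1774 exists to preserve; the bounds check stops a write from spilling past the data set into an adjacent allocation.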
EXAMPLES
[0088] Illustrative examples of the technologies disclosed herein
are provided below. An embodiment of the technologies may include
any one or more, and any combination of, the examples described
below.
[0089] Example 1 includes a sled comprising a set of memory
devices; and a controller connected to the set of memory devices,
wherein the controller is to receive, from a first application
executed by a compute sled, a data access request to share a data
set between the first application and a second application, wherein
the data set is encrypted in one or more of the memory devices;
determine, in response to the data access request, a key identifier
that uniquely identifies a key that is usable to perform
cryptographic operations on the data set; send, to an encryption
key manager, a request to provide the key corresponding to the key
identifier to be used by the second application to decrypt the data
set; and send, to the second application, a handle associated with
an address in the set of memory devices where the data set is
located.
[0090] Example 2 includes the subject matter of Example 1, and
wherein the controller is further to determine whether the data set
has been accessed with at least a predefined frequency over a
predefined period of time; move, in response to a determination
that the data set has not been accessed with at least the
predefined frequency over the predefined period of time, the data
set to a data storage device; and store, with the data set, access
control data indicative of credentials that are usable to access
the data set.
[0091] Example 3 includes the subject matter of any of Examples 1
and 2, and wherein the controller is further to receive a request
to migrate working data of the first application, wherein the first
application is to be moved from a first compute sled to a second
compute sled; and send, to the second compute sled, a handle to the
working data of the first application.
[0092] Example 4 includes the subject matter of any of Examples
1-3, and wherein the sled is located in a data center and the
controller is further to map an address of memory that is present on
at least one other sled in the data center.
[0093] Example 5 includes the subject matter of any of Examples
1-4, and wherein the controller is further to receive a write
request to write data to the data set; determine, in response to
the write request, whether the data set is shared by multiple
applications; fork, in response to a determination that the data
set is shared by multiple applications, the data set to another
location in the set of memory devices; write the data from the
write request to the forked data set; and send, in response to the
write request, a handle to the forked data set.
[0094] Example 6 includes the subject matter of any of Examples
1-5, and wherein to determine the key identifier comprises to
determine a memory address associated with a handle included in the
data access request; and determine the key identifier as a function
of the determined memory address.
[0095] Example 7 includes the subject matter of any of Examples
1-6, and wherein to determine the key identifier as a function of
the determined memory address comprises to determine the key
identifier as a subset of the memory address.
[0096] Example 8 includes the subject matter of any of Examples
1-7, and wherein to determine the key identifier as a function of
the determined memory address comprises to look up the key
identifier in a database that associates memory addresses with key
identifiers.
[0097] Example 9 includes the subject matter of any of Examples
1-8, and wherein to determine the key identifier comprises to obtain
the key identifier from a predefined register or a data structure
associated with a compute sled on which the first application is
executed.
[0098] Example 10 includes the subject matter of any of Examples
1-9, and wherein to send, to an encryption key manager, a request
to provide the key comprises to send the key identifier with the
request.
[0099] Example 11 includes the subject matter of any of Examples
1-10, and wherein to send, to an encryption key manager, a request
to provide the key comprises to send a request for a key that is
escrowed with the encryption key manager by a memory encryption
engine of a sled that sent the data access request.
[0100] Example 12 includes the subject matter of any of Examples
1-11, and wherein to send, to an encryption key manager, a request
to provide the key comprises to send the request to an encryption
key manager hosted by a compute sled from which the data access
request was received.
[0101] Example 13 includes the subject matter of any of Examples
1-12, and wherein to send, to an encryption key manager, a request
to provide the key comprises to send the request to an encryption
key manager hosted by an orchestrator server.
[0102] Example 14 includes one or more non-transitory
machine-readable storage media comprising a plurality of
instructions stored thereon that, in response to being executed,
cause a sled to receive, from a first application executed by a
compute sled, a data access request to share a data set between the
first application and a second application, wherein the data set is
encrypted in one or more memory devices of a set of memory devices
connected to the sled; determine, in response to the data access
request, a key identifier that uniquely identifies a key that is
usable to perform cryptographic operations on the data set; send,
to an encryption key manager, a request to provide the key
corresponding to the key identifier to be used by the second
application to decrypt the data set; and send, to the second
application, a handle associated with an address in the set of
memory devices where the data set is located.
[0103] Example 15 includes the subject matter of Example 14, and
wherein, when executed, the plurality of instructions further cause
the sled to determine whether the data set has been accessed with
at least a predefined frequency over a predefined period of time;
move, in response to a determination that the data set has not been
accessed with at least the predefined frequency over the predefined
period of time, the data set to a data storage device; and store,
with the data set, access control data indicative of credentials
that are usable to access the data set.
[0104] Example 16 includes the subject matter of any of Examples 14
and 15, and wherein, when executed, the plurality of instructions
further cause the sled to receive a request to migrate working data
of the first application, wherein the first application is to be
moved from a first compute sled to a second compute sled; and send,
to the second compute sled, a handle to the working data of the
first application.
[0105] Example 17 includes the subject matter of any of Examples
14-16, and wherein the sled is located in a data center and
wherein, when executed, the plurality of instructions further cause
the sled to map an address of memory that is present on at least
one other sled in the data center.
[0106] Example 18 includes the subject matter of any of Examples
14-17, and wherein, when executed, the plurality of instructions
further cause the sled to receive a write request to write data to
the data set; determine, in response to the write request, whether
the data set is shared by multiple applications; fork, in response
to a determination that the data set is shared by multiple
applications, the data set to another location in the set of memory
devices; write the data from the write request to the forked data
set; and send, in response to the write request, a handle to the
forked data set.
[0107] Example 19 includes the subject matter of any of Examples
14-18, and wherein to determine the key identifier comprises to
determine a memory address associated with a handle included in the
data access request; and determine the key identifier as a function
of the determined memory address.
[0108] Example 20 includes the subject matter of any of Examples
14-19, and wherein to determine the key identifier as a function of
the determined memory address comprises to determine the key
identifier as a subset of the memory address.
[0109] Example 21 includes the subject matter of any of Examples
14-20, and wherein to determine the key identifier as a function of
the determined memory address comprises to look up the key
identifier in a database that associates memory addresses with key
identifiers.
[0110] Example 22 includes a method comprising receiving, by a
memory controller, from a first application executed by a compute
device, a data access request to share a data set between the first
application and a second application, wherein the data set is
encrypted in one or more memory devices of a set of memory devices
connected to the memory controller; determining, by the memory
controller and in response to the data access request, a key
identifier that uniquely identifies a key that is usable to perform
cryptographic operations on the data set; sending, by the memory
controller and to an encryption key manager, a request to provide
the key corresponding to the key identifier to be used by the
second application to decrypt the data set; and sending, by the
memory controller and to the second application, a handle
associated with an address in the set of memory devices where the
data set is located.
[0111] Example 23 includes the subject matter of Example 22, and
further including determining, by the memory controller, whether
the data set has been accessed with at least a predefined frequency
over a predefined period of time; moving, by the memory controller
and in response to a determination that the data set has not been
accessed with at least the predefined frequency over the predefined
period of time, the data set to a data storage device; and storing,
with the data set, access control data indicative of credentials
that are usable to access the data set.
[0112] Example 24 includes the subject matter of any of Examples 22
and 23, and further including receiving, by the memory controller,
a request to migrate working data of the first application, wherein
the first application is to be moved from a first compute sled to a
second compute sled; and sending, by the memory controller and to
the second compute sled, a handle to the working data of the first
application.
[0113] Example 25 includes the subject matter of any of Examples
22-24, and wherein the memory controller is in a sled that is
located in a data center, the method further comprising mapping, by
the memory controller, an address of memory that is present on at
least one other sled in the data center.
[0114] Example 26 includes a sled comprising means for receiving,
from a first application executed by a compute device, a data
access request to share a data set between the first application
and a second application, wherein the data set is encrypted in one
or more memory devices of a set of memory devices connected to the
sled; means for determining, in response to the data access
request, a key identifier that uniquely identifies a key that is
usable to perform cryptographic operations on the data set; means
for sending, to an encryption key manager, a request to provide the
key corresponding to the key identifier to be used by the second
application to decrypt the data set; and means for sending, to the
second application, a handle associated with an address in the set
of memory devices where the data set is located.
[0115] Example 27 includes a controller connected to a set of
memory devices, the controller comprising circuitry to receive,
from a first application executed by a compute sled, a data access
request to share a data set between the first application and a
second application, wherein the data set is encrypted in one or
more of the memory devices; determine, in response to the data
access request, a key identifier that uniquely identifies a key
that is usable to perform cryptographic operations on the data set;
send, to an encryption key manager, a request to provide the key
corresponding to the key identifier to be used by the second
application to decrypt the data set; and send, to the second
application, a handle associated with an address in the set of
memory devices where the data set is located.
[0116] Example 28 includes the subject matter of Example 27, and
wherein the circuitry is further to determine whether the data set
has been accessed with at least a predefined frequency over a
predefined period of time; move, in response to a determination
that the data set has not been accessed with at least the
predefined frequency over the predefined period of time, the data
set to a data storage device; and store, with the data set, access
control data indicative of credentials that are usable to access
the data set.
[0117] Example 29 includes the subject matter of any of Examples 27
and 28, and wherein the circuitry is further to receive a request
to migrate working data of the first application, wherein the first
application is to be moved from a first compute sled to a second
compute sled; and send, to the second compute sled, a handle to the
working data of the first application.
[0118] Example 30 includes the subject matter of any of Examples
27-29, and wherein the controller is located in a sled in a data
center and the circuitry is further to map an address of memory
that is present on at least one other sled in the data center.
[0119] Example 31 includes the subject matter of any of Examples
27-30, and wherein the circuitry is further to receive a write
request to write data to the data set; determine, in response to
the write request, whether the data set is shared by multiple
applications; fork, in response to a determination that the data
set is shared by multiple applications, the data set to another
location in the set of memory devices; write the data from the
write request to the forked data set; and send, in response to the
write request, a handle to the forked data set.
[0120] Example 32 includes the subject matter of any of Examples
27-31, and wherein to determine the key identifier comprises to
determine a memory address associated with a handle included in the
data access request; and determine the key identifier as a function
of the determined memory address.
[0121] Example 33 includes the subject matter of any of Examples
27-32, and wherein to determine the key identifier as a function of
the determined memory address comprises to determine the key
identifier as a subset of the memory address.
[0122] Example 34 includes the subject matter of any of Examples
27-33, and wherein to determine the key identifier as a function of
the determined memory address comprises to look up the key
identifier in a database that associates memory addresses with key
identifiers.
[0123] Example 35 includes the subject matter of any of Examples
27-34, and wherein to determine the key identifier comprises to obtain
the key identifier from a predefined register or a data structure
associated with a compute sled on which the first application is
executed.
[0124] Example 36 includes the subject matter of any of Examples
27-35, and wherein to send, to an encryption key manager, a request
to provide the key comprises to send the key identifier with the
request.
[0125] Example 37 includes the subject matter of any of Examples
27-36, and wherein to send, to an encryption key manager, a request
to provide the key comprises to send a request for a key that is
escrowed with the encryption key manager by a memory encryption
engine of a sled that sent the data access request.
[0126] Example 38 includes the subject matter of any of Examples
27-37, and wherein to send, to an encryption key manager, a request
to provide the key comprises to send the request to an encryption
key manager hosted by a compute sled from which the data access
request was received.
[0127] Example 39 includes the subject matter of any of Examples
27-38, and wherein to send, to an encryption key manager, a request
to provide the key comprises to send the request to an encryption
key manager hosted by an orchestrator server.