CN105190545B - Virtualization method and device and computer equipment
- Publication number: CN105190545B
- Authority: CN (China)
- Prior art keywords
- container
- file
- operating system
- vfs
- document structure
- Legal status: Active
Classifications
- G—PHYSICS
- G06—COMPUTING OR CALCULATING; COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F16/00—Information retrieval; Database structures therefor; File system structures therefor
- G06F16/10—File systems; File servers
- G06F16/18—File system types
- G06F16/188—Virtual file systems
Abstract
A virtualization method and device and computer equipment are provided to address the defects that existing container virtualization technology cannot truly isolate files between containers and is insufficiently secure, and that its operation is complex and costly. In some feasible implementations of the present invention, the method includes: the operating system creates an independent VFS instance for each of multiple containers and, through each container's VFS instance, configures an independent file management structure for each container in the file system, so that the multiple containers are configured with mutually independent VFS instances and with mutually independent file management structures; when the operating system receives a file operation request issued by an application in a first container among the multiple containers, it calls the file management structure of the first container through the VFS instance of the first container to operate on the files involved in the file operation request.
Description
Technical field
The present invention relates to the field of computer technology, and in particular to a virtualization method and device and computer equipment.
Background
Operating system virtualization is an emerging computer virtualization technology. As defined by Gartner, operating system virtualization means that a shared operating system allows multiple different applications to run in isolation under the control of a single copy of the operating system.
A container is a lightweight operating system virtualization technology. A container consists of process access control isolation and process group management control implemented in kernel mode, together with a complete set of user-mode management tools. Containers effectively partition the resources managed by a single operating system into isolated resource groups, so as to better balance conflicting resource demands among those groups. By providing a way to create and enter a container, containers let the applications inside behave as though they were running on an independent operating system while still sharing many underlying system resources. Many mature container products exist, for example LXC (Linux Container) for Linux systems.
In existing container-based operating system virtualization, multiple containers share the virtual file system (VFS) and the underlying file systems (FS); file isolation between containers is achieved by combining file path translation with access control policies.
The VFS is an interface layer between the file systems and services. The VFS abstracts all the details of each Linux file system so that different file systems look identical to the Linux kernel and to other processes running on the system. When file operations are involved, the VFS maps those operations onto the corresponding file system. The underlying file systems are the actual file systems such as Ext4, which are responsible for reading and storing data on disk.
Practice has shown that, because the underlying file system is shared between containers, files belonging to different containers are not truly isolated. Existing container virtualization technology therefore cannot completely shield file operations between containers, and its security is insufficient; in some special cases an upper-layer user or the kernel may break through this restriction and operate on files belonging to other containers. Moreover, for operations involving files, existing container virtualization technology must perform file path translation as well as access control and verification, which is complex and costly.
Summary of the invention
Embodiments of the present invention provide a virtualization method and device and computer equipment, to address the defects that existing container virtualization technology cannot truly isolate files between containers and is insufficiently secure, and that its operation is complex and costly.
A first aspect of the present invention provides a virtualization method for a virtualization system. The virtualization system includes a hardware layer, and an operating system and a file system running on the hardware layer. The operating system is divided into multiple mutually isolated containers, each of which is an isolated operation execution environment in which applications run; the multiple containers include a first container, which is any one of the multiple containers; and the file system can be divided into multiple mutually independent file management structures. The virtualization method includes: the operating system creates an independent virtual file system (VFS) instance for each of the multiple containers and, through each container's VFS instance, configures an independent file management structure for each container in the file system, so that the multiple containers are configured with mutually independent VFS instances and with mutually independent file management structures; when the operating system receives a file operation request issued by an application in the first container, it calls the file management structure of the first container through the VFS instance of the first container to operate on the files involved in the file operation request.
In a first possible implementation, the method further includes: the operating system allocates a dedicated processing thread to the first container; the dedicated processing thread of the first container processes the operations of the applications in the first container; and after all operations corresponding to the applications in the first container have been processed, the processing thread dedicated to the first container is released.
With reference to the first possible implementation of the first aspect, in a second possible implementation the method further includes: after the operating system receives a lock request sent by the processing thread dedicated to the first container when that thread starts work, it locks the file management structure of the first container, prohibiting other processing threads from accessing it; after the operating system receives an unlock request sent by the processing thread dedicated to the first container when that thread finishes work, it unlocks the file management structure of the first container.
With reference to the first aspect or its first or second possible implementation, in a third possible implementation, calling the file management structure of the first container through the VFS instance of the first container to operate on the files involved in the file operation request includes: calling the file system through the VFS instance of the first container and sending the file operation request to the file system, so that when the file system identifies that the file operation request originates from the first container, it operates on the files involved in the request within the file management structure of the first container.
A second aspect of the present invention provides a virtualization device applied to a virtualization system. The virtualization system includes a hardware layer, and an operating system and a file system running on the hardware layer. The operating system is divided into multiple mutually isolated containers, each of which is an isolated operation execution environment in which applications run; the multiple containers include a first container, which is any one of the multiple containers; and the file system can be divided into multiple mutually independent file management structures. The virtualization device is embedded in the operating system and includes: a configuration module, which causes the operating system to create an independent virtual file system (VFS) instance for each of the multiple containers and, through each container's VFS instance, to configure an independent file management structure for each container in the file system, so that the multiple containers are configured with mutually independent VFS instances and with mutually independent file management structures; and an operation module, which, when the operating system receives a file operation request issued by an application in the first container, causes the operating system to call the file management structure of the first container through the VFS instance of the first container to operate on the files involved in the file operation request.
In a first possible implementation, the configuration module further causes the operating system to allocate a dedicated processing thread to the first container, so that the dedicated processing thread of the first container processes the operations of the applications in the first container, and, after all operations corresponding to the applications in the first container have been processed, causes the operating system to release the processing thread dedicated to the first container.
With reference to the first possible implementation of the second aspect, in a second possible implementation the device further includes a locking and unlocking module, which, after the operating system receives a lock request sent by the processing thread dedicated to the first container when that thread starts work, locks the file management structure of the first container and prohibits other processing threads from accessing it; and which, after the operating system receives an unlock request sent by the processing thread dedicated to the first container when that thread finishes work, unlocks the file management structure of the first container.
With reference to the second aspect or its first or second possible implementation, in a third possible implementation the operation module is specifically configured so that, when the operating system receives a file operation request issued by an application in the first container, it causes the operating system to call the file system through the VFS instance of the first container and to send the file operation request to the file system, so that when the file system identifies that the file operation request originates from the first container, it operates on the files involved in the request within the file management structure of the first container.
A third aspect of the present invention provides computer equipment comprising a hardware layer, and an operating system and a file system running on the hardware layer. The hardware layer includes a processor, a memory, a communication interface and a bus; the processor, the memory and the communication interface communicate with one another via the bus; the communication interface is used to receive and send data; the memory is used to store a program; the processor is used to execute the program in the memory; and the operating system runs on the processor. The operating system is divided into multiple mutually isolated containers, each of which is an isolated operation execution environment in which applications run; the multiple containers include a first container, which is any one of the multiple containers; and the file system can be divided into multiple mutually independent file management structures. The processor performs the following steps: creating an independent virtual file system (VFS) instance for each of the multiple containers and, through each container's VFS instance, configuring an independent file management structure for each container in the file system, so that the multiple containers are configured with mutually independent VFS instances and with mutually independent file management structures; and, when a file operation request issued by an application in the first container is received, calling the file management structure of the first container through the VFS instance of the first container to operate on the files involved in the file operation request.
In a first possible implementation, the processor further performs the following steps: allocating a dedicated processing thread to the first container, the dedicated processing thread of the first container processing the operations of the applications in the first container, and, after all operations corresponding to the applications in the first container have been processed, releasing the processing thread dedicated to the first container.
With reference to the first possible implementation of the third aspect, in a second possible implementation the processor further performs the following steps: after receiving a lock request sent by the processing thread dedicated to the first container when that thread starts work, locking the file management structure of the first container and prohibiting other processing threads from accessing it; and after receiving an unlock request sent by the processing thread dedicated to the first container when that thread finishes work, unlocking the file management structure of the first container.
With reference to the third aspect or its first or second possible implementation, in a third possible implementation the processor further performs the following steps: when a file operation request issued by an application in the first container is received, calling the file system through the VFS instance of the first container and sending the file operation request to the file system, so that when the file system identifies that the file operation request originates from the first container, it operates on the files involved in the request within the file management structure of the first container.
As can be seen from the above, embodiments of the present invention configure an independent VFS instance for each container and an independent file management structure for each container in the underlying file system, and, when performing operations involving files, call the container's file management structure through the container's VFS instance to operate on the files involved. This technical solution achieves the following technical effects:
On the one hand, by configuring an independent VFS instance and an independent file management structure for each container, true file isolation is achieved between containers; file operations between containers can be completely shielded, which improves security.
On the other hand, by configuring an independent VFS instance and an independent file management structure for each container, each container can have a dedicated file system path, so operations involving files no longer require file path translation or access control and verification, which reduces operational complexity and system overhead.
Description of the drawings
To illustrate the technical solutions of the embodiments of the present invention more clearly, the drawings required for describing the embodiments and the prior art are briefly introduced below. Obviously, the drawings in the following description are only some embodiments of the present invention, and those of ordinary skill in the art can derive other drawings from them without creative effort.
FIG. 1 is a flowchart of a virtualization method provided by an embodiment of the present invention;
FIG. 2 is a schematic diagram of the architecture of containers and the file system in an embodiment of the present invention;
FIG. 3 is a schematic diagram of the file system in an embodiment of the present invention;
FIG. 4a is a schematic diagram of a virtualization device provided by one embodiment of the present invention;
FIG. 4b is a schematic diagram of a virtualization device provided by another embodiment of the present invention;
FIG. 5 is a schematic diagram of computer equipment provided by an embodiment of the present invention.
Detailed description
Embodiments of the present invention provide a virtualization method and device and computer equipment, to address the defects that existing container virtualization technology cannot truly isolate files between containers and is insufficiently secure, and that its operation is complex and costly.
To enable those skilled in the art to better understand the solutions of the present invention, the technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the accompanying drawings. Obviously, the described embodiments are only some, not all, of the embodiments of the present invention. All other embodiments obtained by persons of ordinary skill in the art based on the embodiments of the present invention without creative effort shall fall within the protection scope of the present invention.
Detailed descriptions are given below by way of specific embodiments.
First, the virtualization system to which the technical solution of the present invention relates is briefly introduced. The virtualization system in this embodiment is a computer system comprising a hardware layer, and an operating system and a file system running on the hardware layer; the operating system is divided into multiple mutually isolated containers, each of which is an isolated operation execution environment in which applications run; and the file system can be divided into multiple mutually independent file management structures. Specifically:
The hardware layer is the hardware platform on which the virtualization environment runs. It may comprise many kinds of hardware; for example, the hardware layer of a computing node may include a processor (such as a CPU) and memory, and may also include high-speed or low-speed input/output (I/O) devices such as network cards and storage, as well as other devices with specific processing functions, such as an input/output memory management unit (IOMMU), which can be used to translate between virtual machine physical addresses and host physical addresses.
A container is an isolated operation execution environment carved out of the operating system; each container can be regarded as part of the operating system (for example a Linux system). The applications of different users or organizations execute in different containers, and containers can provide data isolation from one another. Compared with traditional virtualization, containers require neither instruction-level emulation nor just-in-time translation: a container runs instructions natively on the core CPU without any special interpretation mechanism. Containers also avoid the complexity of paravirtualization and system call replacement. For convenience of description, it is assumed herein that the multiple containers include a first container, which may be any one of the multiple containers.
The file system may be one integrated into the operating system or an externally mounted one. In embodiments of the present invention the file system needs to be improved so that every file system supports the following feature: the file system must allow itself to be divided into multiple mutually independent file management structures, or in other words, into multiple mutually independent storage spaces.
In a computer system the bottom layer may comprise multiple physical file systems, such as Ext4. So that these underlying file systems can work together uniformly, a virtual file system (VFS) may be provided above them; the VFS abstracts the multiple underlying file systems into a single unified file system for users. Upper-layer applications call the VFS layer through libraries using an API (Application Programming Interface), and the VFS maps the operation onto the corresponding underlying file system. The VFS is the manager of the file systems and is created in memory by the operating system at initialization. The VFS exists only in memory, never in any external storage; it is established when the system starts and destroyed when the system shuts down.
Referring to FIG. 1, an embodiment of the present invention provides a virtualization method for the virtualization system described above. The method may include:
110. The operating system creates an independent virtual file system (VFS) instance for each of the multiple containers and, through each container's VFS instance, configures an independent file management structure for each container in the file system, so that the multiple containers are configured with mutually independent VFS instances and with mutually independent file management structures.
FIG. 2 is a schematic diagram of the architecture of containers and the file system in an embodiment of the present invention. Whereas in the prior art all containers share a single VFS instance, in embodiments of the present invention the computer operating system (for example a Linux system) can create multiple VFS instances and so configure an independent VFS instance for each container. By mounting the VFS instance configured for a container inside that container, a unique one-to-one correspondence is established between each container and its VFS instance: the applications inside a container can only call the VFS instance mounted in that container and cannot call the VFS instances of other containers. Taking FIG. 2 as an example, VFS1 may be configured for container Container1 and VFS2 for container Container2.
FIG. 3 is a schematic diagram of the file system in an embodiment of the present invention. A file system is generally organized as a file management tree. The file system of an existing computer system comprises only one file management tree, shared by multiple containers, so the data of multiple containers may be interleaved at any position in that tree. As shown in FIG. 3, the file system of this embodiment is divided, container by container, into multiple mutually independent file management trees, so that each container is configured with an independent file management tree as its file management structure. Each file management structure can be given a unique identifier by the computer operating system; for example, a serial number may be used to identify each file management structure.
The file management structure of each container is configured for that container by the operating system, within the file system, through the container's VFS instance. A container's VFS instance abstracts all the details of that container's file management structure; therefore each container's VFS instance and file management structure have a unique one-to-one correspondence, and each container's VFS instance can only call that container's file management structure, not the file management structures of other containers.
It can be seen that the technical solution of the present invention designs and adapts container virtualization from the perspective of the file system. By giving each container an independent VFS instance and an independent file management structure, each container can operate only on its own files.
It should be noted that embodiments of the present invention divide the file system into multiple file management structures by splitting the traditional single file management tree into a multi-tree structure. In file systems organized in other forms, however, the file management structures may be divided in other ways.
In embodiments of the present invention the computer system supports mounting external file systems. A mounted external file system must, as described above, support the following feature: within the file system, division into multiple mutually independent file management structures on a per-container basis, so that an independent file management structure can be configured for each container inside the file system. In embodiments of the present invention, a mounted external file system is treated as an independent underlying file system and is mounted into a container. Mounting external file systems is a major feature of Linux file systems, and embodiments of the present invention extend the file system by supporting this feature.
In embodiments of the present invention, to improve system performance and to support parallel operation of containers, a computer system with a multi-core or many-core processor is preferably used. The computer operating system can configure a dedicated processing thread for each container, so that the tasks of different containers are executed by different processing threads and multiple containers can be processed in parallel. When a container's tasks are complete, its processing thread is released back to the resource pool. For example, the operating system may allocate a dedicated processing thread to the first container among the multiple containers; the dedicated processing thread of the first container processes the operations of the applications in the first container; and after all operations corresponding to the applications in the first container have been processed, the processing thread dedicated to the first container is released.
120. When the operating system receives a file operation request issued by an application in the first container, it invokes the file management structure of the first container through the VFS instance of the first container to operate on the file involved in the file operation request.
In the prior art, because multiple containers share the VFS and the underlying file system, the VFS must set up a file system path translation function for each container for operations involving files, for example: / -> /home/lxc1/, /root -> /home/lxc1/root, and so on.
In the embodiment of the present invention, by contrast, each container is configured with its own independent VFS instance, and through that VFS instance each container is configured with an independent file management structure; therefore no path translation needs to be configured, and each container has its own fixed file system paths.
When an application in a container, for example the first container, needs to perform an operation involving a file, it issues a file operation request to the VFS instance of the first container. After receiving the request, the VFS instance of the first container needs no path translation and can directly invoke the file management structure of the first container to operate on the file involved in the request.
When the operating system receives a file operation request issued by an application in the first container and invokes the file management structure of the first container through the VFS instance of the first container to operate on the file involved in the request, this may specifically include: when the operating system receives the file operation request issued by the application in the first container, it calls the file system through the VFS instance of the first container and sends the file operation request to the file system, so that when the file system identifies that the file operation request originates from the first container, it operates on the file involved in the request within the file management structure of the first container.
Assume that container 1 is configured with an independent VFS instance 1, and that VFS instance 1 has divided off an independent file management structure 1 for container 1 in file system 1; then the files of container 1 are all placed in the corresponding file management structure 1. If an application in container 1 needs to operate on file 1, it issues a file operation request, which calls VFS instance 1, and VFS instance 1 in turn calls file system 1. The file operation request may carry the identifier of container 1 or of file management structure 1 so that file system 1 can recognize it; file system 1 can then operate on file 1 within file management structure 1.
It can be seen that the files of each container are placed in the file management structure corresponding to that container, and an application in a container can only call the file system through that container's VFS instance to operate on files in that container's file management structure; it cannot operate on other file management structures. The present solution can therefore provide complete isolation between containers.
It should be noted that in the technical solution of the present invention, if two or more containers have files with the same name, then although the file names are identical the two files belong to different containers and different file management structures and are allocated in different storage spaces; that is, files with the same name are treated as different files and are operated on independently by each container.
Moreover, the technical solution of the present invention does not affect the performance of the file system within an individual container, because within one file system an independent file management structure is configured for each container, with its own storage space and its own index nodes (inodes) and directory entries (dentries); each container can only operate on its own part, and this does not increase the load within a single container.
In addition, the technical solution of the present invention can improve the parallelism of the file system.
In the prior art, the underlying file system is completely shared among multiple containers, so a file operation in one container locks the entire file system, and the processing thread of another container can only wait when it has a task; the two containers cannot be fully parallel.
The technical solution of the present invention, by contrast, divides the underlying file system into multiple file management structures with the container as the unit, and each file management structure is logically completely independent. The operating system kernel can configure multiple kernel processing threads dedicated to kernel-related work; here, a dedicated processing thread can be configured for each container to handle the file operations within that container.
Because each container is configured with an independent file management structure and an independent processing thread, when the processing thread of one container is working it locks only that container's file management structure and does not affect other file management structures; the processing threads of other containers can therefore work at the same time, so that file operations between containers in the system can be fully parallel.
Specifically, when the processing thread dedicated to the first container among the multiple containers starts working, it may send a lock request to the operating system, and on receiving the lock request the operating system may lock the file management structure of the first container, forbidding other processing threads from accessing the file management structure of the first container; and when the processing thread dedicated to the first container finishes working, it may send an unlock request to the operating system, and on receiving the unlock request the operating system may unlock the file management structure of the first container.
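The scheme of steps 110 and 120 above, modelled in Python as an added example that is not part of the patent: each container gets its own VFS instance bound to its own file management structure selected by serial number, same-named files in two containers land in separate storage, and a lock request from a container's dedicated thread locks only that container's structure, so another container's thread is not blocked. All class names, the container names and the file paths are this example's own constructions; the patent gives no code.

```python
import threading
from dataclasses import dataclass, field


@dataclass
class FileManagementStructure:
    """One of the independent trees the file system is divided into (one per container)."""
    ident: int                                   # serial number assigned by the OS
    files: dict = field(default_factory=dict)    # path -> contents, own storage space
    lock: threading.Lock = field(default_factory=threading.Lock)  # covers this tree only


class FileSystem:
    """Underlying file system that can be divided into mutually independent structures."""
    def __init__(self):
        self._structures = {}

    def divide(self, ident):
        self._structures[ident] = FileManagementStructure(ident)
        return self._structures[ident]

    def operate(self, request):
        # The structure id carried in the request tells the file system which
        # container it came from (step 120); the operation stays inside that tree.
        fms = self._structures[request["structure"]]
        op, path = request["op"], request["path"]
        if op == "write":
            fms.files[path] = request["data"]
            return None
        if op == "read":
            return fms.files.get(path)
        if op == "list":
            return sorted(fms.files)
        raise ValueError(f"unknown operation {op!r}")


class VFSInstance:
    """Per-container VFS instance, bound to exactly one file management structure."""
    def __init__(self, fs, structure_id):
        self._fs = fs
        self._structure_id = structure_id

    def request(self, op, path, data=None):
        # No path translation: the path passes through unchanged; the bound
        # structure id alone decides where the operation lands.
        return self._fs.operate(
            {"structure": self._structure_id, "op": op, "path": path, "data": data})


class OperatingSystem:
    """Creates containers (step 110) and answers lock/unlock requests from their threads."""
    def __init__(self):
        self.fs = FileSystem()
        self._vfs = {}       # container name -> its VFS instance
        self._fms = {}       # container name -> its file management structure
        self._next_id = 1

    def create_container(self, name):
        fms = self.fs.divide(self._next_id)                # independent structure
        self._next_id += 1
        self._fms[name] = fms
        self._vfs[name] = VFSInstance(self.fs, fms.ident)  # independent VFS instance
        return self._vfs[name]

    def lock(self, name):
        # Lock request from the container's dedicated thread. Non-blocking so the
        # demo can show contention without real threads: False means already held.
        return self._fms[name].lock.acquire(blocking=False)

    def unlock(self, name):
        self._fms[name].lock.release()


def demo():
    """Run the scenario from the text and return the observable results."""
    os_ = OperatingSystem()
    vfs1 = os_.create_container("Container1")   # VFS1 bound to structure 1
    vfs2 = os_.create_container("Container2")   # VFS2 bound to structure 2
    # Same-named file in two containers: two files in two separate storage spaces.
    vfs1.request("write", "/etc/app.conf", "settings of container 1")
    vfs2.request("write", "/etc/app.conf", "settings of container 2")
    vfs1.request("write", "/var/log/c1.log", "only container 1 has this")
    # Per-structure locking: container 1's lock leaves container 2 free, while a
    # second thread contending for container 1's structure has to wait.
    lock_c1 = os_.lock("Container1")
    lock_c2 = os_.lock("Container2")
    relock_c1 = os_.lock("Container1")
    os_.unlock("Container1")
    os_.unlock("Container2")
    return {"c1_conf": vfs1.request("read", "/etc/app.conf"),
            "c2_conf": vfs2.request("read", "/etc/app.conf"),
            "c2_sees_c1_log": vfs2.request("read", "/var/log/c1.log"),
            "c1_listing": vfs1.request("list", "/"),
            "locks": (lock_c1, lock_c2, relock_c1)}
```

Because VFS2 holds no reference to structure 1, container 2 reading /var/log/c1.log simply finds nothing; the isolation is structural rather than a permission check.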
It should be noted that in the embodiment of the present invention, although the containers are isolated from one another and cannot directly operate on each other's files, the containers are allowed to share files through network sharing or a similar sharing mechanism.
It can be understood that the above solutions of the embodiments of the present invention may be implemented, for example, in computer equipment.
It can be seen from the above that the embodiment of the present invention adopts a technical solution in which an independent VFS instance is configured for each container, an independent file management structure is configured for each container in the file system, and when an application in any container performs an operation involving a file, the file management structure of that container is invoked through the container's VFS instance to operate on the file involved. This achieves the following technical effects:
On the one hand, by configuring an independent VFS instance and an independent file management structure for each container, true file isolation between containers is achieved; file operations across containers can be completely shielded, which improves security. In the prior art, containers share the file system and isolation between containers is implemented at the operating system level, so the isolation is weak and easily broken; in the embodiment of the present invention, isolation between containers is implemented at the file system level and is truly complete.
On the other hand, because each container is configured with an independent VFS instance and an independent file management structure, it has fixed file system paths; for operations involving files, no file path translation and no access control checks and verification are needed, which reduces operational complexity and system overhead;
In yet another aspect, on the basis of configuring an independent VFS instance and file management structure for each container, an independent processing thread is also configured for each container, so that multiple containers can operate fully in parallel;
In a further aspect, the technical solution of the present invention can share the storage space of the operating system and maximize the utilization of the file system's storage space.
To better implement the above solutions of the embodiments of the present invention, related apparatus for implementing the above solutions is also provided below.
Referring to FIG. 4a, an embodiment of the present invention provides a virtualization apparatus for a virtualization system. The virtualization system includes a hardware layer and an operating system and a file system running on the hardware layer; the operating system is divided into multiple containers isolated from one another, each container being an isolated operation execution environment in which applications run; the multiple containers include a first container, which is any one of the multiple containers; the file system can be divided into multiple mutually independent file management structures; and the virtualization apparatus is embedded (or integrated) in the operating system.
The virtualization apparatus may include:
a configuration module 410, configured to make the operating system create an independent virtual file system (VFS) instance for each of the multiple containers and, through each container's VFS instance, configure an independent file management structure for each container in the file system, so that the multiple containers are each configured with mutually independent VFS instances and mutually independent file management structures;
an operation module 420, configured to make the operating system, when it receives a file operation request issued by an application in the first container, invoke the file management structure of the first container through the VFS instance of the first container to operate on the file involved in the file operation request.
In some embodiments of the present invention, the configuration module 420 is further configured to make the operating system assign a dedicated processing thread to the first container, have the processing thread dedicated to the first container process the operations of the application in the first container, and make the operating system release the processing thread dedicated to the first container after all operations corresponding to the application in the first container have been processed.
As shown in FIG. 4b, in some embodiments of the present invention the system may further include a locking and unlocking module 430, configured to make the operating system, after receiving the lock request sent by the processing thread dedicated to the first container when it starts working, lock the file management structure of the first container and forbid other processing threads from accessing it; and to make the operating system, after receiving the unlock request sent by the processing thread dedicated to the first container when it finishes working, unlock the file management structure of the first container.
In some embodiments of the present invention, the operation module 420 is specifically configured to make the operating system, when it receives a file operation request issued by an application in the first container, call the file system through the VFS instance of the first container and send the file operation request to the file system, so that when the file system identifies that the file operation request originates from the first container, it operates on the file involved in the request within the file management structure of the first container.
It can be understood that the functions of the functional modules of the virtualization apparatus of the embodiment of the present invention may be implemented according to the method in the method embodiment above; for the specific implementation process, refer to the relevant description in the method embodiment above, which is not repeated here.
It can be seen from the above that the embodiment of the present invention adopts a technical solution in which an independent VFS instance is configured for each container, an independent file management structure is configured for each container in the file system, and when an application in any container performs an operation involving a file, the file management structure of that container is invoked through the container's VFS instance to operate on the file involved. This achieves the following technical effects:
On the one hand, by configuring an independent VFS instance and an independent file management structure for each container, true file isolation between containers is achieved; file operations across containers can be completely shielded, which improves security;
On the other hand, because each container is configured with an independent VFS instance and an independent file management structure, it has fixed file system paths; for operations involving files, no file path translation and no access control checks and verification are needed, which reduces operational complexity and system overhead;
In yet another aspect, on the basis of configuring an independent VFS instance and file management structure for each container, an independent processing thread is also configured for each container, so that multiple containers can operate fully in parallel;
In a further aspect, the technical solution of the present invention can share the storage space of the operating system and maximize the utilization of the file system's storage space.
An embodiment of the present invention also provides a computer storage medium that can store a program; when executed, the program carries out some or all of the steps of the virtualization method described in the method embodiments above.
Referring to FIG. 5, an embodiment of the present invention also provides a computer device 500, which may include:
a hardware layer, which includes a processor 510, a memory 520, a communication interface 530 and a bus 540; the processor 510, memory 520 and communication interface 530 communicate with one another through the bus 540; the communication interface 530 is used to receive and send data; the memory 520 is used to store a program; the processor 510 is used to execute the program in the memory; and the operating system runs on the processor 510. The operating system is divided into multiple containers isolated from one another, each container being an isolated operation execution environment in which applications run; the multiple containers include a first container, which is any one of the multiple containers; the file system can be divided into multiple mutually independent file management structures.
The processor 510 performs the following steps: creating an independent virtual file system (VFS) instance for each of the multiple containers and, through each container's VFS instance, configuring an independent file management structure for each container in the file system, so that the multiple containers are each configured with mutually independent VFS instances and mutually independent file management structures; and, on receiving a file operation request issued by an application in the first container, invoking the file management structure of the first container through the VFS instance of the first container to operate on the file involved in the file operation request.
In some embodiments of the present invention, the processor 510 may further perform the following steps: assigning a dedicated processing thread to the first container, having the processing thread dedicated to the first container process the operations of the application in the first container, and releasing the processing thread dedicated to the first container after all operations corresponding to the application in the first container have been processed.
In some embodiments of the present invention, the processor 510 may further perform the following steps: after receiving the lock request sent by the processing thread dedicated to the first container when it starts working, locking the file management structure of the first container and forbidding other processing threads from accessing it; and after receiving the unlock request sent by the processing thread dedicated to the first container when it finishes working, unlocking the file management structure of the first container.
In some embodiments of the present invention, the processor 510 may further perform the following steps: on receiving a file operation request issued by an application in the first container, calling the file system through the VFS instance of the first container and sending the file operation request to the file system, so that when the file system identifies that the file operation request originates from the first container, it operates on the file involved in the request within the file management structure of the first container.
In some embodiments of the present invention, if the operations of two or more containers involve files with the same name, the file management structure of each container operates independently on the file it involves within its own storage space.
It can be understood that the functions of the functional modules of the computer device of the embodiment of the present invention may be implemented according to the method in the method embodiment above; for the specific implementation process, refer to the relevant description in the method embodiment above, which is not repeated here.
It can be seen from the above that in some feasible implementations of the present invention, the embodiment adopts a technical solution in which an independent VFS instance is configured for each container, an independent file management structure is configured for each container in the file system, and when an application in any container performs an operation involving a file, the container's VFS instance invokes the container's file management structure to operate on the file involved. This achieves the following technical effects:
On the one hand, by configuring an independent VFS instance and an independent file management structure for each container, true file isolation between containers is achieved; file operations across containers can be completely shielded, which improves security;
On the other hand, because each container is configured with an independent VFS instance and an independent file management structure, it has fixed file system paths; for operations involving files, no file path translation and no access control checks and verification are needed, which reduces operational complexity and system overhead;
In yet another aspect, on the basis of configuring an independent VFS instance and file management structure for each container, an independent processing thread is also configured for each container, so that multiple containers can operate fully in parallel;
In a further aspect, the technical solution of the present invention can share the storage space of the operating system and maximize the utilization of the file system's storage space.
In the above embodiments, the description of each embodiment has its own emphasis; for parts not described in detail in one embodiment, refer to the relevant descriptions of the other embodiments.
It should be noted that, for simplicity of description, each of the foregoing method embodiments is expressed as a series of combined actions; those skilled in the art should know, however, that the present invention is not limited by the order of the actions described, because according to the present invention some steps may be performed in other orders or simultaneously. Secondly, those skilled in the art should also know that the embodiments described in the specification are all preferred embodiments, and the actions and modules involved are not necessarily required by the present invention.
Those of ordinary skill in the art can understand that all or some of the steps of the various methods of the above embodiments can be completed by a program instructing the relevant hardware; the program can be stored in a computer-readable storage medium, and the storage medium may include a ROM, a RAM, a magnetic disk or an optical disc, etc.
The virtualization method and apparatus and computer device provided by the embodiments of the present invention have been described in detail above. Specific examples have been used herein to explain the principles and implementations of the present invention; the description of the above embodiments is intended only to help understand the method of the present invention and its core idea. At the same time, those of ordinary skill in the art will, according to the idea of the present invention, make changes in the specific implementation and scope of application. In summary, the content of this specification should not be understood as limiting the present invention.
Claims (9)
Applications Claiming Priority (1)

| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| PCT/CN2014/071552 WO2015109593A1 (en) | 2014-01-27 | 2014-01-27 | Virtualization method and apparatus, and computer device |

Publications (2)

| Publication Number | Publication Date |
|---|---|
| CN105190545A CN105190545A (en) | 2015-12-23 |
| CN105190545B true CN105190545B (en) | 2018-12-14 |

Family

ID=53680694

Family Applications (1)

| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201480000300.8A Active CN105190545B (en) | 2014-01-27 | 2014-01-27 | Virtual method and device and computer equipment |

Country Status (2)

| Country | Link |
|---|---|
| CN (1) | CN105190545B (en) |
| WO (1) | WO2015109593A1 (en) |
Family Cites Families (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US8589947B2 (en) * | 2010-05-11 | 2013-11-19 | The Trustees Of Columbia University In The City Of New York | Methods, systems, and media for application fault containment |
US9286182B2 (en) * | 2011-06-17 | 2016-03-15 | Microsoft Technology Licensing, Llc | Virtual machine snapshotting and analysis |
- 2014
  - 2014-01-27 WO PCT/CN2014/071552 patent/WO2015109593A1/en active Application Filing
  - 2014-01-27 CN CN201480000300.8A patent/CN105190545B/en active Active
Also Published As
Publication number | Publication date |
---|---|
WO2015109593A1 (en) | 2015-07-30 |
CN105190545A (en) | 2015-12-23 |
Similar Documents
Publication | Title |
---|---|
CN105190545B (en) | Virtual method and device and computer equipment |
Celesti et al. | Exploring container virtualization in IoT clouds |
CN111324571B (en) | Container cluster management method, device and system |
JP7400105B2 (en) | Data processing methods, devices, distributed data flow programming frameworks and related components |
US8904386B2 (en) | Running a plurality of instances of an application |
Kulkarni et al. | Survey on Hadoop and Introduction to YARN. |
US9086902B2 (en) | Sending tasks between virtual machines based on expiration times |
WO2017067016A1 (en) | Extension of resource constraints for service-defined containers |
US9563474B2 (en) | Methods for managing threads within an application and devices thereof |
Katyal et al. | Application of selective algorithm for effective resource provisioning in cloud computing environment |
CN102609295A (en) | Dynamic operation scheduling system of virtual machine |
CN108205461A (en) | The virtual platform and dispositions method of a kind of mixed deployment |
CN106250211A (en) | A kind of virtualization implementation method based on SR_IOV |
US9804882B2 (en) | Configuration manager and method for configuring a host system for processing a processing job in a virtual data-processing environment |
CN108399094A (en) | A kind of dispositions method of application, its dispose device and edge data center |
WO2017181829A1 (en) | Virtualization platform operation method and virtualization platform |
CN115617456A (en) | Method and device for hybrid operation of virtual machine and container, electronic equipment and readable storage medium |
US10572421B2 (en) | Topology-aware parallel reduction in an accelerator |
CN115878257A (en) | Method and computing device for optimizing network equipment queue management |
Miceli et al. | Programming abstractions for data intensive computing on clouds and grids |
US10241838B2 (en) | Domain based resource isolation in multi-core systems |
US9471363B2 (en) | Preemptive guest merging for virtualization hypervisors |
Wu et al. | An automatic artificial intelligence training platform based on kubernetes |
CN105100180A (en) | Cluster node dynamic loading method, device and system |
CN109522111B (en) | Calling method and device of heterogeneous ecosystem, electronic equipment and storage medium |
Legal Events
Code | Title |
---|---|
C06 | Publication |
PB01 | Publication |
C10 | Entry into substantive examination |
SE01 | Entry into force of request for substantive examination |
GR01 | Patent grant |
GR01 | Patent grant |