CN106169994A - The method of controlling security communicated between container and device - Google Patents
- Publication number: CN106169994A
- Authority
- CN
- China
- Prior art keywords
- container
- gateway
- docker
- virtual
- virtual container
- Prior art date
- Legal status: Granted
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/10—Network architectures or network communication protocols for network security for controlling access to devices or network resources
- H04L63/101—Access control lists [ACL]
Landscapes
- Engineering & Computer Science (AREA)
- Computer Hardware Design (AREA)
- Computer Security & Cryptography (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
Embodiments of the present invention provide a security control method and device for inter-container communication. The method includes: a first virtual container gateway receives an access request sent by a source Docker container; the first virtual container gateway obtains the address information of a second virtual container gateway corresponding to the first virtual container gateway, the second virtual container gateway corresponding to a target Docker container; and the first virtual container gateway sends the access request to the second virtual container gateway according to the address information of the second virtual container gateway, so that the second virtual container gateway forwards the access request to the target Docker container. Through directed communication between virtual container gateways, the embodiments achieve directed communication between Docker containers and ensure the reliability of communication between them.
Description
Technical field
Embodiments of the present invention relate to the field of communication technology, and in particular to a security control method and device for inter-container communication.
Background
Docker is an open-source application container engine. After Docker is installed on a physical host, the host can carry multiple containers on top of Docker. The containers are isolated from one another and share the host's operating system, and each container can hold and run a different application.
A physical host with Docker containers installed is called a Docker server. For example, Docker container 1 is on Docker server 1 and Docker container 2 is on Docker server 2. When Docker container 1, acting as a client, needs to access Docker container 2, Docker container 1 creates a request packet whose source IP address is the IP address of Docker server 1 and whose destination IP address is the IP address of Docker server 2.
However, once Docker container 2 is migrated from Docker server 2 to another Docker server, Docker container 1 can no longer communicate with Docker container 2. This reduces the reliability of communication between Docker containers and makes it impossible to guarantee directed communication between them.
Summary of the invention
Embodiments of the present invention provide a security control method and device for inter-container communication, in order to improve the reliability of communication between Docker containers and guarantee directed communication between them.
One aspect of the embodiments provides a security control method for inter-container communication, comprising:
a first virtual container gateway receiving an access request sent by a source Docker container, the access request including a first subnet address of a target Docker container;
the first virtual container gateway obtaining address information of a second virtual container gateway corresponding to the first virtual container gateway, the second virtual container gateway corresponding to the target Docker container; and
the first virtual container gateway sending the access request to the second virtual container gateway according to the address information of the second virtual container gateway, so that the second virtual container gateway forwards the access request to the target Docker container.
Another aspect of the embodiments provides a security control device for inter-container communication, comprising:
a receiving module, configured to receive an access request sent by a source Docker container, the access request including a first subnet address of a target Docker container;
an obtaining module, configured to obtain address information of a second virtual container gateway corresponding to the first virtual container gateway, the second virtual container gateway corresponding to the target Docker container; and
a sending module, configured to send the access request to the second virtual container gateway according to the address information of the second virtual container gateway, so that the second virtual container gateway forwards the access request to the target Docker container.
With the security control method and device provided by the embodiments, communication is directed between virtual container gateways. Even if both the source Docker container and the target Docker container are migrated from one Docker server to another, so that the virtual container gateways corresponding to each of them change after migration, directed communication between the virtual container gateways still yields directed communication between the Docker containers, which ensures the reliability of communication between them.
Brief description of the drawings
FIG. 1 is a flowchart of a security control method for inter-container communication provided by an embodiment of the present invention;
FIG. 2 is a diagram of a network structure to which the security control method for inter-container communication provided by an embodiment of the present invention applies;
FIG. 3 is a flowchart of a security control method for inter-container communication provided by another embodiment of the present invention;
FIG. 4 is a structural diagram of a security control device for inter-container communication provided by an embodiment of the present invention;
FIG. 5 is a structural diagram of a security control device for inter-container communication provided by another embodiment of the present invention.
Detailed description
FIG. 1 is a flowchart of a security control method for inter-container communication provided by an embodiment of the present invention, and FIG. 2 is a diagram of a network structure to which that method applies. The embodiment addresses the problem that once Docker container 2 is migrated from Docker server 2 to another Docker server, Docker container 1 can no longer communicate with Docker container 2, which reduces the reliability of communication between Docker containers and makes directed communication between them impossible to guarantee. The security control method for inter-container communication has the following steps:
Step S101: a first virtual container gateway receives an access request sent by a source Docker container, the access request including a first subnet address of a target Docker container.
As shown in FIG. 2, Docker container 21, Docker container 22 and Docker engine 31 are located on Docker server 11, and Docker engine 32 is located on Docker server 12. Docker container 22 can be migrated from Docker server 11 to Docker server 12. Container gateway 40 can communicate with Docker engine 31 and with Docker engine 32, and orchestrator 30 can communicate with Docker server 11 and with Docker server 12.
In this embodiment, container gateway 40 may include multiple virtual container gateways, and the number of virtual container gateways in container gateway 40 is determined by the number of subnets to which the containers connected to container gateway 40 belong. For example, if the subnet address of Docker container 21 is 192.168.0.X and the subnet address of Docker container 22 is 192.168.1.X, and 192.168.0.X and 192.168.1.X belong to different subnets, container gateway 40 may include two virtual container gateways, a first virtual container gateway and a second virtual container gateway. Assume that the first virtual container gateway corresponds to Docker container 21 and the second virtual container gateway corresponds to Docker container 22.
In this embodiment, Docker container 21 is the source Docker container, Docker container 22 is the target Docker container, and the first subnet address of the target Docker container is the subnet address of Docker container 22, namely 192.168.1.X. Docker container 21 accesses and communicates with Docker container 22. Specifically, Docker container 21 stores in advance the IP address and port number of the first virtual container gateway and sends an access request to the first virtual container gateway; the access request includes the subnet address of Docker container 22, namely 192.168.1.X.
Step S102: the first virtual container gateway obtains address information of a second virtual container gateway corresponding to the first virtual container gateway, the second virtual container gateway corresponding to the target Docker container.
Specifically, the first virtual container gateway queries an ACL rule to obtain the address information of the second virtual container gateway corresponding to the first virtual container gateway. The ACL rule includes the correspondence between the address information of the first virtual container gateway and the address information of the second virtual container gateway.
In this embodiment, an access control list (ACL) rule governing communication between the first virtual container gateway and the second virtual container gateway can be set in advance in orchestrator 30. For example, the ACL rule permits the first virtual container gateway to communicate with the second virtual container gateway; in addition, the ACL rule may include the correspondence between the address information of the first virtual container gateway and the address information of the second virtual container gateway, meaning that communication is permitted between those two addresses.
Step S103: the first virtual container gateway sends the access request to the second virtual container gateway according to the address information of the second virtual container gateway, so that the second virtual container gateway forwards the access request to the target Docker container.
After obtaining the address information of the second virtual container gateway, the first virtual container gateway sends the access request to the second virtual container gateway. The second virtual container gateway checks that the destination address in the access request is the subnet address of Docker container 22, namely 192.168.1.X, and sends the access request to Docker container 22.
In addition, in this embodiment the communication between the first virtual container gateway and the source Docker container may use a tunnel, and the communication between the second virtual container gateway and the target Docker container may also use a tunnel.
In the embodiment, communication is directed between virtual container gateways. Even if both the source Docker container and the target Docker container are migrated from one Docker server to another, so that the virtual container gateways corresponding to each of them change after migration, directed communication between the virtual container gateways still yields directed communication between the Docker containers, which ensures the reliability of communication between them.
FIG. 3 is a flowchart of a security control method for inter-container communication provided by another embodiment of the present invention. As shown in FIG. 3, building on the embodiment of FIG. 1, the security control method of this embodiment has the following specific steps:
Step S301: the first virtual container gateway assigns a second subnet address to the source Docker container.
In this embodiment, Docker container 21 and Docker container 22 are in the same subnet, so the first virtual container gateway can assign Docker container 21 a second subnet address such as 192.168.0.1, and can also assign Docker container 22 a first subnet address such as 192.168.0.2.
Step S302: the first virtual container gateway stores the second subnet address of the source Docker container.
The first virtual container gateway stores the second subnet address 192.168.0.1 of Docker container 21 and the first subnet address 192.168.0.2 of Docker container 22.
Step S303: the first virtual container gateway receives an access request sent by the source Docker container, the access request including the first subnet address of the target Docker container.
When the source Docker container (Docker container 21) needs to communicate with the target Docker container (Docker container 22), it sends an access request to the first virtual container gateway through a tunnel. The access request includes the first subnet address of the target Docker container, 192.168.0.2, and the second subnet address of the source Docker container, 192.168.0.1.
Step S304: the first virtual container gateway determines, according to the first subnet address of the target Docker container, whether the target Docker container and the source Docker container are in the same subnet.
After receiving the access request, the first virtual container gateway takes from it the first subnet address of the target Docker container (192.168.0.2) and the second subnet address of the source Docker container (192.168.0.1), and determines whether the two addresses are in the same subnet.
Step S305: if the target Docker container and the source Docker container are in the same subnet, the access request is sent to the target Docker container.
Since 192.168.0.2 and 192.168.0.1 are in the same subnet, the first virtual container gateway does not need to look up the second virtual container gateway corresponding to it and can send the access request directly to the target Docker container.
In this embodiment, after receiving the access request sent by the source Docker container, the first virtual container gateway obtains the first subnet address of the target Docker container and, from that address and the second subnet address of the source Docker container, determines whether the two containers are in the same subnet. If they are, the access request is sent directly to the target Docker container without querying the second virtual container gateway corresponding to the first virtual container gateway, which improves the forwarding efficiency of access requests.
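The forwarding decision described in steps S101 to S103 and S301 to S305, as an added example that is not part of the patent: a small Python model of a virtual container gateway that does the same-subnet check first and otherwise consults the orchestrator's ACL, modelled as a mapping between gateway addresses. The gateway names, the port 4789, the topology in `run_demo` and the rule that anything not listed in the ACL is dropped are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class AccessRequest:
    """Access request a source container sends to its gateway (S101/S303)."""
    src_addr: str  # second subnet address of the source container (S301)
    dst_addr: str  # first subnet address of the target container


class VirtualContainerGateway:
    """One virtual container gateway inside container gateway 40 (constructed model)."""

    def __init__(self, name: str, address: str, subnet: str, acl: Dict[str, str]):
        self.name = name
        self.address = address  # gateway address information, e.g. "gw1:4789"
        self.subnet = ipaddress.ip_network(subnet)
        # ACL rule distributed by the orchestrator: gateway address -> peer gateway
        # address it may send to. Assumption: any pair not listed is denied.
        self.acl = acl
        self.peers: Dict[str, "VirtualContainerGateway"] = {}  # address -> gateway
        self.containers: Dict[str, str] = {}  # container name -> assigned address
        self._next_host = 1
        self.delivered: List[Tuple[str, str]] = []  # (target container, source addr)

    # S301/S302: assign a subnet address to a container and remember it
    def assign_address(self, container: str) -> str:
        addr = str(self.subnet.network_address + self._next_host)
        self._next_host += 1
        self.containers[container] = addr
        return addr

    def _container_at(self, addr: str) -> Optional[str]:
        for name, a in self.containers.items():
            if a == addr:
                return name
        return None

    # S303-S305 plus S102/S103: handle a request from one of this gateway's containers
    def handle_request(self, req: AccessRequest) -> str:
        # Only a container this gateway assigned an address to may send (assumption)
        if self._container_at(req.src_addr) is None:
            return f"{self.name}: drop, unknown source {req.src_addr}"
        if ipaddress.ip_address(req.dst_addr) in self.subnet:  # S304: same subnet?
            target = self._container_at(req.dst_addr)
            if target is None:
                return f"{self.name}: drop, no container at {req.dst_addr}"
            self.delivered.append((target, req.src_addr))
            return f"{self.name}: delivered directly to {target}"  # S305
        peer_addr = self.acl.get(self.address)  # S102: query the ACL rule
        if peer_addr is None:
            return f"{self.name}: drop, no ACL entry for {self.address}"
        peer = self.peers.get(peer_addr)
        if peer is None:
            return f"{self.name}: drop, peer gateway {peer_addr} unreachable"
        return peer.receive_from_peer(req, self.address)  # S103

    # Second-gateway side of S103: accept only from the ACL-listed peer, then deliver
    def receive_from_peer(self, req: AccessRequest, from_addr: str) -> str:
        if self.acl.get(from_addr) != self.address:
            return f"{self.name}: drop, {from_addr} not permitted by ACL"
        target = self._container_at(req.dst_addr)
        if target is None:
            return f"{self.name}: drop, no container at {req.dst_addr}"
        self.delivered.append((target, req.src_addr))
        return f"{self.name}: delivered to {target} via {from_addr}"


def run_demo() -> Dict[str, str]:
    """Constructed topology: gateway 1 serves 192.168.0.0/24, gateway 2 serves
    192.168.1.0/24, and the orchestrator's ACL allows only gateway 1 -> gateway 2."""
    acl = {"gw1:4789": "gw2:4789"}
    gw1 = VirtualContainerGateway("gw1", "gw1:4789", "192.168.0.0/24", acl)
    gw2 = VirtualContainerGateway("gw2", "gw2:4789", "192.168.1.0/24", acl)
    gw1.peers[gw2.address] = gw2
    gw2.peers[gw1.address] = gw1
    c21 = gw1.assign_address("container21")  # 192.168.0.1
    c23 = gw1.assign_address("container23")  # 192.168.0.2
    c22 = gw2.assign_address("container22")  # 192.168.1.1
    return {
        "cross_subnet": gw1.handle_request(AccessRequest(c21, c22)),
        "same_subnet": gw1.handle_request(AccessRequest(c21, c23)),
        "reverse_direction": gw2.handle_request(AccessRequest(c22, c21)),
        "spoofed_source": gw1.handle_request(AccessRequest("192.168.0.9", c22)),
    }


if __name__ == "__main__":
    for case, outcome in run_demo().items():
        print(f"{case:18} {outcome}")
```

The `reverse_direction` case shows why the ACL direction matters: with only a gateway 1 to gateway 2 entry, gateway 2 cannot initiate towards gateway 1, and the second gateway also refuses traffic from any peer the ACL does not list.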
FIG. 4 is a structural diagram of a security control device for inter-container communication provided by an embodiment of the present invention. The device can execute the processing flow provided by the method embodiment. As shown in FIG. 4, security control device 40 for inter-container communication includes a receiving module 41, an obtaining module 42 and a sending module 43. Receiving module 41 is configured to receive an access request sent by a source Docker container, the access request including a first subnet address of a target Docker container; obtaining module 42 is configured to obtain address information of a second virtual container gateway corresponding to the first virtual container gateway, the second virtual container gateway corresponding to the target Docker container; and sending module 43 is configured to send the access request to the second virtual container gateway according to the address information of the second virtual container gateway, so that the second virtual container gateway forwards the access request to the target Docker container.
The security control device for inter-container communication provided by this embodiment can be used specifically to execute the method embodiment of FIG. 1 above; its specific functions are not repeated here.
In the embodiment, communication is directed between virtual container gateways. Even if both the source Docker container and the target Docker container are migrated from one Docker server to another, so that the virtual container gateways corresponding to each of them change after migration, directed communication between the virtual container gateways still yields directed communication between the Docker containers, which ensures the reliability of communication between them.
FIG. 5 is a structural diagram of a security control device for inter-container communication provided by another embodiment of the present invention. As shown in FIG. 5, building on the embodiment of FIG. 4, obtaining module 42 includes a query unit 421 and an obtaining unit 422. Query unit 421 is configured to query an ACL rule, and obtaining unit 422 is configured to obtain the address information of the second virtual container gateway corresponding to the first virtual container gateway, where the ACL rule includes the correspondence between the address information of the first virtual container gateway and the address information of the second virtual container gateway.
Security control device 40 for inter-container communication further includes an assignment module 44 and a storage module 45. Assignment module 44 is configured to assign a second subnet address to the source Docker container, and storage module 45 is configured to store the second subnet address of the source Docker container.
Further, the access request also includes the second subnet address of the source Docker container, and security control device 40 further includes a determination module 46, configured to determine, according to the first subnet address of the target Docker container, whether the target Docker container and the source Docker container are in the same subnet.
Sending module 43 is further configured to send the access request to the target Docker container when the target Docker container and the source Docker container are in the same subnet.
The security control device for inter-container communication provided by this embodiment can be used specifically to execute the method embodiment of FIG. 3 above; its specific functions are not repeated here.
In this embodiment, after receiving the access request sent by the source Docker container, the first virtual container gateway obtains the first subnet address of the target Docker container and, from that address and the second subnet address of the source Docker container, determines whether the two containers are in the same subnet. If they are, the access request is sent directly to the target Docker container without querying the second virtual container gateway corresponding to the first virtual container gateway, which improves the forwarding efficiency of access requests.
In summary, the embodiments direct communication between virtual container gateways. Even if both the source Docker container and the target Docker container are migrated from one Docker server to another, so that the virtual container gateways corresponding to each of them change after migration, directed communication between the virtual container gateways still yields directed communication between the Docker containers, which ensures the reliability of communication between them. Furthermore, after receiving the access request sent by the source Docker container, the first virtual container gateway obtains the first subnet address of the target Docker container and, from that address and the second subnet address of the source Docker container, determines whether the two containers are in the same subnet; if they are, the access request is sent directly to the target Docker container without querying the second virtual container gateway corresponding to the first virtual container gateway, which improves the forwarding efficiency of access requests.
In the several embodiments provided by the present invention, it should be understood that the disclosed device and method may be implemented in other ways. For example, the device embodiments described above are merely illustrative: the division into units is only a division by logical function, and other divisions are possible in practice; for instance, several units or components may be combined or integrated into another system, or some features may be omitted or not executed. Furthermore, the mutual coupling, direct coupling or communication connections shown or discussed may be indirect couplings or communication connections through interfaces, devices or units, and may be electrical, mechanical or of another form.
The units described as separate components may or may not be physically separate, and components shown as units may or may not be physical units; they may be located in one place or distributed over multiple network units. Some or all of the units may be selected according to actual need to achieve the purpose of the solution of this embodiment.
In addition, the functional units in the embodiments of the present invention may be integrated into one processing unit, each unit may exist physically on its own, or two or more units may be integrated into one unit. The integrated unit may be implemented in hardware or as a hardware unit with software functional units.
An integrated unit implemented as a software functional unit may be stored in a computer-readable storage medium. The software functional unit is stored in a storage medium and includes instructions that cause a computer device (which may be a personal computer, a server, a network device, or the like) or a processor to execute some of the steps of the methods described in the embodiments of the present invention. The storage medium includes any medium capable of storing program code, such as a USB flash drive, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk or an optical disc.
Those skilled in the art will understand that, for convenience and brevity of description, the division into the functional modules above is given only as an example; in practice the functions may be assigned to different functional modules as needed, that is, the internal structure of the device may be divided into different functional modules to perform all or part of the functions described above. For the specific working process of the device described above, reference may be made to the corresponding process in the method embodiments, which is not repeated here.
Finally, it should be noted that the above embodiments serve only to illustrate the technical solutions of the present invention and do not limit them. Although the present invention has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art will understand that the technical solutions described in those embodiments may still be modified, or some or all of their technical features replaced by equivalents, without such modifications or replacements taking the essence of the corresponding technical solutions outside the scope of the technical solutions of the embodiments of the present invention.
Claims (10)
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201610503071.2A CN106169994B (en) | 2016-06-29 | 2016-06-29 | Security control method and device for communication between containers |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN106169994A true CN106169994A (en) | 2016-11-30 |
| CN106169994B CN106169994B (en) | 2019-02-26 |
Family
ID=58064731
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201610503071.2A Active CN106169994B (en) | 2016-06-29 | 2016-06-29 | Security control method and device for communication between containers |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN106169994B (en) |
Cited By (7)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN107508795A (en) * | 2017-07-26 | 2017-12-22 | 中国联合网络通信集团有限公司 | Cross-container cluster access processing device and method |
| CN108234215A (en) * | 2018-01-12 | 2018-06-29 | 平安科技(深圳)有限公司 | Gateway creation method and device, computer equipment and storage medium |
| CN108390812A (en) * | 2018-05-30 | 2018-08-10 | 新华三技术有限公司 | Message forwarding method and device |
| CN110622138A (en) * | 2017-02-23 | 2019-12-27 | 华为技术有限公司 | A data migration method and device |
| CN110858821A (en) * | 2018-08-23 | 2020-03-03 | 阿里巴巴集团控股有限公司 | Container communication method and device |
| CN111917588A (en) * | 2020-08-10 | 2020-11-10 | 南方电网数字电网研究院有限公司 | Edge device management method, device, edge gateway device and storage medium |
| CN113489770A (en) * | 2021-06-30 | 2021-10-08 | 深圳壹账通智能科技有限公司 | Inter-container communication method, electronic device, and computer-readable storage medium |
Citations (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20150256481A1 (en) * | 2014-03-06 | 2015-09-10 | Jisto Inc. | Elastic Compute Cloud Based On Underutilized Server Resources Using A Distributed Container System |
| CN105376303A (en) * | 2015-10-23 | 2016-03-02 | 深圳前海达闼云端智能科技有限公司 | Docker implementation system and communication method thereof |
| CN105491123A (en) * | 2015-12-04 | 2016-04-13 | 北京航空航天大学 | Communication method and device among containers |
| CN105591820A (en) * | 2015-12-31 | 2016-05-18 | 北京轻元科技有限公司 | A highly scalable container network management system and method |
- 2016-06-29 CN application CN201610503071.2A, granted as CN106169994B, status Active
Cited By (14)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN110622138A (en) * | 2017-02-23 | 2019-12-27 | 华为技术有限公司 | A data migration method and device |
| US11347542B2 (en) | 2017-02-23 | 2022-05-31 | Huawei Technologies Co., Ltd. | Data migration method and apparatus |
| CN107508795B (en) * | 2017-07-26 | 2020-03-13 | 中国联合网络通信集团有限公司 | Cross-container cluster access processing device and method |
| CN107508795A (en) * | 2017-07-26 | 2017-12-22 | 中国联合网络通信集团有限公司 | Cross-container cluster access processing device and method |
| CN108234215B (en) * | 2018-01-12 | 2019-12-31 | 平安科技(深圳)有限公司 | Gateway creating method and device, computer equipment and storage medium |
| CN108234215A (en) * | 2018-01-12 | 2018-06-29 | 平安科技(深圳)有限公司 | Gateway creation method and device, computer equipment and storage medium |
| CN108390812A (en) * | 2018-05-30 | 2018-08-10 | 新华三技术有限公司 | Message forwarding method and device |
| CN108390812B (en) * | 2018-05-30 | 2020-07-07 | 新华三技术有限公司 | Message forwarding method and device |
| CN110858821A (en) * | 2018-08-23 | 2020-03-03 | 阿里巴巴集团控股有限公司 | Container communication method and device |
| CN110858821B (en) * | 2018-08-23 | 2022-01-07 | 阿里巴巴集团控股有限公司 | Container communication method and device |
| CN111917588A (en) * | 2020-08-10 | 2020-11-10 | 南方电网数字电网研究院有限公司 | Edge device management method, device, edge gateway device and storage medium |
| CN111917588B (en) * | 2020-08-10 | 2023-06-06 | 南方电网数字电网科技(广东)有限公司 | Edge device management method, device, edge gateway device and storage medium |
| CN113489770A (en) * | 2021-06-30 | 2021-10-08 | 深圳壹账通智能科技有限公司 | Inter-container communication method, electronic device, and computer-readable storage medium |
| CN113489770B (en) * | 2021-06-30 | 2022-08-19 | 深圳壹账通智能科技有限公司 | Inter-container communication method, electronic device, and computer-readable storage medium |
Also Published As
| Publication number | Publication date |
|---|---|
| CN106169994B (en) | 2019-02-26 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| US12047287B2 (en) | | Data transmission method and apparatus, network adapter, and storage medium |
| CN106169994A (en) | | The method of controlling security communicated between container and device |
| EP3993347B1 (en) | | Application migration |
| US11003639B2 (en) | | Database data migration method, apparatus, terminal, system, and storage medium |
| US10805268B2 (en) | | Method and apparatuses for enabling routing of data packets between a wireless device and a service provider based in the local service cloud |
| CN107508795B (en) | | Cross-container cluster access processing device and method |
| CN106130990A (en) | | Container access control method and device |
| US8819211B2 (en) | | Distributed policy service |
| US8767737B2 (en) | | Data center network system and packet forwarding method thereof |
| CN106533890B (en) | | A message processing method, device and system |
| CN106933648B (en) | | Method and system for multi-tenant container resource management |
| US20120291024A1 (en) | | Virtual Managed Network |
| US20140254603A1 (en) | | Interoperability for distributed overlay virtual environments |
| CN102075537B (en) | | Method and system for realizing data transmission between virtual machines |
| CN106686085A (en) | | A load balancing method, device and system |
| CN105591820A (en) | | A highly scalable container network management system and method |
| CN110012118B (en) | | Method and controller for providing Network Address Translation (NAT) service |
| CN106067858A (en) | | Inter-container communication method, apparatus and system |
| CN106095533A (en) | | Server expansion method and device |
| CN105847108A (en) | | Method and apparatus for communication between containers |
| CN103229489B (en) | | Virtual machine control policy configuration method and switch |
| CN112583655B (en) | | Data transmission method, device, electronic device and readable storage medium |
| US20190173790A1 (en) | | Method and system for forwarding data, virtual load balancer, and readable storage medium |
| CN106101297B (en) | | Message reply method and device |
| CN102970387A (en) | | Domain name resolution method, device and system |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| | C06 | Publication | |
| | PB01 | Publication | |
| | C10 | Entry into substantive examination | |
| | SE01 | Entry into force of request for substantive examination | |
| | GR01 | Patent grant | |
| | GR01 | Patent grant | |