CN118590330B - A communication method and service node for containers - Google Patents
- Publication number: CN118590330B (application CN202411074114.0A)
- Authority: CN (China)
- Prior art keywords: container, network, service node, communication, virtual network
- Legal status: Active (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
- H04L63/0272: Virtual private networks (under H04L63/02, network architectures or protocols for network security that separate internal from external traffic, e.g. firewalls)
- H04L12/462: LAN interconnection over a bridge based backbone (under H04L12/4604, LAN interconnection over a backbone network, e.g. Internet, Frame Relay)
- H04L12/4641: Virtual LANs, VLANs, e.g. virtual private networks [VPN] (under H04L12/46, interconnection of networks)
- H04L63/0428: Network security for confidential data exchange among entities communicating through data packet networks, wherein the data content is protected, e.g. by encrypting or encapsulating the payload (under H04L63/04)
Abstract
The present application discloses a communication method and a service node for containers. A service node in a container cluster obtains a configuration rule and, according to that rule, creates a virtual network card pair between the service node's virtual bridge and a local container, and a virtual network between the service node and other service nodes. When the local container communicates with other target containers over the virtual network card pair and the virtual network, the local container's communication data is encrypted and decrypted on the local container's own network protocol stack using the communication key of the secure network domain. The method creates an isolated network environment for containers that communicate across nodes; in addition, because the container's communication data is encrypted and decrypted on the container's network protocol stack, that is, at the source, the security risks of proxy-based encryption are avoided, resources are saved, and the method adapts to multiple application scenarios.
Description
Technical Field
The present disclosure relates generally to the field of communication technology, and in particular to a communication method and a service node for containers.
Background Art
In the current cloud computing and containerization environment, containers are widely used for application development and deployment because they are lightweight and efficient. However, as applications grow more complex, a containerized application is often split into business entry containers and business application containers, so the number of containers and container clusters has increased sharply. At the same time, the use of multiple network cards per container further increases the complexity of container networks, and the security of network communication between containers has become a visible problem.
Summary of the Invention
In view of the above defects or deficiencies in the prior art, it is desirable to provide a communication method and a service node for containers.
A first aspect provides a container communication method applied to a container cluster network. The container cluster network includes at least one container cluster, the container cluster includes at least one service node, and at least one container and a virtual bridge are deployed on the service node. The method includes:
the service node obtaining a configuration rule, where the configuration rule indicates that a secure network domain is to be built for at least two target containers, and the at least two target containers are deployed on different service nodes;
creating, based on the configuration rule, a virtual network card pair between the virtual bridge of the service node and the local container, and establishing a connection between the virtual bridge and the local container through the virtual network card pair;
creating, based on the configuration rule, a virtual network between the service node and other service nodes, where the other service nodes are the service nodes corresponding to the target containers other than the local container, and the local container is the one of the at least two target containers that is deployed on this service node;
when the local container communicates with the other target containers over the virtual network card pair and the virtual network, encrypting and decrypting the local container's communication data on the local container's network protocol stack using the communication key of the secure network domain, where the other target containers are the ones of the at least two target containers deployed on the other service nodes.
The container communication method provided by the present application addresses the fact that the number of containers and container clusters is increasing sharply, that the use of multiple network cards per container further increases the complexity of container networks, and that network communication security problems between containers are emerging. In the method, a service node in the container cluster obtains a configuration rule and, according to it, creates a virtual network card pair between the service node's virtual bridge and the local container and a virtual network between the service node and other service nodes; it then connects the virtual bridge to the local container through the virtual network card pair. When the local container communicates with other target containers over the virtual network card pair and the virtual network, the local container's communication data is encrypted and decrypted on the local container's network protocol stack using the communication key of the secure network domain.
By setting up virtual network card pairs and a virtual network, the method creates an isolated network environment for containers communicating across nodes, so that the external network cannot intercept or monitor the traffic inside it. In addition, while a container communicates within that isolated environment, its communication data is also encrypted and decrypted on the container's network protocol stack; encrypting and decrypting the data at the source avoids the security risks of proxy-based encryption and further protects cross-node container communication. None of these improvements depends on the application itself, which saves resources and lets the method adapt to multiple application scenarios.
Another aspect provides a service node, the service node comprising:
a secure network domain controller, configured to obtain a configuration rule, where the configuration rule indicates that a secure network domain is to be built for at least two target containers, and the at least two target containers are deployed on different service nodes;
a container executor, configured to create, based on the configuration rule, a virtual network card pair between the virtual bridge of the service node and the local container, and to establish a connection between the virtual bridge and the local container through the virtual network card pair;
the container executor being further configured to create, based on the configuration rule, a virtual network between the service node and other service nodes, where the other service nodes are the service nodes corresponding to the target containers other than the local container, and the local container is the one of the at least two target containers that is deployed on this service node;
a secure network domain executor, configured to encrypt and decrypt the local container's communication data on the local container's network protocol stack using the communication key of the secure network domain when the local container communicates with the other target containers over the virtual network card pair and the virtual network, where the other target containers are the ones of the at least two target containers deployed on the other service nodes.
Brief Description of the Drawings
Other features, objects and advantages of the present application will become more apparent from the following detailed description of non-limiting embodiments, read with reference to the accompanying drawings:
FIG. 1 is an application scenario diagram of a container communication method provided by the present application;
FIG. 2 is a flowchart of the steps of a container communication method provided by the present application;
FIG. 3 is a flowchart of the steps of a container communication method provided by the present application;
FIG. 4 is a flowchart of the steps of a container communication method provided by the present application;
FIG. 5 is a flowchart of the steps of a container communication method provided by the present application;
FIG. 6 is a flowchart of the steps of a container communication method provided by the present application;
FIG. 7 is a schematic structural diagram of a computer system of a service node provided by the present application.
Detailed Description
The present application is described in further detail below with reference to the drawings and embodiments. It is to be understood that the specific embodiments described here only explain the relevant invention and do not limit it. Note also that, for ease of description, only the parts related to the invention are shown in the drawings.
Note that, where there is no conflict, the embodiments of the present application and the features in those embodiments may be combined with each other. The present application is described in detail below with reference to the drawings and in combination with the embodiments.
Refer to FIG. 1, an application scenario diagram of a container communication method provided by the present application. The scenario includes a container cluster network; the container cluster network includes at least one container cluster; the container cluster includes two service nodes (the service node and the other service node); a local container and a virtual bridge are deployed on the service node; and another target container, a virtual bridge and a communication network card are deployed on the other service node.
Note that the service node and the other service node communicate with each other through their communication network cards and a physical switch.
A first virtual network card pair is set between the local container and the service node's virtual bridge, and a second virtual network card pair is set between the other target container and the other service node's virtual bridge. The local container hands its communication data to the container protocol stack for encryption and then sends it to the first end of the first virtual network card pair; the first end passes the data to the second end of the pair, which passes it to the service node's virtual bridge. The service node's virtual bridge forwards the data over the configured virtual network to the other service node's virtual bridge, which passes it through the second virtual network card pair to the container protocol stack of the other target container. After decryption on that container protocol stack, cross-node communication between the local container and the other target container is achieved.
The container communication provided by the present application is described by way of example below with reference to FIG. 2, which is a flowchart of the steps of container communication provided by the present application. The method is described using its application to the service node in FIG. 1 as an example, and includes the following steps:
Step S20: the service node obtains a configuration rule; the configuration rule indicates that a secure network domain is to be built for at least two target containers, and the at least two target containers are deployed on different service nodes.
The container cluster network also includes a container management system and a configuration centre, both of which serve multiple container clusters. The container management system provides an operation interface through which users create configuration rules interactively.
After obtaining a configuration rule, the container management system may deliver it to the configuration centre of the container cluster network. Each container cluster in the network can access the configuration centre in real time to obtain the rule; specifically, each service node in each cluster can do so. Further, a secure network domain controller is deployed on each service node of the cluster, and it reads configuration rules from the configuration centre in real time.
The configuration rule indicates that a secure network domain is to be built for at least two target containers. That is, when at least two target containers deployed on different service nodes communicate, the rule is used to build a secure communication environment for them, so as to avoid or reduce leakage, eavesdropping and attacks on their communication data.
Given this role, the configuration rule may include the unique identifier of the container cluster, the unique identifiers of the service nodes and the unique identifiers of the containers.
After obtaining a configuration rule from the configuration centre, the secure network domain controller on each service node parses it to obtain the corresponding container cluster identifier, service node identifiers and container identifiers, so that it can determine whether the rule concerns its own service node and the containers deployed on it.
For example, suppose a first service node and a second service node are deployed in container cluster A. After the secure network domain controllers on the two nodes each read the configuration rule from the configuration centre and parse it, the controller on the first service node finds that the cluster identifier in the rule equals that of cluster A and that the service node identifiers include its own, so it may proceed to the next operation as the rule directs. Likewise, the controller on the second service node finds that the cluster identifier equals that of cluster A and that the service node identifiers include its own, so it may also proceed as the rule directs. In other words, once the first service node obtains the rule, it learns that it must build a secure network domain between the target container deployed on itself and the target container deployed on the second service node; by parsing the same rule, the second service node likewise learns that it must build a secure network domain between the target container deployed on itself and the one deployed on the first service node.
It will be understood that if, after parsing the rule, the secure network domain controller finds that the cluster identifier differs from that of cluster A, it may delete the rule or simply take no action.
Optionally, the secure network domain controller may watch the configuration rules stored in the configuration centre in real time using a list-watch pattern. Watching lets rules be obtained promptly, so that secure network domains can be built promptly for the target containers the user needs, improving the user experience.
In another optional embodiment, a secure network domain executor is also deployed on the service node. When the secure network domain controller reads a configuration rule from the configuration centre, it may perform a protocol conversion that turns the rule into commands, producing container network configuration information, and deliver that information to the secure network domain executor, which carries out the corresponding configuration operations.
In yet another optional embodiment, when the secure network domain controller determines that a configuration rule has been updated (for example, a container needs to be added or removed) or deleted, it delivers the new rule to the secure network domain executor or instructs the executor to delete the original rule. The service node may then, according to the updated rule, delete the virtual network card pair between its virtual bridge and the container, delete the virtual network, or add a new virtual network card pair to the virtual bridge.
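Worked example, added here and not taken from the patent: a Python sketch of the controller-side logic of step S20, parsing a configuration rule, deciding whether it concerns this cluster and node, and computing the add/delete operations the executor must run when the rule is updated or deleted. The JSON layout, the field names (cluster_id, members, node_id, container_id), the two sample rules and the operation names (including the "veth pair" wording for the virtual network card pair) are all assumptions.

```python
import json
from dataclasses import dataclass

# Constructed sample of a configuration rule as the controller might read it from
# the configuration centre. The JSON layout and field names are assumptions; the
# patent only says the rule carries cluster, service node and container identifiers.
RULE_V1 = json.dumps({
    "cluster_id": "cluster-A",
    "members": [
        {"node_id": "node-1", "container_id": "app-1"},
        {"node_id": "node-2", "container_id": "app-2"},
    ],
})

# Constructed updated rule: app-3 is added on node-1, and node-2's container is
# replaced by one on node-3.
RULE_V2 = json.dumps({
    "cluster_id": "cluster-A",
    "members": [
        {"node_id": "node-1", "container_id": "app-1"},
        {"node_id": "node-1", "container_id": "app-3"},
        {"node_id": "node-3", "container_id": "app-4"},
    ],
})


@dataclass(frozen=True)
class Plan:
    """What this service node must set up for one secure network domain."""
    local_containers: frozenset  # local containers needing a virtual network card pair
    peer_nodes: frozenset        # other service nodes to build the virtual network with


def parse_rule(raw, cluster_id, node_id):
    """Parse a rule and decide whether it concerns (cluster_id, node_id).

    Returns a Plan when it does, and None when the rule belongs to another
    cluster or names no container on this node (the controller may then drop
    the rule or do nothing, as the description says).
    """
    rule = json.loads(raw)
    if rule.get("cluster_id") != cluster_id:
        return None
    members = rule.get("members")
    if not isinstance(members, list) or len(members) < 2:
        raise ValueError("a rule must name at least two target containers")
    for m in members:
        if not isinstance(m.get("node_id"), str) or not isinstance(m.get("container_id"), str):
            raise ValueError("each member needs a string node_id and container_id")
    local = frozenset(m["container_id"] for m in members if m["node_id"] == node_id)
    if not local:
        return None
    peers = frozenset(m["node_id"] for m in members if m["node_id"] != node_id)
    if not peers:
        raise ValueError("target containers must be deployed on different service nodes")
    return Plan(local, peers)


def diff_plans(old, new):
    """Operations the executor must run when a rule is updated or deleted.

    Either argument may be None: old=None is a newly seen rule, new=None a
    deleted one. Returns a deterministic, ordered list of (operation, target).
    """
    old_c = old.local_containers if old else frozenset()
    new_c = new.local_containers if new else frozenset()
    old_p = old.peer_nodes if old else frozenset()
    new_p = new.peer_nodes if new else frozenset()
    ops = []
    ops += [("delete_veth_pair", c) for c in sorted(old_c - new_c)]
    ops += [("create_veth_pair", c) for c in sorted(new_c - old_c)]
    ops += [("delete_virtual_network", p) for p in sorted(old_p - new_p)]
    ops += [("create_virtual_network", p) for p in sorted(new_p - old_p)]
    return ops


if __name__ == "__main__":
    first = parse_rule(RULE_V1, "cluster-A", "node-1")
    second = parse_rule(RULE_V2, "cluster-A", "node-1")
    print("initial plan:", first)
    print("on update:", diff_plans(first, second))
    print("on delete:", diff_plans(second, None))
```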
Building a secure network domain for cross-node target containers requires the participation of different service nodes, but each service node performs the same operations. The following description therefore takes as its example a configuration rule that directs a secure network domain to be built between the local container on the service node and the other target container on the other service node, and describes only the operations performed by the service node.
Step S30: creating a virtual network between the service node and other service nodes based on the configuration rule; the other service nodes are the service nodes corresponding to the target containers other than the local container, and the local container is the one of the at least two target containers deployed on this service node.
Because communication between the local container and the other target container must be network-isolated from communication with other containers, it must travel over a network different from the one used to communicate with other containers (for example, the communication network card deployed on the service node). Put simply, the local container and the other target container need a path other than the existing communication path, so a virtual network must be built between the service node and the other service node.
In an optional embodiment, shown in FIG. 3, which is an optional method embodiment for building the virtual network provided by an exemplary embodiment of the present application, the method includes the following steps:
Step S301: parsing the configuration rule to obtain a network key.
As described above, the configuration rule includes the identifiers of the container cluster, the service nodes and the target containers. The rule also includes a network key, which on one hand is used to build the virtual network between the service node and the other service node, and on the other hand encrypts the virtual network, meaning that other containers cannot communicate over it.
So once the service node and the other service node have obtained and parsed the configuration rule, each obtains the corresponding network key. Since the rule builds a secure network domain for the target containers deployed on the service node and on the other service node, the network key that the two nodes obtain after parsing is the same.
Step S302: the service node broadcasts a data packet through its communication network card, the data packet including the network key.
The communication network card of the service node is the network card the node was originally configured with. Unlike the virtual bridge, it provides the hardware support for the service node to communicate with other service nodes; the communication network cards of different service nodes exchange data through the physical switch. After parsing the configuration rule to obtain the network key, the service node may send a data packet containing the network key through its communication network card, as a broadcast through the physical switch, to the multiple other service nodes; it will be understood that the other service node receives this packet as well. Of the nodes that receive the packet, only the other service node has obtained the network key from the configuration rule; the remaining service nodes have not. So when the other service node receives the packet, it parses it to obtain the network key sent by the service node, confirms that this key equals the network key it parsed from the configuration rule, and thereby learns that it needs to establish a virtual network with the service node. It will be understood that the remaining service nodes did not obtain the configuration rule and so never parsed a network key from it; even if they extract the network key from the packet, they cannot learn what operation they are supposed to perform.
Step S303: receiving a connection request that the other service node initiates to the service node in response to the broadcast, the connection request carrying a connection key.
After broadcasting the network key, the service node receives a connection request from the other service node, which requests that virtual network communication be established. The service node must verify the request using the connection key it carries, to ensure the virtual network is established correctly.
The service node verifies the connection request by comparing the connection key sent by the other service node with the network key. If they match, the network key is deemed to have verified the connection key and the connection request passes verification; otherwise verification fails. It will be understood that the service node and the other service node can establish a virtual network only if the comparison succeeds.
Step S304: if the service node verifies the connection key against the network key successfully, establishing the virtual network based on the connection between the service node and the other service node.
When the service node verifies the connection key against the network key successfully, the service node and the other service node have joined the same network, which is here called the virtual network. In addition, the network key gives the virtual network privacy, improving the security of communication between the local container and the other target container over it.
本申请通过构建虚拟网络能够为容器之间的跨节点通信提供与其他外部网络隔离的网络通信环境,避免了容器之间通过例如为服务节点上设置的通信网卡进行通信,使得容器之间的通信不会被暴露在外部网络环境下,能够减少容器跨节点通信时的受攻击面,提升容器跨节点通信的安全性。By constructing a virtual network, the present application can provide a network communication environment that is isolated from other external networks for cross-node communication between containers, thereby avoiding communication between containers through, for example, communication network cards set up on service nodes, so that communication between containers will not be exposed to the external network environment, which can reduce the attack surface of containers during cross-node communication and improve the security of cross-node communication between containers.
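As an added example, not code from the patent, the following Go program models steps S302 to S304 on one node: the network key parsed from the configuration rule is broadcast to every node on the switch, peers that hold the same key answer with a connection request, and the initiating node admits a peer only after a constant-time comparison of the connection key with the network key. The node names, message structs and key value are constructed for the example.

```go
package main

import (
	"crypto/hmac"
	"errors"
	"fmt"
)

// ConfigRule is a constructed stand-in for the configuration rule; only nodes
// that take part in the secure network domain receive it, and it carries the key.
type ConfigRule struct {
	NetworkKey []byte
}

// BroadcastPacket is the packet sent through the communication network card in
// step S302 (constructed message format, not the patent's).
type BroadcastPacket struct {
	From       string
	NetworkKey []byte
}

// ConnectionRequest is the request a peer sends back in step S303.
type ConnectionRequest struct {
	From          string
	ConnectionKey []byte
}

// ServiceNode models one node attached to the physical switch.
type ServiceNode struct {
	Name    string
	rule    *ConfigRule     // nil for a node that never received the configuration rule
	members map[string]bool // peers admitted to this node's virtual network (step S304)
}

func NewServiceNode(name string, rule *ConfigRule) *ServiceNode {
	return &ServiceNode{Name: name, rule: rule, members: map[string]bool{}}
}

// ParseNetworkKey models step S301: the network key is read from the rule.
func (n *ServiceNode) ParseNetworkKey() ([]byte, error) {
	if n.rule == nil || len(n.rule.NetworkKey) == 0 {
		return nil, errors.New("no configuration rule with a network key")
	}
	return n.rule.NetworkKey, nil
}

// Broadcast models step S302: the packet reaches every other node on the
// switch, and the connection requests that come back are collected.
func (n *ServiceNode) Broadcast(peers []*ServiceNode) ([]ConnectionRequest, error) {
	key, err := n.ParseNetworkKey()
	if err != nil {
		return nil, err
	}
	pkt := BroadcastPacket{From: n.Name, NetworkKey: key}
	var requests []ConnectionRequest
	for _, p := range peers {
		if p == n {
			continue
		}
		if req, ok := p.OnBroadcast(pkt); ok {
			requests = append(requests, req)
		}
	}
	return requests, nil
}

// OnBroadcast is the receiving side: a node answers with a connection request
// only if the key it parsed from its own rule matches the broadcast key. A node
// without the rule cannot tell what the packet asks of it and stays silent.
func (n *ServiceNode) OnBroadcast(pkt BroadcastPacket) (ConnectionRequest, bool) {
	own, err := n.ParseNetworkKey()
	if err != nil || !hmac.Equal(own, pkt.NetworkKey) {
		return ConnectionRequest{}, false
	}
	return ConnectionRequest{From: n.Name, ConnectionKey: own}, true
}

// HandleConnectionRequest models steps S303/S304: the connection key is
// compared with the network key in constant time, and only a verified peer is
// admitted to the virtual network.
func (n *ServiceNode) HandleConnectionRequest(req ConnectionRequest) bool {
	key, err := n.ParseNetworkKey()
	if err != nil || !hmac.Equal(key, req.ConnectionKey) {
		return false
	}
	n.members[req.From] = true
	return true
}

// IsMember reports whether a peer has been admitted to the virtual network.
func (n *ServiceNode) IsMember(peer string) bool { return n.members[peer] }

func main() {
	rule := &ConfigRule{NetworkKey: []byte("constructed-network-key")}
	a := NewServiceNode("node-a", rule)
	b := NewServiceNode("node-b", rule)
	c := NewServiceNode("node-c", nil) // same switch, not part of the domain
	reqs, _ := a.Broadcast([]*ServiceNode{a, b, c})
	for _, r := range reqs {
		fmt.Printf("%s requests to join: admitted=%v\n", r.From, a.HandleConnectionRequest(r))
	}
}
```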
Step S40: creating, on the basis of the configuration rule, a virtual network card pair between the virtual bridge of the service node and the local container, and establishing a connection between the virtual bridge and the local container through the virtual network card pair;
Here, a virtual bridge is also deployed on the service node. A virtual bridge is concerned with the processing and forwarding of data frames and with its use in virtualized environments. In virtualization technology, a virtual bridge is used to extend a local area network or to implement network communication between a container and its host; that is, a virtual bridge connects the container to the host network, enabling communication between containers and between containers and external networks. It should be noted that, to implement communication between a container and the host, a virtual network card pair must also be created between the virtual bridge and the container, so that the virtual bridge and the container communicate through the virtual network card pair. As the name implies, a virtual network card pair is a pair of network cards: one network card of the pair is deployed in the container, the other is deployed on the virtual bridge, and the two network cards of the pair can communicate with each other directly.
In an optional embodiment, as shown in FIG. 4, which is an optional method embodiment for creating a virtual network card pair provided by an exemplary embodiment of the present application, the method embodiment includes the following steps:
Step S401: parsing the configuration rule to obtain the unique identifier of the local container;
Here, multiple containers may be deployed on the service node, and the configuration rule may instruct that only one of the multiple containers on the service node is to form a secure network domain with containers on other service nodes. The service node therefore needs to determine the target container among the multiple deployed containers; this container is referred to here as the local container.
From the above description, the configuration rule includes the unique identifier of the container that is to form the secure network domain. Therefore, the service node obtains the unique identifier of the local container after parsing the configuration rule.
Step S402: determining the local container on the service node according to the unique identifier of the local container;
Here, once the service node has obtained, by parsing the configuration rule, the unique identifier of the container deployed on it, it can determine the local container among the multiple containers deployed on the service node.
Step S403: creating a virtual network card pair between the virtual bridge and the local container.
Here, a virtual network card pair is a pair of ports: every data packet that enters one port leaves through the other port, and vice versa. A virtual network card pair, however, can only implement communication between two network interfaces, whereas communication between the local container and the other target containers involves communication among multiple interfaces. This is why a virtual network card pair is created between the virtual bridge and the local container: a virtual bridge can implement communication among several network interfaces, that is, when one network interface of the virtual bridge receives data, the data is copied to the other interfaces of the virtual bridge, so that it can be forwarded out through those interfaces.
Therefore, the virtual bridge deployed on the service node and the created virtual network card pair work together to implement communication between the local container and the other target containers.
For example, the following command may be used to create the virtual network card pair between the virtual bridge and the local container:
ip link add <p1-name> type veth peer name <p2-name>
After the service node has created the virtual network card pair between the virtual bridge deployed on it and the local container in the above manner, communication between the virtual bridge and the local container is still not possible unless the corresponding settings are made. The following settings are therefore required to establish the connection between the virtual bridge and the local container through the virtual network card pair, that is, to enable the two to communicate:
To distinguish the two network cards of the virtual network card pair, they are called the first network card and the second network card. The specific operations for establishing the communication connection between the virtual bridge and the local container are:
setting the first network card as a sub-device of the virtual bridge;
setting the namespace of the second network card to the namespace of the local container.
Here, setting the first network card as a sub-device of the virtual bridge means establishing a mapping relationship between one of the interfaces of the virtual bridge and the first network card, so that that interface of the virtual bridge and the first network card can communicate.
Generally speaking, a namespace is a set of uniquely identified names, so that there is no ambiguity when objects that come from different places have the same name. A namespace can mark an access path, so setting the namespace of the second network card to the namespace of the local container allows the two to access each other.
In addition, by the nature of a virtual network card pair, the first network card and the second network card can communicate with each other directly. After the above settings, the connection between the local container and the virtual bridge is established, and the local container can communicate with the virtual bridge.
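As an added example rather than the patent's own code, this Go snippet turns the procedure above into an ordered ip(8) command plan: create the pair, set the first network card as a sub-device of the bridge with `ip link set ... master`, and move the second network card into the container's namespace with `ip link set ... netns`. The bridge, interface and namespace names are constructed, and the commands are passed as argv rather than through a shell so that names taken from a configuration rule are never shell-interpreted.

```go
package main

import (
	"errors"
	"fmt"
	"os/exec"
	"strings"
)

// Linux limits an interface name to 15 bytes (IFNAMSIZ - 1), with no whitespace or '/'.
const maxIfNameLen = 15

// VethSetup describes one virtual network card pair for a local container.
// The names are constructed for the example; in the patent they derive from
// the configuration rule.
type VethSetup struct {
	Bridge      string // virtual bridge deployed on the service node
	FirstNIC    string // bridge-side end (<p1-name> in the ip link command)
	SecondNIC   string // container-side end (<p2-name>)
	ContainerNS string // named network namespace of the local container
}

// validIfName rejects names the kernel would refuse; since the names come from
// configuration input, the check also keeps odd input out of the command plan.
func validIfName(name string) error {
	if name == "" || len(name) > maxIfNameLen {
		return fmt.Errorf("interface name %q must be 1 to %d bytes", name, maxIfNameLen)
	}
	if strings.ContainsAny(name, " \t\r\n/") || name == "." || name == ".." {
		return fmt.Errorf("interface name %q contains invalid characters", name)
	}
	return nil
}

// Plan returns the ip(8) invocations, in order, for the patent's procedure:
// create the pair, set the first NIC as a sub-device of the bridge, move the
// second NIC into the container's namespace, and bring both ends up.
func (s VethSetup) Plan() ([][]string, error) {
	for _, n := range []string{s.Bridge, s.FirstNIC, s.SecondNIC} {
		if err := validIfName(n); err != nil {
			return nil, err
		}
	}
	if s.FirstNIC == s.SecondNIC {
		return nil, errors.New("the two ends of the pair need distinct names")
	}
	if s.ContainerNS == "" || strings.ContainsAny(s.ContainerNS, " \t\r\n/") {
		return nil, fmt.Errorf("invalid container namespace %q", s.ContainerNS)
	}
	return [][]string{
		{"ip", "link", "add", s.FirstNIC, "type", "veth", "peer", "name", s.SecondNIC},
		{"ip", "link", "set", s.FirstNIC, "master", s.Bridge},
		{"ip", "link", "set", s.FirstNIC, "up"},
		{"ip", "link", "set", s.SecondNIC, "netns", s.ContainerNS},
		{"ip", "netns", "exec", s.ContainerNS, "ip", "link", "set", s.SecondNIC, "up"},
	}, nil
}

// Apply executes the plan with exec.Command (argv, no shell). It needs
// CAP_NET_ADMIN on the service node and is not exercised by the test.
func (s VethSetup) Apply() error {
	plan, err := s.Plan()
	if err != nil {
		return err
	}
	for _, argv := range plan {
		if out, err := exec.Command(argv[0], argv[1:]...).CombinedOutput(); err != nil {
			return fmt.Errorf("%s: %v: %s", strings.Join(argv, " "), err, out)
		}
	}
	return nil
}

func main() {
	s := VethSetup{Bridge: "br-secdom", FirstNIC: "veth-c1-br", SecondNIC: "veth-c1", ContainerNS: "container-1"}
	plan, err := s.Plan()
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	for _, argv := range plan {
		fmt.Println(strings.Join(argv, " "))
	}
}
```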
With the above settings in place, communication between the local container and the virtual bridge is described below.
Since the communication is bidirectional, one of the two communication directions is described first:
The communication data that the local container needs to send must be encapsulated and processed on the local container's network protocol stack. It should be noted that the network protocol stack is the collection of the protocols at each layer of a computer network. Its working principle is that each layer of the stack encapsulates and processes the data from the layer above and passes it to the layer below; the receiving end decapsulates and processes the data in the reverse order and finally delivers it to the application layer. The local container therefore encapsulates and processes the data to be communicated through its network protocol stack before sending it out.
After the local container has encapsulated and processed the communication data through its network protocol stack, the data is transmitted to the second network card. Since a virtual network card pair is a pair of ports in which every data packet entering one port leaves through the other, the data entering the second network card leaves through the first network card, so the communication data is transmitted to the first network card. Because there is a mapping relationship between the first network card and one of the interfaces of the virtual bridge, that interface of the virtual bridge can read the communication data from the first network card.
The other communication direction is:
Another network port of the virtual bridge receives the communication data. Since data received on one network interface of the virtual bridge is copied to the other interfaces of the virtual bridge, the interface of the virtual bridge that has a mapping relationship with the first network card obtains the communication data; the first network card can obtain the communication data from that interface, and the data flows from the second network card into the container's network protocol stack, where it is decapsulated and processed layer by layer until the communication data is finally obtained.
The above describes only the communication between the local container and the virtual bridge deployed on the service node under the current settings. Since the other service nodes perform the same setting operations as the service node, they also create virtual network card pairs between the other target containers and the virtual bridges deployed on the other service nodes. With the help of the virtual network established between the service node and the other service nodes, communication between the local container and the other target containers can be implemented. Based on the settings of the service node and the other service nodes, this communication is described below:
First case: the communication data is transmitted from the local container to the other target containers.
The local container sends the communication data to the virtual network card pair between itself and the virtual bridge, so that the data is sent through the virtual network card pair to the interface of the virtual network card;
the secure network domain executor obtains the communication data from the interface of the virtual network card;
the secure network domain executor transmits the communication data through the virtual network to the secure network domain executors deployed on the other service nodes, so that the other target containers obtain the communication data from the secure network domain executors deployed on the other service nodes and from the virtual network card pairs between those virtual network cards and the other target containers.
Specifically, after encapsulating and processing the communication data through its network protocol stack, the local container sends the communication data to the second network card, and the communication data leaves through the first network card;
one of the interfaces of the virtual bridge reads the communication data leaving the first network card, and the virtual bridge copies the communication data to its other interfaces; the secure network domain executor deployed on the service node reads the communication data from those other interfaces of the virtual bridge and sends it through the virtual network to the secure network domain executors of the other service nodes;
the secure network domain executor of each other service node sends the communication data to one of the interfaces of the virtual bridge deployed on that service node, and that virtual bridge copies the communication data to its other interfaces; after the first network card corresponding to that virtual bridge obtains the communication data from one of those interfaces, the data leaves through the second network card corresponding to the other target container deployed on that service node into the network protocol stack of the other target container, where it is decapsulated and processed layer by layer so that the other target container obtains the communication data.
Second case: the communication data is transmitted from the other target containers to the local container.
The local container obtains, through the virtual network card pair between itself and the virtual bridge, the communication data present on the interface of the virtual network card. The communication data on the interface of the virtual network card is data obtained from the secure network domain executor deployed on the service node, and the data obtained by the secure network domain executor is data received over the virtual network that the other target containers sent through the secure network domain executors deployed on the other service nodes and the virtual network card pairs between those virtual network cards and the other target containers.
That is, the other target container first encapsulates and processes the communication data through its network protocol stack, then sends the communication data to the second network card corresponding to that target container, and the data leaves through the first network card corresponding to the virtual bridge deployed on the other service node;
the interface of the virtual bridge deployed on the other service node that has a mapping relationship with the first network card reads the communication data leaving the first network card, and the virtual bridge copies the communication data to its other interfaces; the secure network domain executor deployed on the other service node reads the communication data from those other interfaces of the virtual bridge and sends it through the virtual network to the secure network domain executor of the service node;
the secure network domain executor of the service node sends the communication data to one of the interfaces of the virtual bridge deployed on the service node, and that virtual bridge copies the communication data to its other interfaces; after the first network card corresponding to the virtual bridge deployed on the service node obtains the communication data from one of those interfaces, the data leaves through the second network card corresponding to the local container into the network protocol stack of the local container, where it is decapsulated and processed layer by layer so that the local container obtains the communication data.
Step S50: when the local container communicates over the network with the other target containers on the basis of the virtual network card pair and the virtual network, encrypting and decrypting the communication data of the local container on the network protocol stack of the local container using the communication key of the secure network domain, where the other target containers are the containers among the at least two target containers that are deployed on the other service nodes.
Here, in order to further harden the communication environment between the local container and the other target containers, the present application isolates a secure network domain between the local container and the other target containers so as to achieve the smallest possible scope of network access, reducing the risk that containers running core business are eavesdropped on or attacked; to this end, the communication data of the local container is encrypted and decrypted using the communication key of the secure network domain. In addition, the present application encrypts and decrypts the communication data while it is being encapsulated and processed by the container's network protocol stack, which encrypts and decrypts the data at its source, thereby avoiding the security risks of proxy-based encryption and further guaranteeing the security of cross-node container communication.
Before the encryption and decryption processing is described, the origin of the encryption key and the decryption key needs to be explained.
The configuration rule includes the encryption key and the decryption key. After the service node parses the configuration rule, the secure network executor deployed on the service node stores the encryption key and the decryption key in a map-based table that maps network namespace IDs to encryption/decryption protocols and keys (referred to here as the target mapping relationship information). The target mapping relationship information includes the namespace address of the local container, the network card address of the local container, and the encryption key and decryption key corresponding to that network card address.
When the service node runs a container, the secure network executor deployed on the service node updates the map table through a system call to add the container's namespace to the target mapping relationship information; when a container is destroyed, the executor removes the container's namespace from the target mapping relationship information. In this way, each container is associated with its corresponding encryption key and decryption key.
Therefore, when the local container needs to encrypt or decrypt, it suffices to read the encryption key and decryption key corresponding to the local container from the target mapping relationship information.
It should be understood that if the communication data is transmitted from the local container to the other target containers, the local container needs to encrypt the communication data using the encryption key in the communication key; conversely, if the communication data is transmitted from the other target containers to the local container, the communication data is decrypted using the decryption key in the communication key.
In an optional embodiment, as shown in FIG. 5, which is an optional method embodiment for encrypting communication data using the encryption key in the communication key provided by an exemplary embodiment of the present application, the method embodiment includes the following steps:
Step S501: obtaining the encryption key from the target mapping relationship information according to the namespace address of the local container and the network card address of the local container, where the target mapping relationship information includes the namespace address of the container, the network card address of the container, and the encryption key and decryption key corresponding to the namespace address and network card address of the container;
Step S502: during encapsulation of the data segment of the communication data on the network protocol stack of the local container, encrypting the data segment of the communication data using the encryption key.
In an optional embodiment, as shown in FIG. 6, which is an optional method embodiment for decrypting communication data using the decryption key in the communication key provided by an exemplary embodiment of the present application, the method embodiment includes the following steps:
Step S601: obtaining the decryption key from the target mapping relationship information according to the namespace address of the local container and the network card address of the local container;
Step S602: during decapsulation of the data segment of the communication data on the network protocol stack of the local container, decrypting the data segment of the communication data using the decryption key.
Here, since the communication data of the local container must be encapsulated and processed by the local container's network protocol stack, the encryption and decryption of the communication data can be performed on the local container's network protocol stack. By encrypting and decrypting the communication data while it is being encapsulated and processed by the container's network protocol stack, the present application encrypts and decrypts the data at its source, thereby avoiding the security risks of proxy-based encryption and further guaranteeing the security of cross-node container communication.
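The mapping table and the two embodiments above (FIG. 5 and FIG. 6), as an added Go example that is not the patent's code: the table is keyed by namespace address and network card address, entries are added when a container runs and removed when it is destroyed, and only the data segment is sealed or opened with the key looked up for the local container. The patent names no cipher, so AES-256-GCM with symmetric keys is this example's assumption, as are the namespace IDs, addresses and key values.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// nsKey identifies one container network card in the target mapping relationship
// information: namespace address plus network card address (constructed values).
type nsKey struct {
	NamespaceID uint64
	NICAddr     string
}

// KeyPair holds the encryption key and decryption key from the configuration rule.
// Assumption: symmetric AES-256 keys, so a peer's Dec equals this side's Enc.
type KeyPair struct {
	Enc []byte
	Dec []byte
}

// MappingTable is the map-based table the secure network executor maintains.
type MappingTable struct {
	m map[nsKey]KeyPair
}

func NewMappingTable() *MappingTable { return &MappingTable{m: map[nsKey]KeyPair{}} }

// OnContainerRun adds a container's namespace and NIC (and its keys) to the table.
func (t *MappingTable) OnContainerRun(ns uint64, nic string, kp KeyPair) error {
	if len(kp.Enc) != 32 || len(kp.Dec) != 32 {
		return errors.New("encryption and decryption keys must be 32 bytes")
	}
	t.m[nsKey{ns, nic}] = kp
	return nil
}

// OnContainerDestroy removes the container so its keys can no longer be used.
func (t *MappingTable) OnContainerDestroy(ns uint64, nic string) {
	delete(t.m, nsKey{ns, nic})
}

// aeadFor looks up the container's entry (S501/S601) and builds an AES-GCM
// instance from its encryption key or, when decrypt is set, its decryption key.
func (t *MappingTable) aeadFor(ns uint64, nic string, decrypt bool) (cipher.AEAD, error) {
	kp, ok := t.m[nsKey{ns, nic}]
	if !ok {
		return nil, fmt.Errorf("no keys for namespace %d nic %s", ns, nic)
	}
	key := kp.Enc
	if decrypt {
		key = kp.Dec
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptSegment models S502: only the data segment is sealed while the stack
// encapsulates it; the cleartext header is bound as associated data so a sealed
// segment cannot be replayed under another header. Output: nonce || ciphertext || tag.
func (t *MappingTable) EncryptSegment(ns uint64, nic string, header, segment []byte) ([]byte, error) {
	g, err := t.aeadFor(ns, nic, false)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return g.Seal(nonce, nonce, segment, header), nil
}

// DecryptSegment models S602: the data segment is opened during decapsulation.
func (t *MappingTable) DecryptSegment(ns uint64, nic string, header, sealed []byte) ([]byte, error) {
	g, err := t.aeadFor(ns, nic, true)
	if err != nil {
		return nil, err
	}
	if len(sealed) < g.NonceSize() {
		return nil, errors.New("sealed segment too short")
	}
	return g.Open(nil, sealed[:g.NonceSize()], sealed[g.NonceSize():], header)
}

func main() {
	k1 := []byte("0123456789abcdef0123456789abcdef") // constructed 32-byte keys
	k2 := []byte("fedcba9876543210fedcba9876543210")
	local, peer := NewMappingTable(), NewMappingTable()
	_ = local.OnContainerRun(4026531840, "10.0.0.2", KeyPair{Enc: k1, Dec: k2})
	_ = peer.OnContainerRun(4026531900, "10.0.0.3", KeyPair{Enc: k2, Dec: k1})
	sealed, _ := local.EncryptSegment(4026531840, "10.0.0.2", []byte("hdr"), []byte("hello"))
	pt, err := peer.DecryptSegment(4026531900, "10.0.0.3", []byte("hdr"), sealed)
	fmt.Printf("%q %v\n", pt, err)
}
```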
The container communication method provided by the present application takes into account that the number of containers and of container clusters is growing sharply, that the use of multiple network cards per container further increases the complexity of container networks, and that security problems in network communication between containers are gradually emerging. The present application provides a container communication method in which a service node in the container cluster obtains a configuration rule, creates according to the configuration rule a virtual network card pair between the virtual bridge of the service node and the local container and a virtual network between the service node and other service nodes, and then establishes a connection between the virtual bridge and the local container through the virtual network card pair; when the local container communicates over the network with the other target containers on the basis of the virtual network card pair and the virtual network, the communication data of the local container is encrypted and decrypted on the network protocol stack of the local container using the communication key of the secure network domain.
By setting up virtual network card pairs and a virtual network, the communication method provided by the present application creates an isolated network environment for cross-node container communication in which the external network cannot intercept or monitor the traffic; in addition, while the containers communicate in the isolated network environment, the communication data is also encrypted and decrypted on the container's network protocol stack, and encrypting and decrypting the data at its source avoids the security risks of proxy-based encryption and further guarantees the security of cross-node container communication. All of the above improvements are independent of the application itself, which not only saves resources but also allows the present application to adapt to multiple application scenarios.
It should be noted that although the operations of the method of the present invention are described in a specific order in the accompanying drawings, this does not require or imply that these operations must be performed in that specific order, or that all of the operations shown must be performed to achieve the desired result. On the contrary, the order in which the steps depicted in the flow charts are executed may be changed.
Further, in conjunction with FIG. 1, the present application also provides a service node, the service node comprising:
a secure network domain controller, configured to obtain a configuration rule, where the configuration rule is used to indicate that a secure network domain is to be constructed for at least two target containers, the at least two target containers being deployed on different service nodes;
a container executor, configured to create, on the basis of the configuration rule, a virtual network card pair between the virtual bridge of the service node and the local container, and to establish a connection between the virtual bridge and the local container through the virtual network card pair;
the container executor being further configured to create, on the basis of the configuration rule, a virtual network between the service node and other service nodes, where the other service nodes are the service nodes corresponding to the target containers, among the at least two target containers, other than the local container, and the local container is the container, among the at least two target containers, that is deployed on the service node;
a secure network domain executor, configured to, when the local container communicates over the network with the other target containers on the basis of the virtual network card pair and the virtual network, encrypt and decrypt the communication data of the local container on the network protocol stack of the local container using the communication key of the secure network domain, where the other target containers are the containers among the at least two target containers that are deployed on the other service nodes.
In an optional embodiment, the container executor is specifically used to parse the configuration rule and obtain a network key;
the service node broadcasts a data packet through its communication network card, the data packet including the network key;
the service node receives connection requests that other service nodes initiate towards it on the basis of the broadcast, each connection request carrying a connection key;
if the service node successfully verifies the connection key against the network key, the virtual network is established on the basis of the connection between the service node and that other service node.
In an optional embodiment, the container executor is further specifically used to parse the configuration rule and obtain the unique identifier of the local container; determine the local container on the service node according to that unique identifier; and create the virtual network card pair between the virtual network bridge and the local container.
In an optional embodiment, the container executor is further specifically used to set the first network card (one end of the virtual network card pair) as a sub-device of the virtual network bridge, and to set the namespace of the second network card (the other end of the pair) to the namespace of the local container.
In an optional embodiment, the container executor is further specifically used to establish a mapping relationship between one of the interfaces of the virtual network bridge and the first network card.
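The three optional embodiments above describe one procedure: derive the pair from the container's unique identifier, create it, enslave the first network card to the bridge, move the second into the container's network namespace, and record the bridge-port mapping. The following is an added Go example of how a container executor could do this on Linux with iproute2 and nsenter; it is not the patent's code. The interface-name prefixes `vh-`/`vc-`, the bridge name `br-secdom`, the container identifier and the PID are constructed, and addressing the namespace by PID is an assumption. A dry-run recorder stands in for the real shell-out so the plan can be inspected without root; the one check worth noting is the kernel's 15-byte interface-name limit (IFNAMSIZ-1), which a name derived from a long container identifier would otherwise exceed.

```go
package main

import (
	"errors"
	"fmt"
	"os/exec"
	"strconv"
	"strings"
)

// Runner executes one command line. The real executor shells out to ip(8) and
// nsenter(1); the dry-run recorder captures the plan so it can be inspected
// and tested without root or a real network namespace.
type Runner interface {
	Run(name string, args ...string) error
}

type ExecRunner struct{}

func (ExecRunner) Run(name string, args ...string) error {
	out, err := exec.Command(name, args...).CombinedOutput()
	if err != nil {
		return fmt.Errorf("%s %s: %w: %s", name, strings.Join(args, " "), err, out)
	}
	return nil
}

type DryRunner struct{ Cmds []string }

func (d *DryRunner) Run(name string, args ...string) error {
	d.Cmds = append(d.Cmds, name+" "+strings.Join(args, " "))
	return nil
}

// ifNameMax is IFNAMSIZ-1: the kernel rejects interface names longer than 15
// bytes, so names derived from a long container identifier are truncated.
const ifNameMax = 15

// vethNames derives the first network card (host side, "vh-") and second
// network card (container side, "vc-") names from the container identifier.
func vethNames(containerID string) (host, cont string) {
	short := containerID
	if n := ifNameMax - len("vh-"); len(short) > n {
		short = short[:n]
	}
	return "vh-" + short, "vc-" + short
}

// AttachContainer creates the virtual network card pair, enslaves the first
// NIC to the bridge, moves the second NIC into the container's network
// namespace (addressed here by the container's PID) and records the bridge
// port to first-NIC mapping in ports (bridge port name -> container id).
func AttachContainer(r Runner, bridge, containerID string, pid int, ports map[string]string) (host, cont string, err error) {
	if containerID == "" {
		return "", "", errors.New("empty container identifier")
	}
	host, cont = vethNames(containerID)
	if owner, taken := ports[host]; taken {
		return "", "", fmt.Errorf("bridge port %s already mapped to container %s", host, owner)
	}
	pidStr := strconv.Itoa(pid)
	steps := []struct {
		name string
		args []string
	}{
		{"ip", []string{"link", "add", host, "type", "veth", "peer", "name", cont}},
		{"ip", []string{"link", "set", host, "master", bridge}},
		{"ip", []string{"link", "set", host, "up"}},
		{"ip", []string{"link", "set", cont, "netns", pidStr}},
		// after the move the second NIC is visible only inside the container namespace
		{"nsenter", []string{"-t", pidStr, "-n", "ip", "link", "set", cont, "up"}},
	}
	for _, s := range steps {
		if err := r.Run(s.name, s.args...); err != nil {
			// best-effort rollback: deleting one end of a veth pair removes both ends
			_ = r.Run("ip", "link", "del", host)
			return "", "", err
		}
	}
	ports[host] = containerID
	return host, cont, nil
}

func main() {
	dry := &DryRunner{}
	ports := map[string]string{}
	// constructed sample: long hex container id, bridge br-secdom, container pid 4242
	host, cont, err := AttachContainer(dry, "br-secdom", "3f2a9c0d1e7b4a5c6d7e8f90", 4242, ports)
	fmt.Println(host, cont, err)
	for _, c := range dry.Cmds {
		fmt.Println(c)
	}
}
```

Swapping `&DryRunner{}` for `ExecRunner{}` runs the same plan for real; that requires CAP_NET_ADMIN and an existing bridge. Assigning an address to the container-side interface is left to whatever configures the container's network from inside its namespace.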
In an optional embodiment, the secure network domain executor is specifically used to obtain the communication data from the interface of the virtual network card and to transmit it through the virtual network to the secure network domain executor deployed on the other service node, so that the other target container obtains the communication data from the secure network domain executor deployed on that other service node and from the virtual network card pair between the virtual network card and the other target container.
In an optional embodiment, the container executor is further specifically used to: if the transmission direction of the communication data is from the local container to the other target container, encrypt the communication data on the local container's network protocol stack with the encryption key in the communication key; and if the transmission direction is from the other target container to the local container, decrypt the communication data on the local container's network protocol stack with the decryption key in the communication key.
In an optional embodiment, the container executor is further specifically used to obtain the encryption key from target mapping relationship information according to the namespace address of the local container and the network card address of the local container, the target mapping relationship information comprising the namespace address of the local container, the network card address of the local container, and the encryption key and decryption key corresponding to that network card address; and to encrypt the data segment part of the communication data with the encryption key while that data segment is being encapsulated on the local container's network protocol stack.
In an optional embodiment, the container executor is further specifically used to obtain the decryption key from the target mapping relationship information, and to decrypt the data segment part of the communication data with the decryption key while that data segment is being decapsulated on the local container's network protocol stack.
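The following is an added Go example, not the patent's code, of the encapsulation and decapsulation hooks described in the embodiments above: a target mapping keyed by (namespace address, network card address) that yields direction-bound encryption and decryption keys, encryption of only the data segment while the protocol headers stay in the clear, and the matching decryption on the receiving container's node. The patent names no cipher; AES-256-GCM with the clear headers bound as additional authenticated data is an assumption of this example, as are the netns paths, MAC addresses, header bytes and key bytes, which are constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// KeyEntry is one row of the target mapping relationship information: the
// container's namespace address and network card address select these keys.
type KeyEntry struct {
	EncryptKey []byte // local container -> other target container
	DecryptKey []byte // other target container -> local container
}

// KeyMap indexes entries by {namespace address, network card address}.
type KeyMap map[[2]string]KeyEntry

func (m KeyMap) lookup(netns, mac string) (KeyEntry, error) {
	e, ok := m[[2]string{netns, mac}]
	if !ok {
		return KeyEntry{}, fmt.Errorf("no keys mapped for netns %s nic %s", netns, mac)
	}
	return e, nil
}

const nonceSize = 12 // standard AES-GCM nonce length

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealSegment encrypts only the data segment. The clear-text headers are bound
// as additional authenticated data, so a rewritten header fails decryption.
// Result layout: nonce || ciphertext || tag.
func sealSegment(key, hdr, segment []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	out := make([]byte, nonceSize, nonceSize+len(segment)+gcm.Overhead())
	if _, err := rand.Read(out); err != nil {
		return nil, err
	}
	return gcm.Seal(out, out[:nonceSize], segment, hdr), nil
}

func openSegment(key, hdr, sealed []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < nonceSize+gcm.Overhead() {
		return nil, errors.New("sealed segment too short")
	}
	return gcm.Open(nil, sealed[:nonceSize], sealed[nonceSize:], hdr)
}

// Encapsulate is the outbound hook: select the encryption key for the sending
// container and encrypt the data segment; the headers are emitted in the clear.
func Encapsulate(km KeyMap, netns, mac string, hdr, segment []byte) ([]byte, error) {
	e, err := km.lookup(netns, mac)
	if err != nil {
		return nil, err
	}
	sealed, err := sealSegment(e.EncryptKey, hdr, segment)
	if err != nil {
		return nil, err
	}
	return append(append([]byte{}, hdr...), sealed...), nil
}

// Decapsulate is the inbound hook: split off hdrLen bytes of clear header,
// select the decryption key for the receiving container and open the segment.
func Decapsulate(km KeyMap, netns, mac string, packet []byte, hdrLen int) ([]byte, error) {
	if len(packet) < hdrLen {
		return nil, errors.New("packet shorter than its header")
	}
	e, err := km.lookup(netns, mac)
	if err != nil {
		return nil, err
	}
	return openSegment(e.DecryptKey, packet[:hdrLen], packet[hdrLen:])
}

// DemoKeyMap returns the mapping held on each of the two service nodes for one
// domain: container A's encryption key is container B's decryption key and vice
// versa. Keys and addresses are constructed samples, not provisioning output.
func DemoKeyMap() (kmA, kmB KeyMap) {
	ab := []byte("0123456789abcdef0123456789abcdef") // A -> B, 32 bytes (AES-256)
	ba := []byte("fedcba9876543210fedcba9876543210") // B -> A
	kmA = KeyMap{{"/var/run/netns/cnt-a", "02:42:ac:11:00:02"}: {EncryptKey: ab, DecryptKey: ba}}
	kmB = KeyMap{{"/var/run/netns/cnt-b", "02:42:ac:12:00:02"}: {EncryptKey: ba, DecryptKey: ab}}
	return kmA, kmB
}

func main() {
	kmA, kmB := DemoKeyMap()
	hdr := []byte{0x45, 0x00, 0x00, 0x3c} // constructed clear-text header bytes
	pkt, _ := Encapsulate(kmA, "/var/run/netns/cnt-a", "02:42:ac:11:00:02", hdr, []byte("hello from container a"))
	seg, err := Decapsulate(kmB, "/var/run/netns/cnt-b", "02:42:ac:12:00:02", pkt, len(hdr))
	fmt.Printf("segment=%q err=%v\n", seg, err)
}
```

Because the two keys per entry are direction-bound, a node that tries to decrypt its own outbound packet with its decryption key fails, as does any packet whose clear header was modified in transit.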
In an optional embodiment, the secure network domain executor is further specifically used, if the service node determines that the configuration rule has been updated, to delete the virtual network card pair between the service node's virtual network bridge and the local container according to the updated configuration rule, or to establish a new virtual network card pair for the virtual network bridge.
In an optional embodiment, the secure network domain controller is further specifically used to convert the configuration rule, by protocol conversion, into commands.
Reference is now made to FIG. 7, which shows a schematic structural diagram of a computer system 700 suitable for implementing the service node of an embodiment of the present application.
As shown in FIG. 7, the computer system 700 includes a central processing unit (CPU) 701, which can perform various appropriate actions and processes according to a program stored in a read-only memory (ROM) 702 or a program loaded from a storage section 708 into a random access memory (RAM) 703. The RAM 703 also stores the various programs and data required for the operation of the system 700. The CPU 701, the ROM 702 and the RAM 703 are connected to each other via a bus 704. An input/output (I/O) interface 705 is also connected to the bus 704.
The following components are connected to the I/O interface 705: an input section 706 including a keyboard, a mouse and the like; an output section 707 including a cathode ray tube (CRT) or liquid crystal display (LCD), a speaker and the like; a storage section 708 including a hard disk and the like; and a communication section 709 including a network interface card such as a LAN card or a modem. The communication section 709 performs communication processing via a network such as the Internet. A drive 710 is also connected to the I/O interface 705 as needed. A removable medium 711, such as a magnetic disk, an optical disk, a magneto-optical disk or a semiconductor memory, is mounted on the drive 710 as needed, so that a computer program read from it can be installed into the storage section 708 as needed.
In particular, according to embodiments of the present disclosure, the processes described above with reference to FIGS. 2 to 6 may be implemented as a computer software program. For example, an embodiment of the present disclosure includes a computer program product comprising a computer program tangibly embodied on a machine-readable medium, the computer program containing program code for performing the methods of FIGS. 2 to 6. In such an embodiment, the computer program may be downloaded and installed from a network through the communication section 709 and/or installed from the removable medium 711.
The flowcharts and block diagrams in the accompanying drawings illustrate the possible architecture, functions and operation of systems, methods and computer program products according to various embodiments of the present invention. In this regard, each block in a flowchart or block diagram may represent a module, program segment or portion of code, which contains one or more executable instructions for implementing the specified logical function. It should also be noted that in some alternative implementations the functions noted in the blocks may occur in an order different from that shown in the drawings. For example, two blocks shown in succession may in fact be executed substantially in parallel, or sometimes in the reverse order, depending on the functions involved. It should also be noted that each block of the block diagrams and/or flowcharts, and combinations of blocks in the block diagrams and/or flowcharts, can be implemented by a dedicated hardware-based system that performs the specified functions or operations, or by a combination of dedicated hardware and computer instructions.
The units or modules involved in the embodiments described in the present application may be implemented in software or in hardware. The described units or modules may also be provided in a processor; for example, a processor may be described as comprising an XX unit, a YY unit and a ZZ unit. The names of these units or modules do not in some cases constitute a limitation on the units or modules themselves; for example, the XX unit may also be described as "a unit for XX".
In another aspect, the present application also provides a computer-readable storage medium, which may be the computer-readable storage medium included in the apparatus of the above embodiments, or a stand-alone computer-readable storage medium that is not assembled into a device. The computer-readable storage medium stores one or more programs, which are used by one or more processors to perform the container communication method described in the present application.
The above description is only a preferred embodiment of the present application and an explanation of the technical principles employed. Those skilled in the art should understand that the scope of the invention involved in the present application is not limited to technical solutions formed by the specific combination of the above technical features, but also covers other technical solutions formed by any combination of the above technical features or their equivalents without departing from the inventive concept, for example technical solutions formed by replacing the above features with technical features of similar function disclosed in (but not limited to) the present application.
Claims (12)
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202411074114.0A CN118590330B (en) | 2024-08-07 | 2024-08-07 | A communication method and service node for containers |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202411074114.0A CN118590330B (en) | 2024-08-07 | 2024-08-07 | A communication method and service node for containers |
Publications (2)
Publication Number | Publication Date |
---|---|
CN118590330A CN118590330A (en) | 2024-09-03 |
CN118590330B true CN118590330B (en) | 2024-10-01 |
Family ID: 92537040
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202411074114.0A Active CN118590330B (en) | 2024-08-07 | 2024-08-07 | A communication method and service node for containers |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN118590330B (en) |
Families Citing this family (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN119652644A (en) * | 2024-12-24 | 2025-03-18 | 新华三信息安全技术有限公司 | Security management method and device |
Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN112637037A (en) * | 2021-03-10 | 2021-04-09 | 北京瑞莱智慧科技有限公司 | Cross-region container communication system, method, storage medium and computer equipment |
CN115987778A (en) * | 2022-12-23 | 2023-04-18 | 安超云软件有限公司 | Container communication method based on Kubernetes cluster |
Family Cites Families (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US7966355B2 (en) * | 2007-02-13 | 2011-06-21 | Modu Ltd. | Interface for extending functionality of memory cards |
US20240103926A1 (en) * | 2022-09-28 | 2024-03-28 | Citrix Systems, Inc. | Systems and methods for managing autoscaled user space networking stack |
Timeline: 2024-08-07, CN application CN202411074114.0A, granted as CN118590330B, status Active
Similar Documents
Publication | Title |
---|---|
US11804984B2 (en) | Intelligent and dynamic overlay tunnel formation via automatic discovery of citrivity/SDWAN peer in the datapath in a pure plug and play environment with zero networking configuration |
JP7641276B2 (en) | Method, system, and computer-readable medium for providing a multi-tenant software-defined wide area network (SD-WAN) node |
US20220030095A1 (en) | Methods and apparatus for sharing and arbitration of host stack information with user space communication stacks |
CN113132201B (en) | Communication method and device between VPCs |
US10630654B2 (en) | Hardware-accelerated secure communication management |
US8032742B2 (en) | Dynamic updating of trusted certificates and certificate revocation lists in a computing system |
US10250571B2 (en) | Systems and methods for offloading IPSEC processing to an embedded networking device |
US11316837B2 (en) | Supporting unknown unicast traffic using policy-based encryption virtualized networks |
WO2019024880A1 (en) | Message sending method and network device |
US20040015966A1 (en) | Virtual machine operating system LAN |
CN108028827B (en) | Certificate management method and device in network function virtualization architecture |
US8042156B2 (en) | Mapping proprietary SSL APIs onto openssl APIs |
US20060002388A1 (en) | System and method for supporting secured communication by an aliased cluster |
CN114500351B (en) | Network performance test method, device, equipment and storage medium |
CN118590330B (en) | A communication method and service node for containers |
CN114362976A (en) | A bare metal docking storage method, device and system |
CN116647425B (en) | An IPSec-VPN implementation method, device, electronic device and storage medium of OVN architecture |
WO2023244914A1 (en) | Encryption network interface controller |
EP3288235B1 (en) | System and apparatus for enforcing a service level agreement (SLA) in a cloud environment using digital signatures |
US20240356909A1 (en) | Signing messages using public key cryptography and certificate verification |
US20240314209A1 (en) | Addressing and routing for devices using connectivity framework for embedded connectivity |
CN108111461A (en) | Method, apparatus, gateway and system for implementing virtual machine access to a management network |
KR101971995B1 (en) | Method for decrypting secure sockets layer for security |
CN117749785A (en) | Data transmission method and related equipment |
CN112994928B (en) | A virtual machine management method, device and system |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||