WO2025140263A1 - Traffic management method, service mesh system, apparatus, and cluster - Google Patents

Publication number
WO2025140263A1
Authority
WO
WIPO (PCT)
Prior art keywords
service
agent
tenant
data packet
configuration information
Legal status
Pending
Application number
PCT/CN2024/142165
Other languages
French (fr)
Chinese (zh)
Inventor
张伟
黄毽
张永明
Current Assignee
Huawei Cloud Computing Technologies Co Ltd
Original Assignee
Huawei Cloud Computing Technologies Co Ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L47/00 Traffic control in data switching networks
    • H04L47/10 Flow control; Congestion control
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L47/00 Traffic control in data switching networks
    • H04L47/10 Flow control; Congestion control
    • H04L47/12 Avoiding congestion; Recovering from congestion
    • H04L47/125 Avoiding congestion; Recovering from congestion by balancing the load, e.g. traffic engineering
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L47/00 Traffic control in data switching networks
    • H04L47/70 Admission control; Resource allocation
    • H04L47/78 Architectures of resource allocation
    • H04L47/783 Distributed allocation of resources, e.g. bandwidth brokers

Definitions

  • the present application relates to the field of data processing technology, and in particular to a traffic management method, a service mesh system, a device and a cluster.
  • the industry has proposed an ambient mode service mesh technology.
  • the ambient mode is also called the sidecarless mode. It splits the functions of the sidecar into the transport layer proxy and the application layer proxy. The transport layer proxy and the application layer proxy are separated from the container group, thus avoiding the defect that the sidecar increases the workload of the node where the container group is located.
  • each tenant has an exclusive application layer proxy, and one application layer proxy is only used to manage the traffic of one tenant's service. Since each application layer proxy occupies independent computing resources, a large number of computing resources will inevitably be idle during the idle phase of the tenant's business, resulting in low computing resource utilization.
  • the embodiments of the present application provide a traffic management method, a service mesh system, a device and a cluster, which can improve the computing resource utilization of the service mesh system.
  • a traffic management method is provided, which is applied to a service mesh system, wherein the service mesh system includes a first service node and an agent cluster; wherein the first service node runs a first transport layer L4 agent and a first service container group of a first tenant; the agent cluster runs a first application layer L7 agent, the first L7 agent includes configuration information of multiple services, different services in the multiple services belong to the same tenant or different tenants, and the configuration information of the service is used by the first L7 agent to perform traffic management on data packets of the service; the method includes: the first L4 agent receives a first data packet sent by the first service container group; the first L4 agent sends an identifier of the first tenant and the first data packet to the first L7 agent; the first L7 agent identifies the configuration information of the first service in the configuration information of multiple services based on the identifier of the first tenant, and the first service belongs to the first tenant; the first L7 agent performs traffic management on the first data packet based on the configuration information of the
  • the same L7 agent can include the configuration information of services of multiple tenants.
  • the L7 agent obtains the identifier of the tenant, and obtains the configuration information of the services of the tenant from the configuration information of the services of multiple tenants based on the identifier of the tenant, and then can perform traffic management on the data packets of the services of the tenant based on the configuration information of the services of the tenant.
  • the same L7 agent can perform traffic management on the data packets of the services of multiple tenants, realizing multi-tenant sharing of the L7 agent. Multi-tenant sharing of the L7 agent can improve the computing resource utilization of the L7 agent, reduce the scheduling pressure of the L7 agent, etc., for the following reasons.
  • the idle phases of the services of different tenants are often not completely consistent, that is, the idle phases of different tenants are usually different.
  • the services of some tenants are in the idle phase
  • the services of other tenants may be in the busy phase.
  • the L7 agent can be prevented from being idle, thereby improving the computing resource utilization of the L7 agent.
  • multiple tenants share the L7 proxy, so each tenant does not need to create its own L7 proxy, which reduces the number of L7 proxies in the service mesh system. This not only reduces the computing resources required to deploy L7 proxies in the service mesh system, but also reduces the scheduling pressure on the L7 proxies.
  • the L7 proxy is shared by multiple tenants, which means that there is no need to create L7 proxies at the tenant level.
  • the administrator of the service mesh system can pre-create one or more L7 proxies in the proxy cluster.
  • the service mesh system console can send the configuration information of the service to the L7 proxy, so that the L7 proxy can manage the traffic of the service's data packets based on that configuration information. This improves the timeliness of traffic management for new services.
  • the L7 proxy is shared by multiple tenants rather than exclusive to one tenant, which allows L7 proxies to be created uniformly by the administrator and the redundancy of service configuration information to be controlled.
  • the service mesh system console can send the configuration information of the service to N L7 proxies, where N is an integer greater than or equal to 1, and the size of N can be set by the administrator. This avoids storing the configuration information of the service in the L7 proxies with high redundancy, saving the memory resources of the L7 proxies.
  • the first service node also runs a second service container group of a second tenant; the method includes: a first L4 agent receives a second data packet sent by the second service container group; the first L4 agent sends an identifier of the second tenant and the second data packet to a first L7 agent; the first L7 agent identifies, based on the identifier of the second tenant, configuration information of the second service in configuration information of multiple services, and the second service belongs to the second tenant; the first L7 agent performs traffic management on the second data packet based on the configuration information of the second service.
  • the first L7 agent can perform traffic management on the data packets of the first tenant's service and the data packets of the second tenant's service.
  • the first tenant and the second tenant can share the first L7 agent, thereby improving the computing resource utilization of the first L7 agent and reducing the scheduling pressure of the L7 agent.
  • the first service includes a service corresponding to the first data packet and other services; the first L7 agent performs traffic management on the first data packet based on the configuration information of the first service, including: the first L7 agent identifies the configuration information of the service corresponding to the first data packet in the configuration information of the first service based on an identifier of the service corresponding to the first data packet; the first L7 agent performs traffic management on the first data packet based on the configuration information of the service corresponding to the first data packet.
  • the L4 proxy can identify the L7 proxy that includes the configuration information of the first tenant's service from the multiple L7 proxies based on the tenant's identifier, so that the data packets of the first tenant's service can be sent to the L7 proxy that includes the configuration information of the first tenant's service, and then the traffic management of the data packets of the first tenant's service can be performed through the L7 proxy.
  • the L4 agent 130 may select a target L7 agent for the data packet 111 from the multiple L7 proxies.
  • the target L7 proxy of the data packet 111 can be obtained.
  • the L7 agent may perform traffic management on the data packet 111 based on the configuration information of the service of the tenant A1 identified in step 606 .
  • the data packet 111 is a data packet of the service A11 of the tenant A1. If the configuration information of the service of the tenant A1 identified in step 606 is the configuration information of the service A11, then in step 607, the traffic management of the data packet 111 can be performed directly based on the configuration information of the service of the tenant A1 identified in step 606.
  • the configuration information of the service of tenant A1 identified in step 606 includes configuration information of other services of tenant A1 in addition to the configuration information of service A11
  • the configuration information of service A11 is first identified from the configuration information of the service of tenant A1 identified in step 606. Then, traffic management is performed on data packet 111 based on the configuration information of service A11.
  • data packet 111 includes the identifier of the service requested by data packet 111, that is, the identifier of service A11.
  • L7 agent 310 can parse data packet 111 to obtain the identifier of service A11. Then, based on the identifier of service A11, L7 agent 310 identifies the configuration information of service A11 in the configuration information of the service of tenant A1 identified in step 606. Specifically, as described above, the identifier of the service and the configuration information of the service have an associated relationship. L7 agent 310 can identify the configuration information of service A11 based on the associated relationship and the identifier of service A11.
  • the traffic management of the data packet 111 by the L7 agent 310 may include: selecting a target service instance of the data packet 111.
  • the data packet 111 is a service request
  • the L7 agent 310 may select a service instance for executing the service request.
  • the L7 agent 310 may be set to select the service container group 210 as the target service instance of the data packet 111, that is, select the service container in the service container group 210 to process the data packet 111.
  • the L7 agent 310 may send the data packet 111 to the L4 agent (i.e., the L4 agent 230) in the service node (i.e., the service node 200) where the service container group 210 is located through step 608.
  • the L4 agent 230 may forward the received data packet 111 to the service container group 210.
  • the L4 agent 230 may send the data packet 111 to the service container group 210 through a DNAT operation.
  • the L4 agent 230 executes step 610 only when it is confirmed that the tenant A1 and the tenant to which the service container group 210 belongs are the same, thereby further ensuring the isolation between tenants.
  • in addition to supporting the services of tenant A1, L7 agent 310 also supports services of other tenants, such as services of tenant A2. That is, L7 agent 310 also includes configuration information of services of tenant A2.
  • the service container group 120 of tenant A2 can be set to run in the service node 100.
  • L4 agent 130 can send the data packet 121 and the identifier of tenant A2 to L7 agent 310.
  • L7 agent 310 can identify the configuration information of tenant A2 in the configuration information of multiple services included in L7 agent 310 based on the identifier of tenant A2. Then, L7 agent 310 can perform traffic management on data packet 121 based on the configuration information of tenant A2.
  • L7 agent 310 selects service container group 220 in service node 200 as the target service instance of data packet 121.
  • L7 agent 310 sends data packet 121 and the identifier of tenant A2 to L4 agent 230.
  • when the L4 proxy 230 confirms, based on the identifier of the tenant A2, that the service container group 220 belongs to the tenant A2, it sends the data packet 121 to the service container group 220.
  • the same L7 proxy can manage the traffic of data packets of services of multiple tenants, realizing multi-tenant sharing of L7 proxy. This can improve the computing resource utilization of L7 proxy and reduce the scheduling pressure of L7 proxy.
  • an embodiment of the present application also provides a traffic management method.
  • the method can be performed by a first L7 agent in a service mesh system.
  • the service mesh system includes a first service node and a proxy cluster; wherein the first service node runs a first L4 agent and a first service container group of a first tenant; the first L7 agent runs in the proxy cluster, and the first L7 agent includes configuration information of multiple services, different services in the multiple services belong to the same tenant or different tenants, and the configuration information of the service is used by the first L7 agent to perform traffic management on the data packets of the service.
  • the service mesh system here can be the service mesh system shown in Figure 1
  • the proxy cluster can be the proxy cluster 300 described above
  • the first L7 agent can specifically be the L7 agent 310 described above
  • the first service node can be the service node 100 described above
  • the first L4 agent can be the L4 agent 130 described above
  • the first tenant can be the tenant A1 described above.
  • the method includes the following steps.
  • Step 701: the first L7 agent receives the identifier of the first tenant and the first data packet sent by the first L4 agent, where the first data packet is received by the first L4 agent from the first service container group.
  • the first service container group may be the service container group 110 described above, and the first data packet may be the data packet 111 described above.
  • the specific implementation of step 701 may refer to the introduction of steps 601 to 605 in FIG. 6 above, and will not be repeated here.
  • Step 702: the first L7 agent identifies configuration information of a first service from the configuration information of the plurality of services based on the identifier of the first tenant, and the first service belongs to the first tenant.
  • the specific implementation of step 702 can refer to the introduction of step 606 in FIG. 6 above, which will not be repeated here.
  • Step 703: the first L7 agent performs traffic management on the first data packet based on the configuration information of the first service.
  • the specific implementation of step 702 can refer to the above description of step 607 in FIG. 6, which will not be repeated here.
  • the first service node also runs a second service container group of a second tenant; the method includes: the first L7 agent receives the identifier of the second tenant and a second data packet sent by the first L4 agent, the second data packet is received by the first L4 agent from the second service container group; the first L4 agent sends the identifier of the second tenant and the second data packet to the first L7 agent; the first L7 agent identifies the configuration information of the second service in the configuration information of the plurality of services based on the identifier of the second tenant, the second service belongs to the second tenant; the first L7 agent performs traffic management on the second data packet based on the configuration information of the second service.
  • the second tenant may be the tenant A2 described above
  • the second service container group may be the service container group 120 described above
  • the second data packet may be the data packet 121 described above.
  • the first service includes the service corresponding to the first data packet and other services; the first L7 agent performs traffic management on the first data packet based on the configuration information of the first service, including: the first L7 agent identifies the configuration information of the service corresponding to the first data packet in the configuration information of the first service based on the identifier of the service corresponding to the first data packet; the first L7 agent performs traffic management on the first data packet based on the configuration information of the service corresponding to the first data packet.
  • the service corresponding to the first data packet may be the service A11 described above.
  • the proxy cluster corresponding to the service of the first data packet also runs a second L7 proxy, and the second L7 proxy includes configuration information of at least one service; the first L7 proxy receives the identifier of the first tenant and the first data packet sent by the first L4 proxy, including: when the number of services belonging to the first tenant in the multiple services is greater than the number of services belonging to the first tenant in the at least one service, the first L7 proxy receives the identifier of the first tenant and the first data packet sent by the first L4 proxy.
  • the second L7 proxy can be the L7 proxy 320 described above.
  • the specific implementation method of this embodiment can refer to the above introduction to steps 603-605 in Figure 6, which will not be repeated here.
  • the proxy cluster also runs a second L7 proxy, and the second L7 proxy also includes the configuration information of the first service; the first L7 proxy receives the identifier of the first tenant and the first data packet sent by the first L4 proxy, including: when the load of the second L7 proxy is greater than the load of the first L7 proxy, the first L7 proxy receives the identifier of the first tenant and the first data packet sent by the first L4 proxy.
  • the second L7 proxy can be the L7 proxy 320 described above. The specific implementation of this embodiment can refer to the above introduction to steps 603-605 in Figure 6, which will not be repeated here.
  • the service mesh system further comprises: a console connected to the proxy cluster; the method further comprises: the first L7 proxy receives and records configuration information of two or more services from the console; wherein the two or more services belong to the same tenant, or the output of one of the two or more services is the input of another service.
  • the specific implementation of this embodiment can refer to the above description of the embodiments shown in Figures 3 to 5, which will not be repeated here.
  • the service grid system further includes a second service node, the second service node running a second L4 agent and a third service container group; the first L7 agent performs traffic management on the first data packet based on the configuration information of the first service, including: the first L7 agent selects the third service container group as the target container group of the first data packet; the first L7 agent sends the first data packet and the identifier of the first tenant to the second L4 agent; wherein the second L4 agent is used to: confirm that the tenants to which the first tenant and the third service container group belong are the same tenant based on the identifier of the first tenant; and send the first data packet to the third service container group.
  • the second service node may be the service node 200 described above, and the third service container group may also be the service container group 210 described above. The specific implementation of this embodiment can refer to the above description of steps 608-610 in FIG. 6, which will not be repeated here.
  • the same L7 agent can include the configuration information of services of multiple tenants.
  • the L7 agent obtains the identifier of the tenant, and obtains the configuration information of the tenant's services from the configuration information of the services of multiple tenants based on the identifier of the tenant, and then can perform traffic management on the data packets of the tenant's services based on the configuration information of the tenant's services.
  • the same L7 agent can perform traffic management on the data packets of the services of multiple tenants, realizing multi-tenant sharing of the L7 agent. Multi-tenant sharing of the L7 agent can improve the computing resource utilization of the L7 agent, reduce the scheduling pressure of the L7 agent, etc.
  • an embodiment of the present application provides a traffic management device 800.
  • the device 800 is configured in a first L7 agent in a service mesh system, and the service mesh system includes a first service node and a proxy cluster; the first service node runs a first L4 agent and a first service container group of a first tenant; the first L7 agent runs in the proxy cluster, and the first L7 agent includes configuration information of multiple services, different services in the multiple services belong to the same tenant or different tenants, and the configuration information of the service is used by the first L7 agent to perform traffic management on the data packets of the service.
  • the device 800 includes:
  • a receiving module 810 is configured to receive an identifier of the first tenant and a first data packet sent by the first L4 agent, where the first data packet is received by the first L4 agent from the first service container group;
  • an identification module 820 configured to identify, based on the identifier of the first tenant, configuration information of a first service from the configuration information of the plurality of services, the first service belonging to the first tenant;
  • the management module 830 is used to perform traffic management on the first data packet based on the configuration information of the first service.
  • the first service node also runs a second service container group of a second tenant; the receiving module 810 is also used to: receive the identifier of the second tenant and a second data packet sent by the first L4 agent, the second data packet is received by the first L4 agent from the second service container group; the identification module 820 is also used to: based on the identifier of the second tenant, identify the configuration information of the second service in the configuration information of the multiple services, the second service belongs to the second tenant; the management module 830 is also used to: based on the configuration information of the second service, perform traffic management on the second data packet.
  • the first service includes the service corresponding to the first data packet and other services; the management module 830 is used to: based on the identifier of the service corresponding to the first data packet, identify the configuration information of the service corresponding to the first data packet in the configuration information of the first service; based on the configuration information of the service corresponding to the first data packet, perform traffic management on the first data packet.
  • the proxy cluster also runs a second L7 agent, which includes configuration information of at least one service; the receiving module 810 is used to: when the number of services belonging to the first tenant in the multiple services is greater than the number of services belonging to the first tenant in the at least one service, receive the identifier of the first tenant and the first data packet sent by the first L4 agent.
  • the proxy cluster also runs a second L7 proxy, which also includes configuration information of the first service; the receiving module 810 is used to: when the load of the second L7 proxy is greater than the load of the first L7 proxy, receive the identifier of the first tenant and the first data packet sent by the first L4 agent.
  • the service mesh system also includes: a console connected to the proxy cluster; the receiving module 810 is used to: receive and record configuration information of two or more services from the console; wherein the two or more services belong to the same tenant, or the output of one of the two or more services is the input of another service.
  • Processor 904 may include any one or more of a central processing unit (CPU), a graphics processing unit (GPU), a microprocessor (MP) or a digital signal processor (DSP).
  • the embodiment of the present application also provides another computing device cluster.
  • the connection relationship between the computing devices in the computing device cluster can be similar to the connection mode of the computing device cluster described in Figures 10 and 11.
  • the difference is that the memory 906 in one or more computing devices 900 in the computing device cluster can store the same instructions for executing the method shown in Figure 7.
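
The tenant-scoped path described in the list above, as an added Go example that is not code from the patent or from any product: the source L4 agent picks an L7 proxy, the shared L7 proxy resolves configuration by tenant identifier and then by service identifier, and the destination L4 agent delivers only when the target container group belongs to the same tenant. All type and function names, the `group-210`-style labels and the sample data are assumptions, as is combining the configuration-count and load criteria into one selection rule.

```go
package main

import (
	"errors"
	"fmt"
)

// Hypothetical types for this example; the page defines no data structures.
type ServiceConfig struct{ Targets []string } // candidate container groups
type Packet struct{ Service string }          // service identifier in the packet

// L7Proxy is shared by tenants; Configs is keyed by tenant, then by service.
type L7Proxy struct {
	Load    int
	Configs map[string]map[string]ServiceConfig
}

var (
	ErrNoProxy        = errors.New("no L7 proxy holds configuration for this tenant")
	ErrUnknownService = errors.New("service not configured for this tenant")
	ErrTenantMismatch = errors.New("target container group belongs to another tenant")
)

// SelectL7 is the source L4 agent's choice of target L7 proxy: the one holding
// the most service configurations of the tenant, lower load on a tie.
// Combining the two criteria is an assumption made for this example.
func SelectL7(proxies []*L7Proxy, tenant string) (*L7Proxy, error) {
	var best *L7Proxy
	for _, p := range proxies {
		n := len(p.Configs[tenant])
		if n > 0 && (best == nil || n > len(best.Configs[tenant]) ||
			(n == len(best.Configs[tenant]) && p.Load < best.Load)) {
			best = p
		}
	}
	if best == nil {
		return nil, ErrNoProxy
	}
	return best, nil
}

// Route resolves the tenant first, then the service named in the packet.
func (p *L7Proxy) Route(tenant string, pkt Packet) (string, error) {
	cfg, ok := p.Configs[tenant][pkt.Service]
	if !ok || len(cfg.Targets) == 0 {
		return "", ErrUnknownService
	}
	return cfg.Targets[0], nil // first target; load balancing is out of scope
}

// DestL4 is the destination node's L4 agent; Owners maps group to tenant.
type DestL4 struct{ Owners map[string]string }

// Deliver accepts the packet only if the asserted tenant owns the target group.
func (d *DestL4) Deliver(tenant, group string) error {
	if owner, ok := d.Owners[group]; !ok || owner != tenant {
		return ErrTenantMismatch
	}
	return nil // the page then forwards to the container group via DNAT
}

// Forward runs the whole path. The tenant identifier is supplied by the
// source L4 agent next to the packet; it is never read from the packet.
func Forward(proxies []*L7Proxy, dest *DestL4, tenant string, pkt Packet) (string, error) {
	l7, err := SelectL7(proxies, tenant)
	if err != nil {
		return "", err
	}
	group, err := l7.Route(tenant, pkt)
	if err == nil {
		err = dest.Deliver(tenant, group)
	}
	if err != nil {
		return "", err
	}
	return group, nil
}

// SampleMesh returns constructed data that reuses the page's reference numerals.
func SampleMesh() ([]*L7Proxy, *DestL4) {
	type cfgs = map[string]map[string]ServiceConfig
	to := func(g string) ServiceConfig { return ServiceConfig{Targets: []string{g}} }
	// "A2x" is a deliberately wrong entry: tenant A2's config points at A1's group.
	p310 := &L7Proxy{Load: 5, Configs: cfgs{
		"A1": {"A11": to("group-210"), "A12": to("group-210")},
		"A2": {"A21": to("group-220"), "A2x": to("group-210")},
	}}
	p320 := &L7Proxy{Load: 1, Configs: cfgs{"A1": {"A11": to("group-210")}}}
	dest := &DestL4{Owners: map[string]string{"group-210": "A1", "group-220": "A2"}}
	return []*L7Proxy{p310, p320}, dest
}

func main() {
	proxies, dest := SampleMesh()
	for _, c := range [][2]string{{"A1", "A11"}, {"A2", "A11"}, {"A2", "A2x"}, {"A3", "A11"}} {
		group, err := Forward(proxies, dest, c[0], Packet{Service: c[1]})
		fmt.Printf("tenant=%s service=%s group=%q err=%v\n", c[0], c[1], group, err)
	}
}
```

The `A2x` case shows what the destination-side check is for: a wrong entry in a shared proxy's configuration is stopped at delivery instead of reaching another tenant's container group.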

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

Provided in the present application are a traffic management method, a service mesh system, an apparatus, and a cluster. The method comprises: a first L4 agent receiving a first data packet sent by a first service container group; the first L4 agent sending an identifier of a first tenant and the first data packet to a first L7 agent; the first L7 agent identifying configuration information of a first service among configuration information of a plurality of services on the basis of the identifier of the first tenant, wherein the first service belongs to the first tenant; and the first L7 agent performing traffic management on the first data packet on the basis of the configuration information of the first service. The method can increase a computing resource utilization rate of a service mesh system.

Description

Traffic management method, service mesh system, device and cluster

This application claims priority to the Chinese patent application filed with the China National Intellectual Property Administration on December 25, 2023, with application number 202311817785.7 and entitled "A service mesh system", and to the Chinese patent application filed with the China National Intellectual Property Administration on March 6, 2024, with application number 202410256865.8 and entitled "Traffic management method, service mesh system, device and cluster", the entire contents of which are incorporated into this application by reference.

Technical Field

The present application relates to the field of data processing technology, and in particular to a traffic management method, a service mesh system, a device and a cluster.

Background Art

Currently, typical service mesh technology uses sidecars to implement traffic management between services, such as traffic routing, load balancing, and traffic control. Sidecars are injected into container groups, and installing or upgrading a sidecar requires restarting the container group, which increases the workload of the node where the container group is located.

The industry has proposed an ambient mode service mesh technology. The ambient mode, also called the sidecarless mode, splits the functions of the sidecar into a transport layer proxy and an application layer proxy. The transport layer proxy and the application layer proxy are separated from the container group, which avoids the drawback that the sidecar increases the workload of the node where the container group is located.

In the existing ambient mode, each tenant has an exclusive application layer proxy, and one application layer proxy is used only to manage the traffic of one tenant's services. Since each application layer proxy occupies independent computing resources, a large amount of computing resources is inevitably idle during the idle phase of the tenant's business, resulting in low computing resource utilization.

发明内容Summary of the invention

本申请实施例提供了一种流量管理方法、服务网格系统、装置及集群,可以提升服务网格系统的计算资源利用率。The embodiments of the present application provide a traffic management method, a service grid system, a device and a cluster, which can improve the computing resource utilization of the service grid system.

第一方面,提供了一种流量管理方法,该方法应用于服务网格系统,服务网格系统包括第一业务节点和代理集群;其中,第一业务节点运行有第一传输层L4代理和第一租户的第一业务容器组;代理集群运行有第一应用层L7代理,第一L7代理包括多个服务的配置信息,多个服务中的不同服务属于同一租户或不同租户,服务的配置信息用于第一L7代理对服务的数据包进行流量管理;该方法包括:第一L4代理接收第一业务容器组发出的第一数据包;第一L4代理将第一租户的标识和第一数据包发送至第一L7代理;第一L7代理基于第一租户的标识,在多个服务的配置信息中识别第一服务的配置信息,第一服务属于第一租户;第一L7代理基于第一服务的配置信息,对第一数据包进行流量管理。In a first aspect, a traffic management method is provided, which is applied to a service grid system, wherein the service grid system includes a first service node and an agent cluster; wherein the first service node runs a first transport layer L4 agent and a first service container group of a first tenant; the agent cluster runs a first application layer L7 agent, the first L7 agent includes configuration information of multiple services, different services in the multiple services belong to the same tenant or different tenants, and the configuration information of the service is used by the first L7 agent to perform traffic management on data packets of the service; the method includes: the first L4 agent receives a first data packet sent by the first service container group; the first L4 agent sends an identifier of the first tenant and the first data packet to the first L7 agent; the first L7 agent identifies the configuration information of the first service in the configuration information of multiple services based on the identifier of the first tenant, and the first service belongs to the first tenant; the first L7 agent performs traffic management on the first data packet based on the configuration information of the first service.

With the method of the first aspect, a single L7 proxy can hold configuration information for the services of multiple tenants. When a data packet of a tenant's service needs traffic management, the L7 proxy obtains that tenant's identifier, uses it to retrieve the tenant's service configuration information from among the configuration information of multiple tenants' services, and then performs traffic management on the packet based on that configuration information. The same L7 proxy can thus manage traffic for the service data packets of multiple tenants, so that tenants share the L7 proxy. Sharing an L7 proxy among tenants improves the proxy's computing resource utilization, reduces the scheduling pressure on L7 proxies, and so on, for the following reasons.

First, the idle phases of different tenants' businesses rarely coincide exactly; that is, different tenants are usually idle at different times. While some tenants' businesses are idle, others may be busy, which keeps the L7 proxy from sitting idle and improves its computing resource utilization.

Second, when multiple tenants share an L7 proxy, each tenant no longer needs to create its own, which reduces the number of L7 proxies in the service mesh system. This lowers both the computing resources needed to deploy L7 proxies in the service mesh system and the scheduling pressure on L7 proxies.

In addition, because L7 proxies are shared by multiple tenants, they need not be created per tenant. The administrator of the service mesh system can create one or more L7 proxies in the proxy cluster in advance. Whenever a new service is created, the console of the service mesh system can send the service's configuration information to an L7 proxy, which can then perform traffic management on the service's data packets based on that configuration information. This makes traffic management for new services more timely.

Moreover, because an L7 proxy is shared by multiple tenants rather than dedicated to one, L7 proxies can be created centrally by the administrator, and the redundancy of service configuration information can be controlled. Specifically, whenever a new service is created, the console of the service mesh system can send the service's configuration information to N L7 proxies, where N is an integer greater than or equal to 1 whose value can be set by the administrator. This avoids storing service configuration information in L7 proxies with high redundancy and saves L7 proxy memory.

In a possible implementation, the first service node also runs a second service container group of a second tenant, and the method includes: the first L4 proxy receives a second data packet sent by the second service container group; the first L4 proxy sends an identifier of the second tenant and the second data packet to the first L7 proxy; the first L7 proxy identifies, based on the identifier of the second tenant, configuration information of a second service among the configuration information of the multiple services, the second service belonging to the second tenant; and the first L7 proxy performs traffic management on the second data packet based on the configuration information of the second service.

In this implementation, the first L7 proxy can perform traffic management on data packets of the first tenant's services and of the second tenant's services. In other words, the first tenant and the second tenant can share the first L7 proxy, which improves the computing resource utilization of the first L7 proxy, reduces the scheduling pressure on L7 proxies, and so on.

In a possible implementation, the first service includes the service corresponding to the first data packet and other services, and the first L7 proxy performing traffic management on the first data packet based on the configuration information of the first service includes: the first L7 proxy identifies, based on an identifier of the service corresponding to the first data packet, the configuration information of that service within the configuration information of the first service; and the first L7 proxy performs traffic management on the first data packet based on the configuration information of the service corresponding to the first data packet.

The first L7 proxy can perform traffic management on data packets of multiple services of the first tenant. When the first L7 proxy needs to manage traffic for a data packet of a given service, it can use that service's identifier to find the service's configuration information among the configuration information of the first tenant's services, and then perform traffic management on the packet based on that configuration information.

In a possible implementation, the proxy cluster runs multiple L7 proxies, and the first L4 proxy sending the identifier of the first tenant and the first data packet to the first L7 proxy includes: the first L4 proxy identifies, based on the identifier of the first tenant, the L7 proxies among the multiple L7 proxies that include configuration information of the first tenant's services; and the first L4 proxy identifies, based on the identifier of the service corresponding to the first data packet, the L7 proxy among those that includes the configuration information of the service corresponding to the first data packet, thereby obtaining the first L7 proxy.

When the proxy cluster runs multiple L7 proxies, the L4 proxy can use the tenant's identifier to identify, among those L7 proxies, the ones that include configuration information of the first tenant's services. It can then send data packets of the first tenant's services to such an L7 proxy, which performs traffic management on them.

In a possible implementation, the proxy cluster also runs a second L7 proxy that includes configuration information of at least one service, and the first L4 proxy sending the identifier of the first tenant and the first data packet to the first L7 proxy includes: when the number of services belonging to the first tenant among the multiple services is greater than the number of services belonging to the first tenant among the at least one service, the first L4 proxy sends the identifier of the first tenant and the first data packet to the first L7 proxy.

For ease of description, an L7 proxy that includes a service's configuration information is said to support that service. Preferring the L7 proxy that supports more of the first tenant's services when managing traffic for the first tenant's service data packets can save data transmission between the first tenant's service container groups, for the following reasons.

Two or more services of the same tenant may execute sequentially, that is, the output of one service is the input of the next. When an L7 proxy performs traffic management on data packets of two or more services of the same tenant, those services share a routing cache. The routing cache stores the addresses of the target service instances (that is, one or more specific service container groups) of the two or more services. When the two or more services can be provided by the same service container group, sharing the addresses in the routing cache lets the L7 proxy send their data packets to the same target service instance, so that the packets are scheduled to the same service container group. The data packets of the two or more services can then be processed within one service container group, which saves data transmission between service container groups.

The more of the first tenant's services an L7 proxy supports, the more likely it is to support two or more of the first tenant's sequentially executed services, and the service that needs traffic management may be one of those two or more services. Preferring the L7 proxy that supports more of the first tenant's services therefore raises the probability that data packets of two or more of the first tenant's services are processed by the same service container group, which saves data transmission between service container groups.

In a possible implementation, the proxy cluster also runs a second L7 proxy that also includes the configuration information of the first service, and the first L4 proxy sending the identifier of the first tenant and the first data packet to the first L7 proxy includes: when the load of the second L7 proxy is greater than the load of the first L7 proxy, the first L4 proxy sends the identifier of the first tenant and the first data packet to the first L7 proxy.

In this implementation, the L7 proxy with the lower load is preferred for the service that currently needs traffic management, which keeps the load balanced across the multiple L7 proxies and improves their overall resource utilization.
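The selection rules described above (filter by tenant identifier, then by service identifier, prefer the proxy supporting more of the tenant's services, prefer the lower load) can be sketched as follows. This is an added example, not code from the patent. The type and function names, the sample proxies and the order in which the two preferences are combined are assumptions; the text presents them as separate possible implementations.

```go
package main

import (
	"errors"
	"fmt"
	"sort"
)

// L7Info is what an L4 proxy knows about one shared L7 proxy
// (hypothetical type; the patent does not define a data model).
type L7Info struct {
	Name     string
	Load     int                            // current load, arbitrary units
	Services map[string]map[string]struct{} // tenant ID -> service IDs configured on this proxy
}

// ErrNoProxy means no L7 proxy supports this tenant's service; the caller should not forward.
var ErrNoProxy = errors.New("no L7 proxy holds configuration for this tenant and service")

func set(ids ...string) map[string]struct{} {
	s := make(map[string]struct{}, len(ids))
	for _, id := range ids {
		s[id] = struct{}{}
	}
	return s
}

// SelectL7 picks the L7 proxy for a packet identified by (tenantID, serviceID).
func SelectL7(proxies []L7Info, tenantID, serviceID string) (string, error) {
	var candidates []L7Info
	for _, p := range proxies {
		svcs, ok := p.Services[tenantID] // step 1: proxy must hold config for this tenant
		if !ok {
			continue
		}
		if _, ok := svcs[serviceID]; !ok { // step 2: and for this service of this tenant
			continue
		}
		candidates = append(candidates, p)
	}
	if len(candidates) == 0 {
		return "", ErrNoProxy
	}
	sort.SliceStable(candidates, func(i, j int) bool {
		ni := len(candidates[i].Services[tenantID])
		nj := len(candidates[j].Services[tenantID])
		if ni != nj {
			return ni > nj // affinity: more of the tenant's services first
		}
		return candidates[i].Load < candidates[j].Load // then the lower load
	})
	return candidates[0].Name, nil
}

// sampleProxies returns constructed sample data for the example.
func sampleProxies() []L7Info {
	return []L7Info{
		{Name: "l7-a", Load: 70, Services: map[string]map[string]struct{}{
			"tenant-1": set("cart", "orders", "pay"),
			"tenant-2": set("search"),
		}},
		{Name: "l7-b", Load: 20, Services: map[string]map[string]struct{}{
			"tenant-1": set("orders"),
		}},
		{Name: "l7-c", Load: 10, Services: map[string]map[string]struct{}{
			"tenant-1": set("cart", "orders", "pay"),
		}},
		{Name: "l7-d", Load: 5, Services: map[string]map[string]struct{}{
			"tenant-2": set("search", "orders"),
		}},
	}
}

func main() {
	ps := sampleProxies()
	queries := [][2]string{
		{"tenant-1", "orders"}, {"tenant-2", "search"}, {"tenant-2", "orders"}, {"tenant-2", "cart"},
	}
	for _, q := range queries {
		name, err := SelectL7(ps, q[0], q[1])
		fmt.Printf("%s/%s -> %q (err: %v)\n", q[0], q[1], name, err)
	}
}
```

Because the lookup is keyed by tenant first, `tenant-2/orders` never lands on a proxy that only holds `orders` for `tenant-1`, and a service the tenant does not own returns an error instead of a fallback proxy.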

In a possible implementation, the service mesh system also includes a console connected to the proxy cluster, and the method also includes: the console sends configuration information of two or more services to the same L7 proxy in the proxy cluster, wherein the two or more services belong to the same tenant, or the output of one of the two or more services is the input of another.

Sending the configuration information of two or more services that must execute sequentially to the same L7 proxy lets that one proxy manage traffic for the data packets of all of them. Their data packets can then be scheduled to, and processed by, the same service container group, which saves data transmission between service container groups.

In a possible implementation, the proxy cluster runs multiple L7 proxies, wherein, among the multiple L7 proxies, the same L7 proxy includes configuration information of the fewest services, or the same L7 proxy includes configuration information of the fewest tenants.

In this implementation, when selecting an L7 proxy to support a newly created service, the L7 proxy that supports fewer services is preferred, which keeps the load balanced across the multiple L7 proxies. Alternatively, the L7 proxy that supports fewer tenants is preferred, which prevents one L7 proxy from becoming the affinity L7 proxy of multiple tenants at the same time and thus from being overloaded.

In a possible implementation, the service mesh system also includes a second service node that runs a second L4 proxy and a third service container group. The first L7 proxy performing traffic management on the first data packet based on the configuration information of the first service includes: the first L7 proxy selects the third service container group as the target container group of the first data packet; and the first L7 proxy sends the first data packet and the identifier of the first tenant to the second L4 proxy. The method also includes: the second L4 proxy confirms, based on the identifier of the first tenant, that the first tenant and the tenant to which the third service container group belongs are the same tenant; and the second L4 proxy sends the first data packet to the third service container group.

In this implementation, the L4 proxy on the outbound direction of the service mesh sends a data packet to the target service container group only after confirming that the tenant to which the packet belongs and the tenant to which the target service container group belongs are the same tenant. This guarantees isolation between tenants.
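The tenant-keyed configuration lookup in the shared L7 proxy and the tenant check in the destination-side L4 proxy can be sketched together as follows. This is an added example, not code from the patent. All type, function and error names and the sample addresses are assumptions, and the `reports` entry is a deliberately constructed misconfiguration that shows the check rejecting a cross-tenant target.

```go
package main

import (
	"errors"
	"fmt"
)

// ServiceConfig stands in for one service's traffic-management configuration (assumed shape).
type ServiceConfig struct {
	Endpoints []string // addresses of candidate target service container groups
}

// Packet carries the tenant identifier attached by the source L4 proxy.
type Packet struct {
	TenantID  string
	ServiceID string
	Payload   []byte
}

// SharedL7 holds configuration for several tenants: tenant ID -> service ID -> config.
type SharedL7 struct {
	configs map[string]map[string]ServiceConfig
}

// DestL4 is the L4 proxy on the destination node; it knows which tenant owns each local container group.
type DestL4 struct {
	podTenant map[string]string // container group address -> owning tenant ID
}

var (
	ErrUnknownTenant  = errors.New("no configuration for tenant")
	ErrUnknownService = errors.New("tenant has no configuration for service")
	ErrTenantMismatch = errors.New("target container group belongs to another tenant")
)

// Route resolves the target inside the packet's own tenant scope and fails closed otherwise.
func (p *SharedL7) Route(pkt Packet) (string, error) {
	tenantCfg, ok := p.configs[pkt.TenantID]
	if !ok {
		return "", ErrUnknownTenant
	}
	cfg, ok := tenantCfg[pkt.ServiceID]
	if !ok || len(cfg.Endpoints) == 0 {
		return "", ErrUnknownService
	}
	return cfg.Endpoints[0], nil // real traffic management would load-balance here
}

// Deliver forwards only when the packet's tenant owns the target container group.
func (d *DestL4) Deliver(pkt Packet, podAddr string) error {
	owner, ok := d.podTenant[podAddr]
	if !ok || owner != pkt.TenantID {
		return ErrTenantMismatch
	}
	return nil
}

// Forward runs the L7 routing step followed by the destination L4 check.
func Forward(l7 *SharedL7, l4 *DestL4, pkt Packet) (string, error) {
	addr, err := l7.Route(pkt)
	if err != nil {
		return "", err
	}
	if err := l4.Deliver(pkt, addr); err != nil {
		return "", err
	}
	return addr, nil
}

// sampleMesh returns constructed sample data: two tenants that both define a service named "orders".
func sampleMesh() (*SharedL7, *DestL4) {
	l7 := &SharedL7{configs: map[string]map[string]ServiceConfig{
		"tenant-1": {
			"orders":  {Endpoints: []string{"10.0.1.5"}},
			"billing": {Endpoints: []string{"10.0.1.7"}},
		},
		"tenant-2": {
			"orders":  {Endpoints: []string{"10.0.2.9"}},
			"reports": {Endpoints: []string{"10.0.1.7"}}, // constructed error: tenant-1's container group
		},
	}}
	l4 := &DestL4{podTenant: map[string]string{
		"10.0.1.5": "tenant-1", "10.0.1.7": "tenant-1", "10.0.2.9": "tenant-2",
	}}
	return l7, l4
}

func main() {
	l7, l4 := sampleMesh()
	for _, pkt := range []Packet{
		{TenantID: "tenant-1", ServiceID: "orders"},
		{TenantID: "tenant-2", ServiceID: "orders"},
		{TenantID: "tenant-2", ServiceID: "billing"},
		{TenantID: "tenant-2", ServiceID: "reports"},
	} {
		addr, err := Forward(l7, l4, pkt)
		fmt.Printf("%s/%s -> %q (err: %v)\n", pkt.TenantID, pkt.ServiceID, addr, err)
	}
}
```

The second check is independent of the L7 proxy's configuration, so a wrong endpoint in one tenant's configuration on the shared proxy does not deliver that tenant's packets into another tenant's container group.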

In a second aspect, a service mesh system is provided. The service mesh system includes a first service node and a proxy cluster, wherein the first service node runs a first L4 proxy and a first service container group of a first tenant; the proxy cluster runs a first L7 proxy; the first L7 proxy includes configuration information of multiple services; different services among the multiple services belong to the same tenant or to different tenants; and the configuration information of a service is used by the first L7 proxy to perform traffic management on data packets of that service. The first L4 proxy is used to: receive a first data packet sent by the first service container group. The first L4 proxy is used to: send an identifier of the first tenant and the first data packet to the first L7 proxy. The first L7 proxy is used to: identify, based on the identifier of the first tenant, configuration information of a first service among the configuration information of the multiple services, the first service belonging to the first tenant. The first L7 proxy is used to: perform traffic management on the first data packet based on the configuration information of the first service.

In a possible implementation, the first service node also runs a second service container group of a second tenant. The first L4 proxy is also used to: receive a second data packet sent by the second service container group. The first L4 proxy is also used to: send an identifier of the second tenant and the second data packet to the first L7 proxy. The first L7 proxy is also used to: identify, based on the identifier of the second tenant, configuration information of a second service among the configuration information of the multiple services, the second service belonging to the second tenant. The first L7 proxy is also used to: perform traffic management on the second data packet based on the configuration information of the second service.

In a possible implementation, the first service includes the service corresponding to the first data packet and other services, and the first L7 proxy is used to: identify, based on an identifier of the service corresponding to the first data packet, the configuration information of that service within the configuration information of the first service; and perform traffic management on the first data packet based on the configuration information of the service corresponding to the first data packet.

In a possible implementation, the proxy cluster also runs a second L7 proxy that includes configuration information of at least one service, and the first L4 proxy is used to: when the number of services belonging to the first tenant among the multiple services is greater than the number of services belonging to the first tenant among the at least one service, send the identifier of the first tenant and the first data packet to the first L7 proxy.

In a possible implementation, the proxy cluster also runs a second L7 proxy that also includes the configuration information of the first service, and the first L4 proxy is used to: when the load of the second L7 proxy is greater than the load of the first L7 proxy, send the identifier of the first tenant and the first data packet to the first L7 proxy.

In a possible implementation, the service mesh system also includes a console connected to the proxy cluster, and the console is used to: send configuration information of two or more services to the same L7 proxy in the proxy cluster, wherein the two or more services belong to the same tenant, or the output of one of the two or more services is the input of another.

In a possible implementation, the service mesh system also includes a second service node that runs a second L4 proxy and a third service container group. The first L7 proxy is used to: select the third service container group as the target container group of the first data packet; and send the first data packet and the identifier of the first tenant to the second L4 proxy. The second L4 proxy is used to: confirm, based on the identifier of the first tenant, that the first tenant and the tenant to which the third service container group belongs are the same tenant; and send the first data packet to the third service container group.

In a third aspect, a traffic management method is provided. The method is applied to a first L7 proxy in a service mesh system that includes a first service node and a proxy cluster, wherein the first service node runs a first L4 proxy and a first service container group of a first tenant; the first L7 proxy runs in the proxy cluster; the first L7 proxy includes configuration information of multiple services; different services among the multiple services belong to the same tenant or to different tenants; and the configuration information of a service is used by the first L7 proxy to perform traffic management on data packets of that service. The method includes: the first L7 proxy receives an identifier of the first tenant and a first data packet sent by the first L4 proxy, the first data packet having been received by the first L4 proxy from the first service container group; the first L7 proxy identifies, based on the identifier of the first tenant, configuration information of a first service among the configuration information of the multiple services, the first service belonging to the first tenant; and the first L7 proxy performs traffic management on the first data packet based on the configuration information of the first service.

In a possible implementation, the first service node also runs a second service container group of a second tenant, and the method includes: the first L7 proxy receives an identifier of the second tenant and a second data packet sent by the first L4 proxy, the second data packet having been received by the first L4 proxy from the second service container group; the first L4 proxy sends the identifier of the second tenant and the second data packet to the first L7 proxy; the first L7 proxy identifies, based on the identifier of the second tenant, configuration information of a second service among the configuration information of the multiple services, the second service belonging to the second tenant; and the first L7 proxy performs traffic management on the second data packet based on the configuration information of the second service.

In a possible implementation, the first service includes the service corresponding to the first data packet and other services, and the first L7 proxy performing traffic management on the first data packet based on the configuration information of the first service includes: the first L7 proxy identifies, based on an identifier of the service corresponding to the first data packet, the configuration information of that service within the configuration information of the first service; and the first L7 proxy performs traffic management on the first data packet based on the configuration information of the service corresponding to the first data packet.

In a possible implementation, the proxy cluster also runs a second L7 proxy that includes configuration information of at least one service, and the first L7 proxy receiving the identifier of the first tenant and the first data packet sent by the first L4 proxy includes: when the number of services belonging to the first tenant among the multiple services is greater than the number of services belonging to the first tenant among the at least one service, the first L7 proxy receives the identifier of the first tenant and the first data packet sent by the first L4 proxy.

In a possible implementation, the proxy cluster also runs a second L7 proxy that also includes the configuration information of the first service, and the first L7 proxy receiving the identifier of the first tenant and the first data packet sent by the first L4 proxy includes: when the load of the second L7 proxy is greater than the load of the first L7 proxy, the first L7 proxy receives the identifier of the first tenant and the first data packet sent by the first L4 proxy.

In a possible implementation, the service mesh system also includes a console connected to the proxy cluster, and the method also includes: the first L7 proxy receives and records configuration information of two or more services from the console, wherein the two or more services belong to the same tenant, or the output of one of the two or more services is the input of another.

In a possible implementation, the service mesh system also includes a second service node that runs a second L4 proxy and a third service container group. The first L7 proxy performing traffic management on the first data packet based on the configuration information of the first service includes: the first L7 proxy selects the third service container group as the target container group of the first data packet; and the first L7 proxy sends the first data packet and the identifier of the first tenant to the second L4 proxy. The second L4 proxy is used to: confirm, based on the identifier of the first tenant, that the first tenant and the tenant to which the third service container group belongs are the same tenant; and send the first data packet to the third service container group.

In a fourth aspect, a traffic management apparatus is provided. The apparatus is configured in a first L7 proxy in a service mesh system that includes a first service node and a proxy cluster, wherein the first service node runs a first L4 proxy and a first service container group of a first tenant; the first L7 proxy runs in the proxy cluster; the first L7 proxy includes configuration information of multiple services; different services among the multiple services belong to the same tenant or to different tenants; and the configuration information of a service is used by the first L7 proxy to perform traffic management on data packets of that service. The apparatus includes: a receiving module, used to receive an identifier of the first tenant and a first data packet sent by the first L4 proxy, the first data packet having been received by the first L4 proxy from the first service container group; an identification module, used to identify, based on the identifier of the first tenant, configuration information of a first service among the configuration information of the multiple services, the first service belonging to the first tenant; and a management module, used to perform traffic management on the first data packet based on the configuration information of the first service.

In a possible implementation, the first service node also runs a second service container group of a second tenant. The receiving module is also used to: receive an identifier of the second tenant and a second data packet sent by the first L4 proxy, the second data packet having been received by the first L4 proxy from the second service container group. The identification module is also used to: identify, based on the identifier of the second tenant, configuration information of a second service among the configuration information of the multiple services, the second service belonging to the second tenant. The management module is also used to: perform traffic management on the second data packet based on the configuration information of the second service.

In a possible implementation, the first service includes the service corresponding to the first data packet and other services, and the management module is used to: identify, based on an identifier of the service corresponding to the first data packet, the configuration information of that service within the configuration information of the first service; and perform traffic management on the first data packet based on the configuration information of the service corresponding to the first data packet.

In a possible implementation, the proxy cluster also runs a second L7 proxy that includes configuration information of at least one service, and the receiving module is used to: when the number of services belonging to the first tenant among the multiple services is greater than the number of services belonging to the first tenant among the at least one service, receive the identifier of the first tenant and the first data packet sent by the first L4 proxy.

In a possible implementation, the proxy cluster also runs a second L7 proxy that also includes the configuration information of the first service, and the receiving module is used to: when the load of the second L7 proxy is greater than the load of the first L7 proxy, receive the identifier of the first tenant and the first data packet sent by the first L4 proxy.

In a possible implementation, the service mesh system further includes a console connected to the proxy cluster. The receiving module is configured to receive and record, from the console, configuration information of two or more services, where the two or more services belong to the same tenant, or the output of one of the two or more services is the input of another.

In a possible implementation, the service mesh system further includes a second business node, which runs a second L4 proxy and a third business container group. The management module is configured so that: the first L7 proxy selects the third business container group as the target container group of the first data packet; and the first L7 proxy sends the first data packet and the identifier of the first tenant to the second L4 proxy. The second L4 proxy is configured to: confirm, based on the identifier of the first tenant, that the first tenant and the tenant to which the third business container group belongs are the same tenant; and send the first data packet to the third business container group.

In a fifth aspect, a computing device cluster is provided, comprising at least one computing device, each computing device comprising a processor and a memory. The processor of the at least one computing device is configured to execute instructions stored in the memory of the at least one computing device, so that the computing device cluster performs the method provided in the second aspect.

In a sixth aspect, a computer-readable storage medium is provided, comprising computer program instructions. When the computer program instructions are executed by a computing device cluster, the computing device cluster performs the method provided in the second aspect.

In a seventh aspect, a computer program product comprising instructions is provided. When the instructions are run by a computing device cluster, the computing device cluster performs the method provided in the second aspect.

For the beneficial effects of the second to seventh aspects, refer to the description of the beneficial effects of the first aspect above; they are not repeated here.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a schematic structural diagram of a service mesh system provided in an embodiment of the present application;

FIG. 2 is a schematic structural diagram of an L7 proxy provided in an embodiment of the present application;

FIG. 3 is a schematic diagram of a service configuration method provided in an embodiment of the present application;

FIG. 4 is a schematic diagram of a service configuration method provided in an embodiment of the present application;

FIG. 5 is a flowchart of a service configuration method provided in an embodiment of the present application;

FIG. 6 is a flowchart of a traffic management method provided in an embodiment of the present application;

FIG. 7 is a flowchart of a traffic management method provided in an embodiment of the present application;

FIG. 8 is a schematic structural diagram of a traffic management apparatus provided in an embodiment of the present application;

FIG. 9 is a schematic structural diagram of a computing device provided in an embodiment of the present application;

FIG. 10 is a schematic structural diagram of a computing device cluster provided in an embodiment of the present application;

FIG. 11 is a schematic structural diagram of a computing device cluster connected via a network, provided in an embodiment of the present application.

DETAILED DESCRIPTION

The solutions provided in the embodiments of the present application are described below with reference to the accompanying drawings. In the embodiments of the present application, "multiple" means two or more. "First", "second" and the like are used only to distinguish similar objects and do not necessarily describe a specific order or number of objects.

To make the solutions provided in the embodiments of the present application easier to understand, the technical terms that may be involved are introduced first.

Microservice architecture: a service-oriented architecture (SOA) that splits a complex system into multiple small services or applications, which can be called microservices. Each microservice implements one independent piece of business logic. Microservices are built around business functions and can be deployed independently. By depending on one another, microservices can provide a range of functions. Microservices are easy to understand and modify, which gives flexibility in the choice of language and framework. Microservices can run in containers. The containers hosting multiple highly interdependent microservices can form a container group. In a K8S (Kubernetes) system, a container group can be encapsulated as a pod.

Business container: a container that runs a microservice.

Business container group: a container group consisting of multiple business container groups. Usually, the microservices run by the business containers in the same container group are highly interdependent.

Service mesh: a technology in which a data proxy outside the business containers performs service governance on the services (for example, microservices) that the business containers provide. Specifically, the data proxy obtains a data packet sent by a business container and performs service governance (for example, traffic management) on it, so as to send the data packet to the data proxy of the target container group. The data proxy of the target container group then sends the data packet to the target container group. A data packet sent by a container group being obtained by the data proxy can be called entering the service mesh, and the data proxy sending the data packet to the target container group can be called exiting the service mesh.

Service governance: also called SOA governance, a general term for the means used to ensure that each microservice instance of a microservice architecture works normally and that different microservice instances can communicate normally. A microservice instance can also be called a service instance or a business container instance.

Traffic management: also called traffic service governance, one kind of service governance. Traffic management usually includes traffic routing, load balancing, traffic control, traffic observation, and so on.

Configuration information of a service: information that the data proxy uses to perform traffic management on the data packets of the service. The data packets of a service are the data packets sent to the service instances of that service. The configuration information of a service may include the number of service instances of the service, the addresses of the service instances, the maximum processing capacity of the service instances, and so on. For example, the maximum processing capacity of a service instance may be its throughput.

Data proxy: also called a data plane proxy, a module or apparatus that performs service governance on service instances in the data plane. A data proxy can be a process, and the data proxy process can run in a container. In sidecar mode, the data proxy is a sidecar. In ambient mode, the data proxy includes a transport layer proxy and an application layer proxy. In the open system interconnection (OSI) network model, the transport layer is layer 4 (L4) and the application layer is layer 7 (L7), so the transport layer proxy can also be called an L4 proxy and the application layer proxy an L7 proxy. The L4 proxy implements low-level traffic management, for example routing data packets based on the transmission control protocol (TCP). The L7 proxy implements high-level traffic management, for example routing data packets based on the service metadata carried in the data packet (such as service name and version). The functions of the L4 proxy and the L7 proxy are described in detail below and are not repeated here.

Node: used to run business container groups and/or data proxies. Typical nodes include virtual machines (VMs), computers (for example, servers), bare metal servers, and so on. A node used to run business container groups can be called a business node; in the embodiments of the present application, the L4 proxy also runs on the business node. A node used to run L7 proxies can be called a proxy node. One or more business nodes can form a business cluster, and one or more proxy nodes can form a proxy cluster. A proxy cluster can also be called a hosting cluster or a proxy hosting cluster.

In the related art, to achieve isolation between tenants, each tenant has exclusive use of its L7 proxies. Specifically, the tenant is responsible for creating and maintaining its own L7 proxy, and that L7 proxy performs traffic management only on the data packets sent by that tenant's business container groups. A service mesh system has a large number of tenants, and each tenant may create multiple L7 proxies, so the service mesh system contains a large number of L7 proxies. Each L7 proxy runs in a separate container, so a large number of proxies requires a large number of containers. Each container has exclusive, fixed computing resources, such as central processing unit (CPU) and memory resources. A tenant's business usually has busy phases and idle phases. During the idle phase of a tenant's business, the tenant's L7 proxy sits idle, resulting in low utilization of computing resources.

Moreover, a large number of L7 proxies creates heavy scheduling pressure; for example, a great deal of work is needed to select the nodes on which to deploy the L7 proxies.

In addition, because L7 proxies are exclusive to tenants and different tenants may have different numbers of services, the number of L7 proxies each tenant needs also differs. It is therefore difficult for the administrator of the service mesh system to create and maintain L7 proxies in a unified way, and tenants have to create and maintain their own L7 proxies. Maintaining L7 proxies increases the tenants' workload. Tenants also often lack the expertise to maintain L7 proxies professionally, which raises the risk of L7 proxy failure. For example, when an L7 proxy is upgraded, the tenant's lack of expertise means that the upgrade carries a significant identification risk.

Furthermore, tenants often create multiple L7 proxies, more than their business needs, which wastes computing resources. In the related art, whenever the console detects that an L7 proxy has been created, it sends the configuration information of all services of the tenant that owns the L7 proxy to that L7 proxy. That is, every L7 proxy of a tenant stores the configuration information of all of that tenant's services, so the service configuration information is stored in the L7 proxies with high redundancy and consumes a large amount of memory.

Referring to FIG. 1, an embodiment of the present application provides a service mesh system that includes one or more business nodes and a proxy cluster. The business nodes run business container groups and L4 proxies, and the proxy cluster runs L7 proxies. An L7 proxy may include the configuration information of multiple services. Different services among the multiple services may belong to different tenants; that is, the same L7 proxy may include configuration information of services of different tenants. The configuration information of a service is used by the L7 proxy to perform traffic management on the data packets of that service, so the same L7 proxy can perform traffic management on the data packets of services of different tenants; in other words, multiple tenants can share an L7 proxy. When a business container group of a tenant sends a data packet, the L4 proxy can send the data packet together with the identifier of the tenant to the L7 proxy. The L7 proxy can use the tenant identifier to identify the configuration information of that tenant's service among the configuration information of the multiple services, and then perform traffic management on the data packet based on the configuration information of the tenant's service.

In the service mesh system provided in the embodiments of the present application, multiple tenants share L7 proxies, which improves the utilization of the L7 proxies' computing resources. Specifically, the idle phases of different tenants' businesses usually differ: while the business of some tenants is idle, the business of other tenants may be busy. This keeps the L7 proxy from sitting idle and improves the utilization of its computing resources.

Moreover, because multiple tenants share L7 proxies, not every tenant needs to create one, which reduces the number of L7 proxies in the service mesh system. This lowers both the computing resources needed to deploy L7 proxies in the service mesh system and the scheduling pressure of the L7 proxies.

In addition, because L7 proxies are shared by multiple tenants, they no longer need to be created per tenant. The administrator of the service mesh system can create one or more L7 proxies in the proxy cluster in advance. Whenever a new service is created, the console of the service mesh system can send the configuration information of the service to an L7 proxy, so that the L7 proxy can perform traffic management on the data packets of the service based on that configuration information.

Furthermore, because the L7 proxies are created uniformly by the administrator, the redundancy of the service configuration information can be controlled. Specifically, whenever a new service is created, the console of the service mesh system can send the configuration information of the service to N L7 proxies, where N is an integer greater than or equal to 1 whose value can be set by the administrator. This avoids storing the service configuration information in the L7 proxies with high redundancy and saves L7 proxy memory.

Next, the service mesh system provided in the embodiments of the present application is described in detail.

As shown in FIG. 1, the service mesh system includes multiple business nodes, for example business node 100 and business node 200. A business node may be deployed with multiple business container groups and at least one L4 proxy. For example, business node 100 is deployed with business container group 110, business container group 120, L4 proxy 130, and so on. As another example, business node 200 is deployed with business container group 210, business container group 220, L4 proxy 230, and so on. Different business container groups on the same business node may belong to different tenants or to the same tenant. The same tenant may deploy business container groups on different business nodes. For example, business container group 110 and business container group 210 belong to tenant A1, and business container group 120 and business container group 220 belong to tenant A2. The L4 proxy is node-level: it can manage the data packets sent by the multiple business container groups on the business node where it runs. For example, it selects an L7 proxy for a data packet sent by a business container group and establishes a connection (for example, a TCP connection) between the L4 proxy and the selected L7 proxy.

The service mesh system includes a proxy cluster 300, which consists of at least one proxy node. The proxy cluster 300 may be deployed with one or more L7 proxies, for example L7 proxy 310 and/or L7 proxy 320. One L7 proxy may run on one or more proxy nodes in the proxy cluster 300, and one proxy node may run one or more L7 proxies.

An L7 proxy may include the configuration information of multiple services and may perform traffic management on the data packets of a service based on that service's configuration information. Different services among the multiple services may belong to the same tenant or to different tenants. That is, they may be services provided by the business container groups of one tenant or by the business container groups of different tenants. In other words, the L7 proxy no longer performs traffic management at tenant granularity, but at service granularity.

In some embodiments, as shown in FIG. 2, the L4 proxy 130 has an interception module 131, an acquisition module 132 and a sending module 133. The interception module 131 can intercept data packets sent by the business container groups on business node 100, so that those data packets enter the service mesh. For example, business container group 110 sends data packet 111, and the interception module 131 intercepts data packet 111. The acquisition module 132 can parse data packet 111 to obtain the identifier of business container group 110. For example, the identifier of a container group may be its internet protocol (IP) address: the acquisition module 132 parses data packet 111 to obtain the source IP (SrcIP) address, and thereby the IP address of business container group 110. The acquisition module 132 can then use the identifier of business container group 110 to obtain, from the mesh console 400 of the service mesh system, the identifier of the tenant to which business container group 110 belongs.

The mesh console can also be called the mesh control plane or the console. It controls the L7 proxies, L4 proxies and so on in the service mesh system, and provides the administrator of the service mesh system with interfaces for managing the service mesh system (for example, an application programming interface (API)).

The sending module 133 in the L4 proxy 130 can send data packet 111 and the identifier of the tenant to the L7 proxy 310.

In some embodiments, as shown in FIG. 2, the L7 proxy 310 includes one or more listeners, for example listener 311, listener 312, and so on. In one example, data packet 111 may include the service identifier of the service that data packet 111 requests. In one example, the service identifier may be a service IP (Svc IP). Different listeners in the L7 proxy 310 correspond to different services, and each listener listens for the data packets of its corresponding service. A listener can inspect the service identifier in a data packet sent to the L7 proxy 310; if the service represented by that identifier is the listener's service, the listener receives the data packet.

In some embodiments, as shown in FIG. 2, the L7 proxy 310 includes multiple tenant listeners. Different tenant listeners listen for and receive the data packets of services of different tenants. For example, the listener of tenant A1 listens for and receives the data packets of tenant A1's services (for example, data packet 111), and the listener of tenant A2 listens for and receives the data packets of tenant A2's services (for example, data packet 121).

The L7 proxy 310 includes multiple tenant service listeners. A tenant service listener listens for and receives a particular service of a tenant. Because services of different tenants may have the same service identifier, inside the L7 proxy a service is identified by its service identifier combined with the tenant identifier. That is, the unique identifier of a service consists of the service identifier of the service and the identifier of the service's tenant. For example, the unique identifier of service 1 of tenant A1 consists of the identifier of service 1 and the identifier of tenant A1, and the unique identifier of service 2 of tenant A2 consists of the identifier of service 2 and the identifier of tenant A2.

Still referring to FIG. 2, the L7 proxy 310 includes a traffic management module 313. After data packet 111 is received, the traffic management module 313 can obtain the configuration information of tenant A1's service from the stored configuration information of multiple services, and then perform traffic management on data packet 111 based on it, for example selecting the target service instance of data packet 111 according to a service instance load balancing (LB) policy and sending data packet 111 to the selected target service instance.

In some embodiments, the L7 proxy 310 further includes an observation module 314. The observation module 314 observes and collects statistics on information such as the path and time of the data packets sent to a service instance. Based on the observed information, it produces an observation report and reports it to the observation center of the service mesh system.

The above gives an overview of the functions of the L7 proxy. Next, the way L7 proxies are deployed is described.

In the embodiments of the present application, the L7 proxies deployed in the proxy cluster 300 are created by the administrator of the service mesh system. In some embodiments, before the service mesh system is put into use, the administrator can create one or more L7 proxies in the proxy cluster 300. For example, the administrator can create a number of L7 proxies that matches the capacity of the service mesh system, where the capacity of the service mesh system is the maximum number of business container groups that can be deployed in it.

Referring to FIG. 3, whenever a tenant's service is created, the mesh console 400 can send the configuration information of the service, the identifier of the service and the identifier of A1 to one or more L7 proxies, so that the L7 proxies can perform traffic management on the data packets of the service based on its configuration information. In some embodiments, as shown in FIG. 3, when a service of tenant A1 is created on a business node, the business node can perform step 301 and send the configuration information of the service, the identifier of the service and the identifier of tenant A1 to the mesh console 400. The mesh console 400 can perform step 302 and select an L7 proxy for the service.

After selecting the L7 proxy, the mesh console 400 performs step 303a and sends the configuration information of the service, the identifier of the service and the identifier of tenant A1 to the selected L7 proxy. On receiving them, the L7 proxy can associate the configuration information of the service, the identifier of the service and the identifier of tenant A1, obtaining an association among the three. For example, it records the configuration information of the service, the identifier of the service and the identifier of tenant A1 in an association list. In this way, the configuration information of tenant A1's services can be obtained from the identifier of tenant A1, and the configuration information of this particular service of tenant A1 can be obtained from the identifier of tenant A1 together with the identifier of the service.
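The association list described above, together with the tenant check that the destination-side L4 proxy performs before delivery, can be sketched as follows. This is an added example, not code from the application: the class and function names are hypothetical, the IP addresses are constructed sample values, and round-robin stands in for whatever load balancing policy a real L7 proxy would apply.

```python
from dataclasses import dataclass


class UnknownService(Exception):
    """The tenant has no recorded service with this service identifier."""


class TenantMismatch(Exception):
    """The target container group does not belong to the packet's tenant."""


@dataclass(frozen=True)
class Packet:
    src_ip: str  # IP of the sending business container group (SrcIP)
    svc_ip: str  # service identifier carried in the packet (Svc IP)


class MeshConsole:
    """Control-plane view of which tenant owns which container group."""

    def __init__(self, group_tenants):
        self._group_tenants = dict(group_tenants)

    def tenant_of(self, group_ip):
        # Fail closed: a container group the console does not know has no tenant.
        if group_ip not in self._group_tenants:
            raise TenantMismatch(f"no tenant recorded for {group_ip}")
        return self._group_tenants[group_ip]


class L7Proxy:
    """Shared L7 proxy: configuration is keyed by (tenant id, service id)."""

    def __init__(self):
        self._configs = {}  # (tenant_id, svc_ip) -> tuple of instance IPs
        self._turn = {}     # per-service round-robin counter

    def record(self, tenant_id, svc_ip, instances):
        # Step 303a: associate configuration, service identifier and tenant.
        if not instances:
            raise ValueError("a service needs at least one instance")
        self._configs[(tenant_id, svc_ip)] = tuple(instances)

    def route(self, tenant_id, packet):
        # The lookup never falls back to the service identifier alone, so an
        # identical Svc IP owned by another tenant cannot be selected.
        key = (tenant_id, packet.svc_ip)
        instances = self._configs.get(key)
        if instances is None:
            raise UnknownService(f"{tenant_id} has no service {packet.svc_ip}")
        turn = self._turn.get(key, 0)
        self._turn[key] = turn + 1
        return instances[turn % len(instances)]


class L4Proxy:
    """Node-level proxy: tags outbound packets, checks inbound ones."""

    def __init__(self, console, l7):
        self._console = console
        self._l7 = l7

    def outbound(self, packet):
        # Resolve the tenant from the source container group, not the packet.
        tenant_id = self._console.tenant_of(packet.src_ip)
        return tenant_id, self._l7.route(tenant_id, packet)

    def inbound(self, tenant_id, target_ip):
        # Destination side: deliver only if the target group has the same tenant.
        if self._console.tenant_of(target_ip) != tenant_id:
            raise TenantMismatch(f"{target_ip} is not owned by {tenant_id}")
        return target_ip


SHARED_SVC = "10.96.0.10"  # constructed: both tenants reuse this service IP
A1_ONLY_SVC = "10.96.0.11"  # constructed: only tenant A1 records this one


def build_mesh():
    """Return the L4 proxies of two nodes that share one L7 proxy."""
    console = MeshConsole({
        "10.0.1.10": "A1", "10.0.1.20": "A2",  # groups on the first node
        "10.0.2.10": "A1", "10.0.2.11": "A1",  # groups on the second node
        "10.0.2.20": "A2",
    })
    l7 = L7Proxy()
    l7.record("A1", SHARED_SVC, ["10.0.2.10", "10.0.2.11"])
    l7.record("A2", SHARED_SVC, ["10.0.2.20"])
    l7.record("A1", A1_ONLY_SVC, ["10.0.2.10"])
    return L4Proxy(console, l7), L4Proxy(console, l7)


if __name__ == "__main__":
    node_a, node_b = build_mesh()
    for src in ("10.0.1.10", "10.0.1.20"):
        tenant, target = node_a.outbound(Packet(src, SHARED_SVC))
        print(src, "->", tenant, node_b.inbound(tenant, target))
```

The tenant identifier is derived from the source container group by the L4 proxy rather than read from the packet, which is what lets the shared L7 proxy treat it as the isolation key.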

The mesh console also performs step 303b and sends the association between the selected L7 proxy and tenant A1 to the L4 proxy on every business node in the service mesh system, so that each L4 proxy can use this association to identify the L7 proxy that holds the configuration information of tenant A1's services.

A business container group may include multiple containers. Each container acts as a service instance and can provide one service. The services provided by the containers in the same business container group are closely related; for example, the output of the service provided by one container is often the input of the service provided by another. The containers in the same container group share storage space, which may be memory or cache. Therefore, if the data packets of two or more services that must be executed in sequence are scheduled to the same business container group, the containers in that group process them and no related data has to be passed between container groups. For example, containers B11 and B12 in business container group B1 provide services C1 and C2 respectively, containers B21 and B22 in business container group B2 also provide services C1 and C2 respectively, and the output of service C1 is the input of service C2. The data packets of service C1 and of service C2 have to be processed in sequence. If the data packets of both services are scheduled to business container group B1, the result of container B11 processing the data packet of service C1 (that is, the output of service C1) can be stored in the storage space shared by containers B11 and B12. When container B12 processes the data packet of service C2, it can obtain the output of service C1 from that storage space, which saves data transmission between business container groups. If the data packet of service C1 is scheduled to business container group B1 and the data packet of service C2 is scheduled to business container group B2, then business container group B2 has to obtain the output of service C1 from business container group B1 when it processes the data packet of service C2, which requires data transmission between business container groups.

Referring to FIG. 4, in step 302 the mesh console 400 selects an L7 proxy based on the affinity between services, so that the configuration information of multiple services with affinity is sent to the same L7 proxy.

In some embodiments, the services of the same tenant have affinity with each other, so the configuration information of the services of the same tenant can be sent to the same L7 proxy. When the L7 proxy performs traffic management on the data packets of two or more services of the same tenant, the data packets of those services share a routing cache. The routing cache stores the address of the target service instance of a data packet (that is, one or more specific business container groups). When the two or more services can be provided by the same business container group, the L7 proxy can, by sharing the address in the routing cache, send the data packets of those services to the same target service instance, thereby scheduling the data packets of those services to the same business container group. The two or more services may be services that need to be executed sequentially, in which case data transmission between business container groups is saved.

In some embodiments, two or more services that need to be executed sequentially have affinity with each other, so the configuration information of those services can be sent to the same L7 proxy. When the L7 proxy performs traffic management on the data packets of the two or more services, those services share a routing cache. The routing cache stores the address of the target service instance of a data packet. When the two or more services are provided by the same business container group, the L7 proxy can, by sharing the address in the routing cache, send the data packets of those services to the same target service instance, thereby scheduling the data packets of those services to the same business container group. In this way, data transmission between business container groups is saved.

Here, services with affinity are services of the same tenant or services that need to be executed sequentially. Services that need to be executed sequentially also belong to the same tenant. Affinity between services is therefore defined at tenant granularity. An L7 proxy that holds the configuration information of a tenant's services with affinity can be called the affinity L7 proxy of that tenant.

In some embodiments, the proxy cluster 300 runs multiple L7 proxies. In step 302, the L7 proxy that holds the configuration information of the fewest services may be selected from the multiple L7 proxies. That is, when a service is created, the configuration information of the created service is sent to the L7 proxy that holds the configuration information of the fewest services. In one example, when an L7 proxy is selected based on the affinity between services, the L7 proxy that holds the configuration information of the fewest services is selected from the multiple L7 proxies, and the configuration information of the created service is sent to it, so that this L7 proxy performs traffic management on the data packets of the created service and load balancing is achieved.

In some embodiments, the proxy cluster 300 runs multiple L7 proxies. When an L7 proxy is selected based on the affinity between services, the L7 proxy that holds the configuration information of the fewest tenants is selected from the multiple L7 proxies, and the configuration information of the created service is sent to it, so that this L7 proxy performs traffic management on the data packets of the created service. Here, the configuration information of a tenant is the configuration information of the tenant's services. Sending a tenant's services with affinity to the L7 proxy that holds the configuration information of the fewest tenants can avoid the same L7 proxy becoming the affinity proxy of multiple tenants at the same time, or in other words, reduces the risk of the same L7 proxy becoming the affinity L7 proxy of multiple tenants at the same time.

In some embodiments, the annotation section of the YAML file used to create a service records the affinity between services. The mesh console 400 can read the annotation section of the service's YAML file and learn from it which services have affinity with each other. YAML is a markup language and also a data serialization format, and is commonly used to create services. Creating a service may specifically mean creating the container that provides the service.

In some embodiments, the L7 proxy can be deployed by the method shown in FIG. 5.

First, in step 501, the administrator of the service mesh system can create one or more L7 proxies, such as the L7 proxy 310, in the proxy cluster 300.

In step 502, tenant A1 can create service A11 on the business node 200. Creating a service means creating a business container group; the containers in the created business container group provide the service. In step 503, the business node 200 can send the configuration information of service A11, the identifier of service A11, and the identifier of tenant A1 to the mesh console 400.

In step 504, the mesh console 400 can select an L7 proxy for service A11. The L7 proxy can be selected for service A11 based on the affinity between services. For details, refer to the description above, which is not repeated here.

Assume that the L7 proxy selected by the mesh console 400 in step 504 is the L7 proxy 310. Then, in step 505, the mesh console 400 sends the configuration information of service A11, the identifier of service A11, and the identifier of tenant A1 to the L7 proxy 310.

The L7 proxy 310 can establish an association among the configuration information of service A11, the identifier of service A11, and the identifier of tenant A1. The L7 proxy 310 can store the configuration information of service A11 and this association. In some embodiments, the L7 proxy 310 can create a tenant A1 listener in step 506. The tenant A1 listener listens for data packets of tenant A1's services. In some embodiments, the L7 proxy 310 can create a tenant A1 service A11 listener in step 507. The tenant A1 service A11 listener listens for data packets of service A11 of tenant A1.

The L7 proxy 310 can also establish an association between the L7 proxy and tenant A1 in step 508, and send that association to the mesh console 400 in step 509. The mesh console 400 can send the association between the L7 proxy and tenant A1 to each L4 proxy in the service mesh system. Each L4 proxy can store the association it receives.

In some embodiments, the association between the L7 proxy and tenant A1 includes the association between the L7 proxy and service A11 of tenant A1. In some embodiments, the association between the L7 proxy and tenant A1 is specifically an association between the identifier of the L7 proxy and the identifier of tenant A1. The identifier of the L7 proxy and the identifier of tenant A1 can be recorded in an association list to associate the L7 proxy with tenant A1.

This completes the deployment of the L7 proxy and enables it to perform traffic management on the data packets of the relevant tenants' services. The L7 proxy performs that traffic management using the traffic management method provided in the embodiments of the present application.

Next, with reference to FIG. 6, the traffic management method provided in the embodiments of the present application is described, taking the L7 proxy 310 and tenant A1 as an example.

The L7 proxy 310 holds the configuration information of multiple services. Different services among them belong to the same tenant or to different tenants, and the configuration information of a service is used by the L7 proxy 310 to perform traffic management on the data packets of that service. As shown in FIG. 6, the method includes the following steps.

Step 601: the business container group 110 sends a data packet 111. The business container group 110 belongs to tenant A1, and the data packet 111 may be a data packet requesting access to service A11 of tenant A1; that is, the data packet 111 is a service request for access to service A11. The business container group 110 includes at least one business container, and the data packet 111 may be sent by one or more of those business containers.

The L4 proxy 130 in the business node where the business container group 110 is located (that is, business node 100) acts as the L4 proxy in the inbound direction of the service mesh and can intercept the data packet 111. When it intercepts the data packet 111, the L4 proxy 130 can obtain the identifier of the business container group 110. For example, the L4 proxy 130 parses the data packet 111 to obtain its Src IP. The Src IP of the data packet 111 is the IP address of the business container group 110, which is one form of identifier of the business container group 110. In step 602, the L4 proxy 130 can obtain the identifier of the tenant to which the business container group 110 belongs (that is, tenant A1) based on the identifier of the business container group 110. For example, the L4 proxy 130 can look up the identifier of tenant A1 in the mesh console 400 based on the identifier of the business container group 110.

In step 603, the L4 proxy 130 can, based on the identifier of tenant A1, filter the L7 proxies deployed in the proxy cluster 300 for those that hold the configuration information of tenant A1's services. Usually, multiple L7 proxies are deployed in the proxy cluster 300, and only some of them hold the configuration information of tenant A1's services. The L7 proxies that hold the configuration information of tenant A1's services therefore have to be filtered out of the multiple L7 proxies based on the identifier of tenant A1. The L4 proxy stores the associations between L7 proxies and tenants, and an L7 proxy associated with a tenant holds the configuration information of that tenant's services. Based on the identifier of tenant A1 and the associations between L7 proxies and tenants, the L4 proxy 130 can obtain the L7 proxies associated with tenant A1, that is, the L7 proxies that hold the configuration information of tenant A1's services.

In some embodiments, tenant A1 may have multiple services, and the configuration information of those services may be held in different L7 proxies. That is, not every L7 proxy that holds services of tenant A1 necessarily holds the configuration information of service A11. In step 603, the L7 proxies that hold the configuration information of service A11 of tenant A1 are filtered out. First, based on the identifier of tenant A1, the L7 proxies that hold the configuration information of tenant A1's services are filtered out. Then, based on the identifier of service A11, the L7 proxies that hold the configuration information of service A11 are filtered out of the L7 proxies that hold the configuration information of tenant A1's services.

When only one L7 proxy holds the configuration information of service A11, that L7 proxy, which holds the configuration information of service A11 of tenant A1, is the target L7 proxy of the data packet 111.

When multiple L7 proxies hold the configuration information of service A11, the L4 proxy 130 can select the target L7 proxy of the data packet 111 from among them.

In some embodiments, the more services of tenant A1 an L7 proxy supports, the more likely that L7 proxy is to become the target L7 proxy of the data packet 111. An L7 proxy supporting a service means that the L7 proxy holds the configuration information of that service. For example, the L7 proxy 310 holds the configuration information of N services, the L7 proxy 320 holds the configuration information of M services, and both the N services and the M services include service A11, where N and M are both integers greater than or equal to 1. If the number of services belonging to tenant A1 among the N services is greater than the number of services belonging to tenant A1 among the M services, the L4 proxy 130 selects the L7 proxy 310 as the target L7 proxy of the data packet 111. That is, when the number of services belonging to tenant A1 among the services supported by the L7 proxy 310 is greater than the number of services belonging to tenant A1 among the services supported by the L7 proxy 320, the L7 proxy 310 is used as the target L7 proxy of the data packet 111.

In some embodiments, the lower the load of an L7 proxy, the more likely that L7 proxy is to become the target L7 proxy of the data packet 111. For example, the L7 proxy 310 and the L7 proxy 320 both hold the configuration information of service A11. When the load of the L7 proxy 320 is greater than the load of the L7 proxy 310, the L7 proxy 310 is used as the target L7 proxy of the data packet 111. The load of an L7 proxy can be expressed as the ratio of its used capacity to its maximum capacity; this ratio is positively correlated with the load of the L7 proxy. In one example, the maximum capacity is the maximum number of connections, and the used capacity is the number of connections in use, or the actual number of connections. A connection here is a connection between the L7 proxy and a business container group that sends data packets. Specifically, the data packets on which an L7 proxy performs traffic management are sent by business container groups; when the L4 proxy selects an L7 proxy to perform traffic management on the data packets sent by a business container group, the L4 proxy establishes a connection between that L7 proxy and that business container group. The maximum number of connections can therefore also be described as the maximum number of business container groups the L7 proxy can be connected to, and the number of connections in use as the number of business container groups the L7 proxy is already connected to. In another example, the maximum capacity is the maximum number of data packets the L7 proxy can receive per unit time, and the used capacity is the number of data packets the L7 proxy actually receives per unit time.

In some embodiments, a scheduling coefficient can be calculated for each L7 proxy that holds the configuration information of service A11, and the L7 proxy with the largest scheduling coefficient is then used as the target L7 proxy of the data packet 111. The scheduling coefficient is calculated as follows.

Scheduling coefficient of the L7 proxy = weight of the tenant × (number of services belonging to tenant A1 among the services supported by the L7 proxy / total number of services supported by the L7 proxy) × (1 - used capacity of the L7 proxy / maximum capacity of the L7 proxy).

The weight of the tenant may be a preset value. For a given tenant, the administrator can set different weights for different L7 proxies, which sets the priority with which each L7 proxy performs traffic management on the data packets of that tenant's services.

In this manner, the target L7 proxy of the data packet 111 is obtained.
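The selection described above, from the candidate filtering of step 603 to picking the largest scheduling coefficient, as an added Python example that is not code from the patent. The class and field names, the default weight of 1.0, and treating a proxy with no declared capacity as fully loaded are assumptions; the sample proxies are constructed.

```python
from dataclasses import dataclass, field


@dataclass
class L7Proxy:
    proxy_id: str
    # Set of (tenant_id, service_id) pairs whose configuration this proxy holds.
    services: set
    used_capacity: int      # e.g. connections in use
    max_capacity: int       # e.g. maximum number of connections
    # Per-tenant weight preset by the administrator for this proxy.
    tenant_weights: dict = field(default_factory=dict)

    def supports(self, tenant_id, service_id):
        return (tenant_id, service_id) in self.services


def scheduling_coefficient(proxy, tenant_id):
    """weight x (tenant's services / all services) x (1 - used / max)."""
    total = len(proxy.services)
    if total == 0 or proxy.max_capacity <= 0:
        # Assumption: an empty proxy or one without declared capacity
        # is never preferred.
        return 0.0
    weight = proxy.tenant_weights.get(tenant_id, 1.0)  # assumed default
    tenant_share = sum(1 for t, _ in proxy.services if t == tenant_id) / total
    headroom = max(1.0 - proxy.used_capacity / proxy.max_capacity, 0.0)
    return weight * tenant_share * headroom


def select_target(proxies, tenant_id, service_id):
    """Return the target L7 proxy for a packet, or None if no proxy qualifies."""
    # Step 603: keep only proxies that hold this tenant's config for this service.
    candidates = [p for p in proxies if p.supports(tenant_id, service_id)]
    if not candidates:
        return None
    if len(candidates) == 1:
        return candidates[0]
    return max(candidates, key=lambda p: scheduling_coefficient(p, tenant_id))


def sample_proxies():
    """Constructed sample data, loosely following the page's 310/320 naming."""
    return [
        L7Proxy("l7-310", {("A1", "A11"), ("A1", "A12"), ("A2", "A21")}, 50, 100),
        L7Proxy("l7-320", {("A1", "A11"), ("A2", "A22"), ("A2", "A23"),
                           ("A2", "A24")}, 10, 100),
        # Holds a service of tenant A1 but not A11, so it is filtered out.
        L7Proxy("l7-330", {("A1", "A12")}, 0, 100),
    ]


if __name__ == "__main__":
    for p in sample_proxies():
        print(p.proxy_id, round(scheduling_coefficient(p, "A1"), 4))
    print("target:", select_target(sample_proxies(), "A1", "A11").proxy_id)
```

With the default weights the less loaded proxy l7-320 loses to l7-310 because tenant A1 owns a larger share of l7-310's services; raising the weight of tenant A1 on l7-320 reverses the choice.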

Assume that the target L7 proxy obtained for the data packet 111 is the L7 proxy 310. In step 605, the L4 proxy 130 sends the data packet 111 and the identifier of tenant A1 to the L7 proxy 310. In some embodiments, the L4 proxy 130 can send the data packet 111 and the identifier of tenant A1 to the L7 proxy 310 through a destination network address translation (DNAT) operation.

In step 606, the L7 proxy can, based on the identifier of tenant A1, identify the configuration information of tenant A1's services among the configuration information of the multiple services held by the L7 proxy 310. As described above, the identifier of tenant A1 is associated with the configuration information of tenant A1's services. The L7 proxy can identify the configuration information of tenant A1's services based on that association and the identifier of tenant A1.

Next, in step 607, the L7 proxy can perform traffic management on the data packet 111 based on the configuration information of tenant A1's services identified in step 606.

The data packet 111 is a data packet of service A11 of tenant A1. If the configuration information of tenant A1's services identified in step 606 is the configuration information of service A11, then in step 607 traffic management can be performed on the data packet 111 directly based on the configuration information identified in step 606.

If the configuration information of tenant A1's services identified in step 606 includes, in addition to the configuration information of service A11, the configuration information of other services of tenant A1, then in step 607 the configuration information of service A11 is first identified within the configuration information identified in step 606. Traffic management is then performed on the data packet 111 based on the configuration information of service A11.

The data packet 111 carries the identifier of the service it requests, that is, the identifier of service A11. The L7 proxy 310 can parse the data packet 111 to obtain the identifier of service A11. Then, based on the identifier of service A11, the L7 proxy 310 identifies the configuration information of service A11 within the configuration information of tenant A1's services identified in step 606. Specifically, as described above, the identifier of a service is associated with the configuration information of that service. The L7 proxy 310 can identify the configuration information of service A11 based on that association and the identifier of service A11.

In some embodiments, the traffic management that the L7 proxy 310 performs on the data packet 111 can include selecting the target service instance of the data packet 111. For example, if the data packet 111 is a service request, the L7 proxy 310 can select the service instance that will execute the service request. Assume that the L7 proxy 310 selects the business container group 210 as the target service instance of the data packet 111, that is, selects a business container in the business container group 210 to process the data packet 111. In this case, in step 608, the L7 proxy 310 can send the data packet 111 to the L4 proxy (that is, L4 proxy 230) in the business node where the business container group 210 is located (that is, business node 200). In step 610, the L4 proxy 230, acting as the L4 proxy in the outbound direction of the service mesh, can forward the received data packet 111 to the business container group 210. In some embodiments, the L4 proxy 230 can send the data packet 111 to the business container group 210 through a DNAT operation.

In some embodiments, in step 608, the L7 proxy 310 sends the data packet 111 and the identifier of tenant A1 to the L4 proxy 230. The L4 proxy 230 can perform step 609 and verify, based on the identifier of tenant A1, that tenant A1 is the same as the tenant to which the business container group 210 belongs. Specifically, when the L7 proxy 310 selects the business container group 210 as the service instance of the data packet 111, it can add the identifier of the business container group 210 to the data packet 111. For example, if the identifier of the business container group 210 is its address, the L7 proxy 310 adds the address of the business container group 210 to the field of the data packet 111 that corresponds to the destination address (destination). The L4 proxy 230 can parse the data packet 111 to obtain the identifier of the business container group 210. Then, based on that identifier, the L4 proxy 230 can look up in the mesh console 400 the tenant to which the business container group 210 belongs. In step 609, the L4 proxy 230 can determine whether the identifier of tenant A1 is the same as the identifier of the tenant to which the business container group 210 belongs. If they are the same, tenant A1 and the tenant to which the business container group 210 belongs are the same. If they are not the same, tenant A1 and the tenant to which the business container group 210 belongs are different.

The L4 proxy 230 performs step 610 only after confirming that tenant A1 and the tenant to which the business container group 210 belongs are the same. This further safeguards isolation between tenants.

In some embodiments, when the L4 proxy 230 confirms that tenant A1 and the tenant to which the business container group 210 belongs are different, the L4 proxy 230 can raise an alarm or report an error.
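The tenant checks of steps 602 to 610, as an added Python example that is not code from the patent: the inbound L4 proxy derives the tenant from the Src IP, the shared L7 proxy looks up configuration only under that tenant, and the outbound L4 proxy refuses to forward when the destination belongs to another tenant. Class names, addresses, and the fail-closed handling of an address with no known owner are assumptions; all sample data is constructed.

```python
from dataclasses import dataclass, replace


class IsolationError(Exception):
    """Raised instead of forwarding when a tenant check fails."""


@dataclass(frozen=True)
class Packet:
    src_ip: str
    service_id: str
    dst_ip: str = ""        # filled in by the L7 proxy


class MeshConsole:
    """Source of truth for which tenant owns a container group address."""

    def __init__(self, owner_by_ip):
        self._owner_by_ip = dict(owner_by_ip)

    def tenant_of(self, ip):
        return self._owner_by_ip.get(ip)


class IngressL4Proxy:
    def __init__(self, console):
        self.console = console

    def classify(self, packet):
        # Step 602: the tenant comes from the sender's address,
        # never from anything the sender writes into the packet.
        tenant = self.console.tenant_of(packet.src_ip)
        if tenant is None:
            raise IsolationError(f"unknown source {packet.src_ip}")
        return tenant


class SharedL7Proxy:
    def __init__(self, config):
        # (tenant_id, service_id) -> list of target container group addresses
        self.config = dict(config)

    def route(self, tenant_id, packet):
        # Steps 606-607: narrow to the tenant first, then to the service.
        targets = self.config.get((tenant_id, packet.service_id))
        if not targets:
            raise LookupError(f"no config for {tenant_id}/{packet.service_id}")
        return replace(packet, dst_ip=targets[0])


class EgressL4Proxy:
    def __init__(self, console):
        self.console = console
        self.alerts = []

    def forward(self, tenant_id, packet):
        # Step 609: compare the tenant carried with the packet against the
        # owner of the destination. Unknown owner is rejected (assumption).
        owner = self.console.tenant_of(packet.dst_ip)
        if owner != tenant_id:
            self.alerts.append((tenant_id, packet.dst_ip, owner))
            raise IsolationError(f"{tenant_id} -> {packet.dst_ip} owned by {owner}")
        return packet.dst_ip    # step 610: deliver


def deliver(ingress, l7, egress, packet):
    tenant = ingress.classify(packet)
    routed = l7.route(tenant, packet)
    return egress.forward(tenant, routed)


# Constructed sample data: container groups 110/210 belong to A1, 120/220 to A2.
OWNERS = {"10.0.1.10": "A1", "10.0.1.20": "A2",
          "10.0.2.10": "A1", "10.0.2.20": "A2"}
GOOD_CONFIG = {("A1", "A11"): ["10.0.2.10"], ("A2", "A21"): ["10.0.2.20"]}
# A faulty entry: tenant A1's service points at tenant A2's container group.
BAD_CONFIG = {("A1", "A11"): ["10.0.2.20"], ("A2", "A21"): ["10.0.2.20"]}

if __name__ == "__main__":
    console = MeshConsole(OWNERS)
    ingress, egress = IngressL4Proxy(console), EgressL4Proxy(console)
    pkt = Packet("10.0.1.10", "A11")
    print(deliver(ingress, SharedL7Proxy(GOOD_CONFIG), egress, pkt))
    try:
        deliver(ingress, SharedL7Proxy(BAD_CONFIG), egress, pkt)
    except IsolationError as exc:
        print("blocked:", exc, "alerts:", egress.alerts)
```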

In some embodiments, in addition to supporting the services of tenant A1, the L7 proxy 310 also handles the services of other tenants, for example the services of tenant A2. That is, the L7 proxy 310 also holds the configuration information of tenant A2's services. Assume that the business container group 120 of tenant A2 runs on the business node 100. When the business container group 120 sends a data packet 121, the L4 proxy 130 can send the data packet 121 and the identifier of tenant A2 to the L7 proxy 310. Based on the identifier of tenant A2, the L7 proxy 310 can identify the configuration information of tenant A2 among the configuration information of the multiple services it holds. The L7 proxy 310 can then perform traffic management on the data packet 121 based on the configuration information of tenant A2. For example, through traffic management, the L7 proxy 310 selects the business container group 220 in the business node 200 as the target service instance of the data packet 121. The L7 proxy 310 sends the data packet 121 and the identifier of tenant A2 to the L4 proxy 230. After confirming, based on the identifier of tenant A2, that tenant A2 is the same as the tenant to which the business container group 220 belongs, the L4 proxy 230 sends the data packet 121 to the business container group 220.

In summary, the same L7 proxy can perform traffic management on the data packets of the services of multiple tenants, so that an L7 proxy is shared among multiple tenants. This can improve the utilization of the L7 proxy's computing resources, reduce the scheduling pressure on L7 proxies, and so on.

Based on the content described above, an embodiment of the present application further provides a traffic management method. The method can be performed by a first L7 proxy in a service mesh system. The service mesh system includes a first business node and a proxy cluster; the first business node runs a first L4 proxy and a first business container group of a first tenant; the first L7 proxy runs in the proxy cluster and holds the configuration information of multiple services, where different services among the multiple services belong to the same tenant or to different tenants, and the configuration information of a service is used by the first L7 proxy to perform traffic management on the data packets of that service. The service mesh system here may be the service mesh system shown in FIG. 1, the proxy cluster may be the proxy cluster 300 described above, the first L7 proxy may specifically be the L7 proxy 310 described above, the first business node may be the business node 100 described above, the first L4 proxy may be the L4 proxy 130 described above, and the first tenant may be tenant A1 described above. As shown in FIG. 7, the method includes the following steps.

Step 701: the first L7 proxy receives the identifier of the first tenant and a first data packet sent by the first L4 proxy, where the first data packet was received by the first L4 proxy from the first service container group. The first service container group may be the service container group 110 described above, and the first data packet may be the data packet 111 described above. For the specific implementation of step 701, refer to the description of steps 601 to 605 in FIG. 6 above; it is not repeated here.

Step 702: based on the identifier of the first tenant, the first L7 proxy identifies the configuration information of a first service among the configuration information of the multiple services, where the first service belongs to the first tenant. For the specific implementation of step 702, refer to the description of step 606 in FIG. 6 above; it is not repeated here.

Step 703: the first L7 proxy performs traffic management on the first data packet based on the configuration information of the first service. For the specific implementation of step 702, refer to the description of step 607 in FIG. 6 above; it is not repeated here.

In some embodiments, the first service node also runs a second service container group of a second tenant, and the method includes: the first L7 proxy receives the identifier of the second tenant and a second data packet sent by the first L4 proxy, where the second data packet was received by the first L4 proxy from the second service container group; the first L4 proxy sends the identifier of the second tenant and the second data packet to the first L7 proxy; based on the identifier of the second tenant, the first L7 proxy identifies the configuration information of a second service among the configuration information of the multiple services, where the second service belongs to the second tenant; and the first L7 proxy performs traffic management on the second data packet based on the configuration information of the second service. The second tenant may be the tenant A2 described above, the second service container group may be the service container group 120 described above, and the second data packet may be the data packet 121 described above.

In some embodiments, the first service includes the service corresponding to the first data packet and other services. The first L7 proxy performing traffic management on the first data packet based on the configuration information of the first service includes: based on the identifier of the service corresponding to the first data packet, the first L7 proxy identifies the configuration information of that service within the configuration information of the first service; and the first L7 proxy performs traffic management on the first data packet based on the configuration information of the service corresponding to the first data packet. The service corresponding to the first data packet may be the service A11 described above. For the specific implementation of this embodiment, refer to the description of step 606 in FIG. 6 above; it is not repeated here.

In some embodiments, the proxy cluster corresponding to the service of the first data packet also runs a second L7 proxy, and the second L7 proxy includes configuration information of at least one service. The first L7 proxy receiving the identifier of the first tenant and the first data packet sent by the first L4 proxy includes: when the number of services belonging to the first tenant among the multiple services is greater than the number of services belonging to the first tenant among the at least one service, the first L7 proxy receives the identifier of the first tenant and the first data packet sent by the first L4 proxy. The second L7 proxy may be the L7 proxy 320 described above. For the specific implementation of this embodiment, refer to the description of steps 603 to 605 in FIG. 6 above; it is not repeated here.

In some embodiments, the proxy cluster also runs a second L7 proxy, and the second L7 proxy also includes the configuration information of the first service. The first L7 proxy receiving the identifier of the first tenant and the first data packet sent by the first L4 proxy includes: when the load of the second L7 proxy is greater than the load of the first L7 proxy, the first L7 proxy receives the identifier of the first tenant and the first data packet sent by the first L4 proxy. The second L7 proxy may be the L7 proxy 320 described above. For the specific implementation of this embodiment, refer to the description of steps 603 to 605 in FIG. 6 above; it is not repeated here.

In some embodiments, the service mesh system further includes a console connected to the proxy cluster, and the method further includes: the first L7 proxy receives and records, from the console, the configuration information of two or more services, where the two or more services belong to the same tenant, or the output of one of the two or more services is the input of another. For the specific implementation of this embodiment, refer to the description of the embodiments shown in FIG. 3 to FIG. 5 above; it is not repeated here.

In some embodiments, the service mesh system further includes a second service node, and the second service node runs a second L4 proxy and a third service container group. The first L7 proxy performing traffic management on the first data packet based on the configuration information of the first service includes: the first L7 proxy selects the third service container group as the target container group of the first data packet; and the first L7 proxy sends the first data packet and the identifier of the first tenant to the second L4 proxy. The second L4 proxy is used to: confirm, based on the identifier of the first tenant, that the first tenant and the tenant to which the third service container group belongs are the same tenant; and send the first data packet to the third service container group. The second service node may be the service node 200 described above, and the third service container group may also be the service container group 210 described above. For the specific implementation of this embodiment, refer to the description of steps 608 to 610 in FIG. 6 above; it is not repeated here.

With the above method, the same L7 proxy can include the configuration information of services of multiple tenants. When traffic management needs to be performed on the data packets of a tenant's service, the L7 proxy obtains the identifier of that tenant, uses the identifier to obtain the configuration information of that tenant's services from the configuration information of the services of the multiple tenants, and can then perform traffic management on the data packets of the tenant's service based on that configuration information. In this way, the same L7 proxy can perform traffic management on the data packets of services of multiple tenants, so that multiple tenants share an L7 proxy. Sharing an L7 proxy among multiple tenants can improve the utilization of the L7 proxy's computing resources, reduce the scheduling pressure on L7 proxies, and so on.
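The flow of steps 701 to 703, together with the L4 proxy's choice of L7 proxy and the destination-side tenant check described in the embodiments above, as an added Python example (not code from the application). The tenant, node and container-group labels follow the reference numerals in the text; the service names, the round-robin policy, the order in which `select_l7` combines the two selection conditions, and the way the L4 proxy learns a group's tenant are assumptions.

```python
from dataclasses import dataclass


class TenantIsolationError(Exception):
    """No configuration or target of the packet's own tenant could be used."""


@dataclass(frozen=True)
class Packet:
    service_id: str   # identifier of the service the packet corresponds to
    payload: bytes


class L7Proxy:
    """Shared L7 proxy holding configuration for services of several tenants."""

    def __init__(self, name):
        self.name = name
        self.load = 0        # packets handled so far, used as the load figure
        self._configs = {}   # tenant id -> {service id -> [(node, group), ...]}

    def record_config(self, tenant_id, service_id, endpoints):
        self._configs.setdefault(tenant_id, {})[service_id] = list(endpoints)

    def services_of(self, tenant_id):
        return self._configs.get(tenant_id, {})

    def handle(self, tenant_id, packet):
        # Step 702: restrict the lookup to the configuration of this tenant.
        tenant_cfg = self._configs.get(tenant_id)
        if tenant_cfg is None:
            raise TenantIsolationError(f"no configuration for tenant {tenant_id!r}")
        # Within that tenant's set, find the service the packet corresponds to.
        endpoints = tenant_cfg.get(packet.service_id)
        if not endpoints:
            raise TenantIsolationError(
                f"tenant {tenant_id!r} has no service {packet.service_id!r}")
        # Step 703: traffic management; round robin stands in for the policy.
        node, group = endpoints[self.load % len(endpoints)]
        self.load += 1
        return node, group


class L4Proxy:
    """Per-node L4 proxy that knows which tenant owns each local container group."""

    def __init__(self, node, group_owner):
        self.node = node
        self._owner = dict(group_owner)   # container group -> tenant id

    def tenant_of(self, group):
        return self._owner[group]

    def deliver(self, tenant_id, group, packet):
        # Destination check: forward only when the target group belongs to the
        # tenant whose identifier arrived with the packet; otherwise fail closed.
        owner = self._owner.get(group)
        if owner is None or owner != tenant_id:
            raise TenantIsolationError(f"{group} is not owned by tenant {tenant_id!r}")
        return f"{self.node}/{group}"


def select_l7(proxies, tenant_id, service_id):
    """Source L4 side: keep proxies holding this tenant's service, then prefer
    more services of the tenant and, on a tie, lower load (assumed ordering)."""
    candidates = [p for p in proxies if service_id in p.services_of(tenant_id)]
    if not candidates:
        raise TenantIsolationError(f"no L7 proxy holds {service_id!r} for {tenant_id!r}")
    return max(candidates, key=lambda p: (len(p.services_of(tenant_id)), -p.load))


def send(src_l4, src_group, packet, proxies, l4_by_node):
    # The tenant identifier is attached by the L4 proxy from the sending
    # container group, never read from the packet itself (assumption).
    tenant_id = src_l4.tenant_of(src_group)
    l7 = select_l7(proxies, tenant_id, packet.service_id)
    node, group = l7.handle(tenant_id, packet)
    return l4_by_node[node].deliver(tenant_id, group, packet)


def build_demo():
    """Constructed topology using the reference numerals from the text."""
    l4_130 = L4Proxy("node100", {"group110": "A1", "group120": "A2"})
    l4_230 = L4Proxy("node200", {"group210": "A1", "group220": "A2"})
    l7_310, l7_320 = L7Proxy("l7-310"), L7Proxy("l7-320")
    # Both tenants use the same service id; only the tenant key separates them.
    l7_310.record_config("A1", "web", [("node200", "group210")])
    l7_310.record_config("A2", "web", [("node200", "group220")])
    # Constructed misconfiguration: tenant A2's service targets tenant A1's group.
    l7_310.record_config("A2", "reports", [("node200", "group210")])
    l7_320.record_config("A1", "web", [("node200", "group210")])
    return l4_130, [l7_310, l7_320], {"node100": l4_130, "node200": l4_230}


if __name__ == "__main__":
    l4_130, proxies, l4s = build_demo()
    print(send(l4_130, "group110", Packet("web", b"a1"), proxies, l4s))
```

The misconfigured `reports` entry is the case worth watching: the shared L7 proxy picks a container group of another tenant, and the destination L4 proxy's ownership check is what stops the packet.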

Referring to FIG. 8, an embodiment of the present application provides a traffic management apparatus 800. The apparatus 800 is configured in a first L7 proxy in a service mesh system, and the service mesh system includes a first service node and a proxy cluster, where the first service node runs a first L4 proxy and a first service container group of a first tenant; the first L7 proxy runs in the proxy cluster and includes configuration information of multiple services; different services among the multiple services belong to the same tenant or to different tenants; and the configuration information of a service is used by the first L7 proxy to perform traffic management on the data packets of that service. As shown in FIG. 8, the apparatus 800 includes:

a receiving module 810, configured to receive the identifier of the first tenant and a first data packet sent by the first L4 proxy, where the first data packet was received by the first L4 proxy from the first service container group;

an identification module 820, configured to identify, based on the identifier of the first tenant, the configuration information of a first service among the configuration information of the multiple services, where the first service belongs to the first tenant;

a management module 830, configured to perform traffic management on the first data packet based on the configuration information of the first service.

In some embodiments, the first service node also runs a second service container group of a second tenant. The receiving module 810 is further configured to receive the identifier of the second tenant and a second data packet sent by the first L4 proxy, where the second data packet was received by the first L4 proxy from the second service container group. The identification module 820 is further configured to identify, based on the identifier of the second tenant, the configuration information of a second service among the configuration information of the multiple services, where the second service belongs to the second tenant. The management module 830 is further configured to perform traffic management on the second data packet based on the configuration information of the second service.

In some embodiments, the first service includes the service corresponding to the first data packet and other services. The management module 830 is configured to: identify, based on the identifier of the service corresponding to the first data packet, the configuration information of that service within the configuration information of the first service; and perform traffic management on the first data packet based on the configuration information of the service corresponding to the first data packet.

In some embodiments, the proxy cluster also runs a second L7 proxy, and the second L7 proxy includes configuration information of at least one service. The receiving module 810 is configured to: when the number of services belonging to the first tenant among the multiple services is greater than the number of services belonging to the first tenant among the at least one service, receive the identifier of the first tenant and the first data packet sent by the first L4 proxy.

In some embodiments, the proxy cluster also runs a second L7 proxy, and the second L7 proxy also includes the configuration information of the first service. The receiving module 810 is configured to: when the load of the second L7 proxy is greater than the load of the first L7 proxy, receive the identifier of the first tenant and the first data packet sent by the first L4 proxy.

In some embodiments, the service mesh system further includes a console connected to the proxy cluster. The receiving module 810 is configured to receive and record, from the console, the configuration information of two or more services, where the two or more services belong to the same tenant, or the output of one of the two or more services is the input of another.

In some embodiments, the service mesh system further includes a second service node, and the second service node runs a second L4 proxy and a third service container group. The management module 830 is used so that: the first L7 proxy selects the third service container group as the target container group of the first data packet; and the first L7 proxy sends the first data packet and the identifier of the first tenant to the second L4 proxy. The second L4 proxy is used to: confirm, based on the identifier of the first tenant, that the first tenant and the tenant to which the third service container group belongs are the same tenant; and send the first data packet to the third service container group.

The receiving module 810, the identification module 820 and the management module 830 can each be implemented in software or in hardware. The implementation of the receiving module 810 is described next as an example; the identification module 820 and the management module 830 can be implemented in a similar way.

As an example of a module implemented as a software functional unit, the receiving module 810 may include code running on a computing instance. The computing instance may include at least one of a physical host (computing device), a virtual machine, and a container, and there may be one or more such computing instances. For example, the receiving module 810 may include code running on multiple hosts, virtual machines or containers. The multiple hosts, virtual machines or containers used to run the code may be distributed in the same region or in different regions. Likewise, they may be distributed in the same availability zone (AZ) or in different AZs, where each AZ includes one data center or multiple geographically close data centers. A region can usually include multiple AZs.

Similarly, the multiple hosts, virtual machines or containers used to run the code may be distributed in the same VPC or in multiple VPCs. A VPC is usually set up within one region. For communication between two VPCs in the same region, and for cross-region communication between VPCs in different regions, a communication gateway needs to be set up in each VPC, and the VPCs are interconnected through these gateways.

As an example of a module implemented as a hardware functional unit, the receiving module 810 may include at least one computing device, such as a server. Alternatively, the receiving module 810 may be a device implemented with an application-specific integrated circuit (ASIC) or a programmable logic device (PLD). The PLD may be a complex programmable logic device (CPLD), a field-programmable gate array (FPGA), generic array logic (GAL), or any combination thereof.

The multiple computing devices included in the receiving module 810 may be distributed in the same region or in different regions, and in the same AZ or in different AZs. Similarly, they may be distributed in the same VPC or in multiple VPCs. The multiple computing devices may be any combination of computing devices such as servers, ASICs, PLDs, CPLDs, FPGAs and GALs.

It should be noted that, in other embodiments, the receiving module 810 may be used to perform any step of the method shown in FIG. 7, the identification module 820 may be used to perform any step of the method shown in FIG. 7, and the management module 830 may be used to perform any step of the method shown in FIG. 7. The steps that the receiving module 810, the identification module 820 and the management module 830 are responsible for can be assigned as needed; by having the three modules implement different steps of the method shown in FIG. 7, all functions of the traffic management apparatus 800 are realized.

The present application also provides a computing device 900. As shown in FIG. 9, the computing device 900 includes a bus 902, a processor 904, a memory 906 and a communication interface 908. The processor 904, the memory 906 and the communication interface 908 communicate with one another through the bus 902. The computing device 900 may be a server or a terminal device. It should be understood that the present application does not limit the number of processors or memories in the computing device 900.

The bus 902 may be a peripheral component interconnect (PCI) bus, an extended industry standard architecture (EISA) bus, or the like. Buses can be divided into address buses, data buses, control buses and so on. For ease of representation, only one line is drawn in FIG. 9, but this does not mean that there is only one bus or one type of bus. The bus 902 may include a path for transferring information between the components of the computing device 900 (for example, the memory 906, the processor 904 and the communication interface 908).

The processor 904 may include any one or more of processors such as a central processing unit (CPU), a graphics processing unit (GPU), a microprocessor (MP) or a digital signal processor (DSP).

The memory 906 may include volatile memory, such as random access memory (RAM). The memory 906 may also include non-volatile memory, such as read-only memory (ROM), flash memory, a hard disk drive (HDD) or a solid state drive (SSD).

The memory 906 stores executable program code, and the processor 904 executes this code to implement the functions of the receiving module 810, the identification module 820 and the management module 830 respectively, thereby implementing the method shown in FIG. 7. That is, the memory 906 stores instructions for executing the method shown in FIG. 7.

The communication interface 908 uses a transceiver module, such as but not limited to a network interface card or a transceiver, to implement communication between the computing device 900 and other devices or communication networks.

An embodiment of the present application also provides a computing device cluster. The computing device cluster includes at least one computing device. The computing device may be a server, for example a central server, an edge server, or a local server in a local data center. In some embodiments, the computing device may also be a terminal device such as a desktop computer, a laptop computer or a smartphone.

As shown in FIG. 10, the computing device cluster includes at least one computing device 900. The memories 906 of one or more computing devices 900 in the computing device cluster may store the same instructions for executing the method shown in FIG. 7.

In some possible implementations, the memories 906 of one or more computing devices 900 in the computing device cluster may each store part of the instructions for executing the method shown in FIG. 7. In other words, a combination of one or more computing devices 900 may jointly execute the instructions for executing the method shown in FIG. 7.

It should be noted that the memories 906 of different computing devices 900 in the computing device cluster may store different instructions, each used to execute part of the functions of the traffic management apparatus 800. That is, the instructions stored in the memories 906 of different computing devices 900 may implement the functions of one or more of the receiving module 810, the identification module 820 and the management module 830.

In some possible implementations, one or more computing devices in the computing device cluster may be connected through a network. The network may be a wide area network, a local area network, or the like. FIG. 11 shows one possible implementation. As shown in FIG. 11, two computing devices 900A and 900B are connected through a network; specifically, each computing device connects to the network through its communication interface. In this type of implementation, the memory 906 of the computing device 900A stores instructions for executing the functions of the receiving module 810, while the memory 906 of the computing device 900B stores instructions for executing the functions of the identification module 820 and the management module 830.

It should be understood that the functions of the computing device 900A shown in FIG. 11 may also be performed by multiple computing devices 900. Similarly, the functions of the computing device 900B may also be performed by multiple computing devices 900.

An embodiment of the present application also provides another computing device cluster. For the connection relationship between the computing devices in this cluster, refer to the connection modes of the computing device cluster described for FIG. 10 and FIG. 11. The difference is that the memories 906 of one or more computing devices 900 in this computing device cluster may store the same instructions for executing the method shown in FIG. 7.

In some possible implementations, the memories 906 of one or more computing devices 900 in this computing device cluster may each store part of the instructions for executing the method shown in FIG. 7. In other words, a combination of one or more computing devices 900 may jointly execute the instructions for executing the method shown in FIG. 7.

An embodiment of the present application also provides a computer program product containing instructions. The computer program product may be software or a program product that contains instructions and can run on a computing device or be stored in any available medium. When the computer program product runs on at least one computing device, it causes the at least one computing device to execute the method shown in FIG. 7.

An embodiment of the present application also provides a computer-readable storage medium. The computer-readable storage medium may be any available medium that a computing device can store, or a host migration device, such as a data center, that contains one or more available media. The available medium may be a magnetic medium (for example, a floppy disk, a hard disk or a magnetic tape), an optical medium (for example, a DVD), or a semiconductor medium (for example, a solid state drive). The computer-readable storage medium includes instructions that instruct a computing device to execute the method shown in FIG. 7.

Finally, it should be noted that the above embodiments are intended only to illustrate the technical solutions of the present application, not to limit them. Although the present application has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art should understand that they may still modify the technical solutions described in the foregoing embodiments, or make equivalent replacements of some of the technical features therein, and that such modifications or replacements do not cause the essence of the corresponding technical solutions to depart from the protection scope of the technical solutions of the embodiments of the present application.

Claims (33)

一种流量管理方法,其特征在于,所述方法应用于服务网格系统,所述服务网格系统包括第一业务节点和代理集群;其中,所述第一业务节点运行有第一传输层L4代理和第一租户的第一业务容器组;所述代理集群运行有第一应用层L7代理,所述第一L7代理包括多个服务的配置信息,所述多个服务中的不同服务属于同一租户或不同租户,所述服务的配置信息用于所述第一L7代理对所述服务的数据包进行流量管理;所述方法包括:A traffic management method, characterized in that the method is applied to a service grid system, the service grid system includes a first service node and a proxy cluster; wherein the first service node runs a first transport layer L4 proxy and a first service container group of a first tenant; the proxy cluster runs a first application layer L7 proxy, the first L7 proxy includes configuration information of multiple services, different services in the multiple services belong to the same tenant or different tenants, and the configuration information of the service is used by the first L7 proxy to perform traffic management on data packets of the service; the method includes: 所述第一L4代理接收所述第一业务容器组发出的第一数据包;The first L4 agent receives a first data packet sent by the first service container group; 所述第一L4代理将所述第一租户的标识和所述第一数据包发送至所述第一L7代理;The first L4 agent sends the identifier of the first tenant and the first data packet to the first L7 agent; 所述第一L7代理基于所述第一租户的标识,在所述多个服务的配置信息中识别第一服务的配置信息,所述第一服务属于所述第一租户;The first L7 agent identifies, based on the identifier of the first tenant, configuration information of a first service from the configuration information of the plurality of services, the first service belonging to the first tenant; 所述第一L7代理基于所述第一服务的配置信息,对所述第一数据包进行流量管理。The first L7 agent performs traffic management on the first data packet based on the configuration information of the first service. 
根据权利要求1所述的方法,其特征在于,所述第一业务节点还运行有第二租户的第二业务容器组;所述方法包括:The method according to claim 1 is characterized in that the first service node also runs a second service container group of a second tenant; the method comprises: 所述第一L4代理接收所述第二业务容器组发出的第二数据包;The first L4 agent receives a second data packet sent by the second service container group; 所述第一L4代理将所述第二租户的标识和所述第二数据包发送至所述第一L7代理;The first L4 agent sends the identifier of the second tenant and the second data packet to the first L7 agent; 所述第一L7代理基于所述第二租户的标识,在所述多个服务的配置信息中识别第二服务的配置信息,所述第二服务属于所述第二租户;The first L7 agent identifies, based on the identifier of the second tenant, configuration information of a second service from the configuration information of the plurality of services, where the second service belongs to the second tenant; 所述第一L7代理基于所述第二服务的配置信息,对所述第二数据包进行流量管理。The first L7 agent performs traffic management on the second data packet based on the configuration information of the second service. 根据权利要求1或2所述的方法,其特征在于,所述第一服务包括所述第一数据包对应的服务和其他服务;The method according to claim 1 or 2, characterized in that the first service includes a service corresponding to the first data packet and other services; 所述第一L7代理基于所述第一服务的配置信息,对所述第一数据包进行流量管理,包括:The first L7 agent performs traffic management on the first data packet based on the configuration information of the first service, including: 所述第一L7代理基于所述第一数据包对应的服务的标识,在所述第一服务的配置信息中识别所述第一数据包对应的服务的配置信息;The first L7 agent identifies, based on the identifier of the service corresponding to the first data packet, the configuration information of the service corresponding to the first data packet in the configuration information of the first service; 所述第一L7代理基于所述第一数据包对应的服务的配置信息,对所述第一数据包进行流量管理。The first L7 agent performs traffic management on the first data packet based on configuration information of a service corresponding to the first data packet. 
4. The method according to claim 3, characterized in that the proxy cluster runs multiple L7 proxies; the first L4 proxy sending the identifier of the first tenant and the first data packet to the first L7 proxy comprises:
the first L4 proxy identifies, based on the identifier of the first tenant, the L7 proxies among the multiple L7 proxies that include configuration information of services of the first tenant;
the first L4 proxy identifies, based on the identifier of the service corresponding to the first data packet, the L7 proxy that includes the configuration information of the service corresponding to the first data packet from among the L7 proxies that include configuration information of services of the first tenant, thereby obtaining the first L7 proxy.
5. The method according to any one of claims 1 to 4, characterized in that the proxy cluster also runs a second L7 proxy, and the second L7 proxy includes configuration information of at least one service;
the first L4 proxy sending the identifier of the first tenant and the first data packet to the first L7 proxy comprises:
when the number of services belonging to the first tenant among the multiple services is greater than the number of services belonging to the first tenant among the at least one service, the first L4 proxy sends the identifier of the first tenant and the first data packet to the first L7 proxy.
6. The method according to any one of claims 1 to 4, characterized in that the proxy cluster also runs a second L7 proxy, and the second L7 proxy also includes the configuration information of the first service;
the first L4 proxy sending the identifier of the first tenant and the first data packet to the first L7 proxy comprises:
when the load of the second L7 proxy is greater than the load of the first L7 proxy, the first L4 proxy sends the identifier of the first tenant and the first data packet to the first L7 proxy.
7. The method according to any one of claims 1 to 6, characterized in that the service mesh system further comprises a console connected to the proxy cluster;
the method further comprises: the console sends configuration information of two or more services to the same L7 proxy in the proxy cluster; wherein the two or more services belong to the same tenant, or the output of one of the two or more services is the input of another of those services.
8. The method according to claim 7, characterized in that the proxy cluster runs multiple L7 proxies; wherein, among the multiple L7 proxies, the same L7 proxy includes configuration information of the smallest number of services, or the same L7 proxy includes configuration information of the smallest number of tenants.
9. The method according to any one of claims 1 to 8, characterized in that the service mesh system further comprises a second service node, and the second service node runs a second L4 proxy and a third service container group;
the first L7 proxy performing traffic management on the first data packet based on the configuration information of the first service comprises:
the first L7 proxy selects the third service container group as the target container group of the first data packet;
the first L7 proxy sends the first data packet and the identifier of the first tenant to the second L4 proxy;
the method further comprises:
the second L4 proxy confirms, based on the identifier of the first tenant, that the first tenant and the tenant to which the third service container group belongs are the same tenant;
the second L4 proxy sends the first data packet to the third service container group.
10. A service mesh system, characterized in that the service mesh system comprises a first service node and a proxy cluster; wherein the first service node runs a first L4 proxy and a first service container group of a first tenant; the proxy cluster runs a first L7 proxy, the first L7 proxy includes configuration information of multiple services, different services among the multiple services belong to the same tenant or to different tenants, and the configuration information of a service is used by the first L7 proxy to perform traffic management on data packets of that service; wherein:
the first L4 proxy is used to: receive a first data packet sent by the first service container group;
the first L4 proxy is used to: send the identifier of the first tenant and the first data packet to the first L7 proxy;
the first L7 proxy is used to: identify, based on the identifier of the first tenant, configuration information of a first service from the configuration information of the multiple services, the first service belonging to the first tenant;
the first L7 proxy is used to: perform traffic management on the first data packet based on the configuration information of the first service.
11. The service mesh system according to claim 10, characterized in that the first service node also runs a second service container group of a second tenant;
the first L4 proxy is further used to: receive a second data packet sent by the second service container group;
the first L4 proxy is further used to: send the identifier of the second tenant and the second data packet to the first L7 proxy;
the first L7 proxy is further used to: identify, based on the identifier of the second tenant, configuration information of a second service from the configuration information of the multiple services, the second service belonging to the second tenant;
the first L7 proxy is further used to: perform traffic management on the second data packet based on the configuration information of the second service.
12. The service mesh system according to claim 10 or 11, characterized in that the first service includes the service corresponding to the first data packet and other services;
the first L7 proxy is used to:
identify, based on the identifier of the service corresponding to the first data packet, the configuration information of the service corresponding to the first data packet within the configuration information of the first service;
perform traffic management on the first data packet based on the configuration information of the service corresponding to the first data packet.
13. The service mesh system according to any one of claims 10 to 12, characterized in that the proxy cluster also runs a second L7 proxy, and the second L7 proxy includes configuration information of at least one service;
the first L4 proxy is used to: send the identifier of the first tenant and the first data packet to the first L7 proxy when the number of services belonging to the first tenant among the multiple services is greater than the number of services belonging to the first tenant among the at least one service.
14. The service mesh system according to any one of claims 10 to 12, characterized in that the proxy cluster also runs a second L7 proxy, and the second L7 proxy also includes the configuration information of the first service;
the first L4 proxy is used to: send the identifier of the first tenant and the first data packet to the first L7 proxy when the load of the second L7 proxy is greater than the load of the first L7 proxy.
15. The service mesh system according to any one of claims 10-14, characterized in that the service mesh system further comprises a console connected to the proxy cluster;
the console is used to: send configuration information of two or more services to the same L7 proxy in the proxy cluster; wherein the two or more services belong to the same tenant, or the output of one of the two or more services is the input of another of those services.
16. The service mesh system according to any one of claims 10-15, characterized in that the service mesh system further comprises a second service node, the second service node running a second L4 proxy and a third service container group;
the first L7 proxy is used to:
select the third service container group as the target container group of the first data packet;
send the first data packet and the identifier of the first tenant to the second L4 proxy;
the second L4 proxy is used to:
confirm, based on the identifier of the first tenant, that the first tenant and the tenant to which the third service container group belongs are the same tenant;
send the first data packet to the third service container group.
17. A traffic management method, characterized in that the method is applied to a first L7 proxy in a service mesh system, the service mesh system comprising a first service node and a proxy cluster; wherein the first service node runs a first L4 proxy and a first service container group of a first tenant; the first L7 proxy runs in the proxy cluster, the first L7 proxy includes configuration information of multiple services, different services among the multiple services belong to the same tenant or to different tenants, and the configuration information of a service is used by the first L7 proxy to perform traffic management on data packets of that service; the method comprises:
the first L7 proxy receives the identifier of the first tenant and a first data packet sent by the first L4 proxy, where the first data packet is received by the first L4 proxy from the first service container group;
the first L7 proxy identifies, based on the identifier of the first tenant, configuration information of a first service from the configuration information of the multiple services, the first service belonging to the first tenant;
the first L7 proxy performs traffic management on the first data packet based on the configuration information of the first service.
18. The method according to claim 17, characterized in that the first service node also runs a second service container group of a second tenant; the method comprises:
the first L7 proxy receives the identifier of the second tenant and a second data packet sent by the first L4 proxy, where the second data packet is received by the first L4 proxy from the second service container group;
the first L4 proxy sends the identifier of the second tenant and the second data packet to the first L7 proxy;
the first L7 proxy identifies, based on the identifier of the second tenant, configuration information of a second service from the configuration information of the multiple services, the second service belonging to the second tenant;
the first L7 proxy performs traffic management on the second data packet based on the configuration information of the second service.
19. The method according to claim 17 or 18, characterized in that the first service includes the service corresponding to the first data packet and other services;
the first L7 proxy performing traffic management on the first data packet based on the configuration information of the first service comprises:
the first L7 proxy identifies, based on the identifier of the service corresponding to the first data packet, the configuration information of the service corresponding to the first data packet within the configuration information of the first service;
the first L7 proxy performs traffic management on the first data packet based on the configuration information of the service corresponding to the first data packet.
20. The method according to any one of claims 17 to 19, characterized in that the proxy cluster also runs a second L7 proxy, and the second L7 proxy includes configuration information of at least one service;
the first L7 proxy receiving the identifier of the first tenant and the first data packet sent by the first L4 proxy comprises:
when the number of services belonging to the first tenant among the multiple services is greater than the number of services belonging to the first tenant among the at least one service, the first L7 proxy receives the identifier of the first tenant and the first data packet sent by the first L4 proxy.
21. The method according to any one of claims 17 to 20, characterized in that the proxy cluster also runs a second L7 proxy, and the second L7 proxy also includes the configuration information of the first service;
the first L7 proxy receiving the identifier of the first tenant and the first data packet sent by the first L4 proxy comprises:
when the load of the second L7 proxy is greater than the load of the first L7 proxy, the first L7 proxy receives the identifier of the first tenant and the first data packet sent by the first L4 proxy.
22. The method according to any one of claims 17-21, characterized in that the service mesh system further comprises a console connected to the proxy cluster;
the method further comprises: the first L7 proxy receives and records configuration information of two or more services from the console; wherein the two or more services belong to the same tenant, or the output of one of the two or more services is the input of another of those services.
23. The method according to any one of claims 17 to 22, characterized in that the service mesh system further comprises a second service node, the second service node running a second L4 proxy and a third service container group;
the first L7 proxy performing traffic management on the first data packet based on the configuration information of the first service comprises:
the first L7 proxy selects the third service container group as the target container group of the first data packet;
the first L7 proxy sends the first data packet and the identifier of the first tenant to the second L4 proxy;
wherein the second L4 proxy is used to:
confirm, based on the identifier of the first tenant, that the first tenant and the tenant to which the third service container group belongs are the same tenant;
send the first data packet to the third service container group.
24. A traffic management device, characterized in that the device is configured in a first L7 proxy in a service mesh system, the service mesh system comprising a first service node and a proxy cluster; wherein the first service node runs a first L4 proxy and a first service container group of a first tenant; the first L7 proxy runs in the proxy cluster, the first L7 proxy includes configuration information of multiple services, different services among the multiple services belong to the same tenant or to different tenants, and the configuration information of a service is used by the first L7 proxy to perform traffic management on data packets of that service; the device comprises:
a receiving module, configured to receive the identifier of the first tenant and a first data packet sent by the first L4 proxy, where the first data packet is received by the first L4 proxy from the first service container group;
an identification module, configured to identify, based on the identifier of the first tenant, configuration information of a first service from the configuration information of the multiple services, the first service belonging to the first tenant;
a management module, configured to perform traffic management on the first data packet based on the configuration information of the first service.
25. The device according to claim 24, characterized in that the first service node also runs a second service container group of a second tenant;
the receiving module is further used to: receive the identifier of the second tenant and a second data packet sent by the first L4 proxy, where the second data packet is received by the first L4 proxy from the second service container group;
the identification module is further used to: identify, based on the identifier of the second tenant, configuration information of a second service from the configuration information of the multiple services, the second service belonging to the second tenant;
the management module is further used to: perform traffic management on the second data packet based on the configuration information of the second service.
26. The device according to claim 24 or 25, characterized in that the first service includes the service corresponding to the first data packet and other services;
the management module is used to:
identify, based on the identifier of the service corresponding to the first data packet, the configuration information of the service corresponding to the first data packet within the configuration information of the first service;
perform traffic management on the first data packet based on the configuration information of the service corresponding to the first data packet.
27. The device according to any one of claims 24-26, characterized in that the proxy cluster also runs a second L7 proxy, and the second L7 proxy includes configuration information of at least one service;
the receiving module is used to: when the number of services belonging to the first tenant among the multiple services is greater than the number of services belonging to the first tenant among the at least one service, receive the identifier of the first tenant and the first data packet sent by the first L4 proxy.
28. The device according to any one of claims 24-26, characterized in that the proxy cluster also runs a second L7 proxy, and the second L7 proxy also includes the configuration information of the first service;
the receiving module is used to: when the load of the second L7 proxy is greater than the load of the first L7 proxy, receive the identifier of the first tenant and the first data packet sent by the first L4 proxy.
29. The device according to any one of claims 24-28, characterized in that the service mesh system further comprises a console connected to the proxy cluster;
the receiving module is used to: receive and record configuration information of two or more services from the console; wherein the two or more services belong to the same tenant, or the output of one of the two or more services is the input of another of those services.
30. The device according to any one of claims 24-29, characterized in that the service mesh system further comprises a second service node, the second service node running a second L4 proxy and a third service container group;
the management module is used for:
the first L7 proxy selects the third service container group as the target container group of the first data packet;
the first L7 proxy sends the first data packet and the identifier of the first tenant to the second L4 proxy;
wherein the second L4 proxy is used to:
confirm, based on the identifier of the first tenant, that the first tenant and the tenant to which the third service container group belongs are the same tenant;
send the first data packet to the third service container group.
31. A computing device cluster, characterized in that it includes at least one computing device, each computing device including a processor and a memory;
the processor of the at least one computing device is configured to execute instructions stored in the memory of the at least one computing device, so that the computing device cluster executes the method according to any one of claims 17 to 23.
32. A computer-readable storage medium, characterized in that it includes computer program instructions; when the computer program instructions are executed by a computing device cluster, the computing device cluster executes the method according to any one of claims 17 to 23.
33. A computer program product comprising instructions, characterized in that when the instructions are run by a computer device cluster, the computer device cluster executes the method according to any one of claims 17 to 23.
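The claimed flow, as an added Python example that is not code from the patent or from any product: the source L4 proxy attaches the tenant identifier and picks the least-loaded L7 proxy holding that tenant's service configuration, the shared L7 proxy narrows its table by tenant and then by service, and the destination L4 proxy delivers only if the target container group belongs to the same tenant. Class names, pod and tenant names, and the round-robin backend choice are assumptions made for the illustration.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    src_pod: str   # container group that emitted the packet
    service: str   # identifier of the service the packet addresses


@dataclass
class L7Proxy:
    name: str
    load: int = 0
    # Shared table keyed by (tenant id, service id): two tenants may both
    # own a service called "orders" without colliding.
    configs: dict = field(default_factory=dict)

    def route(self, tenant: str, pkt: Packet) -> str:
        # Step 1: narrow the shared table to this tenant's services only.
        tenant_cfg = {svc: b for (t, svc), b in self.configs.items() if t == tenant}
        # Step 2: within that subset, pick the service the packet addresses.
        backends = tenant_cfg.get(pkt.service)
        if not backends:
            raise LookupError(f"{self.name}: no config for {tenant}/{pkt.service}")
        self.load += 1
        return backends[self.load % len(backends)]  # round-robin (assumed policy)


class L4Proxy:
    def __init__(self, node: str, pod_tenants: dict):
        self.node = node
        self.pod_tenants = dict(pod_tenants)  # node-local pod -> owning tenant

    def egress(self, pkt: Packet, l7_proxies: list):
        # The tenant id comes from node-local ownership data, never from
        # anything the workload put in the packet.
        tenant = self.pod_tenants[pkt.src_pod]
        candidates = [p for p in l7_proxies if (tenant, pkt.service) in p.configs]
        if not candidates:
            raise LookupError(f"no L7 proxy serves {tenant}/{pkt.service}")
        # Several proxies may hold the same config: prefer the least loaded.
        return tenant, min(candidates, key=lambda p: p.load)

    def ingress(self, tenant: str, dst_pod: str) -> bool:
        # Destination-side check: deliver only when the target pod belongs
        # to the tenant id that travelled with the packet.
        return self.pod_tenants.get(dst_pod) == tenant


def send(pkt: Packet, src_l4: L4Proxy, l7_proxies: list, l4_by_pod: dict) -> dict:
    tenant, l7 = src_l4.egress(pkt, l7_proxies)
    dst_pod = l7.route(tenant, pkt)
    delivered = l4_by_pod[dst_pod].ingress(tenant, dst_pod)
    return {"tenant": tenant, "l7": l7.name, "dst_pod": dst_pod, "delivered": delivered}


def build_demo():
    """Constructed topology: two nodes, two tenants, two shared L7 proxies."""
    node1 = L4Proxy("node-1", {"a-web": "tenant-a", "b-web": "tenant-b"})
    node2 = L4Proxy("node-2", {"a-orders-1": "tenant-a", "b-orders-1": "tenant-b"})
    l7_1 = L7Proxy("l7-1", configs={
        ("tenant-a", "orders"): ["a-orders-1"],
        ("tenant-b", "orders"): ["b-orders-1"],
        # Deliberate misconfiguration: tenant-b's route points at tenant-a's pod.
        ("tenant-b", "billing"): ["a-orders-1"],
    })
    l7_2 = L7Proxy("l7-2", load=5, configs={("tenant-a", "orders"): ["a-orders-1"]})
    l4_by_pod = {pod: n for n in (node1, node2) for pod in n.pod_tenants}
    return node1, [l7_1, l7_2], l4_by_pod


if __name__ == "__main__":
    src, proxies, by_pod = build_demo()
    for p in (Packet("a-web", "orders"), Packet("b-web", "orders"),
              Packet("b-web", "billing")):
        print(p, "->", send(p, src, proxies, by_pod))
```

The third packet shows why the destination-side tenant check matters: a wrong backend entry in the shared L7 table is caught at the receiving node instead of crossing the tenant boundary.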
PCT/CN2024/142165 2023-12-25 2024-12-25 Traffic management method, service mesh system, apparatus, and cluster Pending WO2025140263A1 (en)

Applications Claiming Priority (4)

Application Number Priority Date Filing Date Title
CN202311817785 2023-12-25
CN202311817785.7 2023-12-25
CN202410256865.8 2024-03-06
CN202410256865.8A CN120223632A (en) 2023-12-25 2024-03-06 Traffic management method, service grid system, device and cluster

Publications (1)

Publication Number Publication Date
WO2025140263A1 (en) 2025-07-03

Family

ID=96104960

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2024/142165 Pending WO2025140263A1 (en) 2023-12-25 2024-12-25 Traffic management method, service mesh system, apparatus, and cluster

Country Status (2)

Country Link
CN (1) CN120223632A (en)
WO (1) WO2025140263A1 (en)

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US11088902B1 (en) * 2020-04-06 2021-08-10 Vmware, Inc. Synchronization of logical network state between global and local managers
US20220337654A1 (en) * 2021-04-15 2022-10-20 Cloudflare, Inc. Non-http layer 7 protocol applications running in the browser
WO2023049584A1 (en) * 2021-09-27 2023-03-30 Intel Corporation Network layer 7 offload to infrastructure processing unit for service mesh
CN116232900A (en) * 2022-12-28 2023-06-06 北京君禾世纪科技有限公司 System and method for limiting and sharing application layer bandwidth based on double agents
CN116405553A (en) * 2023-03-31 2023-07-07 阿里巴巴(中国)有限公司 A system supporting multi-tenant traffic forwarding, related cloud network and forwarding method
CN116601606A (en) * 2020-12-15 2023-08-15 谷歌有限责任公司 Multitenant Control Plane Management on Computing Platforms

Also Published As

Publication number Publication date
CN120223632A (en) 2025-06-27

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 24911187

Country of ref document: EP

Kind code of ref document: A1