CN106933648A - Method and system for multi-tenant container resource management


Info

Publication number
CN106933648A
Authority
CN (China)
Prior art keywords
resource
container
tenant
identification
namespace
Legal status
Granted (active)
Application number
CN201511026623.7A
Other languages
Chinese (zh)
Other versions
CN106933648B (en)
Inventors
何震苇
杨新章
陆钢
Current assignee
China Telecom Corp Ltd
Original assignee
China Telecom Corp Ltd

Classifications

    • G06F9/45558 Hypervisor-specific management and integration aspects (under G06F9/455 Emulation; interpretation; software simulation, e.g. virtualisation or emulation of application or operating system execution engines; G06F9/45533 Hypervisors; virtual machine monitors)
    • G06F9/5027 Allocation of resources, e.g. of the central processing unit [CPU], to service a request, the resource being a machine, e.g. CPUs, servers, terminals
    • G06F9/548 Interprogram communication: remote procedure calls [RPC]; web services; object oriented; remote method invocation [RMI]
    • G06F2009/45595 Network integration; enabling network access in virtual machine instances
    • G06F2209/504 Resource capping (indexing scheme relating to G06F9/50, allocation of resources)
    • G06F2209/549 Remote execution (indexing scheme relating to G06F9/54, interprogram communication)


Abstract

The invention discloses a method and system for multi-tenant container resource management in the field of cloud computing. The method includes: a resource interface proxy module receives a resource access request sent by a tenant; the resource interface proxy module extracts a tenant identifier and a container resource identifier from the resource access request; the resource interface proxy module authenticates the request according to the tenant identifier and the container resource identifier (that is, checks that the tenant is bound to the named container resource) and sends the authentication result together with the resource access request to a resource interface module; the resource interface module performs the requested operation on the tenant's container resource. By adding the resource interface proxy module, the invention authenticates every tenant operation request and so improves system security; by opening the resource interface module to tenants, a tenant can configure resources such as images, volumes, ports and subnets more flexibly within its authorization and quota limits; and by placing the resources used by the IPC mechanism in the same namespace, inter-container communication efficiency is improved.

Description

Method and system for multi-tenant container resource management
Technical field
The present invention relates to the field of cloud computing, and more particularly to a method and system for multi-tenant container resource management.
Background art
In cloud computing, container technologies such as Docker and LXC are a recently emerged lightweight virtualization technology in which containers share the Linux kernel. Multiple containers share the compute, storage and network resources of one host, and the kernel's namespace mechanism isolates resources at container granularity. Compared with conventional virtual machine management, container resource management has a finer granularity and is correspondingly harder.
In a multi-tenant environment, however, both the container engines themselves and the existing multi-tenant virtual resource management schemes have the following shortcomings:
Mainstream container engines such as Docker, Rocket and LXC do not themselves support multiple tenants and lack tenant-level security controls. Existing multi-tenant resource management schemes generally treat a container as one kind of compute resource; for example, the OpenStack cloud management platform leases containers to tenants as a kind of virtual machine, reusing the multi-tenant model of virtual machines. This shields the container engine API (Application Programming Interface) from the tenant, so the tenant cannot dynamically configure container images, storage, ports or service resources, and container resource management is inflexible.
A container engine usually allocates an independent namespace to each container on a host. Each namespace has its own resource view (processes, IPC, users, and so on), and the resources of one namespace are invisible to every other namespace, so containers cannot communicate directly through the efficient IPC (Inter-Process Communication) mechanisms such as shared memory, semaphores and pipes. The container resource management architecture of the prior art is shown in Fig. 1 and includes a virtual machine resource manager 101, a virtual machine tenant manager 102 and a container host 100. The container host 100 contains a container engine 103; the container engine 103 contains a container resource API service and a container resource configurator 105, whose container configuration 1051, storage configuration 1052 and network configuration 1053 configure the respective container resources. Even when containers of the same tenant run on the same host, for example container 1 and container 2 belonging to the same tenant, they cannot use the efficient IPC mechanism and are limited to the comparatively inefficient RPC (Remote Procedure Call) mechanisms (network communication, files, sockets). Communication between the containers of one tenant is therefore relatively inefficient, and an effective management mechanism for multi-tenancy is lacking.
Summary of the invention
The inventors have found that the prior art has the problems described above, and therefore propose a new technical solution for at least one of them.
According to one aspect of the present invention, a method for multi-tenant container resource management is disclosed, comprising:
a resource interface proxy module receiving a resource access request sent by a tenant;
the resource interface proxy module extracting a tenant identifier and a container resource identifier from the resource access request;
the resource interface proxy module authenticating according to the tenant identifier and the container resource identifier, and sending the authentication result and the resource access request to a resource interface module;
the resource interface module performing the corresponding operation on the tenant's container resource according to the resource access request.
In one embodiment, the step of the resource interface module performing the corresponding operation on the tenant's container resource according to the resource access request includes:
the resource interface module communicating using the inter-process communication (IPC) mechanism for resources under the tenant's main namespace, and using the remote procedure call (RPC) mechanism for resources of different tenants.
In one embodiment, the step of the resource interface proxy module authenticating according to the tenant identifier and the container resource identifier includes:
the resource interface proxy module judging whether a binding relationship between the tenant identifier and the container resource identifier is cached;
if the binding relationship is cached, the resource interface proxy module authenticating according to the cached binding relationship.
In one embodiment, the method further includes: if the binding relationship is not cached, the resource interface proxy module sending the tenant identifier and the container resource identifier to a resource manager for authentication;
the resource manager sending the authentication result to the resource interface proxy module;
the resource interface proxy module caching the authentication result.
In one embodiment, the method further includes:
the resource interface proxy module receiving a container creation request sent by a tenant;
the resource interface proxy module extracting the tenant identifier from the container creation request and generating a container resource identifier;
the resource interface proxy module binding the tenant identifier to the container resource identifier, and saving the binding relationship to the resource manager;
the resource interface proxy module sending the container creation request, the tenant identifier and the container resource identifier to a resource scheduler through the resource interface module;
the resource scheduler instructing a resource configurator to configure the container resources.
In one embodiment, the resource scheduler instructing the resource configurator to configure the container resources includes container configuration, storage configuration, network configuration and IPC configuration.
In one embodiment, the IPC configuration step includes:
the resource configurator judging whether a main namespace of the tenant exists;
if the main namespace does not exist, the resource configurator creating the main namespace and mounting the IPC resources in it, and creating a sub-namespace and mounting the non-IPC resources in it.
In one embodiment, the method further includes:
if the main namespace exists, the resource configurator mounting the IPC resources in the existing main namespace, and creating a sub-namespace and mounting the non-IPC resources in it.
According to another aspect of the present invention, a system for multi-tenant container resource management is provided, comprising:
a resource interface proxy module, configured to receive a resource access request sent by a tenant; extract a tenant identifier and a container resource identifier from the resource access request; authenticate according to the tenant identifier and the container resource identifier; and send the authentication result and the resource access request to a resource interface module;
a resource interface module, configured to perform the corresponding operation on the tenant's container resource according to the resource access request.
In one embodiment, the resource interface module is specifically configured to communicate using the inter-process communication (IPC) mechanism for resources under the tenant's main namespace, and using the remote procedure call (RPC) mechanism for resources of different tenants.
In one embodiment, the resource interface proxy module is specifically configured to judge whether a binding relationship between the tenant identifier and the container resource identifier is cached and, if it is, to authenticate according to the cached binding relationship.
In one embodiment, the system further includes a resource manager, wherein:
the resource interface proxy module is further configured, if the binding relationship is not cached, to send the tenant identifier and the container resource identifier to the resource manager for authentication, and to cache the authentication result it receives;
the resource manager is configured to authenticate according to the tenant identifier and the container resource identifier, and to send the authentication result to the resource interface proxy module.
In one embodiment, the system further includes a resource scheduler and a resource configurator, wherein:
the resource interface proxy module is further configured to receive a container creation request sent by a tenant; extract the tenant identifier from the container creation request and generate a container resource identifier; bind the tenant identifier to the container resource identifier and save the binding relationship to the resource manager; and send the container creation request, the tenant identifier and the container resource identifier to the resource scheduler through the resource interface module;
the resource manager is further configured to save the binding relationship between the tenant identifier and the container resource identifier;
the resource scheduler is configured to instruct the resource configurator to configure the container resources;
the resource configurator is configured to configure the container resources according to the instruction of the resource scheduler.
In one embodiment, the resource configurator includes:
a container configuration module, for the container configuration of the container resources;
a storage configuration module, for the storage configuration of the container resources;
a network configuration module, for the network configuration of the container resources;
an IPC configuration module, for the IPC configuration of the container resources.
In one embodiment, the IPC configuration module is specifically configured to judge whether a main namespace of the tenant exists; if it does not, to create the main namespace and mount the IPC resources in it, and to create a sub-namespace and mount the non-IPC resources in it.
In one embodiment, the IPC configuration module is further configured, if the main namespace exists, to mount the IPC resources in the existing main namespace, and to create a sub-namespace and mount the non-IPC resources in it.
The method and system for multi-tenant container resource management of the present invention add a resource interface proxy module that authenticates the tenant's operation requests, which improves system security; open the resource interface module to tenants, so that a tenant can configure resources such as images, volumes, ports and subnets more flexibly within its authorization and quota limits; and place the resources of the IPC mechanism in the same namespace, which improves inter-container communication efficiency.
Brief description of the drawings
In order to explain the technical solutions of the embodiments of the present invention more clearly, the drawings needed to describe the embodiments are briefly introduced below. Obviously, the drawings described below are only some embodiments of the invention, and those of ordinary skill in the art can derive other drawings from them without creative effort.
Fig. 1 is the system architecture diagram of container resource management in the prior art.
Fig. 2 is a flow chart of one embodiment of the method for multi-tenant container resource management of the present invention.
Fig. 3 is a flow chart of the authentication process of the present invention.
Fig. 4 is a flow chart of container resource creation in the present invention.
Fig. 5 is a flow chart of IPC resource configuration during container resource creation in the present invention.
Fig. 6 is a schematic diagram of one embodiment of the system for multi-tenant container resource management of the present invention.
Fig. 7 is the system architecture diagram of multi-tenant container resource management of the present invention.
Specific embodiments
The technical solutions of the embodiments of the present invention are described clearly and completely below with reference to the drawings. Obviously, the embodiments described are only some of the embodiments of the invention rather than all of them. All other embodiments that those of ordinary skill in the art obtain from the embodiments of the present invention without creative effort fall within the scope of protection of the invention.
Fig. 2 is a flow chart of one embodiment of the method for multi-tenant container resource management of the present invention, and Fig. 7 is the system architecture diagram of multi-tenant container resource management of the present invention. The steps of the method are described with reference to Figs. 2 and 7.
Step 201: the resource interface proxy module 701 (for example, a container resource API service proxy) receives a resource access request sent by a tenant.
Step 202: the resource interface proxy module 701 extracts the tenant identifier and the container resource identifier from the resource access request. A tenant's container resources include, but are not limited to, images, containers, services, volumes and subnets. Each container resource has a GUID (Globally Unique Identifier), which serves as the container resource identifier.
Step 203: the resource interface proxy module 701 authenticates according to the tenant identifier and the container resource identifier, and sends the authentication result and the resource access request to the resource interface module 702 (for example, the container resource API service). In this embodiment, both the resource interface proxy module 701 and the resource interface module 702 are located in the container engine of the container host 700.
Step 204: the resource interface module 702 performs the corresponding operation on the tenant's container resource according to the resource access request. Unlike the prior art, the invention opens the resource interface module 702 to the tenant: once the tenant's request has passed authentication, the tenant can operate its own containers through the resource interface module 702.
In one embodiment, after the tenant's request has passed authentication, the resource interface module 702 communicates using the IPC mechanism for resources under the tenant's main namespace and using the RPC mechanism for resources of different tenants. In other words, separate namespaces divide the IPC resources of a tenant's containers from their non-IPC resources: the IPC resources of one tenant are shared, the non-IPC resources are isolated from each other, and the containers of different tenants are isolated from each other. IPC resources here include kernel communication mechanisms such as pipes, semaphores and shared memory; RPC resources mainly include network communication mechanisms such as sockets and message queues.
As shown in Fig. 7, tenant A has the container resources container 1 and container 2, whose IPC resource is IPC_A. The resources of container 1 and container 2 mounted under the main namespace communicate through IPC_A using the IPC mechanism, and communicate with the resources of tenant B using the RPC mechanism. Tenant B has container 3 and the resource IPC_B under its own main namespace; when resource IPC_A of tenant A communicates with resource IPC_B of tenant B, the RPC mechanism is used.
Thus IPC resources communicate through the IPC mechanism, which is more efficient than the RPC mechanism, and the added authentication mechanism improves the security of the system.
Fig. 3 is a flow chart of the authentication process of the present invention. With reference to Figs. 3 and 7, the method steps of this embodiment are as follows:
Step 301: the resource interface proxy module 701 (for example, the container resource API service proxy) receives a resource access request sent by a tenant.
Step 302: the resource interface proxy module 701 extracts the tenant identifier and the container resource identifier from the resource access request.
Step 303: the resource interface proxy module 701 judges whether a binding relationship between the tenant identifier and the container resource identifier is cached. If the binding relationship is cached, proceed to step 304; if it is not cached, proceed to step 305.
Step 304: the resource interface proxy module 701 authenticates according to the cached binding relationship, and then proceeds to step 308.
Step 305: the resource interface proxy module 701 sends the tenant identifier and the container resource identifier to the resource manager 800 (for example, a tenant resource manager) for authentication.
The binding relationships between tenant identifiers and container resource identifiers are stored in the resource catalogue of the resource manager 800. When the resource interface proxy module 701 has cached a binding relationship, it can authenticate from the cache, which shortens the authentication time and improves authentication efficiency; when the binding relationship is not cached, the resource manager 800 performs the authentication.
Step 306: the resource manager 800 sends the authentication result to the resource interface proxy module 701.
Step 307: the resource interface proxy module 701 caches the authentication result.
Step 308: the resource interface module 702 performs the corresponding operation on the tenant's container resource according to the resource access request.
In the embodiment of Fig. 3, the resource interface proxy module 701 authenticates every tenant resource access request, which ensures that a tenant can operate only its own resources and can perform a resource operation only after authentication has passed, strengthening the security of tenants' handling of container resources.
Fig. 4 is a flow chart of container resource creation in the present invention. With reference to Figs. 4 and 7, the method steps of this embodiment are as follows:
Step 401: the resource interface proxy module 701 receives a container creation request sent by a tenant.
Step 402: the resource interface proxy module 701 extracts the tenant identifier from the container creation request and generates a container resource identifier. The container resources a tenant can create include, but are not limited to, images, containers, services, volumes and subnets. The resource interface proxy module 701 creates a GUID (Globally Unique Identifier) for each container resource, which serves as the container resource identifier.
Step 403: the resource interface proxy module 701 binds the tenant identifier to the container resource identifier, and saves the binding relationship to the resource manager 800.
In one embodiment, the resource interface proxy module 701 can bind the tenant identifier to the container resource identifier in any of the following four ways:
Mode one: extend the HTTP (HyperText Transfer Protocol) header with an HTTP header field tenantID that carries the tenant identifier.
Mode two: extend the URI (Uniform Resource Identifier) with a URI prefix that carries the tenant identifier.
Mode three: extend the query parameters with a query parameter that carries the tenant identifier.
Mode four: extend the resource identifier parameter of the existing API by prefixing the tenant identifier to the value of the container resource identifier parameter, i.e. container resource identifier = <tenant identifier prefix>:<resource identifier>.
Step 404: the resource interface proxy module 701 sends the container creation request, the tenant identifier and the container resource identifier to the resource scheduler 703 through the resource interface module 702.
Step 405: the resource scheduler 703 instructs the resource configurator 704 to configure the container resources. In one embodiment, the container configuration module 7041, the storage configuration module 7042, the network configuration module 7043 and the IPC configuration module 7044 in the resource configurator 704 perform the container configuration, storage configuration, network configuration and IPC configuration respectively.
In the embodiment of Fig. 4, the tenant identifier is bound to the container resource identifier through one of the four extensions above, which makes authentication straightforward when the tenant later invokes the container resource and strengthens the security of tenants' handling of container resources.
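The binding step of Fig. 4 (steps 401 to 403) together with the cached authentication of Fig. 3 (steps 301 to 308), as a runnable model added here; it is an example and not the patent's own code. It assumes concrete carriers for the four binding modes (a tenantID header, a /tenants/<tenant id>/ URI prefix, a tenant query parameter, and a <tenant id>:<resource id> value in the resource identifier parameter) and, going one step beyond what the patent states, treats the tenant identifier carried in the request as a claim that must match the tenant the gateway has already authenticated (Request.principal): without that comparison any tenant could place another tenant's identifier in a header and pass the binding check. The resource manager's catalogue is an in-memory stand-in, and the requests in demo() are constructed.

```python
import uuid
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlsplit

TENANT_HEADER = "tenantid"   # mode one (assumed header name; compared case-insensitively)
URI_PREFIX = "tenants"       # mode two: /tenants/<tenant_id>/... (assumed prefix)
QUERY_PARAM = "tenant"       # mode three: ?tenant=<tenant_id> (assumed parameter name)
COLLECTIONS = {"images", "containers", "services", "volumes", "ports", "subnets"}


@dataclass
class Request:
    method: str
    uri: str
    headers: dict = field(default_factory=dict)
    principal: str = ""  # tenant proven by the gateway's own authentication, never taken from the client


def extract_ids(req):
    """Return (tenant_id, resource_id) using the patent's four carrying modes, tried in order."""
    parts = urlsplit(req.uri)
    segments = [s for s in parts.path.split("/") if s]
    headers = {k.lower(): v for k, v in req.headers.items()}
    query = parse_qs(parts.query)
    tenant_id = None
    if TENANT_HEADER in headers:
        tenant_id = headers[TENANT_HEADER]
    elif len(segments) >= 2 and segments[0] == URI_PREFIX:
        tenant_id, segments = segments[1], segments[2:]
    elif QUERY_PARAM in query:
        tenant_id = query[QUERY_PARAM][0]
    resource_id = segments[-1] if segments and segments[-1] not in COLLECTIONS else None
    if tenant_id is None and resource_id and ":" in resource_id:  # mode four: <tenant>:<resource>
        tenant_id, resource_id = resource_id.split(":", 1)
    return tenant_id, resource_id


class ResourceManager:
    # Authoritative resource catalogue: which tenant each container GUID is bound to.
    def __init__(self):
        self.catalogue = {}  # resource_id -> tenant_id
    def save_binding(self, tenant_id, resource_id):
        self.catalogue[resource_id] = tenant_id
    def drop_binding(self, resource_id):
        self.catalogue.pop(resource_id, None)
    def authenticate(self, tenant_id, resource_id):
        return self.catalogue.get(resource_id) == tenant_id


class ResourceInterfaceProxy:
    # Container resource API service proxy: authenticate first, then hand the request to the engine.
    def __init__(self, manager):
        self.manager = manager
        self.cache = {}   # (tenant_id, resource_id) -> authentication result
        self.lookups = 0  # round trips to the resource manager, to make the cache visible
    def _claimed_ids(self, req):
        tenant_id, resource_id = extract_ids(req)
        if tenant_id is None:
            raise PermissionError("request carries no tenant identifier")
        if tenant_id != req.principal:  # the carried tenant id is a claim, not a credential
            raise PermissionError("claimed tenant does not match the authenticated principal")
        return tenant_id, resource_id
    def create_container(self, req):
        tenant_id, _ = self._claimed_ids(req)
        resource_id = str(uuid.uuid4())  # the container resource GUID
        self.manager.save_binding(tenant_id, resource_id)
        self.cache[(tenant_id, resource_id)] = True
        return resource_id
    def access(self, req):
        tenant_id, resource_id = self._claimed_ids(req)
        if resource_id is None:
            raise ValueError("request names no container resource")
        key = (tenant_id, resource_id)
        if key not in self.cache:  # miss: ask the resource manager once and cache its answer
            self.cache[key] = self.manager.authenticate(tenant_id, resource_id)
            self.lookups += 1
        if not self.cache[key]:
            raise PermissionError(f"{tenant_id} is not bound to {resource_id}")
        if req.method == "DELETE":  # evict with the binding so a stale 'allow' cannot outlive it
            self.manager.drop_binding(resource_id)
            self.cache.pop(key)
        return {"ok": True, "op": req.method, "resource": resource_id}  # handed to the engine


def _denied(proxy, req):
    try:
        proxy.access(req)
        return False
    except PermissionError:
        return True


def demo():
    """Constructed traffic: owner access, a cross-tenant attempt, and a spoofed tenant claim."""
    proxy = ResourceInterfaceProxy(ResourceManager())
    cid = proxy.create_container(Request("POST", "/tenants/tenant-a/containers", principal="tenant-a"))
    owner = proxy.access(Request("GET", f"/containers/{cid}", {"tenantID": "tenant-a"}, "tenant-a"))
    out = {"owner_ok": owner["ok"], "lookups_after_owner": proxy.lookups}  # served from the cache
    # tenant B names A's container under its own prefix: catalogue consulted once, then denied
    out["cross_tenant_denied"] = _denied(proxy, Request("DELETE", f"/containers/tenant-b:{cid}", principal="tenant-b"))
    out["lookups_after_cross"] = proxy.lookups
    # tenant B claims tenant A's identifier in the query string: rejected before any lookup
    out["spoof_denied"] = _denied(proxy, Request("GET", f"/containers/{cid}?tenant=tenant-a", principal="tenant-b"))
    out["lookups_after_spoof"] = proxy.lookups
    return cid, out
```

Negative results are cached as well, as steps 306 and 307 describe, so a second probe of the same foreign GUID costs no round trip; the DELETE branch evicts the cache entry together with the catalogue binding so that a cached allow cannot outlive the resource it was granted for.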
Fig. 5 is a flow chart of IPC resource configuration during container resource creation in the present invention. With reference to Figs. 5 and 7, the method steps of this embodiment are as follows:
Step 501: the IPC configuration module 7044 in the resource configurator 704 judges whether the main namespace of the tenant that submitted the container creation request exists. If it does not exist, proceed to step 502; if it exists, proceed to step 503.
Step 502: when the tenant's main namespace does not exist, the IPC configuration module 7044 creates a main namespace for the tenant and mounts the IPC resources in it, so that the IPC resources can communicate efficiently through the IPC mechanism; for tenant A in Fig. 7, for example, the resource IPC_A of container 1 and container 2 is mounted in tenant A's main namespace. It then creates sub-namespaces and mounts the non-IPC resources in them; for example, process 1 and file 1 of container 1 and process 2 and file 2 of container 2 of tenant A in Fig. 7 are mounted in the respective sub-namespaces.
Step 503: when the tenant's main namespace already exists, the IPC configuration module 7044 mounts the IPC resources in that main namespace, creates a sub-namespace and mounts the non-IPC resources in it.
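Steps 501 to 503 mapped onto a real container engine, as an added example that is neither the patent's code nor Docker's: the tenant's main namespace is realised as one long-lived holder container started with Docker's --ipc=shareable, and every container of that tenant joins it with --ipc=container:<holder>, so System V IPC objects and /dev/shm are shared among the tenant's containers while their pid, mount and network namespaces stay per container (the patent's sub-namespace). A container of another tenant lives in a different IPC namespace and cannot even name those objects, so it is reachable only over the network, which is the RPC path the text describes. The holder image, the naming scheme and the shm quota are assumptions; same_ipc_namespace() is the check to run afterwards on a Linux host.

```python
import os
import shlex

HOLDER_IMAGE = "registry.example/ns-holder:latest"  # assumed: a minimal image whose entrypoint just sleeps


class IpcConfigurator:
    def __init__(self):
        self.main_namespaces = {}  # tenant_id -> holder container name
        self.commands = []         # docker argv lists, in execution order

    def _ensure_main_namespace(self, tenant_id, shm_size):
        """Steps 501/502: create the tenant's main (IPC) namespace only if it does not exist yet."""
        holder = self.main_namespaces.get(tenant_id)
        if holder is None:
            holder = f"ipc-main-{tenant_id}"
            self.commands.append([
                "docker", "run", "-d", "--name", holder, "--label", f"tenant={tenant_id}",
                "--ipc=shareable",               # make this container's IPC namespace joinable
                f"--shm-size={shm_size}",        # the tenant-wide /dev/shm quota lives on the holder
                "--network=none", "--read-only",  # the holder does nothing but hold the namespace
                HOLDER_IMAGE,
            ])
            self.main_namespaces[tenant_id] = holder
        return holder

    def configure_container(self, tenant_id, resource_id, image, shm_size="64m"):
        """Steps 502/503: IPC resources into the main namespace, everything else stays per container."""
        holder = self._ensure_main_namespace(tenant_id, shm_size)
        argv = [
            "docker", "run", "-d", "--name", f"{tenant_id}-{resource_id}",
            "--label", f"tenant={tenant_id}",
            f"--ipc=container:{holder}",  # IPC resources: join the tenant's main namespace
            # no --pid or --network sharing: processes, mounts and network remain in this
            # container's own namespaces, which is the patent's sub-namespace
            image,
        ]
        self.commands.append(argv)
        return argv

    def render(self):
        """The plan as shell lines a runner would execute in order."""
        return "\n".join(shlex.join(cmd) for cmd in self.commands)


def same_ipc_namespace(pid_a, pid_b):
    """Post-deployment check (Linux only): two processes share an IPC namespace iff their
    /proc/<pid>/ns/ipc links resolve to the same 'ipc:[inode]'. Container PIDs come from
    `docker inspect -f '{{.State.Pid}}' <name>`."""
    return os.readlink(f"/proc/{pid_a}/ns/ipc") == os.readlink(f"/proc/{pid_b}/ns/ipc")


def plan():
    """Constructed plan: two containers of tenant A, then one of tenant B."""
    cfg = IpcConfigurator()
    cfg.configure_container("tenant-a", "c1", "app:1.0")
    cfg.configure_container("tenant-a", "c2", "app:1.0")  # reuses tenant A's main namespace (step 503)
    cfg.configure_container("tenant-b", "c3", "app:1.0")  # first container of tenant B: new holder (step 502)
    return cfg
```

A dedicated holder rather than the tenant's first application container owns the namespace, so that deleting whichever container happened to be created first does not take the tenant's shared IPC namespace with it. Expect two holders and three application containers from plan(); after starting them, same_ipc_namespace() on the PIDs of tenant-a-c1 and tenant-a-c2 is true and on tenant-a-c1 and tenant-b-c3 is false.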
Those skilled in the art will appreciate from the present invention that, where necessary, a container can be bound to a network port mapping so that containers can communicate across hosts.
The method for multi-tenant container resource management of the present invention opens the resource interface module to tenants, which improves the flexibility of tenant resource operations: after authentication passes, a tenant can itself configure container resources such as images, volumes, ports and subnets, and the security of tenant operations is guaranteed within the scope of its authorization. By mounting the IPC resources in a main namespace, the containers of a tenant can communicate through the efficient IPC mechanism; at the same time the system of the present invention can adopt a clustered architecture and scale smoothly.
Fig. 6 is the one embodiment of the present invention for the system of multi-tenant container resource management Schematic diagram.As shown in fig. 6, system of the invention includes:
Resource interface proxy module 601 is used to receive the resource access request of tenant's transmission;From money Tenant identification and container resource identification are extracted in the access request of source;Provided according to tenant identification and container Source mark is authenticated, and authenticating result and resource access request are sent to resource interface module 602。
Resource interface module 602 is used to enter the container resource of tenant according to resource access request The corresponding operation of row.For example, logical using IPC mechanism to the resource under the main NameSpace of tenant Letter, is communicated to the resource between different tenants using RPC mechanism.
By the division of main NameSpace and sub- NameSpace so that tenant IPC resources can be with Communicated using IPC mechanism, improve volumetric efficiency.
Fig. 7 is system architecture diagram of the invention.As described in Figure 7, including resource interface acts on behalf of mould Block 701, resource interface module 702, with the resource interface proxy module 601 shown in Fig. 6, Resource interface module 602 is same or like, also including explorer 800, wherein,
Resource interface proxy module 701 is specifically for judging whether to be cached with the tenant identification With the binding relationship of container resource identification;If being cached with the binding relationship, tied up according to Determine relation to be authenticated.If not caching binding relationship, by tenant identification and container resource mark Knowledge is sent to explorer 800 and is authenticated;The authenticating result of reception is cached.
Explorer 800 is used to be authenticated according to tenant identification and container resource identification;Will Authenticating result is sent to resource interface proxy module 702.
In one embodiment, the system of the invention further includes a resource scheduler 703 and a resource configurator 704, wherein:
Resource interface proxy module 701 is further used to receive a container creation request sent by a tenant; extract the tenant identification from the container creation request and generate a container resource identification; bind the tenant identification and the container resource identification, and save the binding relationship to resource manager 800; and send the container creation request, the tenant identification and the container resource identification through resource interface module 702 to resource scheduler 703.
Resource manager 800 is further used to save the binding relationship between the tenant identification and the container resource identification.
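The authentication and caching flow of modules 701 and 800, modelled in Python as an added example (not code from the patent; all class, method and field names, the container id scheme and the `invalidate` helper are assumptions):

```python
"""Model of the resource interface proxy (701), resource interface module (702)
and resource manager (800): bindings are created at container-creation time,
authentication results are cached locally, and the manager is asked on a miss.
Added example; names are assumptions, not the patent's own code."""
from dataclasses import dataclass, field
from itertools import count


@dataclass
class ResourceManager:
    """Authoritative store of tenant -> container bindings (resource manager 800)."""
    bindings: dict = field(default_factory=dict)   # container_id -> tenant_id
    auth_calls: int = 0                             # round trips to the manager

    def save_binding(self, tenant_id: str, container_id: str) -> None:
        self.bindings[container_id] = tenant_id

    def authenticate(self, tenant_id: str, container_id: str) -> bool:
        self.auth_calls += 1
        return self.bindings.get(container_id) == tenant_id


@dataclass
class ResourceInterfaceModule:
    """Resource interface module 702: performs the operation once authenticated."""
    ops_log: list = field(default_factory=list)

    def operate(self, tenant_id: str, container_id: str, op: str) -> bool:
        self.ops_log.append((tenant_id, container_id, op))
        return True


@dataclass
class ResourceInterfaceProxy:
    """Resource interface proxy module 701."""
    manager: ResourceManager
    interface: ResourceInterfaceModule
    cache: dict = field(default_factory=dict)       # (tenant_id, container_id) -> bool
    _ids: count = field(default_factory=count)      # constructed id generator (assumption)

    def create_container(self, request: dict) -> str:
        """Extract the tenant id, generate a container id, bind and persist the binding."""
        tenant_id = request["tenant_id"]
        container_id = f"ctr-{next(self._ids)}"
        self.manager.save_binding(tenant_id, container_id)
        return container_id

    def access(self, request: dict) -> bool:
        """Authenticate (cache first, manager on a miss), then perform the operation."""
        tenant_id, container_id = request["tenant_id"], request["container_id"]
        key = (tenant_id, container_id)
        allowed = self.cache.get(key)
        if allowed is None:                          # cache miss: ask the resource manager
            allowed = self.manager.authenticate(tenant_id, container_id)
            self.cache[key] = allowed                # both allow and deny results are cached
        if not allowed:
            return False                             # request never reaches module 702
        return self.interface.operate(tenant_id, container_id, request["op"])

    def invalidate(self, container_id: str) -> None:
        """Drop cached results for a container whose binding changed (not in the patent;
        without it a cached allow would outlive the binding it was derived from)."""
        for key in [k for k in self.cache if k[1] == container_id]:
            del self.cache[key]
```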
Resource scheduler 703 is used to instruct resource configurator 704 to configure the container resource.
Resource configurator 704 is used to configure the container resource according to the instruction of resource scheduler 703. Resource configurator 704 includes a container configuration module 7041, a storage configuration module 7042, a network configuration module 7043 and an IPC configuration module 7044, which perform container configuration, storage configuration, network configuration and IPC configuration respectively.
IPC configuration module 7044 is specifically used to judge whether the tenant's main namespace exists; when the main namespace does not exist, it creates the main namespace and mounts the IPC resources into the main namespace, and creates a sub-namespace and mounts the non-IPC resources into the sub-namespace.
IPC configuration module 7044 is further used, when the main namespace exists, to mount the IPC resources into the main namespace, and to create a sub-namespace and mount the non-IPC resources into the sub-namespace.
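The main/sub-namespace split performed by IPC configuration module 7044, together with the IPC-versus-RPC choice described for the resource interface module, modelled as an added example (not the patent's code; class and method names and the namespace naming scheme are assumptions):

```python
"""Model of IPC configuration module 7044: one main namespace per tenant holds the
IPC resources, every container gets its own sub-namespace for non-IPC resources,
and communication is IPC within a tenant and RPC across tenants.
Added example; names are assumptions, not the patent's own code."""
from dataclasses import dataclass, field


@dataclass
class Namespace:
    name: str
    resources: list = field(default_factory=list)


@dataclass
class IPCConfigurator:
    main_ns: dict = field(default_factory=dict)    # tenant_id -> main Namespace
    sub_ns: dict = field(default_factory=dict)     # container_id -> sub Namespace
    owner: dict = field(default_factory=dict)      # container_id -> tenant_id

    def configure(self, tenant_id: str, container_id: str, resources: list):
        """resources: list of (resource_name, is_ipc) pairs for the new container."""
        main = self.main_ns.get(tenant_id)
        if main is None:                           # no main namespace yet: create it
            main = Namespace(f"{tenant_id}-main")  # naming scheme is an assumption
            self.main_ns[tenant_id] = main
        sub = Namespace(f"{container_id}-sub")     # always a fresh sub-namespace
        for name, is_ipc in resources:
            # IPC resources are shared by all of the tenant's containers, so the
            # isolation boundary for IPC objects is the tenant, not the container
            (main if is_ipc else sub).resources.append(name)
        self.sub_ns[container_id] = sub
        self.owner[container_id] = tenant_id
        return main, sub

    def choose_transport(self, src_container: str, dst_container: str) -> str:
        """Same tenant (shared main namespace) -> IPC; different tenants -> RPC."""
        src, dst = self.owner.get(src_container), self.owner.get(dst_container)
        if src is None or dst is None:
            raise ValueError("unknown container")
        return "IPC" if src == dst else "RPC"
```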
The system for multi-tenant container resource management of the invention opens a resource interface module to tenants, which improves the flexibility of tenant resource operations: after passing authentication, a tenant can configure container resources such as images, volumes, ports and subnets by itself, within the scope of its authority, which ensures the security of tenant operations. By mounting IPC resources in the main namespace, containers of the same tenant can communicate through the efficient IPC mechanism; at the same time, the system of the invention can use a clustered structure and be extended smoothly.
One of ordinary skill in the art will appreciate that all or part of the steps of the above embodiments can be completed by hardware, or by a program instructing the relevant hardware; the program can be stored in a computer-readable storage medium, and the storage medium can be a read-only memory, a magnetic disk, an optical disc, or the like.
The description of the invention is given for the sake of example and description, and is not exhaustive or intended to limit the invention to the disclosed form. Many modifications and variations are obvious to those of ordinary skill in the art. The embodiments were selected and described to better explain the principles and practical application of the invention, and to enable one of ordinary skill in the art to understand the invention so as to design various embodiments, with various modifications, suited to a particular use.

Claims (16)

1. A method for multi-tenant container resource management, characterized by comprising:
a resource interface proxy module receiving a resource access request sent by a tenant;
the resource interface proxy module extracting a tenant identification and a container resource identification from the resource access request;
the resource interface proxy module authenticating according to the tenant identification and the container resource identification, and sending an authentication result and the resource access request to a resource interface module;
the resource interface module performing a corresponding operation on the container resource of the tenant according to the resource access request.
2. The method according to claim 1, characterized in that the step of the resource interface module performing a corresponding operation on the container resource of the tenant according to the resource access request comprises:
the resource interface module communicating with resources under the main namespace of the tenant using an inter-process communication (IPC) mechanism, and communicating with resources between different tenants using a remote procedure call (RPC) mechanism.
3. The method according to claim 1, characterized in that the step of the resource interface proxy module authenticating according to the tenant identification and the container resource identification comprises:
the resource interface proxy module judging whether a binding relationship between the tenant identification and the container resource identification is cached;
if the binding relationship is cached, the resource interface proxy module authenticating according to the binding relationship.
4. The method according to claim 3, characterized by further comprising:
if the binding relationship is not cached, the resource interface proxy module sending the tenant identification and the container resource identification to a resource manager for authentication;
the resource manager sending an authentication result to the resource interface proxy module;
the resource interface proxy module caching the authentication result.
5. The method according to claim 1, characterized by further comprising:
the resource interface proxy module receiving a container creation request sent by the tenant;
the resource interface proxy module extracting the tenant identification from the container creation request and generating a container resource identification;
the resource interface proxy module binding the tenant identification and the container resource identification, and saving the binding relationship to the resource manager;
the resource interface proxy module sending the container creation request, the tenant identification and the container resource identification through the resource interface module to a resource scheduler;
the resource scheduler instructing a resource configurator to configure the container resource.
6. The method according to claim 5, characterized in that the configuration of the container resource performed by the resource configurator as instructed by the resource scheduler comprises container configuration, storage configuration, network configuration and IPC configuration.
7. The method according to claim 6, characterized in that the step of IPC configuration comprises:
the resource configurator judging whether a main namespace of the tenant exists;
when the main namespace does not exist, the resource configurator creating the main namespace and mounting IPC resources into the main namespace; and creating a sub-namespace and mounting non-IPC resources into the sub-namespace.
8. The method according to claim 6, characterized by further comprising:
when the main namespace exists, the resource configurator mounting the IPC resources into the main namespace; and creating a sub-namespace and mounting the non-IPC resources into the sub-namespace.
9. A system for multi-tenant container resource management, characterized by comprising:
a resource interface proxy module, for receiving a resource access request sent by a tenant; extracting a tenant identification and a container resource identification from the resource access request; authenticating according to the tenant identification and the container resource identification, and sending an authentication result and the resource access request to a resource interface module;
a resource interface module, for performing a corresponding operation on the container resource of the tenant according to the resource access request.
10. The system according to claim 9, characterized in that the resource interface module is specifically for communicating with resources under the main namespace of the tenant using an inter-process communication (IPC) mechanism, and communicating with resources between different tenants using a remote procedure call (RPC) mechanism.
11. The system according to claim 9, characterized in that the resource interface proxy module is specifically for judging whether a binding relationship between the tenant identification and the container resource identification is cached; and, if the binding relationship is cached, authenticating according to the binding relationship.
12. The system according to claim 10, characterized by further comprising a resource manager, wherein
the resource interface proxy module is further for, if the binding relationship is not cached, sending the tenant identification and the container resource identification to the resource manager for authentication, and caching the received authentication result;
the resource manager is for authenticating according to the tenant identification and the container resource identification, and sending the authentication result to the resource interface proxy module.
13. The system according to claim 9, characterized by further comprising a resource scheduler and a resource configurator, wherein
the resource interface proxy module is further for receiving a container creation request sent by the tenant; extracting the tenant identification from the container creation request and generating a container resource identification; binding the tenant identification and the container resource identification, and saving the binding relationship to the resource manager; and sending the container creation request, the tenant identification and the container resource identification through the resource interface module to the resource scheduler;
the resource manager is further for saving the binding relationship between the tenant identification and the container resource identification;
the resource scheduler is for instructing the resource configurator to configure the container resource;
the resource configurator is for configuring the container resource according to the instruction of the resource scheduler.
14. The system according to claim 13, characterized in that the resource configurator comprises:
a container configuration module, for the container configuration of the container resource;
a storage configuration module, for the storage configuration of the container resource;
a network configuration module, for the network configuration of the container resource;
an IPC configuration module, for the IPC configuration of the container resource.
15. The system according to claim 14, characterized in that
the IPC configuration module is specifically for judging whether a main namespace of the tenant exists; when the main namespace does not exist, creating the main namespace and mounting IPC resources into the main namespace; and creating a sub-namespace and mounting non-IPC resources into the sub-namespace.
16. The system according to claim 14, characterized in that
the IPC configuration module is further for, when the main namespace exists, mounting the IPC resources into the main namespace; and creating a sub-namespace and mounting the non-IPC resources into the sub-namespace.
CN201511026623.7A 2015-12-31 2015-12-31 Method and system for multi-tenant container resource management Active CN106933648B (en)

Publications (2)

Publication Number Publication Date
CN106933648A true CN106933648A (en) 2017-07-07
CN106933648B CN106933648B (en) 2020-11-03