CN106933648A - For the method and system of multi-tenant container resource management - Google Patents
- Publication number: CN106933648A (application CN201511026623.7A)
- Authority: CN (China)
- Prior art keywords: resource, container, tenant, identification, namespace
- Legal status: Granted (the status shown by Google Patents is an assumption, not a legal conclusion)
Classifications (all under G06F, electric digital data processing)
- G06F9/45558: Hypervisor-specific management and integration aspects
- G06F2009/45595: Network integration; enabling network access in virtual machine instances
- G06F9/5027: Allocation of resources to service a request, the resource being a machine (e.g. CPUs, servers, terminals)
- G06F9/548: Remote procedure calls [RPC]; object oriented; remote method invocation [RMI]
- G06F2209/504: Resource capping
- G06F2209/549: Remote execution
Abstract
The invention discloses a method and system for multi-tenant container resource management in the field of cloud computing. The method includes: a resource interface proxy module receives a resource access request sent by a tenant; the resource interface proxy module extracts a tenant identifier and a container resource identifier from the resource access request; the resource interface proxy module authenticates the request according to the tenant identifier and the container resource identifier, and sends the authentication result and the resource access request to a resource interface module; the resource interface module performs the corresponding operation on the tenant's container resource according to the resource access request. By adding the resource interface proxy module, the invention authenticates tenants' operation requests and improves the security of the system; by opening the resource interface module to tenants, a tenant can configure resources such as images, volumes, ports and subnets more flexibly within its authorization and quota limits; and by placing the resources of the IPC mechanism in the same namespace, the communication efficiency between containers is improved.
Description
Technical field
The present invention relates to the field of cloud computing, and in particular to a method and system for multi-tenant container resource management.
Background technology
In the field of cloud computing, container technologies such as Docker and LXC are a lightweight virtualization technology that has emerged recently and shares the Linux kernel. Multiple containers share the computing, storage and network resources of the host, and kernel mechanisms such as namespaces isolate resources at container granularity. Compared with traditional virtual machine management, container resource management is finer-grained and also harder to manage.
In a multi-tenant environment, however, both the container engine itself and the existing multi-tenant virtual resource management schemes have the following shortcomings:
Mainstream container engines such as Docker, Rocket and LXC do not themselves support multi-tenancy and lack tenant-level security controls. Existing multi-tenant resource management schemes usually treat a container as a computing resource; the OpenStack cloud computing management platform, for example, leases containers as a kind of virtual machine under its virtual machine multi-tenant model. Such a scheme shields the container engine API (Application Programming Interface) from the tenant, so the tenant cannot dynamically configure container images, storage, ports and service resources, and container resource management is inflexible.
The container engine usually allocates an independent namespace to each container on the host. Each namespace has its own resource view (processes, IPC, users and so on), and the resources of one namespace are invisible to every other namespace, so containers cannot communicate efficiently through IPC (Inter-Process Communication) mechanisms such as shared memory, semaphores and pipes. The prior-art container resource management architecture is shown in Fig. 1: it includes a virtual machine resource manager 101, a virtual machine tenant manager 102 and a container host 100. The container host 100 includes a container engine 103, which includes a container resource API service and a container resource configurator 105; the container configuration 1051, storage configuration 1052 and network configuration 1053 configure the respective container resources. Even when containers of the same tenant run on the same host, for example when container 1 and container 2 belong to the same tenant, they cannot communicate through the efficient IPC mechanism and can only use the relatively inefficient RPC (Remote Procedure Call) mechanism (remote communication, files, sockets). Communication between containers of the same tenant is therefore inefficient, and an effective management mechanism for multi-tenancy is lacking.
The content of the invention
The inventors found that the prior art has the problems described above and therefore propose a new technical scheme for at least one of them.
According to one aspect of the invention, a method for multi-tenant container resource management is disclosed, including:
a resource interface proxy module receives a resource access request sent by a tenant;
the resource interface proxy module extracts a tenant identifier and a container resource identifier from the resource access request;
the resource interface proxy module authenticates the request according to the tenant identifier and the container resource identifier, and sends the authentication result and the resource access request to a resource interface module;
the resource interface module performs the corresponding operation on the tenant's container resource according to the resource access request.
In one embodiment, the step in which the resource interface module performs the corresponding operation on the tenant's container resource includes: the resource interface module lets the resources under the tenant's main namespace communicate through the inter-process communication (IPC) mechanism, and lets the resources of different tenants communicate through the remote procedure call (RPC) mechanism.
In one embodiment, the step in which the resource interface proxy module authenticates according to the tenant identifier and the container resource identifier includes: the resource interface proxy module determines whether a binding relationship between the tenant identifier and the container resource identifier is cached; if the binding relationship is cached, the resource interface proxy module authenticates according to it.
In one embodiment, the method further includes: if the binding relationship is not cached, the resource interface proxy module sends the tenant identifier and the container resource identifier to a resource manager for authentication; the resource manager sends the authentication result to the resource interface proxy module; and the resource interface proxy module caches the authentication result.
In one embodiment, the method further includes: the resource interface proxy module receives a container creation request sent by a tenant; it extracts the tenant identifier from the container creation request and generates a container resource identifier; it binds the tenant identifier and the container resource identifier and saves the binding relationship to the resource manager; it sends the container creation request, the tenant identifier and the container resource identifier through the resource interface module to a resource scheduler; and the resource scheduler instructs a resource configurator to configure the container resources.
In one embodiment, the configuration that the resource scheduler instructs the resource configurator to perform on the container resources includes container configuration, storage configuration, network configuration and IPC configuration.
In one embodiment, the IPC configuration step includes: the resource configurator determines whether the tenant's main namespace exists; when no main namespace exists, the resource configurator creates the main namespace and mounts the IPC resources in it, then creates a sub-namespace and mounts the non-IPC resources in the sub-namespace.
In one embodiment, the method further includes: when the main namespace exists, the resource configurator mounts the IPC resources in the main namespace, creates a sub-namespace and mounts the non-IPC resources in the sub-namespace.
According to another aspect of the invention, a system for multi-tenant container resource management is provided, including:
a resource interface proxy module, for receiving a resource access request sent by a tenant; extracting a tenant identifier and a container resource identifier from the resource access request; authenticating according to the tenant identifier and the container resource identifier; and sending the authentication result and the resource access request to a resource interface module;
a resource interface module, for performing the corresponding operation on the tenant's container resource according to the resource access request.
In one embodiment, the resource interface module is specifically configured so that the resources under a tenant's main namespace communicate through the inter-process communication (IPC) mechanism, and the resources of different tenants communicate through the remote procedure call (RPC) mechanism.
In one embodiment, the resource interface proxy module is specifically configured to determine whether a binding relationship between the tenant identifier and the container resource identifier is cached and, if the binding relationship is cached, to authenticate according to it.
In one embodiment, the system further includes a resource manager. The resource interface proxy module is further configured, if the binding relationship is not cached, to send the tenant identifier and the container resource identifier to the resource manager for authentication and to cache the authentication result it receives. The resource manager authenticates according to the tenant identifier and the container resource identifier and sends the authentication result to the resource interface proxy module.
In one embodiment, the system further includes a resource scheduler and a resource configurator, wherein:
the resource interface proxy module is further configured to receive a container creation request sent by a tenant; extract the tenant identifier from the container creation request and generate a container resource identifier; bind the tenant identifier and the container resource identifier and save the binding relationship to the resource manager; and send the container creation request, the tenant identifier and the container resource identifier through the resource interface module to the resource scheduler;
the resource manager is further configured to save the binding relationship between the tenant identifier and the container resource identifier;
the resource scheduler instructs the resource configurator to configure the container resources;
the resource configurator configures the container resources according to the instructions of the resource scheduler.
In one embodiment, the resource configurator includes:
a container configuration module, for the container configuration of the container resources;
a storage configuration module, for the storage configuration of the container resources;
a network configuration module, for the network configuration of the container resources;
an IPC configuration module, for the IPC configuration of the container resources.
In one embodiment, the IPC configuration module is specifically configured to determine whether the tenant's main namespace exists; when no main namespace exists, it creates the main namespace and mounts the IPC resources in it, then creates a sub-namespace and mounts the non-IPC resources in the sub-namespace.
In one embodiment, the IPC configuration module is further configured, when the main namespace exists, to mount the IPC resources in the main namespace, create a sub-namespace and mount the non-IPC resources in the sub-namespace.
With the method and system of the invention for multi-tenant container resource management, the added resource interface proxy module authenticates tenants' operation requests and improves the security of the system; opening the resource interface module to tenants lets a tenant configure resources such as images, volumes, ports and subnets more flexibly within its authorization and quota limits; and placing the resources of the IPC mechanism in the same namespace improves the communication efficiency of containers.
Brief description of the drawings
To explain the technical schemes of the embodiments of the invention more clearly, the drawings needed for the description of the embodiments or of the prior art are briefly introduced below. The drawings described below are only some embodiments of the invention; those of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is the system architecture diagram of container resource management in the prior art.
Fig. 2 is a flow chart of one embodiment of the method of the invention for multi-tenant container resource management.
Fig. 3 is the flow chart of the authentication process of the invention.
Fig. 4 is the flow chart of container resource creation in the invention.
Fig. 5 is the flow chart of IPC resource configuration during container resource creation in the invention.
Fig. 6 is a schematic diagram of one embodiment of the system of the invention for multi-tenant container resource management.
Fig. 7 is the system architecture diagram of the multi-tenant container resource management of the invention.
Specific embodiment
The technical schemes in the embodiments of the invention are described clearly and completely below with reference to the drawings of those embodiments. The described embodiments are only some of the embodiments of the invention, not all of them. All other embodiments that those of ordinary skill in the art obtain from the embodiments of the invention without creative work fall within the scope of protection of the invention.
Fig. 2 is a flow chart of one embodiment of the method of the invention for multi-tenant container resource management, and Fig. 7 is the system architecture diagram of the multi-tenant container resource management of the invention. The steps of the method are explained with reference to Fig. 2 and Fig. 7.
Step 201: the resource interface proxy module 701 (for example a container resource API service proxy) receives a resource access request sent by a tenant.
Step 202: the resource interface proxy module 701 extracts the tenant identifier and the container resource identifier from the resource access request. A tenant's container resources include, but are not limited to, images, containers, services, volumes and subnets. Each container resource has a GUID (Globally Unique Identifier), which serves as its container resource identifier.
Step 203: the resource interface proxy module 701 authenticates according to the tenant identifier and the container resource identifier, and sends the authentication result and the resource access request to the resource interface module 702 (for example the container resource API service). In this embodiment the resource interface proxy module 701 and the resource interface module 702 are located in the container engine on the container host 700.
Step 204: the resource interface module 702 performs the corresponding operation on the tenant's container resource according to the resource access request. Unlike the prior art, the invention opens the resource interface module 702 to tenants: once a tenant has passed authentication, it can operate on its own containers through the resource interface module 702.
In one embodiment, after the tenant passes authentication, the resource interface module 702 lets the resources under the tenant's main namespace communicate using the IPC mechanism, and lets the resources of different tenants communicate using the RPC mechanism. That is, the IPC resources and the non-IPC resources of a tenant's containers are separated by different namespaces: the IPC resources of the same tenant can be shared, the non-IPC resources are isolated, and the containers of different tenants are isolated from each other. IPC resources include kernel communication mechanisms such as pipes, semaphores and shared memory; RPC resources mainly include network communication mechanisms such as sockets and message queues.
As shown in Fig. 7, tenant A has the container resources container 1 and container 2, whose IPC resource is IPC_A. The resources of container 1 and container 2 mounted under the main namespace communicate with IPC_A through the IPC mechanism, and communicate with the resources of tenant B through the RPC mechanism. Tenant B has container resource 3, with the resource IPC_B under its main namespace; when tenant A's resource IPC_A communicates with tenant B's resource IPC_B, the RPC mechanism is used.
In this way the IPC resources communicate through the IPC mechanism, which is more efficient than the RPC mechanism, and the added authentication mechanism improves the security of the system.
Fig. 3 is the flow chart of the authentication process of the invention. As shown in Fig. 3 and Fig. 7, the method steps of this embodiment are as follows:
Step 301: the resource interface proxy module 701 (for example a container resource API service proxy) receives a resource access request sent by a tenant.
Step 302: the resource interface proxy module 701 extracts the tenant identifier and the container resource identifier from the resource access request.
Step 303: the resource interface proxy module 701 determines whether a binding relationship between the tenant identifier and the container resource identifier is cached. If the binding relationship is cached, proceed to step 304; if it is not cached, proceed to step 305.
Step 304: the resource interface proxy module 701 authenticates according to the cached binding relationship, then proceeds to step 308.
Step 305: the resource interface proxy module 701 sends the tenant identifier and the container resource identifier to the resource manager 800 (for example a tenant resource manager) for authentication.
The binding relationships between tenant identifiers and container resource identifiers are stored in the resource directory of the resource manager 800. When the resource interface proxy module 701 has cached a binding relationship, it can authenticate from the cache, which shortens the authentication time and improves authentication efficiency; when the binding relationship is not cached, the authentication is performed by the resource manager 800.
Step 306: the resource manager 800 sends the authentication result to the resource interface proxy module 701.
Step 307: the resource interface proxy module 701 caches the authentication result.
Step 308: the resource interface module 702 performs the corresponding operation on the tenant's container resource according to the resource access request.
In the embodiment of Fig. 3, the resource interface proxy module 701 authenticates each tenant's resource access requests, which ensures that a tenant can only operate on its own resources and that the corresponding resource operation is performed only after authentication passes, enhancing the security of tenants' container resource handling.
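The Fig. 3 flow as a small working model, added here as an example and not code from the patent: the resource manager holds the authoritative tenant/resource bindings, the proxy consults its own cache before asking the manager, and only requests that pass reach the resource interface module. All names, the `ResourceManager.authenticate` contract and the `invalidate` method are assumptions; the patent caches the authentication result (step 307) but does not say when a cached result is refreshed, so the example adds explicit invalidation, because without it a deleted or re-assigned resource keeps its old verdict in the proxy.

```python
"""Authentication proxy with a local binding cache (the Fig. 3 flow).

Constructed example: a ResourceManager holds the authoritative
tenant-id / resource-id bindings (the patent's resource directory), the
proxy consults its own cache first and falls back to the manager on a miss,
and only requests that pass reach the ResourceInterfaceModule.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ResourceAccessRequest:
    tenant_id: str
    resource_id: str   # GUID of the container resource
    operation: str     # e.g. "start", "stop", "inspect"


class ResourceManager:
    """Authoritative owner of the binding relationships (steps 305 and 306)."""

    def __init__(self) -> None:
        self._directory: dict[str, str] = {}   # resource_id -> owning tenant_id
        self.lookups = 0                        # how often the proxy had to ask us

    def bind(self, tenant_id: str, resource_id: str) -> None:
        self._directory[resource_id] = tenant_id

    def unbind(self, resource_id: str) -> None:
        self._directory.pop(resource_id, None)

    def authenticate(self, tenant_id: str, resource_id: str) -> bool:
        self.lookups += 1
        return self._directory.get(resource_id) == tenant_id


class ResourceInterfaceModule:
    """The open container-resource API (step 308); it only sees vetted requests."""

    def operate(self, request: ResourceAccessRequest) -> str:
        # A real implementation would call the container engine here.
        return f"{request.operation}:{request.resource_id}"


class ResourceInterfaceProxy:
    """Steps 301-307: take the identifiers, check the cache, else ask the manager."""

    def __init__(self, manager: ResourceManager, interface: ResourceInterfaceModule) -> None:
        self._manager = manager
        self._interface = interface
        self._cache: dict[tuple[str, str], bool] = {}

    def handle(self, request: ResourceAccessRequest) -> str:
        key = (request.tenant_id, request.resource_id)
        if key in self._cache:                      # step 303 -> 304
            allowed = self._cache[key]
        else:                                       # step 303 -> 305, 306, 307
            allowed = self._manager.authenticate(*key)
            self._cache[key] = allowed
        if not allowed:
            # Deny before the request ever reaches the resource interface.
            raise PermissionError(f"{request.tenant_id} may not access {request.resource_id}")
        return self._interface.operate(request)     # step 308

    def invalidate(self, resource_id: str) -> None:
        """Drop cached verdicts for a resource whose binding changed (assumed addition)."""
        for key in [k for k in self._cache if k[1] == resource_id]:
            del self._cache[key]


def demo() -> tuple[str, str, bool, int]:
    """Run the flow on constructed data and return the observable results."""
    manager = ResourceManager()
    proxy = ResourceInterfaceProxy(manager, ResourceInterfaceModule())
    manager.bind("tenant-A", "c1")        # container 1 belongs to tenant A
    manager.bind("tenant-B", "c3")        # container 3 belongs to tenant B
    first = proxy.handle(ResourceAccessRequest("tenant-A", "c1", "start"))   # cache miss
    second = proxy.handle(ResourceAccessRequest("tenant-A", "c1", "stop"))   # cache hit
    try:
        proxy.handle(ResourceAccessRequest("tenant-A", "c3", "stop"))        # cross-tenant
        denied = False
    except PermissionError:
        denied = True
    return first, second, denied, manager.lookups


if __name__ == "__main__":
    print(demo())   # ('start:c1', 'stop:c1', True, 2)
```

The second request for `c1` is answered from the cache, so the manager is consulted twice in total (once for `c1`, once for the denied cross-tenant attempt); the negative verdict is cached as well, which is the page's behaviour, so a later binding of `c3` to tenant A would also need `invalidate("c3")` before the proxy notices it.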
Fig. 4 is the flow chart of container resource creation in the invention. The method steps of this embodiment are explained with reference to Fig. 4 and Fig. 7:
Step 401: the resource interface proxy module 701 receives a container creation request sent by a tenant.
Step 402: the resource interface proxy module 701 extracts the tenant identifier from the container creation request and generates a container resource identifier. The container resources a tenant can create include, but are not limited to, images, containers, services, volumes and subnets. The resource interface proxy module 701 creates a GUID (Globally Unique Identifier) for each container resource, which is the container resource identifier.
Step 403: the resource interface proxy module 701 binds the tenant identifier and the container resource identifier, and saves the binding relationship to the resource manager 800.
In one embodiment, the resource interface proxy module 701 can bind the tenant identifier and the container resource identifier in any of the following four ways:
Mode one: extend the HTTP (HyperText Transfer Protocol) header by adding an HTTP header tenantID that carries the tenant identifier.
Mode two: extend the URI (Uniform Resource Identifier) by adding a URI prefix that carries the tenant identifier.
Mode three: extend the query parameters by adding a query parameter that carries the tenant identifier.
Mode four: extend the resource identifier parameter of the existing API by adding a tenant identifier prefix to the value of the container resource identifier parameter, i.e. container resource identifier = <tenant identifier prefix>:<resource identifier>.
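How the proxy of step 202 or step 402 would read the tenant identifier back out of a request under each of the four modes, as an added example rather than the patent's code. The page names only the header `tenantID` and the `<tenant>:<resource>` form; the Docker-style path layout `/<collection>/<resource-id>/<action>`, the query parameter name `tenant`, the allowed tenant identifier characters and the rule that several carriers must agree are all assumptions of this example.

```python
"""Extracting the tenant identifier carried by each of the four binding modes.

Constructed example. Assumed conventions (the patent names only the header
"tenantID" and the "<tenant>:<resource>" form): resource paths follow the
layout /<collection>/<resource-id>/<action> with no version prefix, the query
parameter is "tenant", and tenant identifiers are limited to [A-Za-z0-9_-].
"""
import re
from dataclasses import dataclass
from urllib.parse import parse_qs, urlsplit

TENANT_HEADER = "tenantID"       # mode one (named on the page)
TENANT_QUERY = "tenant"          # mode three (assumed parameter name)
COLLECTIONS = {"containers", "images", "volumes", "networks", "services"}
TENANT_ID = re.compile(r"[A-Za-z0-9_-]{1,64}")


@dataclass(frozen=True)
class Identifiers:
    tenant_id: str
    resource_id: str


def _resource_id(segments: list[str]) -> str:
    """The segment after the collection name, e.g. /containers/<id>/start."""
    for i, seg in enumerate(segments):
        if seg in COLLECTIONS and i + 1 < len(segments):
            return segments[i + 1]
    raise ValueError("request does not address a container resource")


def extract_identifiers(headers: dict[str, str], url: str) -> Identifiers:
    """Return the tenant and resource identifiers, whichever mode carries them."""
    parts = urlsplit(url)
    segments = [s for s in parts.path.split("/") if s]
    resource_id = _resource_id(segments)
    carried: dict[str, str] = {}

    # Mode one: HTTP header "tenantID" (header names are case-insensitive).
    for name, value in headers.items():
        if name.lower() == TENANT_HEADER.lower():
            carried["header"] = value
    # Mode two: URI prefix, i.e. a leading segment before the collection name.
    if segments[0] not in COLLECTIONS:
        carried["uri"] = segments[0]
    # Mode three: query parameter.
    values = parse_qs(parts.query).get(TENANT_QUERY)
    if values:
        carried["query"] = values[0]
    # Mode four: "<tenant>:<resource>" in the resource identifier parameter.
    if ":" in resource_id:
        carried["resource"], resource_id = resource_id.split(":", 1)

    if not carried:
        raise ValueError("no tenant identifier in request")
    # Defensive check (assumed): when several carriers are present they must
    # agree, so one tenant identifier cannot be checked while another is acted on.
    if len(set(carried.values())) != 1:
        raise ValueError(f"conflicting tenant identifiers: {carried}")
    tenant_id = next(iter(carried.values()))
    if not TENANT_ID.fullmatch(tenant_id):
        raise ValueError("malformed tenant identifier")
    return Identifiers(tenant_id, resource_id)


if __name__ == "__main__":
    print(extract_identifiers({"tenantID": "tenantA"}, "/containers/c1/start"))
    print(extract_identifiers({}, "/tenantA/containers/c1/start"))
    print(extract_identifiers({}, "/containers/c1/start?tenant=tenantA"))
    print(extract_identifiers({}, "/containers/tenantA:c1/start"))
```

All four calls return `Identifiers("tenantA", "c1")`. A deployment would normally fix one mode rather than accept all four, but a proxy that tolerates more than one should at least refuse requests in which the carriers disagree, which is what the conflict check does.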
Step 404: the resource interface proxy module 701 sends the container creation request, the tenant identifier and the container resource identifier through the resource interface module 702 to the resource scheduler 703.
Step 405: the resource scheduler 703 instructs the resource configurator 704 to configure the container resources. In one embodiment, the container configuration module 7041, storage configuration module 7042, network configuration module 7043 and IPC configuration module 7044 in the resource configurator 704 perform the container configuration, storage configuration, network configuration and IPC configuration respectively.
In the embodiment of Fig. 4, the tenant identifier and the container resource identifier are bound through one of the four extensions above, which makes authentication straightforward when the tenant later invokes the container resource and enhances the security of tenants' container resource handling.
Fig. 5 is the flow chart of IPC resource configuration during container resource creation in the invention. The method steps of this embodiment are explained with reference to Fig. 5 and Fig. 7:
Step 501: the IPC configuration module 7044 in the resource configurator 704 determines whether the main namespace of the tenant that submitted the container creation request exists. If it does not exist, proceed to step 502; if it exists, proceed to step 503.
Step 502: when the tenant's main namespace does not exist, the IPC configuration module 7044 creates a main namespace for the tenant and mounts the IPC resources in it, so that the IPC resources can communicate efficiently through the IPC mechanism. For tenant A shown in Fig. 7, for example, the resource IPC_A of container 1 and container 2 is mounted in the main namespace of tenant A. A sub-namespace is then created and the non-IPC resources are mounted in it; for example, resources such as process 1 and file 1 of container 1 and process 2 and file 2 of container 2 of tenant A in Fig. 7 are mounted in the corresponding sub-namespaces.
Step 503: when the tenant's main namespace exists, the IPC configuration module 7044 mounts the IPC resources in that main namespace, creates a sub-namespace and mounts the non-IPC resources in the sub-namespace.
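The placement rule of steps 501 to 503 as a runnable model, added as an example and not taken from the patent. Namespaces are plain records here and "mounting" a resource just records which namespace holds it; the names `main:<tenant>` and `sub:<container>`, the `IpcConfigurationModule` class and the `can_use_ipc` helper are assumptions of this example. Fed the Fig. 7 layout (tenant A with containers 1 and 2, tenant B with container 3) it shows that both of tenant A's containers end up in one main namespace while each keeps its own sub-namespace, and that tenant B's container shares nothing with them.

```python
"""Main/sub namespace placement performed by the IPC configuration module (Fig. 5).

Constructed model: namespaces are plain records, and "mounting" a resource means
recording which namespace holds it. The rule shown is the one the page states:
a tenant's IPC resources share one per-tenant main namespace, everything else
lives in a per-container sub-namespace.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Namespace:
    name: str
    resources: set = field(default_factory=set)


@dataclass(frozen=True)
class Placement:
    container_id: str
    main_ns: str      # shared with every other container of the same tenant
    sub_ns: str       # private to this container


class IpcConfigurationModule:
    def __init__(self) -> None:
        self._main: dict[str, Namespace] = {}      # tenant_id -> main namespace
        self._sub: dict[str, Namespace] = {}       # container_id -> sub-namespace
        self.created_main = 0                      # number of step-502 creations

    def configure(self, tenant_id: str, container_id: str,
                  ipc_resources: set, non_ipc_resources: set) -> Placement:
        # Step 501: does the tenant's main namespace already exist?
        main = self._main.get(tenant_id)
        if main is None:
            # Step 502: first container of this tenant, create the main namespace.
            main = self._main[tenant_id] = Namespace(f"main:{tenant_id}")
            self.created_main += 1
        # Steps 502/503: IPC resources go into the (new or existing) main namespace ...
        main.resources.update(ipc_resources)
        # ... and the non-IPC resources into a fresh sub-namespace for this container.
        sub = self._sub[container_id] = Namespace(f"sub:{container_id}")
        sub.resources.update(non_ipc_resources)
        return Placement(container_id, main.name, sub.name)

    def namespace_of(self, resource: str) -> Optional[str]:
        """Which namespace a resource was mounted in (None if never mounted)."""
        for ns in list(self._main.values()) + list(self._sub.values()):
            if resource in ns.resources:
                return ns.name
        return None


def can_use_ipc(a: Placement, b: Placement) -> bool:
    """Two containers may talk over IPC only if they share a main namespace; otherwise RPC."""
    return a.main_ns == b.main_ns


def demo():
    """The Fig. 7 layout: tenant A owns containers 1 and 2, tenant B owns container 3."""
    module = IpcConfigurationModule()
    c1 = module.configure("tenantA", "container1", {"IPC_A"}, {"process1", "file1"})
    c2 = module.configure("tenantA", "container2", {"IPC_A"}, {"process2", "file2"})
    c3 = module.configure("tenantB", "container3", {"IPC_B"}, {"process3", "file3"})
    return module, c1, c2, c3


if __name__ == "__main__":
    module, c1, c2, c3 = demo()
    print(c1, c2, c3, sep="\n")
    print("A1<->A2 IPC:", can_use_ipc(c1, c2), " A1<->B3 IPC:", can_use_ipc(c1, c3))
```

The same sharing pattern exists in Docker's own namespace options: the first container of a tenant can be started with `--ipc=shareable` and the others with `--ipc=container:<first>`, which joins them to its IPC namespace while their PID, mount and other namespaces stay separate; the module above decides that placement from the tenant identifier rather than from a per-container flag.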
Those skilled in the art will appreciate from the invention that, where necessary, network port mappings can be bound to containers so that containers can communicate across hosts.
With the method of the invention for multi-tenant container resource management, opening the resource interface module to tenants improves the flexibility of tenants' resource operations: after passing authentication, a tenant can configure container resources such as images, volumes, ports and subnets itself within its authorized scope, which ensures the security of tenant operations. Mounting the IPC resources in the main namespace lets a tenant's containers communicate through the efficient IPC mechanism, and the system of the invention can use a clustered architecture and scale smoothly.
Fig. 6 is a schematic diagram of one embodiment of the system of the invention for multi-tenant container resource management. As shown in Fig. 6, the system of the invention includes:
a resource interface proxy module 601, for receiving a resource access request sent by a tenant; extracting the tenant identifier and the container resource identifier from the resource access request; authenticating according to the tenant identifier and the container resource identifier; and sending the authentication result and the resource access request to the resource interface module 602;
a resource interface module 602, for performing the corresponding operation on the tenant's container resource according to the resource access request, for example letting the resources under the tenant's main namespace communicate using the IPC mechanism and letting the resources of different tenants communicate using the RPC mechanism.
The division into a main namespace and sub-namespaces lets a tenant's IPC resources communicate using the IPC mechanism, which improves efficiency.
Fig. 7 is system architecture diagram of the invention.As described in Figure 7, including resource interface acts on behalf of mould
Block 701, resource interface module 702, with the resource interface proxy module 601 shown in Fig. 6,
Resource interface module 602 is same or like, also including explorer 800, wherein,
Resource interface proxy module 701 is specifically for judging whether to be cached with the tenant identification
With the binding relationship of container resource identification;If being cached with the binding relationship, tied up according to
Determine relation to be authenticated.If not caching binding relationship, by tenant identification and container resource mark
Knowledge is sent to explorer 800 and is authenticated;The authenticating result of reception is cached.
Explorer 800 is used to be authenticated according to tenant identification and container resource identification;Will
Authenticating result is sent to resource interface proxy module 702.
In one embodiment, system of the invention also includes that Resource Scheduler 703 and resource are matched somebody with somebody
Device 704 is put, wherein:
Resource interface proxy module 701 is additionally operable to receive the container request to create that tenant sends;From
Tenant identification is extracted in container request to create and container resource identification is generated;By tenant identification and appearance
Device resource identification is bound, and binding relationship is preserved to explorer 800;By container
Request to create, tenant identification and container resource identification are sent to scheduling of resource through resource interface module
Device 703.
Explorer 800 is additionally operable to preserve tenant identification and the binding of container resource identification is closed
System.
The resource scheduler 703 is configured to instruct the resource configurator 704 to configure the container resource.
The resource configurator 704 is configured to configure the container resource according to the instruction of the resource scheduler 703. The resource configurator 704 includes a container configuration module 7041, a storage configuration module 7042, a network configuration module 7043 and an IPC configuration module 7044, which perform container configuration, storage configuration, network configuration and IPC configuration respectively.
The IPC configuration module 7044 is specifically configured to determine whether a main namespace of the tenant exists; when the main namespace does not exist, to create the main namespace and mount the IPC resources in the main namespace, and to create a sub-namespace and mount the non-IPC resources in the sub-namespace.
The IPC configuration module 7044 is further configured, when the main namespace exists, to mount the IPC resources in the main namespace, and to create a sub-namespace and mount the non-IPC resources in the sub-namespace.
The system for multi-tenant container resource management of the invention opens the resource interface module to tenants, which improves the flexibility of tenant resource operations: once authentication passes, a tenant can configure container resources such as images, volumes, ports and subnets by itself, and the security of tenant operations is guaranteed because they stay within the scope of the tenant's authority. By mounting IPC resources in the main namespace, containers of the same tenant can communicate through the efficient IPC mechanism, and the system can adopt a clustered structure and scale smoothly.
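The per-tenant namespace placement performed by the IPC configuration module (and claimed in claims 7, 8, 15 and 16), as an added example that is not code from the patent. It models the decision the module makes: the first container of a tenant creates the tenant's main namespace and holds its IPC resources, every later container of that tenant mounts its IPC resources into that same main namespace, and non-IPC resources always go into a per-container sub-namespace. The mapping to Docker run flags (`--ipc=shareable` for the holder, `--ipc=container:<id>` for joiners, default private namespaces for everything else) and the list of non-IPC namespace types are assumptions: the patent does not name a container runtime.

```python
"""Per-tenant IPC namespace placement (added example, not from the patent).

The patent's "main namespace" is modelled as the IPC namespace of the first
container created for a tenant; later containers of the same tenant join it,
while mnt/net/pid/uts namespaces stay private to each container.  The Docker
flag translation is an assumption about the runtime.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

NON_IPC_NAMESPACES = ("mnt", "net", "pid", "uts")   # assumption: kept per container


@dataclass
class ContainerPlacement:
    tenant_id: str
    container_id: str
    ipc_holder: str                  # container whose IPC namespace is the tenant's main namespace
    sub_namespaces: Dict[str, str]   # namespace type -> private (sub-)namespace name


@dataclass
class TenantState:
    main_ipc_holder: Optional[str] = None
    members: List[str] = field(default_factory=list)


class IpcConfigurator:
    """Models the IPC configuration module 7044 of the patent."""

    def __init__(self) -> None:
        self._tenants: Dict[str, TenantState] = {}
        self._placements: Dict[str, ContainerPlacement] = {}

    def configure(self, tenant_id: str, container_id: str) -> ContainerPlacement:
        state = self._tenants.setdefault(tenant_id, TenantState())
        if state.main_ipc_holder is None:         # no main namespace yet: create it
            state.main_ipc_holder = container_id
        state.members.append(container_id)
        placement = ContainerPlacement(
            tenant_id=tenant_id,
            container_id=container_id,
            ipc_holder=state.main_ipc_holder,      # IPC resources mounted in main namespace
            sub_namespaces={ns: f"{container_id}/{ns}" for ns in NON_IPC_NAMESPACES},
        )
        self._placements[container_id] = placement
        return placement

    def docker_run_args(self, container_id: str) -> List[str]:
        """Translate a placement into `docker run` arguments (assumed runtime)."""
        p = self._placements[container_id]
        ipc = "shareable" if p.ipc_holder == container_id else f"container:{p.ipc_holder}"
        # mnt/net/pid/uts are left at Docker's default, i.e. private per container
        return ["docker", "run", "-d", "--name", container_id,
                f"--ipc={ipc}", "--label", f"tenant={p.tenant_id}"]

    def can_use_ipc(self, a: str, b: str) -> bool:
        """True iff both containers sit in the same main (IPC) namespace."""
        pa, pb = self._placements[a], self._placements[b]
        return pa.ipc_holder == pb.ipc_holder

    def members_of(self, tenant_id: str) -> List[str]:
        return list(self._tenants.get(tenant_id, TenantState()).members)
```

Containers of one tenant get `can_use_ipc(...) == True` and can use System V or POSIX shared memory, semaphores and message queues between them; a container of another tenant is in a different IPC namespace and, as claims 2 and 10 require, must be reached over RPC instead. One operational caveat of the Docker mapping: a container started with `--ipc=container:<id>` needs the holder container to be running at start time, so the tenant's main-namespace holder should be treated as long-lived infrastructure rather than an ordinary workload.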
Those of ordinary skill in the art will understand that all or part of the steps of the above embodiments may be completed by hardware, or by a program instructing the relevant hardware; the program may be stored in a computer-readable storage medium, and the storage medium mentioned above may be a read-only memory, a magnetic disk, an optical disc or the like.
The description of the invention is given for the sake of example and description and is neither exhaustive nor limits the invention to the disclosed form. Many modifications and variations are obvious to those of ordinary skill in the art. The embodiments were selected and described to better explain the principles of the invention and its practical application, and to enable those of ordinary skill in the art to understand the invention and thereby design various embodiments with various modifications suited to particular uses.
Claims (16)
1. A method for multi-tenant container resource management, characterized by including:
a resource interface proxy module receiving a resource access request sent by a tenant;
the resource interface proxy module extracting a tenant identifier and a container resource identifier from the resource access request;
the resource interface proxy module performing authentication according to the tenant identifier and the container resource identifier, and sending the authentication result and the resource access request to a resource interface module;
the resource interface module performing the corresponding operation on the container resource of the tenant according to the resource access request.
2. The method according to claim 1, characterized in that the step of the resource interface module performing the corresponding operation on the container resource of the tenant according to the resource access request includes:
the resource interface module communicating with resources under the main namespace of the tenant using an inter-process communication (IPC) mechanism, and communicating with resources of different tenants using a remote procedure call (RPC) mechanism.
3. The method according to claim 1, characterized in that the step of the resource interface proxy module performing authentication according to the tenant identifier and the container resource identifier includes:
the resource interface proxy module determining whether a binding relationship between the tenant identifier and the container resource identifier is cached;
if the binding relationship is cached, the resource interface proxy module performing authentication according to the binding relationship.
4. The method according to claim 3, characterized by further including:
if the binding relationship is not cached, the resource interface proxy module sending the tenant identifier and the container resource identifier to a resource manager for authentication;
the resource manager sending the authentication result to the resource interface proxy module;
the resource interface proxy module caching the authentication result.
5. The method according to claim 1, characterized by further including:
the resource interface proxy module receiving a container creation request sent by a tenant;
the resource interface proxy module extracting a tenant identifier from the container creation request and generating a container resource identifier;
the resource interface proxy module binding the tenant identifier to the container resource identifier and saving the binding relationship to the resource manager;
the resource interface proxy module sending the container creation request, the tenant identifier and the container resource identifier to a resource scheduler through the resource interface module;
the resource scheduler instructing a resource configurator to configure the container resource.
6. The method according to claim 5, characterized in that the configuration of the container resource that the resource scheduler instructs the resource configurator to perform includes container configuration, storage configuration, network configuration and IPC configuration.
7. The method according to claim 6, characterized in that the IPC configuration step includes:
the resource configurator determining whether a main namespace of the tenant exists;
when the main namespace does not exist, the resource configurator creating the main namespace and mounting IPC resources in the main namespace, and creating a sub-namespace and mounting non-IPC resources in the sub-namespace.
8. The method according to claim 6, characterized by further including:
when the main namespace exists, the resource configurator mounting the IPC resources in the main namespace, and creating a sub-namespace and mounting the non-IPC resources in the sub-namespace.
9. A system for multi-tenant container resource management, characterized by including:
a resource interface proxy module, configured to receive a resource access request sent by a tenant; to extract a tenant identifier and a container resource identifier from the resource access request; to perform authentication according to the tenant identifier and the container resource identifier; and to send the authentication result and the resource access request to a resource interface module;
the resource interface module, configured to perform the corresponding operation on the container resource of the tenant according to the resource access request.
10. The system according to claim 9, characterized in that the resource interface module is specifically configured to communicate with resources under the main namespace of the tenant using an inter-process communication (IPC) mechanism, and to communicate with resources of different tenants using a remote procedure call (RPC) mechanism.
11. The system according to claim 9, characterized in that the resource interface proxy module is specifically configured to determine whether a binding relationship between the tenant identifier and the container resource identifier is cached, and, if the binding relationship is cached, to perform authentication according to the binding relationship.
12. The system according to claim 10, characterized by further including a resource manager, wherein:
the resource interface proxy module is further configured, if the binding relationship is not cached, to send the tenant identifier and the container resource identifier to the resource manager for authentication, and to cache the received authentication result;
the resource manager is configured to perform authentication according to the tenant identifier and the container resource identifier, and to send the authentication result to the resource interface proxy module.
13. The system according to claim 9, characterized by further including a resource scheduler and a resource configurator, wherein:
the resource interface proxy module is further configured to receive a container creation request sent by a tenant; to extract a tenant identifier from the container creation request and generate a container resource identifier; to bind the tenant identifier to the container resource identifier and save the binding relationship to the resource manager; and to send the container creation request, the tenant identifier and the container resource identifier to the resource scheduler through the resource interface module;
the resource manager is further configured to save the binding relationship between the tenant identifier and the container resource identifier;
the resource scheduler is configured to instruct the resource configurator to configure the container resource;
the resource configurator is configured to configure the container resource according to the instruction of the resource scheduler.
14. The system according to claim 13, characterized in that the resource configurator includes:
a container configuration module, for the container configuration of the container resource;
a storage configuration module, for the storage configuration of the container resource;
a network configuration module, for the network configuration of the container resource;
an IPC configuration module, for the IPC configuration of the container resource.
15. The system according to claim 14, characterized in that the IPC configuration module is specifically configured to determine whether a main namespace of the tenant exists; when the main namespace does not exist, to create the main namespace and mount IPC resources in the main namespace, and to create a sub-namespace and mount non-IPC resources in the sub-namespace.
16. The system according to claim 14, characterized in that the IPC configuration module is further configured, when the main namespace exists, to mount the IPC resources in the main namespace, and to create a sub-namespace and mount the non-IPC resources in the sub-namespace.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201511026623.7A CN106933648B (en) | 2015-12-31 | 2015-12-31 | Method and system for multi-tenant container resource management |
Publications (2)
Publication Number | Publication Date |
---|---|
CN106933648A true CN106933648A (en) | 2017-07-07 |
CN106933648B CN106933648B (en) | 2020-11-03 |
Family
ID=59441229
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201511026623.7A Active CN106933648B (en) | 2015-12-31 | 2015-12-31 | Method and system for multi-tenant container resource management |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN106933648B (en) |
Patent Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN102456028A (en) * | 2010-10-27 | 2012-05-16 | 金蝶软件(中国)有限公司 | Multi-tenant-oriented data acquisition method, device and system |
CN104050201A (en) * | 2013-03-15 | 2014-09-17 | 伊姆西公司 | Method and equipment for managing data in multi-tenant distributive environment |
CN103532981A (en) * | 2013-10-31 | 2014-01-22 | 中国科学院信息工程研究所 | Identity escrow and authentication cloud resource access control system and method for multiple tenants |
Non-Patent Citations (1)
Title |
---|
Gao Lei et al., "A multi-tenant oriented portal resource management framework" (高蕾等: "面向多租户的门户资源管理框架"), Computer Engineering and Design (《计算机工程与设计》) * |
Cited By (23)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN109600337B (en) * | 2017-09-30 | 2020-12-15 | 腾讯科技(深圳)有限公司 | Resource processing method, device, system and computer readable medium |
WO2019062536A1 (en) * | 2017-09-30 | 2019-04-04 | 腾讯科技(深圳)有限公司 | Resource processing method, device and system and computer-readable medium |
CN109600337A (en) * | 2017-09-30 | 2019-04-09 | 腾讯科技(深圳)有限公司 | Method for processing resource, device, system and computer-readable medium |
US11190503B2 (en) | 2017-09-30 | 2021-11-30 | Tencent Technology (Shenzhen) Company Limited | Resource processing method, apparatus, and system, and computer-readable medium |
CN110019475A (en) * | 2017-12-21 | 2019-07-16 | 杭州华为数字技术有限公司 | Data persistence processing method, apparatus and system |
CN108089925A (en) * | 2017-12-29 | 2018-05-29 | 北京元心科技有限公司 | Management and control process occupies the method and device of resource |
CN108345505A (en) * | 2018-02-02 | 2018-07-31 | 珠海金山网络游戏科技有限公司 | A kind of multithreading method for managing resource and system |
CN108345505B (en) * | 2018-02-02 | 2022-08-30 | 珠海金山网络游戏科技有限公司 | Multithreading resource management method and system |
CN110769075A (en) * | 2018-07-25 | 2020-02-07 | 中国电信股份有限公司 | Container communication method, system, controller and computer readable storage medium |
US11647100B2 (en) | 2018-09-30 | 2023-05-09 | China Mobile Communication Co., Ltd Research Inst | Resource query method and apparatus, device, and storage medium |
CN109542590B (en) * | 2018-11-28 | 2022-12-20 | 上海酷栈科技有限公司 | Method for virtual Socket communication under multiple tenants of Docker cluster |
CN109542590A (en) * | 2018-11-28 | 2019-03-29 | 上海酷栈科技有限公司 | The method of virtual Socket communication under Docker cluster multi-tenant |
WO2020211652A1 (en) * | 2019-04-18 | 2020-10-22 | 华为技术有限公司 | Tenant resource management method and device in multi-tenant scenario |
CN112019475A (en) * | 2019-05-28 | 2020-12-01 | 阿里巴巴集团控股有限公司 | Resource access method, device, system and storage medium under server-free architecture |
CN112019475B (en) * | 2019-05-28 | 2021-12-21 | 阿里巴巴集团控股有限公司 | Resource access method, device, system and storage medium under server-free architecture |
WO2020238751A1 (en) * | 2019-05-28 | 2020-12-03 | 阿里巴巴集团控股有限公司 | Resource access method under serverless architecture, device, system, and storage medium |
CN110392053A (en) * | 2019-07-22 | 2019-10-29 | 中国工商银行股份有限公司 | Container access control method, device, client and server |
CN111190738A (en) * | 2019-12-31 | 2020-05-22 | 北京仁科互动网络技术有限公司 | User mirroring method, device and system under multi-tenant system |
CN111190738B (en) * | 2019-12-31 | 2023-09-08 | 北京仁科互动网络技术有限公司 | User mirroring method, device and system under multi-tenant system |
CN112416593A (en) * | 2020-11-30 | 2021-02-26 | 北京百度网讯科技有限公司 | Resource management method and device, electronic equipment and computer readable medium |
CN112416593B (en) * | 2020-11-30 | 2024-01-12 | 北京百度网讯科技有限公司 | Resource management method and device, electronic equipment and computer readable medium |
WO2023125480A1 (en) * | 2021-12-27 | 2023-07-06 | 华为技术有限公司 | Access object authentication method, apparatus and system |
CN114462069A (en) * | 2022-04-12 | 2022-05-10 | 北京天维信通科技有限公司 | Multi-level tenant resource access management method, system, intelligent terminal and storage medium |
Also Published As
Publication number | Publication date |
---|---|
CN106933648B (en) | 2020-11-03 |
Similar Documents
Publication | Title |
---|---|
CN106933648A | Method and system for multi-tenant container resource management (this document) |
CN105897688B | Method and apparatus for enabling an application deployed in the cloud to access internal resources |
JP2020129800A | Virtual network interface object |
EP2849064B1 | Method and apparatus for network virtualization |
CN108062248B | Resource management method, system, device and storage medium for a heterogeneous virtualization platform |
CN104718723B | Framework for networking and security services in virtual networks |
CN110531987A | Management method and apparatus based on a Kubernetes cluster, and computer-readable storage medium |
CN105684357B | Management of addresses in virtual machines |
CN103368768B | Method, apparatus and device for automatically scaling network coverage in a hybrid cloud environment |
CN103688505B | Network filtering in a virtualized environment |
CN104767649B | Method and apparatus for deploying a bare metal server |
EP2827245B1 | Enabling multi-tenant virtual servers in a cloud system |
WO2017113201A1 | Network service lifecycle management method and device |
JP2017520823A | Migrating applications between enterprise-based and multi-tenant networks |
CN105589731B | Virtual machine migration method and apparatus |
CN103685608A | Method and apparatus for automatically configuring the IP address of a security virtual machine |
CN105554176B | Method, apparatus and communication system for sending messages |
CN108989071B | Virtual service providing method, gateway device and storage medium |
US10652283B1 | Deriving system architecture from security group relationships |
CN107979627A | Method and apparatus for processing network requests |
US11316947B2 | Multi-level cache-mesh-system for multi-tenant serverless environments |
US20230138867A1 | Methods for application deployment across multiple computing domains and devices thereof |
CN107688441A | Method and apparatus for implementing storage virtualization |
WO2019005408A1 | Protecting restricted information when importing and exporting resources |
Łaskawiec et al. | New solutions for exposing clustered applications deployed in the cloud |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| GR01 | Patent grant | |