CN107770095B - Method and equipment for controlling virtual machine metadata access - Google Patents


Info

Publication number
CN107770095B
Authority
CN
China
Prior art keywords
virtual machine
metadata
tunnel
identification information
created
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201610703900.1A
Other languages
Chinese (zh)
Other versions
CN107770095A (en
Inventor
马斌达
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Alibaba Group Holding Ltd
Original Assignee
Alibaba Group Holding Ltd
Application filed by Alibaba Group Holding Ltd filed Critical Alibaba Group Holding Ltd
Priority to CN201610703900.1A priority Critical patent/CN107770095B/en
Publication of CN107770095A publication Critical patent/CN107770095A/en
Application granted granted Critical
Publication of CN107770095B publication Critical patent/CN107770095B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L47/00 Traffic control in data switching networks
    • H04L47/70 Admission control; Resource allocation
    • H04L47/82 Miscellaneous aspects
    • H04L47/825 Involving tunnels, e.g. MPLS
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00 Arrangements for program control, e.g. control units
    • G06F9/06 Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/44 Arrangements for executing specific programs
    • G06F9/455 Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
    • G06F9/45533 Hypervisors; Virtual machine monitors
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources

Landscapes

  • Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Computer Security & Cryptography (AREA)
  • Information Retrieval, Db Structures And Fs Structures Therefor (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The application aims to provide a method and equipment for controlling metadata access of a virtual machine. Compared with the prior art, the virtual machine physical equipment performs tunnel encapsulation processing on the metadata access request according to the tunnel identification information corresponding to the target virtual machine to obtain the corresponding first data message, and the metadata service equipment performs tunnel decapsulation processing on the first data message after acquiring the first data message sent by the corresponding virtual machine physical equipment to obtain the metadata access request of the target virtual machine and the tunnel identification information corresponding to the target virtual machine, and acquires the metadata information of the target virtual machine according to the tunnel identification information corresponding to the target virtual machine; the method and the device have the advantages that the metadata access request and the request response result are encapsulated or decapsulated by using a network tunnel technology, so that identity recognition is realized, and a user can safely and quickly access the required metadata information.

Description

Method and equipment for controlling virtual machine metadata access
Technical Field
The present application relates to the field of computers, and more particularly, to a technique for controlling access to virtual machine metadata.
Background
A virtual machine (VM) is a complete computer system with full hardware functionality that is emulated by software and runs in a completely isolated environment. Virtual machine metadata consists of key-value pairs describing attributes of the virtual machine itself, such as its IP address, MAC address, disk size, number of CPUs, and image name.
In the virtual machines currently provided by cloud services, each virtual machine has a number of attributes stored in the cloud service, and a user cannot obtain these attributes directly from the virtual machine. In practice, however, users want to know these attributes, such as the ID and image name of their machine, in order to start the corresponding services automatically. An HTTP request (a request message from a client to a server) is a simple and transparent request method, and is currently the most common scheme for acquiring data.
However, a conventional HTTP interface service needs to consider many security policies to secure user data, and generally adopts the following method: a pair of asymmetric-encryption key certificates is held by the user side (the virtual machine) and the server side; the user side uses the private key to encrypt and sign the parameters of the HTTP request and sends the HTTP request; and the server side uses the corresponding public key to decrypt the signature.
However, the security policy implemented by the certificate encryption signature method mainly has the following problems:
1) It is inconvenient to use: the user must download and install the certificate, and every request must be signed by a program script before it is sent. Downloading certificates requires additional security mechanisms to ensure that certificates are not compromised or misappropriated.
2) Most file-based certificates can be copied, which leaves user data insecure.
Disclosure of Invention
An object of the present application is to provide a method and apparatus for controlling access to metadata of a virtual machine, so as to solve the problem of how a user can access the required metadata safely and quickly.
According to one aspect of the application, a method for controlling metadata access of a virtual machine is provided, and the method is used for a physical device side of the virtual machine, wherein the method comprises the following steps:
acquiring a metadata access request;
performing tunnel encapsulation processing on the access request according to tunnel identification information corresponding to the target virtual machine to obtain a corresponding first data message;
sending the first data message to corresponding metadata service equipment;
receiving a second data message returned by the metadata service equipment based on the first data message;
and performing tunnel decapsulation processing on the second data message according to the tunnel identification information corresponding to the target virtual machine to obtain metadata information of the target virtual machine.
According to another aspect of the present application, a method for controlling virtual machine metadata access is provided, where the method is used for a metadata service device side, and includes:
acquiring a first data message sent by corresponding virtual machine physical equipment;
performing tunnel decapsulation processing on the first data packet to obtain a metadata access request of a target virtual machine and tunnel identification information corresponding to the target virtual machine;
acquiring metadata information of the target virtual machine according to the tunnel identification information corresponding to the target virtual machine;
performing tunnel encapsulation processing on the metadata information of the target virtual machine according to the tunnel identification information corresponding to the target virtual machine to obtain a corresponding second data message;
and sending the second data message to the virtual machine physical equipment.
According to another aspect of the present application, a method for controlling metadata access of a virtual machine is provided, where the method is used for a virtual machine management device side, and includes:
distributing corresponding tunnel identification information for the virtual machine to be created;
sending a virtual machine creating instruction about the virtual machine to be created to corresponding virtual machine physical equipment, wherein the virtual machine creating instruction comprises tunnel identification information corresponding to the virtual machine to be created;
and sending the metadata information of the virtual machine to be created and the tunnel identification information corresponding to the virtual machine to be created to corresponding metadata service equipment.
According to yet another aspect of the present application, there is provided a virtual machine physical device for controlling virtual machine metadata access, wherein the device includes:
metadata access request acquisition means for acquiring a metadata access request;
a first data packet obtaining device, configured to perform tunnel encapsulation processing on the access request according to tunnel identification information corresponding to the target virtual machine to obtain a corresponding first data packet;
the first data message sending device is used for sending the first data message to corresponding metadata service equipment;
the second data message receiving device is used for receiving a second data message returned by the metadata service equipment based on the first data message;
and the second data message decapsulating device is used for performing tunnel decapsulation processing on the second data message according to the tunnel identification information corresponding to the target virtual machine to obtain metadata information of the target virtual machine.
According to still another aspect of the present application, there is provided a metadata service apparatus for controlling access to metadata of a virtual machine, wherein the apparatus includes:
the first data message acquisition device is used for acquiring a first data message sent by the corresponding virtual machine physical equipment;
the first data message decapsulation device is used for performing tunnel decapsulation processing on the first data message to obtain a metadata access request of a target virtual machine and tunnel identification information corresponding to the target virtual machine;
the metadata information acquisition device is used for acquiring the metadata information of the target virtual machine according to the tunnel identification information corresponding to the target virtual machine;
a second data packet obtaining device, configured to perform tunnel encapsulation processing on the metadata information of the target virtual machine according to the tunnel identification information corresponding to the target virtual machine to obtain a corresponding second data packet;
and the second data message sending device is used for sending the second data message to the virtual machine physical equipment.
According to still another aspect of the present application, there is provided a virtual machine management apparatus for controlling access to virtual machine metadata, wherein the apparatus includes:
the tunnel identification information distribution device is used for distributing corresponding tunnel identification information for the virtual machine to be created;
a virtual machine creation instruction sending device, configured to send a virtual machine creation instruction about the virtual machine to be created to a corresponding virtual machine physical device, where the virtual machine creation instruction includes tunnel identification information corresponding to the virtual machine to be created;
and the metadata information sending device is used for sending the metadata information of the virtual machine to be created and the tunnel identification information corresponding to the virtual machine to be created to corresponding metadata service equipment.
According to yet another aspect of the present application, there is also provided a virtual machine physical device for controlling virtual machine metadata access, wherein the device includes:
a processor; and
a memory arranged to store computer executable instructions that, when executed, cause the processor to:
acquiring a metadata access request;
performing tunnel encapsulation processing on the access request according to tunnel identification information corresponding to the target virtual machine to obtain a corresponding first data message;
sending the first data message to corresponding metadata service equipment;
receiving a second data message returned by the metadata service equipment based on the first data message;
and performing tunnel decapsulation processing on the second data message according to the tunnel identification information corresponding to the target virtual machine to obtain metadata information of the target virtual machine.
According to still another aspect of the present application, there is also provided a metadata service apparatus for controlling virtual machine metadata access, wherein the apparatus includes:
a processor; and
a memory arranged to store computer executable instructions that, when executed, cause the processor to:
acquiring a first data message sent by corresponding virtual machine physical equipment;
performing tunnel decapsulation processing on the first data packet to obtain a metadata access request of a target virtual machine and tunnel identification information corresponding to the target virtual machine;
acquiring metadata information of the target virtual machine according to the tunnel identification information corresponding to the target virtual machine;
performing tunnel encapsulation processing on the metadata information of the target virtual machine according to the tunnel identification information corresponding to the target virtual machine to obtain a corresponding second data message;
and sending the second data message to the virtual machine physical equipment.
According to still another aspect of the present application, there is also provided a virtual machine management apparatus for controlling virtual machine metadata access, wherein the apparatus includes:
a processor; and
a memory arranged to store computer executable instructions that, when executed, cause the processor to:
distributing corresponding tunnel identification information for the virtual machine to be created;
sending a virtual machine creating instruction about the virtual machine to be created to corresponding virtual machine physical equipment, wherein the virtual machine creating instruction comprises tunnel identification information corresponding to the virtual machine to be created;
and sending the metadata information of the virtual machine to be created and the tunnel identification information corresponding to the virtual machine to be created to corresponding metadata service equipment.
Compared with the prior art, after acquiring a metadata access request, the virtual machine physical device performs tunnel encapsulation processing on the metadata access request according to tunnel identification information corresponding to a target virtual machine to obtain a corresponding first data message, and then sends the first data message to a corresponding metadata service device; the virtual machine is uniquely identified by the tunnel identification information, and the metadata access request and the request response result are encapsulated or decapsulated by using a network tunnel technology, so that identity recognition is realized, and a user can safely and quickly access the required metadata information. Further, if the frequency of the metadata access request exceeds a predetermined threshold, the virtual machine physical device limits the metadata access request, and prevents a user from maliciously attacking the metadata service device.
Drawings
Other features, objects and advantages of the present application will become more apparent upon reading of the following detailed description of non-limiting embodiments thereof, made with reference to the accompanying drawings in which:
FIG. 1 illustrates a system topology for controlling virtual machine metadata access in accordance with an aspect of the subject application;
FIG. 2 illustrates a schematic diagram of a virtual machine physical device and a metadata service device for controlling virtual machine metadata access in accordance with another aspect of the subject application;
FIG. 3 is a diagram illustrating a virtual machine physical device, a metadata service device, and a virtual machine management device according to a preferred embodiment of the present application;
FIG. 4 is a diagram illustrating a data message format in accordance with a preferred embodiment of the present application;
FIG. 5 is a diagram illustrating a virtual machine management device, a virtual machine physical device, and a metadata service device for controlling virtual machine metadata access in accordance with another preferred embodiment of the present application;
FIG. 6 illustrates a flowchart of a method for controlling virtual machine metadata access at a physical device side and a metadata service device side of a virtual machine according to yet another aspect of the present application;
FIG. 7 is a flowchart illustrating a method for controlling metadata access of a virtual machine at a virtual machine management device side, a virtual machine physical device side, and a metadata service device side according to another preferred embodiment of the present application.
The same or similar reference numbers in the drawings identify the same or similar elements.
Detailed Description
The present application is described in further detail below with reference to the attached figures.
In a typical configuration of the present application, the terminal, the device serving the network, and the trusted party each include one or more processors (CPUs), input/output interfaces, network interfaces, and memory.
The memory may include forms of volatile memory in a computer readable medium, Random Access Memory (RAM) and/or non-volatile memory, such as Read Only Memory (ROM) or flash memory (flash RAM). Memory is an example of a computer-readable medium.
Computer-readable media include both permanent and non-permanent, removable and non-removable media, and may implement information storage by any method or technology. The information may be computer readable instructions, data structures, modules of a program, or other data. Examples of computer storage media include, but are not limited to, phase change memory (PRAM), Static Random Access Memory (SRAM), Dynamic Random Access Memory (DRAM), other types of Random Access Memory (RAM), Read Only Memory (ROM), Electrically Erasable Programmable Read Only Memory (EEPROM), flash memory or other memory technology, compact disc read only memory (CD-ROM), Digital Versatile Discs (DVD) or other optical storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other non-transmission medium that can be used to store information that can be accessed by a computing device. As defined herein, computer readable media does not include transitory computer readable media (transitory media), such as modulated data signals and carrier waves.
Fig. 1 shows a system topology for controlling access to virtual machine metadata according to an aspect of the present application, which includes a virtual machine management device 3, a metadata service device 2, and a virtual machine physical device 1.
In this application, the virtual machine management device 3 is configured to create a virtual machine, the virtual machine physical device 1 is the host device of the virtual machine, and the metadata service device 2 provides an access service for metadata information. The virtual machine management device 3 and the metadata service device 2 may be located in the same or different physical devices, or in the same or different server clusters; fig. 1 only shows the case where the virtual machine management device 3 and the metadata service device 2 are located in the same server cluster. In the present application, a network module is deployed in each of the virtual machine physical device 1 and the metadata service device 2 and is used for tunnel processing of data packets. Here, the tunnel processing of data packets by the network module may be implemented with an existing network tunneling technology; mainstream options include VXLAN, NVGRE, STT, and the like.
It will be appreciated by those skilled in the art that, for simplicity only, the number of network elements shown in fig. 1 may be smaller than in an actual network, but such omission clearly does not affect a clear and complete disclosure of the present invention. For the sake of simplicity, the following description takes a system composed of one virtual machine physical device 1, one metadata service device 2, and one virtual machine management device 3 as an example.
Fig. 2 shows a schematic diagram of a virtual machine physical device and a metadata service device for controlling virtual machine metadata access according to another aspect of the present application, including a virtual machine physical device 1 and a metadata service device 2. The virtual machine physical device 1 comprises a metadata access request obtaining device 11, a first data packet obtaining device 12, a first data packet sending device 13, a second data packet receiving device 14 and a second data packet decapsulating device 15; the metadata service device 2 includes a first data packet obtaining device 21, a first data packet decapsulating device 22, a metadata information obtaining device 23, a second data packet obtaining device 24, and a second data packet sending device 25.
Specifically:
the metadata access request obtaining device 11 of the virtual machine physical device 1 obtains a metadata access request;
the first data packet obtaining device 12 of the virtual machine physical device 1 performs tunnel encapsulation processing on the access request according to the tunnel identification information corresponding to the target virtual machine to obtain a corresponding first data packet;
the first data message sending device 13 of the virtual machine physical device 1 sends the first data message to the corresponding metadata service device 2;
the first data message obtaining device 21 of the metadata service device 2 obtains the first data message sent by the corresponding virtual machine physical device 1;
the first data packet decapsulating device 22 of the metadata service device 2 decapsulates the first data packet to obtain a metadata access request of a target virtual machine and tunnel identifier information corresponding to the target virtual machine;
the metadata information obtaining device 23 of the metadata service device 2 obtains the metadata information of the target virtual machine according to the tunnel identification information corresponding to the target virtual machine;
the second data packet obtaining device 24 of the metadata service device 2 performs tunnel encapsulation processing on the metadata information of the target virtual machine according to the tunnel identification information corresponding to the target virtual machine to obtain a corresponding second data packet;
the second data message sending device 25 of the metadata service device 2 sends the second data message to the virtual machine physical device 1;
the second data message receiving device 14 of the virtual machine physical device 1 receives the second data message returned by the metadata service device 2 based on the first data message;
and the second data packet decapsulating device 15 of the virtual machine physical device 1 performs tunnel decapsulation processing on the second data packet according to the tunnel identification information corresponding to the target virtual machine, so as to obtain metadata information of the target virtual machine.
For example, referring to fig. 3, the user device may be a virtual machine; if the virtual machine needs to access its own metadata information, the target virtual machine is the virtual machine itself. A metadata access request sent by the virtual machine travels to the network module of the metadata service device 2 via the network module of the virtual machine physical device 1. The network module of the virtual machine physical device 1 performs tunnel encapsulation processing on the metadata access request (i.e., encapsulates it using a network tunnel technology) and carries the request as the payload of the first data packet; the first data packet further includes the tunnel identification information corresponding to the virtual machine, which may include a network tunnel ID and the IP address of the virtual machine's network card. After the network module of the metadata service device 2 acquires the first data packet, it performs tunnel decapsulation processing (i.e., decapsulates it using the network tunnel technology) to strip out the metadata access request and the tunnel identification information, identifies the source of the metadata access request according to the tunnel identification information, and, once the identity is established, queries for the requested metadata information (i.e., the request response result). The network module of the metadata service device 2 then performs tunnel encapsulation processing on the metadata information to obtain the corresponding second data packet and sends it to the virtual machine physical device 1, whose network module performs tunnel decapsulation processing on the second data packet to obtain the metadata information and returns it to the virtual machine (i.e., the user equipment).
Here, the first data packet and the second data packet may use the format shown in fig. 4. During tunnel encapsulation processing, the request or the request response result is carried as the inner data (i.e., the layer-2 original data in fig. 4) of the data packet shown in the figure. Fig. 4 shows network tunnel processing implemented with the VXLAN standard: the VXLAN header in fig. 4 contains the network tunnel ID, that is, the VXLAN protocol header includes a 24-bit VNI (VXLAN Network Identifier), which is the network tunnel ID.
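The exchange described above, sketched in Python as an added example that is not part of the patent text. It assumes VXLAN framing per RFC 7348 as in fig. 4; the function and class names, the VNIs 5001/5002/7777, the 10.0.0.5 address, the instance IDs and the X-Instance-Id header are constructed for illustration.

```python
import ipaddress
import struct

METADATA_IP = "100.100.100.100"   # predetermined address used in the text
VXLAN_I_FLAG = 0x08               # "VNI present" flag (RFC 7348)
ETH_LEN, IPV4_MIN = 14, 20


def vxlan_encap(vni, inner_frame):
    """Prepend the 8-byte VXLAN header: flags, 24 reserved bits, 24-bit VNI, 8 reserved bits."""
    if not 0 <= vni < (1 << 24):
        raise ValueError("VNI must fit in 24 bits")
    return struct.pack("!II", VXLAN_I_FLAG << 24, vni << 8) + inner_frame


def vxlan_decap(message):
    """Return (vni, inner_frame); reject headers that are short or lack the VNI flag."""
    if len(message) < 8:
        raise ValueError("truncated VXLAN header")
    word0, word1 = struct.unpack("!II", message[:8])
    if not (word0 >> 24) & VXLAN_I_FLAG:
        raise ValueError("VNI flag not set")
    return word1 >> 8, message[8:]


def build_inner_frame(src_ip, dst_ip, payload):
    """Constructed layer-2 frame: zeroed MACs, IPv4 header, then the payload.
    The TCP header and IP checksum are left out to keep the sample short."""
    eth = bytes(12) + struct.pack("!H", 0x0800)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, IPV4_MIN + len(payload), 0, 0, 64, 6, 0,
                     ipaddress.IPv4Address(src_ip).packed,
                     ipaddress.IPv4Address(dst_ip).packed)
    return eth + ip + payload


def parse_inner_frame(frame):
    """Return (source_ip, payload) from the inner frame."""
    if len(frame) < ETH_LEN + IPV4_MIN or frame[12:14] != b"\x08\x00":
        raise ValueError("inner frame is not IPv4")
    header_len = (frame[ETH_LEN] & 0x0F) * 4
    if frame[ETH_LEN] >> 4 != 4 or header_len < IPV4_MIN or len(frame) < ETH_LEN + header_len:
        raise ValueError("bad IPv4 header")
    src = str(ipaddress.IPv4Address(frame[ETH_LEN + 12:ETH_LEN + 16]))
    return src, frame[ETH_LEN + header_len:]


class MetadataService:
    """Looks up metadata by tunnel identity only: (VNI, VM NIC IP)."""

    def __init__(self):
        self._store = {}

    def register(self, vni, vm_ip, metadata):
        # Sent by the management device when the VM is created.
        self._store[(vni, vm_ip)] = dict(metadata)

    def handle(self, first_message):
        vni, frame = vxlan_decap(first_message)
        vm_ip, request = parse_inner_frame(frame)
        record = self._store.get((vni, vm_ip))
        parts = request.split(b"\r\n", 1)[0].split(b" ")
        if record is None:
            body = b"403 unknown tunnel identity"
        elif len(parts) != 3 or parts[0] != b"GET":
            body = b"400 bad request"
        else:
            key = parts[1].rsplit(b"/", 1)[-1].decode("ascii", "replace")
            # Headers and query values sent by the guest are never consulted.
            body = record.get(key, "404 no such key").encode()
        return vxlan_encap(vni, build_inner_frame(METADATA_IP, vm_ip, body))


def host_fetch(service, vni, vm_ip, http_request):
    """Host network module: encapsulate with the VM's stored tunnel ID, then decapsulate the reply."""
    first = vxlan_encap(vni, build_inner_frame(vm_ip, METADATA_IP, http_request))
    reply_vni, frame = vxlan_decap(service.handle(first))
    if reply_vni != vni:
        raise ValueError("reply arrived on a different tunnel")
    return parse_inner_frame(frame)[1].decode()


def demo():
    service = MetadataService()
    # Constructed sample data: two tenants reuse the same private IP on different tunnels.
    service.register(5001, "10.0.0.5", {"am-id": "i-tenant-a"})
    service.register(5002, "10.0.0.5", {"am-id": "i-tenant-b"})
    request = b"GET /laster/meta-data/am-id HTTP/1.1\r\nHost: 100.100.100.100\r\n\r\n"
    spoof = request.replace(b"\r\n\r\n", b"\r\nX-Instance-Id: i-tenant-b\r\n\r\n")
    return {
        "tenant_a": host_fetch(service, 5001, "10.0.0.5", request),
        "tenant_b": host_fetch(service, 5002, "10.0.0.5", request),
        "tenant_a_spoofing": host_fetch(service, 5001, "10.0.0.5", spoof),
        "unregistered": host_fetch(service, 7777, "10.0.0.5", request),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The identity the service trusts is written by the host's network module, outside the guest, so the scheme is only as strong as the guarantee that guests cannot inject already-encapsulated traffic toward the metadata service.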
Preferably, the virtual machine physical device 1 further includes a metadata information providing device (not shown in the figure); and the metadata information providing device provides the metadata information corresponding to the target virtual machine to the application corresponding to the metadata access request.
For example, an application may need the metadata information corresponding to the target virtual machine; in some cases a service must be started according to metadata information such as the ID and image name of the machine. In that case, the corresponding metadata information is provided to the application corresponding to the metadata access request.
Preferably, the metadata access request comprises an access request to a predetermined address.
For example, if the request targets a predetermined IP address of the metadata service device 2, the next-hop address of the first data packet is that predetermined IP address. For example, assuming the predetermined IP address is 100.100.100.100, running curl http://100.100.100.100/laster/meta-data/am-id acquires the ID of the target virtual machine.
Preferably, the virtual machine physical device 1 further comprises a metadata access request limiting device (not shown in the figure); the metadata access request limiting means limits the metadata access request if the frequency of the metadata access request exceeds a predetermined threshold.
Here, for a request whose target address is the metadata service device 2, the network module of the virtual machine physical device 1 may provide a QoS rate-limiting function, so as to prevent a user from maliciously attacking the metadata service device 2.
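One way such a limit could work on the host, as an added Python example that is not part of the patent text. It assumes a token bucket kept per VM (keyed by network tunnel ID and VM NIC IP) and applied only to traffic bound for the predetermined metadata address; the class name, the rate of 5 requests per second, the burst of 10 and the sample traffic are constructed.

```python
METADATA_IP = "100.100.100.100"  # predetermined address used in the text


class MetadataRateLimiter:
    """Token bucket per VM, applied only to requests bound for the metadata address.

    Integer milliseconds and milli-tokens keep the arithmetic exact.
    """

    def __init__(self, rate_per_sec, burst):
        self.rate = rate_per_sec          # milli-tokens refilled per millisecond
        self.capacity = burst * 1000      # bucket size in milli-tokens
        self._buckets = {}                # (vni, vm_ip) -> (milli_tokens, last_ms)

    def allow(self, vni, vm_ip, dst_ip, now_ms):
        if dst_ip != METADATA_IP:
            return True                   # non-metadata traffic is not limited here
        tokens, last_ms = self._buckets.get((vni, vm_ip), (self.capacity, now_ms))
        tokens = min(self.capacity, tokens + (now_ms - last_ms) * self.rate)
        allowed = tokens >= 1000          # one request costs one whole token
        if allowed:
            tokens -= 1000
        self._buckets[(vni, vm_ip)] = (tokens, now_ms)
        return allowed


def simulate():
    """Constructed traffic: VM A floods every 20 ms for one second; VM B asks once."""
    limiter = MetadataRateLimiter(rate_per_sec=5, burst=10)
    vm_a, vm_b = (5001, "10.0.0.5"), (5002, "10.0.0.5")
    a_allowed = a_denied = 0
    b_allowed = other_allowed = None
    for now_ms in range(0, 1000, 20):
        if limiter.allow(*vm_a, METADATA_IP, now_ms):
            a_allowed += 1
        else:
            a_denied += 1
        if now_ms == 500:
            # A different VM, and VM A's non-metadata traffic, are unaffected by the flood.
            b_allowed = limiter.allow(*vm_b, METADATA_IP, now_ms)
            other_allowed = limiter.allow(*vm_a, "10.0.0.9", now_ms)
    return a_allowed, a_denied, b_allowed, other_allowed


if __name__ == "__main__":
    print(simulate())
```

Keying the bucket on the tunnel identity rather than on the source IP alone keeps tenants that reuse the same private address from sharing a budget.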
Fig. 5 is a schematic diagram of a virtual machine management device, a virtual machine physical device and a metadata service device for controlling virtual machine metadata access according to another preferred embodiment of the present application, including a virtual machine management device 3, a virtual machine physical device 1 and a metadata service device 2. The virtual machine management device 3 includes tunnel identification information assigning means 31', virtual machine creation instruction transmitting means 32', and metadata information transmitting means 33'; the virtual machine physical device 1 comprises a virtual machine creation instruction receiving device 16', a virtual machine creation device 17', a metadata access request obtaining device 11', a first data message obtaining device 12', a first data message sending device 13', a second data message receiving device 14' and a second data message de-encapsulation device 15'; the metadata service device 2 comprises metadata information receiving means 26', storage means 27', first data packet obtaining means 21', first data packet de-encapsulation means 22', metadata information obtaining means 23', second data packet obtaining means 24' and second data packet sending means 25'.
Here, the metadata access request obtaining device 11', the first data packet obtaining device 12', the first data packet transmitting device 13', the second data packet receiving device 14', and the second data packet decapsulating device 15' of the virtual machine physical device 1 are the same as or substantially the same as the metadata access request obtaining device 11, the first data packet obtaining device 12, the first data packet transmitting device 13, the second data packet receiving device 14, and the second data packet decapsulating device 15 in fig. 2; likewise, the first data packet obtaining device 21', the first data packet decapsulating device 22', the metadata information obtaining device 23', the second data packet obtaining device 24', and the second data packet transmitting device 25' of the metadata service device 2 are the same as or substantially the same as the first data packet obtaining device 21, the first data packet decapsulating device 22, the metadata information obtaining device 23, the second data message obtaining device 24, and the second data message sending device 25 in fig. 2. For the sake of brevity, the details are not repeated.
Specifically, the tunnel identifier information allocating device 31' of the virtual machine management device 3 allocates corresponding tunnel identifier information to the virtual machine to be created; a virtual machine creation instruction sending device 32' of the virtual machine management device 3 sends a virtual machine creation instruction about the virtual machine to be created to the corresponding virtual machine physical device 1, where the virtual machine creation instruction includes tunnel identification information corresponding to the virtual machine to be created; a virtual machine creation instruction receiving device 16' of the virtual machine physical device 1 receives a virtual machine creation instruction about a virtual machine to be created, which is sent by a corresponding virtual machine management device 3, wherein the virtual machine creation instruction includes tunnel identification information corresponding to the virtual machine to be created; the virtual machine creating device 17' of the virtual machine physical device 1 creates the virtual machine to be created according to the virtual machine creating instruction, and stores the tunnel identification information corresponding to the virtual machine to be created; the metadata information sending device 33' of the virtual machine management device 3 sends the metadata information of the virtual machine to be created and the tunnel identification information corresponding to the virtual machine to be created to the corresponding metadata service device 2; the metadata information receiving device 26' of the metadata service device 2 receives the metadata information of the newly created virtual machine sent by the corresponding virtual machine management device 3 and the tunnel identification information corresponding to the newly created virtual machine; the storage device 27' of the metadata service apparatus 2 stores the tunnel identification information corresponding to the newly created virtual machine and the metadata information of the newly created virtual machine.
For example, referring to fig. 3, in the virtual machine creation phase, corresponding tunnel identification information is allocated to the virtual machine to be created, where the tunnel identification information may include a network tunnel ID and an IP address of a virtual machine network card, so as to uniquely identify the newly created virtual machine. Then, the corresponding virtual machine physical device 1 creates a new virtual machine according to the virtual machine creation instruction of the virtual machine management device 3 and records the tunnel identification information corresponding to the newly created virtual machine. Moreover, the virtual machine management device 3 sends the metadata information of the virtual machine to be created and the tunnel identification information corresponding to the virtual machine to be created to the corresponding metadata service device 2; the corresponding metadata service device 2 receives and stores the metadata information of the virtual machine to be created and its corresponding tunnel identification information, so that it can subsequently identify the requester and respond to metadata access requests according to the tunnel identification information.
Preferably, the virtual machine physical device 1 further includes a creation success information sending means (not shown in the figure); when the virtual machine to be created is successfully created, the creation success information sending device sends corresponding creation success information to the virtual machine management device 3.
Preferably, when receiving the creation success information returned by the virtual machine physical device 1 based on the virtual machine creation instruction, the metadata information sending device 33' of the virtual machine management device 3 sends the metadata information of the virtual machine to be created and the tunnel identification information corresponding to the virtual machine to be created to the corresponding metadata service device 2. Then, the corresponding metadata service device 2 receives and stores the metadata information of the virtual machine to be created and its corresponding tunnel identification information, so that it can subsequently identify the requester and respond to metadata access requests according to the tunnel identification information.
Fig. 6 shows a flowchart of a method for controlling access to virtual machine metadata at a virtual machine physical device side and a metadata service device side according to another aspect of the present application, where the method includes steps S11, S12, S13, S14 and S15 at the virtual machine physical device side, and steps S21, S22, S23, S24 and S25 at the metadata service device side.
Specifically, in step S11, the virtual machine physical device 1 acquires a metadata access request; in step S12, the virtual machine physical device 1 performs tunnel encapsulation processing on the access request according to the tunnel identification information corresponding to the target virtual machine to obtain a corresponding first data packet; in step S13, the virtual machine physical device 1 sends the first data packet to the corresponding metadata service device 2; in step S21, the metadata service device 2 obtains a first data packet sent by the corresponding virtual machine physical device 1; in step S22, the metadata service device 2 performs tunnel decapsulation processing on the first data packet to obtain a metadata access request of a target virtual machine and tunnel identifier information corresponding to the target virtual machine; in step S23, the metadata service device 2 obtains metadata information of the target virtual machine according to the tunnel identification information corresponding to the target virtual machine; in step S24, the metadata service device 2 performs tunnel encapsulation processing on the metadata information of the target virtual machine according to the tunnel identification information corresponding to the target virtual machine to obtain a corresponding second data packet; in step S25, the metadata service device 2 sends the second data packet to the virtual machine physical device 1; in step S14, the virtual machine physical device 1 receives a second data packet returned by the metadata service device 2 based on the first data packet; in step S15, the virtual machine physical device 1 performs tunnel decapsulation processing on the second data packet according to the tunnel identification information corresponding to the target virtual machine, so as to obtain metadata information of the target virtual machine.
For example, referring to fig. 3, the user device may be a virtual machine; if the virtual machine needs to access its own metadata information, the target virtual machine is the virtual machine itself. A metadata access request sent by the virtual machine travels to the network module of the metadata service device 2 via the network module of the virtual machine physical device 1. The network module of the virtual machine physical device 1 performs tunnel encapsulation processing (i.e., packet encapsulation using a network tunnel technology) on the metadata access request and carries the request as the payload of the first data packet; the first data packet also includes the tunnel identification information corresponding to the virtual machine, which may include a network tunnel ID and an IP address of a virtual machine network card. After the network module of the metadata service device 2 acquires the first data packet, it performs tunnel decapsulation processing (i.e., decapsulation using the network tunnel technology) to strip out the metadata access request and the tunnel identification information. It then identifies the source of the metadata access request according to the tunnel identification information and, once the identity is established, queries for the requested metadata information (i.e., the request response result). The network module of the metadata service device 2 performs tunnel encapsulation processing on the metadata information to obtain the corresponding second data packet and sends the second data packet to the virtual machine physical device 1, whose network module performs tunnel decapsulation processing on the second data packet to obtain the metadata information and returns it to the virtual machine (i.e., the user equipment).
Here, the first data packet and the second data packet may use the format shown in fig. 4: during tunnel encapsulation processing, the request or the request response result is carried as the payload (i.e., the layer-2 original data in fig. 4) of the data packet shown in the figure. Fig. 4 shows network tunnel processing implemented with the VXLAN technology standard; the VXLAN header in fig. 4 includes the network tunnel ID, namely the 24-bit VNI (VXLAN Network Identifier) carried in the VXLAN protocol header.
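The request path of fig. 3 and fig. 4, together with the creation-phase registration described earlier, as an added example that is not code from the patent: the metadata service looks up metadata by the (VNI, virtual machine network card IP) pair recovered from the tunnel, so two virtual machines with the same IP in different tunnels receive different answers and an unregistered identity receives none. The class and function names, VM names, VNIs, guest IPs and metadata values are constructed; the inner frame omits TCP and checksums, and the network send between the two devices is a direct function call.

```python
from __future__ import annotations

import ipaddress
import struct

VXLAN_FLAG_VNI_VALID = 0x08        # "I" flag of the VXLAN header (RFC 7348)
METADATA_IP = "100.100.100.100"    # predetermined address from the page's example


def vxlan_encap(vni: int, inner_frame: bytes) -> bytes:
    """Prefix the 8-byte VXLAN header: flags(8) reserved(24) VNI(24) reserved(8)."""
    if not 0 <= vni < 1 << 24:
        raise ValueError("VNI must fit in 24 bits")
    return struct.pack("!II", VXLAN_FLAG_VNI_VALID << 24, vni << 8) + inner_frame


def vxlan_decap(packet: bytes) -> tuple[int, bytes]:
    if len(packet) < 8:
        raise ValueError("truncated VXLAN header")
    word0, word1 = struct.unpack("!II", packet[:8])
    if not (word0 >> 24) & VXLAN_FLAG_VNI_VALID:
        raise ValueError("VNI-valid flag not set")
    return word1 >> 8, packet[8:]


def build_inner_frame(src_ip: str, dst_ip: str, payload: bytes) -> bytes:
    """Constructed layer-2 original data: Ethernet + IPv4 header + opaque payload.
    MACs and the IPv4 checksum are zeroed and TCP is omitted (simplification)."""
    eth = bytes(12) + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, 6, 0,
                     ipaddress.IPv4Address(src_ip).packed,
                     ipaddress.IPv4Address(dst_ip).packed)
    return eth + ip + payload


def parse_inner_frame(frame: bytes) -> tuple[str, str, bytes]:
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        raise ValueError("not an IPv4-in-Ethernet frame")
    ihl = (frame[14] & 0x0F) * 4
    if ihl < 20 or len(frame) < 14 + ihl:
        raise ValueError("bad IPv4 header length")
    src = str(ipaddress.IPv4Address(frame[26:30]))
    dst = str(ipaddress.IPv4Address(frame[30:34]))
    return src, dst, frame[14 + ihl:]


class MetadataService:
    """Metadata service device 2 (hypothetical class name)."""

    def __init__(self):
        self._store = {}  # (vni, vm_ip) -> metadata, filled in steps S26'/S27'

    def register(self, vni: int, vm_ip: str, metadata: dict) -> None:
        self._store[(vni, vm_ip)] = dict(metadata)

    def handle(self, first_packet: bytes) -> bytes | None:
        vni, frame = vxlan_decap(first_packet)                 # S22
        src, dst, request = parse_inner_frame(frame)
        record = self._store.get((vni, src))                   # S23: identity = tunnel info
        parts = request.decode(errors="replace").split()
        if dst != METADATA_IP or record is None or len(parts) < 2:
            return None                                        # unknown identity: no answer
        body = record.get(parts[1].rsplit("/", 1)[-1], "").encode()
        return vxlan_encap(vni, build_inner_frame(METADATA_IP, src, body))  # S24


class HostNetworkModule:
    """Network module of virtual machine physical device 1 (hypothetical class name)."""

    def __init__(self, service: MetadataService):
        self._service = service
        self._tunnel_ids = {}  # vm name -> (vni, vm_ip), stored at creation (S17')

    def create_vm(self, name: str, vni: int, vm_ip: str) -> None:
        self._tunnel_ids[name] = (vni, vm_ip)

    def metadata_request(self, name: str, request: bytes) -> str | None:
        vni, vm_ip = self._tunnel_ids[name]   # taken from the host's record, not the guest
        first = vxlan_encap(vni, build_inner_frame(vm_ip, METADATA_IP, request))  # S12
        second = self._service.handle(first)  # S13/S14, network send elided
        if second is None:
            return None
        reply_vni, frame = vxlan_decap(second)                 # S15
        _, dst, body = parse_inner_frame(frame)
        return body.decode() if (reply_vni, dst) == (vni, vm_ip) else None


def demo() -> dict:
    service = MetadataService()
    host = HostNetworkModule(service)
    # Constructed tenants: vm-a and vm-b share an IP but sit in different tunnels.
    host.create_vm("vm-a", 5001, "10.0.0.5")
    service.register(5001, "10.0.0.5", {"instance-id": "i-constructed-a"})
    host.create_vm("vm-b", 5002, "10.0.0.5")
    service.register(5002, "10.0.0.5", {"instance-id": "i-constructed-b"})
    host.create_vm("vm-c", 5003, "10.0.0.9")  # metadata never pushed to the service
    request = b"GET /meta-data/instance-id"
    return {name: host.metadata_request(name, request) for name in ("vm-a", "vm-b", "vm-c")}


if __name__ == "__main__":
    print(demo())
```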
Preferably, the method further comprises: the virtual machine physical device 1 provides the metadata information corresponding to the target virtual machine to the application corresponding to the metadata access request.
For example, an application may need the metadata information corresponding to the target virtual machine; in some cases, a service must be started according to metadata information such as the ID and image name of the machine. Here, the corresponding metadata information is provided to the application corresponding to the metadata access request.
Preferably, the metadata access request comprises an access request to a predetermined address.
For example, if the request targets a predetermined IP address of the metadata service device 2, the next hop address of the first data packet is the predetermined IP address. For example, assuming the predetermined IP address is 100.100.100.100, running curl http://100.100.100.100/laster/meta-data/am-id acquires the ID of the target virtual machine.
Preferably, the method further comprises: if the frequency of the metadata access request exceeds a preset threshold value, the virtual machine physical device 1 limits the metadata access request.
Here, for a request whose target address is the metadata service device 2, the network module of the virtual machine physical device 1 may provide a QoS rate-limiting function, so as to prevent a user from maliciously attacking the metadata service device 2.
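One way to implement this frequency limit at the network module of the virtual machine physical device 1, as an added example rather than the patent's implementation: a sliding-window counter keyed by the tunnel identification information and applied only to traffic bound for the predetermined metadata address. The class name, the threshold of 3 requests per second and the sample events are assumptions.

```python
from collections import defaultdict, deque

METADATA_IP = "100.100.100.100"  # predetermined address from the page's example


class MetadataRateLimiter:
    """Sliding-window limit per (network tunnel ID, VM NIC IP), checked before encapsulation."""

    def __init__(self, max_requests: int, window_seconds: float):
        self.max_requests = max_requests
        self.window = window_seconds
        self._recent = defaultdict(deque)  # (vni, vm_ip) -> times of admitted requests

    def allow(self, vni: int, vm_ip: str, dst_ip: str, now: float) -> bool:
        if dst_ip != METADATA_IP:
            return True  # only requests to the metadata service are limited
        admitted = self._recent[(vni, vm_ip)]
        # Drop admissions that have aged out of the window.
        while admitted and now - admitted[0] >= self.window:
            admitted.popleft()
        if len(admitted) >= self.max_requests:
            return False  # over the threshold: the request is not encapsulated or sent
        admitted.append(now)
        return True


# Constructed events: (time in seconds, VNI, VM NIC IP, destination IP)
SAMPLE_EVENTS = [
    (0.00, 5001, "10.0.0.5", METADATA_IP),
    (0.10, 5001, "10.0.0.5", METADATA_IP),
    (0.20, 5001, "10.0.0.5", METADATA_IP),
    (0.25, 5002, "10.0.0.5", METADATA_IP),  # same IP, different tunnel: separate budget
    (0.30, 5001, "10.0.0.5", METADATA_IP),  # fourth request inside the window: limited
    (0.35, 5001, "10.0.0.5", "10.0.0.8"),   # not metadata traffic: not counted
    (1.05, 5001, "10.0.0.5", METADATA_IP),  # the t=0.00 admission has aged out
]


def replay(events, max_requests: int = 3, window_seconds: float = 1.0) -> list:
    """Return the allow/deny decision for each event, in order."""
    limiter = MetadataRateLimiter(max_requests, window_seconds)
    return [limiter.allow(vni, ip, dst, t) for t, vni, ip, dst in events]


if __name__ == "__main__":
    for event, decision in zip(SAMPLE_EVENTS, replay(SAMPLE_EVENTS)):
        print(event, "allow" if decision else "limit")
```

Because the key is the tunnel identification information held by the host, a limited virtual machine does not consume the budget of another tenant that reuses the same IP address.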
Fig. 7 is a flowchart illustrating a method for controlling metadata access of a virtual machine at a virtual machine management device side, a virtual machine physical device side, and a metadata service device side according to another preferred embodiment of the present application, where the method includes steps S31', S32' and S33' on the virtual machine management device side; steps S16', S17', S11', S12', S13', S14' and S15' on the virtual machine physical device side; and steps S26', S27', S21', S22', S23', S24' and S25' on the metadata service device side.
Here, steps S11', S12', S13', S14', S15', S21', S22', S23', S24' and S25' are the same as or substantially the same as steps S11, S12, S13, S14, S15, S21, S22, S23, S24 and S25 in fig. 6, and thus, for brevity, their description is omitted.
Specifically, in step S31', the virtual machine management device 3 allocates corresponding tunnel identification information to the virtual machine to be created; in step S32', the virtual machine management device 3 sends a virtual machine creation instruction about the virtual machine to be created to the corresponding virtual machine physical device 1, where the virtual machine creation instruction includes tunnel identification information corresponding to the virtual machine to be created; in step S16', the virtual machine physical device 1 receives a virtual machine creation instruction about a virtual machine to be created, which is sent by the corresponding virtual machine management device 3, where the virtual machine creation instruction includes tunnel identification information corresponding to the virtual machine to be created; in step S17', the virtual machine physical device 1 creates the virtual machine to be created according to the virtual machine creation instruction, and stores the tunnel identification information corresponding to the virtual machine to be created; in step S33', the virtual machine management device 3 sends the metadata information of the virtual machine to be created and the tunnel identification information corresponding to the virtual machine to be created to the corresponding metadata service device 2; in step S26', the metadata service device 2 receives the metadata information of the newly created virtual machine sent by the corresponding virtual machine management device 3 and the tunnel identification information corresponding to the newly created virtual machine; in step S27', the metadata service device 2 stores the tunnel identification information corresponding to the newly created virtual machine and the metadata information of the newly created virtual machine.
For example, referring to fig. 3, in the virtual machine creation phase, corresponding tunnel identification information is allocated to the virtual machine to be created, where the tunnel identification information may include a network tunnel ID and an IP address of a virtual machine network card, so as to uniquely identify the newly created virtual machine. Then, the corresponding virtual machine physical device 1 creates a new virtual machine according to the virtual machine creation instruction of the virtual machine management device 3 and records the tunnel identification information corresponding to the newly created virtual machine. Moreover, the virtual machine management device 3 sends the metadata information of the virtual machine to be created and the tunnel identification information corresponding to the virtual machine to be created to the corresponding metadata service device 2; the corresponding metadata service device 2 receives and stores the metadata information of the virtual machine to be created and its corresponding tunnel identification information, so that it can subsequently identify the requester and respond to metadata access requests according to the tunnel identification information.
Preferably, the method further comprises: when the virtual machine physical device 1 successfully creates the virtual machine to be created, it sends corresponding creation success information to the virtual machine management device 3.
Preferably, when receiving creation success information returned by the virtual machine physical device 1 based on the virtual machine creation instruction, the virtual machine management device 3 sends the metadata information of the virtual machine to be created and the tunnel identification information corresponding to the virtual machine to be created to the corresponding metadata service device 2. Then, the corresponding metadata service device 2 receives and stores the metadata information of the virtual machine to be created and its corresponding tunnel identification information, so that it can subsequently identify the requester and respond to metadata access requests according to the tunnel identification information.
According to yet another aspect of the present application, there is also provided a virtual machine physical device for controlling virtual machine metadata access, wherein the device includes:
a processor; and
a memory arranged to store computer executable instructions that, when executed, cause the processor to:
acquiring a metadata access request;
performing tunnel encapsulation processing on the access request according to tunnel identification information corresponding to the target virtual machine to obtain a corresponding first data message;
sending the first data message to corresponding metadata service equipment;
receiving a second data message returned by the metadata service equipment based on the first data message;
and performing tunnel decapsulation processing on the second data message according to the tunnel identification information corresponding to the target virtual machine to obtain metadata information of the target virtual machine.
According to still another aspect of the present application, there is also provided a metadata service apparatus for controlling virtual machine metadata access, wherein the apparatus includes:
a processor; and
a memory arranged to store computer executable instructions that, when executed, cause the processor to:
acquiring a first data message sent by corresponding virtual machine physical equipment;
performing tunnel decapsulation processing on the first data packet to obtain a metadata access request of a target virtual machine and tunnel identification information corresponding to the target virtual machine;
acquiring metadata information of the target virtual machine according to the tunnel identification information corresponding to the target virtual machine;
performing tunnel encapsulation processing on the metadata information of the target virtual machine according to the tunnel identification information corresponding to the target virtual machine to obtain a corresponding second data message;
and sending the second data message to the virtual machine physical equipment.
According to still another aspect of the present application, there is also provided a virtual machine management apparatus for controlling virtual machine metadata access, wherein the apparatus includes:
a processor; and
a memory arranged to store computer executable instructions that, when executed, cause the processor to:
distributing corresponding tunnel identification information for the virtual machine to be created;
sending a virtual machine creating instruction about the virtual machine to be created to corresponding virtual machine physical equipment, wherein the virtual machine creating instruction comprises tunnel identification information corresponding to the virtual machine to be created;
and sending the metadata information of the virtual machine to be created and the tunnel identification information corresponding to the virtual machine to be created to corresponding metadata service equipment.
Compared with the prior art, after acquiring a metadata access request, the virtual machine physical device performs tunnel encapsulation processing on the metadata access request according to tunnel identification information corresponding to a target virtual machine to obtain a corresponding first data message, and then sends the first data message to a corresponding metadata service device; the virtual machine is uniquely identified by the tunnel identification information, and the metadata access request and the request response result are encapsulated or decapsulated by using a network tunnel technology, so that identity recognition is realized, and a user can safely and quickly access the required metadata information. Further, if the frequency of the metadata access request exceeds a predetermined threshold, the virtual machine physical device limits the metadata access request, and prevents a user from maliciously attacking the metadata service device.
It should be noted that the present application may be implemented in software and/or a combination of software and hardware, for example, implemented using Application Specific Integrated Circuits (ASICs), general purpose computers or any other similar hardware devices. In one embodiment, the software programs of the present application may be executed by a processor to implement the steps or functions described above. Likewise, the software programs (including associated data structures) of the present application may be stored in a computer readable recording medium, such as RAM memory, magnetic or optical drive or diskette and the like. Additionally, some of the steps or functions of the present application may be implemented in hardware, for example, as circuitry that cooperates with the processor to perform various steps or functions.
In addition, some of the present application may be implemented as a computer program product, such as computer program instructions, which when executed by a computer, may invoke or provide methods and/or techniques in accordance with the present application through the operation of the computer. Program instructions which invoke the methods of the present application may be stored on a fixed or removable recording medium and/or transmitted via a data stream on a broadcast or other signal-bearing medium and/or stored within a working memory of a computer device operating in accordance with the program instructions. An embodiment according to the present application comprises an apparatus comprising a memory for storing computer program instructions and a processor for executing the program instructions, wherein the computer program instructions, when executed by the processor, trigger the apparatus to perform a method and/or a solution according to the aforementioned embodiments of the present application.
It will be evident to those skilled in the art that the present application is not limited to the details of the foregoing illustrative embodiments, and that the present application may be embodied in other specific forms without departing from the spirit or essential attributes thereof. The present embodiments are therefore to be considered in all respects as illustrative and not restrictive, the scope of the application being indicated by the appended claims rather than by the foregoing description, and all changes which come within the meaning and range of equivalency of the claims are therefore intended to be embraced therein. Any reference sign in a claim should not be construed as limiting the claim concerned. Furthermore, it is obvious that the word "comprising" does not exclude other elements or steps, and the singular does not exclude the plural. A plurality of units or means recited in the apparatus claims may also be implemented by one unit or means in software or hardware. The terms first, second, etc. are used to denote names, but not any particular order.

Claims (23)

1. A method for controlling metadata access of a virtual machine is used for a physical device side of the virtual machine, wherein the method comprises the following steps:
acquiring a metadata access request;
performing tunnel encapsulation processing on the access request according to tunnel identification information corresponding to the target virtual machine to obtain a corresponding first data message;
sending the first data message to corresponding metadata service equipment;
receiving a second data message returned by the metadata service equipment based on the first data message;
performing tunnel decapsulation processing on the second data message according to the tunnel identification information corresponding to the target virtual machine to obtain metadata information of the target virtual machine;
the tunnel identification information may include a network tunnel ID and an IP address of a virtual machine network card; the network tunnel ID includes: VNI field of vxlan protocol header.
2. The method of claim 1, wherein the method further comprises:
and providing the metadata information corresponding to the target virtual machine to the application corresponding to the metadata access request.
3. The method of claim 1, wherein the metadata access request comprises an access request to a predetermined address.
4. The method of claim 1, wherein the method further comprises:
receiving a virtual machine creating instruction about a virtual machine to be created, which is sent by corresponding virtual machine management equipment, wherein the virtual machine creating instruction comprises tunnel identification information corresponding to the virtual machine to be created;
and creating the virtual machine to be created according to the virtual machine creating instruction, and storing the tunnel identification information corresponding to the virtual machine to be created.
5. The method of claim 4, wherein the method further comprises:
and when the virtual machine to be created is successfully created, sending corresponding creation success information to the virtual machine management equipment.
6. The method of any of claims 1-5, wherein the method further comprises:
and if the frequency of the metadata access requests exceeds a preset threshold value, limiting the metadata access requests.
7. A method for controlling virtual machine metadata access is used for a metadata service device side, wherein the method comprises the following steps:
acquiring a first data message sent by corresponding virtual machine physical equipment;
performing tunnel decapsulation processing on the first data packet to obtain a metadata access request of a target virtual machine and tunnel identification information corresponding to the target virtual machine;
acquiring metadata information of the target virtual machine according to the tunnel identification information corresponding to the target virtual machine;
performing tunnel encapsulation processing on the metadata information of the target virtual machine according to the tunnel identification information corresponding to the target virtual machine to obtain a corresponding second data message;
sending the second data message to the virtual machine physical device;
the tunnel identification information may include a network tunnel ID and an IP address of a virtual machine network card; the network tunnel ID includes: VNI field of vxlan protocol header.
8. The method of claim 7, wherein the method further comprises:
receiving metadata information of a newly created virtual machine sent by corresponding virtual machine management equipment and tunnel identification information corresponding to the newly created virtual machine;
and storing the tunnel identification information corresponding to the newly created virtual machine and the metadata information of the newly created virtual machine.
9. A method for controlling metadata access of a virtual machine is used for a virtual machine management device side, wherein the method comprises the following steps:
distributing corresponding tunnel identification information for the virtual machine to be created;
sending a virtual machine creating instruction about the virtual machine to be created to corresponding virtual machine physical equipment, wherein the virtual machine creating instruction comprises tunnel identification information corresponding to the virtual machine to be created;
sending the metadata information of the virtual machine to be created and the tunnel identification information corresponding to the virtual machine to be created to corresponding metadata service equipment;
the tunnel identification information may include a network tunnel ID and an IP address of a virtual machine network card; the network tunnel ID includes: VNI field of vxlan protocol header.
10. The method of claim 9, wherein the sending metadata information of the virtual machine to be created and tunnel identification information corresponding to the virtual machine to be created to a corresponding metadata service device includes:
and when receiving creation success information returned by the virtual machine physical equipment based on the virtual machine creation instruction, sending metadata information of the virtual machine to be created and tunnel identification information corresponding to the virtual machine to be created to corresponding metadata service equipment.
11. A virtual machine physical device for controlling virtual machine metadata access, wherein the device comprises:
metadata access request acquisition means for acquiring a metadata access request;
a first data packet obtaining device, configured to perform tunnel encapsulation processing on the access request according to tunnel identification information corresponding to the target virtual machine to obtain a corresponding first data packet;
the first data message sending device is used for sending the first data message to corresponding metadata service equipment;
the second data message receiving device is used for receiving a second data message returned by the metadata service equipment based on the first data message;
a second data message decapsulation device, configured to perform tunnel decapsulation processing on the second data message according to tunnel identification information corresponding to the target virtual machine, so as to obtain metadata information of the target virtual machine;
the tunnel identification information may include a network tunnel ID and an IP address of a virtual machine network card; the network tunnel ID includes: VNI field of vxlan protocol header.
12. The apparatus of claim 11, wherein the apparatus further comprises:
and the metadata information providing device is used for providing the metadata information corresponding to the target virtual machine to the application corresponding to the metadata access request.
13. The apparatus of claim 11, wherein the metadata access request comprises an access request to a predetermined address.
14. The apparatus of claim 11, wherein the apparatus further comprises:
the virtual machine creating instruction receiving device is used for receiving a virtual machine creating instruction which is sent by corresponding virtual machine management equipment and is about to create a virtual machine, wherein the virtual machine creating instruction comprises tunnel identification information corresponding to the virtual machine to be created;
and the virtual machine creating device is used for creating the virtual machine to be created according to the virtual machine creating instruction and storing the tunnel identification information corresponding to the virtual machine to be created.
15. The apparatus of claim 14, wherein the apparatus further comprises:
and the creation success information sending device is used for sending corresponding creation success information to the virtual machine management equipment when the virtual machine to be created is successfully created.
16. The apparatus of any of claims 11 to 15, wherein the apparatus further comprises:
metadata access request limiting means for limiting the metadata access request if the frequency of the metadata access request exceeds a predetermined threshold.
17. A metadata service apparatus for controlling access to virtual machine metadata, wherein the apparatus comprises:
the first data message acquisition device is used for acquiring a first data message sent by the corresponding virtual machine physical equipment;
the first data message decapsulation device is used for performing tunnel decapsulation processing on the first data message to obtain a metadata access request of a target virtual machine and tunnel identification information corresponding to the target virtual machine;
the metadata information acquisition device is used for acquiring the metadata information of the target virtual machine according to the tunnel identification information corresponding to the target virtual machine;
a second data message obtaining device, configured to perform tunnel encapsulation processing on the metadata information of the target virtual machine according to the tunnel identification information corresponding to the target virtual machine to obtain a corresponding second data message;
a second data message sending device, configured to send the second data message to the virtual machine physical device;
the tunnel identification information may include a network tunnel ID and an IP address of a virtual machine network card; the network tunnel ID includes the VNI field of the VXLAN protocol header.
18. The apparatus of claim 17, wherein the apparatus further comprises:
the metadata information receiving device is used for receiving metadata information of a newly created virtual machine sent by corresponding virtual machine management equipment and tunnel identification information corresponding to the newly created virtual machine;
and the storage device is used for storing the tunnel identification information corresponding to the newly created virtual machine and the metadata information of the newly created virtual machine.
19. A virtual machine management appliance for controlling virtual machine metadata access, wherein the appliance comprises:
the tunnel identification information distribution device is used for distributing corresponding tunnel identification information for the virtual machine to be created;
a virtual machine creation instruction sending device, configured to send a virtual machine creation instruction about the virtual machine to be created to a corresponding virtual machine physical device, where the virtual machine creation instruction includes tunnel identification information corresponding to the virtual machine to be created;
the metadata information sending device is used for sending the metadata information of the virtual machine to be created and the tunnel identification information corresponding to the virtual machine to be created to corresponding metadata service equipment;
the tunnel identification information may include a network tunnel ID and an IP address of a virtual machine network card; the network tunnel ID includes the VNI field of the VXLAN protocol header.
20. The apparatus of claim 19, wherein the metadata information transmitting means is configured to:
and when receiving creation success information returned by the virtual machine physical equipment based on the virtual machine creation instruction, sending metadata information of the virtual machine to be created and tunnel identification information corresponding to the virtual machine to be created to corresponding metadata service equipment.
21. A virtual machine physical device for controlling virtual machine metadata access, wherein the device comprises:
a processor; and
a memory arranged to store computer executable instructions that, when executed, cause the processor to:
acquiring a metadata access request;
performing tunnel encapsulation processing on the access request according to tunnel identification information corresponding to the target virtual machine to obtain a corresponding first data message;
sending the first data message to corresponding metadata service equipment;
receiving a second data message returned by the metadata service equipment based on the first data message;
performing tunnel decapsulation processing on the second data message according to the tunnel identification information corresponding to the target virtual machine to obtain metadata information of the target virtual machine;
the tunnel identification information may include a network tunnel ID and an IP address of a virtual machine network card; the network tunnel ID includes the VNI field of the VXLAN protocol header.
22. A metadata service apparatus for controlling access to virtual machine metadata, wherein the apparatus comprises:
a processor; and
a memory arranged to store computer executable instructions that, when executed, cause the processor to:
acquiring a first data message sent by corresponding virtual machine physical equipment;
performing tunnel decapsulation processing on the first data message to obtain a metadata access request of a target virtual machine and tunnel identification information corresponding to the target virtual machine;
acquiring metadata information of the target virtual machine according to the tunnel identification information corresponding to the target virtual machine;
performing tunnel encapsulation processing on the metadata information of the target virtual machine according to the tunnel identification information corresponding to the target virtual machine to obtain a corresponding second data message;
sending the second data message to the virtual machine physical device;
the tunnel identification information may include a network tunnel ID and an IP address of a virtual machine network card; the network tunnel ID includes the VNI field of the VXLAN protocol header.
23. A virtual machine management appliance for controlling virtual machine metadata access, wherein the appliance comprises:
a processor; and
a memory arranged to store computer executable instructions that, when executed, cause the processor to:
distributing corresponding tunnel identification information for the virtual machine to be created;
sending a virtual machine creating instruction about the virtual machine to be created to corresponding virtual machine physical equipment, wherein the virtual machine creating instruction comprises tunnel identification information corresponding to the virtual machine to be created;
sending the metadata information of the virtual machine to be created and the tunnel identification information corresponding to the virtual machine to be created to corresponding metadata service equipment;
the tunnel identification information may include a network tunnel ID and an IP address of a virtual machine network card; the network tunnel ID includes the VNI field of the VXLAN protocol header.
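The metadata-service flow of claims 17 and 22 (decapsulate, look up by tunnel identification information, re-encapsulate), sketched as an added example that is not part of the patent text. It assumes the standard 8-byte VXLAN header layout and a simplified inner Ethernet + IPv4 frame; the function names, the `STORE` table, the VNIs and the addresses are all constructed for illustration.

```python
import ipaddress
import json
import struct

I_FLAG = 0x08  # VXLAN "VNI present" flag (RFC 7348)

# Constructed store keyed by (VNI, VM NIC IP); both tenants share one private IP.
STORE = {(5001, "10.0.0.5"): {"instance-id": "i-tenant-a"},
         (5002, "10.0.0.5"): {"instance-id": "i-tenant-b"}}

def vxlan_encap(vni, inner):
    """Prepend the 8-byte VXLAN header: flags(8) reserved(24) VNI(24) reserved(8)."""
    if not 0 <= vni < 1 << 24:
        raise ValueError("VNI must fit in 24 bits")
    return struct.pack("!II", I_FLAG << 24, vni << 8) + inner

def vxlan_decap(packet):
    """Return (vni, inner frame); reject truncated headers or a cleared I flag."""
    if len(packet) < 8:
        raise ValueError("truncated VXLAN header")
    word0, word1 = struct.unpack("!II", packet[:8])
    if not (word0 >> 24) & I_FLAG:
        raise ValueError("VNI-present flag not set")
    return word1 >> 8, packet[8:]

def build_inner(src, dst, payload):
    """Constructed inner Ethernet + IPv4 frame (zero MACs and checksum, no TCP)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, 6, 0,
                     ipaddress.IPv4Address(src).packed,
                     ipaddress.IPv4Address(dst).packed)
    return bytes(12) + b"\x08\x00" + ip + payload

def parse_inner(frame):
    """Return (src IP, dst IP, payload) of an inner IPv4-over-Ethernet frame."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        raise ValueError("inner frame is not IPv4")
    ihl = (frame[14] & 0x0F) * 4
    if ihl < 20 or len(frame) < 14 + ihl:
        raise ValueError("bad IPv4 header length")
    src, dst = (str(ipaddress.IPv4Address(frame[o:o + 4])) for o in (26, 30))
    return src, dst, frame[14 + ihl:]

def serve(first_message):
    """Metadata-service side: decapsulate, look up by (VNI, IP), re-encapsulate."""
    vni, frame = vxlan_decap(first_message)
    src, dst, _request = parse_inner(frame)
    meta = STORE.get((vni, src))  # identity comes from the tunnel, not the request
    body = json.dumps(meta).encode() if meta else b"{}"
    return vxlan_encap(vni, build_inner(dst, src, body))
```

Two virtual machines with the same private IP receive different metadata because the lookup key includes the VNI, which the virtual machine physical device adds during encapsulation rather than the guest.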
CN201610703900.1A 2016-08-22 2016-08-22 Method and equipment for controlling virtual machine metadata access Active CN107770095B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201610703900.1A CN107770095B (en) 2016-08-22 2016-08-22 Method and equipment for controlling virtual machine metadata access

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201610703900.1A CN107770095B (en) 2016-08-22 2016-08-22 Method and equipment for controlling virtual machine metadata access

Publications (2)

Publication Number Publication Date
CN107770095A CN107770095A (en) 2018-03-06
CN107770095B true CN107770095B (en) 2021-07-06

Family

ID=61264104

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201610703900.1A Active CN107770095B (en) 2016-08-22 2016-08-22 Method and equipment for controlling virtual machine metadata access

Country Status (1)

Country Link
CN (1) CN107770095B (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8601133B1 (en) * 2010-12-14 2013-12-03 Juniper Networks, Inc. Highly scalable data center architecture with address resolution protocol (ARP)-free servers
CN103631638A (en) * 2012-08-27 2014-03-12 国际商业机器公司 Method, system and computer program product for optimizing virtual machine deployment
CN103957160A (en) * 2014-05-12 2014-07-30 华为技术有限公司 Message sending method and device
CN104823163A (en) * 2012-10-31 2015-08-05 谷歌公司 Metadata-based virtual machine configuration
CN105354076A (en) * 2015-10-23 2016-02-24 深圳前海达闼云端智能科技有限公司 Application deployment method and device

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104021027B (en) * 2013-02-28 2017-04-12 国际商业机器公司 Method and equipment for providing virtual device
US9692698B2 (en) * 2014-06-30 2017-06-27 Nicira, Inc. Methods and systems to offload overlay network packet encapsulation to hardware

Also Published As

Publication number Publication date
CN107770095A (en) 2018-03-06

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant