CN111988263B - Container service management method, container manager, virtual network function instance and virtual network function manager - Google Patents

Info

Publication number: CN111988263B
Authority: CN (China)
Prior art keywords: vnfi, token, identification information, container, vnfm
Legal status: Active (the legal status is an assumption and is not a legal conclusion)
Application number: CN201910429966.XA
Other languages: Chinese (zh)
Other versions: CN111988263A (en)
Inventors: 李飞, 夏海涛
Current Assignee: Huawei Technologies Co Ltd
Original Assignee: Huawei Technologies Co Ltd
Application filed by: Huawei Technologies Co Ltd
Priority to: CN201910429966.XA; PCT/CN2020/079320 (WO2020233205A1)
Publications: CN111988263A; CN111988263B (application granted)

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/08: Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0876: Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
    • H04L65/00: Network arrangements, protocols or services for supporting real-time applications in data packet communication
    • H04L65/40: Support for services or applications
    • H04L67/00: Network arrangements or protocols for supporting network services or applications
    • H04L67/01: Protocols
    • H04L67/02: Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
    • H04L67/025: Protocols based on web technology, e.g. hypertext transfer protocol [HTTP] for remote control or remote monitoring of applications
    • H04L67/14: Session management
    • H04L67/146: Markers for unambiguous identification of a particular session, e.g. session cookie or URL-encoding
    • H04L67/50: Network services
    • H04L67/51: Discovery or management thereof, e.g. service location protocol [SLP] or web services

Abstract

When a VNFI needs to use a service provided by a container service instance, a token request carrying identification information of the VNFI and identification information of the VNFM is sent to the container manager. The token that the container manager generates according to the token request also includes the identification information of the VNFI and the identification information of the VNFM. Therefore, a token generated by the container manager for a given VNFI cannot be used after being stolen by a VNFI managed by a different VNFM, which improves the security of the token used when a VNFI requests the service provided by a container service instance in the NFV system.

Description

Container service management method, container manager, virtual network function instance and virtual network function manager
Technical Field
The present application relates to communications technologies, and in particular, to a method and an apparatus for managing container services.
Background
Network Function Virtualization (NFV) is a technology for constructing a communication network system from general-purpose hardware and network virtualization. It can carry the software processing functions of a communication network, enabling virtualization, flexible deployment and flexible capacity expansion of the network while reducing the cost of expensive network equipment. A virtual network function instance (VNFI), obtained by instantiating a virtual network function (VNF) in the NFV system, can be deployed on a virtual machine and, as a software-implemented network element, execute network-element functions. For example, a VNFI may correspond to a network element with a physical network function in a conventional non-virtualized communication network and implement functions such as a Mobility Management Entity (MME), a Serving Gateway (SGW) or a packet data network gateway (PGW). A Virtual Network Function Manager (VNFM) in the NFV system manages VNFIs. Container service instances in the NFV system can provide each VNFI with high-performance, scalable container application management services packaged into portable containers (Docker), and a container manager in the NFV system manages each container service instance.
In the prior art, when a VNFI needs to use a service provided by a container service instance, the VNFI sends a token application to the container manager through the VNFM. On receiving the token application, the container manager generates a token corresponding to the VNFI; the token comprises identification information (instance id) of the VNFI, the container service instance that the VNF can use, and an expiration time until which the VNF can use that container service instance. The container manager then sends the token to the VNFI through the VNFM, and after receiving it the VNFI can use the token to request service from the corresponding container service instance until the expiration time.
However, a token that an existing VNFI obtains from the container manager can still be used after it is stolen by a VNFI managed by a different VNFM, so the token provides weak security. How to improve the security of the token that a VNFI uses when requesting the service provided by a container service instance is therefore a technical problem to be solved in the art.
Disclosure of Invention
The application provides a container service management method and device, which are used for improving the security performance of a token used when a VNFI requests a service provided by a container service instance.
A first aspect of the present application provides a container management method, including: if a Virtual Network Function Instance (VNFI) needs to use a service provided by a container service instance, the VNFI sends a token request to a container manager for managing the container service instance; wherein the token request includes identification information of the VNFI and identification information of a Virtual Network Function Manager (VNFM) for managing the VNFI;
the VNFI receives a token sent by the container manager; the token comprises identification information of the VNFI and identification information of the VNFM, which the container service instance uses to verify a VNFI that requests service with the token.
In summary, in this embodiment, when the VNFI needs to use the service provided by the container service instance, the VNFI sends a token request to the container manager, and the token that the container manager generates according to the token request includes the identification information of the VNFI and the identification information of the VNFM. Because the token includes the identification information of the VNFM, when the VNFI requests service from the container service instance with the token, the container service instance verifies the identification information of the VNFM in the token as well as the identification information of the VNFI. This ensures that a token generated by the container manager for a given VNFI cannot be used after being stolen by a VNFI managed by a different VNFM, which improves the security of the token used when a VNFI requests the service provided by a container service instance in the NFV system.
In an embodiment of the first aspect of the present application, after the VNFI receives the token sent by the container manager, the method further includes: the VNFI sends a service request to the container service instance, wherein the service request comprises the token, so that the container service instance verifies the VNFI according to the identification information of the VNFI and the identification information of the VNFM in the token; if the verification is successful, the VNFI uses the service provided by the container service instance.
In summary, in this embodiment, when the VNFI requests service from the container service instance with the token, the container service instance verifies both the identification information of the VNFI and the identification information of the VNFM in the token, and provides the service to the VNFI only after both have been verified. Even if two VNFIs managed by two different VNFMs have the same VNFI identification information, the identification information of the two VNFMs differs, and the container service instance also verifies the VNFM identification information when a VNFI requests the container service. So if one VNFI obtains a token from the container manager and another VNFI steals it, the VNFM identification information in the token presented by the stealing VNFI differs from the identification information of that VNFI's actual VNFM; the container service instance cannot verify the token and will not provide the container service to the VNFI that stole it. Therefore, even if a token is stolen across VNFMs, the VNFI that stole it cannot use the service provided by the container service instance with that token. That is, a token generated by the container manager for a given VNFI cannot be used after being stolen by a VNFI managed by a different VNFM, which improves the security of the token used when a VNFI requests the service provided by a container service instance in the NFV system.
In an embodiment of the first aspect of the present application, the token further includes: identification information of the container service instance;
the VNFI sends a service request to the container service instance according to the token, including: and the VNFI sends a service request to the container service instance corresponding to the identification information of the container service instance according to the token.
In summary, in this embodiment, when the container manager generates a token for the VNFI, it carries in the token the identification information of the container service instance that the VNFI may request with that token, which limits the range of container service instances available to the VNFI. The VNFI must therefore request service from the container service instance that the container manager specified in the token, and if the token is stolen across VNFMs, other VNFIs cannot request service from the container service instance in the VNF system to which the original token belongs. This strengthens the security of the token, so that it cannot be used after being stolen across VNFMs.
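The checks described in the embodiments above (VNFI identification, VNFM identification, container service instance identification and expiration time), as an added example that is not part of the patent text. The HMAC-signed JSON token encoding, the shared key, all function and field names, and the idea that the requester's real identification reaches the container service instance over an authenticated channel are assumptions; the page specifies none of them.

```python
import base64
import hashlib
import hmac
import json

# Assumption: container manager and container service instances share this key.
SIGNING_KEY = b"constructed-demo-key"  # constructed sample value


def _sign(body: bytes) -> bytes:
    return hmac.new(SIGNING_KEY, body, hashlib.sha256).digest()


def issue_token(vnfi_id, vnfm_id, service_id, expires_at, bind_vnfm=True):
    """Container manager: turn a token request into a signed token.

    bind_vnfm=False reproduces the prior-art token, which carries no VNFM
    identification information.
    """
    claims = {"vnfi_id": vnfi_id, "svc_id": service_id, "exp": expires_at}
    if bind_vnfm:
        claims["vnfm_id"] = vnfm_id
    body = json.dumps(claims, sort_keys=True).encode()
    enc = base64.urlsafe_b64encode
    return (enc(body) + b"." + enc(_sign(body))).decode("ascii")


def verify_token(token, caller_vnfi_id, caller_vnfm_id, this_service_id, now,
                 require_vnfm=True):
    """Container service instance: return (accepted, reason).

    caller_vnfi_id / caller_vnfm_id are the requester's real identification,
    assumed to come from an authenticated channel rather than from the token.
    """
    try:
        body_b64, tag_b64 = token.split(".")
        body = base64.urlsafe_b64decode(body_b64)
        tag = base64.urlsafe_b64decode(tag_b64)
    except ValueError:  # wrong number of parts or invalid base64
        return False, "malformed token"
    if not hmac.compare_digest(tag, _sign(body)):
        return False, "bad signature"
    claims = json.loads(body)
    if now >= claims["exp"]:
        return False, "token expired"
    if claims["svc_id"] != this_service_id:
        return False, "token not issued for this container service instance"
    if claims["vnfi_id"] != caller_vnfi_id:
        return False, "VNFI identification mismatch"
    if require_vnfm:
        if "vnfm_id" not in claims:
            return False, "token lacks VNFM identification"
        if claims["vnfm_id"] != caller_vnfm_id:
            return False, "VNFM identification mismatch"
    return True, "ok"


def stolen_token_scenario():
    """Two VNFIs share the id 'vnfi-131' but sit under different VNFMs."""
    owner = ("vnfi-131", "vnfm-A")    # constructed identifiers
    thief = ("vnfi-131", "vnfm-B")
    now, exp = 1_000, 2_000           # constructed timestamps (seconds)
    old = issue_token(*owner, "svc-1", exp, bind_vnfm=False)
    new = issue_token(*owner, "svc-1", exp)
    return {
        "prior_art_owner": verify_token(old, *owner, "svc-1", now, require_vnfm=False),
        "prior_art_thief": verify_token(old, *thief, "svc-1", now, require_vnfm=False),
        "bound_owner": verify_token(new, *owner, "svc-1", now),
        "bound_thief": verify_token(new, *thief, "svc-1", now),
        "bound_other_instance": verify_token(new, *owner, "svc-2", now),
        "bound_expired": verify_token(new, *owner, "svc-1", exp),
    }


if __name__ == "__main__":
    for case, (accepted, reason) in stolen_token_scenario().items():
        print(f"{case:22s} accepted={accepted} ({reason})")
```

The prior-art token is accepted from both VNFIs because nothing in it distinguishes them; the VNFM-bound token is accepted only from the VNFI whose VNFM matches.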
In an embodiment of the first aspect of the present application, the VNFI sending a token request to the container manager includes: when the VNFM instantiates the VNFI, the VNFI sends the token request to the container manager;
alternatively, after the VNFM instantiates the VNFI, the VNFI sends the token request to the container manager.
A second aspect of the present application provides a container service management method, including:
a container manager receives a token request sent by a virtual network function instance (VNFI); wherein the VNFI needs to use a service provided by a container service instance managed by the container manager, and the token request includes identification information of the VNFI and identification information of a Virtual Network Function Manager (VNFM) for managing the VNFI;
the container manager generates a token according to the token request; the token comprises identification information of the VNFI and identification information of the VNFM, which the container service instance uses to verify a VNFI that requests service with the token;
the container manager sends the token to the VNFI.
In an embodiment of the second aspect of the present application, the token further includes: identification information of the container service instance; the identification information of the container service instance is used for the VNFI to request a service from the container service instance corresponding to the identification information of the container service instance.
A third aspect of the present application provides a container service management method, including: if a virtual network function instance VNFI managed by a virtual network function manager VNFM needs to use a service provided by a container service instance, the VNFM sends a token request to a container manager for managing the container service instance; wherein the token request includes identification information of the VNFI and identification information of a Virtual Network Function Manager (VNFM) for managing the VNFI;
the VNFM receives a token sent by the container manager and sends the token to the VNFI; the token comprises identification information of the VNFI and identification information of the VNFM, which the container service instance uses to verify a VNFI that requests service with the token.
In an embodiment of the third aspect of the present application, the token further includes: identification information of the container service instance;
the identification information of the container service instance is used for the VNFI to request a service from the container service instance corresponding to the identification information of the container service instance.
In an embodiment of the third aspect of the present application, the sending, by the VNFM, a token request to the container manager includes: when the VNFM instantiates the VNFI, the VNFM sends the token request to the container manager;
alternatively, after the VNFM instantiates the VNFI, the VNFM sends the token request to the container manager.
A fourth aspect of the present application provides a container service management method, including: a container manager receives a token request sent by a Virtual Network Function Manager (VNFM); wherein a virtual network function instance (VNFI) managed by the VNFM needs to use a service provided by a container service instance managed by the container manager, and the token request includes identification information of the VNFI and identification information of the VNFM for managing the VNFI;
the container manager generates a token according to the token request; the token comprises identification information of the VNFI and identification information of the VNFM, which the container service instance uses to verify a VNFI that requests service with the token;
the container manager sends the token to the VNFM to cause the VNFM to send the token to the VNFI.
In an embodiment of the fourth aspect of the present application, the token further includes: identification information of the container service instance; the identification information of the container service instance is used for the VNFI to request a service from the container service instance corresponding to the identification information of the container service instance.
A fifth aspect of the present application provides a container service management apparatus, including:
a sending module, configured to send a token request to a container manager for managing a container service instance if a virtual network function instance (VNFI) needs to use a service provided by the container service instance; wherein the token request includes identification information of the VNFI and identification information of a Virtual Network Function Manager (VNFM) for managing the VNFI;
a receiving module, configured to receive the token sent by the container manager; the token comprises identification information of the VNFI and identification information of the VNFM, which the container service instance uses to verify a VNFI that requests service with the token.
In an embodiment of the fifth aspect of the present application, the apparatus further includes: a processing module;
the sending module is further configured to send a service request to the container service instance, where the service request includes the token, so that the container service instance verifies the VNFI according to the identification information of the VNFI and the identification information of the VNFM in the token;
the processing module is used for using the service provided by the container service instance if the verification is successful.
In an embodiment of the fifth aspect of the present application, the token further includes: identification information of the container service instance;
the sending module is specifically configured to send a service request to the container service instance corresponding to the identification information of the container service instance according to the token.
In an embodiment of the fifth aspect of the present application, the sending module is specifically configured to send the token request to the container manager when the VNFM instantiates the VNFI; or, after the VNFM instantiates the VNFI, sending the token request to the container manager.
A sixth aspect of the present application provides a container service management apparatus, including:
the receiving module is used for receiving a token request sent by a VNFI; wherein the VNFI needs to use a service provided by a container service instance managed by the container manager, and the token request includes identification information of the VNFI and identification information of a Virtual Network Function Manager (VNFM) for managing the VNFI;
the processing module is used for generating a token according to the token request; the token comprises identification information of the VNFI and identification information of the VNFM, wherein the identification information of the VNFI and the identification information of the VNFM are used for verifying the VNFI which uses the token to request service by the container service instance;
a sending module, configured to send the token to the VNFI.
In an embodiment of the sixth aspect of the present application, the token further includes: identification information of the container service instance; the identification information of the container service instance is used for the VNFI to request a service from the container service instance corresponding to the identification information of the container service instance.
A seventh aspect of the present application provides a container service management apparatus, including:
a sending module, configured to send a token request to a container manager for managing a container service instance if a virtual network function instance (VNFI) managed by a Virtual Network Function Manager (VNFM) needs to use a service provided by the container service instance; wherein the token request includes identification information of the VNFI and identification information of the VNFM for managing the VNFI;
a receiving module, configured to receive the token sent by the container manager and send the token to the VNFI through the sending module; the token comprises identification information of the VNFI and identification information of the VNFM, which the container service instance uses to verify a VNFI that requests service with the token.
In an embodiment of the seventh aspect of the present application, the token further includes: identification information of the container service instance;
the identification information of the container service instance is used for the VNFI to request a service from the container service instance corresponding to the identification information of the container service instance.
In an embodiment of the seventh aspect of the present application, the sending module is specifically configured to send the token request to the container manager when the VNFM instantiates the VNFI; or, after the VNFM instantiates the VNFI, sending the token request to the container manager.
An eighth aspect of the present application provides a container management service apparatus, including:
the receiving module is used for receiving a token request sent by a VNFM; the virtual network function instance VNFI managed by the VNFM needs to use services provided by the container service instance managed by the container manager, and the token request comprises identification information of the VNFI and identification information of a virtual network function manager VNFM used for managing the VNFI;
the processing module is used for generating a token according to the token request; the token comprises identification information of the VNFI and identification information of the VNFM, wherein the identification information of the VNFI and the identification information of the VNFM are used for verifying the VNFI which uses the token to request service by the container service instance;
a sending module, configured to send the token to the VNFM, so that the VNFM sends the token to the VNFI.
In an embodiment of the eighth aspect of the present application, the token further includes: identification information of the container service instance; the identification information of the container service instance is used for the VNFI to request a service from the container service instance corresponding to the identification information of the container service instance.
A ninth aspect of the present application provides a VNFI, comprising: a processor and a communication interface;
if the VNFI needs to use the service provided by the container service instance, the processor is used for sending a token request to the communication interface; wherein the token request includes identification information of the VNFI and identification information of a Virtual Network Function Manager (VNFM) for managing the VNFI;
the communication interface is configured to send the token request to a container manager configured to manage the container service instance;
the communication interface is further used for receiving a token sent by the container manager and sending the token to the processor; the token comprises identification information of the VNFI and identification information of the VNFM, and the identification information of the VNFI and the identification information of the VNFM are used for verifying the VNFI which uses the token to request service by the container service instance.
In an embodiment of the ninth aspect of the present application, the processor is further configured to send a service request to the communication interface, where the service request includes the token, so that the container service instance verifies the VNFI according to the identification information of the VNFI and the identification information of the VNFM in the token;
the communication interface is further configured to send the service request to the container service instance;
if the verification is successful, the processor is further configured to use a service provided by the container service instance.
In an embodiment of the ninth aspect of the present application, the token further includes: identification information of the container service instance;
the communication interface is specifically configured to send the service request to the container service instance corresponding to the identification information of the container service instance.
In an embodiment of the ninth aspect of the present application, the processor is specifically configured to send the token request to the communication interface when the VNFI is instantiated by the VNFM; or the processor is specifically configured to send the token request to the communication interface after the VNFI is instantiated by the VNFM.
A tenth aspect of the present application provides a container manager comprising: a communication interface and a processor;
the communication interface is used for receiving a token request sent by a Virtual Network Function Instance (VNFI) and sending the token request to the processor; wherein the VNFI needs to use a service provided by a container service instance managed by the container manager, and the token request includes identification information of the VNFI and identification information of a Virtual Network Function Manager (VNFM) for managing the VNFI;
the processor is used for generating a token according to the token request and sending the token to the communication interface; the token comprises identification information of the VNFI and identification information of the VNFM, wherein the identification information of the VNFI and the identification information of the VNFM are used for verifying the VNFI which uses the token to request service by the container service instance;
the communication interface is further configured to send the token to the VNFI.
In an embodiment of the tenth aspect of the present application, the token further includes: identification information of the container service instance; the identification information of the container service instance is used for the VNFI to request a service from the container service instance corresponding to the identification information of the container service instance.
An eleventh aspect of the present application provides a VNFM, comprising: a communication interface and a processor;
if the VNFI managed by the VNFM needs to use the service provided by the container service instance, the processor is used for sending a token request to the communication interface; wherein the token request includes identification information of the VNFI and identification information of a Virtual Network Function Manager (VNFM) for managing the VNFI;
the communication interface is configured to send the token request to a container manager configured to manage the container service instance;
the communication interface is further configured to receive a token sent by the container manager and send the token to the VNFI; the token comprises identification information of the VNFI and identification information of the VNFM, and the identification information of the VNFI and the identification information of the VNFM are used for verifying the VNFI which uses the token to request service by the container service instance.
In an embodiment of the eleventh aspect of the present application, the token further includes: identification information of the container service instance;
the identification information of the container service instance is used for the VNFI to request a service from the container service instance corresponding to the identification information of the container service instance.
A twelfth aspect of the present application provides a container manager comprising: a communication interface and a processor;
the communication interface is used for receiving a token request sent by a VNFM and sending the token request to the processor; the virtual network function instance VNFI managed by the VNFM needs to use services provided by the container service instance managed by the container manager, and the token request comprises identification information of the VNFI and identification information of a virtual network function manager VNFM used for managing the VNFI;
the processor is used for generating a token according to the token request and sending the token to the communication interface; the token comprises identification information of the VNFI and identification information of the VNFM, wherein the identification information of the VNFI and the identification information of the VNFM are used for verifying the VNFI which uses the token to request service by the container service instance; the communication interface is further configured to send the token to the VNFM, so that the VNFM sends the token to the VNFI.
In an embodiment of the twelfth aspect of the present application, the token further includes: identification information of the container service instance; the identification information of the container service instance is used for the VNFI to request a service from the container service instance corresponding to the identification information of the container service instance.
In a thirteenth aspect, embodiments of the present application further provide a computer-readable storage medium, which includes instructions that, when executed on a computer, cause the computer to perform the method of any one of the first, second, third, or fourth aspects of the present application.
In a fourteenth aspect, an embodiment of the present application provides an NFV system, where the system includes the apparatus of the fifth aspect and the apparatus of the sixth aspect; alternatively, the system comprises the apparatus of the seventh aspect and the apparatus of the eighth aspect; alternatively, the system comprises the VNFI of the ninth aspect and the container manager of the tenth aspect; alternatively, the system comprises the VNFM of the eleventh aspect and the container manager of the twelfth aspect.
Drawings
Fig. 1 is a schematic diagram of an embodiment of an NFV system;
Fig. 2 is a schematic flowchart of an embodiment of a container service management method provided in the present application;
Fig. 3 is a schematic flowchart of an embodiment of a container service management method provided in the present application;
Fig. 4 is a schematic flowchart of an embodiment of a container service management method provided in the present application;
Fig. 5 is a schematic flowchart of an embodiment of a container service management method provided in the present application;
Fig. 6 is a schematic structural diagram of another embodiment of an NFV system;
Fig. 7 is a schematic structural diagram of a container service management apparatus provided in the present application;
Fig. 8 is a schematic structural diagram of an apparatus for performing a container management method provided in the present application.
Detailed Description
The container service management method and device provided by each embodiment of the application can be applied to a Network Function Virtualization (NFV) system. Before the present application is fully described, the NFV system applied to the embodiments of the present application and the problems of the prior art will be described with reference to fig. 1.
Fig. 1 is a schematic structural diagram of the NFV system. As shown in fig. 1, the NFV system is a technology for constructing a communication network system using general-purpose hardware and network virtualization, wherein the NFV system includes: operation support system/service support system (OSS/BSS) 11, Element Management System (EMS), Virtual Network Function Instance (VNFI), container service instance, network function virtualization infrastructure: a Virtual Machine (VM), a Network Function Virtualization Orchestrator (NFVO) 16, a Virtual Network Function Manager (VNFM) 17, a container manager 18, and a Virtualized Infrastructure Manager (VIM) 19.
The VNFM17 is used to manage the VNFI, perform various management functions such as initializing, updating, querying, and/or terminating the VNFI. The VNFI is obtained by instantiating a virtual network function (virtualized network function) VNF by the VNFM17, and one VNFM can manage at least one VNFI, for example, the VNFM17 in fig. 1 can manage the VNFI131, the VNFI132, and the VNFI 133.
The VNFI obtained when the VNFM17 instantiates the VNF can be deployed on a virtual machine (VM), where it performs, in software, the functions of the corresponding network element. For example, as in the example shown in fig. 1, VNFI131 is deployed on VM151, VNFI132 is deployed on VM152, and VNFI133 is deployed on VM153.
The OSS/BSS11 provides integrated network management and service operation functions to the carrier, including network management (e.g., fault monitoring, network information collection, etc.), billing management, and customer service management.
The NFVO16 is used for managing the lifecycle of the VNFI, orchestrating management resources to implement services of the VNFI, and monitoring the VNFI, network function virtualization infrastructure resources, and operation status information in real time according to service requests of the OSS/BSS 11.
Each VNFI corresponds to a Physical Network Function (PNF) in a conventional non-virtualized network, such as a virtualized Evolved Packet Core (EPC) node. For example, the virtualized EPC node includes: a Mobility Management Entity (MME), a Serving Gateway (SGW), a packet data network gateway (PGW), and the like.
The EMS may be used to manage one or more VNFIs and implements, for each managed VNF13, the fault management, configuration management, accounting management, performance management, and security management (FCAPS) functions of VNF13. For example, in the example shown in fig. 1, EMS121 is used to manage VNFI131, EMS122 is used to manage VNFI132, and EMS123 is used to manage VNFI133.
VIM19 may be used to control and manage a network function virtualization infrastructure corresponding to a VNFI, which may include computing hardware, storage hardware, a hardware resource layer comprised of network hardware, a virtualization layer, and a virtual resource layer comprised of virtual computing (e.g., virtual machines), virtual storage, and virtual networks. In the system example shown in fig. 1, the network function virtualization infrastructure is implemented by a Virtual Machine (VM).
The NFV system mainly includes the following related interfaces:
Ve-Vnfm: between the VNFM and the EMS, and between the VNFM and the VNFI; used for VNF lifecycle management and configuration information interaction.
Or-Vnfm: between the NFVO and the VNFM; used for requesting resources for VNF lifecycle management, sending configuration information, and collecting state information.
Vi-Vnfm: between the VNFM and the VIM; used for resource allocation requests, virtualized resource configuration, and state information interaction.
Or-Vi: between the NFVO and the VIM; used for resource reservation, allocation requests, virtualized resource configuration, and state information interaction.
Nf-Vi: between the VIM and the VM; used for specific resource allocation, virtual resource state information interaction, and hardware resource configuration.
Vn-Nf: the VM provides the actual execution environment for the VNF.
Os-Ma: VNFI lifecycle management, NS lifecycle management, policy management, and the like.
Cm-Vnfm: between the VNFM and the container manager; used for management operations such as calling and querying the container service.
Nf-K8S: between the container service instance and the container manager; used for management operations such as creating, deleting, and updating the container service.
Vi-K8S: between the container manager and the VIM; used for requesting and calling container resources and the like.
Meanwhile, the container service instance 14 can provide services such as load balancing to the VNFI in the form of virtualized containers. When the VNFI uses the services provided by the container service instance 14, it must request authorization from the container manager 18, which manages the container service instance 14, before the container service instance 14 provides the services to the VNFI. In the existing NFV system, an OAuth 2.0-based mechanism is generally adopted as the service authorization mechanism.
For example, in the NFV system shown in fig. 1, when VNFI131 needs to use a service provided by a container service instance, VNFI131 sends a token application to the container manager 18 through VNFM17 to obtain, from the container manager 18, a token to be used when using the container service. After the container manager 18 receives the service application of the VNFI, it authorizes the container service available to VNFI131, generates a token corresponding to the VNFI131 requesting the service, and returns the token through the VNFM17 to the VNFI131 that sent the service application. The token includes identification information (instance ID) of the VNFI131, the container service instance that the VNF can use, and an expiration time until which the VNF can use the container service instance; it is used to ensure that the VNFI is verified when it uses the container service instance and that the container service instance can only provide service to the VNFI corresponding to the token (i.e., the VNFI131). Subsequently, the VNFI13 sends a service request carrying the received token to the corresponding container service instance 141. When the container service instance 141 receives the service request sent by the VNFI131, it verifies the token in the service request, and after the token is verified, the container service instance 141 provides the container service to the VNFI131.
In the prior art, a provider of an NFV system sets up a plurality of VNFMs to manage respective VNFIs according to business requirements; the VNFMs set up by the vendors of different NFV systems are necessarily different, and the VNFMs set up by different vendors each manage their own VNFIs. However, even though different VNFMs manage different VNFIs, all VNFMs allocate instance IDs to the VNFIs they manage according to the same rule and sequence, so that VNFIs managed by different VNFMs may have the same instance ID. For example, the instance IDs assigned by VNFM1 in one NFV system to the VNFIs it manages are A1, B2, and C3, and the instance IDs assigned by VNFM2 in another NFV system to the VNFIs it manages are also A1, B2, and C3.
Therefore, in the above scenario, if the token issued by the container manager to VNFI11 managed by VNFM1 is stolen by VNFI21 managed by VNFM2, and the instance ID allocated by VNFM1 to VNFI11 is the same as the instance ID allocated by VNFM2 to VNFI21, then VNFI21 can directly use the token allocated by the container manager to VNFI11 to request service from the container service instance. After the token passes verification, the container service instance provides the container service to VNFI21, which is using the stolen token, so the security of the token is low.
Therefore, based on the above technical problem, the present application provides a container service management method and apparatus to improve the security performance of a token used when a VNFI requests a service provided by a container service instance in an NFV system.
The following describes a container service management method and apparatus provided in the present application with reference to the accompanying drawings.
Fig. 2 is a schematic flowchart of an embodiment of a container service management method provided in the present application, where the embodiment shown in fig. 2 is applicable to the NFV system shown in fig. 1, and an object in the NFV system executes a corresponding method, where the container service management method provided in this embodiment includes:
S101: the VNFI sends a token request to the container manager, and the token request is used for requesting the token that the VNFI uses when it requests service from the container service instance; wherein the token request includes identification information of the VNFI and identification information of a VNFM for managing the VNFI.
Specifically, when the VNFI determines that the container service provided by the container service instance needs to be used, a token request needs to be sent to a container manager for managing the container service instance, so that the container manager authorizes the VNFI to use the container service provided by the container service instance, and generates a token. Wherein the token request is to request, from a container manager, a token to be used by the VNFI to request service from the container service instance. Correspondingly, the container manager receives in S101 a token request sent by the VNFI.
Specifically, the token request in this embodiment includes: identification information of the VNFI, and identification information of a VNFM for managing the VNFI. The identification information of the VNFI may be the instance ID that the VNFM managing the VNFI allocates to the VNFI when the VNF is instantiated as the VNFI. Optionally, the instance ID assigned by the VNFM to the VNFI may be a string of characters, such as "vnf-AMF-123", or may be a string of random numbers, such as "0x4257369973". The present application does not limit the specific representation of the instance ID assigned by the VNFM to the VNFI. The identification information of the VNFM may be a VNFM ID used in the NFV system to identify the VNFM. Optionally, the VNFM ID may be a string of characters such as "VNFM-EPC-123", or may be a string of random numbers such as "0x4257369973". The present application does not limit the specific representation of the VNFM ID in the NFV system.
Optionally, in a specific implementation manner of this embodiment, the token request specifically includes: "identification information of VNFI, identification information of VNFM, requested service name (requested service name), and expiration time (expiration) of requested token".
For example, when a VNFI needs to use a load balancing service provided by a target container service instance, it must obtain authorization to use that instance from the container manager that manages it. The VNFI may therefore send a token request to the container manager, asking the container manager to authorize the VNFI to use the load balancing service provided by the target container service instance and to provide the token to the VNFI. Meanwhile, the token request sent by the VNFI to the container manager needs to carry the deadline of the requested token. Before the deadline, when the VNFI uses the token to send a service request to the target container service instance, the target container service instance can provide the load balancing service to the VNFI; after the deadline, if the VNFI continues to use the token to send the service request to the target container service instance, the target container service instance will no longer provide the load balancing service to the VNFI.
For example, the token request sent by the VNFI to the container manager in this embodiment may include: "instance ID of VNFI (vnf-AMF-123), VNFM ID of VNFM (VNFM-EPC-123), load balance service name (load balance) requested by VNFI, and deadline (2020-01-01)".
Optionally, the token request in S101 is sent to the container manager during or after the instantiation process of the VNFI. The VNFI is obtained when the VNFM instantiates the VNF. The manner and principle by which the VNFM instantiates the VNF may follow the prior art and are not limited in this embodiment.
S102: after the container manager receives a token request sent by the VNFI through S101, authorizing the VNFI to use the service provided by the container service instance according to the token request, and generating a token corresponding to the VNFI; wherein, token includes: identification information of the VNFI and identification information of the VNFM.
Specifically, the token generated by the container manager in this embodiment includes: identification information of the VNFI and identification information of the VNFM. The identification information of the VNFI may be the instance ID that the VNFM managing the VNFI allocates to the VNFI when the VNF is instantiated as the VNFI, and the identification information of the VNFM may be a VNFM ID for identifying the VNFM in the NFV system. The identification information of the VNFI and the identification information of the VNFM included in the token are used by the container service instance to verify the VNFI that uses the token to request the service.
Alternatively, the container manager may determine the identification information of the VNFI and the identification information of the VNFM specifically through the token request received in S101.
In a specific implementation manner, the token generated by the container manager in S102 is obtained as follows: the container manager generates the claim part according to the token request and then signs it. The container manager can sign using the symmetric key shared by the container manager and the container service instance, in which case the container service instance can subsequently verify the token according to the symmetric key; alternatively, the container manager may sign using its private key, in which case the container service instance can subsequently verify the token according to the public key of the container manager.
For example, in this embodiment, the claim part of the token generated by the container manager includes:
1. ID of service management: the ID of the container service instance manager, i.e., identification information of the container manager, for identifying the container manager that generated the token.
2. VNF Instance ID of the service provider and VNFM ID of the service provider: identification information of a VNFI requesting a container service and identification information of a VNFM for managing the VNFI, namely the Instance ID of the VNFI and the VNFM ID of the VNFM.
3. Service name of the products: the service name of a container service instance that can provide the container service. In the NFV system, because the container service instance requested by the VNFI is usually a resource pool scenario such as load balancing, the VNFI may request a container service from a plurality of different container service instances through a token. The token generated by the container manager usually carries only the service name that can be provided by the container service instance, and the VNFI itself determines which one or more container service instances to apply to for the service.
4. Expiration time: the cut-off time. That is, before the expiration time, when the VNFI sends a service request to the container service instance using the token, the container service instance provides the container service to the VNFI; after the expiration time, the token has expired, and when the VNFI uses the token to send the service request to the container service instance, the container service instance will not provide the container service to the VNFI.
S103: the container manager sends the token generated in S102 to the VNFI, so that the VNFI can request the container service from the container service instance according to the token received by the VNFI.
Subsequently, after the container manager authorizes the VNFI according to the token request in S102 and generates a token of the VNFI, the container manager transmits the generated token to the VNFI, so that the VNFI can request a container service from a corresponding container service instance according to the token after obtaining the token of the container manager.
Further, in order to implement the embodiment shown in fig. 2, the present application also provides an NFV system, where fig. 6 is a schematic structural diagram of another embodiment of the NFV system. In the NFV system shown in fig. 6, on the basis of the NFV system shown in fig. 1, a Ve-Cm interface is further included between the VNFI and the container manager, so that when the VNFI requests the container manager to authorize a container service instance, the VNFI may send a token application to the container manager through the Ve-Cm interface and receive the token sent by the container manager through the Ve-Cm interface.
In summary, in the container service management method provided in this embodiment, when the VNFI needs to use the service provided by the container service instance, a token request carrying the identification information of the VNFI and the identification information of the VNFM is sent to the container manager. After the container manager receives the token request sent by the VNFI, the token generated according to the token request also includes the identification information of the VNFI and the identification information of the VNFM. Finally, after the container manager sends the generated token to the VNFI, the VNFI can request a service from the container service instance according to the received token.
In particular, because the token generated in this embodiment includes the identification information of the VNFM, when the VNFI requests the container service instance for service according to the token, the container service instance verifies the identification information of the VNFI in the token and also verifies the identification information of the VNFM in the token, and only after the identification information of the VNFI and the identification information of the VNFM are both verified, the container service instance provides the service to the VNFI. Even if two different VNFIs managed by two VNFMs have the same identification information of the VNFI, because the identification information of the two VNFMs is different, and the container service instance also verifies the identification information of the VNFM when the VNFI requests the container service, when one VNFI applies for a token to the container manager, even if the token is stolen by another VNFI, the identification information of the VNFM in the token sent by the stealing VNFI is different from the identification information of the actual VNFM of the VNFI, the container service instance cannot verify the token, and the container service instance will not provide the container service to the VNFI which steals the token.
Therefore, even if the token is stolen by another VNFI across VNFMs, the VNFI that stole the token cannot use the service provided by the container service instance according to the token. That is, a token generated by the container manager for a certain VNFI cannot be used after being stolen by a VNFI managed by a different VNFM, which improves the security of the token used when the VNFI requests the service provided by the container service instance in the NFV system.
The following describes, with reference to fig. 3, the flow in which the VNFI, after obtaining the token through the embodiment shown in fig. 2, uses the token to request a service from the container service instance.
Fig. 3 is a flowchart illustrating an embodiment of a container service management method provided by the present application, where the embodiment may be applied to the VNF system shown in fig. 1, and a VNFI requests a service from a container service instance. As shown in fig. 3, the method for managing a container service according to this embodiment further includes, after S103 shown in fig. 1:
S104: the VNFI sends a service request to the container service instance; the token requested in S103 is carried in the service request.
Specifically, after the VNFI receives the token in S103, the VNFI may request a service from the container service instance corresponding to the token. And the VNFI sends a service request to the container service instance capable of providing the requested service according to the service name of the container service instance capable of providing the container service and included in the token, so as to request the container service instance to provide the service for the VNFI. The service request sent by the VNFI to the container service instance carries a token applied by the first device to the container manager in the embodiment shown in fig. 2.
S105: after the container service instance receives the service request sent by the VNFI, the token may be verified according to the public key of the container manager, and it is determined whether the token is generated by the container manager. In addition, in this embodiment, the container service instance further determines whether the identification information of the VNFI and the identification information of the VNFM included in the token in the service request are consistent with the identification information of the VNFI that sent the service request and the identification information of the VNFM that manages that VNFI.
For example, in this embodiment, the identification information of the VNFI that sends the service request to the container service instance is denoted as A, and the identification information of the VNFM that manages the VNFI is denoted as B; the identification information of the VNFI included in the token is denoted as C, and the identification information of the VNFM recorded in the token is denoted as D. Subsequently, the container service instance determines whether A is consistent with C and B is consistent with D, and only after A is consistent with C and B is consistent with D, the container service instance performs the subsequent S203, that is, the container service instance provides service to the VNFI.
It can be understood that, since the VNFI requests the container manager to authorize the service provided by the container service instance, as shown in fig. 3, the container manager generates a token containing the identification information of the VNFI and the identification information of the VNFM for the VNFI. Therefore, after the VNFI obtains the token generated and sent by the container manager, the token can be carried when requesting service from the container service instance. At this time, the container service instance can successfully verify the identification information of the VNFI and the identification information of the VNFM against the identification information of the VNFI and the identification information of the VNFM in the token. Accordingly, in S106 the container service instance provides services to the VNFI, which correspondingly uses the services provided by the container service instance.
In particular, the embodiment shown in fig. 3 shows the VNFI that requested the token from the container manager using that token to request services from the container service instance. Fig. 4 shows the process in which a VNFI that has stolen a token requests a service from a container service instance, where fig. 4 is a flowchart of an embodiment of a container service management method provided in the present application.
If the token that the VNFI shown in fig. 3 obtained from the container manager is stolen by the VNFI shown in fig. 4, the VNFI stealing the token may send a service request to the container service instance through S201 and carry the stolen token.
At this time, in S202, after receiving the service request through S201, the container service instance also verifies the token, and verifies whether the identification information of the VNFI and the identification information of the VNFM included in the token are the same as the identification information of the VNFI that sent the service request and the identification information of its VNFM.
Obviously, if the VNFI identification information of the VNFI that misappropriates the token is different from the VNFI identification information of the original VNFI, the container service instance fails to verify the token, and no service is provided for the VNFI that misappropriates the token, that is, the step S203 in the figure is not executed. If the VNFI identification information of the VNFI that misappropriates the token is the same as the VNFI identification information of the original VNFI, that identification information was allocated to the two VNFIs by two different VNFMs, so the identification information of the VNFM of the VNFI that misappropriates the token is different from the identification information of the VNFM of the original VNFI; the verification of the token by the container service instance fails, and the container service instance also does not provide services to the VNFI that misappropriates the token.
In summary, as can be seen from the embodiments shown in fig. 3 and fig. 4, after the VNFI acquires the token provided by the container manager, the VNFI may request a service from the corresponding container service instance according to the token; the corresponding container service instance needs to validate the token to determine if the VNFI can be serviced. Because the token includes the identification information of the VNFI and the identification information of the VNFM, when the token is verified by the container service instance, the identification information of the VNFI and the identification information of the VNFM need to be verified, and only after the two are verified to be consistent, the container service instance determines that the service can be provided for the VNFI. Therefore, the verification of the token is strengthened through the identification information of the VNFI and the identification information of the VNFM carried in the token, so that even if the identification information of the VNFI is the same after the token is stolen by a VNFI across VNFMs, the token fails verification at the container service instance because the identification information of the VNFM is different, and the security of the token used when the VNFI requests the service provided by the container service instance is improved.
Further, on the basis of the foregoing embodiments, the present application also provides another specific implementation manner of the claim part of the token generated by the container manager. In this implementation, the claim part of the token generated by the container manager includes:
1. ID of service management: the ID of the container service instance manager.
2. VNF Instance ID of the service provider and VNFM ID of the service provider: identification information of the VNFI and identification information of the VNFM requesting the container service.
3. Service ID of the products: identification information of a container service instance that can provide the container service. The identification information of the container service instance is set by the container manager, and may be a string of characters allocated by the container manager when managing the container service instance, such as "LB-continue-service", or may be a string of random numbers, such as "0x254830203". The specific representation of the identification information of the container service instance is not limited in this application.
4. Expiration time: the cut-off time.
Specifically, in the implementation of the claim part of the token provided in this embodiment, for the descriptions of items 1, 2, and 4 of the claim part and the specific method by which the container management server generates the token, reference may be made to the embodiment shown in fig. 2; they are not described again.
The difference is that the claim part in this embodiment includes identification information of a container service instance that can provide a container service. That is, when the container manager authorizes the VNFI to use a container service instance, it further determines the identification information of the specific container service instance that the VNFI can use, and restricts the VNFI to requesting service only from the container service instance whose identification information is included in the token.
Optionally, the token provided in this example may be applied to the embodiment shown in fig. 3, and the VNFI needs to request a service from a corresponding container service instance according to the identification information of the container service instance in the token. For the container service instance to verify whether the VNFI is provided with the service, the identification information of the container service instance included in the token needs to be verified.
For example, in S105 shown in fig. 3, after the container service instance acquires the token carried in the service request sent by the VNFI, the identifier information of the container service instance included in the token is verified, and if the container service instance determines that the token includes the identifier information of the container service instance, it is determined that the VNFI can be provided with a service; and if the container service instance judges that the token does not include the identification information of the container service instance, which indicates that the VNFI does not apply for the service from the correct container service instance, the container service instance does not provide the service to the VNFI.
Therefore, in the implementation of the claim part provided in this embodiment, when the container manager generates a token for the VNFI, it directly carries in the token the identification information of the container service instance from which the VNFI can request service using the token, and thereby limits the range of container service instances that can serve the VNFI. The VNFI therefore needs to request service from the container service instance specified by the container manager in the token, and once the token is stolen across VNFMs, other VNFIs cannot use it to request service from the container service instance in the VNF system where the original token is located. This enhances the security of the token, which cannot be used after being stolen across VNFMs.
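The issuing step S102, the checks in S105 and S202, and the instance-bound claim described above can be sketched as follows. This is an added example, not code from the patent: the claim field names, the JSON-plus-HMAC-SHA256 encoding, the demo key and the `check_vnfm` switch (which reproduces the prior-art behaviour for comparison) are assumptions, and the caller's VNFI ID and VNFM ID are assumed to be known to the container service instance from an already authenticated channel.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo key standing in for the symmetric key that the container
# manager shares with the container service instance.
SHARED_KEY = b"constructed-demo-key"


def _b64(data):
    return base64.urlsafe_b64encode(data).decode("ascii")


def issue_token(request, manager_id, service_instance_id=None, key=SHARED_KEY):
    """Container manager (S102): build the claim part from the request, sign it."""
    claims = {                                   # hypothetical field names
        "manager_id": manager_id,
        "vnfi_id": request["vnfi_id"],
        "vnfm_id": request["vnfm_id"],
        "service_name": request["service_name"],
        "expires_at": request["expires_at"],     # epoch seconds
    }
    if service_instance_id is not None:          # second claim variant
        claims["service_instance_id"] = service_instance_id
    body = json.dumps(claims, sort_keys=True).encode("utf-8")
    sig = hmac.new(key, body, hashlib.sha256).digest()
    return _b64(body) + "." + _b64(sig)


def verify_token(token, caller_vnfi_id, caller_vnfm_id, now,
                 own_instance_id=None, check_vnfm=True, key=SHARED_KEY):
    """Container service instance (S105/S202). Returns (accepted, reason)."""
    try:
        body_b64, sig_b64 = token.split(".")
        body = base64.urlsafe_b64decode(body_b64)
        sig = base64.urlsafe_b64decode(sig_b64)
    except ValueError:
        return False, "malformed token"
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return False, "bad signature"
    claims = json.loads(body)
    if now >= claims["expires_at"]:
        return False, "token expired"
    if claims["vnfi_id"] != caller_vnfi_id:      # A must equal C
        return False, "VNFI ID mismatch"
    if check_vnfm and claims["vnfm_id"] != caller_vnfm_id:  # B must equal D
        return False, "VNFM ID mismatch"
    if (own_instance_id is not None
            and claims.get("service_instance_id") != own_instance_id):
        return False, "token not issued for this container service instance"
    return True, "ok"


def demo():
    now = 1_700_000_000                          # constructed clock value
    request = {"vnfi_id": "vnf-AMF-123", "vnfm_id": "VNFM-EPC-123",
               "service_name": "load balance", "expires_at": now + 3600}
    token = issue_token(request, "container-manager-1", "lb-instance-1")
    # The second VNFI has the same instance ID but a different (constructed) VNFM.
    other = ("vnf-AMF-123", "VNFM-OTHER-456")
    return {
        "owner": verify_token(token, "vnf-AMF-123", "VNFM-EPC-123", now,
                              "lb-instance-1"),
        "stolen_vnfi_only_check": verify_token(token, *other, now,
                                               "lb-instance-1", check_vnfm=False),
        "stolen_full_check": verify_token(token, *other, now, "lb-instance-1"),
        "wrong_instance": verify_token(token, "vnf-AMF-123", "VNFM-EPC-123",
                                       now, "lb-instance-2"),
        "expired": verify_token(token, "vnf-AMF-123", "VNFM-EPC-123",
                                now + 3600, "lb-instance-1"),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(case, result)
```

With `check_vnfm=False` the colliding instance ID alone is enough for acceptance, which is the prior-art weakness; the default check rejects the same request with "VNFM ID mismatch".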
Further, in the embodiments of the present application described above and illustrated in fig. 2-4, a method is provided for the VNFI to send a token request to the container manager and directly receive the token sent by the container manager. In another implementation manner of the present application, a token request may be sent to the container manager by a VNFM that manages the VNFI instead of the VNFI, and the received token may be forwarded to the VNFI, so that the VNFI requests the container service instance for service.
Fig. 4 is a schematic flow chart of an embodiment of a container service management method provided by the present application, where the method provided by the embodiment includes:
S301: if the VNFI managed by the VNFM needs to use the service provided by the container service instance, the VNFM sends a token request to the container manager managing the container service instance, where the token request is used to request, from the container manager, the token used when the VNFI requests service from the container service instance. Correspondingly, the container manager receives in S301 the token request sent by the VNFM.
Specifically, the token request in this embodiment includes: identification information of the VNFI, and identification information of a VNFM for managing the VNFI.
Optionally, in a specific implementation manner of this embodiment, the token request specifically includes: "identification information of VNFI, identification information of VNFM, requested service name (requested service name), and expiration time (expiration) of requested token".
Optionally, during or after the VNFM instantiates the VNFI, the VNFM sends a token request to the container manager through S301. The VNF is instantiated by the VNFM to obtain the VNFI. The manner and principle by which the VNFM instantiates the VNF may follow the prior art and are not limited in this embodiment.
It should be noted that this embodiment emphasizes that the VNFM sends the token request to the container server in place of the VNFI; for the specific implementation manner of the identification information of the VNFI and the identification information of the VNFM included in the token request, reference may be made to the description in the embodiment of fig. 2, and details are not described again.
Optionally, since the VNFM allocates identification information to the VNFI when instantiating the VNFI, for example an instance ID of the VNFI, the VNFM can determine the identification information allocated to the VNFI before it sends a token request to the container manager. In S301, the VNFM combines this with its own identification information and carries the identification information of the VNFI and the identification information of the VNFM together in the token request sent to the container manager. In this embodiment, the VNFM applies for the token from the container manager in place of the VNFI and forwards the token generated by the container manager to the VNFI.
S302: after the container manager receives a token request sent by the VNFM through S301, authorizing the VNFI to use the service provided by the container service instance according to the token request, and generating a token corresponding to the VNFI; wherein, token includes: identification information of the VNFI and identification information of the VNFM.
The specific implementation manner of the identification information of the VNFI and the identification information of the VNFM included in the token in this embodiment may refer to the description in the embodiment of fig. 2, and is not described again.
Subsequently, after generating the token, the container manager sends the token to the VNFM through S303.
After the VNFM receives the token sent by the container manager, the VNFM further sends the token to the VNFI through S304. Accordingly, after the VNFI receives the token sent by the VNFM in S305, the VNFI may request service from the container service instance according to the token. For the specific process by which the VNFI requests service from the container service instance, refer to S104 to S106 in the embodiment shown in fig. 3, which is not described in detail again.
It can be understood that the container service management method provided by this embodiment may be applied to the NFV system shown in fig. 1, and after the VNFM instantiates the VNF to obtain the VNFI specifically through the Ve-VNFM interface, the VNFM sends a token request to the container manager through the Cm-VNFM interface; the VNFM also receives a token sent by the container manager through the Cm-Vnfm interface and sends the token to the VNFI through the Ve-Vnfm interface.
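The VNFM-proxied flow S301 to S305 and the container-service-instance binding described earlier, as an added example that is not code from the patent. It assumes an HMAC key shared by the container manager and its container service instances (the text does not say how the token is protected) and that the container service instance already holds an authenticated caller identity; all class, field and ID names are hypothetical.

```python
import base64
import hashlib
import hmac
import json

# Assumption: shared HMAC key; the page does not specify token protection.
DEMO_KEY = b"constructed-demo-key"


def _encode(claims, key):
    body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode())
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return body.decode() + "." + tag


def _decode(token, key):
    body, _, tag = token.partition(".")
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag.encode(), expected.encode()):
        raise ValueError("bad signature")
    return json.loads(base64.urlsafe_b64decode(body.encode()))


class ContainerManager:
    def __init__(self, key, services):
        self.key = key
        self.services = services  # service name -> container service instance ID

    def issue_token(self, request):
        """S302: authorise the VNFI and generate its token."""
        for field in ("vnfi_id", "vnfm_id", "requested_service_name", "expiration"):
            if not request.get(field):
                raise ValueError("token request missing " + field)
        instance_id = self.services.get(request["requested_service_name"])
        if instance_id is None:
            raise ValueError("unknown service")
        claims = {
            "vnfi_id": request["vnfi_id"],
            "vnfm_id": request["vnfm_id"],
            # Optional claim from the text: limits where the token is usable.
            "container_service_instance_id": instance_id,
            "expiration": request["expiration"],
        }
        return _encode(claims, self.key)  # S303: returned to the VNFM


class Vnfm:
    def __init__(self, vnfm_id, manager):
        self.vnfm_id = vnfm_id
        self.manager = manager

    def request_token_for(self, vnfi_id, service, expiration):
        """S301: request on behalf of the VNFI; the result is forwarded in S304."""
        request = {
            "vnfi_id": vnfi_id,          # allocated by the VNFM at instantiation
            "vnfm_id": self.vnfm_id,
            "requested_service_name": service,
            "expiration": expiration,
        }
        return self.manager.issue_token(request)


class ContainerServiceInstance:
    def __init__(self, instance_id, key):
        self.instance_id = instance_id
        self.key = key

    def handle(self, token, caller_vnfi_id, caller_vnfm_id, now):
        """Verify the token carried in a service request.

        caller_* is the identity this instance has already authenticated for
        the requester (assumption; for example from the transport layer).
        """
        try:
            claims = _decode(token, self.key)
        except ValueError:
            return (False, "bad signature")
        if claims["expiration"] <= now:
            return (False, "expired")
        if claims["container_service_instance_id"] != self.instance_id:
            return (False, "wrong instance")
        if (claims["vnfi_id"], claims["vnfm_id"]) != (caller_vnfi_id, caller_vnfm_id):
            return (False, "identity mismatch")
        return (True, "ok")


def demo():
    now = 1000  # constructed clock value
    manager = ContainerManager(DEMO_KEY, {"db": "csi-db-1"})
    token = Vnfm("vnfm-A", manager).request_token_for("vnfi-1", "db", now + 300)
    db = ContainerServiceInstance("csi-db-1", DEMO_KEY)
    cache = ContainerServiceInstance("csi-cache-1", DEMO_KEY)
    tampered = token[:-1] + ("0" if token[-1] != "0" else "1")
    return {
        "owner": db.handle(token, "vnfi-1", "vnfm-A", now),
        "stolen_cross_vnfm": db.handle(token, "vnfi-9", "vnfm-B", now),
        "wrong_instance": cache.handle(token, "vnfi-1", "vnfm-A", now),
        "expired": db.handle(token, "vnfi-1", "vnfm-A", now + 301),
        "tampered": db.handle(tampered, "vnfi-1", "vnfm-A", now),
    }
```

The `stolen_cross_vnfm` and `wrong_instance` results correspond to the two rejections the text describes: a token presented by a VNFI under another VNFM, and a token presented to a container service instance other than the one named in it.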
In the embodiments provided by the present application, the methods provided by the present application are introduced and described from the perspective of the VNFI, the VNFM and the container manager, respectively, and in order to implement the functions in the methods provided by the embodiments of the present application, the VNFI, the VNFM and the container manager may include a hardware structure and/or a software module, and implement the functions in the form of a hardware structure, a software module, or a hardware structure plus a software module. Whether any of the above-described functions is implemented as a hardware structure, a software module, or a hardware structure plus a software module depends upon the particular application and design constraints imposed on the technical solution.
For example, fig. 7 is a schematic structural diagram of a container service management device provided in the present application, where the device shown in fig. 7 includes: a receiving module 701, a processing module 702 and a sending module 703.
When the container service management apparatus shown in fig. 7 is a VNFI in the embodiment shown in fig. 2 to 3, the sending module 703 is configured to send a token request to a container manager for managing the container service instance if the virtual network function instance VNFI needs to use a service provided by the container service instance; the token request comprises identification information of VNFI and identification information of a Virtual Network Function Manager (VNFM) for managing the VNFI;
the receiving module 701 is configured to receive a token sent by a container manager; the token comprises identification information of the VNFI and identification information of the VNFM, and the identification information of the VNFI and the identification information of the VNFM are used for verifying the VNFI which uses the token to request service by the container service instance.
Optionally, the sending module is further configured to send a service request to the container service instance, where the service request includes a token, so that the container service instance verifies the VNFI according to the identification information of the VNFI and the identification information of the VNFM in the token; the processing module is used for using the service provided by the container service instance if the verification is successful.
Optionally, the token further includes: identification information of the container service instance; the sending module is specifically configured to send the service request to the container service instance corresponding to the identification information of the container service instance according to the token.
Optionally, the sending module 703 is specifically configured to send a token request to the container manager when the VNFM instantiates the VNFI; alternatively, after the VNFM instantiates the VNFI, a token request is sent to the container manager.
The container service management apparatus provided in this embodiment may specifically implement the container service management method in the embodiments shown in fig. 2 to 3, and the implementation manner and principle thereof are the same, and are not described again.
When the container service management apparatus shown in fig. 7 is a container manager in the embodiment shown in fig. 2 to 3, the receiving module 701 is configured to receive a token request sent by a virtual network function instance VNFI; the VNFI needs to use services provided by container service instances managed by a container manager, and the token request comprises identification information of the VNFI and identification information of a Virtual Network Function Manager (VNFM) used for managing the VNFI; the processing module 702 is configured to generate a token according to the token request; the token comprises identification information of VNFI and identification information of VNFM, and the identification information of VNFI and the identification information of VNFM are used for verifying the VNFI which uses the token to request service by the container service instance; the sending module 703 is configured to send the token to the VNFI.
Optionally, the token further includes: identification information of the container service instance; the identification information of the container service instance is used for the VNFI to request the service from the container service instance corresponding to the identification information of the container service instance.
The container service management apparatus provided in this embodiment may specifically implement the container service management method in the embodiments shown in fig. 2 to 3, and the implementation manner and principle thereof are the same, and are not described again.
When the container service management apparatus shown in fig. 7 is the VNFM in the embodiment shown in fig. 5, the sending module 703 is configured to send a token request to a container manager for managing a container service instance if the virtual network function instance VNFI managed by the virtual network function manager VNFM needs to use a service provided by the container service instance; the token request comprises identification information of VNFI and identification information of a Virtual Network Function Manager (VNFM) for managing the VNFI; the receiving module 701 is configured to receive a token sent by the container manager, and send the token to the VNFI through the sending module; the token comprises identification information of the VNFI and identification information of the VNFM, and the identification information of the VNFI and the identification information of the VNFM are used for verifying the VNFI which uses the token to request service by the container service instance.
Optionally, the token further includes: identification information of the container service instance; the identification information of the container service instance is used for the VNFI to request the service from the container service instance corresponding to the identification information of the container service instance.
Optionally, the sending module is specifically configured to send a token request to the container manager when the VNFM instantiates the VNFI; alternatively, after the VNFM instantiates the VNFI, a token request is sent to the container manager.
The container service management apparatus provided in this embodiment may specifically implement the container service management method in the embodiment shown in fig. 5, and the implementation manner and principle thereof are the same, and are not described again.
When the container service management apparatus shown in fig. 7 is a container manager in the embodiment shown in fig. 5, the receiving module 701 is configured to receive a token request sent by a virtual network function manager VNFM; the virtual network function instance VNFI managed by the VNFM needs to use services provided by the container service instance managed by the container manager, and the token request comprises identification information of the VNFI and identification information of the virtual network function manager VNFM for managing the VNFI; the processing module 702 is configured to generate a token according to the token request; the token comprises identification information of VNFI and identification information of VNFM, and the identification information of VNFI and the identification information of VNFM are used for verifying the VNFI which uses the token to request service by the container service instance; the sending module 703 is configured to send the token to the VNFM, so that the VNFM sends the token to the VNFI.
Optionally, the token further includes: identification information of the container service instance; the identification information of the container service instance is used for the VNFI to request the service from the container service instance corresponding to the identification information of the container service instance.
The container service management apparatus provided in this embodiment may specifically implement the container service management method in the embodiment shown in fig. 5, and the implementation manner and principle thereof are the same, and are not described again.
The division of the modules in the foregoing embodiments of the present application is schematic and is merely one kind of logical function division; in actual implementation there may be other division manners. In addition, the functional modules in the embodiments of the present application may be integrated in one processor, may exist alone physically, or two or more modules may be integrated into one module. The integrated module can be realized in a hardware mode, and can also be realized in a software functional module mode.
Further, fig. 8 is a schematic structural diagram of an apparatus for performing the container management method provided in the present application. The apparatus shown in fig. 8 comprises: a communication interface 1010, a processor 1020, and a memory 1030. The communication interface 1010 may be a transceiver, a circuit, a bus, or other interface for communicating with other devices via a transmission medium. The communication interface 1010, the processor 1020 and the memory 1030 are coupled; the coupling in this embodiment is an indirect coupling or communication connection between devices, units or modules, may be in an electrical, mechanical or other form, and is used to exchange information between the devices, units or modules.
The specific connection medium among the communication interface 1010, the processor 1020 and the memory 1030 is not limited in the embodiments of the present application. In the embodiment of the present application, the communication interface 1010, the memory 1030, and the processor 1020 are connected by a bus 1040 in fig. 8, the bus is represented by a thick line in fig. 8, and the connection manner between other components is merely illustrative and not limited. The bus may be divided into an address bus, a data bus, a control bus, etc. For ease of illustration, only one thick line is shown in FIG. 8, but this is not intended to represent only one bus or type of bus.
Illustratively, if the device shown in fig. 8 is a VNFI as shown in fig. 2-3, then the memory 1030 has code stored therein, and when the processor 1020 calls and executes the instruction, if the VNFI needs to use the service provided by the container service instance, the processor 1020 sends a token request to the communication interface; the token request comprises identification information of VNFI and identification information of a Virtual Network Function Manager (VNFM) for managing the VNFI; the communication interface 1010 receives the token request sent by the processor 1020 and sends the token request to a container manager for managing container service instances; the communication interface 1010 is further configured to receive a token sent by the container manager, and send the token to the processor 1020; the token comprises identification information of the VNFI and identification information of the VNFM, and the identification information of the VNFI and the identification information of the VNFM are used for verifying the VNFI which uses the token to request service by the container service instance.
Optionally, when the processor 1020 calls and executes the instruction, the processor 1020 is further configured to send a service request to the communication interface 1010, where the service request includes a token, so that the container service instance verifies the VNFI according to the identification information of the VNFI and the identification information of the VNFM in the token;
the communication interface 1010 is further configured to receive a service request sent by the processor 1020 and send the service request to the container service instance; if the verification is successful, the processor 1020 is also configured to use the services provided by the container service instance.
Optionally, the token further includes: identification information of the container service instance; the communication interface 1010 is specifically configured to send the service request to the container service instance corresponding to the identification information of the container service instance.
Optionally, the processor 1020 is specifically configured to send a token request to the communication interface when the VNFI is instantiated by the VNFM; alternatively, the processor 1020 is specifically configured to send the token request to the communication interface after the VNFI is instantiated by the VNFM.
As another example, if the apparatus shown in fig. 8 is a container manager as shown in fig. 2 to 3, the communication interface 1010 is configured to receive a token request sent by a virtual network function instance VNFI, and send the token request to the processor 1020; the VNFI needs to use services provided by container service instances managed by a container manager, and the token request comprises identification information of the VNFI and identification information of a Virtual Network Function Manager (VNFM) used for managing the VNFI; the memory 1030 has code stored therein, and when the processor 1020 invokes and executes the instruction, the processor 1020 is configured to generate a token according to the token request and send the token to the communication interface 1010; the token comprises identification information of VNFI and identification information of VNFM, and the identification information of VNFI and the identification information of VNFM are used for verifying the VNFI which uses the token to request service by the container service instance; the communication interface 1010 is further configured to send a token to the VNFI.
Optionally, the token further includes: identification information of the container service instance; the identification information of the container service instance is used for the VNFI to request the service from the container service instance corresponding to the identification information of the container service instance.
Illustratively, if the device shown in fig. 8 is a VNFM as shown in fig. 5, the memory 1030 has code stored therein, and when the processor 1020 calls and executes the instruction, if the virtual network function instance VNFI managed by the VNFM needs to use the service provided by the container service instance, the processor 1020 is configured to send a token request to the communication interface 1010; the token request comprises identification information of VNFI and identification information of a Virtual Network Function Manager (VNFM) for managing the VNFI; the communication interface 1010 is used to send token requests to a container manager for managing service instances; the communication interface 1010 is further configured to receive a token sent by the container manager and send the token to the VNFI; the token comprises identification information of the VNFI and identification information of the VNFM, and the identification information of the VNFI and the identification information of the VNFM are used for verifying the VNFI which uses the token to request service by the container service instance.
Optionally, the token further includes: identification information of the container service instance; the identification information of the container service instance is used for the VNFI to request the service from the container service instance corresponding to the identification information of the container service instance.
For example, if the device shown in fig. 8 is a container manager as shown in fig. 5, the communication interface 1010 is configured to receive a token request sent by a virtual network function manager VNFM and send the token request to the processor 1020; the virtual network function instance VNFI managed by the VNFM needs to use services provided by the container service instance managed by the container manager, and the token request comprises identification information of the VNFI and identification information of the virtual network function manager VNFM for managing the VNFI; the memory 1030 has code stored therein, and when the processor 1020 invokes and executes the instruction, the processor 1020 is configured to generate a token according to the token request and send the token to the communication interface 1010; the token comprises identification information of VNFI and identification information of VNFM, and the identification information of VNFI and the identification information of VNFM are used for verifying the VNFI which uses the token to request service by the container service instance; the communication interface 1010 is further configured to send the token to the VNFM, such that the VNFM sends the token to the VNFI.
Optionally, the token further includes: identification information of the container service instance; the identification information of the container service instance is used for the VNFI to request the service from the container service instance corresponding to the identification information of the container service instance.
In the embodiments of the present application, the processor may be a general-purpose processor, a digital signal processor, an application specific integrated circuit, a field programmable gate array or other programmable logic device, a discrete gate or transistor logic device, or a discrete hardware component, and may implement or execute the methods, steps, and logic blocks disclosed in the embodiments of the present application. A general purpose processor may be a microprocessor or any conventional processor or the like. The steps of a method disclosed in connection with the embodiments of the present application may be directly implemented by a hardware processor, or may be implemented by a combination of hardware and software modules in a processor.
In the embodiment of the present application, the memory may be a nonvolatile memory, such as a Hard Disk Drive (HDD) or a solid-state drive (SSD), and may also be a volatile memory, for example, a random-access memory (RAM). The memory may also be any other medium that can be used to carry or store desired program code in the form of instructions or data structures and that can be accessed by a computer, but is not limited thereto. The memory in the embodiments of the present application may also be circuitry or any other device capable of performing a storage function for storing program instructions and/or data.
The methods provided by the embodiments of the present application may be implemented in whole or in part by software, hardware, firmware, or any combination thereof. When implemented in software, the methods may be implemented in whole or in part in the form of a computer program product. The computer program product includes one or more computer instructions. When the computer instructions are loaded and executed on a computer, the processes or functions described in accordance with the embodiments of the invention are produced in whole or in part. The computer may be a general purpose computer, a special purpose computer, a computer network, a network appliance, a user device, or other programmable apparatus. The computer instructions may be stored on a computer readable storage medium or transmitted from one computer readable storage medium to another, for example, the computer instructions may be transmitted from one website, computer, server, or data center to another website, computer, server, or data center via wire (e.g., coaxial cable, fiber optic, Digital Subscriber Line (DSL)), or wireless (e.g., infrared, wireless, microwave, etc.). The computer-readable storage medium can be any available medium that can be accessed by a computer or a data storage device, such as a server, a data center, etc., that incorporates one or more of the available media. The usable medium may be a magnetic medium (e.g., a floppy disk, a hard disk, a magnetic tape), an optical medium (e.g., a Digital Video Disk (DVD)), or a semiconductor medium (e.g., an SSD), among others.
It will be apparent to those skilled in the art that various changes and modifications may be made in the present application without departing from the scope of the application. Thus, if such modifications and variations of the present application fall within the scope of the claims of the present application and their equivalents, the present application is intended to include such modifications and variations as well.

Claims (21)

1. A container service management method, comprising:
if a Virtual Network Function Instance (VNFI) needs to use a service provided by a container service instance, the VNFI sends a token request to a container manager for managing the container service instance; wherein the token request includes identification information of the VNFI and identification information of a Virtual Network Function Manager (VNFM) for managing the VNFI;
the VNFI receives a token sent by the container manager; the token comprises identification information of the VNFI and identification information of the VNFM, and the identification information of the VNFI and the identification information of the VNFM are used for verifying the VNFI which uses the token to request service by the container service instance.
2. The method of claim 1, wherein after the VNFI receives the token sent by the container manager, further comprising:
the VNFI sends a service request to the container service instance, wherein the service request comprises the token, so that the container service instance verifies the VNFI according to the identification information of the VNFI and the identification information of the VNFM in the token;
if the verification is successful, the VNFI uses the service provided by the container service instance.
3. The method of claim 2,
the token further comprises: identification information of the container service instance;
the VNFI sends a service request to the container service instance according to the token, including:
and the VNFI sends a service request to the container service instance corresponding to the identification information of the container service instance according to the token.
4. The method of any of claims 1-3, wherein the VNFI sends a token request to the container manager, comprising:
when the VNFM instantiates the VNFI, the VNFI sends the token request to the container manager;
or,
after the VNFM instantiates the VNFI, the VNFI sends the token request to the container manager.
5. A container service management method, comprising:
a container manager receives a token request sent by a Virtual Network Function Instance (VNFI); wherein the VNFI needs to use a service provided by a container service instance managed by the container manager, and the token request includes identification information of the VNFI and identification information of a Virtual Network Function Manager (VNFM) for managing the VNFI;
the container manager generates a token according to the token request; the token comprises identification information of the VNFI and identification information of the VNFM, wherein the identification information of the VNFI and the identification information of the VNFM are used for verifying the VNFI which uses the token to request service by the container service instance;
the container manager sends the token to the VNFI.
6. The method of claim 5,
the token further comprises: identification information of the container service instance; the identification information of the container service instance is used for the VNFI to request a service from the container service instance corresponding to the identification information of the container service instance.
7. A container service management method, comprising:
if a virtual network function instance VNFI managed by a virtual network function manager VNFM needs to use a service provided by a container service instance, the VNFM sends a token request to a container manager for managing the container service instance; wherein the token request includes identification information of the VNFI and identification information of the VNFM used for managing the VNFI;
the VNFM receiving a token sent by the container manager and sending the token to the VNFI; the token comprises identification information of the VNFI and identification information of the VNFM, and the identification information of the VNFI and the identification information of the VNFM are used for verifying the VNFI which uses the token to request service by the container service instance.
8. The method of claim 7,
the token further comprises: identification information of the container service instance;
the identification information of the container service instance is used for the VNFI to request a service from the container service instance corresponding to the identification information of the container service instance.
9. The method of claim 7 or 8, wherein the VNFM sends a token request to the container manager, comprising:
when the VNFM instantiates the VNFI, the VNFM sends the token request to the container manager;
or,
after the VNFM instantiates the VNFI, the VNFM sends the token request to the container manager.
10. A container service management method, comprising:
a container manager receives a token request sent by a Virtual Network Function Manager (VNFM); wherein the virtual network function instance VNFI managed by the VNFM needs to use services provided by the container service instance managed by the container manager, and the token request comprises identification information of the VNFI and identification information of the virtual network function manager VNFM used for managing the VNFI;
the container manager generates a token according to the token request; the token comprises identification information of the VNFI and identification information of the VNFM, wherein the identification information of the VNFI and the identification information of the VNFM are used for verifying the VNFI which uses the token to request service by the container service instance;
the container manager sends the token to the VNFM to cause the VNFM to send the token to the VNFI.
11. The method of claim 10,
the token further comprises: identification information of the container service instance; the identification information of the container service instance is used for the VNFI to request a service from the container service instance corresponding to the identification information of the container service instance.
12. A Virtual Network Function Instance (VNFI), comprising: a processor and a communication interface;
if the VNFI needs to use the service provided by the container service instance, the processor is used for sending a token request to the communication interface; wherein the token request includes identification information of the VNFI and identification information of a Virtual Network Function Manager (VNFM) for managing the VNFI;
the communication interface is configured to send the token request to a container manager configured to manage the container service instance;
the communication interface is further used for receiving a token sent by the container manager and sending the token to the processor; the token comprises identification information of the VNFI and identification information of the VNFM, and the identification information of the VNFI and the identification information of the VNFM are used by the container service instance to verify the VNFI that uses the token to request a service.
13. The VNFI of claim 12,
the processor is further configured to send a service request to the communication interface, where the service request includes the token, so that the container service instance verifies the VNFI according to the identification information of the VNFI and the identification information of the VNFM in the token;
the communication interface is further configured to send the service request to the container service instance;
if the verification is successful, the processor is further configured to use a service provided by the container service instance.
14. The VNFI of claim 13,
the token further comprises: identification information of the container service instance;
the communication interface is specifically configured to send the service request to the container service instance corresponding to the identification information of the container service instance.
15. The VNFI of any one of claims 12-14,
the processor is specifically configured to send the token request to the communication interface when the VNFM instantiates the VNFI;
or the processor is specifically configured to send the token request to the communication interface after the VNFI is instantiated by the VNFM.
16. A container manager, comprising: a communication interface and a processor;
the communication interface is used for receiving a token request sent by a Virtual Network Function Instance (VNFI) and sending the token request to the processor; wherein the VNFI needs to use a service provided by a container service instance managed by the container manager, and the token request includes identification information of the VNFI and identification information of a Virtual Network Function Manager (VNFM) for managing the VNFI;
the processor is used for generating a token according to the token request and sending the token to the communication interface; the token comprises identification information of the VNFI and identification information of the VNFM, wherein the identification information of the VNFI and the identification information of the VNFM are used by the container service instance to verify the VNFI that uses the token to request a service;
the communication interface is further configured to send the token to the VNFI.
17. The container manager according to claim 16,
the token further comprises: identification information of the container service instance; the identification information of the container service instance is used for the VNFI to request a service from the container service instance corresponding to the identification information of the container service instance.
18. A virtual network function manager, VNFM, comprising: a communication interface and a processor;
if the VNFI managed by the VNFM needs to use the service provided by the container service instance, the processor is used for sending a token request to the communication interface; wherein the token request includes identification information of the VNFI and identification information of a Virtual Network Function Manager (VNFM) for managing the VNFI;
the communication interface is configured to send the token request to a container manager used for managing the service instance;
the communication interface is further configured to receive a token sent by the container manager and send the token to the VNFI; the token comprises identification information of the VNFI and identification information of the VNFM, and the identification information of the VNFI and the identification information of the VNFM are used by the container service instance to verify the VNFI that uses the token to request a service.
19. The VNFM of claim 18,
the token further comprises: identification information of the container service instance;
the identification information of the container service instance is used for the VNFI to request a service from the container service instance corresponding to the identification information of the container service instance.
20. A container manager, comprising: a communication interface and a processor;
the communication interface is used for receiving a token request sent by a virtual network function manager (VNFM) and sending the token request to the processor; wherein a virtual network function instance (VNFI) managed by the VNFM needs to use a service provided by a container service instance managed by the container manager, and the token request comprises identification information of the VNFI and identification information of the VNFM used for managing the VNFI;
the processor is used for generating a token according to the token request and sending the token to the communication interface; the token comprises identification information of the VNFI and identification information of the VNFM, wherein the identification information of the VNFI and the identification information of the VNFM are used by the container service instance to verify the VNFI that uses the token to request a service;
the communication interface is further configured to send the token to the VNFM, so that the VNFM sends the token to the VNFI.
21. The container manager according to claim 20,
the token further comprises: identification information of the container service instance; the identification information of the container service instance is used for the VNFI to request a service from the container service instance corresponding to the identification information of the container service instance.
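The token flow recited in claims 10 to 21, as an added example that is not part of the patent: the container manager issues a token carrying the VNFI, VNFM and container service instance identifiers, and the container service instance checks them when a service request arrives. The claims do not say how the token is protected or how the caller's identity reaches the service instance; the HMAC-SHA256 tag, the shared key, the JSON layout and all function names here are assumptions.

```python
import base64
import hashlib
import hmac
import json

# Assumption: the container manager and the container service instance share
# this key. The claims do not specify any integrity mechanism for the token.
SHARED_KEY = b"constructed-demo-key"

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode()

def issue_token(vnfi_id: str, vnfm_id: str, service_instance_id: str,
                key: bytes = SHARED_KEY) -> str:
    """Container manager: build a token from the IDs in the token request."""
    claims = {"vnfi": vnfi_id, "vnfm": vnfm_id, "svc": service_instance_id}
    body = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return _b64(body) + "." + _b64(tag)

def verify_service_request(token: str, caller_vnfi_id: str, caller_vnfm_id: str,
                           own_instance_id: str, key: bytes = SHARED_KEY) -> bool:
    """Container service instance: accept only an intact token that names this
    instance, the calling VNFI and the VNFM that manages it."""
    try:
        body_b64, tag_b64 = token.split(".")
        body = base64.urlsafe_b64decode(body_b64)
        tag = base64.urlsafe_b64decode(tag_b64)
    except ValueError:  # wrong number of parts or invalid base64
        return False
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return False
    claims = json.loads(body)
    return (claims.get("svc") == own_instance_id
            and claims.get("vnfi") == caller_vnfi_id
            and claims.get("vnfm") == caller_vnfm_id)

if __name__ == "__main__":
    # Constructed identifiers, for illustration only.
    tok = issue_token("vnfi-1", "vnfm-A", "svc-7")
    print(verify_service_request(tok, "vnfi-1", "vnfm-A", "svc-7"))
    print(verify_service_request(tok, "vnfi-2", "vnfm-A", "svc-7"))
```

The caller identifiers passed to `verify_service_request` are assumed to come from a channel the service instance already trusts; if they are simply copied from the token, the comparison verifies nothing.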
CN201910429966.XA 2019-05-22 2019-05-22 Container service management method, container manager, virtual network function instance and virtual network function manager Active CN111988263B (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN201910429966.XA CN111988263B (en) 2019-05-22 2019-05-22 Container service management method, container manager, virtual network function instance and virtual network function manager
PCT/CN2020/079320 WO2020233205A1 (en) 2019-05-22 2020-03-13 Container service management method and device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201910429966.XA CN111988263B (en) 2019-05-22 2019-05-22 Container service management method, container manager, virtual network function instance and virtual network function manager

Publications (2)

Publication Number Publication Date
CN111988263A CN111988263A (en) 2020-11-24
CN111988263B true CN111988263B (en) 2021-07-16

Family

ID=73437137

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201910429966.XA Active CN111988263B (en) 2019-05-22 2019-05-22 Container service management method, container manager, virtual network function instance and virtual network function manager

Country Status (2)

Country Link
CN (1) CN111988263B (en)
WO (1) WO2020233205A1 (en)

Also Published As

Publication number Publication date
WO2020233205A1 (en) 2020-11-26
CN111988263A (en) 2020-11-24

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant