CN113778628A - Edge node control method and system - Google Patents

Edge node control method and system

Info

Publication number: CN113778628A
Application number: CN202111076214.3A
Authority: CN (China)
Prior art keywords: node, control, data, target, certificate
Legal status: Granted; currently Active
Other languages: Chinese (zh)
Other versions: CN113778628B (en)
Inventor: 应健健
Current assignee: Xinhua Zhiyun Technology Co ltd
Original assignee: Xinhua Zhiyun Technology Co ltd
Events: application filed by Xinhua Zhiyun Technology Co ltd; priority to CN202111076214.3A; publication of CN113778628A; application granted; publication of CN113778628B

Classifications

Unless noted, every entry sits under section G PHYSICS › G06 COMPUTING; CALCULATING OR COUNTING › G06F ELECTRIC DIGITAL DATA PROCESSING.

    • G06F 9/45558 Hypervisor-specific management and integration aspects (path: G06F 9/00 Arrangements for program control, e.g. control units › G06F 9/06 using stored programs, i.e. using an internal store of processing equipment to receive or retain programs › G06F 9/44 Arrangements for executing specific programs › G06F 9/455 Emulation; interpretation; software simulation, e.g. virtualisation or emulation of application or operating system execution engines › G06F 9/45533 Hypervisors; virtual machine monitors)
    • G06F 2009/4557 Distribution of virtual machine instances; migration and load balancing (under G06F 9/45558)
    • G06F 2009/45587 Isolation or security of virtual machine instances (under G06F 9/45558)
    • G06F 21/33 User authentication using certificates (path: G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity › G06F 21/30 Authentication, i.e. establishing the identity or authorisation of security principals › G06F 21/31 User authentication)
    • G06F 21/602 Providing cryptographic facilities or services (path: G06F 21/00 Security arrangements › G06F 21/60 Protecting data)
    • G06F 9/5072 Grid computing (path: G06F 9/00 › G06F 9/06 › G06F 9/46 Multiprogramming arrangements › G06F 9/50 Allocation of resources, e.g. of the central processing unit [CPU] › G06F 9/5061 Partitioning or combining of resources)
    • Y02P 90/02 Total factory control, e.g. smart factories, flexible manufacturing systems [FMS] or integrated manufacturing systems [IMS] (path: Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS › Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE › Y02P CLIMATE CHANGE MITIGATION TECHNOLOGIES IN THE PRODUCTION OR PROCESSING OF GOODS › Y02P 90/00 Enabling technologies with a potential contribution to greenhouse gas [GHG] emissions mitigation)

Abstract

The invention discloses an edge node management method and system for managing edge nodes across a plurality of edge clusters. The method comprises: acquiring management data; generating a corresponding management request from the management data; determining from the management data which edge node is to be managed (the target node) and retrieving that node's encryption certificate (the target certificate); establishing an encrypted tunnel based on the target certificate, issuing the management request to the target node through the tunnel, and receiving the management result the target node returns in response. The method suits the management of multiple edge clusters that have no public network address, covers both the IaaS layer and the server layer, and offers high security.

Description

Edge node control method and system
Technical Field
The invention relates to the field of internet technology, and in particular to Kubernetes-based management of edge nodes.
Background
Kubernetes (K8s) is an open-source platform for managing modern containerized clusters. Existing Kubernetes-based management platforms only work within a single network plane: when servers are deployed in several physical machine rooms and none of those rooms has a public network address, on-site staff have to be assigned to each machine room in order to manage all of its servers.
Here the servers correspond to edge nodes and the physical machine rooms correspond to edge clusters.
Disclosure of Invention
The invention provides an edge node management technique to address the prior-art defect that edge nodes on multiple network planes cannot be managed when no public network address is available.
The technical problem is solved by the following scheme:
An edge node management method for managing edge nodes in a plurality of edge clusters, comprising the steps of:
acquiring management data;
generating a corresponding management request from the management data;
determining, from the management data, the edge node to be managed as the target node, and retrieving the encryption certificate of the target node as the target certificate;
establishing an encrypted tunnel based on the target certificate, issuing the management request to the target node through the encrypted tunnel, and receiving the management result returned by the target node in response to the request.
Through the combination of per-node encryption certificates and encrypted tunnels, the method and system carry data between the management platform and each server with the data protected in transit, and extend management to each edge node's IaaS (infrastructure as a service) layer and server layer.
In one implementation, before the management data is acquired, the method further comprises an edge node registration step:
receiving registration information sent by each edge node, registering the node based on that information, and treating an edge node that has completed registration as a registered node;
the registration information includes cluster information about the edge cluster in which the edge node sits, as well as node information about the edge node itself.
A person skilled in the art can choose the cluster information and node information according to actual needs; for example:
the cluster information includes a cluster identifier indicating the machine-room area the edge cluster belongs to;
the node information includes the server operating-system version, the server IP address, the server version, and node hardware information (e.g., CPU and memory models).
In one implementation, the encryption certificate is obtained as follows:
requesting an encryption certificate from each registered node and receiving the certificate information each node returns;
when the certificate information contains an encryption certificate, storing it;
when the certificate information contains no encryption certificate, generating a corresponding encryption certificate, storing it, and issuing it to the registered node.
In one implementation, the management data includes down-node data;
when the management data is down-node data:
receiving heartbeat data from each registered node, detecting from the heartbeat data which edge nodes have gone down, and obtaining the corresponding down-node data;
generating a BMC management request for each down node based on the down-node data;
taking an edge node in the same edge cluster as the down node as the target node, and retrieving the encryption certificate of that target node as the target certificate;
establishing an encrypted tunnel based on the target certificate, issuing the BMC management request to the target node through the tunnel, and having the target node log in to the down node through the down node's BMC interface to troubleshoot and recover it according to the BMC management request.
In the prior art, data can only enter the Docker containers in each machine room through an RPC channel, reach each host's namespace through the container, and manage the host's services from there; in practice the Docker process itself goes down when, for example, the host is overloaded, that path becomes unavailable, and management of the edge node is lost.
The BMC management interface is provided by the server, but for data security it is only used for server management inside an intranet and is not suited to cluster-wide management on its own.
In one implementation, the management data includes file transfer data;
when the management data is file transfer data:
acquiring the file transfer data, which comprises the data to be transferred and the transfer target data;
determining the edge nodes serving as target nodes from the transfer target data, and retrieving each target node's encryption certificate as its target certificate;
generating a file transfer request containing the data to be transferred;
establishing an encrypted tunnel based on each target certificate, and sending the file transfer request to the corresponding target node through that tunnel.
The file transfer data is any data sent from the management system to the servers, such as configuration data, upgrade data and files to be delivered, and can be sent to one server or to many in a batch;
in the prior art, because the edge cluster has no public network address and cannot be logged in to directly, a file can only be copied into the corresponding container through a tunnel with a cp command and then moved from the container onto the server; that scheme cannot distribute files to edge nodes in batches, and the transfer is complex and slow;
the method instead establishes one encrypted tunnel per server using gRPC and delivers the data to be transferred directly to each server through its tunnel.
In one implementation, the management data includes management instruction data;
when the management data is management instruction data:
collecting the operator's actions and generating management instruction data from them, the instruction data comprising management task data and management target data;
generating a corresponding task request from the management task data;
determining the edge nodes serving as target nodes from the management target data, and retrieving each target node's encryption certificate as its target certificate;
establishing an encrypted tunnel based on each target certificate, sending the task request to the corresponding target node through the tunnel, and having the target node receive and process the request.
The management platform thus responds to operator actions, generates task requests from them, and distributes the requests through the encrypted tunnels, so that operators can manage every server remotely.
The invention also provides an edge node management system comprising a management platform that communicates with a plurality of edge clusters, each edge cluster comprising a plurality of edge nodes;
the management platform comprises a processing module and a forwarding module connected to each other;
the processing module acquires the management data and generates the corresponding management request from it;
the forwarding module establishes an encrypted tunnel based on a target certificate, issues the management request to the target node through the tunnel, and receives the management result the target node returns in response, where the target node is the edge node to be managed and the target certificate is the encryption certificate of that node.
In one implementation, the system further comprises a registration interface;
the registration interface is connected to the processing module and to each edge node, and receives the registration information each edge node sends; the registration information comprises cluster information about the edge node's cluster and node information about the node itself;
the processing module additionally registers nodes based on the registration information and treats an edge node that has completed registration as a registered node.
In one implementation, the system further comprises an authentication module:
the processing module additionally determines whether each registered node has an encryption certificate, generates certificate request information according to the outcome, and sends it to the authentication module;
the authentication module receives and responds to the certificate request information by generating the corresponding encryption certificate and returning it to the processing module, which stores it and issues it to the registered node.
In one implementation, the system further comprises:
a heartbeat interface that receives the heartbeat data reported by each registered node and passes it to the processing module; the processing module judges from the heartbeat data whether each registered node is down and generates the corresponding management request from that judgment.
By adopting this scheme, the invention achieves the following notable technical effects:
the method suits the management of multiple edge clusters without public network addresses, covers both the IaaS layer and the server layer, and offers high security.
Drawings
To illustrate the embodiments of the invention and the prior-art solutions more clearly, the drawings used in their description are briefly introduced below. These drawings show only some embodiments of the invention; a person skilled in the art could derive other drawings from them without creative effort.
FIG. 1 is a schematic diagram illustrating a control flow of an edge node control method according to the present invention;
FIG. 2 is a schematic diagram of the module connection of the edge node management and control system according to the present invention;
fig. 3 is a schematic diagram of module connection of the management platform 100 in fig. 2.
Detailed Description
The invention is described in further detail with reference to the following embodiments, which illustrate the invention and do not limit it.
Embodiment 1. An edge node management method manages edge nodes 200 in a plurality of edge clusters, where each edge cluster is deployed in one physical machine room. The method comprises the following steps:
S100, node registration:
receiving registration information sent by each edge node 200, registering the node based on that information, and treating an edge node 200 that has completed registration as a registered node;
the registration information includes cluster information about the edge cluster in which the edge node 200 sits and node information about the edge node 200 itself.
S200, obtaining the encryption certificate of each registered node:
requesting an encryption certificate from each registered node and receiving the certificate information each returns;
when the certificate information contains an encryption certificate, storing it;
when it contains no encryption certificate, generating and storing a corresponding encryption certificate and issuing it to the registered node.
In actual use, node configuration data is issued once the encryption certificate has been obtained;
the node configuration data includes the encryption certificate and other configuration information, which a person skilled in the art can choose according to actual needs, for example a custom port for the tunnel agent.
The node configuration data is sent directly to the edge node 200 that initiated registration, and the service deployed on that edge node 200 detects the configuration change and hot-reloads it, which simplifies management and reduces the complexity of the server side.
In this embodiment, after the encryption certificate (whether generated or received) is obtained, node configuration data is generated from the node information of the edge node 200 and issued to that edge node 200, i.e. to the server;
the configuration data differs from server to server (for example, IP addresses and ports differ), and in the prior art operations staff had to log in to the corresponding edge cluster to maintain it.
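The following is an added worked example, not code from the patent or from Xinhua Zhiyun, showing in Go (the language of Kubernetes and of the gRPC tooling the description names) what S200 and the later tunnel steps amount to when the "encryption certificate" is an X.509 leaf signed by a platform-side CA and the "encrypted tunnel" is a mutual-TLS connection. Everything beyond that reading is this example's assumption: the node identity layout edge://<cluster>/<node> in a URI SAN, the platform host name control.example, the direction of the connection (the node dials out and the platform listens, the natural choice when the node has no public address), the loopback listener used to run both ends in one process, and every type and function name. One check the patent text leaves implicit is made explicit here: a certificate a node presents is only trusted if it chains to the platform CA, and a CA-signed certificate that carries no node identity is rejected too.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"net/url"
	"time"
)

// CA is the platform-side issuer (hypothetical; the patent only says the platform "generates" certificates).
type CA struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
	Pool *x509.CertPool // trust anchor handed to both ends of the tunnel
}

// sign creates a fresh P-256 key and signs tmpl with parent; a nil parent yields a self-signed cert.
func sign(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	tmpl.SerialNumber, _ = rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	tmpl.NotBefore, tmpl.NotAfter = time.Now().Add(-time.Minute), time.Now().Add(24*time.Hour)
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // cannot fail: CreateCertificate just produced it
	return cert, key
}

func NewCA() *CA {
	cert, key := sign(&x509.Certificate{Subject: pkix.Name{CommonName: "edge-control-ca"},
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}, nil, nil)
	pool := x509.NewCertPool()
	pool.AddCert(cert)
	return &CA{cert: cert, key: key, Pool: pool}
}

// Issue signs a leaf for either tunnel end. A node leaf carries its identity in a URI SAN of the
// form edge://<cluster>/<node> (this example's convention); the platform leaf carries a DNS SAN.
func (ca *CA) Issue(uri *url.URL, dns string) tls.Certificate {
	tmpl := &x509.Certificate{KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}}
	if uri != nil {
		tmpl.URIs, tmpl.Subject = []*url.URL{uri}, pkix.Name{CommonName: uri.String()}
	}
	if dns != "" {
		tmpl.DNSNames, tmpl.Subject = []string{dns}, pkix.Name{CommonName: dns}
	}
	cert, key := sign(tmpl, ca.cert, ca.key)
	return tls.Certificate{Certificate: [][]byte{cert.Raw}, PrivateKey: key}
}

// OpenTunnel runs one mutual-TLS handshake over loopback: the platform listens, the node dials out,
// both sides verify the peer against the CA pool, and the platform returns the identity it read from
// the verified node leaf, so the tunnel is bound to a registered node rather than to a source IP.
func OpenTunnel(ca *x509.CertPool, platform, node tls.Certificate) (string, error) {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{platform},
		ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: ca, MinVersion: tls.VersionTLS13})
	if err != nil {
		return "", err
	}
	var id string
	done := make(chan error, 1)
	go func() { // platform side
		c, err := ln.Accept()
		if err != nil {
			done <- err
			return
		}
		defer c.Close()
		tc := c.(*tls.Conn)
		if err := tc.Handshake(); err != nil { // fails unless the node leaf chains to ClientCAs
			done <- err
			return
		}
		peer := tc.ConnectionState().PeerCertificates[0] // chain already verified above
		if len(peer.URIs) != 1 || peer.URIs[0].Scheme != "edge" {
			done <- errors.New("node leaf carries no edge:// identity")
			return
		}
		id = peer.URIs[0].String()
		done <- nil
	}()
	cl, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{Certificates: []tls.Certificate{node}, // node side
		RootCAs: ca, ServerName: "control.example", MinVersion: tls.VersionTLS13}) // must match the platform leaf
	if err == nil {
		cl.Close()
	}
	ln.Close() // also unblocks Accept if the connection never arrived
	if herr := <-done; err == nil {
		err = herr
	}
	return id, err
}
```

In a deployment the platform would keep the tunnel open after the handshake and multiplex gRPC over it, and the registration record for the node would be looked up by the identity OpenTunnel returns, never by the peer address.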
S300, node management, as shown in FIG. 1, comprising the following steps:
S310, acquiring management data;
the management data includes data uploaded by an operator, such as file transfer data and management instructions, and data derived from what each edge node 200 reports, such as down-node data;
S320, generating the corresponding management request from the management data;
S330, determining from the management data the edge node 200 to be managed as the target node, and retrieving its encryption certificate as the target certificate;
S340, establishing an encrypted tunnel based on the target certificate, issuing the management request to the target node through the tunnel, and receiving the management result the target node returns in response.
In the prior art, when an edge cluster has no public network address, the management platform 100 cannot initiate communication with an edge node 200;
in this embodiment an edge node 200 only needs to be able to reach the external network to report its registration information: an encrypted tunnel to that edge node 200 is then established using the node information (server IP address) recorded at registration, and management requests are delivered to the edge node 200 through that tunnel.
How the management request is generated from the management data is determined by preset management rules, which a person skilled in the art can set according to actual needs; this embodiment does not limit them.
When the management data is down-node data, the management request is a BMC management request, used to manage the down node through the server's BMC management interface;
the BMC management interface can force a restart, enter safe mode, or modify BIOS parameters on the corresponding server; this is prior art and is not described in detail here.
Specifically, the steps are:
the node configuration data includes heartbeat configuration; after each edge node 200 completes registration and receives the issued node configuration data, it reports heartbeat data periodically according to that heartbeat configuration;
in this embodiment the edge node 200 reports heartbeat data through its encrypted tunnel, which also keeps the tunnel alive;
receiving the heartbeat data of each registered node, detecting from it which edge nodes 200 are down, and obtaining the corresponding down-node data;
generating a BMC management request for each down node from the down-node data;
taking an edge node 200 in the same edge cluster as the down node as the target node, and retrieving its encryption certificate as the target certificate;
establishing an encrypted tunnel based on the target certificate, issuing the BMC management request to the target node through the tunnel, and having the target node log in to the down node through the down node's BMC interface to troubleshoot and recover it according to the BMC management request;
the target node then returns the troubleshooting and recovery outcome for the down node as the management result.
Because the registration information recorded both the node information of each edge node 200 and the cluster information of its cluster, once the heartbeat data identifies an edge node 200 as down, the edge cluster it belongs to can be looked up from the registration information;
an edge node 200 in that cluster is then selected as the target node according to a preset management rule, the target node is reached through its encrypted tunnel, and it troubleshoots and recovers the down edge node 200 through the BMC management interface so that the node can resume normal operation.
Edge nodes 200 are divided into edge management nodes and edge computing nodes, and the management rule for down-node handling in this embodiment is:
when the edge cluster contains an edge management node, that node is the target node;
when the edge cluster contains no edge management node, the edge nodes 200 back each other up, and any normally operating edge node 200 is selected as the target node.
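An added worked example (not code from the patent) of the down-node handling just described: it detects down nodes from heartbeat age and applies the stated target rule, an alive edge management node in the same cluster if there is one, otherwise any alive node in that cluster. It is written in Go; the type names, the 60-second timeout, the tie-break that picks the most recently heard-from node when there is no management node, and the sample heartbeat table are this example's assumptions. The case a practitioner should note is the third cluster: when the only node in a cluster is down there is no peer left to reach its BMC, so the plan reports it instead of emitting a request that nothing can carry out.

```go
package main

import (
	"fmt"
	"sort"
	"time"
)

// Role distinguishes the two kinds of edge node the embodiment names.
type Role int

const (
	Compute Role = iota
	Management
)

// Node is what the platform keeps per registered node: the registration record plus the last heartbeat.
type Node struct {
	ID, Cluster   string
	Role          Role
	LastHeartbeat time.Time
}

// BMCRequest is the management request sent to the target node, which then reaches the down node's
// BMC over the machine-room intranet; the BMC itself is never exposed to the platform directly.
type BMCRequest struct {
	Target, Down string
}

func alive(n Node, now time.Time, timeout time.Duration) bool {
	return now.Sub(n.LastHeartbeat) <= timeout
}

// DownNodes returns the registered nodes whose last heartbeat is older than timeout.
func DownNodes(nodes []Node, now time.Time, timeout time.Duration) []Node {
	var down []Node
	for _, n := range nodes {
		if !alive(n, now, timeout) {
			down = append(down, n)
		}
	}
	return down
}

// PickTarget applies the embodiment's rule: an alive management node in the same cluster if there is
// one, otherwise any alive node there. "Any" is made deterministic by taking the most recently
// heard-from node (this example's choice). The down node is never chosen as its own rescuer.
func PickTarget(nodes []Node, down Node, now time.Time, timeout time.Duration) (Node, error) {
	var peers []Node
	for _, n := range nodes {
		if n.Cluster == down.Cluster && n.ID != down.ID && alive(n, now, timeout) {
			peers = append(peers, n)
		}
	}
	if len(peers) == 0 {
		return Node{}, fmt.Errorf("cluster %s: no alive peer can reach the BMC of %s", down.Cluster, down.ID)
	}
	sort.SliceStable(peers, func(i, j int) bool {
		if peers[i].Role != peers[j].Role {
			return peers[i].Role == Management
		}
		return peers[i].LastHeartbeat.After(peers[j].LastHeartbeat)
	})
	return peers[0], nil
}

// PlanRecovery turns the heartbeat table into one BMC request per down node plus the list of down
// nodes that cannot be recovered this way because their cluster has no alive peer.
func PlanRecovery(nodes []Node, now time.Time, timeout time.Duration) ([]BMCRequest, []string) {
	var reqs []BMCRequest
	var unreachable []string
	for _, d := range DownNodes(nodes, now, timeout) {
		t, err := PickTarget(nodes, d, now, timeout)
		if err != nil {
			unreachable = append(unreachable, d.ID)
			continue
		}
		reqs = append(reqs, BMCRequest{Target: t.ID, Down: d.ID})
	}
	return reqs, unreachable
}

// SampleNodes is a constructed heartbeat table (not data from the patent).
func SampleNodes(now time.Time) []Node {
	return []Node{
		{"a-mgmt", "room-a", Management, now.Add(-5 * time.Second)},
		{"a-01", "room-a", Compute, now.Add(-90 * time.Second)}, // down
		{"a-02", "room-a", Compute, now.Add(-2 * time.Second)},
		{"b-01", "room-b", Compute, now.Add(-120 * time.Second)}, // down; room-b has no management node
		{"b-02", "room-b", Compute, now.Add(-20 * time.Second)},
		{"b-03", "room-b", Compute, now.Add(-3 * time.Second)},
		{"c-01", "room-c", Compute, now.Add(-200 * time.Second)}, // down and alone in its cluster
	}
}

func main() {
	now := time.Now()
	reqs, unreachable := PlanRecovery(SampleNodes(now), now, 60*time.Second)
	for _, r := range reqs {
		fmt.Printf("send BMC request to %s for down node %s\n", r.Target, r.Down)
	}
	fmt.Println("no peer can reach:", unreachable)
}
```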
When the management data is file transfer data, the management request is a file transfer request that delivers data to one or more edge nodes 200;
the file transfer data comprises the data to be transferred and the transfer target data, where the data to be transferred includes upgrade data, configuration data and files to be delivered, and the transfer target data designates the target nodes;
the steps are:
acquiring the file transfer data, comprising the data to be transferred and the transfer target data;
determining the edge nodes 200 serving as target nodes from the transfer target data, and retrieving each target node's encryption certificate as its target certificate;
generating a file transfer request containing the data to be transferred;
establishing an encrypted tunnel based on each target certificate, sending the file transfer request to the corresponding target node through that tunnel, and having the target node return the file receipt outcome as the management result.
When the data to be transferred is upgrade data (such as the YAML file of a pod), the upgrade data is sent to each target node through the tunnel created from its target certificate and replaces the original file there; each target node triggers an update automatically when it detects that the file has changed, which achieves batch upgrading of server versions.
Note: after the update completes, the target node regenerates and reports its registration information so that the node information of the registered node is refreshed and stays valid; the newly generated registration information can serve as the corresponding management result.
When the management data is management instruction data, the management request is a task request used to manage one or more edge nodes 200 according to the operator's actions;
the management instruction data comprises management task data and management target data, where the management target data designates the target nodes;
the steps are:
collecting the operator's actions and generating management instruction data from them, comprising management task data and management target data;
generating a corresponding task request from the management task data;
determining the edge nodes 200 serving as target nodes from the management target data, and retrieving each target node's encryption certificate as its target certificate;
establishing an encrypted tunnel based on each target certificate, sending the task request to the corresponding target node through that tunnel, and having the target node receive and process the request and return the processing outcome as the management result.
Task requests include query requests (querying the health of a single edge node 200), inspection requests (querying the health of several edge nodes 200 in a batch), and so on, which a person skilled in the art can configure according to actual needs; this embodiment takes the inspection request as the example:
the operator selects several edge nodes 200 and sets several inspection items; the selected edge nodes 200 become the target nodes, and an inspection task request is generated from the inspection content the operator set;
in this embodiment the inspection items may include CPU utilization, memory utilization and container health.
The encryption certificate of each target node is retrieved, an encrypted tunnel is built from it, and the inspection task request is issued to each target node through its tunnel;
each target node then collects the CPU utilization, memory utilization and container health of its server according to the inspection task request it received, generates the inspection result for that node, and returns it;
In actual use, after the inspection results reported by each edge node 200 are received, the data are further integrated and reported, specifically:
integrating all the inspection results into a first inspection report, and feeding the first inspection report back to the management and control person who initiated the inspection;
the first inspection report displays the inspection results of all the edge nodes 200 to be inspected;
the cluster information also comprises cluster management and control personnel information; the inspection results are integrated based on the cluster information to generate a second inspection report for each edge cluster, and each second inspection report is fed back according to the cluster management and control personnel information;
the second inspection report displays the inspection results of a single edge cluster. In this embodiment, the second inspection report is sent, based on the cluster management and control personnel information, to the worker who manages and controls that edge cluster, so that the worker maintains the corresponding edge nodes 200 according to the inspection results.
If management and control person A initiates an inspection of edge cluster a, edge cluster b and edge cluster c, the inspection results of every edge node 200 in edge clusters a, b and c are integrated into a first inspection report and fed back to person A; at the same time, the inspection results of the edge nodes 200 in each of edge clusters a, b and c are integrated into a corresponding second inspection report and fed back to the cluster management and control person responsible for that cluster, e.g. the second inspection report for edge cluster c is fed back to cluster management and control person C. The feedback modes include mail, short message (SMS), feedback through the client 300, and other modes.
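As an added example (not code from the patent), the following Go program implements the integration step described above: the inspection results fed back by the target nodes are integrated into a first inspection report for the initiating management and control person and into one second inspection report per edge cluster, routed by the cluster management and control personnel information carried in the cluster information. The result fields, the ClusterInfo and Report types, the person and node names and the report text format are assumptions for this example; the sample results embedded in main are constructed.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// InspectionResult is what one target node feeds back for an inspection task
// request. The field names are assumptions; the patent names only the three
// inspection items (CPU utilization, memory utilization, container health).
type InspectionResult struct {
	Cluster          string
	Node             string
	CPUUtilization   float64 // percent
	MemUtilization   float64 // percent
	ContainerHealthy bool
}

// ClusterInfo is the cluster information carried in node registration; Manager
// is the cluster management and control person the second report goes to.
type ClusterInfo struct {
	Name    string
	Manager string
}

// Report is one inspection report: its recipient and the results it displays.
type Report struct {
	Recipient string
	Results   []InspectionResult
}

// BuildReports integrates inspection results into the first report (every
// result, fed back to the initiator) and one second report per edge cluster
// (that cluster's results, fed back to its manager). Results from a cluster
// with no registered ClusterInfo stay in the first report but get no second
// report, since nobody is registered to receive it.
func BuildReports(initiator string, results []InspectionResult, clusters map[string]ClusterInfo) (Report, map[string]Report) {
	first := Report{Recipient: initiator, Results: append([]InspectionResult(nil), results...)}
	second := map[string]Report{}
	for _, res := range results {
		info, ok := clusters[res.Cluster]
		if !ok {
			continue
		}
		rep := second[res.Cluster]
		rep.Recipient = info.Manager
		rep.Results = append(rep.Results, res)
		second[res.Cluster] = rep
	}
	return first, second
}

// Render formats a report as text, one line per node sorted by cluster then
// node, flagging nodes whose container is unhealthy.
func Render(title string, rep Report) string {
	rows := append([]InspectionResult(nil), rep.Results...)
	sort.Slice(rows, func(i, j int) bool {
		if rows[i].Cluster != rows[j].Cluster {
			return rows[i].Cluster < rows[j].Cluster
		}
		return rows[i].Node < rows[j].Node
	})
	var b strings.Builder
	fmt.Fprintf(&b, "%s (to %s)\n", title, rep.Recipient)
	for _, r := range rows {
		health := "ok"
		if !r.ContainerHealthy {
			health = "UNHEALTHY"
		}
		fmt.Fprintf(&b, "  %s/%s cpu=%.0f%% mem=%.0f%% container=%s\n",
			r.Cluster, r.Node, r.CPUUtilization, r.MemUtilization, health)
	}
	return b.String()
}

func main() {
	// Constructed sample: person A inspects clusters a, b and c.
	clusters := map[string]ClusterInfo{
		"a": {Name: "a", Manager: "manager-A"},
		"b": {Name: "b", Manager: "manager-B"},
		"c": {Name: "c", Manager: "manager-C"},
	}
	results := []InspectionResult{
		{Cluster: "a", Node: "a-1", CPUUtilization: 12, MemUtilization: 40, ContainerHealthy: true},
		{Cluster: "b", Node: "b-1", CPUUtilization: 97, MemUtilization: 88, ContainerHealthy: false},
		{Cluster: "c", Node: "c-1", CPUUtilization: 35, MemUtilization: 51, ContainerHealthy: true},
	}
	first, second := BuildReports("person-A", results, clusters)
	fmt.Print(Render("first inspection report", first))
	for _, name := range []string{"a", "b", "c"} {
		fmt.Print(Render("second inspection report, edge cluster "+name, second[name]))
	}
}
```

Routing the second report by the registered cluster information, rather than by anything in the result itself, is what keeps a node from steering its own report to a recipient of its choosing; a result whose cluster has no registration is therefore shown to the initiator but not forwarded.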
In summary, the edge node management and control method disclosed in this embodiment can remotely manage and control a plurality of edge clusters that have no public network addresses, without stationing management and control personnel at the physical machine room of each edge cluster, which greatly reduces maintenance and management costs.
Embodiment 2: an edge node management and control system, as shown in FIG. 2, includes a management and control platform 100, which communicates with a plurality of edge clusters, each edge cluster including a plurality of edge nodes 200;
the management and control platform 100 comprises a processing module 110 and a forwarding module 120 which are connected through signals;
the processing module 110 is configured to obtain management and control data, and further configured to generate a corresponding management and control request based on the management and control data;
the forwarding module 120 is configured to establish an encrypted tunnel based on a target certificate, issue the control request to a target node through the encrypted tunnel, and receive a control result fed back by the target node in response to the control request, where the target node is an edge node 200 to be controlled, and the target certificate is an encrypted certificate corresponding to the target node.
Further, the system also comprises a registration interface:
the registration interface is in signal connection with the processing module 110, and is also in signal connection with each edge node 200, where the registration interface is configured to receive registration information sent by each edge node 200, where the registration information includes cluster information of an edge cluster where the edge node 200 is located, and also includes node information corresponding to the edge node 200;
the processing module 110 is further configured to perform node registration based on the registration information, and use the edge node 200 that has completed registration as a registration node.
Further, an authentication module 130 is included, which is connected to the processing module 110 by signals:
the processing module 110 is further configured to determine whether each registered node has an encrypted certificate, and generate corresponding certificate request information according to a certificate determination result, and send the certificate request information to the authentication module 130;
the authentication module 130 is configured to receive and respond to the certificate request information, generate a corresponding encrypted certificate, send the encrypted certificate to the processing module 110, and store and issue the encrypted certificate to the corresponding registration node by the processing module 110.
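The certificate acquisition step above (and claim 3 below) says only that a node's reply to the certificate request is stored when it contains a certificate, and that a new certificate is generated, stored and issued otherwise. The following Go program is an added example, not code from the patent, showing how the authentication module and processing module can implement that step with the Go standard library: the authentication module is a self-signed CA, each node's encryption certificate carries its node name in the SAN, and a presented certificate is stored only after it has been verified against that CA for that node. The type and function names (CA, NewCA, IssueNodeCert, Verify, EnsureCert), the node names and the certificate lifetimes are assumptions for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// CA is the authentication module's root certificate, signing key and trust pool (the key is in memory here; a deployment keeps it in an HSM or similar).
type CA struct {
	Cert  *x509.Certificate
	Key   *ecdsa.PrivateKey
	Roots *x509.CertPool
}

// newCert generates a P-256 key, gives tmpl a random 127-bit serial and signs it
// under parent with signer; a nil signer means self-signed with the new key.
func newCert(tmpl, parent *x509.Certificate, signer *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if signer == nil {
		signer = key
	}
	if tmpl.SerialNumber, err = rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 127)); err != nil {
		return nil, nil, err
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// NewCA creates the self-signed root of the authentication module.
func NewCA(now time.Time) (*CA, error) {
	tmpl := &x509.Certificate{
		Subject: pkix.Name{CommonName: "edge-control-ca"}, NotBefore: now, NotAfter: now.AddDate(5, 0, 0),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	cert, key, err := newCert(tmpl, tmpl, nil)
	if err != nil {
		return nil, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(cert)
	return &CA{Cert: cert, Key: key, Roots: roots}, nil
}

// IssueNodeCert generates one registered node's encryption certificate. The node
// name goes into the DNS SAN so a certificate presented for node X can later be
// checked to have been issued to X. The key is returned only for delivery to the node.
func (ca *CA) IssueNodeCert(node string, now time.Time) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	tmpl := &x509.Certificate{
		Subject: pkix.Name{CommonName: node}, DNSNames: []string{node},
		NotBefore: now, NotAfter: now.AddDate(1, 0, 0), KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	return newCert(tmpl, ca.Cert, ca.Key)
}

// Verify checks that cert chains to this CA, is valid at now and names node. Without it
// a node could answer the certificate request with a self-signed certificate or another node's.
func (ca *CA) Verify(cert *x509.Certificate, node string, now time.Time) error {
	_, err := cert.Verify(x509.VerifyOptions{Roots: ca.Roots, DNSName: node, CurrentTime: now,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err
}

// EnsureCert is the certificate acquisition step: store is the processing module's
// certificate store keyed by node, presented is the node's reply (nil if none). An acceptable
// presented certificate is stored; otherwise a new one is generated, stored and returned with its key.
func (ca *CA) EnsureCert(store map[string]*x509.Certificate, node string, presented *x509.Certificate, now time.Time) (*x509.Certificate, *ecdsa.PrivateKey, bool, error) {
	if presented != nil && ca.Verify(presented, node, now) == nil {
		store[node] = presented
		return presented, nil, false, nil
	}
	cert, key, err := ca.IssueNodeCert(node, now)
	if err == nil {
		store[node] = cert
	}
	return cert, key, true, err
}

func main() {
	now := time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC)
	ca, _ := NewCA(now)
	store := map[string]*x509.Certificate{}
	cert, _, issued, _ := ca.EnsureCert(store, "edge-a-1", nil, now)
	_, _, reissued, _ := ca.EnsureCert(store, "edge-a-2", cert, now)
	fmt.Println("new certificate for edge-a-1:", issued, "; edge-a-1's certificate rejected for edge-a-2:", reissued)
}
```

The Verify call is the part the patent text leaves implicit: without it, the "store the certificate the node presents" branch would accept a self-signed certificate or one issued to a different node, and the encrypted tunnel later built on that certificate would authenticate the wrong party. In a deployment the node would generate its own key and submit a CSR rather than receive a key from the platform, and the CA key would live in an HSM or KMS.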
Further, a heartbeat interface is also included:
the heartbeat interface is configured to receive the heartbeat data reported by each registered node and send it to the processing module 110; the processing module 110 determines from the heartbeat data whether each registered node is down, and generates the corresponding management and control request based on the result of that determination.
Further, a plurality of clients 300 are also included;
the client 300 is configured to collect operation information of a management and control worker, generate corresponding management and control instruction data or file transmission data based on the operation information, and send the management and control instruction data or the file transmission data to the management and control platform 100;
Further, the forwarding module 120 includes an iptables module and a gRPC interface module, both in signal connection with the processing module 110;
the iptables module is configured to generate the corresponding task forwarding rule from the node information of the edge node 200 (the IP address of its server) and the proxy port to be exposed;
the gRPC interface module is used to establish the encrypted tunnel and to provide proxy channels; a proxy channel indicates the transport protocol used when data are transmitted through the encrypted tunnel, and in this embodiment the proxy channels include a web service channel, a server SSH channel and a BMC management channel of the IaaS layer;
gRPC is a remote procedure call technology based on HTTP/2; it uses long-lived connections and supports multiplexing, which reduces the number of TCP connections. Establishing the encrypted tunnel over gRPC allows edge nodes to be managed and controlled even when the edge side has no public network address. gRPC can also enable gzip compression of the data stream, which greatly reduces bandwidth consumption and the load on the server side.
In actual use, the management and control request is forwarded to the corresponding encrypted tunnel according to the task forwarding rule generated by the iptables module and a preset routing rule, which meets the need of the management and control personnel to remotely manage and control the edge nodes 200. The task forwarding rule forwards the management and control data submitted by the management and control personnel through the client 300, and the routing rule matches the routing path (a TCP channel or an HTTP channel) corresponding to the client 300.
Based on the BMC management channel, when an edge node 200 is down, the processing module 110 can log in through the encrypted tunnel to an edge node 200 located in the same edge cluster as the down node, and from that node log in to the down node through its BMC management interface, so as to troubleshoot and recover the down node.
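The heartbeat interface above, the BMC management channel in this paragraph and claim 4 below together describe one procedure: detect a node whose heartbeats have stopped, pick a live node in the same edge cluster as the target node, and send that node a BMC management request for the down node. The following Go program is an added example of that procedure and is not the patent's code; Registry, Observe, DownNodes, PlanBMCRecovery, the 30-second timeout and the node names are assumptions. It records the platform's own receive time for each heartbeat rather than a timestamp chosen by the node, rejects heartbeats from unregistered nodes or with a cluster that does not match the registration, and reports separately any down node whose cluster has no live sibling, since then no target node can carry the BMC login.

```go
package main

import (
	"fmt"
	"sort"
	"time"
)

// BMCRequest is the management request generated for a down node: it is issued over the
// encrypted tunnel to TargetNode, a live node of the same cluster, which logs in to DownNode's BMC.
type BMCRequest struct {
	Cluster    string
	DownNode   string
	TargetNode string
}

// Registry is the processing module's view of registered nodes: the cluster each belongs
// to and the last heartbeat seen (the registration time until the first heartbeat arrives).
type Registry struct {
	Timeout  time.Duration
	cluster  map[string]string
	lastSeen map[string]time.Time
}

func NewRegistry(timeout time.Duration) *Registry {
	return &Registry{Timeout: timeout, cluster: map[string]string{}, lastSeen: map[string]time.Time{}}
}

// Register records a node registration (cluster information plus node information).
func (r *Registry) Register(cluster, node string, now time.Time) {
	r.cluster[node] = cluster
	r.lastSeen[node] = now
}

// Observe records a heartbeat received from node at now (the platform's own receive
// time, so a node cannot back- or post-date its liveness). Heartbeats from unregistered
// nodes, or that claim a cluster other than the registered one, are rejected.
func (r *Registry) Observe(cluster, node string, now time.Time) error {
	if c, ok := r.cluster[node]; !ok || c != cluster {
		return fmt.Errorf("rejecting heartbeat from %q claiming cluster %q", node, cluster)
	}
	r.lastSeen[node] = now
	return nil
}

func (r *Registry) isDown(node string, now time.Time) bool {
	return now.Sub(r.lastSeen[node]) > r.Timeout
}

// DownNodes returns, sorted, the registered nodes whose last heartbeat is older than Timeout at now.
func (r *Registry) DownNodes(now time.Time) []string {
	var down []string
	for node := range r.cluster {
		if r.isDown(node, now) {
			down = append(down, node)
		}
	}
	sort.Strings(down)
	return down
}

// PlanBMCRecovery builds one BMCRequest per down node, choosing the lexically first live
// node of the same cluster as the target. Down nodes whose cluster has no live node are
// returned separately: nothing there can carry the BMC login, so they need another path.
func (r *Registry) PlanBMCRecovery(now time.Time) (reqs []BMCRequest, unreachable []string) {
	for _, down := range r.DownNodes(now) {
		var live []string
		for node, c := range r.cluster {
			if c == r.cluster[down] && node != down && !r.isDown(node, now) {
				live = append(live, node)
			}
		}
		if len(live) == 0 {
			unreachable = append(unreachable, down)
			continue
		}
		sort.Strings(live)
		reqs = append(reqs, BMCRequest{Cluster: r.cluster[down], DownNode: down, TargetNode: live[0]})
	}
	return reqs, unreachable
}

func main() {
	t0 := time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC)
	r := NewRegistry(30 * time.Second)
	r.Register("a", "a-1", t0)
	r.Register("a", "a-2", t0)
	r.Register("a", "a-3", t0)
	r.Register("b", "b-1", t0)
	// Constructed sample: only a-2 and a-3 keep heartbeating; the check runs 60s after registration.
	_ = r.Observe("a", "a-2", t0.Add(50*time.Second))
	_ = r.Observe("a", "a-3", t0.Add(50*time.Second))
	reqs, unreachable := r.PlanBMCRecovery(t0.Add(60 * time.Second))
	fmt.Printf("bmc requests: %+v\nunreachable: %v\n", reqs, unreachable)
}
```

The target node chosen here becomes a pivot into the out-of-band management network, so in practice the BMC management request should name exactly which down node it concerns and be carried only over the tunnel authenticated by that target node's own certificate; a compromised edge node presenting heartbeats for its neighbours is the failure mode the cluster check in Observe is meant to block.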
Based on the SSH channel, the processing module 110 can issue the data to be transmitted to the corresponding edge node 200 through the encrypted tunnel with the scp command.
The embodiment also provides a custom port to meet proxy requirements in actual use. Since the system embodiment is basically similar to the method embodiment, its description is brief; for the relevant points, refer to the corresponding description of the method embodiment.
The embodiments in the present specification are described in a progressive manner, each embodiment focuses on differences from other embodiments, and the same and similar parts among the embodiments are referred to each other.
As will be appreciated by one skilled in the art, embodiments of the present invention may be provided as a method, apparatus, or computer program product. Accordingly, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present invention may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present invention has been described with reference to flowchart illustrations and/or block diagrams of methods, terminal devices (systems), and computer program products according to the invention. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing terminal to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing terminal, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing terminal to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing terminal to cause a series of operational steps to be performed on the computer or other programmable terminal to produce a computer implemented process such that the instructions which execute on the computer or other programmable terminal provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
It should be noted that:
reference in the specification to "one embodiment" or "an embodiment" means that a particular feature, structure, or characteristic described in connection with the embodiment is included in at least one embodiment of the invention. Thus, the appearances of the phrase "one embodiment" or "an embodiment" in various places throughout this specification are not necessarily all referring to the same embodiment.
While preferred embodiments of the present invention have been described, additional variations and modifications in those embodiments may occur to those skilled in the art once they learn of the basic inventive concepts. Therefore, it is intended that the appended claims be interpreted as including preferred embodiments and all such alterations and modifications as fall within the scope of the invention.
In addition, it should be noted that the specific embodiments described in the present specification may differ in the shape of the components, the names of the components, and the like. All equivalent or simple changes of the structure, the characteristics and the principle of the invention which are described in the patent conception of the invention are included in the protection scope of the patent of the invention. Various modifications, additions and substitutions for the specific embodiments described may be made by those skilled in the art without departing from the scope of the invention as defined in the accompanying claims.

Claims (10)

1. An edge node management and control method for managing and controlling edge nodes in a plurality of edge clusters, comprising the following steps:
acquiring control data;
generating a corresponding management and control request based on the management and control data;
determining an edge node to be controlled based on the control data, obtaining a target node, extracting an encryption certificate of the target node, and obtaining a target certificate;
and establishing an encrypted tunnel based on the target certificate, issuing the control request to the target node through the encrypted tunnel, and receiving a control result fed back by the target node in response to the control request.
2. The edge node management and control method according to claim 1, further comprising an edge node registration step before the management and control data is acquired, specifically:
receiving registration information sent by each edge node, performing node registration based on the registration information, and taking the edge node which completes the registration as a registration node;
the registration information includes cluster information of an edge cluster where the edge node is located, and also includes node information corresponding to the edge node.
3. The edge node management and control method according to claim 2, wherein the method for acquiring the encryption certificate includes the steps of:
requesting an encryption certificate from each registration node, and receiving certificate information fed back by each registration node;
when the certificate information contains an encryption certificate, storing the encryption certificate;
and when the certificate information does not contain the encryption certificate, generating a corresponding encryption certificate, storing the encryption certificate, and issuing the encryption certificate to the corresponding registration node.
4. The edge node management and control method according to claim 2 or 3, wherein the management and control data includes down node data;
when the management and control data is down node data:
receiving heartbeat data of each registered node, detecting down edge nodes according to the heartbeat data, and obtaining the corresponding down node data;
generating a BMC management request corresponding to the down node based on the down node data;
taking an edge node located in the same edge cluster as the down node as the target node, extracting the encryption certificate of the target node, and obtaining the corresponding target certificate;
and establishing an encrypted tunnel based on the target certificate, issuing the BMC management request to the target node through the encrypted tunnel, and the target node logging in to the down node through the BMC interface of the down node, according to the BMC management request, for troubleshooting and recovery.
5. The edge node management and control method according to any one of claims 1 to 3, wherein the management and control data includes file transfer data;
when the control data is file transmission data:
acquiring file transmission data, wherein the file transmission data comprises data to be transmitted and transmission target data;
determining edge nodes serving as target nodes based on the transmission target data, and extracting encryption certificates of all the target nodes to obtain corresponding target certificates;
generating a file transmission request containing the data to be transmitted;
and establishing an encryption tunnel based on each target certificate, and transmitting the file transmission request to the corresponding target node through the encryption tunnel.
6. The edge node management and control method according to any one of claims 1 to 3, wherein the management and control data includes management and control instruction data;
when the control data is control instruction data:
collecting operation information of a control worker, and generating corresponding control instruction data based on the operation information, wherein the control instruction data comprises control task data and control target data;
generating a corresponding task request based on the control task data;
determining edge nodes serving as target nodes based on the control target data, extracting the encryption certificate of each target node, and obtaining corresponding target certificates;
and establishing an encryption tunnel based on each target certificate, transmitting a task request to a corresponding target node through the encryption tunnel, and receiving and processing the task request by the target node.
7. An edge node management and control system, characterized by comprising a management and control platform, wherein the management and control platform communicates with a plurality of edge clusters, and each edge cluster comprises a plurality of edge nodes;
the management and control platform comprises a processing module and a forwarding module connected by signals;
the processing module is used for acquiring management and control data and generating a corresponding management and control request based on the management and control data;
the forwarding module is configured to establish an encrypted tunnel based on a target certificate, issue the control request to a target node through the encrypted tunnel, and receive a control result fed back by the target node in response to the control request, where the target node is an edge node to be controlled, and the target certificate is an encrypted certificate corresponding to the target node.
8. The edge node management and control system according to claim 7, further comprising a registration interface;
the registration interface is in signal connection with the processing module and is also in signal connection with each edge node respectively, the registration interface is used for receiving registration information sent by each edge node, and the registration information comprises cluster information of an edge cluster where the edge node is located and node information corresponding to the edge node;
and the processing module is also used for carrying out node registration based on the registration information and taking the edge node which completes the registration as a registration node.
9. The edge node management and control system according to claim 8, further comprising an authentication module:
the processing module is also used for judging whether each registration node has an encrypted certificate or not, generating corresponding certificate request information according to a certificate judgment result and sending the certificate request information to the authentication module;
and the authentication module is used for receiving and responding to the certificate request information, generating a corresponding encrypted certificate, sending the encrypted certificate to the processing module, and storing and issuing the encrypted certificate to the corresponding registration node by the processing module.
10. The edge node management and control system according to claim 8, further comprising a heartbeat interface:
the heartbeat interface is used for receiving heartbeat data reported by each registered node, sending the heartbeat data to the processing module, judging whether each registered node is down or not by the processing module based on the heartbeat data, and generating a corresponding control request by the processing module based on a down judgment result.
Application CN202111076214.3A (priority date 2021-09-14, filing date 2021-09-14): Edge node control method and system. Status: Active. Granted as CN113778628B (en).

Publications (2)

Publication Number Publication Date
CN113778628A (en) 2021-12-10 (this publication)
CN113778628B (en) 2023-09-05

Family

ID=78843794

Citations (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20050177749A1 (en) * 2004-02-09 2005-08-11 Shlomo Ovadia Method and architecture for security key generation and distribution within optical switched networks
US20080046987A1 (en) * 2006-08-10 2008-02-21 Intertrust Technologies Corporation Trust Management Systems and Methods
US20180262350A1 (en) * 2016-08-19 2018-09-13 Tencent Technology (Shenzhen) Company Limited Network node encryption method and apparatus
CN110191007A (en) * 2019-06-27 2019-08-30 广州虎牙科技有限公司 Node administration method, system and computer readable storage medium
CN110912892A (en) * 2019-11-22 2020-03-24 腾讯科技(深圳)有限公司 Certificate management method and device, electronic equipment and storage medium
CN111740842A (en) * 2020-06-10 2020-10-02 李彩云 Communication information processing method based on cloud side cooperation and cloud communication server
CN112035215A (en) * 2020-08-31 2020-12-04 腾讯科技(深圳)有限公司 Node autonomous method, system and device of node cluster and electronic equipment
CN112165532A (en) * 2020-10-14 2021-01-01 腾讯科技(深圳)有限公司 Node access method, device, equipment and computer readable storage medium
WO2021004054A1 (en) * 2019-07-05 2021-01-14 创新先进技术有限公司 Certificate application method and apparatus, terminal device, gateway device and server
CN112328372A (en) * 2020-11-27 2021-02-05 新华智云科技有限公司 Kubernetes node self-healing method and system
CN112346821A (en) * 2020-12-01 2021-02-09 新华智云科技有限公司 Application configuration management method and system based on kubernetes
CN113225214A (en) * 2021-05-07 2021-08-06 浪潮软件科技有限公司 Method and device for cooperative management of edge CDN node and computer readable medium

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
ROY D'SOUZA, DAVID JAO: "Publicly Verifiable Secret Sharing for Cloud-Based Key Management", PROGRESS IN CRYPTOLOGY - INDOCRYPT 2011, pages 290 - 309 *
戚建淮 (Qi Jianhuai), 宋晶 (Song Jing): "Application of Mandatory Access Control Technology in Secure Database Access", 通信技术 (Communications Technology), no. 03, pages 188 - 191 *

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant