CN113938474A - Virtual machine access method and device, electronic equipment and storage medium - Google Patents


Info

Publication number: CN113938474A (application CN202111193005.7A)
Authority: CN (China)
Prior art keywords: virtual machine, host, access, proxy server, address information
Legal status: Granted
Application number: CN202111193005.7A
Other languages: Chinese (zh)
Other versions: CN113938474B (en)
Inventors: 伍卓权, 陈文钦
Current Assignee: Netease Hangzhou Network Co Ltd
Original Assignee: Netease Hangzhou Network Co Ltd

Events:
Application filed by Netease Hangzhou Network Co Ltd
Priority to CN202111193005.7A
Publication of CN113938474A
Application granted
Publication of CN113938474B
Legal status: Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/02 Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00 Arrangements for program control, e.g. control units
    • G06F9/06 Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/44 Arrangements for executing specific programs
    • G06F9/455 Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
    • G06F9/45533 Hypervisors; Virtual machine monitors
    • G06F9/45558 Hypervisor-specific management and integration aspects
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L12/00 Data switching networks
    • H04L12/28 Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • H04L12/46 Interconnection of networks
    • H04L12/4633 Interconnection of networks using encapsulation techniques, e.g. tunneling
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/10 Protocols in which an application is distributed across nodes in the network
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/14 Session management
    • H04L67/141 Setup of application sessions
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00 Arrangements for program control, e.g. control units
    • G06F9/06 Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/44 Arrangements for executing specific programs
    • G06F9/455 Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
    • G06F9/45533 Hypervisors; Virtual machine monitors
    • G06F9/45558 Hypervisor-specific management and integration aspects
    • G06F2009/45595 Network integration; Enabling network access in virtual machine instances

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Software Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Computing Systems (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The embodiments of the invention provide a virtual machine access method and device, an electronic device and a storage medium. The method comprises the following steps: receiving a first access request from a cloud platform terminal for a virtual machine, the first access request comprising first request information that includes host address information of the host machine of the virtual machine; creating an ssh tunnel to the host corresponding to the host address information; and returning access address information of the proxy server to the cloud platform terminal, so that the cloud platform terminal accesses the proxy server through the access address information and the proxy server in turn accesses the virtual machine on the host through the ssh tunnel. The data stream of the virtual machine is transmitted through the ssh tunnel, and the vnc port of the virtual machine is determined before the data stream is transmitted through the tunnel, so that the vnc ports of all virtual machines need not be opened and the access security of the virtual machines is improved.

Description

Virtual machine access method and device, electronic equipment and storage medium
Technical Field
The embodiments of the invention relate to the field of network technology, and in particular to a virtual machine access method and device, an electronic device and a storage medium.
Background
Out-of-band management of a virtual machine means opening the virtual machine's console not through the virtual machine's own network but through the network of its host, so that the virtual machine can still be controlled in a web mode even when the virtual machine's network is down. A common network console implementation in cloud platforms such as the openstack open source project combines a websocket protocol proxy that forwards the vnc (Virtual Network Console) link with a noVNC front end.
However, in the current implementation of network console access, the host of the virtual machine must open the vnc listening ports of all its virtual machines; those vnc ports are not fixed within a certain range, and opening such a wide range of ports carries a security risk.
Disclosure of Invention
The embodiments of the invention provide a virtual machine access method that aims to solve the problem of low access security of virtual machines in the prior art.
Correspondingly, the embodiments of the invention also provide a virtual machine access device for implementing and applying the method.
In order to solve the above problem, an embodiment of the present invention discloses a virtual machine access method, which is applied to a proxy server, and the method includes:
receiving a first access request from a cloud platform terminal for a virtual machine, the first access request comprising first request information that includes host address information of the host machine of the virtual machine;
creating an ssh tunnel to the host corresponding to the host address information;
and returning access address information of the proxy server to the cloud platform terminal, so that the cloud platform terminal accesses the proxy server through the access address information and the proxy server in turn accesses the virtual machine on the host through the ssh tunnel.
Optionally, creating the ssh tunnel to the host corresponding to the host address information further includes:
randomly selecting an unused proxy server port of the proxy server;
and creating an ssh tunnel between that proxy server port and the host corresponding to the host address information, so that the proxy server port is connected through the ssh tunnel to the virtual machine port of the virtual machine identified by the virtual machine address information on that host.
Optionally, the first request information further includes a first user identifier, the host address information includes a host domain name of a host of the virtual machine and an ip address of the host of the virtual machine, and the virtual machine address information includes a universal unique identifier of the virtual machine and the ip address of the virtual machine.
Optionally, after returning the access address information of the proxy server to the cloud platform terminal, the method further includes:
randomly generating a first identity identifier, combining the first identity identifier and the first request information into identity verification information, and storing the identity verification information in a cache;
returning the access address information carrying the identity verification information to the cloud platform terminal;
receiving a second access request sent by the cloud platform terminal for the access address information, the second access request comprising a second identity identifier and a second user identifier;
when the second identity identifier is the same as the first identity identifier in the identity verification information, obtaining the first user identifier from the identity verification information;
and when the second user identifier is the same as the first user identifier, establishing a link with the cloud platform terminal.
Optionally, the method further comprises:
when the second identity identifier differs from the first identity identifier in the identity verification information, or when the second user identifier differs from the first user identifier, returning an error prompt to the cloud platform terminal.
Optionally, after the link is established with the cloud platform terminal, the method further includes:
receiving data sent by the cloud platform terminal;
forwarding the data to the proxy server port, so that the proxy server port forwards the data to the virtual machine port through the ssh tunnel.
Optionally, after the creating of the ssh tunnel of the host corresponding to the host address information, the method further includes:
detecting the link state between the proxy server port and the virtual machine at preset intervals;
and when the link state between the proxy server port and the virtual machine is a disconnection state, destroying the ssh tunnel and clearing the authentication information from the cache.
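The proxy-side session handling described in the optional steps above (random first identity identifier bound to the first request information in a cache, access address carrying it, second request accepted only when both the identity identifier and the user identifier match, cache cleared when the link is destroyed), written out as an added Python example. This is illustration code written for this page, not code from the patent or from Netease. The base URL `PROXY_BASE`, the path `/console`, the query parameter name `token`, the use of an in-memory dict as the cache and `secrets.token_urlsafe` as the random generator are all assumptions of the example. For contrast it also includes the existence-only token check that the Background section criticizes in openstack.

```python
import secrets
from typing import Dict, Optional, Tuple

# Assumed values for this example; the patent does not fix a base URL or path.
PROXY_BASE = "https://vnc-proxy.example.invalid"
ACCESS_PATH = "/console"

# Identity verification information: identity identifier -> first request information.
# An in-memory dict stands in for whatever cache the proxy server actually uses.
Cache = Dict[str, Dict[str, str]]


def issue_access_address(cache: Cache, first_request: Dict[str, str]) -> str:
    """After the ssh tunnel exists: generate a random first identity identifier,
    bind it to the first request information in the cache, and return the access
    address that carries it."""
    for field in ("username", "hostname", "uuid", "vmip"):
        if field not in first_request:
            raise ValueError(f"first request information lacks {field}")
    identity = secrets.token_urlsafe(32)   # unguessable, and not derived from the VM uuid
    cache[identity] = dict(first_request)
    return f"{PROXY_BASE}{ACCESS_PATH}?token={identity}"


def token_from_access_address(address: str) -> str:
    """Extract the identity identifier carried in the access address."""
    marker = "?token="
    if marker not in address:
        raise ValueError("access address carries no identity identifier")
    return address.split(marker, 1)[1]


def verify_second_request(cache: Cache, second_identity: str,
                          second_user: str) -> Tuple[bool, str, Optional[Dict[str, str]]]:
    """Check a second access request against the cached identity verification
    information. Returns (link_established, message, first_request_info)."""
    info = cache.get(second_identity)
    if info is None:
        return False, "error: unknown or expired identity identifier", None
    first_user = info["username"]
    if not secrets.compare_digest(first_user.encode(), second_user.encode()):
        return False, "error: user identifier does not match", None
    return True, "link established", info


def existence_only_check(cache: Cache, token: str) -> bool:
    """The weaker check the Background describes: the token is accepted as long as
    it exists in the cache, regardless of which user presents it."""
    return token in cache


def clear_on_disconnect(cache: Cache, identity: str) -> bool:
    """Link-state handling: when the tunnel is destroyed, remove the verification
    information so a leaked access address cannot be reused. Returns True if cleared."""
    return cache.pop(identity, None) is not None


def demo() -> dict:
    """Walk through the flow with constructed sample values and return the outcomes."""
    cache: Cache = {}
    first_request = {"username": "alice", "hostname": "host-01.example.invalid",
                     "uuid": "00000000-0000-0000-0000-000000000000", "vmip": "10.0.0.5"}
    address = issue_access_address(cache, first_request)
    token = token_from_access_address(address)
    results = {
        "same_user": verify_second_request(cache, token, "alice")[0],
        "other_user": verify_second_request(cache, token, "mallory")[0],
        "bad_token": verify_second_request(cache, "not-a-real-token", "alice")[0],
        # existence-only check: passes for any holder of the URL
        "existence_only_any_holder": existence_only_check(cache, token),
    }
    clear_on_disconnect(cache, token)
    results["after_cleanup"] = verify_second_request(cache, token, "alice")[0]
    return results


if __name__ == "__main__":
    print(demo())
```

The constant-time comparison of the user identifier is a design choice of the example rather than something the patent specifies; the substantive point is that the cached first user identifier, not just the presence of the token, decides whether the link is established.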
The embodiment of the invention also discloses a virtual machine access device, which is applied to the proxy server and comprises the following components:
the access request receiving module is used for receiving a first access request of the cloud platform terminal to the virtual machine; the first access request comprises first request information, and the first request information comprises host machine address information of a host machine of the virtual machine;
the ssh tunnel creating module is used for creating an ssh tunnel to the host machine corresponding to the host address information;
and the access address information returning module is used for returning the access address information of the proxy server to the cloud platform terminal so that the cloud platform terminal accesses the proxy server through the access address information and then the proxy server accesses the virtual machine of the host machine through the ssh tunnel.
Optionally, the ssh tunnel creating module is configured to randomly select an unused proxy server port of the proxy server, and to create an ssh tunnel between that proxy server port and the host corresponding to the host address information, so that the proxy server port is connected through the ssh tunnel to the virtual machine port of the virtual machine identified by the virtual machine address information on that host.
Optionally, the first request information further includes a first user identifier, the host address information includes a host domain name of a host of the virtual machine and an ip address of the host of the virtual machine, and the virtual machine address information includes a universal unique identifier of the virtual machine and the ip address of the virtual machine.
Optionally, the link establishing module is configured to randomly generate a first identity identifier, combine the first identity identifier and the first request information into identity verification information, and store the identity verification information in a cache; returning the access address information carrying the identity authentication information to the cloud platform terminal; receiving a second access request sent by the cloud platform terminal aiming at the access address information, wherein the second access request comprises a second identity identifier and a second user identifier; when the second identity identification is the same as the first identity identification in the identity verification information, acquiring the first user identification from the identity verification information; and when the second user identification is the same as the first user identification, establishing a link with the cloud platform terminal.
Optionally, the link establishing module is configured to return an error prompt to the cloud platform terminal when the second identity identifier differs from the first identity identifier in the identity verification information, or when the second user identifier differs from the first user identifier.
Optionally, the data transmission module is configured to receive data sent by the cloud platform terminal and forward it to the proxy server port, so that the proxy server port forwards the data to the virtual machine port through the ssh tunnel.
Optionally, the link state detection module is configured to detect a link state between the proxy server port and the virtual machine at preset intervals; and when the link state between the proxy server port and the virtual machine is a disconnection state, destroying the ssh tunnel and clearing the authentication information from the cache.
The embodiment of the invention discloses electronic equipment, which comprises a processor, a memory and a computer program which is stored on the memory and can run on the processor, wherein when the computer program is executed by the processor, the steps of the virtual machine access method are realized.
The embodiment of the invention discloses a computer readable storage medium, wherein a computer program is stored on the computer readable storage medium, and when the computer program is executed by a processor, the steps of the virtual machine access method are realized.
The embodiment of the invention has the following advantages:
in the embodiments of the invention, a first access request from a cloud platform terminal for a virtual machine is received, and an ssh tunnel to the host corresponding to the host address information in the first access request is created, so that after the access address information of the proxy server is returned to the cloud platform terminal, the cloud platform terminal can access the proxy server through the access address information and the proxy server in turn accesses the virtual machine on the host through the ssh tunnel. In this way the data stream of the virtual machine is transmitted through the ssh tunnel, and since the vnc port of the virtual machine is determined before the data stream is transmitted through the tunnel, the vnc ports of all virtual machines need not be opened and the access security of the virtual machines is improved.
Drawings
FIG. 1 is a schematic flow chart of using the network console by openstack;
FIG. 2 is a flowchart illustrating the steps of one embodiment of a virtual machine access method of the present invention;
FIG. 3 is a schematic diagram of the creation of a ssh tunnel in accordance with the present invention;
FIG. 4 is a flow diagram of one virtual machine access of the present invention;
FIG. 5 is a block diagram of an embodiment of a virtual machine access apparatus according to the present invention.
Detailed Description
In order to make the aforementioned objects, features and advantages of the present invention comprehensible, embodiments accompanied with figures are described in further detail below.
A common network console access implementation in cloud platforms such as the openstack open source project combines a websocket protocol proxy that forwards the vnc link with a noVNC front end.
noVNC is a front-end implementation of the vnc protocol: it uses the websocket protocol to deliver the vnc data stream to the user's browser in Web (World Wide Web) mode, and cloud platforms such as openstack wrap this technology, generating upper-layer management handles such as uuids on top of it, to provide console access to users as a service. websocket is a protocol for full-duplex communication over a single tcp connection; it makes data exchange between client and server simpler, allows the server to actively push data to the client, and lets client and server establish a persistent connection directly for bidirectional data transmission.
Referring to fig. 1, a schematic flow chart of the openstack network console is shown; it comprises the following steps:
Step 1, the user connects from a browser to the vnc client of a virtual machine;
Step 2, the browser sends a request to nova-api asking it to return the url (Uniform Resource Locator) for accessing vnc;
An api (Application Programming Interface) is a predefined interface (e.g. a function or an HTTP interface) or a convention for linking the different components of a software system. It provides a set of routines that applications and developers can use, based on certain software or hardware, without accessing source code or understanding the details of the internal workings.
nova-api is the only way to access and use the services provided by nova; it serves as an intermediate layer between the client and nova, acting as a bridge or middleman: it passes the client's request to nova and returns the processing result to the client after nova has handled the request.
Step 3, nova-api calls the get_vnc_console (obtain vnc console) method of nova-compute, asking it to return the information needed to connect to vnc;
nova-compute is the entry point for managing and configuring virtual machines and is used to create and manage them; as the service that directly operates virtual machines, after receiving a request it orchestrates libvirt, openvswitch/bridge, rbd/iscsi and the like to fulfil the request.
Calling the get_vnc_console method obtains the information of the current vnc console.
Step 4, nova-compute calls the get_vnc_console function of libvirt;
libvirt is an open source api, daemon and management tool for managing virtualization platforms; it provides a convenient way to manage virtual machines and other virtualization functions, such as storage and network interface management.
Step 5, libvirt obtains the vnc server information by parsing the virtual machine's runtime file /etc/libvirt/qemu/instance-00000011.xml;
The vnc server information includes the host and port of the virtual machine, among other things; once it is obtained, the host of the virtual machine can be determined and communication can proceed through the port.
Step 6, libvirt returns the host, port and other information to nova-compute in json (JavaScript Object Notation) format;
Step 7, nova-compute randomly generates a uuid as the token;
A uuid (Universally Unique Identifier) is a 128-bit value computed by a certain algorithm. For efficiency, the usual uuid can be shortened to 16 bits. A uuid is used to identify attribute types and is treated as a unique identifier across all space and time; in general it is guaranteed that a uuid generated anywhere will not have the same value as any other.
A token (computer identity authentication token) represents an object that is authorized to perform certain operations; it is checked before an operation or data transfer is performed, and authorization is obtained only if the token is verified.
Step 8, nova-compute combines the information returned by libvirt with the information in the configuration file into connect_info (connection information) and returns connect_info to nova-api;
Step 9, nova-api calls the authorize_console function of nova-consoleauth;
Step 10(A), nova-consoleauth caches the mappings instance -> token and token -> connect_info;
Here, nova-consoleauth and authorize_console are built-in interfaces or functions of openstack.
Step 11(B), nova-api returns the access url contained in connect_info to the browser:
http://192.168.150.10:6080/vnc_auto.html?token=7efaee3f-eada-4731-a87c-e173cbd25e98&title=serverA%289169fdb2-5b74-46b1-9803-60d2926bd97c%29
Step 12(C), the browser tries to open the link;
Step 13(D), opening the link sends a request to nova-novncproxy;
Step 14(E), nova-novncproxy calls the check_token function of nova-consoleauth;
nova-consoleauth provides token verification and maintains the mapping from the token to the ip address and port number.
This built-in openstack component supports a browser-based vnc client and is usually deployed together with nova-api.
The check_token function verifies the token and returns the verification result.
Step 15(F), nova-consoleauth verifies the token and returns the connect_info corresponding to the instance to nova-novncproxy;
Step 16(G), nova-novncproxy connects to the vnc server on the nova-compute node using the host, port and other information in connect_info, which starts the work of the console proxy: a connection to the virtual machine is established and data is transmitted over the websocket protocol to operate the virtual machine console.
In the above approach, the host machines must open the vnc listening ports of all their virtual machines, and those ports are not fixed within a certain range, so opening such a wide port range carries a security risk. Furthermore, the generated uuid is carried in the clear as the token, and cloud platforms such as openstack only check whether the token exists and do not authenticate the user, which means that anyone who receives the returned url can open the virtual machine's console and directly use root privileges. The uuid token is also not cleared immediately after use, so it is at risk of leakage, and the overall security is not high.
In view of the above problems, an embodiment of the present invention provides a virtual machine access method in which an ssh tunnel is used to transmit the data stream of the virtual machine; since the vnc port of the virtual machine is already determined before the data stream is transmitted in the ssh tunnel, opening the vnc ports of all virtual machines is avoided and the security of virtual machine access is improved.
Referring to fig. 2, a flowchart of the steps of an embodiment of a virtual machine access method according to the present invention is shown. Applied to a proxy server, the embodiment may include the following steps:
Step 201, receiving a first access request from a cloud platform terminal for a virtual machine, the first access request comprising first request information that includes host address information of the host machine of the virtual machine;
the cloud platform terminal may be a terminal device used by a user, the terminal device may be a terminal that can access the cloud platform, such as a mobile phone, a tablet computer, and a computer, and the user may access the cloud platform by using the terminal device through a browser, a webpage, a front end of the cloud platform, and the like, which is not limited in the present invention.
The first request information further comprises a first user identifier, the host machine address information comprises a host domain name of a host machine of the virtual machine and an ip address of the host machine of the virtual machine, and the virtual machine address information comprises a universal unique identification code of the virtual machine and the ip address of the virtual machine.
The user identification can be a user name, a user number or other marks which can distinguish and determine the user identity; domain Name (Domain Name), which is the Name of a computer or group of computers on the Internet that is composed of a string of names separated by dots, and is used to identify the electronic orientation (sometimes also referred to as geographical location) of the computer during data transmission; the IP Address (Internet Protocol Address) is used to identify each host on the Internet, which is a unique identifier for each host. An IP address is composed of 32 binary digits, and is usually divided into 4 segments, each segment having 8 bits (1 byte), and the IP address is expressed as follows: the value range of each segment (aaa, bbb, ccc or ddd) of aaa, bcc and ddd is 0-255, and the segments are separated by dots.
In specific implementation, a user can access a console of a virtual machine through a cloud platform terminal, and can carry request information when sending an access request to a proxy server, wherein the request information can include host address information of a host of a target virtual machine. After receiving the access request, the proxy server may extract the request information from the access request, and after extracting the address information of the host machine, the proxy server may determine the host machine where the target virtual machine is located according to the address information of the host machine.
An example is that the cloud platform forwards the request to the vnc proxy server, and needs to take url parameter username (user name of user applying for accessing virtual machine console), hostname (host where the virtual machine to be accessed is located, which may be host domain name or ip address), uuid (uuid of virtual machine), vmip (ip address of virtual machine), and url is as follows: (/ vnc)? Username & hostname & uuid & vmip & lt.
Step 202, creating an ssh tunnel to the host corresponding to the host address information;
ssh (secure shell protocol) is a security protocol built on the application layer. ssh is a relatively reliable protocol dedicated to providing security for remote login sessions and other network services; using the ssh protocol effectively prevents information leakage during remote management.
Tunneling is a technique that encapsulates one network protocol inside another for transmission. In essence it is port forwarding: the network data of other tcp ports is forwarded through the ssh link, with the corresponding encryption and decryption provided automatically. An ssh tunnel usually binds a local port, and all packets sent to that port are encrypted and transparently transmitted to the remote system.
In a specific implementation, after receiving the request the proxy server extracts the hostname of the virtual machine's host from the request information, then randomly picks an unused local port and creates the ssh tunnel link to the host.
Step 203, returning access address information of the proxy server to the cloud platform terminal, so that the cloud platform terminal accesses the proxy server through the access address information, and the proxy server accesses the virtual machine of the host machine through the ssh tunnel.
After the ssh tunnel between the proxy server and the virtual machine's host is established, an access address is generated and returned to the cloud platform terminal; the access address information may include verification information used to authenticate the user. After receiving the access address, the cloud platform terminal redirects to it, and when it accesses the address it presents the information to be verified that corresponds to the verification information in the access address information, for the proxy server to check. After verification passes, the user at the cloud platform terminal can access the virtual machine through the ssh tunnel between the proxy server and the virtual machine's host.
In the embodiments of the invention, a first access request from a cloud platform terminal for a virtual machine is received, and an ssh tunnel to the host corresponding to the host address information in the first access request is created, so that after the access address information of the proxy server is returned to the cloud platform terminal, the cloud platform terminal can access the proxy server through the access address information and the proxy server in turn accesses the virtual machine on the host through the ssh tunnel. In this way the data stream of the virtual machine is transmitted through the ssh tunnel, and since the vnc port of the virtual machine is determined before the data stream is transmitted through the tunnel, the vnc ports of all virtual machines need not be opened and the access security of the virtual machines is improved.
In an exemplary embodiment, the creating of the ssh tunnel of the host corresponding to the host address information in step 202 further includes:
randomly selecting an unused proxy server port of the proxy server;
and creating a ssh tunnel of the host machine corresponding to the address information of the host machine and the port of the proxy server, so that the port of the proxy server is connected with a virtual machine port of the virtual machine corresponding to the address information of the virtual machine of the host machine through the ssh tunnel.
ssh tunneling, i.e. ssh port forwarding, creates an encrypted ssh connection between a client and a server machine. Data carried through the ssh tunnel is encrypted, which improves the security of communication between the server and the client.
Referring to fig. 3, a schematic diagram illustrating creation of a ssh tunnel according to an embodiment of virtual machine access is shown.
As shown in fig. 3, after receiving the request, the proxy server may extract the hostname of the host of the virtual machine from the request information, then randomly pick an unused local port, create an ssh tunnel link with the host, and have the vnc listen on the hostname and the randomly picked local port, so that when the local address "127.0.0.1:<random port>" is accessed, the vnc port of the target virtual machine is reached through the tunnel.
In the embodiment of the invention, unused proxy server ports of the proxy servers are randomly selected; and creating the ssh tunnel of the host machine corresponding to the address information of the proxy server port and the address information of the host machine, so that the proxy server port is connected with the virtual machine port of the virtual machine corresponding to the address information of the virtual machine of the host machine through the ssh tunnel, and the communication between the proxy server and the host machine can be encrypted through the ssh tunnel, thereby improving the safety of the communication.
In order to make it easier for those skilled in the art to understand the virtual machine access method of the present invention, the following detailed description is made in conjunction with fig. 4, and it should be noted that the steps in the drawings are simplified and do not conflict with the following description.
Referring to fig. 4, a flowchart illustrating an embodiment of accessing a virtual machine according to the present invention is shown, which may specifically include the following steps:
Step 401, receiving a first access request of a cloud platform terminal to a virtual machine; the first access request comprises first request information, and the first request information comprises host machine address information of a host machine of the virtual machine;
Step 402, creating a ssh tunnel of the host corresponding to the address information of the host;
Step 403, randomly generating a first identity identifier, combining the first identity identifier and the first request information into identity verification information, and storing the identity verification information in a cache;
the first identity identifier may be a token, may use a randomly generated uuid as the token, or may use another unique authentication method as the token, which is not limited in the present invention.
In a specific implementation, the proxy server may generate a random token and combine the token with the user identifier, which may be a user name (username), the uuid and vmip of the virtual machine, the host domain name or ip address (hostname) of the host of the virtual machine, and the randomly selected port into authentication information for caching, with the token as the key; one possible caching format is as follows:
{ <token>: { "username": <username>, "uuid": <uuid>, "vmip": <vmip>, "hostname": <hostname>, "port": <random port> } }
The cached identity authentication information takes the token as the key, that is, one token corresponds to one group of identity authentication information. During identity authentication, the token is verified first; when identity authentication information corresponding to the token exists, it is retrieved through the token, and one or more items of information to be authenticated are selected from it for authentication.
Step 404, returning access address information carrying the identity authentication information to the cloud platform terminal;
after receiving an access request sent by the cloud platform terminal, the proxy server needs to return an access address (url) to the cloud platform terminal, so that the cloud platform terminal can be connected with the proxy server through the access address and further connected and communicated with the target virtual machine.
The proxy server can combine the identity authentication information and the access address into access address information, and then return the access address information to the cloud platform terminal, so that the cloud platform terminal carries the corresponding authentication information for the proxy server to authenticate when it jumps to open the access address. One combination of access address information may be: "/vnc_lite.html?token=<token>", where "/vnc_lite.html" is the access address and "token=<token>" is the authentication information.
Step 405, receiving a second access request sent by the cloud platform terminal for the access address information, wherein the second access request includes a second identity identifier and a second user identifier;
After receiving the access address returned by the proxy server, the cloud platform terminal automatically jumps to open the link, sends a second access request to the proxy server, and carries its authentication information in that request; the authentication information may include an identity identifier and a user identifier. Of course, the authentication information may also include other information, specifically information corresponding to the access address information returned by the proxy server. Specifically, the authentication information is attached in the request headers, which are the header fields of the http request and carry the basic information of the http access request. The proxy server can compare the second user identifier parsed from the authentication information in the headers with the cached first user identifier, establish a link if the comparison passes, and otherwise return error prompt information.
Step 406, when the second identity identifier is the same as the first identity identifier in the identity verification information, obtaining the first user identifier from the identity verification information; when the second user identifier is the same as the first user identifier, establishing a link with the cloud platform terminal; when the second identity identifier is different from the first identity identifier in the identity verification information, or when the second user identifier is different from the first user identifier, returning error prompt information to the cloud platform terminal;
After receiving the second access request of the cloud platform terminal, the proxy server may extract the carried authentication information, such as the second identity identifier and the second user identifier, from the second access request. The second identity identifier is in fact extracted from the access address information, i.e. it should be the same as the first identity identifier of the authentication information in the proxy cache. Since the identity identifier is a randomly generated unique code, verifying the second identity identifier detects tampering with the access address returned by the proxy server.
In the specific implementation, the proxy server firstly verifies the identity identifier, extracts the second identity identifier from the second request, compares the second identity identifier with the first identity identifier in the cache, and returns error information to the cloud platform terminal if the first identity identifier corresponding to the second identity identifier is not found in the cache. And if the first identity identification corresponding to the second identity identification is found in the cache, acquiring the identity verification information corresponding to the first identity identification.
One example: the access address information returned by the proxy server is "/vnc_lite.html?1234=<authentication information A>", where "1234" is the identity identifier and "<authentication information A>" is the authentication information corresponding to that identifier. During verification, if the second identity identifier is "1234", the same identifier is found in the cache and the corresponding "<authentication information A>" is obtained; otherwise the access address information or the second identity identifier may have been tampered with, and error prompt information is returned.
When the identity identifier passes verification and the corresponding identity verification information is obtained, it can further be verified whether the second access request comes from the same user as the first access request, preventing others from accessing the virtual machine if the access address leaks. The username (username) in the second access request may be verified, or other information in the authentication information may be verified.
One example: if the identity identifier "1234" corresponds to the authentication information { 1234: { "username": <Tony>, "uuid": <uuid>, "vmip": <vmip>, "hostname": <hostname>, "port": <random port> } }, then if the username in the second access request is "Tony", the request comes from the user who applied for access to the virtual machine in the first access request and the authentication passes; if the username does not match the username in the authentication information, error prompt information is returned.
After the identity authentication is passed, the proxy server may establish a link with the cloud platform terminal, where the established link may be a websocket link.
Step 407, receiving data sent by the cloud platform terminal; forwarding the data to the proxy port such that the proxy port forwards the data to the virtual machine port through the ssh tunnel;
After the link is established between the proxy server and the cloud platform terminal, data can be forwarded to the proxy server port, which is in fact connected through the ssh tunnel to the vnc port of the corresponding virtual machine on the host machine, so that data forwarding is achieved and the user can open a web session to the virtual machine normally from the cloud platform terminal, achieving secure access to the virtual machine.
Step 408, detecting the link state between the proxy server port and the virtual machine at preset intervals;
and when the link state between the proxy server port and the virtual machine is a disconnection state, destroying the ssh tunnel and clearing the authentication information from the cache.
After the link between the proxy server and the host machine of the virtual machine is established, a subprocess is automatically started that checks at a preset time interval whether the link is active, that is, whether a request is sent or data is transmitted; for example, if the time interval is set to 60 seconds, the state of the link is checked every 60 seconds.
After the cloud platform terminal disconnects the link, if the subprocess detects that the link between the proxy server port and the virtual machine has no data transmission, the created ssh tunnel is destroyed, its resources are recycled, and the identity authentication information is removed from the cache, guaranteeing that the identity authentication information is valid for only one link.
In the embodiment of the invention, the data stream of the virtual machine is carried over the ssh tunnel, and because the vnc port of the virtual machine is determined before the ssh tunnel transmits the data stream, the vnc ports of all the virtual machines need not be opened; since the proxy server selects the port locally, the vnc of the virtual machine only needs to listen on the address 127.0.0.1. The access request is authenticated, which guarantees that the access address can only be used by its applicant and removes the risk of access address leakage; the access address carries the identity verification information, which is automatically cleared after the link is disconnected, guaranteeing that the access address information is used only once, recycling resources, saving system resources and improving the security of virtual machine access.
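The following is an added example, not code from the patent, modelling the proxy server side of both the tunnel creation of fig. 3 (unused local port plus ssh local forward) and steps 401 to 408 (token cache, access address, two-stage verification, teardown on an idle link). The request fields, hostnames and the "vncport" field are constructed assumptions; the ssh command is built but not launched.

```python
"""Added example (not the patent's own code): a minimal model of the proxy
server side of the flow in steps 401-408, including the port selection and
ssh forward from fig. 3. All sample values are constructed."""
import hmac
import socket
import uuid
from urllib.parse import parse_qs, urlsplit

# Constructed first access request: what the cloud platform terminal sends.
# "vncport" (the VM's vnc port on the host) is an assumed field name.
FIRST_REQUEST = {
    "username": "Tony",
    "uuid": "3f1c2a9e-0000-4000-8000-000000000001",  # hypothetical VM uuid
    "vmip": "10.0.0.12",                              # hypothetical VM ip
    "hostname": "host01.example.internal",            # hypothetical host
    "vncport": 5901,
}

CACHE = {}    # token -> authentication information (step 403)
TUNNELS = {}  # token -> ssh command that would be launched for the tunnel


def pick_unused_port(bind_addr="127.0.0.1"):
    """Ask the OS for a currently unused local port on the proxy server."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        sock.bind((bind_addr, 0))
        return sock.getsockname()[1]


def tunnel_command(hostname, proxy_port, vnc_port):
    """OpenSSH local forward: proxy 127.0.0.1:proxy_port -> host 127.0.0.1:vnc_port.

    The forward terminates on the host's loopback, so the VM's vnc port only
    has to listen on 127.0.0.1 and is never exposed on the network.
    """
    return ["ssh", "-N", "-o", "ExitOnForwardFailure=yes",
            "-L", f"127.0.0.1:{proxy_port}:127.0.0.1:{vnc_port}", hostname]


def handle_first_request(req):
    """Steps 401-404: pick a port, build the tunnel, cache the authentication
    information under a random token and return the access address information."""
    proxy_port = pick_unused_port()
    token = uuid.uuid4().hex  # first identity identifier
    CACHE[token] = {
        "username": req["username"], "uuid": req["uuid"], "vmip": req["vmip"],
        "hostname": req["hostname"], "port": proxy_port,
    }
    # In a real proxy this command is started with subprocess.Popen and the
    # process handle is kept for the teardown in step 408.
    TUNNELS[token] = tunnel_command(req["hostname"], proxy_port, req["vncport"])
    return f"/vnc_lite.html?token={token}"


def verify_second_request(url, headers):
    """Steps 405-406: check the token first, then the username carried in the
    request headers. Returns (authentication info, status)."""
    token = parse_qs(urlsplit(url).query).get("token", [None])[0]
    info = CACHE.get(token) if token else None
    if info is None:
        return None, "unknown token: address tampered or already used"
    # Constant-time compare so the check leaks nothing about the cached value.
    sent = headers.get("username", "").encode()
    if not hmac.compare_digest(sent, info["username"].encode()):
        return None, "user mismatch: address not used by its applicant"
    return info, "ok"


def destroy_link(token):
    """Step 408 teardown: drop the tunnel and clear the cached authentication
    information so the access address information is valid for one link only."""
    TUNNELS.pop(token, None)
    CACHE.pop(token, None)


def check_link(token, bytes_since_last_check):
    """Step 408 detector, run every preset interval (e.g. 60 s): a link with no
    traffic since the last check is treated as disconnected and torn down.
    Returns True when the link was destroyed."""
    if token not in TUNNELS:
        return False
    if bytes_since_last_check == 0:
        destroy_link(token)
        return True
    return False
```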
It should be noted that, for simplicity of description, the method embodiments are described as a series of acts or combination of acts, but those skilled in the art will recognize that the present invention is not limited by the illustrated order of acts, as some steps may occur in other orders or concurrently in accordance with the embodiments of the present invention. Further, those skilled in the art will appreciate that the embodiments described in the specification are presently preferred and that no particular act is required to implement the invention.
Referring to fig. 5, a block diagram illustrating a structure of an embodiment of a virtual machine access apparatus according to the present invention is shown, where the embodiment of the present invention may specifically include the following modules:
the access request receiving module 501 is configured to receive a first access request of a cloud platform terminal to a virtual machine; the first access request comprises first request information, and the first request information comprises host machine address information of a host machine of the virtual machine;
an ssh tunnel creating module 502, configured to create an ssh tunnel of the host corresponding to the host address information;
an access address information returning module 503, configured to return the access address information of the proxy server to the cloud platform terminal, so that the cloud platform terminal accesses the proxy server through the access address information, and the proxy server accesses the virtual machine of the host through the ssh tunnel.
In an exemplary embodiment, the ssh tunnel creating module 502 is configured to randomly select an unused proxy server port of the proxy server; and creating a ssh tunnel of the host machine corresponding to the address information of the host machine and the port of the proxy server, so that the port of the proxy server is connected with a virtual machine port of the virtual machine corresponding to the address information of the virtual machine of the host machine through the ssh tunnel.
In an exemplary embodiment, the first request information further includes a first user identifier, the host address information includes a host domain name of a host of the virtual machine and an ip address of the host of the virtual machine, and the virtual machine address information includes a universally unique identifier of the virtual machine and the ip address of the virtual machine.
In an exemplary embodiment, the link establishing module is configured to randomly generate a first identity identifier, combine the first identity identifier and the first request message into authentication information, and store the authentication information in a cache; returning the access address information carrying the identity authentication information to the cloud platform terminal; receiving a second access request sent by the cloud platform terminal aiming at the access address information, wherein the second access request comprises a second identity identifier and a second user identifier; when the second identity identification is the same as the first identity identification in the identity verification information, acquiring the first user identification from the identity verification information; and when the second user identification is the same as the first user identification, establishing a link with the cloud platform terminal.
In an exemplary embodiment, the link establishing module is configured to return an error notification message to the cloud platform terminal when the second identity is different from the first identity in the authentication information or when the second user identity is different from the first user identity.
In an exemplary embodiment, the data transmission module is configured to receive data sent by the cloud platform terminal; forwarding the data to the proxy port such that the proxy port forwards the data to the virtual machine port through the ssh tunnel.
In an exemplary embodiment, the link status detection module is configured to detect a link status between the proxy server port and the virtual machine at preset intervals; and when the link state between the proxy server port and the virtual machine is a disconnection state, destroying the ssh tunnel and clearing the authentication information from the cache.
In summary, in the embodiment of the present invention, a first access request from a cloud platform terminal to a virtual machine is received, and a ssh tunnel of a host corresponding to address information of the host in the first access request is created, so that after the access address information of a proxy server is returned to the cloud platform terminal, the cloud platform terminal can access the proxy server through the access address information, and then the proxy server accesses the virtual machine of the host through the ssh tunnel. According to the embodiment of the invention, the data stream of the virtual machine is transmitted by using the ssh tunnel, and the vnc ports of the virtual machine are determined before the data stream is transmitted by using the ssh tunnel, so that the vnc ports of all the virtual machines can be prevented from being opened, and the access security of the virtual machines is improved.
For the device embodiment, since it is basically similar to the method embodiment, the description is simple, and for the relevant points, refer to the partial description of the method embodiment.
The embodiment of the invention discloses electronic equipment, which comprises a processor, a memory and a computer program which is stored on the memory and can run on the processor, wherein when the computer program is executed by the processor, the steps of the virtual machine access method embodiment are realized.
The embodiment of the invention discloses a computer readable storage medium, wherein a computer program is stored on the computer readable storage medium, and when the computer program is executed by a processor, the steps of the embodiment of the virtual machine access method are realized.
The embodiments in the present specification are described in a progressive manner, each embodiment focuses on differences from other embodiments, and the same and similar parts among the embodiments are referred to each other.
As will be appreciated by one skilled in the art, embodiments of the present invention may be provided as a method, apparatus, or computer program product. Accordingly, embodiments of the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, embodiments of the present invention may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
Embodiments of the present invention are described with reference to flowchart illustrations and/or block diagrams of methods, terminal devices (systems), and computer program products according to embodiments of the invention. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing terminal to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing terminal, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing terminal to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing terminal to cause a series of operational steps to be performed on the computer or other programmable terminal to produce a computer implemented process such that the instructions which execute on the computer or other programmable terminal provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
While preferred embodiments of the present invention have been described, additional variations and modifications of these embodiments may occur to those skilled in the art once they learn of the basic inventive concepts. Therefore, it is intended that the appended claims be interpreted as including preferred embodiments and all such alterations and modifications as fall within the scope of the embodiments of the invention.
Finally, it should also be noted that, herein, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or terminal that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or terminal. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other like elements in a process, method, article, or terminal that comprises the element.
The foregoing detailed description is provided for a virtual machine access method, a virtual machine access device, an electronic device, and a storage medium, and specific examples are applied herein to explain the principles and embodiments of the present invention, and the descriptions of the foregoing embodiments are only used to help understand the method and the core ideas of the present invention; meanwhile, for a person skilled in the art, according to the idea of the present invention, there may be variations in the specific embodiments and the application scope, and in summary, the content of the present specification should not be construed as a limitation to the present invention.

Claims (10)

1. A virtual machine access method applied to a proxy server is characterized by comprising the following steps:
receiving a first access request of a cloud platform terminal to a virtual machine; the first access request comprises first request information, and the first request information comprises host machine address information of a host machine of the virtual machine;
creating a ssh tunnel of the host corresponding to the address information of the host;
and returning access address information of the proxy server to the cloud platform terminal so that the cloud platform terminal accesses the proxy server through the access address information, and then the proxy server accesses the virtual machine of the host machine through the ssh tunnel.
2. The method according to claim 1, wherein the first request message further includes virtual machine address information of a virtual machine, and the creating of the ssh tunnel of the host corresponding to the host address information includes:
randomly selecting an unused proxy server port of the proxy server;
and creating a ssh tunnel of the host machine corresponding to the address information of the host machine and the port of the proxy server, so that the port of the proxy server is connected with a virtual machine port of the virtual machine corresponding to the address information of the virtual machine of the host machine through the ssh tunnel.
3. The method according to claim 2, wherein the first request information further includes a first user identifier, the host address information includes a host domain name of a host of the virtual machine, an ip address of the host of the virtual machine, and the virtual machine address information includes a universally unique identifier of the virtual machine and the ip address of the virtual machine.
4. The method according to claim 3, wherein after the returning of the access address information of the proxy server to the cloud platform terminal, the method further comprises:
randomly generating a first identity mark, combining the first identity mark and the first request information into identity verification information and storing the identity verification information in a cache;
returning the access address information carrying the identity authentication information to the cloud platform terminal;
receiving a second access request sent by the cloud platform terminal aiming at the access address information, wherein the second access request comprises a second identity identifier and a second user identifier;
when the second identity identification is the same as the first identity identification in the identity verification information, acquiring the first user identification from the identity verification information;
and when the second user identification is the same as the first user identification, establishing a link with the cloud platform terminal.
5. The method of claim 4, further comprising:
and when the second identity identification is different from the first identity identification in the identity verification information, or when the second user identification is different from the first user identification, returning error prompt information to the cloud platform terminal.
6. The method according to claim 4, wherein after the link is established with the cloud platform terminal, the method further comprises:
receiving data sent by the cloud platform terminal;
forwarding the data to the proxy port such that the proxy port forwards the data to the virtual machine port through the ssh tunnel.
7. The method according to claim 4, wherein after the creating of the ssh tunnel of the host corresponding to the host address information, further comprising:
detecting the link state between the proxy server port and the virtual machine at preset intervals;
and when the link state between the proxy server port and the virtual machine is a disconnection state, destroying the ssh tunnel and clearing the authentication information from the cache.
8. A virtual machine access apparatus applied to a proxy server, the apparatus comprising:
the access request receiving module is used for receiving a first access request of the cloud platform terminal to the virtual machine; the first access request comprises first request information, and the first request information comprises host machine address information of a host machine of the virtual machine;
the ssh tunnel creating module is used for creating the ssh tunnel of the host machine corresponding to the address information of the host machine;
and the access address information returning module is used for returning the access address information of the proxy server to the cloud platform terminal so that the cloud platform terminal accesses the proxy server through the access address information and then the proxy server accesses the virtual machine of the host machine through the ssh tunnel.
9. An electronic device comprising a processor, a memory, and a computer program stored on the memory and capable of running on the processor, the computer program, when executed by the processor, implementing the steps of the virtual machine access method of any one of claims 1 to 7.
10. A computer-readable storage medium, on which a computer program is stored which, when being executed by a processor, carries out the steps of the virtual machine access method according to any one of claims 1 to 7.
CN202111193005.7A 2021-10-13 2021-10-13 Virtual machine access method and device, electronic equipment and storage medium Active CN113938474B (en)

Publications (2)

Publication Number Publication Date
CN113938474A true CN113938474A (en) 2022-01-14
CN113938474B CN113938474B (en) 2024-05-10

Family

ID=79278901

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111193005.7A Active CN113938474B (en) 2021-10-13 2021-10-13 Virtual machine access method and device, electronic equipment and storage medium

Country Status (1)

Country Link
CN (1) CN113938474B (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117591246A (en) * 2024-01-18 2024-02-23 杭州优云科技股份有限公司 Method and device for realizing WEB terminal of KVM (keyboard video mouse) virtual machine
CN117591248A (en) * 2024-01-18 2024-02-23 杭州筋斗腾云科技有限公司 Terminal system processing method based on containerized virtual machine and electronic equipment

Citations (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8607067B1 (en) * 2011-03-01 2013-12-10 Amazon Technologies, Inc. Techniques for attesting to information
CN105376216A (en) * 2015-10-12 2016-03-02 华为技术有限公司 Remote access method, agent server and client end
US20160099948A1 (en) * 2013-06-14 2016-04-07 Tocario Gmbh Method and system for enabling access of a client device to a remote desktop
CN106302504A (en) * 2016-08-31 2017-01-04 浪潮电子信息产业股份有限公司 Xenserver security-based vnc implementation method
CN107193634A (en) * 2017-05-23 2017-09-22 郑州云海信息技术有限公司 The access method and device of a kind of virtual machine
CN107634892A (en) * 2017-09-08 2018-01-26 郑州云海信息技术有限公司 A kind of Xenserver realizes the method and device of console based on novnc
WO2019237576A1 (en) * 2018-06-13 2019-12-19 平安科技(深圳)有限公司 Method and apparatus for verifying communication performance of virtual machine
CN112165532A (en) * 2020-10-14 2021-01-01 腾讯科技(深圳)有限公司 Node access method, device, equipment and computer readable storage medium
US20210224092A1 (en) * 2020-01-17 2021-07-22 Vmware, Inc. Remote access control of vm console located in cloud from on-premises computer device

Patent Citations (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8607067B1 (en) * 2011-03-01 2013-12-10 Amazon Technologies, Inc. Techniques for attesting to information
US20160099948A1 (en) * 2013-06-14 2016-04-07 Tocario Gmbh Method and system for enabling access of a client device to a remote desktop
CN105376216A (en) * 2015-10-12 2016-03-02 华为技术有限公司 Remote access method, agent server and client end
CN106302504A (en) * 2016-08-31 2017-01-04 浪潮电子信息产业股份有限公司 Xenserver security-based vnc implementation method
CN107193634A (en) * 2017-05-23 2017-09-22 郑州云海信息技术有限公司 Access method and device for a virtual machine
CN107634892A (en) * 2017-09-08 2018-01-26 郑州云海信息技术有限公司 Method and device for XenServer to implement a console based on noVNC
WO2019237576A1 (en) * 2018-06-13 2019-12-19 平安科技(深圳)有限公司 Method and apparatus for verifying communication performance of virtual machine
US20210224092A1 (en) * 2020-01-17 2021-07-22 Vmware, Inc. Remote access control of vm console located in cloud from on-premises computer device
CN112165532A (en) * 2020-10-14 2021-01-01 腾讯科技(深圳)有限公司 Node access method, device, equipment and computer readable storage medium

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
韩玲; 蔡皖东: "Remote detection method for virtual machines oriented to Microsoft Virtual PC", Computer Technology and Development (计算机技术与发展), no. 12 *

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117591246A (en) * 2024-01-18 2024-02-23 杭州优云科技股份有限公司 Method and device for realizing WEB terminal of KVM (keyboard video mouse) virtual machine
CN117591248A (en) * 2024-01-18 2024-02-23 杭州筋斗腾云科技有限公司 Terminal system processing method based on containerized virtual machine and electronic equipment
CN117591246B (en) * 2024-01-18 2024-05-03 杭州优云科技股份有限公司 Method and device for realizing WEB terminal of KVM (keyboard video mouse) virtual machine
CN117591248B (en) * 2024-01-18 2024-05-03 杭州筋斗腾云科技有限公司 Terminal system processing method based on containerized virtual machine and electronic equipment

Also Published As

Publication number Publication date
CN113938474B (en) 2024-05-10

Similar Documents

Publication Publication Date Title
EP3142327B1 (en) Intermediate network entity
CN102378170B (en) Method, device and system of authentication and service calling
CN108243176B (en) Data transmission method and device
CN110020955B (en) Online medical insurance information processing method and device, server and user terminal
CN104753674B (en) Verification method and equipment for application identity
US11689514B2 (en) User authentication in communication systems
CN105554098A (en) Device configuration method, server and system
CN113938474B (en) Virtual machine access method and device, electronic equipment and storage medium
CN102356620A (en) Web application access
CN107172001B (en) Control method and device of website proxy server and key proxy server
CN107508847A (en) Connection establishment method, device and equipment
CN106559405B (en) Portal authentication method and equipment
CN103168450B (en) Method, device and gateway device for accessing a virtual private network
CN105359480A (en) Key establishment for constrained resource devices
US20170070486A1 (en) Server public key pinning by url
CN109040079A (en) Method for generating and verifying a live streaming link address, and related device
CN111447184A (en) Single sign-on method, device, system and computer readable storage medium
CN102271136A (en) Access control method and equipment under NAT (Network Address Translation) network environment
CN107508822A (en) Access control method and device
CN110213247A (en) Method and system for improving the security of pushed information
CN110392128A (en) Method and system for providing public web services over quasi-zero-address IPv6
CN105722072A (en) Business authorization method, device, system and router
CN110730189B (en) Communication authentication method, device, equipment and storage medium
CN107026828B (en) Hotlink protection method based on an Internet cache, and Internet cache
CN112929388B (en) Network identity cross-device application rapid authentication method and system, and user agent device

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant