WO2015109593A1 - Virtualization method and apparatus, and computer device - Google Patents


Info

Publication number: WO2015109593A1
Authority: WO, WIPO (PCT)
Prior art keywords: container, file, containers, operating system, management structure
Application number: PCT/CN2014/071552
Other languages: French (fr), Chinese (zh)
Inventors: 詹卿, 王伟, 陈克平
Original assignee: 华为技术有限公司
Priority application: PCT/CN2014/071552 (published as WO2015109593A1); related application CN201480000300.8A (published as CN105190545B)

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/10 File systems; File servers
    • G06F16/18 File system types
    • G06F16/188 Virtual file systems

Definitions

  • the present invention relates to the field of computer technologies, and in particular to a virtualization method and apparatus, and a computer device.
  • Background technique
  • Operating system virtualization is an emerging computer virtualization technology.
  • Operating system virtualization, as defined by Gartner, refers to a shared operating system that allows multiple different applications to run in isolation under the control of a single operating system copy.
  • Container is a lightweight operating system virtualization technology.
  • the container consists of process access control and isolation technology and process group management and control technology implemented in kernel mode, plus a complete set of user-mode management tools.
  • Containers effectively partition resources managed by a single operating system into isolated resource groups to better balance conflicting resource usage requirements between isolated groups.
  • Containers allow applications in a container to behave as if they were running on a separate operating system, while sharing many of the underlying system resources, by providing a way to create and enter the container.
  • LXC: Linux Container.
  • VFS is an interface layer between the file system and the services that use it.
  • VFS abstracts all the details of each file system in Linux, making different file systems look the same on the Linux kernel and other processes running on the system. When it comes to operations on files, VFS maps these operations to the corresponding file system.
  • the underlying file system refers to the actual file system such as Ext4, which is responsible for managing the reading and storage of data on the disk.
  • the embodiment of the invention provides a virtualization method and device, and a computer device, to solve the defects of the existing container virtualization technology: it cannot truly isolate the files between the containers, so its security is insufficient; and its operation is complicated and its overhead is large.
  • a first aspect of the present invention provides a virtualization method for a virtualization system.
  • the virtualization system includes: a hardware layer, and an operating system and a file system running on the hardware layer; the operating system is divided into a plurality of containers isolated from each other, each of said containers being an isolated operation execution environment for running an application program; said plurality of containers includes a first container, said first container being any one of said plurality of containers;
  • the file system can be divided into a plurality of file management structures independent of each other;
  • the virtualization method includes: the operating system creates a separate virtual file system (VFS) instance for each of the plurality of containers, and configures a separate file management structure for each container in the file system through the VFS instance of each container, so that the plurality of containers are respectively configured with mutually independent VFS instances and with mutually independent file management structures;
  • when the operating system receives a file operation request sent by an application in the first container, the VFS instance of the first container invokes the file management structure of the first container to operate on the file involved in the file operation request.
  • the method further includes: the operating system allocates a dedicated processing thread to the first container; the processing thread dedicated to the first container processes the operations of the application in the first container, and after all operations corresponding to the application in the first container have been processed, the processing thread dedicated to the first container is released.
  • the method further includes: after the operating system receives a lock request sent by the processing thread dedicated to the first container when it starts work, the operating system locks the file management structure of the first container and prohibits other processing threads from accessing it; after the operating system receives an unlock request sent by the processing thread dedicated to the first container when it finishes work, the operating system unlocks the file management structure of the first container.
  • the calling, by the VFS instance of the first container, of the file management structure of the first container includes: the VFS instance of the first container calls the file system and sends the file operation request to the file system; when the file system recognizes that the file operation request originates from the first container, it operates on the file involved in the file operation request within the file management structure of the first container.
  • a second aspect of the present invention provides a virtualization apparatus, which is applied to a virtualization system.
  • the virtualization system includes: a hardware layer, and an operating system and a file system running on the hardware layer; the operating system is divided into a plurality of containers isolated from each other, each of said containers being an isolated operation execution environment for running an application program; said plurality of containers includes a first container, said first container being any one of said plurality of containers; the file system can be divided into a plurality of file management structures independent of each other;
  • the virtualization device is embedded in the operating system;
  • the virtualization device includes: a configuration module, configured to cause the operating system to create a separate virtual file system (VFS) instance for each of the plurality of containers and to configure a separate file management structure for each container in the file system through each container's VFS instance, such that the plurality of containers are respectively configured with mutually independent VFS instances and with mutually independent file management structures;
  • an operation module, configured to: when the operating system receives a file operation request issued by an application in the first container, cause the operating system to invoke, through the VFS instance of the first container, the file management structure of the first container to operate on the files involved in the file operation request.
  • the configuration module is further configured to: cause the operating system to allocate a dedicated processing thread to the first container, process the operations of the application in the first container with the processing thread dedicated to the first container, and, after the operations corresponding to the application in the first container have been processed, cause the operating system to release the processing thread dedicated to the first container.
  • the device further includes a locking and unlocking module, configured to: after the operating system receives a lock request sent by the processing thread dedicated to the first container when it starts work, lock the file management structure of the first container and prohibit other processing threads from accessing it; and after the operating system receives an unlock request sent by the processing thread dedicated to the first container when it finishes work, unlock the file management structure of the first container.
  • the operation module is specifically configured to: when the operating system receives a file operation request sent by an application in the first container, cause the operating system to call the file system through the VFS instance of the first container and send the file operation request to the file system, so that when the file system recognizes that the file operation request originates from the first container, it operates on the file involved in the file operation request within the file management structure of the first container.
  • a third aspect of the present invention provides a computer device, including: a hardware layer, and an operating system and a file system running on the hardware layer;
  • the hardware layer includes a processor, a memory, a communication interface and a bus; the processor, the memory and the communication interface communicate with each other through the bus;
  • the communication interface is configured to receive and transmit data;
  • the memory is configured to store a program;
  • the processor is configured to execute the program in the memory;
  • the operating system is divided into a plurality of containers isolated from each other, each of the containers being an isolated operation execution environment for running an application program;
  • the plurality of containers includes a first container, the first container being any one of the plurality of containers;
  • the file system can be divided into a plurality of file management structures independent of each other; wherein the processor performs the following steps:
  • creating a separate virtual file system (VFS) instance for each of the plurality of containers, and configuring a separate file management structure for each container in the file system through the VFS instance of each container, so that the plurality of containers are respectively configured with mutually independent VFS instances and with mutually independent file management structures; and, on receiving a file operation request issued by an application in the first container, invoking the file management structure of the first container through the VFS instance of the first container to operate on the file involved in the file operation request.
  • the processor further performs the following steps: allocating a dedicated processing thread to the first container, processing the operations of the application in the first container with the processing thread dedicated to the first container, and after all operations corresponding to the application in the first container have been processed, releasing the processing thread dedicated to the first container.
  • the processor is further configured to: after receiving a lock request sent by the processing thread dedicated to the first container when it starts work, lock the file management structure of the first container and prohibit other processing threads from accessing it; and after receiving an unlock request sent by the processing thread dedicated to the first container when it finishes work, unlock the file management structure of the first container.
  • the processor further performs the following steps: when receiving a file operation request issued by an application in the first container, calling the file system through the VFS instance of the first container and sending the file operation request to the file system; and when the file system recognizes that the file operation request originates from the first container, operating on the file involved in the file operation request within the file management structure of the first container.
  • the embodiment of the present invention adopts a separate VFS instance for each container and configures a separate file management structure for each container in the underlying file system; the technical solution built on this for file operations obtains the following technical effect:
  • each container is configured with a separate VFS instance and a separate file management structure, so each container can have a dedicated file system path. For file-related operations, file path conversion and access control and verification are not required, which reduces the complexity of operations and the system overhead.
  • FIG. 1 is a flowchart of a virtualization method according to an embodiment of the present invention.
  • FIG. 2 is a schematic structural diagram of a container and a file system according to an embodiment of the present invention.
  • FIG. 3 is a schematic diagram of a file system in an embodiment of the present invention.
  • FIG. 4a is a schematic diagram of a virtualization device according to an embodiment of the present invention.
  • FIG. 4b is a schematic diagram of a virtualization device according to another embodiment of the present invention.
  • FIG. 5 is a schematic diagram of a computer device according to an embodiment of the present invention.
  • the embodiment of the invention provides a virtualization method and device, and a computer device, so as to solve the defects of the existing container virtualization technology: it cannot truly isolate the files between the containers, its security is insufficient, its operation is complicated, and its overhead is high.
  • the virtualization system in this embodiment is a computer system, including: a hardware layer, and an operating system and a file system running on the hardware layer; the operating system is divided into a plurality of containers isolated from each other, each container being an isolated operation execution environment in which an application program runs; the file system can be divided into multiple file management structures independent of each other. Among them:
  • the hardware layer is the hardware platform in which the virtualized environment runs.
  • the hardware layer may include various hardware.
  • the hardware layer of a certain computing node may include a processor (such as a CPU) and a memory (such as RAM), and may also include a network card, storage, high-speed/low-speed input/output (I/O) devices, and other devices with specific processing functions, such as an input/output memory management unit (IOMMU).
  • a container is an isolated operation execution environment that is partitioned from the operating system, and each container can be considered part of an operating system (such as a Linux system). Applications from different users or organizations are executed in separate containers, so data isolation between containers can be provided. Compared to traditional virtualization, containers do not require instruction-level simulation or just-in-time translation: the container can run instructions natively on the CPU without any special interpretation mechanism. In addition, the container also avoids paravirtualization
  • the plurality of containers described above include a first container, and the first container may be any one of the plurality of containers.
  • the file system can be a file system integrated in the operating system or an externally mounted file system.
  • the file system needs to be improved so that each file system supports the following feature: the file system is allowed to be divided into multiple mutually independent file management structures, or, put another way, it is allowed to be divided into a plurality of mutually independent storage spaces.
  • the bottom layer may include multiple physical file systems, such as Ext4, etc.
  • a virtual file system (VFS) may be provided above the underlying file systems, and multiple VFSs may be used.
  • the VFS unifies the underlying file systems into one file system for users to use.
  • the upper-layer application can call the VFS layer through the library using an API (Application Programming Interface).
  • the VFS then maps the operation to the corresponding underlying file system.
  • VFS is the administrator of the file system and is created by the operating system in memory during initialization. VFS exists only in memory and does not exist in any external storage space. VFS is established at system startup and disappears when the system is shut down.
  • Referring to FIG. 1, an embodiment of the present invention provides a virtualization method for the above virtualization system. The method can include:
  • the operating system creates a separate virtual file system (VFS) instance for each of the plurality of containers, and configures a separate file management structure for each container in the file system through the VFS instance of each container.
  • the plurality of containers are thus respectively configured with mutually independent VFS instances, and the plurality of containers are respectively configured with mutually independent file management structures.
  • FIG. 2 is a schematic diagram of the architecture of a container and a file system in the embodiment of the present invention.
  • a computer operating system, such as a Linux system, configures a VFS instance for each container. By mounting in each container the VFS instance configured for it, each container and each VFS instance establish a unique matching relationship, and the application in each container can only call the VFS instance mounted in that container, not the VFS instances of other containers.
  • for example, VFS1 can be configured for Container1 and VFS2 for Container2.
  • FIG. 3 is a schematic diagram of a file system according to an embodiment of the present invention.
  • the file system is generally organized by means of a file management tree.
  • the file system in the existing computer system includes only one file management tree, which is shared by multiple containers, and the data of multiple containers can be interleaved anywhere in the file management tree.
  • the file system of the embodiment of the present invention is divided into a plurality of mutually independent file management trees by container, so that an independent file management tree is configured for each container as the file management structure configured for that container.
  • Each file management structure can be given a unique identification symbol by the computer operating system. For example, each file management structure can be identified by a serial number.
  • the file management structure of each container is configured for the container in the file system by the operating system through the VFS instance of the container.
  • a VFS instance of a container abstracts all the details of the container's file management structure. Therefore, each container's VFS instance and file management structure have a unique matching relationship, and each container's VFS instance can only call the file management structure of that container, and cannot call the file management structures of other containers.
  • the traditional single file management tree is divided into multiple tree structures, and the file system is thus divided into multiple file management structures.
  • the file management structure can also be divided in other forms.
  • the computer system supports mounting an external file system.
  • the external file system to be mounted needs to support the feature described above: within the file system, it is allowed to be divided into multiple independent file management structures in units of containers, so that each container is configured with a separate file management structure in that file system.
  • the mounted external file system is regarded as an independent underlying file system and is mounted in the container. Mounting an external file system is a major feature of the Linux file system.
  • the embodiment of the present invention supports the expansion of the file system by supporting the feature.
  • the computer operating system can configure a dedicated processing thread for each container.
  • the tasks of the various containers are each executed by different processing threads, thereby enabling multiple containers to have parallel processing capabilities.
  • the processing thread of a container is released back into the resource pool after the task is completed.
  • the operating system may allocate a dedicated processing thread to the first container of the plurality of containers, process the operations of the application in the first container with the processing thread dedicated to the first container, and, after all operations corresponding to the application in the first container have been processed, release the processing thread dedicated to the first container.
  • in the existing technology, the VFS needs to set a file system path conversion function for each container, for example: / -> /home/lxcl/ , /root -> /home/lxcl/root, and so on.
  • in the embodiment, each container is configured with a separate VFS instance, and a separate file management structure is configured for each container through the VFS instance of that container; therefore, no path conversion is required, and each container has its own fixed file system path.
  • when a file operation request is issued to the VFS instance of the first container, the VFS instance of the first container does not need to perform path conversion after receiving the file operation request; the file management structure of the first container can be directly invoked to operate on the file involved in the file operation request.
  • the operation on the file may include: when the operating system receives the file operation request issued by the application in the first container, calling the file system through the VFS instance of the first container and sending the file operation request to the file system; when the file system recognizes that the file operation request originates from the first container, it operates on the file involved in the file operation request within the file management structure of the first container.
  • container 1 is configured with a separate VFS instance 1, and in file system 1 it is configured with file management structure 1; the files of container 1 are placed in the corresponding file management structure 1. If the application in container 1 needs to operate on file 1, it issues a file operation request, which calls VFS instance 1, and file system 1 is called through VFS instance 1. The file operation request may carry the identifier of container 1 or of file management structure 1, so that file system 1 recognizes that the request originates from container 1 and operates on file 1 in file management structure 1.
  • each container's files are placed in the corresponding file management structure of that container, and each container's application can only operate on files in the file management structure of that container, through the VFS instance of that container; it cannot operate on other file management structures. Therefore, this solution can provide complete isolation between containers.
  • the technical solution of the present invention does not affect the performance of the file system within a single container, because within a file system a separate file management structure is configured for each container and a separate storage space is allocated, with independent inodes and directory entries (dentries); each container can only operate on its own part, and this does not increase the load within a single container.
  • the technical solution of the present invention can improve the parallelism of the file system.
  • the technical solution of the present invention divides the underlying file system into a plurality of file management structures in units of containers, and each file management structure is logically completely independent.
  • the operating system kernel can be configured with multiple kernel processing threads to handle kernel-related tasks.
  • each container can be configured with a dedicated processing thread to handle file operations in the container.
  • since each container is configured with a separate file management structure and a separate processing thread, when a container's processing thread works, only the file management structure of that container is locked, and other file management structures are not affected. Therefore, the processing threads of other containers can work at the same time, so that file operations between the containers in the system can be completely parallel.
  • the processing thread dedicated to the first container of the plurality of containers may send a lock request to the operating system when its work starts; after receiving the lock request, the operating system may lock the file management structure of the first container and prohibit other processing threads from accessing it. The processing thread dedicated to the first container may send an unlock request to the operating system when its work ends, and the operating system may unlock the file management structure of the first container after receiving the unlock request.
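As an added illustration (not code from the patent or from Huawei), the following C model ties together the isolation between containers and the per-container lock and unlock requests described above: each container has a VFS instance bound one-to-one to its own file management structure, the underlying file system refuses a request whose originating container does not own the structure, and a lock on one container's structure does not block another container's thread. The struct and function names, the OP_* return codes and the sample file names are assumptions of this model.

```c
#include <stdio.h>
#include <string.h>

#define MAX_FILES 8
#define NAME_LEN 32
#define NUM_CONTAINERS 2

enum { OP_OK = 0, OP_DENIED = -1, OP_NOLOCK = -2, OP_BUSY = -3, OP_FULL = -4, OP_NOENT = -5 };

/* One independent file management structure: the per-container tree, with its
   own entries (names stand in for the structure's inodes and dentries). */
typedef struct {
    int owner_container;   /* the container this structure is configured for */
    int lock_owner;        /* 0 = unlocked, else the container whose thread holds it */
    char names[MAX_FILES][NAME_LEN];
    int count;
} fms_t;

/* One VFS instance, mounted in exactly one container and bound to one structure. */
typedef struct { int container_id; fms_t *fms; } vfs_instance_t;

/* Lock request sent by a container's dedicated processing thread when it starts
   work, and the unlock request it sends when it finishes. */
static int thread_lock(fms_t *f, int container) {
    if (f->owner_container != container) return OP_DENIED;  /* not this container's tree */
    if (f->lock_owner != 0) return OP_BUSY;
    f->lock_owner = container;
    return OP_OK;
}
static int thread_unlock(fms_t *f, int container) {
    if (f->lock_owner != container) return OP_DENIED;
    f->lock_owner = 0;
    return OP_OK;
}

/* Underlying file system: a request is honoured only inside the structure that
   belongs to the originating container, and only while that container's
   dedicated thread holds the structure's lock. */
static int fs_check(const fms_t *f, int origin) {
    if (f->owner_container != origin) return OP_DENIED;
    if (f->lock_owner != origin) return OP_NOLOCK;
    return OP_OK;
}
static int fs_create(fms_t *f, int origin, const char *name) {
    int rc = fs_check(f, origin);
    if (rc != OP_OK) return rc;
    if (f->count >= MAX_FILES) return OP_FULL;
    snprintf(f->names[f->count++], NAME_LEN, "%s", name);
    return OP_OK;
}
/* Returns the entry index on success or a negative OP_* code. */
static int fs_lookup(const fms_t *f, int origin, const char *name) {
    int rc = fs_check(f, origin);
    if (rc != OP_OK) return rc;
    for (int i = 0; i < f->count; i++)
        if (strcmp(f->names[i], name) == 0) return i;
    return OP_NOENT;
}

/* VFS instance: no path rewriting; it forwards straight to its own structure,
   tagging the request with the container it is mounted in. */
static int vfs_create(const vfs_instance_t *v, const char *name) {
    return fs_create(v->fms, v->container_id, name);
}
static int vfs_lookup(const vfs_instance_t *v, const char *name) {
    return fs_lookup(v->fms, v->container_id, name);
}

/* OS setup: one structure and one VFS instance per container, matched 1:1
   (index 0 is unused so that container ids start at 1). */
static fms_t g_fms[NUM_CONTAINERS + 1];
static vfs_instance_t g_vfs[NUM_CONTAINERS + 1];
static void os_configure(void) {
    for (int c = 1; c <= NUM_CONTAINERS; c++) {
        memset(&g_fms[c], 0, sizeof g_fms[c]);
        g_fms[c].owner_container = c;
        g_vfs[c].container_id = c;
        g_vfs[c].fms = &g_fms[c];
    }
}

/* Walks the scenario from the text; returns 0 on success, else the failing step. */
int run_isolation_demo(void) {
    os_configure();
    /* both dedicated threads lock their own structures at once: work is parallel */
    if (thread_lock(&g_fms[1], 1) != OP_OK) return 1;
    if (thread_lock(&g_fms[2], 2) != OP_OK) return 2;
    /* each container works only through its own VFS instance (constructed names) */
    if (vfs_create(&g_vfs[1], "secret.txt") != OP_OK) return 3;
    if (vfs_create(&g_vfs[2], "notes.txt") != OP_OK) return 4;
    /* container 1's file is simply absent from container 2's tree */
    if (vfs_lookup(&g_vfs[2], "secret.txt") != OP_NOENT) return 5;
    /* a request aimed at another container's structure is refused outright */
    if (fs_lookup(&g_fms[2], 1, "notes.txt") != OP_DENIED) return 6;
    /* container 1's thread cannot take container 2's lock either */
    if (thread_lock(&g_fms[2], 1) != OP_DENIED) return 7;
    /* once the thread has unlocked, further work needs a new lock request */
    if (thread_unlock(&g_fms[1], 1) != OP_OK) return 8;
    if (vfs_create(&g_vfs[1], "late.txt") != OP_NOLOCK) return 9;
    if (thread_unlock(&g_fms[2], 2) != OP_OK) return 10;
    return 0;
}

int main(void) { return run_isolation_demo(); }
```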
  • the embodiment of the present invention adopts an independent VFS instance for each container and configures a separate file management structure for each container in the file system; when the application in any container performs an operation involving a file, the VFS instance of that container calls the file management structure of that container to operate on the file involved. This technical solution achieves the following technical effects:
  • each container is configured with a separate VFS instance and a separate file management structure, and thus has a fixed file system path; for file-related operations, there is no need to perform file path conversion or access control and verification, which reduces operational complexity and system overhead;
  • an embodiment of the present invention provides a virtualization device applied to a virtualization system, where the virtualization system includes: a hardware layer, and an operating system and a file system running on the hardware layer; the operating system is divided into a plurality of containers isolated from each other, each of the containers being an isolated operation execution environment for running an application program; the plurality of containers includes a first container, the first container being any one of the plurality of containers; the file system can be divided into a plurality of file management structures independent of each other; the virtualization device is embedded (or integrated) in the operating system;
  • the virtualization device can include:
  • the configuration module 410 is configured to cause the operating system to create a separate virtual file system (VFS) instance for each of the plurality of containers, and to configure, through the VFS instance of each container, a separate file management structure for each container in the file system, so that the plurality of containers are respectively configured with mutually independent VFS instances and with independent file management structures;
  • the operation module 420 is configured to cause the operating system, when it receives a file operation request issued by an application in the first container, to invoke, through the VFS instance of the first container, the file management structure of the first container to operate on the files involved in the file operation request.
  • the configuration module 420 is further configured to: cause the operating system to allocate a dedicated processing thread to the first container, process the operations of the application in the first container with the processing thread dedicated to the first container, and, after the operations corresponding to the application in the first container have been processed, cause the operating system to release the processing thread dedicated to the first container.
  • the system may further include a locking and unlocking module 430, configured to: cause the operating system, after receiving a lock request sent by the processing thread dedicated to the first container when it starts work, to lock the file management structure of the first container and prohibit other processing threads from accessing it; and cause the operating system, after receiving an unlock request sent by the processing thread dedicated to the first container when it finishes work, to unlock the file management structure of the first container.
  • the operation module 420 is specifically configured to: when the operating system receives a file operation request sent by an application in the first container, cause the operating system to call the file system through the VFS instance of the first container and send the file operation request to the file system, so that when the file system recognizes that the file operation request originates from the first container, it operates on the file involved in the file operation request within the file management structure of the first container.
  • the embodiment of the present invention adopts a separate VFS instance for each container and configures a separate file management structure for each container in the file system; when the application in any container performs an operation involving a file, the VFS instance of that container calls the file management structure of that container to operate on the files involved.
  • each container is configured with a separate VFS instance and a separate file management structure, so that it has a fixed file system path. For file-related operations, file path conversion and access control and verification are not required, which reduces operational complexity and system overhead.
  • an embodiment of the present invention further provides a computer storage medium, wherein the computer storage medium can store a program, and the program includes some or all of the steps of the virtualization method described in the foregoing method embodiments.
  • a computer device 500 may include:
  • a hardware layer including a processor 510, a memory 520, a communication interface 530 and a bus 540; the processor 510, the memory 520 and the communication interface 530 communicate with each other through the bus 540.
  • the communication interface 530 is configured to receive and transmit data; the memory 520 is configured to store a program; the processor 510 is configured to execute the program in the memory; and the operating system runs on the processor 510.
  • the operating system is divided into a plurality of containers isolated from each other, each of the containers being an isolated operation execution environment for running an application program; the plurality of containers includes a first container, the first container being any one of the plurality of containers; the file system can be divided into a plurality of file management structures independent of each other.
  • the processor 510 performs the following steps: creating a separate virtual file system (VFS) instance for each of the multiple containers, and configuring a separate file management structure for each container in the file system through the VFS instance of each container, so that the plurality of containers are respectively configured with mutually independent VFS instances and with mutually independent file management structures; and, on receiving a file operation request issued by an application in the first container, invoking the file management structure of the first container through the VFS instance of the first container to operate on the file involved in the file operation request.
  • the processor 510 may further perform the following steps: assigning a dedicated processing thread to the first container, processing the operations of the application in the first container with the processing thread dedicated to the first container, and after all operations corresponding to the application in the first container have been processed, releasing the processing thread dedicated to the first container.
  • the processor 510 may further perform the following steps: after receiving a lock request sent by the processing thread dedicated to the first container when it starts work, locking the file management structure of the first container and prohibiting other processing threads from accessing it; and after receiving an unlock request sent by the processing thread dedicated to the first container when it finishes work, unlocking the file management structure of the first container.
  • the processor 510 may further perform the following steps: when a file operation request issued by the application in the first container is received, calling the file system through the VFS instance of the first container and sending the file operation request to the file system, so that when the file system recognizes that the file operation request originates from the first container, it operates on the file involved in the file operation request within the file management structure of the first container.
  • the file management structure of each container operates independently of the respective files involved in their respective storage spaces.
  • the embodiment of the present invention adopts a separate VFS instance for each container, and configures a separate file management structure for each container in the file system, in any container.
  • the VFS instance of the container calls the file management structure of the container to operate the file involved, and the following technical effects are obtained:
  • each container is configured with a separate VFS instance and a separate file management structure, thus Has a fixed file system path, for file-related operations, without file path conversion and access Asking for permission control and verification reduces operational complexity and system overhead;
  • the program may be stored in a computer readable storage medium, and the storage medium may include: ROM, RAM, disk or CD, etc.


Abstract

A virtualization method and apparatus, and a computer device, are provided to solve the defects of existing container virtualization technology: files cannot be truly isolated between containers, security is insufficient, operations are complex and overheads are large. In some feasible embodiments of the present invention, the method comprises: an operating system creates an independent VFS instance for each of multiple containers and configures an independent file management structure for each container in a file system by means of that container's VFS instance, so that the multiple containers are separately configured with mutually independent VFS instances and with mutually independent file management structures; and when the operating system receives a file operation request sent by an application program in a first container among the multiple containers, it operates on the file related to the file operation request by invoking the file management structure of the first container by means of the VFS instance of the first container.

Description

Virtualization method and apparatus, and computer device
Technical field
The present invention relates to the field of computer technology, and in particular to a virtualization method and apparatus, and a computer device.
Background
Operating system virtualization is an emerging computer virtualization technology. Operating system virtualization, as defined by Gartner, means that a shared operating system allows multiple different applications to run in isolation under the control of a single copy of the operating system.
A container is a lightweight operating system virtualization technology. A container consists of process access control isolation technology and process group management control technology implemented in kernel mode, together with a complete set of user-mode management tools. Containers effectively partition the resources managed by a single operating system into isolated resource groups, so as to better balance conflicting resource demands between the isolated groups. By providing a way to create and enter a container, containers let the applications inside a container run as if on an independent operating system while still sharing many underlying system resources. There are many mature container products at present, for example LXC (Linux Container) for Linux systems.
In prior-art container-based operating system virtualization, multiple containers share the Virtual File System (VFS) and the underlying File Systems (FS); file isolation between containers is achieved by combining file path translation with an access permission control policy.
Here, the VFS is an interface layer between the file systems and the services above them. The VFS abstracts all the details of each Linux file system, so that different file systems look the same to the Linux kernel and to other processes running in the system. When operations on files are involved, the VFS maps those operations onto the corresponding file system. The underlying file systems are actual file systems such as Ext4, which are responsible for managing how data is read from and stored on disk.
Practice has shown that, because the underlying file system is shared between containers, the files of different containers are not truly isolated. Consequently, existing container virtualization technology cannot completely shield file operations between containers, and security is insufficient; in some special cases an upper-layer user or the kernel may break through this restriction and operate on the files of another container. Moreover, for operations involving files, existing container virtualization technology has to perform file path translation and access permission control and verification, which makes the operations complex and the overhead large.
Summary of the invention
Embodiments of the present invention provide a virtualization method and apparatus, and a computer device, to address the defects of existing container virtualization technology: files cannot be truly isolated between containers, so security is insufficient; and the operations are complex and the overhead is large.
A first aspect of the present invention provides a virtualization method for a virtualization system. The virtualization system includes a hardware layer, and an operating system and a file system running on the hardware layer; the operating system is divided into a plurality of containers isolated from each other, each container being an isolated operation execution environment in which applications run; the plurality of containers includes a first container, which is any one of the plurality of containers; and the file system can be divided into a plurality of mutually independent file management structures. The virtualization method includes: the operating system creates an independent virtual file system (VFS) instance for each of the plurality of containers, and configures an independent file management structure for each container in the file system through that container's VFS instance, so that the plurality of containers are configured with mutually independent VFS instances and with mutually independent file management structures; and when the operating system receives a file operation request issued by an application in the first container, it invokes the file management structure of the first container through the VFS instance of the first container to operate on the file involved in the file operation request.
In a first possible implementation, the method further includes: the operating system allocates a dedicated processing thread to the first container; the processing thread dedicated to the first container processes the operations of the applications in the first container; and after all operations corresponding to the applications in the first container have been processed, the processing thread dedicated to the first container is released.
With reference to the first possible implementation of the first aspect, in a second possible implementation the method further includes: after the operating system receives a lock request sent by the processing thread dedicated to the first container when that thread starts work, the operating system locks the file management structure of the first container and forbids other processing threads from accessing it; and after the operating system receives an unlock request sent by the processing thread dedicated to the first container when that thread finishes work, the operating system unlocks the file management structure of the first container.
With reference to the first aspect or its first or second possible implementation, in a third possible implementation, invoking the file management structure of the first container through the VFS instance of the first container to operate on the file involved in the file operation request includes: invoking the file system through the VFS instance of the first container and sending the file operation request to the file system, so that when the file system recognizes that the file operation request originates from the first container, it operates on the file involved in the request within the file management structure of the first container.
A second aspect of the present invention provides a virtualization apparatus applied to a virtualization system. The virtualization system includes a hardware layer, and an operating system and a file system running on the hardware layer; the operating system is divided into a plurality of containers isolated from each other, each container being an isolated operation execution environment in which applications run; the plurality of containers includes a first container, which is any one of the plurality of containers; and the file system can be divided into a plurality of mutually independent file management structures. The virtualization apparatus is embedded in the operating system and includes: a configuration module, configured to cause the operating system to create an independent virtual file system (VFS) instance for each of the plurality of containers and to configure, through each container's VFS instance, an independent file management structure for each container in the file system, so that the plurality of containers are configured with mutually independent VFS instances and with mutually independent file management structures; and an operation module, configured to cause the operating system, when it receives a file operation request issued by an application in the first container, to invoke the file management structure of the first container through the VFS instance of the first container to operate on the file involved in the file operation request.
In a first possible implementation, the configuration module is further configured to cause the operating system to allocate a dedicated processing thread to the first container, so that the processing thread dedicated to the first container processes the operations of the applications in the first container, and to cause the operating system to release the processing thread dedicated to the first container after all operations corresponding to the applications in the first container have been processed.
With reference to the first possible implementation of the second aspect, in a second possible implementation the apparatus further includes a locking and unlocking module, configured to cause the operating system, after it receives a lock request sent by the processing thread dedicated to the first container when that thread starts work, to lock the file management structure of the first container and forbid other processing threads from accessing it; and to cause the operating system, after it receives an unlock request sent by the processing thread dedicated to the first container when that thread finishes work, to unlock the file management structure of the first container.
With reference to the second aspect or its first or second possible implementation, in a third possible implementation the operation module is specifically configured to cause the operating system, when it receives a file operation request issued by an application in the first container, to invoke the file system through the VFS instance of the first container and send the file operation request to the file system, so that when the file system recognizes that the file operation request originates from the first container, it operates on the file involved in the request within the file management structure of the first container.
A third aspect of the present invention provides a computer device, including a hardware layer, and an operating system and a file system running on the hardware layer. The hardware layer includes a processor, a memory, a communication interface and a bus; the processor, the memory and the communication interface communicate with each other through the bus; the communication interface is configured to receive and send data; the memory is configured to store a program; the processor is configured to execute the program in the memory; and the operating system runs in the processor. The operating system is divided into a plurality of containers isolated from each other, each container being an isolated operation execution environment in which applications run; the plurality of containers includes a first container, which is any one of the plurality of containers; and the file system can be divided into a plurality of mutually independent file management structures. The processor performs the following steps: creating an independent virtual file system (VFS) instance for each of the plurality of containers, and configuring an independent file management structure for each container in the file system through that container's VFS instance, so that the plurality of containers are configured with mutually independent VFS instances and with mutually independent file management structures; and when a file operation request issued by an application in the first container is received, invoking the file management structure of the first container through the VFS instance of the first container to operate on the file involved in the file operation request.
In a first possible implementation, the processor further performs the following steps: allocating a dedicated processing thread to the first container, processing the operations of the applications in the first container with that dedicated processing thread, and releasing the processing thread dedicated to the first container after all operations corresponding to the applications in the first container have been processed.
With reference to the first possible implementation of the third aspect, in a second possible implementation the processor further performs the following steps: after receiving a lock request sent by the processing thread dedicated to the first container when that thread starts work, locking the file management structure of the first container and forbidding other processing threads from accessing it; and after receiving an unlock request sent by the processing thread dedicated to the first container when that thread finishes work, unlocking the file management structure of the first container.
With reference to the third aspect or its first or second possible implementation, in a third possible implementation the processor further performs the following steps: when a file operation request issued by an application in the first container is received, invoking the file system through the VFS instance of the first container and sending the file operation request to the file system, so that when the file system recognizes that the file operation request originates from the first container, it operates on the file involved in the request within the file management structure of the first container.
As can be seen from the above, the embodiments of the present invention configure an independent VFS instance for each container and, in the underlying file system, an independent file management structure for each container, and perform operations involving files through them, which yields the following technical effects:
On the one hand, by configuring an independent VFS instance and an independent file management structure for each container, true file isolation is achieved between containers; file operations between containers can be completely shielded, which improves security. On the other hand, because each container has an independent VFS instance and an independent file management structure, each container can have a dedicated file system path; for operations involving files, no file path translation and no access permission control and verification are needed, which reduces operational complexity and system overhead.
Brief description of the drawings
In order to illustrate the technical solutions of the embodiments of the present invention more clearly, the drawings needed in the description of the embodiments and of the prior art are briefly introduced below. Obviously, the drawings described below show only some embodiments of the present invention, and a person of ordinary skill in the art can derive other drawings from them without creative effort.
FIG. 1 is a flowchart of a virtualization method according to an embodiment of the present invention;
FIG. 2 is a schematic diagram of the architecture of the containers and the file system in an embodiment of the present invention;
FIG. 3 is a schematic diagram of the file system in an embodiment of the present invention;
FIG. 4a is a schematic diagram of a virtualization apparatus according to an embodiment of the present invention;
FIG. 4b is a schematic diagram of a virtualization apparatus according to another embodiment of the present invention;
FIG. 5 is a schematic diagram of a computer device according to an embodiment of the present invention.
Detailed description of embodiments
Embodiments of the present invention provide a virtualization method and apparatus, and a computer device, to address the defects of existing container virtualization technology: files cannot be truly isolated between containers, so security is insufficient; and the operations are complex and the overhead is large.
In order to make those skilled in the art understand the solutions of the present invention better, the technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the accompanying drawings. Obviously, the described embodiments are only some, not all, of the embodiments of the present invention. All other embodiments obtained by a person of ordinary skill in the art based on the embodiments of the present invention without creative effort fall within the protection scope of the present invention.
Detailed descriptions are given below through specific embodiments. First, the virtualization system involved in the technical solution of the present invention is briefly introduced. The virtualization system in this embodiment is a computer system including a hardware layer, and an operating system and a file system running on the hardware layer; the operating system is divided into a plurality of containers isolated from each other, each container being an isolated operation execution environment in which applications run; and the file system can be divided into a plurality of mutually independent file management structures. Here:
The hardware layer is the hardware platform on which the virtualized environment runs. The hardware layer may include various hardware; for example, the hardware layer of a computing node may include a processor (such as a CPU) and a memory (such as RAM), and may also include high-speed and low-speed input/output (I/O) devices such as network cards and storage devices, as well as other devices with specific processing functions, such as an input/output memory management unit (IOMMU), which can be used to translate between virtual machine physical addresses and host physical addresses.
A container is an isolated operation execution environment partitioned out of the operating system; each container can be regarded as part of the operating system (for example, a Linux system). The applications of different users or organizations execute in different containers. Containers can provide data isolation from one another. Compared with traditional virtualization, containers need neither instruction-level emulation nor just-in-time translation. A container can run instructions natively on the core CPU without any special interpretation mechanism. In addition, containers avoid the complexity of paravirtualization and of system call replacement. For ease of description, this document assumes that the plurality of containers includes a first container, which may be any one of the plurality of containers.
The file system may be a file system integrated in the operating system or an externally mounted file system. In the embodiments of the present invention, the file system needs to be improved so that every file system supports the following property: the file system must allow itself to be divided into multiple mutually independent file management structures, or in other words, into multiple mutually independent storage spaces.
In a computer system, the bottom layer may include multiple physical file systems, such as Ext4. To let multiple underlying file systems work uniformly, a virtual file system (VFS) may be placed above them; the VFS abstracts the multiple underlying file systems into one file system for users. Upper-layer applications call the VFS layer through libraries using an API (Application Programming Interface), and the VFS maps the operations onto the corresponding underlying file system. The VFS is the manager of the file systems and is created in memory by the operating system at initialization. The VFS exists only in memory, not in any external storage; it is established at system startup and disappears at system shutdown. Referring to FIG. 1, an embodiment of the present invention provides a virtualization method for the above virtualization system. The method may include:
110. The operating system creates an independent virtual file system (VFS) instance for each of the plurality of containers, and through each container's VFS instance configures an independent file management structure for each container in the file system, so that the plurality of containers are configured with mutually independent VFS instances and with mutually independent file management structures.
FIG. 2 is a schematic diagram of the architecture of the containers and the file system in an embodiment of the present invention. Whereas in the prior art all containers share one VFS instance, in the embodiments of the present invention a computer operating system such as Linux can create multiple VFS instances and thereby configure an independent VFS instance for each container. By mounting the VFS instance configured for each container inside that container, a unique one-to-one correspondence is established between each container and its VFS instance: the applications in a container can only call the VFS instance mounted in that container and cannot call the VFS instances of other containers. For example, in FIG. 2, VFS1 can be configured for Container1 and VFS2 for Container2.
如图 3所示, 是本发明实施例文件***的示意图, 文件***一般采用文件 管理树的方式组织。 现有计算机***中的文件***, 只包括一颗文件管理树, 共享给多个容器使用, 多个容器的数据可交错存放在文件管理树的任意位置。 如图 3所示, 本发明实施例的文件***, 以容器为单位, 划分出多颗相互独立 的文件管理树,从而为每个容器配置一个独立的文件管理树,作为配置给容器 的文件管理结构。 每个文件管理结构可被计算机操作***赋予唯一的标识符 号, 例如, 可以用序列号标识各个文件管理结构。 其中, 每个容器的文件管理结构, 是由操作***通过该容器的 VFS实例在 文件***内配置给该容器的。 某个容器的 VFS实例, 对该容器的文件管理结构 的所有细节进行抽象, 因此, 每个容器的 VFS实例和文件管理结构具有唯一对 应的匹配关系, 每个容器的 VFS实例只能调用该容器的文件管理结构, 而不能 调用其他容器的文件管理结构。 As shown in FIG. 3, it is a schematic diagram of a file system according to an embodiment of the present invention. The file system is generally organized by means of a file management tree. The file system in the existing computer system includes only one file management tree, which is shared for use by multiple containers, and data of multiple containers can be interleaved anywhere in the file management tree. As shown in FIG. 3, the file system of the embodiment of the present invention divides a plurality of mutually independent file management trees by a container, thereby configuring an independent file management tree for each container as a file management configured for the container. structure. Each file management structure can be given a unique identification symbol by the computer operating system. For example, each file management structure can be identified by a serial number. The file management structure of each container is configured by the operating system to the container in the file system through the VFS instance of the container. A VFS instance of a container abstracts all the details of the container's file management structure. Therefore, each container's VFS instance and file management structure have a unique matching relationship, and each container's VFS instance can only call the container. The file management structure, and can not call the file management structure of other containers.
由上可见, 本发明技术方案是从文件***的角度为容器虚拟化进行设计、 适配。 通过为容器设置独立的 VFS实例和独立的文件管理结构, 使每个容器只 可以操作各自的文件。  It can be seen from the above that the technical solution of the present invention designs and adapts container virtualization from the perspective of a file system. By setting up separate VFS instances and separate file management structures for the container, each container can only manipulate its own files.
需要说明的是, 本发明实施例中, 采用将传统的单一的文件管理树划分为 多树的结构, 实现将文件***划分为多个文件管理结构。 但是, 在以其它形式 组织的文件***中, 也可以采用其它形式划分文件管理结构。  It should be noted that, in the embodiment of the present invention, the traditional single file management tree is divided into multiple tree structures, and the file system is divided into multiple file management structures. However, in a file system organized in other forms, the file management structure can also be divided in other forms.
本发明实施例中,计算机***支持挂载外部文件***。所挂载的外部文件 ***, 需要按照上文所述, 支持如下特性: 在文件***内部, 允许以容器为单 位, 划分为多个相互独立的文件管理结构, 以支持在文件***内为每个容器配 置一个独立的文件管理结构。 本发明实施例中, 所挂载的外部文件***会被视 为独立的底层文件***, 挂载到容器中来。 挂载外部文件***是 Linux文件系 统的一大特点, 本发明实施例通过支持该特性, 以实现对文件***的扩展。  In the embodiment of the invention, the computer system supports mounting an external file system. The external file system to be mounted needs to support the following features as described above: Within the file system, it is allowed to be divided into multiple independent file management structures in units of containers to support each file system. The container is configured with a separate file management structure. In the embodiment of the present invention, the mounted external file system is regarded as an independent underlying file system and is mounted in the container. Mounting an external file system is a major feature of the Linux file system. The embodiment of the present invention supports the expansion of the file system by supporting the feature.
本发明实施例中, 为了提高***性能, 以及提供对容器并行操作的支持, 优选采用具有多核或众核处理器的计算机***,计算机操作***可为每个容器 配置置一个专用的处理线程, 使各个容器的任务分別由不同的处理线程执行, 从而使多个容器具有并行处理的能力。其中, 某个容器的处理线程在任务完成 后, 会被释放回资源池中。 例如: 所述操作***可以为上述多个容器中的第一 容器分配一个专用的处理线程, 由所述第一容器专用的处理线程,对所述第一 容器中应用程序的操作进行处理,并在对应于所述第一容器中应用程序的所有 操作处理完毕后, 释放所述第一容器专用的处理线程。  In the embodiment of the present invention, in order to improve system performance and provide support for parallel operation of the container, it is preferable to use a computer system having a multi-core or many-core processor, and the computer operating system can configure a dedicated processing thread for each container configuration. The tasks of the various containers are each executed by different processing threads, thereby enabling multiple containers to have parallel processing capabilities. The processing thread of a container is released back into the resource pool after the task is completed. For example: the operating system may allocate a dedicated processing thread to the first container of the plurality of containers, and process the operation of the application in the first container by the processing thread dedicated to the first container, and After processing all operations corresponding to the application in the first container, the processing thread dedicated to the first container is released.
120. When the operating system receives a file operation request issued by an application in the first container, it calls the first container's file management structure through the first container's VFS instance to operate on the file involved in the request.

In the prior art, because multiple containers share the VFS and the underlying file system, the VFS must set up a file system path translation for each container for operations involving files, for example: / -> /home/lxc1/, /root -> /home/lxc1/root, and so on.

In this embodiment, by contrast, each container is configured with its own VFS instance, through which it is configured with its own file management structure; no path translation needs to be configured, and each container has its own fixed file system paths.

When an application in a container, for example the first container, needs to perform an operation involving a file, it issues a file operation request to the first container's VFS instance. On receiving the request, the first container's VFS instance needs no path translation and can directly call the first container's file management structure to operate on the file involved in the request.

Specifically, the step in which the operating system, on receiving a file operation request issued by an application in the first container, calls the first container's file management structure through the first container's VFS instance to operate on the file involved may include: when the operating system receives the file operation request issued by the application in the first container, it calls the file system through the first container's VFS instance and sends the file operation request to the file system, so that when the file system identifies that the request originates from the first container, it operates on the file involved in the request within the first container's file management structure.

Assume that container 1 is configured with an independent VFS instance 1, and that VFS instance 1 has divided off an independent file management structure 1 within file system 1; then all files of container 1 are placed in the corresponding file management structure 1. If an application in container 1 needs to operate on file 1, it issues a file operation request that calls VFS instance 1, and VFS instance 1 calls file system 1. The file operation request may carry the identifier of container 1 or of file management structure 1 so that file system 1 can recognize it, and file system 1 then operates on file 1 within file management structure 1.

Thus each container's files are placed in that container's file management structure, and an application in a container can, only through that container's VFS instance, call the file system to operate on files in that container's file management structure; it cannot operate on other file management structures. The solution therefore provides complete isolation between containers.

It should be noted that in this solution, if two or more containers have files with the same name, then although the names are identical the files belong to different containers and different file management structures and are allocated in different storage spaces; that is, same-named files are treated as different files, operated on independently by their respective containers.

Moreover, the solution does not affect the performance of the file system within an individual container, because within one file system each container is configured with an independent file management structure, with its own storage space and its own index nodes (inodes) and directory entries (dentries); each container can operate only on its own part, and this does not increase the load inside a single container.

In addition, the solution improves the parallelism of the file system.

In the prior art the underlying file system is fully shared by the containers, so a file operation in one container locks the entire file system, and the processing thread of another container can only wait when it has a task; the two containers cannot run fully in parallel.

This solution divides the underlying file system, with the container as the unit, into multiple file management structures, each of which is logically completely independent. The operating system kernel can be configured with multiple kernel processing threads dedicated to kernel-related work; here, a dedicated processing thread can be configured for each container to handle the file operation transactions inside that container.

Because each container is configured with an independent file management structure and an independent processing thread, when a container's processing thread works it locks only that container's file management structure and does not affect the other file management structures; the processing threads of the other containers can therefore work at the same time, so file operations of different containers in the system can be fully parallel.

Specifically, when the dedicated processing thread of the first container starts work it may send a lock request to the operating system; on receiving the lock request, the operating system locks the first container's file management structure and forbids other processing threads from accessing it. When the first container's dedicated processing thread finishes work it may send an unlock request to the operating system, which on receiving it unlocks the first container's file management structure.
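The request dispatch of step 120 (a request enters through its container's own VFS instance, tagged with the container's identifier, and is resolved only inside that container's file management structure, so same-named files in two containers are distinct) and the per-structure locking of the preceding paragraph, as an added example that is not the patent's code: a small C model with one file system holding one file management structure per container, one VFS instance bound to each container id, and a lock request that locks only the requesting container's structure. For contrast, the prior-art path rewrite / -> /home/lxc1/ mentioned earlier is modelled next to it. Every name here (file_mgmt_struct, fs_create, fs_lookup, vfs_open, fs_lock, fs_unlock, prior_art_translate), the array sizes, the use of name strings in place of real dentries and inodes, and the rejection of ".." in the prior-art rewrite are assumptions of this model, not details from the page.

```c
#include <stdio.h>
#include <string.h>

#define MAX_CONTAINERS 4   /* assumption: small fixed container count */
#define MAX_FILES      8   /* assumption: files per management structure */
#define NAME_LEN       64

/* One file management structure per container: own inodes, own serial number (id),
 * own lock (locked_by = id of the thread holding it, 0 = free). */
struct file_mgmt_struct {
    int  id, locked_by, nfiles;
    char name[MAX_FILES][NAME_LEN];
    int  inode[MAX_FILES];
};
/* One file system divided, per container, into independent structures. */
struct file_system {
    struct file_mgmt_struct tree[MAX_CONTAINERS];
    int next_inode;
};
/* A VFS instance bound to exactly one container (1-based: Container1, Container2). */
struct vfs_instance {
    int container_id;
    struct file_system *fs;
};

void fs_init(struct file_system *fs)
{
    memset(fs, 0, sizeof *fs);
    fs->next_inode = 1;
    for (int i = 0; i < MAX_CONTAINERS; i++) fs->tree[i].id = i + 1;
}

static struct file_mgmt_struct *fs_tree(struct file_system *fs, int container_id)
{
    if (container_id < 1 || container_id > MAX_CONTAINERS) return NULL;
    return &fs->tree[container_id - 1];
}

/* Create a file in the requesting container's own structure; returns inode or -1. */
int fs_create(struct file_system *fs, int container_id, const char *path)
{
    struct file_mgmt_struct *t = fs_tree(fs, container_id);
    if (t == NULL || t->nfiles == MAX_FILES) return -1;
    snprintf(t->name[t->nfiles], NAME_LEN, "%s", path);
    t->inode[t->nfiles] = fs->next_inode++;
    return t->inode[t->nfiles++];
}

/* Resolve a path only inside the structure identified by container_id. */
int fs_lookup(struct file_system *fs, int container_id, const char *path)
{
    struct file_mgmt_struct *t = fs_tree(fs, container_id);
    if (t == NULL) return -1;
    for (int i = 0; i < t->nfiles; i++)
        if (strcmp(t->name[i], path) == 0) return t->inode[i];
    return -1;   /* not visible from this container */
}

/* Step 120: the request enters through the container's own VFS instance and is
 * tagged with that container's id, so no path rewriting is needed. */
int vfs_open(const struct vfs_instance *vfs, const char *path)
{
    return fs_lookup(vfs->fs, vfs->container_id, path);
}

/* Lock request from a container's dedicated thread: only that container's
 * structure is locked; other structures stay available. Returns 0 or -1. */
int fs_lock(struct file_system *fs, int container_id, int thread_id)
{
    struct file_mgmt_struct *t = fs_tree(fs, container_id);
    if (t == NULL || (t->locked_by != 0 && t->locked_by != thread_id)) return -1;
    t->locked_by = thread_id;
    return 0;
}
int fs_unlock(struct file_system *fs, int container_id, int thread_id)
{
    struct file_mgmt_struct *t = fs_tree(fs, container_id);
    if (t == NULL || t->locked_by != thread_id) return -1;
    t->locked_by = 0;
    return 0;
}

/* Prior-art contrast: one shared tree plus a per-container rewrite such as
 * "/" -> "/home/lxc1/". Confinement then rests on the rewrite being escape-proof;
 * this model simply rejects ".." (an assumption of the model, not the text's rule). */
int prior_art_translate(int container_id, const char *path, char *out, size_t n)
{
    if (path[0] != '/' || strstr(path, "..") != NULL) return -1;
    snprintf(out, n, "/home/lxc%d%s", container_id, path);
    return 0;
}
```

Driving the model shows the three properties the text claims: creating /etc/passwd through Container1 and through Container2 yields two different inodes in two different structures; a path created in Container1's structure is simply absent when resolved through Container2's VFS instance, with no path translation or permission check involved; and a lock held by Container1's thread on Container1's structure does not prevent Container2's thread from locking its own structure, while a second thread is refused access to the locked structure until it is unlocked. The prior-art rewrite, by contrast, produces the same /home/lxc1/... prefix the text quotes and has to reject traversal components itself to keep its confinement.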
It should be noted that in this embodiment, although the containers are isolated from one another and cannot directly operate on each other's files, files may still be shared between containers through network sharing or a similar sharing mechanism.

It will be understood that the above solution of this embodiment may be implemented, for example, in a computer device.

As can be seen, this embodiment configures an independent VFS instance for each container and an independent file management structure for each container in the file system, and when an application in any container performs an operation involving a file, that container's file management structure is called through that container's VFS instance to operate on the file. This technical solution achieves the following technical effects:

First, by configuring an independent VFS instance and an independent file management structure for each container, genuine file isolation is achieved between the containers: file operations across containers are completely blocked, which improves security. In the prior art the containers share a file system and the isolation between containers is implemented at the operating system level, so the isolation is weak and easily broken; in this embodiment the isolation between containers is implemented at the file system level and is truly complete.

Second, because each container is configured with an independent VFS instance and an independent file management structure and therefore has fixed file system paths, operations involving files require no file path translation and no access permission control or checking, which reduces operational complexity and system overhead.

Third, on the basis of the independent VFS instance and file management structure configured for each container, an independent processing thread is configured for each container, so that multiple containers can operate fully in parallel.

Fourth, the technical solution shares the storage space of the operating system, making maximum use of the storage space of the file system.

To better implement the above solution of this embodiment, related apparatus for implementing the solution is provided below.
Referring to FIG. 4a, an embodiment of the present invention provides a virtualization apparatus for a virtualization system. The virtualization system includes a hardware layer, and an operating system and a file system running on the hardware layer; the operating system is divided into multiple containers isolated from each other, each container being an isolated operation execution environment for running applications; the multiple containers include a first container, which is any one of the multiple containers; the file system can be divided into multiple mutually independent file management structures; and the virtualization apparatus is embedded (or integrated) in the operating system.

The virtualization apparatus may include:

a configuration module 410, configured to cause the operating system to create an independent virtual file system (VFS) instance for each of the multiple containers and to configure, through each container's VFS instance, an independent file management structure for each container in the file system, so that the multiple containers are each configured with mutually independent VFS instances and with mutually independent file management structures; and

an operation module 420, configured to cause the operating system, when it receives a file operation request issued by an application in the first container, to call the first container's file management structure through the first container's VFS instance to operate on the file involved in the request.

In some embodiments of the present invention, the configuration module 410 is further configured to cause the operating system to allocate a dedicated processing thread to the first container, so that the first container's dedicated processing thread processes the operations of the application in the first container, and, after all operations corresponding to the application in the first container have been processed, to cause the operating system to release the first container's dedicated processing thread.

As shown in FIG. 4b, in some embodiments the apparatus may further include a locking and unlocking module 430, configured to cause the operating system, on receiving the lock request sent by the first container's dedicated processing thread when it starts work, to lock the first container's file management structure and forbid other processing threads from accessing it; and, on receiving the unlock request sent by the first container's dedicated processing thread when it finishes work, to unlock the first container's file management structure.

In some embodiments, the operation module 420 is specifically configured to cause the operating system, when it receives a file operation request issued by an application in the first container, to call the file system through the first container's VFS instance and to send the file operation request to the file system, so that when the file system identifies that the request originates from the first container, it operates on the file involved in the request within the first container's file management structure.

It will be understood that the functions of the functional modules of the virtualization apparatus of this embodiment may be implemented according to the methods of the method embodiments above; for the specific implementation process, refer to the related description of those method embodiments, which is not repeated here.

As can be seen, this embodiment configures an independent VFS instance for each container and an independent file management structure for each container in the file system, and when an application in any container performs an operation involving a file, that container's file management structure is called through that container's VFS instance to operate on the file. This technical solution achieves the following technical effects:

First, by configuring an independent VFS instance and an independent file management structure for each container, genuine file isolation is achieved between the containers: file operations across containers are completely blocked, which improves security. Second, because each container is configured with an independent VFS instance and an independent file management structure and therefore has fixed file system paths, operations involving files require no file path translation and no access permission control or checking, which reduces operational complexity and system overhead.

Third, on the basis of the independent VFS instance and file management structure configured for each container, an independent processing thread is configured for each container, so that multiple containers can operate fully in parallel. Fourth, the technical solution shares the storage space of the operating system, making maximum use of the storage space of the file system.

An embodiment of the present invention further provides a computer storage medium that can store a program; when executed, the program performs some or all of the steps of the virtualization method described in the method embodiments above.

Referring to FIG. 5, an embodiment of the present invention further provides a computer device 500, which may include:
a hardware layer, including a processor 510, a memory 520, a communication interface 530 and a bus 540, where the processor 510, the memory 520 and the communication interface 530 communicate with each other through the bus 540; the communication interface 530 is used to receive and send data; the memory 520 is used to store a program; the processor 510 is used to execute the program in the memory; and the operating system runs on the processor 510. The operating system is divided into multiple containers isolated from each other, each container being an isolated operation execution environment for running applications; the multiple containers include a first container, which is any one of the multiple containers; and the file system can be divided into multiple mutually independent file management structures.

The processor 510 performs the following steps: creating an independent virtual file system (VFS) instance for each of the multiple containers, and configuring, through each container's VFS instance, an independent file management structure for each container in the file system, so that the multiple containers are each configured with mutually independent VFS instances and with mutually independent file management structures; and, on receiving a file operation request issued by an application in the first container, calling the first container's file management structure through the first container's VFS instance to operate on the file involved in the request.

In some embodiments of the present invention, the processor 510 may further perform the following steps: allocating a dedicated processing thread to the first container, processing the operations of the application in the first container with that dedicated thread, and releasing the first container's dedicated processing thread after all operations corresponding to the application in the first container have been processed.

In some embodiments, the processor 510 may further perform the following steps: on receiving the lock request sent by the first container's dedicated processing thread when it starts work, locking the first container's file management structure and forbidding other processing threads from accessing it; and, on receiving the unlock request sent by the first container's dedicated processing thread when it finishes work, unlocking the first container's file management structure.

In some embodiments, the processor 510 may further perform the following steps: on receiving a file operation request issued by an application in the first container, calling the file system through the first container's VFS instance and sending the file operation request to the file system, so that when the file system identifies that the request originates from the first container, it operates on the file involved in the request within the first container's file management structure.

In some embodiments, if the operations of two or more containers involve files with the same name, the file management structure of each container operates independently, in its own storage space, on the file that concerns it.

It will be understood that the functions of the functional modules of the computer device of this embodiment may be implemented according to the methods of the method embodiments above; for the specific implementation process, refer to the related description of those method embodiments, which is not repeated here.

As can be seen, in some feasible implementations of the present invention, an independent VFS instance is configured for each container and an independent file management structure is configured for each container in the file system, and when an application in any container performs an operation involving a file, that container's VFS instance calls that container's file management structure to operate on the file. This technical solution achieves the following technical effects: first, by configuring an independent VFS instance and an independent file management structure for each container, genuine file isolation is achieved between the containers, file operations across containers are completely blocked, and security is improved; second, because each container is configured with an independent VFS instance and an independent file management structure and therefore has fixed file system paths, operations involving files require no file path translation and no access permission control or checking, which reduces operational complexity and system overhead;

third, on the basis of the independent VFS instance and file management structure configured for each container, an independent processing thread is configured for each container, so that multiple containers can operate fully in parallel; and fourth, the technical solution shares the storage space of the operating system, making maximum use of the storage space of the file system.

In the above embodiments the description of each embodiment has its own emphasis; for parts not described in detail in one embodiment, refer to the related descriptions of the other embodiments.

It should be noted that, for brevity of description, the foregoing method embodiments are each expressed as a series of combined actions, but those skilled in the art should understand that the present invention is not limited by the described order of actions, since according to the present invention some steps may be performed in another order or concurrently. Those skilled in the art should also understand that the embodiments described in the specification are all preferred embodiments, and that the actions and modules involved are not necessarily required by the present invention.

Those of ordinary skill in the art will understand that all or part of the steps of the methods of the above embodiments may be completed by a program instructing the related hardware; the program may be stored in a computer-readable storage medium, which may include a ROM, a RAM, a magnetic disk, an optical disc, and the like.

The virtualization method and apparatus and the computer device provided by the embodiments of the present invention have been described above. The description of the embodiments is provided only to aid understanding of the method of the present invention and its core idea; at the same time, those of ordinary skill in the art may, following the idea of the present invention, make changes to the specific implementation and to the scope of application. In summary, the contents of this specification should not be construed as limiting the present invention.

Claims

1. A virtualization method, characterized in that it is used in a virtualization system;
the virtualization system comprises: a hardware layer, and an operating system and a file system running on the hardware layer; the operating system is divided into a plurality of containers isolated from one another, each of the containers being an isolated operation execution environment for running application programs; the plurality of containers comprises a first container, the first container being any one of the plurality of containers; the file system can be divided into a plurality of mutually independent file management structures;
the virtualization method comprises:
the operating system creating an independent virtual file system (VFS) instance for each container of the plurality of containers, and configuring, through the VFS instance of each container, an independent file management structure for each container in the file system, so that the plurality of containers are respectively configured with mutually independent VFS instances and the plurality of containers are respectively configured with mutually independent file management structures;
when the operating system receives a file operation request issued by an application program in the first container, invoking, through the VFS instance of the first container, the file management structure of the first container to operate on the file involved in the file operation request.
2. The method according to claim 1, further comprising:
the operating system allocating a dedicated processing thread to the first container; the dedicated processing thread of the first container processing the operations of the application programs in the first container; and, after all operations corresponding to the application programs in the first container have been processed, releasing the dedicated processing thread of the first container.
3. The method according to claim 2, characterized in that:
after receiving a lock request sent by the dedicated processing thread of the first container when it starts work, the operating system locks the file management structure of the first container and prohibits other processing threads from accessing the file management structure of the first container;
after receiving an unlock request sent by the dedicated processing thread of the first container when it finishes work, the operating system unlocks the file management structure of the first container.
4. The method according to any one of claims 1 to 3, characterized in that invoking, through the VFS instance of the first container, the file management structure of the first container to operate on the file involved in the file operation request comprises:
invoking the file system through the VFS instance of the first container and sending the file operation request to the file system, so that when the file system identifies that the file operation request originates from the first container, it operates on the file involved in the file operation request within the file management structure of the first container.
5. A virtualization apparatus, characterized in that it is applied to a virtualization system;
the virtualization system comprises: a hardware layer, and an operating system and a file system running on the hardware layer; the operating system is divided into a plurality of containers isolated from one another, each of the containers being an isolated operation execution environment for running application programs; the plurality of containers comprises a first container, the first container being any one of the plurality of containers; the file system can be divided into a plurality of mutually independent file management structures; the virtualization apparatus is embedded in the operating system;
the virtualization apparatus comprises:
a configuration module, configured to cause the operating system to create an independent virtual file system (VFS) instance for each container of the plurality of containers, and to cause the operating system to configure, through the VFS instance of each container, an independent file management structure for each container in the file system, so that the plurality of containers are respectively configured with mutually independent VFS instances and the plurality of containers are respectively configured with mutually independent file management structures;
an operation module, configured to, when the operating system receives a file operation request issued by an application program in the first container, cause the operating system to invoke, through the VFS instance of the first container, the file management structure of the first container to operate on the file involved in the file operation request.
6. The apparatus according to claim 5, characterized in that:
the configuration module is further configured to cause the operating system to allocate a dedicated processing thread to the first container, the dedicated processing thread of the first container processing the operations of the application programs in the first container, and, after all operations corresponding to the application programs in the first container have been processed, to cause the operating system to release the dedicated processing thread of the first container.
7. The apparatus according to claim 6, further comprising:
a locking and unlocking module, configured to cause the operating system, after receiving a lock request sent by the dedicated processing thread of the first container when it starts work, to lock the file management structure of the first container and prohibit other processing threads from accessing the file management structure of the first container; and to cause the operating system, after receiving an unlock request sent by the dedicated processing thread of the first container when it finishes work, to unlock the file management structure of the first container.
8. The apparatus according to any one of claims 5 to 6, characterized in that:
the operation module is specifically configured to, when the operating system receives a file operation request issued by an application program in the first container, cause the operating system to invoke the file system through the VFS instance of the first container and send the file operation request to the file system, so that when the file system identifies that the file operation request originates from the first container, it operates on the file involved in the file operation request within the file management structure of the first container.
9. A computer device, characterized by comprising:
a hardware layer, and an operating system and a file system running on the hardware layer; the hardware layer comprises a processor, a memory, a communication interface and a bus, the processor, the memory and the communication interface communicating with one another through the bus; the communication interface is configured to receive and send data; the memory is configured to store a program; the processor is configured to execute the program in the memory; the operating system runs in the processor; the operating system is divided into a plurality of containers isolated from one another, each of the containers being an isolated operation execution environment for running application programs; the plurality of containers comprises a first container, the first container being any one of the plurality of containers; the file system can be divided into a plurality of mutually independent file management structures;
wherein the processor performs the following steps: creating an independent virtual file system (VFS) instance for each container of the plurality of containers, and configuring, through the VFS instance of each container, an independent file management structure for each container in the file system, so that the plurality of containers are respectively configured with mutually independent VFS instances and the plurality of containers are respectively configured with mutually independent file management structures; and, upon receiving a file operation request issued by an application program in the first container, invoking, through the VFS instance of the first container, the file management structure of the first container to operate on the file involved in the file operation request.
10. The computer device according to claim 9, characterized in that:
the processor further performs the following steps: allocating a dedicated processing thread to the first container; the dedicated processing thread of the first container processing the operations of the application programs in the first container; and, after all operations corresponding to the application programs in the first container have been processed, releasing the dedicated processing thread of the first container.
11. The computer device according to claim 10, characterized in that: the processor further performs the following steps: after receiving a lock request sent by the dedicated processing thread of the first container when it starts work, locking the file management structure of the first container and prohibiting other processing threads from accessing the file management structure of the first container; after receiving an unlock request sent by the dedicated processing thread of the first container when it finishes work, unlocking the file management structure of the first container.
12. The computer device according to any one of claims 9 to 11, characterized in that: the processor further performs the following steps: upon receiving a file operation request issued by an application program in the first container, invoking the file system through the VFS instance of the first container and sending the file operation request to the file system, so that when the file system identifies that the file operation request originates from the first container, it operates on the file involved in the file operation request within the file management structure of the first container.
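As an added illustration of claims 1 to 4 (this is example code written for this page, not code from the patent or from Huawei), the following Python simulation models the claimed design: a shared file system partitioned into one management structure per container, one VFS instance per container that stamps every request with its own container id, a dedicated thread per container that holds its structure's lock from the start to the end of its work, and a file-system entry point that selects the structure from the request's origin. The class names, the in-memory file table, the lock choice and the sample paths and contents are all constructed assumptions for the example; the patent names none of them.

```python
from __future__ import annotations

import threading
from collections import namedtuple

# File operation request as forwarded by a container's VFS instance (claim 4 origin).
FileRequest = namedtuple("FileRequest", "container_id op path data", defaults=("", b""))


class FileManagementStructure:
    """Per-container file table plus the per-structure lock of claim 3."""

    def __init__(self) -> None:
        self.files: dict[str, bytes] = {}  # path -> content; in-memory stand-in
        # Reentrant: the container's own thread holds it for its whole run; others block.
        self.lock = threading.RLock()


class SharedFileSystem:
    """One file system with pooled storage, split into independent structures."""

    def __init__(self) -> None:
        self.structures: dict[str, FileManagementStructure] = {}

    def create_structure(self, container_id: str) -> None:
        self.structures[container_id] = FileManagementStructure()

    def handle(self, req: FileRequest):
        # Identify the originating container and operate only inside its
        # structure; an unregistered id reaches no structure at all.
        fms = self.structures.get(req.container_id)
        if fms is None:
            raise PermissionError(f"no management structure for {req.container_id!r}")
        with fms.lock:
            if req.op == "write":
                fms.files[req.path] = req.data
                return len(req.data)
            if req.op == "read":
                return fms.files[req.path]
            if req.op == "list":
                return sorted(fms.files)
        raise ValueError(f"unknown op {req.op!r}")


class VfsInstance:
    """Independent VFS instance of one container; every request it forwards
    carries its own container id, so no other structure can be addressed."""

    def __init__(self, container_id: str, fs: SharedFileSystem) -> None:
        self.container_id, self._fs = container_id, fs

    def write(self, path: str, data: bytes) -> int:
        return self._fs.handle(FileRequest(self.container_id, "write", path, data))

    def read(self, path: str) -> bytes:
        return self._fs.handle(FileRequest(self.container_id, "read", path))

    def listdir(self) -> list[str]:
        return self._fs.handle(FileRequest(self.container_id, "list"))


def run_containers(fs: SharedFileSystem, work: dict[str, list]) -> dict[str, list]:
    """Claims 1 to 3 together: one VFS instance and one structure per container,
    and a dedicated thread per container that locks its structure on start, unlocks
    on finish and is released (joined) once all its operations are done."""
    for cid in work:
        fs.create_structure(cid)
    vfs = {cid: VfsInstance(cid, fs) for cid in work}
    results: dict[str, list] = {cid: [] for cid in work}

    def worker(cid: str) -> None:
        with fs.structures[cid].lock:  # lock request on start, unlock on exit
            for op in work[cid]:       # work: container id -> callables taking its VFS
                results[cid].append(op(vfs[cid]))

    threads = [threading.Thread(target=worker, args=(cid,)) for cid in work]
    for t in threads:
        t.start()
    for t in threads:
        t.join()  # thread released once all of its operations are done
    return results


def demo() -> dict:
    """Two containers write the same path concurrently; each sees only its own."""
    fs = SharedFileSystem()
    results = run_containers(fs, {
        "c1": [lambda v: v.write("/etc/app.conf", b"tenant-1"),
               lambda v: v.read("/etc/app.conf"), lambda v: v.listdir()],
        "c2": [lambda v: v.write("/etc/app.conf", b"tenant-2"),
               lambda v: v.write("/var/log/app.log", b"started"),
               lambda v: v.read("/etc/app.conf"), lambda v: v.listdir()],
    })
    try:  # a request carrying an unregistered container id is rejected
        fs.handle(FileRequest("ghost", "read", "/etc/app.conf"))
        results["unregistered"] = "allowed"
    except PermissionError:
        results["unregistered"] = "denied"
    return results
```

Because each container's thread only ever takes its own structure's lock, the two containers run in parallel, which is the point the description makes about per-container threads; the lock is reentrant so that the thread's whole-run hold and the per-operation hold inside `handle` compose, while any other thread touching that structure blocks. The `unregistered` check in `demo` shows where the isolation guarantee lives in such a design: the file system trusts only the container id the VFS instance attached, and a request naming no registered container reaches no structure at all.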
Priority Applications (2)

Application Number   Publication   Priority Date   Filing Date   Title
PCT/CN2014/071552   WO2015109593A1 (en)   2014-01-27   2014-01-27   Virtualization method and apparatus, and computer device
CN201480000300.8A   CN105190545B (en)   2014-01-27   2014-01-27   Virtual method and device and computer equipment

Applications Claiming Priority (1)

Application Number   Publication   Priority Date   Filing Date   Title
PCT/CN2014/071552   WO2015109593A1 (en)   2014-01-27   2014-01-27   Virtualization method and apparatus, and computer device

Publications (1)

Publication Number   Publication Date
WO2015109593A1 (en)   2015-07-30

Family

ID=53680694

Family Applications (1)

Application Number   Publication   Priority Date   Filing Date   Title
PCT/CN2014/071552   WO2015109593A1 (en)   2014-01-27   2014-01-27   Virtualization method and apparatus, and computer device

Country Status (2)

Country   Link
CN (1)   CN105190545B (en)
WO (1)   WO2015109593A1 (en)

Also Published As

Publication number Publication date
CN105190545B (en) 2018-12-14
CN105190545A (en) 2015-12-23


Legal Events

Code   Title   Description
WWE   Wipo information: entry into national phase   Ref document number: 201480000300.8; Country of ref document: CN
121   Ep: the epo has been informed by wipo that ep was designated in this application   Ref document number: 14880116; Country of ref document: EP; Kind code of ref document: A1
NENP   Non-entry into the national phase   Ref country code: DE
122   Ep: pct application non-entry in european phase   Ref document number: 14880116; Country of ref document: EP; Kind code of ref document: A1