CN105303102A - Secure access method for virtual machine and virtual machine system - Google Patents


Info

Publication number
CN105303102A
CN105303102A (application number CN201510738195.4A)
Authority
CN
China
Prior art keywords
virtual machine
virtual
computing node
identification information
virtual resource
Prior art date
Legal status (an assumption by Google, not a legal conclusion)
Pending
Application number
CN201510738195.4A
Other languages
Chinese (zh)
Inventor
左强
Current Assignee (the listed assignee may be inaccurate; Google has performed no legal analysis)
Inspur Electronic Information Industry Co Ltd
Original Assignee
Inspur Electronic Information Industry Co Ltd
Application filed by Inspur Electronic Information Industry Co Ltd
Priority to CN201510738195.4A
Publication of CN105303102A
Legal status: Pending


Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F 21/52 Monitoring users, programs or devices to maintain the integrity of platforms during program execution, e.g. stack integrity; preventing unwanted data erasure; buffer overflow
    • G06F 21/53 Monitoring users, programs or devices to maintain the integrity of platforms during program execution by executing in a restricted environment, e.g. sandbox or secure virtual machine

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Storage Device Security (AREA)

Abstract

Embodiments of the invention provide a secure access method for a virtual machine and a virtual machine system, which relate to the field of cloud computing and realize security protection of virtual resources in a cloud computing virtual machine platform. The method comprises the steps that: a cloud computing control node configures corresponding identifier information for the virtual machine and the virtual resources of the virtual machine when the virtual machine is established; the computing node receives a virtual resource access request message; the computing node determines whether the virtual machine has a right of accessing to the virtual resources corresponding to the identifier information of the virtual resources or not according to the identifier information of the virtual machine and the identifier information of the virtual resources required to be accessed; when it is determined that the virtual machine has the right of accessing to the virtual resources corresponding to the identifier information of the virtual resources, the computing node allows the virtual machine to access to the virtual resources corresponding to the identifier information of the virtual resources; and when it is determined that the virtual machine does not have the right of accessing to the virtual resources corresponding to the identifier information of the virtual resources, the computing node prevents the virtual machine from accessing to the virtual resources corresponding to the identifier information of the virtual resources.

Description

A secure access method for a virtual machine, and a virtual machine system
Technical field
The present invention relates to the field of cloud computing technology, and in particular to a secure access method for a virtual machine and a virtual machine system.
Background art
Cloud computing brings a new era for the provision and consumption of information technology (IT) services. It enhances collaboration, agility, scalability and availability, and reduces costs through optimised, more efficient computing. Specifically, "cloud" describes the use of services, applications, information and infrastructure composed of "resource pools" of computing, networking, information, storage and so on. The components of cloud computing can be rapidly provisioned, deployed and retired, and can be scaled up or down, with an on-demand provisioning, allocation and consumption model similar to utility computing.
A cloud computing system can automatically control and optimise the resources used by a service because it makes use of a metering capability at some level of abstraction. In cloud computing, virtualization is one of the key technologies chosen for abstracting resources.
In virtualization technology, different types of virtualization are distinguished according to the entity being virtualized. System virtualization is the most widely known virtualization technology.
The core idea of system virtualization is that virtualization software emulates one or more virtual machines on a single physical machine. A virtual machine runs in an isolated environment and is a logical computer system with complete hardware functions, including the guest operating system and the applications in it. In a virtual machine system, several operating systems can run independently and simultaneously on the same physical machine, multiplexing its physical resources.
Although virtualization has developed rapidly, the security technology of virtual machine systems lags seriously behind. Running various services on virtual machines while maintaining system security is far more complex than on a single computer. Virtual machine systems face many security threats, for example attacks between virtual machines, resource contention, and escape threats. Therefore, while the use of virtual machines brings convenience in application and administration, more attention should be paid to solving virtualization security problems and researching virtualization security mechanisms.
At present the virtual machine monitor (VMM) in virtualization technology, also called the Hypervisor, can access all hardware devices on the server. When the server starts and invokes the Hypervisor, it loads the operating systems of all guest virtual machines and at the same time allocates appropriate physical resources such as network, CPU, disk and memory to each virtual machine. The Hypervisor is responsible for coordinating access to these hardware resources and also applies security protection between the virtual machines. In traditional virtualization technology, virtual machine escape is mostly discovered and stopped by monitoring. One approach to such a monitoring mechanism is to monitor the guest virtual machine from outside its own environment, at the Hypervisor layer provided by the virtualization environment. This kind of mechanism effectively protects the security component from tampering, has little impact on the monitored environment, is easy to implement transparently, and has advantages in system compatibility. However, it suffers from the semantic gap problem.
Because the architecture of cloud computing differs from that of a traditional single-host virtualized environment, control in cloud computing shifts from the Hypervisor to the cloud control node (Controller). Traditional virtual machine monitoring mechanisms, however, are designed into the Hypervisor of the computing node and are difficult to connect effectively with the virtual machine management control flow on the cloud control node. The security chain is broken, the security of the whole life cycle of the virtual machine cannot be guaranteed, and such mechanisms cannot play their role well in cloud computing scenarios.
Summary of the invention
Embodiments of the invention provide a secure access method for a virtual machine and a virtual machine system, in order to realise security protection of virtual resources in a cloud computing virtual machine platform.
To achieve the above object, embodiments of the invention adopt the following technical scheme:
An embodiment of the invention provides a secure access method for a virtual machine, applied to a virtual machine system comprising a computing node, a cloud computing control node and a virtual machine. The method comprises: when the virtual machine is created, the cloud computing control node configures corresponding identification information for the virtual machine and for the virtual resources corresponding to the virtual machine; the computing node receives a virtual resource access request message sent by the virtual machine, the message carrying the identification information of the virtual machine and the identification information of the virtual resource to be accessed; the computing node determines, from the identification information of the virtual machine and the identification information of the virtual resource to be accessed, whether the virtual machine has the right to access the virtual resource corresponding to that identification information; when it determines that the virtual machine has that right, the computing node allows the virtual machine to access the virtual resource corresponding to the identification information of the virtual resource; and when it determines that the virtual machine does not have that right, the computing node prevents the virtual machine from accessing that virtual resource.
Further, before the computing node receives the virtual resource access request message sent by the virtual machine, the method also comprises: the cloud computing control node determines, according to the user's interest information, the computing node that will run the virtual machine; the cloud computing control node sends to that computing node a message to establish a running relationship with the virtual machine; the computing node receives that message; and the computing node, according to the message, allocates running resources for the virtual machine and establishes the running relationship with it.
Further, before the cloud computing control node determines the computing node according to the user's interest information, the method also comprises: the cloud computing control node determines, according to the load information of the computing node on which the virtual machine resides, whether to migrate the virtual machine. Determining the computing node according to the user's interest information then comprises: when the cloud computing control node determines to migrate the virtual machine, it determines the computing node that will run the virtual machine according to the user's interest information.
Further, the cloud computing control node determining the computing node according to the user's interest information comprises: when the cloud computing control node determines to create the virtual machine, it determines the computing node that will run the virtual machine according to the user's interest information.
Further, an embodiment of the invention provides a virtual machine system comprising a computing node, a cloud computing control node and a virtual machine. The cloud computing control node is configured to, when the virtual machine is created, configure corresponding identification information for the virtual machine and for the virtual resources corresponding to the virtual machine. The computing node is configured to receive a virtual resource access request message sent by the virtual machine, the message carrying the identification information of the virtual machine and the identification information of the virtual resource to be accessed; to determine, from the identification information of the virtual machine and of the virtual resource to be accessed, whether the virtual machine has the right to access the virtual resource corresponding to that identification information; to allow the virtual machine to access that virtual resource when it determines that the virtual machine has the right; and to prevent the virtual machine from accessing that virtual resource when it determines that the virtual machine does not have the right.
Further, the cloud computing control node is also configured to determine, according to the user's interest information, the computing node that will run the virtual machine, and to send to that computing node a message to establish a running relationship with the virtual machine. The computing node is also configured to receive that message and, according to it, to allocate running resources for the virtual machine and establish the running relationship with it.
Further, the cloud computing control node is also configured to determine, according to the load information of the computing node on which the virtual machine resides, whether to migrate the virtual machine, and specifically, when it determines to migrate the virtual machine, to determine the computing node that will run the virtual machine according to the user's interest information.
Further, the cloud computing control node is specifically configured, when it determines to create the virtual machine, to determine the computing node that will run the virtual machine according to the user's interest information.
Embodiments of the invention thus provide a secure access method for a virtual machine and a virtual machine system. The virtual machine system comprises a computing node, a cloud computing control node and a virtual machine, and the method comprises: when the virtual machine is created, the cloud computing control node configures corresponding identification information for the virtual machine and for its virtual resources; the computing node receives a virtual resource access request message from the virtual machine carrying the identification information of the virtual machine and of the virtual resource to be accessed; the computing node determines from these whether the virtual machine has the right to access the virtual resource; if so, the computing node allows the access, and if not, it prevents the access. In this way, once the cloud computing control node has configured corresponding identification information for the virtual machine and its virtual resources at creation time, the computing node can decide, whenever the virtual machine needs to access a virtual resource, whether the virtual machine is authorised, from the identification information of the virtual machine and of the virtual resource it wants to access. Only when the virtual machine is authorised to access the requested virtual resource is the access allowed. This reduces the probability that a malicious user accesses the virtual resources of other users, protects the virtual resources, and thereby realises security protection of virtual resources in a cloud computing virtual machine platform.
Brief description of the drawings
To explain the technical solutions of the embodiments of the invention more clearly, the drawings needed for the embodiments or the description of the prior art are briefly introduced below. Obviously, the drawings described below are only some embodiments of the invention; those of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a schematic flow chart of a secure access method for a virtual machine provided by an embodiment of the invention;
Fig. 2 is a schematic flow chart of another secure access method for a virtual machine provided by an embodiment of the invention;
Fig. 3 is a schematic flow chart of another secure access method for a virtual machine provided by an embodiment of the invention;
Fig. 4 is a schematic structural diagram of a virtual machine system provided by an embodiment of the invention.
Embodiment
The technical solutions in the embodiments of the invention are described clearly and completely below with reference to the accompanying drawings. Obviously, the described embodiments are only some of the embodiments of the invention, not all of them. All other embodiments obtained by those of ordinary skill in the art on the basis of the embodiments of the invention without creative effort fall within the scope of protection of the invention.
An embodiment of the invention provides a secure access method for a virtual machine, applied to a virtual machine system comprising a computing node, a cloud computing control node and a virtual machine. As shown in Fig. 1, the method comprises:
Step 101: when the virtual machine is created, the cloud computing control node configures corresponding identification information for the virtual machine and for the virtual resources corresponding to the virtual machine.
Specifically, when the virtual machine is created, the cloud computing control node, in order to protect the virtual resources, needs to configure corresponding identification information for the virtual machine and for the virtual resources that this virtual machine may access.
Further, different virtual machines are given different identification information.
Further, when the virtual machine is created, the cloud computing control node can determine the virtual resources corresponding to this virtual machine from the resources the virtual machine requires and from configuration information, and then configure corresponding identification information for the virtual machine and for the virtual resources it may access.
Further, the cloud computing control node configures the same identification information for the virtual machine and for the virtual resources that the virtual machine may access.
Step 102: the computing node receives a virtual resource access request message sent by the virtual machine.
The virtual resource access request message carries the identification information of the virtual machine and the identification information of the virtual resource to be accessed.
Specifically, when the virtual machine needs to access a virtual resource, it sends a virtual resource access request message to the computing node. The message carries the virtual machine's own identification information and the identification information of the resource it needs to access.
Further, the virtual resource access request message may also omit the identification information of the virtual resource to be accessed. In that case it must carry other information that indicates the virtual resource to be accessed, so that the computing node can determine the identification information of the virtual resource from that other information.
Step 103: the computing node determines, from the identification information of the virtual machine and the identification information of the virtual resource to be accessed, whether the virtual machine has the right to access the virtual resource corresponding to that identification information.
Specifically, after receiving the virtual resource access request message, the computing node parses out the identification information of the virtual resource and of the virtual machine carried in it, compares the two, and determines from the comparison result whether the virtual machine has the right to access the virtual resource it needs.
Further, if in step 101 the cloud computing control node configured the same identification information for the virtual machine and for the virtual resources it may access, the computing node can compare the parsed identification information of the virtual machine with that of the virtual resource and check whether they are consistent. If they are consistent, it determines that the virtual machine has the right to access the virtual resource corresponding to the virtual resource's identification information; if they are not, it determines that the virtual machine does not have that right.
It should be noted that the step performed next depends on the result of step 103. When the computing node determines that the virtual machine has the right to access the virtual resource, step 104a is performed; when it determines that the virtual machine does not, step 104b is performed.
Step 104a: when it determines that the virtual machine has the right to access the virtual resource corresponding to the virtual resource's identification information, the computing node allows the virtual machine to access that virtual resource.
Specifically, when the computing node determines that the virtual machine has the right to access the virtual resource corresponding to the virtual resource's identification information, this indicates that the virtual machine is legitimate and is not a virtual machine controlled by a malicious user, so the computing node allows the virtual machine to access that virtual resource and obtain the information it needs.
Step 104b: when it determines that the virtual machine does not have the right to access the virtual resource corresponding to the virtual resource's identification information, the computing node prevents the virtual machine from accessing that virtual resource.
Specifically, when the computing node determines that the virtual machine does not have the right to access the virtual resource corresponding to the virtual resource's identification information, this indicates that the virtual machine is illegitimate and may be a virtual machine controlled by a malicious user, so the computing node prevents the virtual machine from accessing that virtual resource. That is, the computing node does not respond to the virtual resource access request message sent by this virtual machine.
In this way, once the cloud computing control node has configured corresponding identification information for the virtual machine and its virtual resources at creation time, the computing node can decide, whenever the virtual machine needs to access a virtual resource, whether the virtual machine is authorised, from the identification information of the virtual machine and of the virtual resource it wants to access. Only when the virtual machine is authorised to access the requested virtual resource is the access allowed. This reduces the probability that a malicious user accesses the virtual resources of other users, protects the virtual resources, and thereby realises security protection of virtual resources in a cloud computing virtual machine platform.
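The following is an added example, not code from the patent, showing steps 101 to 104b end to end: the control node assigns one identifier to a virtual machine and to the resources it may access, and the computing node decides a request by comparing the identifiers, including the variant of step 102 in which the request names the resource instead of carrying its identifier. The message layout (a dictionary with `vm_id`, `resource_id` or `resource_name`), the resource names, and the choice of a random 128-bit identifier are assumptions made for the example.

```python
"""Identifier-based access control between a cloud control node and a
computing node (steps 101 to 104b). Added illustration, not the patent's
code: the message layout, the shared VM/resource identifier and the
resource-name lookup are assumptions."""

import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Set


@dataclass
class VirtualResource:
    name: str         # assumed: e.g. a volume or network name
    identifier: str   # identification information set by the control node


@dataclass
class ComputingNode:
    """Holds the identifier configuration pushed down by the control node."""
    resources: Dict[str, VirtualResource] = field(default_factory=dict)  # by name
    known_ids: Set[str] = field(default_factory=set)  # identifiers of local resources

    def register(self, resource: VirtualResource) -> None:
        self.resources[resource.name] = resource
        self.known_ids.add(resource.identifier)

    def resolve_resource_id(self, request: Dict[str, str]) -> Optional[str]:
        """Step 102: the request normally carries the resource identifier;
        if it carries another indicator instead (here a name), map it."""
        if "resource_id" in request:
            return request["resource_id"]
        res = self.resources.get(request.get("resource_name", ""))
        return res.identifier if res else None

    def decide(self, request: Dict[str, str]) -> bool:
        """Steps 103, 104a, 104b: True means allow; False means the node
        leaves the request unanswered."""
        vm_id = request.get("vm_id")
        res_id = self.resolve_resource_id(request)
        if vm_id is None or res_id is None or res_id not in self.known_ids:
            return False
        # Step 103: VM and resource were given the same identifier, so the
        # check is an equality test; compared in constant time so a guessed
        # identifier cannot be refined byte by byte from response timing.
        return secrets.compare_digest(vm_id.encode(), res_id.encode())


class ControlNode:
    """Step 101: assign identification information at VM creation."""

    def __init__(self) -> None:
        self.vm_ids: Dict[str, str] = {}  # vm name -> identifier

    def create_vm(self, vm_name: str, resource_names, node: ComputingNode) -> str:
        identifier = secrets.token_hex(16)  # fresh per VM, so no two VMs share one
        self.vm_ids[vm_name] = identifier
        for name in resource_names:
            node.register(VirtualResource(name=name, identifier=identifier))
        return identifier


def demo() -> Dict[str, bool]:
    """Constructed scenario: two VMs, each with one volume, on one node."""
    ctl, node = ControlNode(), ComputingNode()
    id1 = ctl.create_vm("vm1", ["vol-1"], node)
    id2 = ctl.create_vm("vm2", ["vol-2"], node)
    return {
        "own_resource_by_id": node.decide({"vm_id": id1, "resource_id": id1}),
        "own_resource_by_name": node.decide({"vm_id": id1, "resource_name": "vol-1"}),
        "other_vm_resource": node.decide({"vm_id": id1, "resource_name": "vol-2"}),
        "forged_resource_id": node.decide({"vm_id": id2, "resource_id": id1}),
        "unknown_resource": node.decide({"vm_id": id1, "resource_id": "0" * 32}),
        "missing_vm_id": node.decide({"resource_id": id1}),
    }


if __name__ == "__main__":
    for case, allowed in demo().items():
        print(f"{case}: {'allow' if allowed else 'deny'}")
```

One caveat a deployment has to settle: the description has the virtual machine place its own identification information in the request. If the computing node trusts that field as sent by the guest, the check is only as strong as the secrecy of the identifier, since any guest that learns another VM's identifier can present it. In practice the computing node should take the requesting VM's identity from the hypervisor's own record of which VM issued the request and compare that against the resource's identifier, which keeps the decision rule of step 103 but removes the guest-controlled input.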
Further, before step 101, as shown in Figure 2, also comprise:
Step 105, cloud computing Controlling vertex, according to the benefits information of user, determine the computing node running virtual machine.
Concrete, the benefits information of user, when virtual machine creating, is sent to cloud computing Controlling vertex by user.Wherein, what the benefits information of user referred to that user provides may with the information of other users that oneself there are interest relations.Now, cloud computing Controlling vertex according to the benefits information of the user obtained, can determine the computing node running virtual machine, so that the computing node running this virtual machine does not run the virtual machine of the user of other interest relations.Be, cloud computing Controlling vertex, according to the benefits information of user, in all computing nodes, select the computing node of the virtual machine not running the user that user therewith has interests relations, using the moving calculation node of this computing node as above-mentioned virtual machine.
It should be noted that, if the computing node not running the virtual machine of the user that user therewith has interests relations selected has at least two, then can not run in the computing node of the virtual machine of the user that user therewith has interests relations at above-mentioned at least two, determine arbitrarily the moving calculation node of a computing node as virtual machine.Certainly, can not run in the computing node of the virtual machine of the user that user therewith has interests relations at above-mentioned at least two according to other rules, determine the computing node running virtual machine, such as according to the loading condition of computing node, computing node little for load is defined as the computing node running virtual machine.Certainly, can also be other rules, the present invention be restricted this.
For example, suppose a virtual machine system has four computing nodes a, b, c and d, and the cloud computing control node needs to determine the computing node for virtual machine 1. The cloud computing control node first obtains the stored interest information of the user corresponding to virtual machine 1, that is, the interest information of the user who created virtual machine 1. According to that interest information, the cloud computing control node determines that, of computing nodes a, b, c and d, nodes a and b are already running virtual machines of users that have an interest relationship with the user of virtual machine 1, while nodes c and d are running no such virtual machine. The cloud computing control node can then select the less loaded of the two, computing node c, as the computing node for virtual machine 1.
Step 106: the cloud computing control node sends, to the computing node that is to run the virtual machine, a message for establishing a running relationship with the virtual machine. The computing node receives the message for establishing the running relationship with the virtual machine sent by the cloud computing control node.
Specifically, after determining the computing node that runs the virtual machine, the cloud computing control node sends that computing node a message for establishing a running relationship with the virtual machine, so that the computing node can establish the running relationship with the virtual machine. The computing node receives this message.
In the example above, after determining that computing node c is the computing node that will run virtual machine 1, the cloud computing control node sends computing node c a message for establishing a running relationship with virtual machine 1, and computing node c receives that message.
Step 107: according to the message for establishing a running relationship with the virtual machine, the computing node allocates running resources for the virtual machine and establishes the running relationship with the virtual machine.
Specifically, after receiving the message for establishing a running relationship with the virtual machine, the computing node parses the message to learn which virtual machine it is to establish a running relationship with, allocates the corresponding running resources for that virtual machine, and then establishes the running relationship with the virtual machine.
In the example above, after receiving the message for establishing a running relationship with virtual machine 1, computing node c parses the message, learns that it must establish a running relationship with virtual machine 1, allocates the resources virtual machine 1 needs in order to run, and then establishes the running relationship with virtual machine 1.
Further, step 105 is performed by the cloud computing control node only when a virtual machine is created or migrated. When a virtual machine is created, the user needs a new virtual machine and triggers the cloud computing control node to create it; when the user triggers the creation, the interest information of the user can be sent to the cloud computing control node.
In this case, the cloud computing control node determining the computing node that runs the virtual machine according to the interest information of the user comprises: when the cloud computing control node determines that a virtual machine is to be created, the cloud computing control node determines, according to the interest information of the user, the computing node that runs the virtual machine.
That is, when the user needs to create a virtual machine, the user sends a trigger message for creating the virtual machine to the cloud computing control node, and sends the interest information of the user to the cloud computing control node. After receiving the trigger message for creating the virtual machine, the cloud computing control node obtains the interest information of the user, and when it creates the virtual machine it needs to determine the computing node that will run the virtual machine.
When a virtual machine is migrated, the method further comprises, before step 105 and as shown in Figure 3:
Step 108: the cloud computing control node determines, according to the load information of the computing node on which the virtual machine is located, whether to migrate the virtual machine.
Specifically, the cloud computing control node can learn, in real time, various information about each computing node, such as its load and resource utilization. From this information the cloud computing control node can determine whether a computing node needs to have a virtual machine migrated away from it.
In the example above, the cloud computing control node can obtain the information of the four computing nodes a, b, c and d. If it finds that the load of computing node a is high while the load and resource utilization of computing node c are low, the cloud computing control node can determine that computing node a needs a virtual machine migrated away from it, and a virtual machine on computing node a is determined to be the virtual machine to migrate.
In this case, step 105, in which the cloud computing control node determines the computing node that runs the virtual machine according to the interest information of the user, comprises: when the cloud computing control node determines to migrate the virtual machine, it determines, according to the interest information of the user, the computing node that runs the virtual machine.
That is, once the cloud computing control node has determined to migrate a virtual machine, it must determine a computing node to run that virtual machine, and it does so according to the interest information of the user.
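As an added illustration of steps 105 through 108 described above (example code written for this page, not code from the patent or from Inspur), the following Python models the placement rule using the four computing nodes a, b, c and d of the example: a node qualifies for a user's virtual machine only if it is running no virtual machine of a user that has an interest relationship with that user, and among qualifying nodes the least loaded one is chosen; the same rule selects the target node when a node's load triggers a migration. The interest table, the load figures, the high-load threshold, the assumption that the interest relationship is symmetric, and the choice of which virtual machine an overloaded node gives up are all assumptions made here, since the page does not specify them.

```python
from dataclasses import dataclass, field


@dataclass
class VirtualMachine:
    vm_id: str
    owner: str


@dataclass
class ComputeNode:
    name: str
    load: float                                   # fraction of capacity in use (assumed metric)
    vms: list = field(default_factory=list)        # virtual machines with a running relationship


# Constructed interest information: each user maps to the users it has an
# interest relationship with. Treated as symmetric (assumption).
INTEREST_INFO = {
    "alice": {"bob"},
    "carol": set(),
}


def related_users(user, interest_info):
    """All users that have an interest relationship with `user`, in either direction."""
    related = set(interest_info.get(user, set()))
    for other, peers in interest_info.items():
        if user in peers:
            related.add(other)
    return related


def select_compute_node(nodes, user, interest_info, exclude=()):
    """Step 105: choose a node running no VM of a user related to `user`; among those,
    prefer the least loaded. Returns None when no node qualifies (page does not say
    what the control node does then, so the caller decides)."""
    conflicts = related_users(user, interest_info)
    candidates = [
        n for n in nodes
        if n.name not in exclude
        and not any(vm.owner in conflicts for vm in n.vms)
    ]
    if not candidates:
        return None
    return min(candidates, key=lambda n: n.load)


def place_vm(nodes, vm, interest_info):
    """Steps 105 to 107 at creation: pick the node and record the running relationship."""
    node = select_compute_node(nodes, vm.owner, interest_info)
    if node is not None:
        node.vms.append(vm)
    return node


def plan_migrations(nodes, interest_info, high_watermark=0.8):
    """Step 108 followed by step 105: for every node above the load threshold, pick one
    VM to move (the first one; an assumption) and choose its target with the same
    interest-aware rule. Returns (vm_id, source, target) triples; target is None when
    no other node qualifies."""
    plan = []
    for src in nodes:
        if src.load > high_watermark and src.vms:
            vm = src.vms[0]
            target = select_compute_node(nodes, vm.owner, interest_info, exclude=(src.name,))
            plan.append((vm.vm_id, src.name, target.name if target else None))
    return plan


def example_cluster():
    """Constructed cluster mirroring the page's computing nodes a, b, c and d:
    a and b already run bob's virtual machines, c is empty, d runs carol's."""
    return [
        ComputeNode("a", 0.9, [VirtualMachine("vm-a1", "bob")]),
        ComputeNode("b", 0.5, [VirtualMachine("vm-b1", "bob")]),
        ComputeNode("c", 0.2, []),
        ComputeNode("d", 0.4, [VirtualMachine("vm-d1", "carol")]),
    ]


if __name__ == "__main__":
    cluster = example_cluster()
    # alice has an interest relationship with bob, so a and b are ruled out and c wins.
    print(place_vm(cluster, VirtualMachine("vm-1", "alice"), INTEREST_INFO).name)
    # a is overloaded; its VM belongs to bob, so the target must not host alice.
    print(plan_migrations(cluster, INTEREST_INFO))
```

Note that once alice's virtual machine has been placed on c, a later placement for bob no longer considers c, because c now runs a virtual machine of a user related to bob; the rule therefore has to be evaluated against the current state of every node, not against a table computed at creation time.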
Embodiments of the present invention provide a secure access method for a virtual machine. The virtual machine system comprises a computing node, a cloud computing control node and a virtual machine, and the method comprises: when the virtual machine is created, the cloud computing control node configures corresponding identification information for the virtual machine and for the virtual resources corresponding to the virtual machine; the computing node receives a virtual resource access request message sent by the virtual machine, the message carrying the identification information of the virtual machine and the identification information of the virtual resource to be accessed; the computing node determines, according to the identification information of the virtual machine and the identification information of the virtual resource to be accessed, whether the virtual machine has the authority to access the virtual resource corresponding to that identification information; when it determines that the virtual machine has that authority, the computing node allows the virtual machine to access the virtual resource; when it determines that the virtual machine does not have that authority, the computing node blocks the virtual machine from accessing the virtual resource. In this way, once the cloud computing control node has configured identification information for the virtual machine and its virtual resources at creation time, the computing node can decide, whenever the virtual machine needs to access a virtual resource, whether the virtual machine is authorized, using the identification information of the virtual machine and of the requested virtual resource, and only then permit the access. This reduces the probability that a malicious user accesses the virtual resources of other users, protects the virtual resources, and thereby achieves security protection of virtual resources in a cloud computing virtual machine platform.
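The access check summarized above (and restated for the system of Figure 4 and in the claims), as an added example in Python that is not code from the patent or from Inspur: a control node object configures identifiers for a virtual machine and its virtual resources at creation time, and a computing node object answers each access request from the virtual machine identifier and resource identifier the request carries. Random identifiers, the export of the authorization table from the control node to the computing node, the audit list, and the extra comparison of the claimed virtual machine identifier against the identifier the hypervisor itself associates with the sender are all assumptions added here; the page does not say how identifiers are formed, how the computing node obtains the mapping, or how it ties a request to the virtual machine that sent it.

```python
import secrets


class CloudControlNode:
    """Cloud computing control node: when a VM is created, configures an identifier
    for the VM and for each virtual resource belonging to that VM."""

    def __init__(self):
        # vm_id -> set of resource identifiers the VM is entitled to access
        self.vm_resources = {}

    def create_vm(self, resource_count):
        # Random identifiers so one tenant cannot guess another's (assumption:
        # the page does not specify how identifiers are formed).
        vm_id = "vm-" + secrets.token_hex(8)
        resources = {"res-" + secrets.token_hex(8) for _ in range(resource_count)}
        self.vm_resources[vm_id] = resources
        return vm_id, sorted(resources)

    def export_table(self):
        # Copy handed to a computing node. How the mapping reaches the node is
        # not described on the page and is assumed here.
        return {vm: set(res) for vm, res in self.vm_resources.items()}


class ComputeNode:
    """Computing node: receives a virtual resource access request carrying the VM's
    identifier and the identifier of the resource to be accessed, and allows or
    blocks the access. Anything unexpected is blocked (fail closed)."""

    def __init__(self, authz_table):
        self.authz = authz_table
        self.audit = []  # (decision, vm_id, resource_id) records

    def handle_access_request(self, msg, source_vm):
        """msg: the access request message. source_vm: the VM identifier the
        hypervisor itself associates with the channel the request arrived on
        (an added check; the page does not describe this binding)."""
        vm_id = msg.get("vm_id")
        resource_id = msg.get("resource_id")
        decision = "allowed"
        if not isinstance(vm_id, str) or not isinstance(resource_id, str):
            decision = "blocked"            # malformed request
        elif vm_id != source_vm:
            decision = "blocked"            # claimed identifier is not the sender's
        elif resource_id not in self.authz.get(vm_id, set()):
            decision = "blocked"            # resource not configured for this VM
        self.audit.append((decision, vm_id, resource_id))
        return decision


def demo():
    """Two tenants' VMs on one computing node: own resource, another tenant's
    resource, a borrowed identifier, and a request with a missing field."""
    ctrl = CloudControlNode()
    vm1, vm1_res = ctrl.create_vm(2)
    vm2, vm2_res = ctrl.create_vm(1)
    node = ComputeNode(ctrl.export_table())
    return {
        "own": node.handle_access_request(
            {"vm_id": vm1, "resource_id": vm1_res[0]}, source_vm=vm1),
        "other_tenant": node.handle_access_request(
            {"vm_id": vm1, "resource_id": vm2_res[0]}, source_vm=vm1),
        "spoofed_id": node.handle_access_request(
            {"vm_id": vm2, "resource_id": vm2_res[0]}, source_vm=vm1),
        "malformed": node.handle_access_request(
            {"vm_id": vm1}, source_vm=vm1),
    }


if __name__ == "__main__":
    for case, decision in demo().items():
        print(f"{case}: {decision}")
```

Only the request for the VM's own resource is allowed. An unknown virtual machine, an unknown resource and a missing field are all refused rather than defaulting to permit, and a request whose vm_id names a virtual machine other than the one the hypervisor saw send it is refused as well; that last comparison is what keeps the decision from resting solely on a field the requester supplies, and whether the patented method binds the identifier in this way is not stated on the page.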
Embodiments of the present invention further provide a virtual machine system which, as shown in Figure 4, comprises a computing node 401, a cloud computing control node 402 and a virtual machine 403.
The cloud computing control node 402 is configured to configure, when the virtual machine 403 is created, corresponding identification information for the virtual machine 403 and for the virtual resources corresponding to the virtual machine 403.
The computing node 401 is configured to receive the virtual resource access request message sent by the virtual machine 403.
The virtual resource access request message carries the identification information of the virtual machine and the identification information of the virtual resource to be accessed.
The computing node 401 is further configured to determine, according to the identification information of the virtual machine 403 and the identification information of the virtual resource to be accessed, whether the virtual machine 403 has the authority to access the virtual resource corresponding to the identification information of the virtual resource. When it determines that the virtual machine 403 has that authority, it allows the virtual machine 403 to access the virtual resource corresponding to the identification information of the virtual resource. When it determines that the virtual machine 403 does not have that authority, it blocks the virtual machine 403 from accessing the virtual resource corresponding to the identification information of the virtual resource.
Further, the cloud computing control node 402 is also configured to determine, according to the interest information of the user, the computing node that runs the virtual machine.
The cloud computing control node 402 is also configured to send, to the computing node that runs the virtual machine 403, a message for establishing a running relationship with the virtual machine 403.
The computing node 401 is also configured to receive the message for establishing a running relationship with the virtual machine 403 sent by the cloud computing control node 402.
The computing node 401 is also configured to allocate, according to the message for establishing a running relationship with the virtual machine 403, running resources for the virtual machine 403 and to establish the running relationship with the virtual machine 403.
Further, the cloud computing control node 402 is also configured to determine, according to the load information of the computing node on which the virtual machine 403 is located, whether to migrate the virtual machine 403.
The cloud computing control node 402 is specifically configured to determine, when it determines to migrate the virtual machine 403, the computing node 401 that runs the virtual machine 403 according to the interest information of the user.
Alternatively, the cloud computing control node 402 is specifically configured to determine, when it determines to create a virtual machine, the computing node that runs the virtual machine 403 according to the interest information of the user.
Embodiments of the present invention thus provide a virtual machine system comprising a computing node, a cloud computing control node and a virtual machine, which operate as follows: when the virtual machine is created, the cloud computing control node configures corresponding identification information for the virtual machine and for the virtual resources corresponding to the virtual machine; the computing node receives the virtual resource access request message sent by the virtual machine, which carries the identification information of the virtual machine and the identification information of the virtual resource to be accessed; the computing node determines from these two identifiers whether the virtual machine has the authority to access the virtual resource corresponding to the identification information of the virtual resource, allows the access when it does, and blocks the access when it does not. Because the computing node checks the identification information of the virtual machine against that of the requested virtual resource before any access and permits the access only when the virtual machine is authorized, the probability that a malicious user accesses the virtual resources of other users is reduced, the virtual resources are protected, and security protection of virtual resources in a cloud computing virtual machine platform is achieved.
Finally, it should be noted that the above embodiments are only intended to illustrate the technical solutions of the present invention and not to limit them. Although the present invention has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art should understand that the technical solutions described in the foregoing embodiments may still be modified, or some of their technical features replaced by equivalents, and that such modifications or replacements do not cause the essence of the corresponding technical solutions to depart from the spirit and scope of the technical solutions of the embodiments of the present invention.

Claims (8)

1. A secure access method for a virtual machine, characterized in that it is applied to a virtual machine system, the virtual machine system comprising a computing node, a cloud computing control node and a virtual machine, and the method comprises:
when the virtual machine is created, the cloud computing control node configuring corresponding identification information for the virtual machine and for the virtual resources corresponding to the virtual machine;
the computing node receiving a virtual resource access request message sent by the virtual machine, wherein the virtual resource access request message carries the identification information of the virtual machine and the identification information of the virtual resource to be accessed;
the computing node determining, according to the identification information of the virtual machine and the identification information of the virtual resource to be accessed, whether the virtual machine has the authority to access the virtual resource corresponding to the identification information of the virtual resource;
when it is determined that the virtual machine has the authority to access the virtual resource corresponding to the identification information of the virtual resource, the computing node allowing the virtual machine to access the virtual resource corresponding to the identification information of the virtual resource;
when it is determined that the virtual machine does not have the authority to access the virtual resource corresponding to the identification information of the virtual resource, the computing node blocking the virtual machine from accessing the virtual resource corresponding to the identification information of the virtual resource.
2. The method according to claim 1, characterized in that, before the computing node receives the virtual resource access request message sent by the virtual machine, the method further comprises:
the cloud computing control node determining, according to the interest information of the user, the computing node that runs the virtual machine;
the cloud computing control node sending, to the computing node that runs the virtual machine, a message for establishing a running relationship with the virtual machine; and the computing node receiving the message for establishing the running relationship with the virtual machine sent by the cloud computing control node;
the computing node allocating, according to the message for establishing the running relationship with the virtual machine, running resources for the virtual machine and establishing the running relationship with the virtual machine.
3. The method according to claim 2, characterized in that, before the cloud computing control node determines the computing node that runs the virtual machine according to the interest information of the user, the method further comprises:
the cloud computing control node determining, according to the load information of the computing node on which the virtual machine is located, whether to migrate the virtual machine;
and the cloud computing control node determining the computing node that runs the virtual machine according to the interest information of the user comprises:
when the cloud computing control node determines to migrate the virtual machine, determining, according to the interest information of the user, the computing node that runs the virtual machine.
4. The method according to claim 2, characterized in that the cloud computing control node determining the computing node that runs the virtual machine according to the interest information of the user comprises:
when the cloud computing control node determines to create the virtual machine, the cloud computing control node determining, according to the interest information of the user, the computing node that runs the virtual machine.
5. A virtual machine system, characterized in that it comprises a computing node, a cloud computing control node and a virtual machine, wherein:
the cloud computing control node is configured to configure, when the virtual machine is created, corresponding identification information for the virtual machine and for the virtual resources corresponding to the virtual machine;
the computing node is configured to receive a virtual resource access request message sent by the virtual machine, wherein the virtual resource access request message carries the identification information of the virtual machine and the identification information of the virtual resource to be accessed;
the computing node is further configured to determine, according to the identification information of the virtual machine and the identification information of the virtual resource to be accessed, whether the virtual machine has the authority to access the virtual resource corresponding to the identification information of the virtual resource; to allow the virtual machine to access the virtual resource corresponding to the identification information of the virtual resource when it is determined that the virtual machine has that authority; and to block the virtual machine from accessing the virtual resource corresponding to the identification information of the virtual resource when it is determined that the virtual machine does not have that authority.
6. The system according to claim 5, characterized in that:
the cloud computing control node is further configured to determine, according to the interest information of the user, the computing node that runs the virtual machine;
the cloud computing control node is further configured to send, to the computing node that runs the virtual machine, a message for establishing a running relationship with the virtual machine;
the computing node is further configured to receive the message for establishing the running relationship with the virtual machine sent by the cloud computing control node;
the computing node is further configured to allocate, according to the message for establishing the running relationship with the virtual machine, running resources for the virtual machine and to establish the running relationship with the virtual machine.
7. The system according to claim 6, characterized in that:
the cloud computing control node is further configured to determine, according to the load information of the computing node on which the virtual machine is located, whether to migrate the virtual machine;
the cloud computing control node is specifically configured to determine, when it determines to migrate the virtual machine, the computing node that runs the virtual machine according to the interest information of the user.
8. The system according to claim 6, characterized in that:
the cloud computing control node is specifically configured to determine, when it determines to create the virtual machine, the computing node that runs the virtual machine according to the interest information of the user.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201510738195.4A CN105303102A (en) 2015-11-03 2015-11-03 Secure access method for virtual machine and virtual machine system

Publications (1)

Publication Number Publication Date
CN105303102A true CN105303102A (en) 2016-02-03

Family

ID=55200359

Country Status (1)

Country Link
CN (1) CN105303102A (en)

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20050258992A1 (en) * 2004-05-21 2005-11-24 Fontaine Paul A Digital-to-analog converter data rate reduction by interleaving and recombination through mixer switching
CN102292698A (en) * 2009-02-04 2011-12-21 思杰系统有限公司 Methods and systems for automated management of virtual resources in a cloud computing environment
CN102707985A (en) * 2011-03-28 2012-10-03 中兴通讯股份有限公司 Access control method and system for virtual machine system
CN102811239A (en) * 2011-06-03 2012-12-05 中兴通讯股份有限公司 Virtual machine system and safety control method thereof
CN103533086A (en) * 2013-10-31 2014-01-22 中国科学院计算机网络信息中心 Uniform resource scheduling method in cloud computing system
CN103902884A (en) * 2012-12-28 2014-07-02 中国电信股份有限公司 System and method for protecting data of virtual machine

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
Qiao Ran et al., "Research and implementation of security mechanisms between customer virtual machines in cloud computing" (乔然等: "云计算客户虚拟机间的安全机制研究与实现方法"), Computer Engineering (《计算机工程》) *

Cited By (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106713003A (en) * 2016-05-12 2017-05-24 深圳市深信服电子科技有限公司 Virtual node creating method and apparatus based on network topological diagram
CN106230830A (en) * 2016-08-03 2016-12-14 浪潮(北京)电子信息产业有限公司 A kind of virtual resource access control method and device
CN108521397A (en) * 2018-02-09 2018-09-11 华为技术有限公司 A kind of method and system accessing resource service
WO2019154175A1 (en) * 2018-02-09 2019-08-15 华为技术有限公司 Method and system for accessing resource services
CN108521397B (en) * 2018-02-09 2021-02-12 华为技术有限公司 Method and system for accessing resource service
CN110516431A (en) * 2019-08-29 2019-11-29 北京浪潮数据技术有限公司 Method, system, equipment and the storage medium of dynamic configuration virtual machine operations permission
CN110516431B (en) * 2019-08-29 2022-02-18 北京浪潮数据技术有限公司 Method, system, equipment and storage medium for dynamically configuring virtual machine operation authority
CN112487478A (en) * 2020-12-02 2021-03-12 星环信息科技(上海)股份有限公司 Data access control method, device, storage medium and database system
CN114285842A (en) * 2021-12-09 2022-04-05 华特数字科技有限公司 Electronic reading room building method and system based on cloud desktop

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
WD01 Invention patent application deemed withdrawn after publication (application publication date: 20160203)