CN112688913A - OpenStack security group optimization method - Google Patents

OpenStack security group optimization method

Info

Publication number: CN112688913A
Authority: CN (China)
Prior art keywords: security group, openstack, tenant, management network, virtual machine
Legal status: Granted (status as listed by Google Patents, not a legal conclusion)
Application number: CN202011342708.7A
Other languages: Chinese (zh)
Other versions: CN112688913B
Inventor: 范生越
Current assignee: Unicloud Technology Co Ltd
Original assignee: Unicloud Technology Co Ltd
Events: application filed by Unicloud Technology Co Ltd; priority to CN202011342708.7A; publication of CN112688913A; application granted; publication of CN112688913B; legal status Active; anticipated expiration

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention provides an OpenStack security group optimization method comprising the following steps: a tenant creates a custom security group, and a management network security group is created automatically when the tenant is provisioned; the tenant issues a purchase instruction and the virtual network card is updated; the purchase instruction is passed to a control layer, which passes the information to the Neutron layer of OpenStack; the tenant then selects a security group; and the configuration collected by the OpenStack layer is issued to the physical equipment through the driver of the agent. The method is highly flexible.

Description

OpenStack security group optimization method
Technical Field
The invention belongs to the field of cloud computing and virtualization, and particularly relates to an OpenStack security group optimization method.
Background
OpenStack Neutron provides two network security mechanisms for ECS instances: security groups and virtual firewalls. A security group filters the network traffic of the ECS instance on the compute node where the instance runs, using iptables; the virtual firewall filters packets on the router, again with iptables underneath. A security group provides stateful inspection and packet filtering. In cloud computing, security groups divide the cloud into security domains, and the ingress and egress traffic of the ECS instances in a security group is controlled by setting security group rules. In the security group scheme provided by OpenStack, a security group named default is created automatically for each tenant. A virtual machine using the default security group may send packets outward, but all external traffic is prohibited from entering the virtual machine (except traffic between two ECS instances that use the same default security group), and a tenant who has not created a new security group when creating an ECS instance is forced to use the default security group.
When a tenant creates an ECS virtual machine instance and no self-created security group other than the default one is available, the tenant is forced to use the default security group, which has the following disadvantages:
all the rules of the default security group are allow rules, which is a security risk;
some PaaS products that depend on ECS virtual machines, such as RDS databases, containers and Kafka, are implemented on virtual machines; making them highly available requires more virtual machines, all of which use the default security group. The tenant is unaware of the virtual machines that support the product, yet once the rules of the default security group are changed, normal use of the product is affected;
in several scenarios some products need interconnection between the tenant network and the management network (hereinafter, tenant-management interconnection). This requires breaking through the communication barrier between the management network and the tenant network: traffic entering the virtual machine cannot be prohibited completely, because packets from the management network must be able to reach the virtual machine. A virtual machine using the default security group filters management network traffic, so the requirement of tenant-management interconnection cannot be met.
Disclosure of Invention
In view of this, the present invention is directed to an OpenStack security group optimization method to solve the inherent limitation problem of the default security group.
In order to achieve the purpose, the technical scheme of the invention is realized as follows:
An OpenStack security group optimization method comprises the following steps:
S1: a tenant creates a custom security group, and a management network security group is created automatically when the tenant is provisioned;
S2: the tenant issues a purchase instruction;
S3: the virtual network card is updated and the purchase instruction is passed to a control layer; the control layer decides, according to the type of product the tenant purchased, whether the virtual machine needs tenant-management interconnection, allows the management network addresses, and passes the information to the Neutron layer of OpenStack;
S4: when binding security groups, if the virtual machine needs tenant-management interconnection, the Neutron layer automatically binds the management network security group to the virtual machine according to the information from the control layer and stores the binding relationship; the virtual machine is unbound from the management network security group when the virtual machine is deleted. After the automatic binding, step S5 is performed; if the tenant does not need tenant-management interconnection, step S5 is performed directly;
S5: the tenant selects a security group: if no security group is selected, step S6 is performed directly; if one is selected, the custom security group previously created by the tenant is chosen and bound to the virtual machine, and step S6 is performed after binding;
S6: the configuration saved by the OpenStack layer is issued to the physical equipment through the driver of the agent.
Further, the management network security group allows the required management network IP addresses in both the outgoing and incoming directions, and these management network IP addresses are shared by all tenants.
Further, tenant-management interconnection requires the security group to allow the management network.
Further, tenant-management interconnection is an internal operation of the PaaS product.
Further, tenant-management interconnection requires the IP addresses to be allowed, and the management network security group is invisible and imperceptible to the tenant.
Further, the custom security group is visible and perceptible to the tenant.
Further, a control layer above OpenStack controls the operation of all security groups.
Compared with the prior art, the OpenStack security group optimization method has the following advantages:
(1) The OpenStack security group optimization method of the invention consists mainly of two modifications: the default security group is removed from Neutron, and a control layer above OpenStack controls the operation of all security groups. The default security group that comes with OpenStack is no longer used, so all traffic in both the outgoing and incoming directions of a virtual machine is prohibited until a security group is bound; the virtual machine is therefore more secure, and all security groups of a tenant are fully and independently controllable. The invention additionally requires a management network security group whose rules allow the management network; this group is bound to the virtual machine automatically, so the management network IP addresses are allowed without the tenant's involvement.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate an embodiment of the invention and, together with the description, serve to explain the invention and not to limit the invention. In the drawings:
fig. 1 is a structural diagram of OpenStack security group optimization according to an embodiment of the present invention;
fig. 2 is a flowchart of an OpenStack Neutron part according to an embodiment of the present invention.
Detailed Description
It should be noted that the embodiments and features of the embodiments may be combined with each other without conflict.
In the description of the present invention, it is to be understood that the terms "center", "longitudinal", "lateral", "up", "down", "front", "back", "left", "right", "vertical", "horizontal", "top", "bottom", "inner", "outer", and the like, indicate orientations or positional relationships based on those shown in the drawings, and are used only for convenience in describing the present invention and for simplicity in description, and do not indicate or imply that the referenced devices or elements must have a particular orientation, be constructed and operated in a particular orientation, and thus, are not to be construed as limiting the present invention. Furthermore, the terms "first", "second", etc. are used for descriptive purposes only and are not to be construed as indicating or implying relative importance or implicitly indicating the number of technical features indicated. Thus, a feature defined as "first," "second," etc. may explicitly or implicitly include one or more of that feature. In the description of the present invention, "a plurality" means two or more unless otherwise specified.
In the description of the present invention, it should be noted that, unless otherwise explicitly specified or limited, the terms "mounted", "connected" and "linked" are to be construed broadly, e.g., as meaning a fixed connection, a removable connection or an integral connection; a mechanical or an electrical connection; a direct connection or an indirect connection through intervening media; or an internal connection between two elements. The specific meaning of the above terms in the present invention can be understood by those of ordinary skill in the art according to the specific situation.
The present invention will be described in detail below with reference to the embodiments with reference to the attached drawings.
Explanation of terms:
Neutron is the component of the OpenStack project responsible for providing network services; it implements resource management under network virtualization based on the idea of software-defined networking.
ECS (Elastic Compute Service, cloud server) is a computing service that is simple, efficient, safe, reliable and flexible in processing capability.
OpenStack is an open-source cloud computing management platform project, a combination of a series of open-source software projects.
PaaS is the abbreviation of Platform as a Service. It is a business model in which a server platform is provided as a service: a service delivered by a program over the network is called SaaS (Software as a Service), while providing the server platform or development environment of the cloud computing era as a service is called PaaS (Platform as a Service).
iptables is the user-space IP packet filtering tool for the netfilter framework built into the Linux kernel (present since kernel 2.4).
RDS is short for Relational Database Service, an online database service that is ready to use, stable, reliable and elastically scalable.
driver: the software component that configures the hardware devices.
Default security group: the security group named default that Neutron creates automatically for each tenant.
As shown in fig. 1-2, an OpenStack security group optimization method includes the following steps:
S1: a tenant creates a custom security group, which is the group chosen when the tenant selects a security group; a management network security group is created automatically when the tenant is provisioned. The IP addresses allowed by the rules of the management network security group are controllable and highly flexible: the rules of the management network security group allow the management network IP addresses without the tenant being aware of them, which satisfies the need of PaaS products to have the management network IP addresses allowed;
S2: the tenant issues a purchase instruction;
S3: the virtual network card is updated and the purchase instruction is passed to a control layer; the control layer decides, according to the type of product the tenant purchased, whether the virtual machine needs tenant-management interconnection, allows the management network addresses, and passes the information to the Neutron layer of OpenStack; the IP addresses must be allowed because of the tenant-management interconnection;
S4: when binding security groups, if the virtual machine needs tenant-management interconnection, the Neutron layer automatically binds the management network security group to the virtual machine according to the information from the control layer and stores the binding relationship; the virtual machine is unbound from the management network security group when the virtual machine is deleted. After the automatic binding, step S5 is performed, which facilitates tenant-management interconnection; if the tenant does not need tenant-management interconnection, step S5 is performed directly;
S5: the tenant selects a security group: if no security group is selected, step S6 is performed directly; if one is selected, the custom security group previously created by the tenant is chosen and bound to the virtual machine, and step S6 is performed after binding, so that the tenant retains a degree of choice and flexibility is improved;
S6: the configuration saved by the OpenStack layer is issued to the physical equipment through the driver of the agent.
The management network security group allows the required management network IP addresses in both the outgoing and incoming directions, and these IP addresses are shared by all tenants. Tenant-management interconnection requires the security group to allow the management network; it is an internal operation of the PaaS product; and it requires the IP addresses to be allowed. The management network security group is invisible and imperceptible to tenants, and the IP addresses allowed by its rules are controllable and highly flexible. The custom security group is visible and perceptible to the tenant. The control layer above OpenStack controls the operation of all security groups, which makes the virtual machine more secure.
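The following is an added example, not code from the patent, from Unicloud or from OpenStack itself. It models in Python the two things the text describes: the Background's account of Neutron's default security group (all egress allowed, ingress only from members of the same group), and steps S3 to S5 above, where a control layer binds a hidden management network security group by product type, records the binding, adds the tenant's custom group, and unbinds on deletion. The management network 10.0.0.0/24, the product names "rds"/"kafka"/"container"/"ecs" and every address are constructed assumptions; protocol and port matching, which real Neutron rules also carry, are left out. The check a practitioner would want is the one the model makes explicit: every rule of the management network group must be scoped to the management CIDR, so binding it exposes the virtual machine to the management hosts and to nothing else, and the group must be hidden from the tenant-facing listing so a tenant can neither edit nor remove it.

```python
"""Model of Neutron security-group filtering and of the hidden management-network
group this patent adds.  Added example, not code from the patent or from OpenStack.
Assumed (not in the page): management network 10.0.0.0/24; "rds"/"kafka"/"container"
as the PaaS products needing tenant-management interconnection; "ecs" as a plain VM."""
import ipaddress
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Rule:                          # protocol/port matching deliberately left out
    direction: str                   # "ingress" or "egress", as in Neutron
    remote_ip_prefix: str = None     # allow if the remote end is inside this CIDR ...
    remote_group_id: str = None      # ... or is a member of this security group

@dataclass
class SecurityGroup:
    id: str
    name: str
    rules: list = field(default_factory=list)
    hidden: bool = False             # management group: invisible to the tenant

@dataclass
class Port:
    vm_id: str
    ip: str
    groups: list = field(default_factory=list)

MGMT_CIDR = "10.0.0.0/24"                      # assumed management network
PAAS_PRODUCTS = {"rds", "kafka", "container"}  # assumed product types

def neutron_default_sg(project):
    """Neutron's 'default' group (Background): all egress, ingress only from members."""
    sg = SecurityGroup(id=f"default-{project}", name="default")
    sg.rules = [Rule("egress", remote_ip_prefix="0.0.0.0/0"), Rule("ingress", remote_group_id=sg.id)]
    return sg

def management_sg():
    """The patent's management-network group: management CIDR only, both directions, hidden."""
    return SecurityGroup("mgmt-sg", "management-network", hidden=True,
                         rules=[Rule("ingress", MGMT_CIDR), Rule("egress", MGMT_CIDR)])

class ControlLayer:
    """Steps S3-S5: management group bound automatically by product type, then the tenant's own."""
    def __init__(self):
        self.mgmt = management_sg()
        self.bindings = {}   # vm_id -> management group id (the binding stored in S4)

    def purchase(self, vm_id, ip, product, custom_sg=None):
        port = Port(vm_id, ip)
        if product in PAAS_PRODUCTS:         # S3/S4: automatic, the tenant never sees it
            port.groups.append(self.mgmt)
            self.bindings[vm_id] = self.mgmt.id
        if custom_sg is not None:            # S5: the tenant's visible custom group
            port.groups.append(custom_sg)
        return port

    def delete_vm(self, vm_id):
        self.bindings.pop(vm_id, None)       # S4: unbind when the VM is deleted

    @staticmethod
    def tenant_visible_groups(port):
        return [g.name for g in port.groups if not g.hidden]

def _members(group_id, ports):
    return {p.ip for p in ports if any(g.id == group_id for g in p.groups)}

def allowed(port, direction, remote_ip, all_ports):
    """Default deny: a packet passes only if a rule of some bound group matches."""
    remote = ipaddress.ip_address(remote_ip)
    for r in [r for sg in port.groups for r in sg.rules if r.direction == direction]:
        if r.remote_ip_prefix and remote in ipaddress.ip_network(r.remote_ip_prefix):
            return True
        if r.remote_group_id and remote_ip in _members(r.remote_group_id, all_ports):
            return True
    return False

def demo():
    """Constructed scenario: two VMs in the default group, then an RDS VM and a plain ECS VM."""
    default = neutron_default_sg("tenant-a")
    a = Port("vm-a", "192.168.1.10", [default])
    b = Port("vm-b", "192.168.1.11", [default])
    ctl = ControlLayer()
    web = SecurityGroup("web-sg", "web", rules=[Rule("ingress", "203.0.113.0/24")])
    rds = ctl.purchase("rds-1", "192.168.1.20", "rds")               # no custom group chosen
    ecs = ctl.purchase("ecs-1", "192.168.1.30", "ecs", custom_sg=web)
    ports = [a, b, rds, ecs]
    out = {
        "default: vm-b -> vm-a": allowed(a, "ingress", "192.168.1.11", ports),
        "default: internet -> vm-a": allowed(a, "ingress", "198.51.100.9", ports),
        "default: vm-a -> internet": allowed(a, "egress", "198.51.100.9", ports),
        "rds: mgmt host -> vm": allowed(rds, "ingress", "10.0.0.5", ports),
        "rds: internet -> vm": allowed(rds, "ingress", "198.51.100.9", ports),
        "rds: groups tenant sees": ctl.tenant_visible_groups(rds),
        "ecs: mgmt host -> vm": allowed(ecs, "ingress", "10.0.0.5", ports),
        "ecs: web client -> vm": allowed(ecs, "ingress", "203.0.113.7", ports),
        "ecs: groups tenant sees": ctl.tenant_visible_groups(ecs),
    }
    ctl.delete_vm("rds-1")
    out["rds bound after delete"] = "rds-1" in ctl.bindings
    return out
```

Calling demo() gives the outcomes the text argues for: under the default group a member VM can reach another member but an internet address cannot, while egress is open; the RDS virtual machine admits the management host and still drops the internet address, and its tenant-visible group list is empty because the management group is hidden; the plain ECS virtual machine with only the tenant's web group drops the management host; and after deletion the RDS binding is gone. On a real deployment the equivalent check is to list the rules of the management group and confirm that every remote_ip_prefix is the management CIDR and none is 0.0.0.0/0.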
The above description is only for the purpose of illustrating the preferred embodiments of the present invention and is not to be construed as limiting the invention, and any modifications, equivalents, improvements and the like that fall within the spirit and principle of the present invention are intended to be included therein.

Claims (7)

1. An OpenStack security group optimization method, characterized by comprising the following steps:
S1: a tenant creates a custom security group, and a management network security group is created automatically when the tenant is provisioned;
S2: the tenant issues a purchase instruction;
S3: the virtual network card is updated and the purchase instruction is passed to a control layer; the control layer decides, according to the type of product the tenant purchased, whether the virtual machine needs tenant-management interconnection, allows the management network addresses, and passes the information to the Neutron layer of OpenStack;
S4: when binding security groups, if the virtual machine needs tenant-management interconnection, the Neutron layer automatically binds the management network security group to the virtual machine according to the information from the control layer and stores the binding relationship; the virtual machine is unbound from the management network security group when the virtual machine is deleted; after the automatic binding, step S5 is performed; if the tenant does not need tenant-management interconnection, step S5 is performed directly;
S5: the tenant selects a security group: if no security group is selected, step S6 is performed directly; if one is selected, the custom security group previously created by the tenant is chosen and bound to the virtual machine, and step S6 is performed after binding;
S6: the configuration saved by the OpenStack layer is issued to the physical device through the driver of the agent.
2. The OpenStack security group optimization method according to claim 1, wherein: the management network security group allows the required management network IP addresses in both the outgoing and incoming directions, and these IP addresses are shared by all tenants.
3. The OpenStack security group optimization method according to claim 1, wherein: tenant-management interconnection requires the security group to allow the management network.
4. The OpenStack security group optimization method according to claim 1, wherein: tenant-management interconnection is an internal operation of the PaaS product.
5. The OpenStack security group optimization method according to claim 1, wherein: tenant-management interconnection requires the IP addresses to be allowed, and the management network security group is invisible and imperceptible to tenants.
6. The OpenStack security group optimization method according to claim 1, wherein: the custom security group is visible and perceptible to the tenant.
7. The OpenStack security group optimization method according to claim 1, wherein: the control layer above OpenStack controls the operation of all security groups.

Priority Applications (1)

Application Number: CN202011342708.7A (granted as CN112688913B, Active)
Priority Date: 2020-11-25
Filing Date: 2020-11-25
Title: OpenStack security group optimization method


Publications (2)

Publication Number Publication Date
CN112688913A true CN112688913A (en) 2021-04-20
CN112688913B CN112688913B (en) 2023-03-24

Family

ID=75446834


Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JPH07273764A (en) * 1994-04-01 1995-10-20 Fujitsu Ltd Network management system
US6832120B1 (en) * 1998-05-15 2004-12-14 Tridium, Inc. System and methods for object-oriented control of diverse electromechanical systems using a computer network
CN104007997A (en) * 2013-02-22 2014-08-27 中兴通讯股份有限公司 Virtual machine security group configuration method and device
US20140289399A1 (en) * 2013-03-19 2014-09-25 Fujitsu Limited Apparatus and method of detecting migration completion of virtual machine
CN105554015A (en) * 2015-12-31 2016-05-04 北京轻元科技有限公司 Management network and method for multi-tenant container cloud computing system
CN111131212A (en) * 2019-12-17 2020-05-08 紫光云(南京)数字技术有限公司 OpenStack-based binding security group method




Legal Events

Code Title
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant