WO2016095762A1 - Virtual machine access control method and virtual machine access control system - Google Patents


Info

Publication number
WO2016095762A1
Authority
WO
WIPO (PCT)
Application number
PCT/CN2015/097177
Inventor
章宇
魏治安
Original Assignee
华为技术有限公司


Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00 Arrangements for program control, e.g. control units
    • G06F9/06 Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/44 Arrangements for executing specific programs
    • G06F9/455 Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines

Definitions

  • the present invention relates to the field of communications technologies, and in particular, to a virtual machine access control method and a virtual machine access control system.
  • volume access performance (read and write performance) of a virtual machine is an important indicator of virtual machine performance. Therefore, increasing the volume read and write bandwidth of a virtual machine is important for the performance of applications running on virtual machines. At the same time, virtual machine volume read and write performance management is also an important part of virtual machine performance quality of service (QoS).
  • QoS: quality of service (here, quality of service of virtual machine performance)
  • LVM: Logical Volume Manager
  • serial access is as follows: many processes (Process, Proc) run on the virtual machine, and each process generates data access operations. These operations may be directed to the same volume, that is, they are data access operations on a single volume. The data access requests from multiple processes are obtained by the virtual machine's disk controller and sent serially to that single volume; the access results are then received by the disk controller and forwarded to the process corresponding to each result.
  • Any VM can be connected to one or more volumes. Each volume is controlled by one controller. All accesses to a volume by processes on this virtual machine must be sent serially through the disk controller of that volume.
  • the volume disk controller is a module of the virtual machine hypervisor and can be implemented in software.
  • the above serial access scheme avoids the problem that access operations sent out in parallel may complete out of order and thus introduce errors, but serial access is slow, which seriously limits the performance of the virtual machine.
  • the embodiment of the invention provides a virtual machine access control method, and a virtual machine access control system, which is used to improve the access speed of the virtual machine to the storage device and improve the performance of the virtual machine.
  • An embodiment of the present invention provides an access control method, where the method is applied to a virtual machine access control system, where the virtual machine access control system includes at least one mapper and at least two access agents, and the mapper is used to establish a mapping relationship between a process and an access agent corresponding to the process, the method includes:
  • the first access agent receives an access request generated by a process that is in a mapping relationship with the first access agent; the first access agent is any access agent in the virtual machine access control system;
  • the first access agent sends the access request to a destination specified by the access request.
  • the virtual machine access control system includes one mapper; the virtual hardware interface of the mapper establishes a communication connection with all processes managed by the virtual machine access control system.
  • the virtual machine access control system includes the same number of the mappers as the number of the access agents;
  • the mapper, driven by its driver context, establishes a communication connection with the process; the mapper establishing a mapping relationship between the process and the access proxy corresponding to the process includes: the mapper maps the to-be-mapped process to a virtual hardware interface of the access agent corresponding to the to-be-mapped process, where the to-be-mapped process is a process that has established a communication connection with the mapper.
  • the mapper maps the to-be-mapped process to the virtual hardware interface of the access proxy corresponding to the to-be-mapped process, including:
  • the mapper receives the configuration information, and maps the to-be-mapped process to a virtual hardware interface of the access proxy corresponding to the to-be-mapped process according to the configuration information.
  • the mapper includes an application binary interface ABI;
  • the ABI includes: a protocol standard ABI, a configuration interface ABI, and at least two hardware interface ABIs;
  • the protocol standard ABI is used to specify the communication protocol used by the at least two hardware interface ABIs and the configuration interface ABI; the configuration interface ABI is used to receive configuration information.
  • the process includes a process identifier (ID) and a state identifier used to identify whether the process is in the system state or the user state; processes with the same process ID are treated as one process, or processes with the same process ID and the same state identifier are treated as one process.
  • before the first access proxy sends the access request to the destination specified by the access request, the method also includes:
  • the first access proxy caches the received access request
  • Sending, by the first accessing proxy, the access request to the destination specified by the access request includes:
  • the first access proxy sends the cached access requests to the destination specified by the access request in descending order of the priority of the processes that generated them; or the first access proxy sends the cached access requests to the destination specified by the access request according to the first-in-first-out principle.
  • before the first access proxy sends the access request to the destination specified by the access request, the method also includes:
  • the first access agent sends an authentication request to the destination end of the access request, and after receiving the permission information indicating that authentication passed, adds the permission information to the access request.
  • a second embodiment of the present invention provides a virtual machine access control system, where the virtual machine access control system includes: at least one mapper and at least two access agents;
  • the mapper is configured to establish a mapping relationship between a process and an access agent corresponding to the process
  • Each access agent includes:
  • a receiving unit configured to receive an access request generated by a process that is mapped to the access agent
  • a sending unit configured to send the access request to the destination end specified by the access request.
  • the virtual machine access control system includes one mapper; the virtual hardware interface of the mapper establishes a communication connection with all processes managed by the virtual machine access control system.
  • the virtual machine access control system includes the same number of mappers as access agents; the mapper, after being driven by its driver context, establishes a communication connection with the process;
  • the mapper is specifically configured to map a process to be mapped to a virtual hardware interface of an access proxy corresponding to the to-be-mapped process, where the to-be-mapped process is a process of establishing a communication connection with the mapper.
  • the mapper includes:
  • An information receiving unit configured to receive configuration information
  • a mapping subunit configured to map the to-be-mapped process to a virtual hardware interface of the access proxy corresponding to the to-be-mapped process according to the configuration information received by the information receiving unit.
  • the mapper includes an application binary interface ABI;
  • the ABI includes: a protocol standard ABI, a configuration interface ABI, and at least two hardware interface ABIs;
  • the protocol standard ABI is used to specify the at least two hardware interfaces ABI and the communication protocol used by the configuration interface ABI;
  • the configuration interface ABI is configured to receive configuration information.
  • the process includes a process identifier (ID) and a state identifier used to identify whether the process is in the system state or the user state;
  • the mapper is further configured to determine that processes having the same process ID and having different state identifiers belong to different processes, or that processes having the same process ID belong to one process.
  • the access proxy further includes:
  • a cache unit configured to cache the received access request before the sending unit sends the access request to the destination end specified by the access request
  • the sending unit is specifically configured to send the cached access requests to the destination specified by the access request in order of the priority of the processes that generated them; or to send the cached access requests to the destination specified by the access request according to the first-in-first-out principle.
  • the access proxy further includes:
  • an authentication unit configured to send an authentication request to the destination end of the access request before the sending unit sends the access request to that destination end;
  • an adding unit configured to add the permission information to the access request after the permission information indicating that authentication passed is received.
  • the embodiment of the present invention has the following advantages: the mapper establishes a mapping relationship between the process and the access proxy, the access proxy then receives the access requests generated by its corresponding process, and the access requests sent out by different access proxies are all parallel, that is, access requests generated by processes corresponding to different access agents are executed in parallel, so that the access speed of the virtual machine to the storage device and thus the performance of the virtual machine can be improved.
  • FIG. 1 is a schematic flowchart of a method according to an embodiment of the present invention.
  • FIG. 2A is a schematic structural diagram of a system according to an embodiment of the present invention.
  • FIG. 2B is a schematic structural diagram of a system according to an embodiment of the present invention.
  • FIG. 2C is a schematic structural diagram of a system according to an embodiment of the present invention.
  • FIG. 3 is a schematic structural diagram of a distributed block storage system according to an embodiment of the present invention.
  • FIG. 4 is a schematic structural diagram of a virtual disk controller according to an embodiment of the present invention.
  • FIG. 5 is a schematic structural diagram of an ABI design according to an embodiment of the present invention.
  • FIG. 6 is a schematic diagram of an internal structure of an access proxy according to an embodiment of the present invention.
  • FIG. 7 is a schematic diagram of an access sequence process according to an embodiment of the present invention.
  • FIG. 8 is a schematic structural diagram of another virtual disk controller according to an embodiment of the present invention.
  • FIG. 9 is a schematic structural diagram of a system according to an embodiment of the present invention.
  • FIG. 10 is a schematic structural diagram of a system according to an embodiment of the present invention.
  • FIG. 11 is a schematic structural diagram of a system according to an embodiment of the present invention.
  • FIG. 12 is a schematic structural diagram of a system according to an embodiment of the present invention.
  • FIG. 13 is a schematic structural diagram of a system according to an embodiment of the present invention.
  • FIG. 14 is a schematic structural diagram of an access control apparatus according to an embodiment of the present invention.
  • An embodiment of the present invention provides an access control method.
  • the foregoing method is applied to a virtual machine access control system, where the virtual machine access control system includes at least one mapper and at least two access agents.
  • the mapper is used to establish a mapping relationship between the process and the access proxy corresponding to the process.
  • different processes may be identified by a process identifier (Identity, ID) alone, or by a process ID together with a state identifier that indicates whether the process is in the system state or the user state.
  • the virtual machine access control system is part of a hypervisor that manages access to data storage volumes by various processes running on the virtual machine. As shown in FIG. 1, the above method includes:
  • the first access proxy receives an access request generated by a process that is mapped to the first access proxy; the first access proxy is any access proxy in the virtual machine access control system;
  • the first access proxy sends the access request to the destination specified by the access request.
  • the direction of the arrow is the transmission direction of the access request; the access result is returned in the reverse direction.
  • the mapper establishes a mapping relationship between the process and the access proxy, the access proxy then receives the access requests generated by its corresponding process, and the outgoing access requests of different access agents are parallel, that is, access requests generated by processes corresponding to different access agents are executed in parallel, so that the access speed of the virtual machine to the storage device and thus the performance of the virtual machine can be improved.
  • the correspondence between the access agent and the process may specifically be as follows: one access agent corresponds to one process, or one access agent corresponds to a set number of processes, where the higher the priority of a process, the smaller the set number; the set number is greater than one.
  • FIG. 2A and 2C are schematic diagrams of an access proxy corresponding to a process
  • FIG. 2B is a schematic diagram of an access proxy corresponding to a set number of processes. Looking at the entire virtual machine access control system, whether it is FIG. 2A or FIG. 2B, the access requests between the access agents are all parallel; wherein the access requests between the processes of FIG. 2A are also parallel.
  • the number of mappers can be set arbitrarily, for example as follows: the virtual machine access control system includes one mapper, and the virtual hardware interface of the mapper establishes a communication connection with all processes managed by the virtual machine access control system.
  • the number of mappers can also be set as follows: the virtual machine access control system includes the same number of mappers as access agents; the mapper is driven by its driver context to establish a communication connection with the process;
  • the mapper establishing a mapping relationship between the process and the access proxy corresponding to the process means that the mapper maps the to-be-mapped process to a virtual hardware interface of the access proxy corresponding to the to-be-mapped process, where the to-be-mapped process is a process that has established a communication connection with the mapper.
  • FIG. 2C includes multiple mappers.
  • the purpose of using multiple mappers is to avoid the situation where, with only one mapper, the access requests of all processes are sent to that single mapper and serialized on its virtual hardware interface, so that the virtual hardware interface becomes the limiting factor and the performance of the virtual machine access control system cannot be maximized.
  • the structure shown in Figure 2C can be used as a preferred implementation.
  • the mapping between the process and the access agent can be fixed or configurable. If it is configurable, the initial quality of service (QoS) management can be implemented for each process. Specifically, if the number of the mappers is the same as the number of access agents, the mapper maps the to-be-mapped process to the hardware interface of the access proxy corresponding to the to-be-mapped process, including:
  • the mapper receives the configuration information, and maps the to-be-mapped process to the hardware interface of the access proxy corresponding to the to-be-mapped process according to the foregoing configuration information.
  • the embodiment of the present invention further provides an optional implementation of the interface of the mapper as follows: the mapper includes an application binary interface ABI; the ABI includes: a protocol standard ABI, a configuration interface ABI, and at least two hardware interfaces ABI;
  • the above protocol standard ABI is used to specify the communication protocol used by the at least two hardware interfaces ABI and the configuration interface ABI; the configuration interface ABI is configured to receive configuration information.
  • the process identifier (Identity, ID) spaces of system-state and user-state processes may overlap, that is, processes with the same process ID may exist in both the system state and the user state. In order to distinguish different processes more accurately, the embodiment of the invention further provides the following solution: the foregoing process includes a process ID and a state identifier for identifying whether the process is in the system state or the user state; processes with the same process ID are one process, or processes with the same process ID and the same state identifier are one process.
  • the latter solution distinguishes different processes more accurately. It can be understood that in the latter scheme, processes having the same process ID but different state identifiers are different processes.
  • the embodiment of the present invention further provides a technical solution for buffering access requests in order to manage them, as follows: before the first access proxy sends the access request to the destination specified by the access request, the method also includes:
  • the first access proxy caches the received access request
  • the foregoing first access proxy sends the foregoing access request to the destination specified by the access request, including:
  • the first access proxy sends the cached access requests to the destination specified by the access request in order from highest to lowest priority of the processes that generated them; or the first access proxy sends the cached access requests to the destination specified by the access request according to the first-in-first-out principle.
  • the specific cache mode may be a cache queue, or another caching manner; the cache mode is not limited in this embodiment.
  • QoS management of processes can be realized by caching access requests in the access proxy and then sending them according to the access policy.
  • the embodiment further provides an implementation scheme in which the access proxy performs authentication, specifically as follows: before the first access proxy sends the access request to the destination specified by the access request, the method also includes:
  • the first access agent sends an authentication request to the destination end of the access request, and after receiving the permission information indicating that authentication passed, adds the permission information to the access request.
  • the current volume adopts the logical structure of the distributed block storage system, and may also be referred to as the logical structure of the distributed block storage resource pool.
  • the hardware part of the distributed block storage resource pool mainly contains multiple general-purpose servers.
  • HDD: Hard Disk Drive
  • Each physical hard disk is combined with a daemon running on a general-purpose server for the physical hard disk to form a logical object storage.
  • OSD: Object Storage Device
  • a volume logically contains a large number of data blocks that are mapped to corresponding object storage.
  • a virtual disk controller based on a parallel architecture (corresponding to the controller in FIG. 3) and a driver corresponding to the disk controller are introduced on the virtual machine side to eliminate the single-point performance bottleneck on the virtual machine side. This enables multiple processes on a virtual machine to access multiple blocks of a volume in parallel, improving performance.
  • by introducing an access policy control mechanism into the parallel-architecture virtual disk controller, the volume read and write performance of each process can be controlled.
  • This embodiment is mainly implemented on the VM side.
  • the following embodiments will give two example implementations on the VM side.
  • the structure shown in FIG. 3 can be referred to together.
  • Figure 4 shows the logical structure inside the virtual disk controller based on the parallel architecture.
  • the operating system is the guest operating system of the virtual machine; the hypervisor is the hypervisor of the virtual machine; the controller is the virtual disk controller.
  • three processes Proc0 to Proc2 are illustrated; each process is connected to a mapper driven by a driver context, the mapper is connected to a virtual hardware interface, the virtual hardware interface is connected to an access proxy, and the access proxy is connected to a storage system such as the distributed block storage resource pool in Figure 3.
  • the virtual disk controller on the virtual machine side adopts a multi-process parallel structure, and the logical entity corresponding to each process is an access agent.
  • the access agent has a one-to-one correspondence with the virtual hardware interface.
  • the access agent interacts with the driver-driven mapper in the guest operating system through its corresponding virtual hardware interface, so there is an independent logical channel for each process. The downstream direction of an access request in the logical channel is: process, mapper, virtual hardware interface, and finally the access proxy, which forwards it to the destination specified by the access request. Therefore, each process can access the distributed block storage resource pool through a separate logical channel.
  • the administrator can configure the virtual hardware interface in the interface module through the management module of the virtual disk controller shown in FIG. 4, and can also configure the access agent.
  • the configuration may be implemented in the manner of virtual hardware configuration and management, that is, the guest system inside the VM accesses virtual registers.
  • the specific content of the configuration may include a protocol to be used, a port number used for communication, and the like. The specific content is not limited in this embodiment.
  • the controller driver module in the guest operating system reads the configured information through the configuration module.
  • the configuration information read by the configuration module may include the number of virtual hardware interfaces and the starting hardware address of each virtual hardware interface, because there is a correspondence between the driver context and the virtual hardware interface. Specifically, each driver context is told by the configuration module which virtual hardware interface it should access. To do this, the configuration module first reads the number of virtual hardware interfaces from the management module to determine how many driver contexts can be supported at most. Then the starting addresses of the different virtual hardware interfaces are configured into the respective driver contexts, so that each driver context accesses its own interface separately.
  • if the number of processes equals the number of access agents, each process corresponds to one access agent; if the number of processes is less than the number of access agents, each process also corresponds to one access agent; however, if the number of processes is greater than the number of access agents, multiple processes correspond to one access agent. When the number of processes is less than or equal to the number of access agents, all accesses to the volume are completely parallel; when the number of processes is greater than the number of access agents, the access agents still operate in parallel, but the processes handled by the same access agent are serialized.
  • this embodiment designs an ABI (application binary interface) for the virtual disk controller and develops the driver context accordingly.
  • the ABI design is shown in Figure 5 and includes: a protocol standard ABI, a configuration interface ABI, and virtual hardware interface 0 to virtual hardware interface N ABIs.
  • each interface ABI corresponds to a physical address range.
  • the ABI is designed to be compatible with the system architecture specification, and currently uses a Peripheral Component Interconnect Express (PCI-e) bus protocol, so that the operating system correctly recognizes the virtual hardware interface of the virtual disk controller.
  • PCI-e: Peripheral Component Interconnect Express
  • the ABI is designed to provide a configuration read and write interface ABI for the controller driver module in the guest operating system.
  • the designed ABI provides a separate ABI for each virtual hardware interface to allow multiple process drive contexts to access multiple virtual hardware interface ABIs in parallel.
  • the access agent is the core structure.
  • the internal structure of the access agent is shown in Figure 6. It includes the following sections:
  • Read/write queue: the read/write requests received by the virtual hardware interface are sent to the read/write queue.
  • the read/write request is for the read and write task of the data block.
  • the read/write queue can record the status of the read/write requests currently in the queue.
  • Configuration interface module: an interface module that receives configuration information sent by the management module and delivers it to the module that needs it.
  • the configuration information may include: configuration information of the access policy, configuration information of the cluster authentication, and the like.
  • Access policy module: determines the execution policy for the read/write requests in the read/write queue according to the access policy, such as a First-In First-Out (FIFO) policy, a priority control policy, and so on.
  • the access policy can be determined according to the access policy configuration information received from the configuration interface module.
  • FIFO: First-In First-Out
  • Priority scheduling: I/O access requests from different processes are given different priorities.
  • the access policy module sorts the accesses according to different priority values. The way the priority value is specified is not limited and can usually be specified directly by the system administrator. In this embodiment, the FIFO policy can be adopted by default, and the access policy module can be configured to adjust to the priority scheduling.
  • Cluster access authentication module: performs authentication between the access agent and the distributed storage resource pool on behalf of the access agent.
  • the authentication process can be as follows: The cluster access authentication module sends an authentication request to the distributed storage resource pool.
  • the information carried in the authentication request includes: the IP address of the storage cluster authentication module, the user name, and the user password. If the distributed storage resource pool grants the authentication request, it returns authentication permission information (such as a byte string representing the identity access authority and the authority information) to the cluster access authentication module, which can then notify the cluster read/write module that it may start executing read/write requests on the distributed storage resource pool.
  • the cluster access authentication module needs to notify the cluster read/write module of the above authentication permission information.
  • Cluster read/write module: after the cluster access authentication module passes authentication, this module executes the read/write requests in the read/write queue according to the execution policy determined by the access policy module.
  • the execution process may be: appending the above authentication permission information to the read/write request, and sending the information to the distributed storage resource pool.
  • the embodiment of the invention can also solve the out-of-sequence problem that may be caused by the read and write operations of the same data block from the same process.
  • if Proc1 issues a write request and a read request for the same data block and they are sent to different access agents, access agent A and access agent B, the accesses may be reordered, causing an error.
  • the process shown in Figure 7 is as follows:
  • the process Proc1 generates write requests and read requests for the same data block.
  • the write request is issued first.
  • the data read operation corresponding to the read request is processed by the access agent A, and the data write operation corresponding to the write request is processed by the access agent B.
  • the data read operation advances to the corresponding data block prior to the data write operation.
  • the read data is returned to Proc1, and the data obtained by Proc1 is actually the old data from before the write operation, resulting in an error.
  • to address this access disorder error, the structure of FIG. 4 introduces a mapping mechanism between processes and access agents. Specifically, by mapping all access requests from the same process to the same access agent, the access operations of the same process are guaranteed to be serial, thereby ensuring the correctness of the access operations.
  • the process ID spaces of system-state and user-state processes may overlap, that is, processes with the same process ID may exist in both the system state and the user state.
  • this embodiment needs the following information when determining the process:
  • mapping mechanism and the policy between the specific process and the accessing agent can be selected through configuration, and the specific embodiment of the present invention is not limited.
  • the embodiment of the present invention also provides another alternative implementation, a simplified architecture relative to the structure shown in FIG. This embodiment can be applied to a scenario in which the controller driver in the guest operating system cannot be replaced, or multiple fully parallel driver contexts cannot be supported.
  • a schematic diagram of the implementation of the simplified architecture of this embodiment is shown in FIG. 8.
  • the embodiment of the present invention further provides a virtual machine access control system 900, as shown in FIG. 9A or 9B.
  • the virtual machine access control system 900 includes at least one mapper 901 and at least two access agents 902;
  • the mapper 901 is configured to establish a mapping relationship between a process and the access agent 902 corresponding to the process.
  • each of the above access agents 902 includes:
  • a receiving unit 9021, configured to receive an access request generated by a process that is mapped to the access agent 902;
  • a sending unit 9022, configured to send the access request to the destination specified by the access request.
  • the mapper establishes a mapping relationship between the process and the access agent, so each access agent receives the access requests generated by its corresponding processes, and the outgoing access requests of different access agents are parallel; that is, access requests generated by processes corresponding to different access agents are executed in parallel. Therefore, the access speed of the virtual machine to the storage device can be increased and the performance of the virtual machine can be improved.
  • the number of mappers may be set arbitrarily, for example: as shown in FIG. 9A, the virtual machine access control system 900 includes one mapper 901; the virtual hardware interface of the mapper 901 establishes a communication connection with all processes managed by the virtual machine access control system 900.
  • alternatively, as shown in FIG. 9B, the number of mappers 901 included in the virtual machine access control system 900 is the same as the number of access agents 902; the mapper 901 is driven by its driver context and then establishes a communication connection with the process;
  • the mapper 901 is specifically configured to map a to-be-mapped process to the virtual hardware interface of the access agent 902 corresponding to the to-be-mapped process, where the to-be-mapped process is a process that has established a communication connection with the mapper 901.
  • the purpose of using multiple mappers is to avoid the situation, when only one mapper is included, in which the access requests of all processes are sent to that single mapper.
  • in that case the access requests are serialized on the virtual hardware interface of that mapper and may be limited by that virtual hardware interface,
  • so the performance of the virtual machine access control system cannot be maximized.
  • the structure shown in FIG. 9B can therefore be used as a preferred implementation.
  • the mapping relationship between the process and the access agent can be fixed or configurable. If it is configurable, initial QoS management can be implemented for each process through configuration. Specifically, as shown in FIG. 10, the mapper 901 includes:
  • an information receiving unit 1001, configured to receive configuration information;
  • a mapping sub-unit 1002, configured to map the to-be-mapped process to the virtual hardware interface of the access agent 902 corresponding to the to-be-mapped process according to the configuration information received by the information receiving unit 1001.
  • the embodiment of the present invention further provides an optional implementation of the interface of the mapper, as follows:
  • the mapper 901 includes an application binary interface (ABI);
  • the ABI includes: a protocol standard ABI, a configuration interface ABI, and at least two hardware interface ABIs;
  • the protocol standard ABI is used to specify the communication protocol used by the at least two hardware interface ABIs and the configuration interface ABI;
  • the configuration interface ABI is configured to receive configuration information.
  • the process ID spaces of system-state and user-state processes may overlap, that is, processes with the same process ID may exist in both the system state and the user state.
  • the embodiment of the present invention therefore further provides the following solution: the process includes a process identifier (ID) and a state flag indicating whether the process comes from the system state or the user state;
  • the mapper 901 is further configured to determine that processes having the same process ID but different state identifiers belong to different processes, or to determine that processes having the same process ID belong to one process.
  • the embodiment of the present invention further provides a technical solution in which access requests are cached in order to manage them, as follows:
  • the access agent 902 further includes:
  • a buffer unit 1201, configured to cache the received access request before the sending unit 9022 sends the access request to the destination specified by the access request;
  • the sending unit 9022 is specifically configured to send the cached access requests to the destination specified by the access request in descending order of the priority of the processes that generated them, or to send the cached access requests to the destination specified by the access request according to the first-in-first-out principle.
  • the specific caching manner may be a cache queue; this embodiment does not limit the use of other caching manners.
  • QoS management of processes can be realized by caching the access requests in the access agent and then sending them according to the access policy.
  • the embodiment further provides an implementation scheme in which the access agent performs authentication, as follows: as shown in FIG. 13, the access agent 902 further includes:
  • an authentication unit 1301, configured to send an authentication request to the destination of the access request before the sending unit 9022 sends the access request to the destination specified by the access request;
  • an adding unit 1302, configured to add the license information to the access request after receiving the license information indicating that the authentication passed.
  • the correspondence between access agents and processes may specifically be as follows: the mapper 901 is configured to map one process to one access agent 902, or to map a set number of processes to one access agent 902, where the higher the priority of the processes, the smaller the set number, and the set number is greater than one.
  • the embodiment of the present invention further provides a virtual machine access control device, applied to a virtual machine access control system, as shown in FIG. 14, including a processor 1401 and a memory 1402, where the memory 1402 can be used to cache data generated by the processor 1401 during data processing or data required during data processing;
  • the processor 1401 is configured to construct the virtual machine access control system, where the virtual machine access control system includes at least one mapper and at least two access agents, and the mapper is used to establish a mapping relationship between a process and the access agent corresponding to the process; a first access agent receives an access request generated by a process that is mapped to the first access agent, the first access agent being any access agent in the virtual machine access control system; and the first access agent sends the access request to the destination specified by the access request.
  • the mapper establishes a mapping relationship between the process and the access agent, so each access agent receives the access requests generated by its corresponding processes, and the outgoing access requests of different access agents are parallel; that is, the access requests generated by processes of different access agents are executed in parallel, so the access speed of the virtual machine to the storage device can be increased and the performance of the virtual machine can be improved.
  • the correspondence between access agents and processes may specifically be as follows: one access agent corresponds to one process, or one access agent corresponds to a set number of processes, where the higher the priority of the processes, the smaller the set number, and the set number is greater than one.
  • the number of mappers can be set arbitrarily, for example: the virtual machine access control system includes one mapper; the virtual hardware interface of the mapper establishes a communication connection with all processes managed by the virtual machine access control system.
  • alternatively: the virtual machine access control system includes the same number of mappers as access agents; the mapper is driven by its driver context and then establishes a communication connection with the process;
  • the mapper in the virtual machine access control system constructed by the processor 1401 is used to establish a mapping relationship between the process and the access agent corresponding to the process, specifically by mapping the to-be-mapped process to the virtual hardware interface of the access agent corresponding to the to-be-mapped process, where the to-be-mapped process is a process that has established a communication connection with the mapper.
  • the purpose of using multiple mappers is to avoid the situation, when only one mapper is included, in which the access requests of all processes are sent to that single mapper.
  • in that case the access requests are serialized on the virtual hardware interface of that mapper and may be limited by that virtual hardware interface,
  • so the performance of the access control system cannot be maximized. Therefore, a virtual machine access control structure using multiple mappers can be used as a preferred implementation.
  • the mapping relationship between the process and the access agent can be fixed or configurable. If it is configurable, initial QoS management can be implemented for each process through configuration. Specifically, if the number of mappers is the same as the number of access agents, the mapper in the virtual machine access control system constructed by the processor 1401 is configured to receive configuration information and to map the to-be-mapped process to the virtual hardware interface of the access agent corresponding to the to-be-mapped process according to that configuration information.
  • the embodiment of the present invention further provides an optional implementation of the interface of the mapper, as follows: the mapper includes an application binary interface (ABI); the ABI includes a protocol standard ABI, a configuration interface ABI, and at least two hardware interface ABIs; the protocol standard ABI is used to specify the communication protocol used by the at least two hardware interface ABIs and the configuration interface ABI; the configuration interface ABI is configured to receive configuration information.
  • the embodiment of the present invention further provides a technical solution in which access requests are buffered in order to manage them, as follows: before the first access agent in the virtual machine access control system constructed by the processor 1401 sends the access request to the destination specified by the access request, the first access agent caches the received access request; the first access agent then sends the cached access requests to the destination specified by the access request in descending order of the priority of the processes that generated them, or sends the cached access requests to the destination specified by the access request according to the first-in-first-out principle.
  • the specific caching manner may be a cache queue; this embodiment does not limit the use of other caching manners.
  • QoS management of processes can be realized by caching the access requests in the access agent and then sending them according to the access policy.
  • the embodiment further provides an implementation scheme in which the access agent performs authentication, specifically as follows: before the first access agent in the virtual machine access control system constructed by the processor 1401 sends the access request to the destination specified by the access request, the first access agent sends an authentication request to the destination of the access request, and after receiving the license information indicating that the authentication passed, adds the license information to the access request.
  • multiple processes in a single virtual machine can concurrently access a single volume, thereby significantly increasing the access bandwidth of the virtual machine to the volume.
  • process-level access QoS management is supported for multiple processes within a single virtual machine.
  • the disclosed system, apparatus, and method may be implemented in other manners.
  • the device embodiments described above are merely illustrative.
  • the division of the above units is only a logical functional division; in actual implementation there may be another manner of division, for example multiple units or components may be combined or integrated into another system, or some features may be omitted or not performed.
  • the mutual coupling, direct coupling or communication connection shown or discussed may be an indirect coupling or communication connection through some interface, device or unit, and may be in an electrical, mechanical or other form.
  • the units described as separate components may or may not be physically separated, and the components displayed as units may or may not be physical units, that is, they may be located in one place or distributed over multiple network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of the embodiment.
  • each functional unit in each embodiment of the present invention may be integrated into one processing unit, or each unit may exist physically separately, or two or more units may be integrated into one unit.
  • the above integrated unit can be implemented in the form of hardware or in the form of a software functional unit.
  • the integrated unit, if implemented in the form of a software functional unit and sold or used as a standalone product, may be stored in a computer-readable storage medium.
  • the technical solution of the present invention, or the part of it that is essential or contributes to the prior art, or all or part of the technical solution, may be embodied in the form of a software product stored in a storage medium.
  • a number of instructions are included to cause a computer device (which may be a personal computer, a server, a network device, etc.) to perform all or part of the steps of the methods described in the various embodiments of the present invention.
  • the foregoing storage medium includes: a USB flash drive, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, an optical disk, and the like.
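The following Python simulation is an added illustration, not code from the patent, of three points made above: mapping every request of one process to the same access agent (the Figure 7 ordering problem), identifying a process by process ID plus system/user state flag, and an access agent that buffers requests and sends them first-in-first-out or in descending process priority. The class and function names, the CRC32-based default mapping policy and the in-memory volume are constructed assumptions.

```python
from collections import deque
from dataclasses import dataclass
import heapq
import itertools
import zlib

@dataclass(frozen=True)
class Proc:
    pid: int
    state: str          # "system" or "user": the flag that tells equal PIDs apart
    priority: int = 0   # larger value = higher priority

@dataclass
class AccessRequest:
    proc: Proc
    op: str             # "read" or "write"
    block: int
    data: bytes = b""

class Volume:
    """Constructed destination end: an in-memory block store."""
    def __init__(self):
        self.blocks = {}

    def execute(self, req):
        if req.op == "write":
            self.blocks[req.block] = req.data
            return None
        return self.blocks.get(req.block)   # None models reading stale/missing data

class AccessAgent:
    """Buffers the requests of its mapped processes and sends them to the volume
    first-in-first-out or in descending priority of the issuing process."""
    def __init__(self, name, volume, policy="fifo"):
        self.name, self.volume, self.policy = name, volume, policy
        self._fifo, self._heap = deque(), []
        self._seq = itertools.count()   # tie-breaker: equal priority stays FIFO
        self.sent = []                  # (request, result) in the order actually sent

    def receive(self, req):
        if self.policy == "fifo":
            self._fifo.append(req)
        else:
            heapq.heappush(self._heap, (-req.proc.priority, next(self._seq), req))

    def flush(self):
        while self._fifo:
            self._send(self._fifo.popleft())
        while self._heap:
            self._send(heapq.heappop(self._heap)[2])

    def _send(self, req):
        self.sent.append((req, self.volume.execute(req)))

class Mapper:
    """Maps a process to exactly one access agent: explicit configuration wins,
    otherwise a fixed hash of the process key (a constructed default policy)."""
    def __init__(self, agents, config=None, distinguish_state=True):
        self.agents = agents
        self.config = dict(config or {})
        self.distinguish_state = distinguish_state

    def key(self, proc):
        # With the state flag, system PID 1 and user PID 1 are different processes.
        return (proc.pid, proc.state) if self.distinguish_state else (proc.pid,)

    def agent_for(self, proc):
        k = self.key(proc)
        idx = self.config.get(k, zlib.crc32(repr(k).encode()) % len(self.agents))
        return self.agents[idx]

    def dispatch(self, req):
        self.agent_for(req.proc).receive(req)

def figure7_scenario(use_mapper):
    """Proc1 writes block 7 and then reads it; returns what the read got back.
    Without the mapper the two requests land on different agents and, since agents
    run in parallel, the read may be served first and return the stale value."""
    vol = Volume()
    agents = [AccessAgent("A", vol), AccessAgent("B", vol)]
    proc1 = Proc(pid=1, state="user")
    reqs = [AccessRequest(proc1, "write", 7, b"new"), AccessRequest(proc1, "read", 7)]
    if use_mapper:
        mapper = Mapper(agents)
        for r in reqs:
            mapper.dispatch(r)
    else:
        agents[0].receive(reqs[0])       # write -> agent A
        agents[1].receive(reqs[1])       # read  -> agent B
    for a in reversed(agents):           # adversarial timing: B (read) runs before A (write)
        a.flush()
    return next(res for a in agents for req, res in a.sent if req.op == "read")

def priority_send_order(policy):
    """PIDs in the order one agent sends its buffered requests under `policy`."""
    agent = AccessAgent("A", Volume(), policy)
    for pid, prio in [(10, 1), (20, 5), (30, 3), (40, 5)]:
        agent.receive(AccessRequest(Proc(pid, "user", prio), "read", pid))
    agent.flush()
    return [req.proc.pid for req, _ in agent.sent]
```

`figure7_scenario(False)` returns `None` (stale read) while `figure7_scenario(True)` returns `b"new"`, and `priority_send_order("priority")` sends the two priority-5 requests first, in arrival order, before the lower priorities.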

Abstract

A virtual machine access control method and a virtual machine access control system. The virtual machine access control system (900) comprises at least one mapper (901) and at least two access agents (902), and the mapper (901) is used for establishing mappings between processes and the access agents (902) corresponding to the processes. The method comprises: a first access agent receives an access request generated by a process that has a mapping with the first access agent (101), wherein the first access agent is any one of the access agents in the virtual machine access control system; and the first access agent sends the access request to a destination terminal specified by the access request (102). The access agents (902) receive access requests generated by the processes corresponding to the access agents (902), the access requests sent outwards by the access agents (902) are in parallel, that is to say, the access requests generated by the processes corresponding to different access agents (902) are executed in parallel, and therefore the performance of a virtual machine is improved.

Description

Virtual machine access control method and virtual machine access control system
Technical field
The present invention relates to the field of communications technologies, and in particular to a virtual machine access control method and a virtual machine access control system.
Background
The volume access performance (read and write performance) of a virtual machine (VM) is an important indicator of virtual machine performance. Therefore, increasing the volume read/write bandwidth of a virtual machine is significant for the performance of applications running on the virtual machine. At the same time, management of virtual machine volume read/write performance is also an important part of virtual machine performance quality of service (QoS).
Currently, a virtual machine accesses a volume by serial access, for example with a kernel-based virtual machine (KVM) hypervisor whose block storage part uses mainstream storage devices or open-source storage technologies, such as the Logical Volume Manager (LVM).
The serial access scheme is implemented as follows: many processes (Proc) run on the virtual machine and generate data access operations, which may target the same volume, that is, data access operations on a single volume; the data access requests from multiple processes are obtained by the disk controller of the virtual machine and sent serially to the single volume, and the disk controller then receives the access results returned by the volume and forwards them to the process corresponding to each result.
Any VM may be connected to one or more volumes. Each volume is controlled by one controller. All accesses by the processes on this virtual machine to a given volume must be issued serially through the disk controller of that volume. The disk controller of a volume is a module of the virtual machine hypervisor and can be implemented in software.
The above serial access scheme avoids the problem that access operations issued in parallel would cause access results to be out of order and thus introduce potential errors, but serial access is slow and severely limits the performance improvement of the virtual machine.
Summary of the invention
Embodiments of the present invention provide a virtual machine access control method and a virtual machine access control system, used to increase the access speed of a virtual machine to a storage device and improve the performance of the virtual machine.
In a first aspect, an embodiment of the present invention provides an access control method applied to a virtual machine access control system, where the virtual machine access control system includes at least one mapper and at least two access agents, and the mapper is used to establish a mapping relationship between a process and the access agent corresponding to the process; the method includes:
a first access agent receives an access request generated by a process that has a mapping relationship with the first access agent, where the first access agent is any access agent in the virtual machine access control system;
the first access agent sends the access request to the destination specified by the access request.
With reference to the first aspect, in a first possible implementation, the virtual machine access control system includes one mapper; the virtual hardware interface of the mapper establishes a communication connection with all processes managed by the virtual machine access control system.
With reference to the first aspect, in a second possible implementation, the virtual machine access control system includes the same number of mappers as access agents;
the mapper establishes a communication connection with a process after being driven by the driver context of the mapper; the mapper being used to establish a mapping relationship between a process and the access agent corresponding to the process includes: the mapper maps a to-be-mapped process to the virtual hardware interface of the access agent corresponding to the to-be-mapped process, where the to-be-mapped process is a process that has established a communication connection with the mapper.
With reference to the second possible implementation of the first aspect, in a third possible implementation, the mapper mapping the to-be-mapped process to the virtual hardware interface of the access agent corresponding to the to-be-mapped process includes:
the mapper receives configuration information and maps the to-be-mapped process to the virtual hardware interface of the access agent corresponding to the to-be-mapped process according to the configuration information.
With reference to the first or second possible implementation of the first aspect, in a fourth possible implementation, the mapper includes an application binary interface (ABI); the ABI includes a protocol standard ABI, a configuration interface ABI and at least two hardware interface ABIs;
the protocol standard ABI is used to specify the communication protocol used by the at least two hardware interface ABIs and the configuration interface ABI; the configuration interface ABI is used to receive configuration information.
With reference to the first aspect or its first, second or third possible implementation, in a fifth possible implementation, the process includes a process identifier (ID) and a state identifier indicating whether the process comes from the system state or the user state; processes having the same process ID are one process, or processes having the same process ID and the same state identifier are one process.
With reference to the first aspect or its first, second or third possible implementation, in a sixth possible implementation, before the first access agent sends the access request to the destination specified by the access request, the method further includes:
the first access agent caches the received access request;
and the first access agent sending the access request to the destination specified by the access request includes:
the first access agent sends the cached access requests to the destination specified by the access request in descending order of the priority of the processes that generated them; or the first access agent sends the cached access requests to the destination specified by the access request according to the first-in-first-out principle.
With reference to the first aspect or its first, second or third possible implementation, in a seventh possible implementation, before the first access agent sends the access request to the destination specified by the access request, the method further includes:
the first access agent sends an authentication request to the destination specified by the access request, and after receiving the license information indicating that the authentication passed, adds the license information to the access request.
本发明实施例二方面提供了一种虚拟机访问控制系统,所述虚拟机访问控制系统包括:至少一个映射器和至少两个访问代理;A second embodiment of the present invention provides a virtual machine access control system, where the virtual machine access control system includes: at least one mapper and at least two access agents;
所述映射器,用于建立进程与所述进程对应的访问代理之间的映射关系;The mapper is configured to establish a mapping relationship between a process and an access agent corresponding to the process;
每个访问代理包括:Each access agent includes:
接收单元,用于接收由与所述访问代理有映射关系的进程产生的访问请求;a receiving unit, configured to receive an access request generated by a process that is mapped to the access agent;
发送单元,用于将所述访问请求发送给所述访问请求指定的目的端。And a sending unit, configured to send the access request to the destination end specified by the access request.
结合二方面的实现方式,在第一种可能的实现方式中,所述虚拟机访问控制系统包含的所述映射器数量为一个;所述映射器的虚拟硬件接口与所述虚拟机访问控制系统管理的所有进程建立通信连接。In combination with the implementation of the two aspects, in a first possible implementation manner, the virtual machine access control system includes the number of the mappers; the virtual hardware interface of the mapper and the virtual machine access control system All processes managed establish a communication connection.
结合二方面的实现方式,在第二种可能的实现方式中,所述虚拟机访问控制系统包含的所述映射器的数量与所述访问代理的数量相同;所述映射器由所述映射器的驱动上下文驱动后与进程建立通信连接;In combination with the implementation of the second aspect, in a second possible implementation manner, the virtual machine access control system includes the same number of the mappers as the access agent; the mapper is configured by the mapper After the driver context is driven, establish a communication connection with the process;
所述映射器,具体用于将待映射进程映射到与所述待映射进程对应的访问代理的虚拟硬件接口,所述待映射进程是与所述映射器建立通信连接的进程。The mapper is specifically configured to map a process to be mapped to a virtual hardware interface of an access proxy corresponding to the to-be-mapped process, where the to-be-mapped process is a process of establishing a communication connection with the mapper.
结合二方面的第二种可能的实现方式,在第三种可能的实现方式中,所述 映射器包括:In combination with the second possible implementation of the second aspect, in a third possible implementation manner, The mapper includes:
信息接收单元,用于接收配置信息;An information receiving unit, configured to receive configuration information;
映射子单元,用于按照所述信息接收单元接收到的配置信息将待映射进程映射到与所述待映射进程对应的访问代理的虚拟硬件接口。And a mapping subunit, configured to map the to-be-mapped process to a virtual hardware interface of the accessing proxy corresponding to the to-be-mapped process according to the configuration information received by the information receiving unit.
结合二方面的第一种或第二种可能的实现方式,在第四种可能的实现方式中,所述映射器包含应用程序二进制接口ABI;所述ABI包括:协议标准ABI、配置接口ABI、至少两个硬件接口ABI;所述协议标准ABI用于指定所述至少两个硬件接口ABI以及所述配置接口ABI使用的通信协议;In conjunction with the first or second possible implementation of the second aspect, in a fourth possible implementation, the mapper includes an application binary interface ABI; the ABI includes: a protocol standard ABI, a configuration interface ABI, At least two hardware interfaces ABI; the protocol standard ABI is used to specify the at least two hardware interfaces ABI and the communication protocol used by the configuration interface ABI;
所述配置接口ABI,用于接收配置信息。The configuration interface ABI is configured to receive configuration information.
结合二方面、二方面的第一种、第二种或第三种可能的实现方式,在第五种可能的实现方式中,所述进程包含进程标识ID和用于标识所述进程来自系统态或用户态的状态标识;In combination with the second aspect, the first, the second, or the third possible implementation of the second aspect, in a fifth possible implementation, the process includes a process identifier ID and is used to identify that the process is from a system state Or user status status identifier;
所述映射器,还用于确定具有相同进程ID并且具有不同状态标识的进程属于不同的进程,或者,确定具有相同进程ID的进程属于一个进程。The mapper is further configured to determine that processes having the same process ID and having different state identifiers belong to different processes, or that processes having the same process ID belong to one process.
结合二方面、二方面的第一种、第二种或第三种可能的实现方式,在第六种可能的实现方式中,所述访问代理还包括:In combination with the second aspect, the first, the second, or the third possible implementation of the second aspect, in a sixth possible implementation, the accessing the proxy further includes:
缓存单元,用于在所述发送单元将所述访问请求发送给所述访问请求指定的目的端之前,缓存接收到的访问请求;a cache unit, configured to cache the received access request before the sending unit sends the access request to the destination end specified by the access request;
所述发送单元,具体用于按照产生访问请求的进程的优先级从高到低依次将缓存的访问请求发送给所述访问请求指定的目的端;或者,按照先进先出的原则将缓存的访问请求发送给所述访问请求指定的目的端。The sending unit is specifically configured to sequentially send the cached access request to the destination specified by the access request according to the priority of the process that generates the access request; or, the cached access according to the first in first out principle The request is sent to the destination specified by the access request.
In combination with the second aspect or the first, second or third possible implementation of the second aspect, in a seventh possible implementation, the access proxy further includes:
an authentication unit, configured to send an authentication request to the destination specified by the access request before the sending unit sends the access request to that destination;
an adding unit, configured to add the permission information to the access request after permission information indicating that authentication succeeded has been received.
As can be seen from the above technical solution, the embodiments of the present invention have the following advantage: the mapper establishes a mapping between processes and access proxies, so each access proxy receives only the access requests generated by the processes mapped to it, and the access requests that different access proxies send out are issued in parallel with one another, that is, access requests generated by processes that correspond to different access proxies are executed in parallel. This increases the speed at which the virtual machine accesses the storage device and improves the performance of the virtual machine.
BRIEF DESCRIPTION OF THE DRAWINGS
To describe the technical solutions in the embodiments of the present invention more clearly, the drawings needed for describing the embodiments are briefly introduced below. Obviously, the drawings described below show only some embodiments of the present invention, and a person of ordinary skill in the art may derive other drawings from them without creative effort.
FIG. 1 is a schematic flowchart of a method according to an embodiment of the present invention;
FIG. 2A is a schematic structural diagram of a system according to an embodiment of the present invention;
FIG. 2B is a schematic structural diagram of a system according to an embodiment of the present invention;
FIG. 2C is a schematic structural diagram of a system according to an embodiment of the present invention;
FIG. 3 is a schematic structural diagram of a distributed block storage system according to an embodiment of the present invention;
FIG. 4 is a schematic structural diagram of a virtual disk controller according to an embodiment of the present invention;
FIG. 5 is a schematic structural diagram of an ABI design according to an embodiment of the present invention;
FIG. 6 is a schematic diagram of the internal structure of an access proxy according to an embodiment of the present invention;
FIG. 7 is a schematic diagram of an out-of-order access flow according to an embodiment of the present invention;
FIG. 8 is a schematic structural diagram of another virtual disk controller according to an embodiment of the present invention;
FIG. 9 is a schematic structural diagram of a system according to an embodiment of the present invention;
FIG. 10 is a schematic structural diagram of a system according to an embodiment of the present invention;
FIG. 11 is a schematic structural diagram of a system according to an embodiment of the present invention;
FIG. 12 is a schematic structural diagram of a system according to an embodiment of the present invention;
FIG. 13 is a schematic structural diagram of a system according to an embodiment of the present invention;
FIG. 14 is a schematic structural diagram of an access control apparatus according to an embodiment of the present invention.
DESCRIPTION OF EMBODIMENTS
To make the objectives, technical solutions and advantages of the present invention clearer, the present invention is described in further detail below with reference to the accompanying drawings. Obviously, the described embodiments are only some rather than all of the embodiments of the present invention. All other embodiments obtained by a person of ordinary skill in the art based on the embodiments of the present invention without creative effort fall within the protection scope of the present invention.
An embodiment of the present invention provides an access control method. As shown in FIG. 2A, FIG. 2B and FIG. 2C, the method is applied to a virtual machine access control system that includes at least one mapper and at least two access proxies. The mapper is configured to establish a mapping between a process and the access proxy that corresponds to that process. In this embodiment, different processes may be distinguished by a process identifier (ID) alone, or by the process ID together with a state identifier that indicates whether the process runs in system mode or user mode. Either way of distinguishing processes works with the embodiment; the latter is the preferred implementation. The virtual machine access control system is part of the hypervisor and manages the access of the processes running in the virtual machine to the data storage volume. As shown in FIG. 1, the method includes:
101: A first access proxy receives an access request generated by a process that has a mapping to the first access proxy, where the first access proxy is any access proxy in the virtual machine access control system;
102: The first access proxy sends the access request to the destination specified by the access request.
In the structural diagrams of FIG. 2A to FIG. 2C, the arrows point in the direction in which access requests are sent; access results travel in the opposite direction.
In this embodiment the mapper establishes a mapping between processes and access proxies, so each access proxy receives the access requests generated by the processes mapped to it, and the access requests that different access proxies send out are issued in parallel with one another, that is, access requests generated by processes that correspond to different access proxies are executed in parallel. This increases the speed at which the virtual machine accesses the storage device and improves the performance of the virtual machine.
In the embodiments of the present invention, the correspondence between access proxies and processes may be as follows: one access proxy corresponds to one process, or one access proxy corresponds to a set number of processes, where the set number is greater than 1 and is smaller for proxies that serve higher-priority processes.
FIG. 2A and FIG. 2C show one access proxy per process; FIG. 2B shows one access proxy per set number of processes. Viewed over the whole virtual machine access control system, in both FIG. 2A and FIG. 2B the access requests of different access proxies are handled in parallel; in FIG. 2A the access requests of different processes are also parallel.
In the embodiments of the present invention the number of mappers may be set arbitrarily. In one arrangement, the virtual machine access control system contains one mapper, and the virtual hardware interface of that mapper establishes a communication connection with every process managed by the system.
In another arrangement, the number of mappers equals the number of access proxies, and each mapper, driven by its own driver context, establishes a communication connection with a process;
establishing the mapping between a process and its access proxy then means that the mapper maps the process to be mapped, that is, the process that has established a communication connection with the mapper, onto the virtual hardware interface of the access proxy that corresponds to that process.
FIG. 2A and FIG. 2B contain only one mapper; FIG. 2C contains several. Several mappers are used because, with a single mapper, the access requests of all processes are first sent to that mapper and are serialized at its virtual hardware interface, where the lock protection on that interface may prevent the virtual machine access control system from reaching its maximum performance. The structure of FIG. 2C is therefore a preferred implementation.
The mapping between processes and access proxies may be fixed or configurable. If it is configurable, preliminary quality of service (QoS) management of the processes can be implemented through the configuration. Specifically, when the number of mappers equals the number of access proxies, mapping a process to the hardware interface of its access proxy includes:
the mapper receives configuration information and maps the process to be mapped to the hardware interface of the corresponding access proxy according to that configuration information.
An embodiment of the present invention further provides an optional implementation of the mapper's interface: the mapper contains an application binary interface (ABI), which includes a protocol standard ABI, a configuration interface ABI and at least two hardware interface ABIs;
the protocol standard ABI specifies the communication protocol used by the hardware interface ABIs and by the configuration interface ABI, and the configuration interface ABI receives configuration information.
In some operating systems the process ID spaces of system-mode and user-mode processes may overlap, that is, a system-mode process and a user-mode process may have the same process ID. To identify processes more accurately, an embodiment of the present invention also provides the following solution: a process carries a process ID and a state identifier that indicates whether the process runs in system mode or user mode; either processes with the same process ID are treated as one process, or only processes with the same process ID and the same state identifier are treated as one process. The latter identifies processes more accurately: under it, processes with the same process ID but different state identifiers are different processes.
An embodiment of the present invention further provides a solution in which access requests are buffered so that they can be managed. Before the first access proxy sends the access request to the destination specified by the request, the method further includes:
the first access proxy buffers the received access requests;
and sending the access request to the destination specified by the request includes:
the first access proxy sending the buffered access requests to the destination specified by each request in descending order of the priority of the process that generated the request, or, alternatively, in first-in first-out order.
The buffer may be a queue or any other buffering structure; this embodiment does not limit it. Buffering the access requests in the access proxy and then applying a sending policy implements QoS management of the processes.
Because more than one entity executes access requests in this embodiment, the embodiment also provides authentication by the access proxy. Before the first access proxy sends the access request to the destination specified by the request, the method further includes:
the first access proxy sends an authentication request to the destination specified by the access request and, after receiving permission information indicating that authentication succeeded, adds the permission information to the access request.
The following embodiments use a specific application scenario as an example to describe the embodiments of the present invention in more detail.
As shown in FIG. 3, a volume currently uses the logical structure of a distributed block storage system, also called a distributed block storage resource pool. The hardware of the pool consists mainly of multiple general-purpose servers. Each server has multiple physical hard disk drives (HDDs), and each physical disk, together with the daemon for that disk running on the server, forms a logical object storage device (OSD). A volume logically contains a large number of data blocks, each mapped to a corresponding OSD. After an access request generated by a process (Proc) reaches the controller of the VM, the VM sends the request to the data block in the volume, as shown by the dashed connections, or directly to the data block specified by the request.
This embodiment introduces, on the virtual machine side, a virtual disk controller based on a parallel architecture (the controller in FIG. 3) and a matching driver. These remove the single-point performance bottleneck on the virtual machine side so that multiple processes in the virtual machine can access multiple data blocks of one volume in parallel. In addition, an access policy control mechanism in the parallel virtual disk controller allows the volume read/write performance of each process to be controlled.
This embodiment is implemented mainly on the VM side. The following embodiments give two example implementations on the VM side; refer also to the structure of FIG. 3.
FIG. 4 shows the internal logical structure of the parallel virtual disk controller. In FIG. 4 the operating system is the guest operating system of the virtual machine, the hypervisor is the virtual machine's hypervisor, and the controller (the virtual disk controller) is implemented inside the hypervisor. Three processes (Proc0 to Proc2) are shown; each process is connected to a mapper driven by a driver context, each mapper is connected to a virtual hardware interface, each virtual hardware interface to an access proxy, and each access proxy to the storage system, for example the distributed block storage resource pool of FIG. 3.
In FIG. 4 the virtual disk controller on the virtual machine side uses a multi-process parallel structure in which the logical entity corresponding to each process is an access proxy. Access proxies and virtual hardware interfaces correspond one to one, and an access proxy interacts, through its own virtual hardware interface, with the mapper driven by a driver context in the guest operating system. Each process therefore has an independent logical channel. In the downstream direction an access request passes through the process, the mapper and the virtual hardware interface, and is finally forwarded by the access proxy to the destination specified by the request. Each process can thus access the distributed block storage resource pool through its own logical channel.
An administrator can configure the virtual hardware interfaces in the interface module, and the access proxies, through the management module of the virtual disk controller shown in FIG. 4. This configuration may be implemented in the manner of virtual hardware configuration and management, namely through accesses by the guest system inside the VM to virtual registers. The configuration may include the protocol to use, the port numbers used for communication and so on; this embodiment does not limit its content.
The controller driver module in the guest operating system reads the configuration through the configuration module. The configuration information it reads may include the number of virtual hardware interfaces and the starting hardware address of each. Driver contexts and virtual hardware interfaces must correspond: each driver context is told by the configuration module which virtual hardware interface to access. To that end the configuration module first reads the number of virtual hardware interfaces from the management module, which bounds the number of driver contexts that can be supported, and then assigns the starting address of a different virtual hardware interface to each driver context so that each context accesses its own interface.
In FIG. 4 the number of processes equals the number of access proxies, so each process can correspond to one access proxy. If there are fewer processes than access proxies, each process can still have its own proxy; if there are more processes than access proxies, several processes share one proxy. When the number of processes is at most the number of access proxies, all processes access the volume fully in parallel; when it is larger, the proxies still operate in parallel but the processes served by the same proxy are serialized.
To carry control commands and data between the driver contexts in the guest operating system and the virtual hardware interfaces of the interface module of the virtual disk controller in the hypervisor, this embodiment defines an application binary interface (ABI) for the virtual disk controller and develops the driver contexts against it. The ABI design, shown in FIG. 5, comprises a protocol standard ABI, a configuration interface ABI, and one ABI for each of virtual hardware interfaces 0 to N. Each interface ABI corresponds to a physical address range.
In this embodiment the ABI is forward compatible with the system architecture specification (currently, typically the Peripheral Component Interconnect Express (PCI-e) bus protocol), so that the operating system correctly recognizes the virtual hardware interfaces of the virtual disk controller, and it provides the controller driver module in the guest operating system with an interface ABI for reading and writing the configuration. A separate ABI for each virtual hardware interface allows the driver contexts of multiple processes to access multiple virtual hardware interface ABIs in parallel.
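The following is an added example, not code from the patent, illustrating the configuration flow described above: a constructed register-space layout for the three kinds of ABI of FIG. 5 (protocol standard, configuration interface, one region per virtual hardware interface) on the hypervisor side, and the guest-side driver that reads the interface count and starting addresses from the configuration ABI and binds one driver context per interface. The offsets, region sizes, the 4-byte protocol tag and the 64-bit address table are assumptions; the patent only states that each ABI occupies a physical address range. The practitioner's point is that both sides validate the other: the hypervisor bounds-checks every guest access against the advertised space, and the driver refuses a device that advertises more interfaces, or addresses, than its space can hold.

```python
import struct

# Assumed layout of the controller's register space (not from the patent).
PROTO_BASE, PROTO_SIZE = 0x0000, 0x100    # protocol standard ABI
CFG_BASE, CFG_SIZE = 0x0100, 0x100        # configuration interface ABI
IFACE_BASE, IFACE_SIZE = 0x1000, 0x1000   # interface i at IFACE_BASE + i * IFACE_SIZE
MAX_IFACES = (CFG_SIZE - 8) // 8          # the address table must fit after the 4-byte count


class VirtualDiskController:
    """Hypervisor side: a byte array standing in for the controller's registers.
    Every guest access is bounds-checked, because the guest is untrusted and a
    stray address must never reach host memory outside this window."""

    def __init__(self, n_ifaces, protocol=b"PCIE"):
        if not 1 <= n_ifaces <= MAX_IFACES:
            raise ValueError("unsupported interface count %d" % n_ifaces)
        self.mem = bytearray(IFACE_BASE + n_ifaces * IFACE_SIZE)
        self.mem[PROTO_BASE:PROTO_BASE + 4] = protocol[:4].ljust(4, b"\0")
        struct.pack_into("<I", self.mem, CFG_BASE, n_ifaces)
        for i in range(n_ifaces):   # 64-bit starting address of each interface ABI
            struct.pack_into("<Q", self.mem, CFG_BASE + 8 + 8 * i, IFACE_BASE + i * IFACE_SIZE)

    def _check(self, addr, n):
        if addr < 0 or n < 0 or addr + n > len(self.mem):
            raise ValueError("guest access [%#x, +%d) outside register space" % (addr, n))

    def read(self, addr, n):
        self._check(addr, n)
        return bytes(self.mem[addr:addr + n])

    def write(self, addr, data):
        self._check(addr, len(data))
        self.mem[addr:addr + len(data)] = data


class ControllerDriver:
    """Guest side: the controller driver module together with its configuration module."""

    def __init__(self, ctrl):
        self.ctrl = ctrl
        self.bases = []

    def probe(self):
        """Read the protocol tag and the interface table, rejecting a device that
        advertises too many interfaces, unreachable addresses or overlapping regions."""
        if self.ctrl.read(PROTO_BASE, 4) != b"PCIE":
            raise RuntimeError("unknown protocol standard ABI")
        n = struct.unpack_from("<I", self.ctrl.read(CFG_BASE, 4))[0]
        if n > MAX_IFACES:
            raise RuntimeError("device advertises %d interfaces, table holds %d" % (n, MAX_IFACES))
        bases = [struct.unpack_from("<Q", self.ctrl.read(CFG_BASE + 8 + 8 * i, 8))[0]
                 for i in range(n)]
        for b in bases:
            self.ctrl.read(b, IFACE_SIZE)   # raises if the whole region is not addressable
        if len(set(bases)) != n or any(abs(a - b) < IFACE_SIZE
                                       for a in bases for b in bases if a != b):
            raise RuntimeError("interface regions overlap")
        self.bases = bases
        return bases

    def bind_contexts(self, n_contexts):
        """Hand each driver context its own interface address; the count read from
        the configuration ABI is the hard limit on how many contexts can exist."""
        if n_contexts > len(self.bases):
            raise RuntimeError("only %d interfaces for %d driver contexts" % (len(self.bases), n_contexts))
        return {ctx: self.bases[ctx] for ctx in range(n_contexts)}


def demo(n_ifaces=3, n_contexts=3):
    """Probe a constructed controller and return the context -> interface base map."""
    drv = ControllerDriver(VirtualDiskController(n_ifaces))
    drv.probe()
    return drv.bind_contexts(n_contexts)
```

With three interfaces the driver binds contexts 0, 1 and 2 to 0x1000, 0x2000 and 0x3000; asking for a fourth context, or reading past the end of the advertised window, is refused rather than silently aliased onto another interface.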
In the implementation of the virtual disk controller the access proxy is the core structure. Its internal structure is shown in FIG. 6 and comprises the following parts:
Read/write queue: read and write requests received by the virtual hardware interface are placed in this queue. The requests are read and write tasks on data blocks, and the queue records the current state of each request it holds.
Configuration interface module: an interface module that receives the configuration information delivered by the management module and passes it to the modules that need it. The configuration information may include the access policy configuration, the cluster authentication configuration and so on.
Access policy module: determines, according to the access policy, the execution policy for the read and write requests in the queue, for example a first-in first-out (FIFO) policy or a priority control policy. The access policy may be determined from the access policy configuration received through the configuration interface.
There are usually two access policies: FIFO and priority scheduling. Under priority scheduling the I/O access requests of different processes are given different priorities, and the access policy module orders the accesses by priority value. How priority values are assigned is not limited; they are usually set directly by the system administrator. In this embodiment FIFO is the default, and priority scheduling can be selected by configuring the access policy module.
Cluster access authentication module: authenticates with the distributed storage resource pool on behalf of the access proxy. The flow may be as follows: the module sends an authentication request to the pool carrying the IP address of the storage cluster authentication module, a user name, a user password and so on. If the pool accepts the request, it returns permission information (for example a byte string that identifies the access identity and its rights) to the module, which then tells the cluster read/write module that it may start executing read and write requests against the pool. The module must pass the permission information to the cluster read/write module.
Cluster read/write module: after the cluster access authentication module has authenticated, executes the read and write requests in the queue according to the execution policy determined by the access policy module. Execution may consist of attaching the permission information to each read or write request and sending it to the distributed storage resource pool.
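The following is an added example, not code from the patent, showing one access proxy assembled from the parts listed above (read/write queue, configuration interface, access policy with FIFO and priority scheduling, cluster access authentication, cluster read/write module) together with a constructed stand-in for the distributed storage resource pool. It also serves the buffering and authentication steps described in the method section earlier on this page. The credential check, the permit format (an HMAC keyed by a pool secret over the proxy's address and user name, verified on every request) and the sample requests are assumptions; the patent only says the pool returns a byte string identifying the access identity and its rights. Binding the permit to the proxy's address means a permit copied from one proxy cannot be replayed from another, which is the check a practitioner wants once several proxies hold credentials.

```python
import hashlib
import hmac
import os
from collections import deque
from dataclasses import dataclass


@dataclass
class Request:
    rid: str
    pid: int
    op: str              # "read" or "write"
    block: int
    data: bytes = b""
    permit: bytes = b""  # filled in by the cluster read/write module
    addr: str = ""
    user: str = ""


class StoragePool:
    """Constructed stand-in for the distributed block storage resource pool."""

    def __init__(self, users):
        self.users = users          # user -> password (constructed sample)
        self.key = os.urandom(32)   # pool-side secret used to mint permits
        self.blocks = {}

    def _permit(self, addr, user):
        msg = ("%s|%s" % (addr, user)).encode()
        return hmac.new(self.key, msg, hashlib.sha256).digest()

    def authenticate(self, addr, user, password):
        # constant-time comparison: the credential check must not leak by timing
        if not hmac.compare_digest(self.users.get(user, ""), password):
            return None
        return self._permit(addr, user)

    def execute(self, req):
        # the permit is bound to (proxy address, user): a permit copied from another
        # proxy, or forged outright, is refused before any block is touched
        if not hmac.compare_digest(req.permit, self._permit(req.addr, req.user)):
            raise PermissionError("bad permit on request %s" % req.rid)
        if req.op == "write":
            self.blocks[req.block] = req.data
            return None
        return self.blocks.get(req.block, b"")


class AccessProxy:
    def __init__(self, addr):
        self.addr = addr
        self.queue = deque()        # read/write queue
        self.policy = "fifo"        # default policy per the description above
        self.priorities = {}        # pid -> priority; higher is sent first
        self.user = self.password = None
        self.permit = None

    def configure(self, cfg):       # configuration interface module
        self.policy = cfg.get("policy", self.policy)
        self.priorities.update(cfg.get("priorities", {}))
        self.user, self.password = cfg["user"], cfg["password"]

    def enqueue(self, req):
        self.queue.append(req)

    def authenticate(self, pool):   # cluster access authentication module
        self.permit = pool.authenticate(self.addr, self.user, self.password)
        return self.permit is not None

    def schedule(self):             # access policy module
        order = list(self.queue)
        if self.policy == "priority":   # sort is stable, so FIFO within one priority
            order.sort(key=lambda r: -self.priorities.get(r.pid, 0))
        return order

    def drain(self, pool):          # cluster read/write module
        if self.permit is None:
            raise PermissionError("proxy %s has not authenticated" % self.addr)
        results = []
        for req in self.schedule():
            req.permit, req.addr, req.user = self.permit, self.addr, self.user
            results.append((req.rid, pool.execute(req)))
        self.queue.clear()
        return results


def order_demo(policy):
    """Request ids in the order one proxy sends three constructed requests to the pool."""
    pool = StoragePool({"vm-proxy": "s3cret"})   # constructed credential
    proxy = AccessProxy("10.0.0.5")
    proxy.configure({"policy": policy, "priorities": {1: 1, 2: 5},
                     "user": "vm-proxy", "password": "s3cret"})
    for n, pid in ((1, 1), (2, 2), (3, 1)):
        proxy.enqueue(Request("r%d" % n, pid, "write", n, b"x"))
    if not proxy.authenticate(pool):
        raise RuntimeError("authentication failed")
    return [rid for rid, _ in proxy.drain(pool)]


def forged_permit_demo():
    """True if a permit minted for one proxy address is refused when presented from another."""
    pool = StoragePool({"vm-proxy": "s3cret"})
    permit = pool.authenticate("10.0.0.5", "vm-proxy", "s3cret")
    req = Request("x", 1, "read", 0, permit=permit, addr="10.0.0.6", user="vm-proxy")
    try:
        pool.execute(req)
        return False
    except PermissionError:
        return True
```

Under FIFO the three requests leave in arrival order; under priority scheduling the request from pid 2 (priority 5) is sent first and the two from pid 1 keep their relative order. A proxy that has not authenticated cannot drain its queue at all, and a permit presented from a different address fails the pool's check.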
Embodiments of the present invention can also solve the out-of-order problem that read and write operations from the same process on the same data block may cause. As shown in FIG. 7, Proc1 issues a write request followed by a read request, and the two are sent to different access proxies, access proxy A and access proxy B; the accesses may then be reordered and cause an error. The flow of FIG. 7 is as follows:
1. Process Proc1 generates a write request and a read request for the same data block, the write request first.
2. The data read operation of the read request is handled by access proxy A, and the data write operation of the write request by access proxy B. The read operation reaches the data block before the write operation.
As a result, the data returned to Proc1 is the old data from before the write, which is an error.
To address this out-of-order error, the structure of FIG. 4 introduces a mapping mechanism between processes and access proxies. By mapping all access requests from one process onto the same access proxy, the access operations of that process are serialized, which guarantees their correctness.
In addition, in some operating systems the process ID spaces of system-mode and user-mode processes may overlap, that is, a system-mode process and a user-mode process may have the same process ID. To identify a process uniquely when mapping, this embodiment needs the following information:
(1) whether the current access comes from system mode or user mode;
(2) the process ID of the current access.
Both can be obtained by the virtual disk driver through the guest operating system. The specific mapping mechanism and policy between processes and access proxies can be selected by configuration; the embodiments of the present invention do not limit how the mapping is done.
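The following is an added example, not code from the patent, covering the mapping rules described earlier on this page (configurable process-to-proxy mapping), the process identity discussion just above, and the FIG. 7 flow. The mapper keys a process by the (mode, pid) pair so that a system-mode and a user-mode process sharing a PID are kept apart, pins a process to a proxy from a configuration table or otherwise by a deterministic hash, and a small simulation replays the hazard: two proxies with different latencies, a write followed by a read of the same block from one process, first dealt round-robin and then routed through the mapper. Proxy latencies, the sample requests, the CRC-based hash and the table format are constructed assumptions.

```python
import zlib
from collections import deque
from enum import Enum


class Mode(Enum):
    SYSTEM = "system"   # access made in system (kernel) mode
    USER = "user"       # access made in user mode


class Mapper:
    def __init__(self, n_proxies, distinguish_mode=True, table=None):
        self.n = n_proxies
        self.distinguish_mode = distinguish_mode
        self.table = dict(table or {})   # configured pins: key -> proxy index

    def key(self, mode, pid):
        """PID alone is ambiguous where the system- and user-mode PID spaces
        overlap, so the preferred key is the (mode, pid) pair."""
        return (mode, pid) if self.distinguish_mode else pid

    def proxy_for(self, mode, pid):
        k = self.key(mode, pid)
        if k in self.table:
            idx = self.table[k]
            if not 0 <= idx < self.n:   # reject a configuration naming a proxy that does not exist
                raise ValueError("configured proxy %d does not exist" % idx)
            return idx
        # crc32 is stable across runs (hash() on strings and enums is not), so the
        # same process always lands on the same proxy
        return zlib.crc32(repr(k).encode()) % self.n


class Req:
    def __init__(self, seq, mode, pid, op, block, data=b""):
        self.seq, self.mode, self.pid = seq, mode, pid
        self.op, self.block, self.data = op, block, data


def run(requests, assign, latencies, blocks):
    """Each proxy is a FIFO with a fixed per-request latency; proxies work in
    parallel, so operations hit the block in completion-time order, not issue order."""
    queues = [deque() for _ in latencies]
    for r in requests:
        queues[assign(r)].append(r)
    events = []
    for i, q in enumerate(queues):
        t = 0
        for r in q:
            t += latencies[i]
            events.append((t, r.seq, r))
    reads = {}
    for _, _, r in sorted(events, key=lambda e: (e[0], e[1])):
        if r.op == "write":
            blocks[r.block] = r.data
        else:
            reads[r.seq] = blocks.get(r.block, b"")
    return reads


def sample_requests():
    """Constructed: Proc1 (user mode, pid 1) writes block 7 and then reads it back."""
    return [Req(0, Mode.USER, 1, "write", 7, b"new"), Req(1, Mode.USER, 1, "read", 7)]


def spread_demo():
    """Requests dealt round-robin over two proxies, the write landing on the slow one."""
    reads = run(sample_requests(), lambda r: r.seq % 2, [3, 1], {7: b"old"})
    return reads[1]


def pinned_demo():
    """Same requests routed through the mapper: both go to one proxy, in order."""
    mapper = Mapper(2)
    reads = run(sample_requests(), lambda r: mapper.proxy_for(r.mode, r.pid), [3, 1], {7: b"old"})
    return reads[1]
```

Dealt round-robin, the read completes on the fast proxy at time 1 while the write is still queued on the slow one until time 3, so Proc1 reads back the stale value; routed through the mapper, both requests share one FIFO and the read returns what was just written, whichever proxy the mapper chose.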
Moreover, in the structures of FIG. 4 and FIG. 6, applying access policy control separately to the read/write queues of the multiple access proxies implements QoS control of the read/write performance of different processes.
Relative to the structure of FIG. 4, the embodiments of the present invention also provide another optional implementation with a simplified architecture, applicable where the controller driver in the guest operating system cannot be replaced or cannot support multiple fully parallel driver contexts. The simplified architecture is shown in FIG. 8.
With the simplified architecture of FIG. 8, no modification is needed on the guest operating system side. Compared with FIG. 4, multiple processes connect to the mapper through the same virtual hardware interface, and the mapper maps each process to its access proxy. Although the processes' accesses to the controller are serialized, the controller's accesses to data blocks through multiple access proxies remain parallel, so volume access performance still improves. If the guest operating system does not protect the virtual hardware interface with a lock, the structure of FIG. 8 gives good results. If it does, the read and write requests of multiple processes lose performance through serialization at that interface; the structure of FIG. 4 removes that serialization so that the whole system runs in parallel and achieves the best read/write performance.
An embodiment of the present invention further provides a virtual machine access control system. As shown in FIG. 9A or FIG. 9B, it includes a virtual machine access control system 900, and the virtual machine access control system 900 includes at least one mapper 901 and at least two access agents 902;
the mapper 901 is configured to establish a mapping relationship between a process and the access agent 902 corresponding to the process;
each access agent 902 includes:
a receiving unit 9021, configured to receive an access request generated by a process that has a mapping relationship with the access agent 902;
a sending unit 9022, configured to send the access request to the destination end specified by the access request.
In this embodiment, the mapper establishes the mapping relationship between processes and access agents, so each access agent receives the access requests generated by its corresponding process, and the access requests sent out by the different access agents are parallel; that is, access requests generated by processes corresponding to different access agents are executed in parallel. Therefore, the speed at which the virtual machine accesses the storage device can be increased, and the performance of the virtual machine improved.
Optionally, in this embodiment of the present invention, the number of mappers may be set arbitrarily, specifically as follows: as shown in FIG. 9A, the virtual machine access control system 900 includes one mapper 901, and the virtual hardware interface of the mapper 901 establishes a communication connection with all processes managed by the virtual machine access control system 900.
Optionally, in this embodiment of the present invention, the number of mappers may be set arbitrarily, specifically as follows: as shown in FIG. 9B, the number of mappers 901 included in the virtual machine access control system 900 is the same as the number of access agents 902; each mapper 901, after being driven by its own driver context, establishes a communication connection with a process;
the mapper 901 is specifically configured to map a process to be mapped to the virtual hardware interface of the access agent 902 corresponding to the process to be mapped, where the process to be mapped is a process that has established a communication connection with the mapper 901.
The scheme with multiple mappers avoids the situation that arises with only one mapper: because the access requests of all processes are first sent to that single mapper, the access requests are serialized at that mapper's virtual hardware interface and may be limited by the protection of the virtual hardware interface, so that the virtual machine access control system cannot deliver its maximum performance. The structure shown in FIG. 9B can therefore serve as a preferred implementation.
The mapping relationship between processes and access agents may be fixed or configurable; if it is configurable, preliminary QoS management of each process can be achieved through configuration. Specifically, as shown in FIG. 10, the mapper 901 includes:
an information receiving unit 1001, configured to receive configuration information;
a mapping sub-unit 1002, configured to map a process to be mapped to the virtual hardware interface of the access agent 902 corresponding to the process to be mapped, according to the configuration information received by the information receiving unit 1001.
An embodiment of the present invention further provides an optional implementation of the mapper's interfaces, specifically as follows. Optionally, as shown in FIG. 11, the mapper 901 includes an application binary interface (ABI); the ABI includes a protocol standard ABI, a configuration interface ABI, and at least two hardware interface ABIs; the protocol standard ABI is used to specify the communication protocol used by the at least two hardware interface ABIs and the configuration interface ABI;
the configuration interface ABI is configured to receive configuration information.
Because in some operating systems the process ID spaces of system-state and user-state processes may overlap, that is, a system-state process and a user-state process may have the same process ID, an embodiment of the present invention further provides the following solution for identifying processes more accurately: further, the process includes a process identifier (ID) and a state flag indicating whether the process belongs to the system state or the user state;
the mapper 901 is further configured to determine that processes having the same process ID but different state flags are different processes, or to determine that processes having the same process ID are one process.
Further, an embodiment of the present invention provides a technical solution that manages access requests by caching them, as follows: as shown in FIG. 12, the access agent 902 further includes:
a cache unit 1201, configured to cache the received access request before the sending unit 9022 sends the access request to the destination end specified by the access request;
the sending unit 9022 is specifically configured to send the cached access requests to the destination ends specified by the access requests in descending order of the priority of the processes that generated them, or to send the cached access requests to the destination ends specified by the access requests on a first-in-first-out basis.
In this embodiment of the present invention, the specific caching method may be a cache queue or another caching method; this embodiment does not restrict it. By caching access requests in the access agent and then applying a sending policy to the access requests, QoS management of the processes can be achieved.
Further, because in this embodiment more than one entity executes access requests, this embodiment also provides an implementation in which the access agent performs authentication, specifically as follows: as shown in FIG. 13, the access agent 902 further includes:
an authentication unit 1301, configured to send an authentication request to the destination end specified by the access request before the sending unit 9022 sends the access request to that destination end;
an adding unit 1302, configured to add permission information to the access request after receiving the permission information indicating that authentication succeeded.
Optionally, in this embodiment of the present invention, the correspondence between access agents and processes may be as follows: the mapper 901 is specifically configured to map one process to one access agent 902, or to map a set number of processes to one access agent 902, where the higher the priority of the processes, the smaller the set number, and the set number is greater than 1.
An embodiment of the present invention further provides a virtual machine access control device, applied to a virtual machine access control system. As shown in FIG. 14, it includes a processor 1401 and a memory 1402, where the memory 1402 may be used to buffer data generated by the processor 1401 during data processing or data needed during data processing;
the processor 1401 is configured to construct the virtual machine access control system, which includes at least one mapper and at least two access agents, where the mapper is used to establish a mapping relationship between a process and the access agent corresponding to the process; a first access agent receives an access request generated by a process that has a mapping relationship with the first access agent, the first access agent being any access agent in the virtual machine access control system; and the first access agent sends the access request to the destination end specified by the access request.
In this embodiment, the mapper establishes the mapping relationship between processes and access agents, so each access agent receives the access requests generated by its corresponding process, and the access requests sent out by the different access agents are parallel; that is, access requests generated by processes corresponding to different access agents are executed in parallel. Therefore, the speed at which the virtual machine accesses the storage device can be increased, and the performance of the virtual machine improved.
In this embodiment of the present invention, the correspondence between access agents and processes may be as follows: one access agent corresponds to one process, or one access agent corresponds to a set number of processes, where the higher the priority of the processes, the smaller the set number, and the set number is greater than 1.
In this embodiment of the present invention, the number of mappers may be set arbitrarily, specifically as follows: the virtual machine access control system includes one mapper, and the virtual hardware interface of the mapper establishes a communication connection with all processes managed by the virtual machine access control system.
In this embodiment of the present invention, the number of mappers may be set arbitrarily, specifically as follows: the number of mappers included in the virtual machine access control system is the same as the number of access agents; each mapper, after being driven by its own driver context, establishes a communication connection with a process;
that the mapper in the virtual machine access control system constructed by the processor 1401 establishes a mapping relationship between a process and the access agent corresponding to the process includes: the mapper maps a process to be mapped to the virtual hardware interface of the access agent corresponding to the process to be mapped, where the process to be mapped is a process that has established a communication connection with the mapper.
The scheme with multiple mappers avoids the situation that arises with only one mapper: because the access requests of all processes are first sent to that single mapper, the access requests are serialized at that mapper's virtual hardware interface and may be limited by the protection of the virtual hardware interface, so that the access control system cannot deliver its maximum performance. A virtual machine structure with multiple mappers can therefore serve as a preferred implementation.
The mapping relationship between processes and access agents may be fixed or configurable; if it is configurable, preliminary QoS management of each process can be achieved through configuration. Specifically, if the number of mappers is the same as the number of access agents, that the mapper in the virtual machine constructed by the processor 1401 maps a process to be mapped to the hardware interface of the access agent corresponding to the process to be mapped includes: receiving configuration information, and mapping the process to be mapped to the virtual hardware interface of the access agent corresponding to the process to be mapped according to the configuration information.
An embodiment of the present invention further provides an optional implementation of the mapper's interfaces, specifically as follows: the mapper includes an application binary interface (ABI); the ABI includes a protocol standard ABI, a configuration interface ABI, and at least two hardware interface ABIs; the protocol standard ABI is used to specify the communication protocol used by the at least two hardware interface ABIs and the configuration interface ABI; and the configuration interface ABI is used to receive configuration information.
An embodiment of the present invention further provides a technical solution that manages access requests by caching them, as follows: in the virtual machine access control system constructed by the processor 1401, before the first access agent sends the access request to the destination end specified by the access request, the first access agent caches the received access request; and that the first access agent sends the access request to the destination end specified by the access request includes: the first access agent sends the cached access requests to the destination ends specified by the access requests in descending order of the priority of the processes that generated them, or the first access agent sends the cached access requests to the destination ends specified by the access requests on a first-in-first-out basis.
The specific caching method may be a cache queue or another caching method; this embodiment does not restrict it. By caching access requests in the access agent and then applying a sending policy to the access requests, QoS management of the processes can be achieved.
Because in this embodiment more than one entity executes access requests, this embodiment also provides an implementation in which the access agent performs authentication, specifically as follows: in the virtual machine access control system constructed by the processor 1401, before the first access agent sends the access request to the destination end specified by the access request, the first access agent sends an authentication request to the destination end specified by the access request, and, after receiving permission information indicating that authentication succeeded, adds the permission information to the access request.
The above embodiments can support parallel access to a single volume by multiple processes within a single virtual machine, thereby significantly increasing the virtual machine's access bandwidth to the volume. They can also support QoS management of process-level access for multiple processes within a single virtual machine.
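As an added illustration that is not code from the patent, the following Python simulation models the mapper and access-agent scheme described for the system of FIG. 9 to FIG. 13 and repeated for the device of FIG. 14: a mapper that distinguishes same-PID processes by their state flag and gives higher-priority processes a smaller share of an agent, access agents that accept requests only from their mapped processes, cache them, and send them FIFO or by priority, and a destination end that must authenticate the agent before a request carrying the permission information is executed. All class names, the permit format, the priority convention and the sample processes and requests are constructed assumptions.

```python
from collections import deque
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Process:
    pid: int
    mode: str      # state flag: "user" or "system" (kernel) state
    priority: int  # larger value = higher priority (assumed convention)

@dataclass
class AccessRequest:
    origin: Process
    op: str           # "read" or "write"
    lba: int          # block address on the volume (constructed sample values)
    destination: str  # destination end named by the request
    permit: Optional[str] = None  # permission information added after authentication

class Destination:
    """Toy destination end (e.g. a volume server) that authenticates agents and
    executes only requests carrying a permit it issued."""
    def __init__(self, name, trusted_agents):
        self.name, self.trusted, self.executed = name, set(trusted_agents), []
    def authenticate(self, agent_name):  # constructed permit format
        return f"permit:{self.name}:{agent_name}" if agent_name in self.trusted else None
    def execute(self, agent_name, req):
        if req.permit != f"permit:{self.name}:{agent_name}":
            return False
        self.executed.append((agent_name, req.op, req.lba))
        return True

class AccessAgent:
    """Accepts requests only from its mapped processes, caches them, and sends
    them in FIFO order or by descending process priority."""
    def __init__(self, name, policy="fifo"):
        assert policy in ("fifo", "priority")
        self.name, self.policy, self.mapped, self.queue = name, policy, [], deque()
    def receive(self, req):  # receiving unit + cache unit
        if req.origin not in self.mapped:
            raise PermissionError(f"{req.origin} is not mapped to {self.name}")
        self.queue.append(req)
    def flush(self, dests):
        """Sending unit: returns (op, lba, accepted) in the order sent."""
        pending, self.queue = list(self.queue), deque()
        if self.policy == "priority":  # stable sort keeps FIFO within one level
            pending.sort(key=lambda r: -r.origin.priority)
        results = []
        for req in pending:
            dest = dests[req.destination]
            req.permit = dest.authenticate(self.name)  # authentication + adding unit
            ok = req.permit is not None and dest.execute(self.name, req)
            results.append((req.op, req.lba, ok))
        return results

class Mapper:
    """Maps each process to one access agent. With distinguish_mode=True a
    system-state and a user-state process sharing a PID are distinct processes."""
    def __init__(self, agents, share_limit=2, dedicated_from=5, distinguish_mode=True):
        assert len(agents) >= 2 and share_limit > 1
        self.agents, self.table = list(agents), {}
        self.share_limit, self.dedicated_from = share_limit, dedicated_from
        self.distinguish_mode = distinguish_mode
    def key(self, proc):
        return (proc.pid, proc.mode) if self.distinguish_mode else proc.pid
    def limit(self, proc):
        # Higher priority => fewer processes share an agent; from dedicated_from
        # upwards the process gets an access agent to itself.
        return 1 if proc.priority >= self.dedicated_from else self.share_limit
    def map_process(self, proc):
        k = self.key(proc)
        if k not in self.table:
            lim = self.limit(proc)
            free = [a for a in self.agents if len(a.mapped) < lim
                    and all(self.limit(p) == lim for p in a.mapped)]
            if not free:
                raise RuntimeError(f"no access agent free for {k}")
            self.table[k] = min(free, key=lambda a: len(a.mapped))
        agent = self.table[k]
        if proc not in agent.mapped:
            agent.mapped.append(proc)
        return agent

def demo():
    """Constructed scenario: a dedicated high-priority process on agent-1 and
    two same-PID processes (user and system state) sharing agent-2."""
    a1, a2 = AccessAgent("agent-1", "fifo"), AccessAgent("agent-2", "priority")
    mapper = Mapper([a1, a2])
    dests = {"vol-0": Destination("vol-0", ["agent-1", "agent-2"]),
             "vol-1": Destination("vol-1", ["agent-1"])}  # does not trust agent-2
    db = Process(100, "user", priority=7)
    log_u, log_k = Process(200, "user", 2), Process(200, "system", 3)
    for p in (db, log_u, log_k):
        mapper.map_process(p)
    a1.receive(AccessRequest(db, "write", 20, "vol-0"))
    a1.receive(AccessRequest(db, "read", 21, "vol-0"))
    a2.receive(AccessRequest(log_u, "write", 10, "vol-0"))
    a2.receive(AccessRequest(log_k, "read", 11, "vol-0"))
    a2.receive(AccessRequest(log_u, "read", 12, "vol-1"))  # agent-2 fails authentication
    return {"mapper": mapper, "agent-1": a1.flush(dests),
            "agent-2": a2.flush(dests), "executed": dests["vol-0"].executed}
```

Running `demo()` shows the priority agent reordering the system-state process ahead of the user-state one with the same PID, and the request to the destination that does not trust agent-2 being refused before it is sent.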
A person skilled in the art can clearly understand that, for convenience and brevity of description, the specific working processes of the system, apparatus and units described above may refer to the corresponding processes in the foregoing method embodiments and are not repeated here.
In the several embodiments provided in the present application, it should be understood that the disclosed system, apparatus and method may be implemented in other manners. For example, the apparatus embodiments described above are merely illustrative; for instance, the division into units is only a logical functional division, and there may be other divisions in actual implementation: multiple units or components may be combined or integrated into another system, or some features may be omitted or not performed. In addition, the mutual couplings, direct couplings or communication connections shown or discussed may be indirect couplings or communication connections through some interfaces, apparatuses or units, and may be electrical, mechanical or in other forms.
The units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units; that is, they may be located in one place or distributed over multiple network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, the functional units in the embodiments of the present invention may be integrated into one processing unit, or each unit may exist physically on its own, or two or more units may be integrated into one unit. The integrated unit may be implemented in the form of hardware or in the form of a software functional unit.
If the integrated unit is implemented in the form of a software functional unit and sold or used as an independent product, it may be stored in a computer-readable storage medium. Based on this understanding, the technical solution of the present invention, in essence or the part contributing to the prior art, or all or part of the technical solution, may be embodied in the form of a software product stored in a storage medium and including several instructions for causing a computer device (which may be a personal computer, a server, a network device or the like) to perform all or some of the steps of the methods described in the embodiments of the present invention. The foregoing storage medium includes any medium that can store program code, such as a USB flash drive, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk or an optical disc.
The above embodiments are merely intended to illustrate the technical solutions of the present invention, not to limit them. Although the present invention has been described in detail with reference to the foregoing embodiments, a person of ordinary skill in the art should understand that the technical solutions recorded in the foregoing embodiments may still be modified, or some of their technical features replaced by equivalents, without such modifications or replacements causing the essence of the corresponding technical solutions to depart from the spirit and scope of the technical solutions of the embodiments of the present invention.

Claims (16)

  1. An access control method, characterized in that the method is applied to a virtual machine access control system, the virtual machine access control system comprising at least one mapper and at least two access agents, the mapper being used to establish a mapping relationship between a process and the access agent corresponding to the process, and the method comprising:
    a first access agent receiving an access request generated by a process that has a mapping relationship with the first access agent, the first access agent being any access agent in the virtual machine access control system;
    the first access agent sending the access request to the destination end specified by the access request.
  2. The method according to claim 1, characterized in that
    the virtual machine access control system comprises one mapper; and the virtual hardware interface of the mapper establishes a communication connection with all processes managed by the virtual machine access control system.
  3. The method according to claim 1, characterized in that
    the number of mappers comprised in the virtual machine access control system is the same as the number of access agents;
    the mapper, after being driven by the driver context of the mapper, establishes a communication connection with a process; and the mapper being used to establish a mapping relationship between a process and the access agent corresponding to the process comprises: the mapper mapping a process to be mapped to the virtual hardware interface of the access agent corresponding to the process to be mapped, the process to be mapped being a process that has established a communication connection with the mapper.
  4. The method according to claim 3, characterized in that the mapper mapping a process to be mapped to the virtual hardware interface of the access agent corresponding to the process to be mapped comprises:
    the mapper receiving configuration information, and mapping the process to be mapped to the virtual hardware interface of the access agent corresponding to the process to be mapped according to the configuration information.
  5. The method according to claim 2 or 3, characterized in that the mapper comprises an application binary interface (ABI); the ABI comprises a protocol standard ABI, a configuration interface ABI, and at least two hardware interface ABIs;
    the protocol standard ABI is used to specify the communication protocol used by the at least two hardware interface ABIs and the configuration interface ABI; and the configuration interface ABI is used to receive configuration information.
  6. The method according to any one of claims 1 to 4, characterized in that
    the process comprises a process identifier (ID) and a state flag identifying whether the process belongs to the system state or the user state; and processes having the same process ID are one process, or processes having the same process ID and the same state flag are one process.
  7. The method according to any one of claims 1 to 4, characterized in that, before the first access agent sends the access request to the destination end specified by the access request, the method further comprises:
    the first access agent caching the received access request;
    and the first access agent sending the access request to the destination end specified by the access request comprises:
    the first access agent sending the cached access requests to the destination ends specified by the access requests in descending order of the priority of the processes that generated them; or the first access agent sending the cached access requests to the destination ends specified by the access requests on a first-in-first-out basis.
  8. The method according to any one of claims 1 to 4, characterized in that, before the first access agent sends the access request to the destination end specified by the access request, the method further comprises:
    the first access agent sending an authentication request to the destination end specified by the access request, and, after receiving permission information indicating that authentication succeeded, adding the permission information to the access request.
  9. A virtual machine access control system, characterized in that the virtual machine access control system comprises at least one mapper and at least two access agents;
    the mapper is configured to establish a mapping relationship between a process and the access agent corresponding to the process;
    each of the at least two access agents comprises:
    a receiving unit, configured to receive an access request generated by a process that has a mapping relationship with the access agent;
    a sending unit, configured to send the access request to the destination end specified by the access request.
  10. The system according to claim 9, characterized in that
    the virtual machine access control system comprises one mapper; and the virtual hardware interface of the mapper establishes a communication connection with all processes managed by the virtual machine access control system.
  11. The system according to claim 9, characterized in that
    the number of mappers comprised in the virtual machine access control system is the same as the number of access agents; and the mapper, after being driven by the driver context of the mapper, establishes a communication connection with a process;
    the mapper is specifically configured to map a process to be mapped to the virtual hardware interface of the access agent corresponding to the process to be mapped, the process to be mapped being a process that has established a communication connection with the mapper.
  12. The system according to claim 11, characterized in that the mapper comprises:
    an information receiving unit, configured to receive configuration information;
    a mapping sub-unit, configured to map a process to be mapped to the virtual hardware interface of the access agent corresponding to the process to be mapped according to the configuration information received by the information receiving unit.
  13. The system according to claims 10 to 12, characterized in that the mapper comprises an application binary interface (ABI); the ABI comprises a protocol standard ABI, a configuration interface ABI, and at least two hardware interface ABIs; the protocol standard ABI is used to specify the communication protocol used by the at least two hardware interface ABIs and the configuration interface ABI;
    the configuration interface ABI is configured to receive configuration information.
  14. The system according to any one of claims 10 to 12, characterized in that the process comprises a process identifier (ID) and a state flag identifying whether the process belongs to the system state or the user state;
    the mapper is further configured to determine that processes having the same process ID but different state flags are different processes, or to determine that processes having the same process ID are one process.
  15. The system according to any one of claims 10 to 12, characterized in that the access agent further comprises:
    a cache unit, configured to cache the received access request before the sending unit sends the access request to the destination end specified by the access request;
    the sending unit is specifically configured to send the cached access requests to the destination ends specified by the access requests in descending order of the priority of the processes that generated them, or to send the cached access requests to the destination ends specified by the access requests on a first-in-first-out basis.
  16. The system according to any one of claims 10 to 12, characterized in that the access agent further comprises:
    an authentication unit, configured to send an authentication request to the destination end specified by the access request before the sending unit sends the access request to that destination end;
    an adding unit, configured to add permission information to the access request after receiving the permission information indicating that authentication succeeded.
PCT/CN2015/097177 2014-12-17 2015-12-11 Virtual machine access control method and virtual machine access control system WO2016095762A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201410788273.7 2014-12-17
CN201410788273.7A CN104731635B (en) 2014-12-17 2014-12-17 Virtual machine access control method and virtual machine access control system

Publications (1)

Publication Number Publication Date
WO2016095762A1 (en) 2016-06-23

Family

ID=53455554

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2015/097177 WO2016095762A1 (en) 2014-12-17 2015-12-11 Virtual machine access control method and virtual machine access control system

Country Status (2)

Country Link
CN (1) CN104731635B (en)
WO (1) WO2016095762A1 (en)

Families Citing this family (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104731635B (en) * 2014-12-17 2018-10-19 华为技术有限公司 Virtual machine access control method and virtual machine access control system
US9891945B2 (en) * 2016-03-21 2018-02-13 Qualcomm Incorporated Storage resource management in virtualized environments
CN107395765B (en) * 2017-08-31 2020-09-22 苏州浪潮智能科技有限公司 Distributed file system, network communication method, platform and creation method thereof
CN109753341A (en) * 2017-11-07 2019-05-14 龙芯中科技术有限公司 The creation method and device of virtual interface
CN107682460B (en) * 2017-11-21 2021-01-12 苏州浪潮智能科技有限公司 Distributed storage cluster data communication method and system
CN109445925B (en) * 2018-11-09 2022-02-18 郑州云海信息技术有限公司 Application program takeover method, device and system
CN113596009B (en) * 2021-07-23 2023-03-24 中国联合网络通信集团有限公司 Zero trust access method, system, zero trust security proxy, terminal and medium
CN115277236B (en) * 2022-08-01 2023-08-18 福建天晴在线互动科技有限公司 Method and system for carrying out request analysis on domain name

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2011109305A1 (en) * 2010-03-01 2011-09-09 Sonics, Inc. Various methods and apparatuses for optimizing concurrency in multiple core systems
CN102281169A (en) * 2011-06-29 2011-12-14 广州市弘宇科技有限公司 Cable tunnel monitoring link method based on photoelectric composite cable and monitoring system thereof
CN103118124A (en) * 2013-02-22 2013-05-22 桂林电子科技大学 Cloud computing load balancing method based on layering multiple agents
CN104731635A (en) * 2014-12-17 2015-06-24 华为技术有限公司 Virtual machine access control method and virtual machine access control system

Family Cites Families (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7930487B1 (en) * 2007-09-13 2011-04-19 Emc Corporation System and method for providing access control to raw shared devices
CN101477474A (en) * 2009-01-04 2009-07-08 中国科学院计算技术研究所 Combined simulation system and its operation method
US9575786B2 (en) * 2009-01-06 2017-02-21 Dell Products L.P. System and method for raw device mapping in traditional NAS subsystems
CN102053800A (en) * 2010-11-26 2011-05-11 华为技术有限公司 Data access method, message receiving resolver and system
CN102281161B (en) * 2011-09-15 2014-04-16 浙江大学 Multi-agent virtual private network (VPN) tunnel concurrent testing system and multi-agent load balancing method
CN102360310B (en) * 2011-09-28 2014-03-26 中国电子科技集团公司第二十八研究所 Multitask process monitoring method in distributed system environment
JP6070355B2 (en) * 2013-03-28 2017-02-01 富士通株式会社 Virtual machine control program, virtual machine control method, virtual machine control device, and cloud system

Also Published As

Publication number Publication date
CN104731635B (en) 2018-10-19
CN104731635A (en) 2015-06-24

Legal Events

Date Code Title Description
121 Ep: the EPO has been informed by WIPO that EP was designated in this application (Ref document number: 15869269; Country of ref document: EP; Kind code of ref document: A1)
NENP Non-entry into the national phase (Ref country code: DE)
122 Ep: PCT application non-entry in European phase (Ref document number: 15869269; Country of ref document: EP; Kind code of ref document: A1)