CN105550576A - Communication method and device between containers - Google Patents

Info

Publication number: CN105550576A
Authority: CN (China)
Prior art keywords: container, communication, file, host, authentication request
Legal status: Granted
Application number: CN201510919506.7A
Other languages: Chinese (zh)
Other versions: CN105550576B (en)
Inventors: 修剑锋, 叶磊, 于浩
Current assignee: Huawei Technologies Co Ltd; Huawei Technologies Service Co Ltd
Original assignee: Huawei Technologies Service Co Ltd
Application filed by: Huawei Technologies Service Co Ltd
Priority: CN201510919506.7A (granted as CN105550576B); PCT/CN2016/107228 (WO2017097116A1)
Publications: CN105550576A (application), CN105550576B (grant)

Classifications

    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00: Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50: Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/52: Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity; Preventing unwanted data erasure; Buffer overflow
    • G06F21/53: Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity; Preventing unwanted data erasure; Buffer overflow by executing in a restricted environment, e.g. sandbox or secure virtual machine
    • G06F9/00: Arrangements for program control, e.g. control units
    • G06F9/06: Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/46: Multiprogramming arrangements
    • G06F9/54: Interprogram communication
    • G06F9/545: Interprogram communication where tasks reside in different layers, e.g. user- and kernel-space
    • G06F2209/00: Indexing scheme relating to G06F9/00
    • G06F2209/54: Indexing scheme relating to G06F9/54
    • G06F2209/543: Local
    • G06F2221/00: Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/03: Indexing scheme relating to G06F21/50, monitoring users, programs or devices to maintain the integrity of platforms
    • G06F2221/033: Test or assess software

Abstract

Embodiments of the invention provide a method and device for communication between containers. The method comprises the following steps: receiving an authentication request sent by a first container and used for requesting communication with a second container, wherein the first container and the second container are located on the same host, and a shared directory of the host is mounted in both the first container and the second container; generating a communication file under the shared directory of the host according to the authentication request, wherein the communication file comprises the communication resources of the first container and the second container; and sending the file information of the communication file to the first container and the second container, so that the first container and the second container locate the communication file under the shared directory of the host according to the file information and communicate according to the communication file. Two mutually isolated containers can therefore communicate.

Description

Method and apparatus for communication between containers
Technical field
The present invention relates to the field of communications, and more specifically to a method and apparatus for communication between containers.
Background
A container is a lightweight, operating-system-level virtualization technology. The technologies it relies on underneath, Linux namespaces (Namespace) and Linux control groups (Control Group, CGroup), are entirely kernel features with no intermediate-layer overhead, so resource utilization is high and performance is close to that of a physical machine.
Linux Namespace is an operating-system-level virtualization technique that provides a resource isolation scheme. System resources such as the Unix Timesharing System (UTS), inter-process communication (IPC), the file system (MOUNT) and process identifiers (PID) are no longer global but belong to a specific namespace, and the resources inside each namespace are transparent (not visible) to other namespaces.
A container is similar to a virtual machine: it is a software sandbox, a security mechanism that mainly provides an isolated environment for running programs and strictly controls the resources that a program in the container can access. The Linux Namespaces mechanism provides a good basis for container-based virtualization. Containers use this feature to isolate resources, so processes in different containers belong to different namespaces, are transparent to one another, and do not interfere with one another.
Summary of the invention
Embodiments of the present invention provide a method and apparatus for communication between containers that enable two mutually isolated containers to communicate.
According to a first aspect, a method for communication between containers is provided. The method includes: receiving an authentication request sent by a first container and used for requesting communication with a second container, where the first container and the second container are located on the same host and both mount a shared directory of the host; generating, according to the authentication request, a communication file under the shared directory of the host, where the communication file includes the communication resources used by the first container and the second container to communicate; and sending the file information of the communication file to the first container and the second container, so that the first container and the second container locate the communication file under the shared directory of the host according to the file information and communicate according to the communication file.
In the method for communication between containers according to the embodiments of the present invention, an authentication module receives an authentication request sent by a first container for requesting communication with a second container, where the first container and the second container are located on the same host and both mount a shared directory of the host; generates, according to the authentication request, a communication file that includes the communication resources of the first container and the second container; and sends the file information of the communication file to the first container and the second container. This enables two mutually isolated containers to communicate.
With reference to the first aspect, in a first possible implementation of the first aspect, before the communication file is generated under the shared directory of the host according to the authentication request, the method further includes: determining, according to the authentication request, whether the first container and the second container are in a preset trusted container list, where the authentication request carries the identifier of the first container and the identifier of the second container; and if the first container and the second container are both in the preset trusted container list, determining that the first container and the second container have permission to communicate.
With reference to the first aspect or the first possible implementation of the first aspect, in a second possible implementation of the first aspect, generating the communication file under the shared directory of the host according to the authentication request includes: determining, according to the authentication request, the communication mode of the first container and the second container; and generating the communication file according to the communication mode.
Optionally, the authentication request may include the identifier of the first container and the identifier of the second container, and may further include the communication mode used by the first container and the second container.
With reference to the second possible implementation of the first aspect, in a third possible implementation of the first aspect, generating the communication file according to the communication mode includes: if it is determined that the first container and the second container use Unix domain socket communication, generating a socket file, where the socket file describes the socket provided for communication between the first container and the second container; and/or if it is determined that the first container and the second container use shared memory communication, generating a shared memory file, where the shared memory file is used to provide, in the memory of the host, shared memory for communication between the first container and the second container.
In the method for communication between containers according to the embodiments of the present invention, when the first container and the second container communicate over a Unix domain socket, communication is fast and security is good; when the first container and the second container communicate through shared memory, communication performance is good and quality is high.
According to a second aspect, another method for communication between containers is provided. The method includes: receiving file information of a communication file sent by an authentication module of a host, where the communication file includes the communication resources used by a first container and a second container to communicate, the first container and the second container both mount a shared directory of the host, and the communication file is located under the shared directory of the host; locating, by the first container, the communication file under the shared directory of the host according to the file information of the communication file; and communicating, by the first container, with the second container according to the communication file.
With reference to the second aspect, in a first possible implementation of the second aspect, before the file information of the communication file sent by the authentication module of the host is received, the method further includes: sending, by the first container, an authentication request to the authentication module, where the authentication request is used for requesting communication with the second container, and the first container and the second container are both located on the host.
With reference to the first possible implementation of the second aspect, in a second possible implementation of the second aspect, the authentication request carries the communication mode of the first container and the second container.
Optionally, the communication mode between the first container and the second container may be set in advance by the user.
With reference to the second aspect or the first or second possible implementation of the second aspect, in a third possible implementation of the second aspect, the communication file includes a socket file and/or a shared memory file, where the socket file describes the socket provided for communication between the first container and the second container, and the shared memory file is used to provide, in the memory of the host, shared memory for communication between the first container and the second container.
According to a third aspect, an apparatus for communication between containers is provided, configured to perform the method in the first aspect or any possible implementation of the first aspect. Specifically, the apparatus includes units for performing the method in the first aspect or any possible implementation of the first aspect.
According to a fourth aspect, an apparatus for communication between containers is provided, configured to perform the method in the second aspect or any possible implementation of the second aspect. Specifically, the apparatus includes units for performing the method in the second aspect or any possible implementation of the second aspect.
According to a fifth aspect, an apparatus for communication between containers is provided. The apparatus includes a receiver, a transmitter, a memory, a processor and a bus system. The receiver, the transmitter, the memory and the processor are connected by the bus system; the memory is configured to store instructions; and the processor is configured to execute the instructions stored in the memory, to control the receiver to receive signals and the transmitter to send signals. When the processor executes the instructions stored in the memory, the execution causes the processor to perform the method in the first aspect or any possible implementation of the first aspect.
According to a sixth aspect, an apparatus for communication between containers is provided. The apparatus includes a receiver, a transmitter, a memory, a processor and a bus system. The receiver, the transmitter, the memory and the processor are connected by the bus system; the memory is configured to store instructions; and the processor is configured to execute the instructions stored in the memory, to control the receiver to receive signals and the transmitter to send signals. When the processor executes the instructions stored in the memory, the execution causes the processor to perform the method in the second aspect or any possible implementation of the second aspect.
According to a seventh aspect, a computer-readable medium is provided for storing a computer program, where the computer program includes instructions for performing the method in the first aspect or any possible implementation of the first aspect.
According to an eighth aspect, a computer-readable medium is provided for storing a computer program, where the computer program includes instructions for performing the method in the second aspect or any possible implementation of the second aspect.
Brief description of the drawings
To describe the technical solutions of the embodiments of the present invention more clearly, the accompanying drawings required by the embodiments are briefly introduced below. The drawings described below are only some embodiments of the present invention, and a person of ordinary skill in the art can derive other drawings from them without creative effort.
Fig. 1 is a schematic diagram of a Linux system to which the embodiments of the present invention are applied.
Fig. 2 is a schematic flowchart of a method for communication between containers provided by an embodiment of the present invention.
Fig. 3 is a schematic flowchart of another method for communication between containers provided by an embodiment of the present invention.
Fig. 4 is a schematic flowchart of another method for communication between containers provided by an embodiment of the present invention.
Fig. 5 is a schematic block diagram of an apparatus for communication between containers provided by an embodiment of the present invention.
Fig. 6 is a schematic block diagram of another apparatus for communication between containers provided by an embodiment of the present invention.
Fig. 7 is a schematic block diagram of another apparatus for communication between containers provided by an embodiment of the present invention.
Fig. 8 is a schematic block diagram of another apparatus for communication between containers provided by an embodiment of the present invention.
Detailed description of the embodiments
The embodiments of the present invention are described below with reference to the accompanying drawings.
Fig. 1 is a schematic diagram of a Linux system 100 to which the embodiments of the present invention are applied. The Linux system may include an authentication module and multiple containers. Optionally, owing to the Namespace isolation mechanism of the Linux operating system, all containers in the Linux system share the same kernel, and the host of the Linux system provides each container with a virtual environment that has its own process and network space. The applications inside the individual containers of the Linux system are isolated from one another and do not interfere with one another.
Fig. 1 schematically shows authentication module 110, container 121 and container 122. Optionally, the Linux system may include other containers on the host; the embodiments of the present invention are not limited in this respect.
The authentication module 110 is configured to receive, over an authentication channel, an authentication request from container 121, where the authentication request is used for requesting communication with container 122; to determine, according to the authentication request, whether container 121 has permission to communicate with container 122, that is, whether container 121 and container 122 are trusted containers; and, if container 121 and container 122 are trusted containers, to generate a communication file for the two containers to communicate, where the communication file includes the communication resources used by the two containers to communicate, and to send the file information of the communication file to container 121 and container 122 respectively over the authentication channel, so that the two containers find the communication file in the shared directory of the host according to the file information and communicate with each other through the communication file.
Container 121 and container 122 are configured to receive the file information of the communication file sent by the authentication module 110, locate the communication file in the host shared directory that each has mounted, and communicate according to the communication file.
Optionally, container 121 may request to communicate with container 122, and container 122 may also request to communicate with container 121; the embodiments of the present invention are not limited in this respect.
Optionally, container 121 may also request to communicate with other containers on the host. There may be one or more such other containers, and the authentication module may send the file information of the communication file to all containers that have communication permission, so that the one or more other containers can also communicate with container 121 and container 122; the embodiments of the present invention are not limited in this respect.
It should be understood that before container 121 sends the host's authentication module an authentication request for communicating with container 122, container 121 and container 122 should first mount the shared directory of the host so that they can read it. The mounting can be implemented in software, and the details of the host's physical partitions can be hidden from container 121 and container 122, which uniformly use the logical concept that everything is a file.
Fig. 2 shows a method 200 for communication between containers provided by an embodiment of the present invention. The method 200 can be applied to the host system 100 shown in Fig. 1, but the embodiments of the present invention are not limited thereto.
S210: the first container sends an authentication request to the authentication module of the host, where the authentication request is used for requesting communication with the second container.
It should be understood that the first container can request to establish communication with one or more containers. The embodiments of the present invention describe the communication process only for the case in which the first container requests to establish communication with the second container, but are not limited thereto. The first container and the second container are located on the same host and both mount a shared directory of the host, so that the first container and the second container can read host memory.
Optionally, the authentication request may carry the identifier of the first container and the identifier of the second container.
S220: the authentication module generates a communication file under the shared directory of the host according to the authentication request sent by the first container, where the communication file may include the communication resources used by the first container and the second container to communicate.
Optionally, the first container and the second container can communicate in several ways: for example, through Unix domain socket communication, through shared memory, or through both Unix domain socket and shared memory; the embodiments of the present invention are not limited in this respect.
It should be understood that which communication mode the communicating containers use may be determined by the user. If the user has requirements on the performance and quality of communication, the shared memory mode may be selected; if the user has requirements on the speed and security of communication, the Unix domain socket mode may be selected; or other communication modes may be used as needed. The embodiments of the present invention are not limited in this respect.
Optionally, the communication mode of the first container and the second container may be carried in the authentication request of the first container, in which case the authentication module obtains the communication mode and generates the communication file according to the authentication request. Alternatively, the communication mode to be used may be preset directly in the authentication module as needed; the embodiments of the present invention are not limited in this respect.
In one embodiment, if it is determined that the first container and the second container use Unix domain socket communication, the authentication module may generate a communication file under the host shared directory. The communication file may be, for example, a socket file, which describes the socket that the authentication module has allocated for communication between the first container and the second container.
In another embodiment, if it is determined that the first container and the second container use shared memory communication, the authentication module may generate a communication file under the host shared directory. The communication file may be, for example, a shared memory file, which may define, in the memory of the host, the shared memory allocated for communication between the first container and the second container. Optionally, the allocated shared memory may be host memory other than the host memory occupied by the first container and the second container.
Optionally, before S220, the authentication module may determine, according to the identifier of the first container and the identifier of the second container carried in the authentication request, whether the first container and the second container have communication permission. If they do, the authentication module generates the communication file, which includes the communication resources used by the first container and the second container to communicate.
In one embodiment, the authentication module may preset a trusted container list that lists all trusted containers on the host, and determine, according to the identifier of the first container and the identifier of the second container sent to the authentication module, whether the first container and the second container that need to establish communication are in the trusted container list, that is, whether the first container and the second container are both trusted containers. If both are trusted containers, the first container and the second container have permission to communicate with each other. In another embodiment, the authentication module may instead establish a communication list that lists all containers on the host that can communicate with one another, and determine according to the communication list whether the first container and the second container have communication permission; the embodiments of the present invention are not limited thereto.
Optionally, the authentication module may be configured using mandatory access control technology, for example Security-Enhanced Linux (SELinux) or AppArmor, so that access to the communication file is open only to containers that have access rights; the embodiments of the present invention are not limited thereto.
S230: the authentication module sends the file information of the communication file to the first container and the second container.
Optionally, the file information of the communication file may include the file name of the communication file.
Optionally, the authentication module may send the file information of the communication file to the first container and the second container separately, or may broadcast the file name of the communication file to all containers that have communication permission; the present invention is not limited in this respect.
In one embodiment, if the authentication module generates a socket file, it may send the file name of the socket file to the first container and the second container. If the authentication module generates a shared memory file, it may send the file information of the shared memory file to the first container and the second container. The file information of the shared memory file may include the file name and, optionally, the start address and length of the shared memory defined by the shared memory file; from this file information, the specific memory that the authentication module has allocated for communication between the containers can be determined.
S240: the first container and the second container each locate the communication file under the host shared directory that they have mounted, according to the file information of the communication file.
Optionally, the communication file may also be a file under a sub-directory of the shared directory, and the file information of the communication file may further include information indicating the path of the file under the sub-directory of the shared directory; the embodiments of the present invention are not limited thereto.
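A sketch of steps S220 to S240 for the shared-memory case, as an added example that is not code from the patent or its applicant: the authentication module checks both identifiers against the trusted container list, creates the communication file under the shared directory and returns its file information, and a container then opens the file from that information. The function names, the container identifiers, the `<src>__<dst>.shm` naming scheme and mode 0600 (which assumes both containers run as the same host user) are assumptions, and the sub-directory case is not covered.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Constructed trusted container list; the identifiers are hypothetical. */
static const char *const TRUSTED[] = { "ctr-web", "ctr-db" };

struct auth_request { const char *src_id, *dst_id; };
struct file_info { char name[96]; size_t length; };   /* assumed layout */

/* Identifiers end up in a file name: allow only [A-Za-z0-9-], 1..32 chars. */
static int id_is_safe(const char *id)
{
    size_t n = strlen(id);
    return n >= 1 && n <= 32 &&
           strspn(id, "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
                      "0123456789-") == n;
}

static int id_is_trusted(const char *id)
{
    for (size_t i = 0; i < sizeof TRUSTED / sizeof TRUSTED[0]; i++)
        if (strcmp(id, TRUSTED[i]) == 0) return 1;
    return 0;
}

/* Authentication module side (S220, S230). Returns 0 and fills *out,
 * or a negative errno: -EINVAL bad identifier, -EPERM not trusted. */
int create_comm_file(const char *shared_dir, const struct auth_request *req,
                     size_t length, struct file_info *out)
{
    if (!id_is_safe(req->src_id) || !id_is_safe(req->dst_id)) return -EINVAL;
    if (!id_is_trusted(req->src_id) || !id_is_trusted(req->dst_id)) return -EPERM;

    int dirfd = open(shared_dir, O_RDONLY | O_DIRECTORY);
    if (dirfd < 0) return -errno;
    snprintf(out->name, sizeof out->name, "%s__%s.shm", req->src_id, req->dst_id);
    /* O_EXCL | O_NOFOLLOW: never reuse a file or symlink planted in advance. */
    int fd = openat(dirfd, out->name, O_RDWR | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    int err = fd < 0 ? errno : 0;
    if (fd >= 0 && ftruncate(fd, (off_t)length) != 0) {
        err = errno;
        unlinkat(dirfd, out->name, 0);
    }
    if (fd >= 0) close(fd);
    close(dirfd);
    if (err) return -err;
    out->length = length;
    return 0;
}

/* Container side (S240): resolve the received file information strictly
 * inside the mounted shared directory. Returns an fd or a negative errno. */
int open_comm_file(const char *mount_point, const struct file_info *info)
{
    if (!memchr(info->name, '\0', sizeof info->name) || info->name[0] == '\0' ||
        info->name[0] == '.' || strchr(info->name, '/'))
        return -EINVAL;                      /* plain file name only */
    int dirfd = open(mount_point, O_RDONLY | O_DIRECTORY);
    if (dirfd < 0) return -errno;
    int fd = openat(dirfd, info->name, O_RDWR | O_NOFOLLOW);
    int err = fd < 0 ? errno : 0;
    close(dirfd);
    if (err) return -err;
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) ||
        (size_t)st.st_size != info->length) {
        close(fd);
        return -EINVAL;                      /* not the file that was announced */
    }
    return fd;
}

int main(void)
{
    char dir[64];                            /* constructed shared directory */
    snprintf(dir, sizeof dir, "/tmp/ctr-shared-%ld", (long)getpid());
    if (mkdir(dir, 0700) != 0) return 1;
    struct auth_request req = { "ctr-web", "ctr-db" };
    struct file_info info;
    if (create_comm_file(dir, &req, 4096, &info) != 0) return 1;
    int fd = open_comm_file(dir, &info);
    printf("file info: %s, %zu bytes, opened fd %d\n", info.name, info.length, fd);
    return fd >= 0 ? 0 : 1;
}
```
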
S250: the first container and the second container communicate according to the communication file.
In one embodiment, when the first container and the second container communicate in the Unix domain socket mode, a kernel channel is established through the socket file, and reading the socket file during communication reads the kernel channel. Data does not need to be packed and unpacked by the network protocol stack; application-layer data is simply copied from one process to another, so communication is fast and security is high.
In another embodiment, when the first container and the second container communicate in the shared memory mode, they communicate through a block of shared memory allocated on the host, and the data messages of the communication can be exchanged by means of a ring buffer (ring-buffer); that is, the ring buffer provides the service entry point for a pair of containers that communicate with each other. Suppose the second container is the receiving end of the communication and the first container is the sending end. When the first container communicates with the second container, the receiving end can read messages from the head of the ring buffer and the sending end can send messages from the tail of the ring buffer. Communication performance is good and quality is high. Optionally, the first container and the second container may also exchange data messages through other buffers or in other ways; the embodiments of the present invention are not limited in this respect.
It should be understood that when the first container and the second container communicate in the shared memory mode, a synchronization mechanism is needed in addition to data exchange, to ensure that the first container and the second container send and receive data messages synchronously during communication.
In one embodiment, the first container and the second container may use a polling synchronization mechanism. Suppose the second container is the receiving end of the communication and the first container is the sending end. When the first container communicates with the second container, the sending end simply writes messages into the ring buffer without notifying the receiving end, and the receiving end actively checks whether there is a data message in the ring buffer. If there is a data message, the receiving end reads it; otherwise, the receiving end continues to poll.
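The polled ring buffer described above, as an added example that is not code from the patent: a single-sender, single-receiver ring laid out in the mapped shared memory file, in which the receiver treats the indices and lengths written by its peer as untrusted. The slot count, slot size, struct layout, function names and file path are assumptions.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <fcntl.h>
#include <stdatomic.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/stat.h>
#include <unistd.h>

#define SLOTS     8u    /* ring capacity in messages (assumed) */
#define SLOT_SIZE 64u   /* maximum message size in bytes (assumed) */

struct slot { uint32_t len; unsigned char data[SLOT_SIZE]; };

/* Layout of the shared memory file. Both indices only ever increase. */
struct ring {
    _Atomic uint32_t head;            /* next slot the receiver reads */
    _Atomic uint32_t tail;            /* next slot the sender writes  */
    struct slot slots[SLOTS];
};

/* Map the communication file; create=1 is the side that allocates it.
 * ftruncate zero-fills the file, so head == tail == 0 (empty ring). */
struct ring *ring_map(const char *path, int create)
{
    int fd = open(path, create ? O_RDWR | O_CREAT | O_EXCL : O_RDWR, 0600);
    if (fd < 0) return NULL;
    struct stat st;
    if ((create && ftruncate(fd, sizeof(struct ring)) != 0) ||
        fstat(fd, &st) != 0 || (size_t)st.st_size < sizeof(struct ring)) {
        close(fd);
        return NULL;                  /* a short file would fault on access */
    }
    void *p = mmap(NULL, sizeof(struct ring), PROT_READ | PROT_WRITE,
                   MAP_SHARED, fd, 0);
    close(fd);
    return p == MAP_FAILED ? NULL : (struct ring *)p;
}

/* Sending end: write at the tail. Returns 1 sent, 0 ring full, -1 too large. */
int ring_send(struct ring *r, const void *msg, uint32_t len)
{
    if (len > SLOT_SIZE) return -1;
    uint32_t tail = atomic_load_explicit(&r->tail, memory_order_relaxed);
    uint32_t head = atomic_load_explicit(&r->head, memory_order_acquire);
    if (tail - head >= SLOTS) return 0;
    struct slot *s = &r->slots[tail % SLOTS];
    memcpy(s->data, msg, len);
    s->len = len;
    /* Release: the payload is visible before the new tail is. */
    atomic_store_explicit(&r->tail, tail + 1, memory_order_release);
    return 1;
}

/* Receiving end: one polling step at the head. Returns the message length,
 * -1 if the ring is empty, -2 if the peer wrote an impossible index/length. */
int ring_poll(struct ring *r, void *out, uint32_t cap)
{
    uint32_t head = atomic_load_explicit(&r->head, memory_order_relaxed);
    uint32_t tail = atomic_load_explicit(&r->tail, memory_order_acquire);
    if (head == tail) return -1;
    if (tail - head > SLOTS) return -2;
    struct slot *s = &r->slots[head % SLOTS];
    /* Read the length once: the peer can rewrite shared memory at any time. */
    uint32_t len = *(volatile uint32_t *)&s->len;
    if (len > SLOT_SIZE || len > cap) return -2;
    memcpy(out, s->data, len);
    atomic_store_explicit(&r->head, head + 1, memory_order_release);
    return (int)len;
}

int main(void)
{
    const char *path = "/tmp/ctr-ring-demo.shm";   /* constructed path */
    unlink(path);
    /* Two mappings of one file stand in for the two containers. */
    struct ring *tx = ring_map(path, 1), *rx = ring_map(path, 0);
    if (!tx || !rx) return 1;
    ring_send(tx, "ping", 4);
    unsigned char buf[SLOT_SIZE];
    int n;
    while ((n = ring_poll(rx, buf, sizeof buf)) == -1) { /* keep polling */ }
    printf("received %d bytes\n", n);
    unlink(path);
    return n == 4 ? 0 : 1;
}
```
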
The method communicated between the container of the embodiment of the present invention, the authentication request for asking second container to communicate of the first container transmission is received by authentication module, this first container and this second container are arranged in same main frame, and this first container and this second container equal carry share directory of this main frame, the communication file comprising this first container and this second container communication resource is generated according to this authentication request, and the fileinfo of this communication file is sent to this first container and this second container, can make to communicate between two mutually isolated containers.
The method communicated between the container of the embodiment of the present invention, this first container and this second container adopt Unix territory socket mode to communicate, and the speed of communication is fast, and security is good; This first container and this second container adopt shared drive mode to communicate, and the performance of communication is good, and quality is high.
Fig. 3 shows a method 300 for communication between containers provided by an embodiment of the present invention. The method 300 can be applied to the Linux system 100 shown in Fig. 1 and can be performed by the authentication module in Fig. 1.
S310: Receive an authentication request sent by a first container requesting communication with a second container, where the first container and the second container are located on the same host and both mount the shared directory of the host.
Specifically, the authentication module may receive the authentication request sent by the first container requesting communication with a second container on the same host; the first container and the second container both mount the shared directory of the host.
Optionally, the authentication request may include the identifier of the first container and the identifier of the second container.
S320: According to the authentication request, generate a communication file under the shared directory of the host, where the communication file includes the communication resource with which the first container and the second container communicate.
Specifically, the authentication module may determine, according to the authentication request sent by the first container, the communication mode to be used between the first container and the second container, and generate a communication file for the first container and the second container according to that communication mode. The communication file includes the communication resource used for communication, so that the first container and the second container can communicate according to the communication resource in the communication file.
Specifically, as one embodiment, if it is determined that the first container and the second container use Unix domain sockets, the authentication module may generate a communication file under the shared directory of the host. The communication file may be, for example, a socket file, which describes the socket that the authentication module allocates for communication between the first container and the second container.
As another embodiment, if it is determined that the first container and the second container use shared memory, the authentication module may generate a communication file under the shared directory of the host. The communication file may be, for example, a shared memory file, which may define the shared memory, within the memory of the host, that is allocated for communication between the first container and the second container. Optionally, the allocated shared memory may be host memory other than the host memory occupied by the first container and the second container.
Specifically, before S310, the authentication module may determine the communication permission of the first container and the second container according to the authentication request; permission for inter-container communication is open only to containers that have been granted it.
Optionally, the authentication module may determine, according to the authentication request, whether the first container and the second container are in a preset trusted container list. If they are, the first container and the second container are trusted and have permission to communicate.
Optionally, if at least one of the first container and the second container is not in the trusted container list preset in the authentication module, this indicates that a malicious container is present and the two containers cannot be granted permission to communicate. The communication file is therefore not generated for the first container and the second container.
Optionally, the authentication request may ask to communicate with one or more second containers. The authentication module needs to authenticate all containers in the request; when all containers in the authentication request are trusted containers, it may generate communication files for communication between the first container and the one or more second containers. The embodiments of the present invention place no limitation on this.
S330: Send the file information of the communication file to the first container and the second container, so that the first container and the second container locate the communication file under the shared directory of the host according to the file information, and communicate according to the communication file.
Specifically, after generating the communication file, the authentication module may send the file information of the communication file to the first container and the second container. That is, it sends information indicating the communication resource to the first container and the second container, so that they determine the communication resource from this indication information and communicate according to it.
Optionally, the authentication module may broadcast the file information of the communication file to the first container and the second container, or may send it to the first container and the second container separately; the embodiments of the present invention place no limitation on this.
Optionally, the file information may be the file name of the file, and may also include resource information for the file.
As one embodiment, if the authentication module generates a socket file, it may send the file name of the socket file to the first container and the second container. If the authentication module generates a shared memory file, it may send the file information of the shared memory file to the first container and the second container. The file information of the shared memory file may include the file name and, optionally, the start address and length of the shared memory that the shared memory file defines; from this file information the containers can determine the specific memory that the authentication module allocated for their communication.
Optionally, the communication file may also be a file under a subdirectory of the shared directory, and the file information of the communication file may also include information indicating the path of the file under that subdirectory, but the embodiments of the present invention are not limited to this.
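The S310 to S330 flow of the authentication module, as an added Python sketch that is not code from the patent: every container named in the request is checked against the trusted list before any file is created under the shared directory, and the returned file information carries the file name plus, for shared memory, start and length. The request fields, identifier syntax, file naming scheme, 4096-byte region size and 0600 mode are assumptions; granting access to exactly the two containers (ownership, ACLs) is deployment-specific and not shown.

```python
import os
import re
import socket

# Assumed identifier syntax; the patent only says the request carries both identifiers.
ID_RE = re.compile(r"[a-z0-9][a-z0-9_-]{0,31}")
MODES = {"unix_socket": ".sock", "shared_memory": ".shm"}  # assumed mode names
SHM_LENGTH = 4096  # assumed size in bytes of each shared-memory region


class AuthError(Exception):
    """The request is malformed, names an untrusted container, or collides with a file."""


class AuthModule:
    def __init__(self, shared_dir, trusted_ids):
        self.shared_dir = os.path.realpath(shared_dir)
        self.trusted = frozenset(trusted_ids)
        self.listeners = []  # bound sockets are kept open for the lifetime of the module

    def handle(self, request):
        """S310: take the request. S320: create the files. S330: return the file info."""
        first = request.get("first")
        seconds = request.get("seconds") or []
        mode = request.get("mode")
        if mode not in MODES or not seconds:
            raise AuthError("unsupported mode or no second container")
        # Authenticate every container in the request before creating anything,
        # so that one untrusted peer denies the whole request.
        for cid in [first, *seconds]:
            if not isinstance(cid, str) or not ID_RE.fullmatch(cid):
                raise AuthError("malformed container identifier")
            if cid not in self.trusted:
                raise AuthError("container not in the trusted list")
        return [self._create(first, second, mode) for second in seconds]

    def _create(self, first, second, mode):
        # The name is built only from validated identifiers, so it cannot contain
        # "/" or ".." and the file cannot land outside the shared directory.
        name = first + "--" + second + MODES[mode]
        path = os.path.join(self.shared_dir, name)
        info = {"peer": second, "mode": mode, "name": name}
        if mode == "unix_socket":
            sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
            try:
                sock.bind(path)  # bind() creates the socket file and fails if the path exists
            except OSError as exc:
                sock.close()
                raise AuthError("cannot create socket file") from exc
            self.listeners.append(sock)
            return info
        try:
            # O_EXCL refuses a file or symlink that a container planted in advance.
            fd = os.open(path, os.O_RDWR | os.O_CREAT | os.O_EXCL, 0o600)
        except FileExistsError as exc:
            raise AuthError("communication file already exists") from exc
        try:
            os.ftruncate(fd, SHM_LENGTH)
        finally:
            os.close(fd)
        info.update(start=0, length=SHM_LENGTH)
        return info
```

Because the shared directory is writable by the containers themselves, the exclusive-create and bind failures are treated as denials rather than being retried over an existing path.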
As one embodiment, when the first container and the second container communicate using Unix domain sockets, a kernel channel is established through the socket file, and reading the socket file during communication reads the kernel channel. The data does not have to pass through the network protocol stack to be packed and unpacked; application-layer data is simply copied from one process to another, which is fast and highly secure.
As another embodiment, when the first container and the second container communicate using shared memory, they communicate through a block of shared memory allocated in the host. Data packets can be exchanged through a ring-buffer; that is, the ring-buffer provides the service entry point for a pair of containers that communicate with each other. Suppose the second container is the receiving end and the first container is the sending end. When the first container communicates with the second container, the receiving end reads messages from the head of the ring-buffer and the sending end sends messages from the tail of the ring-buffer, so communication performance is good and quality is high. Optionally, the first container and the second container may also exchange data packets through other buffers or by other means; the embodiments of the present invention place no limitation on this.
It should be understood that when the first container and the second container communicate using shared memory, a synchronization mechanism is needed in addition to the data exchange, to keep the sending and receiving of data packets by the first container and the second container synchronized during communication.
As one embodiment, the first container and the second container may use polling as the synchronization mechanism. Suppose the second container is the receiving end and the first container is the sending end. When the first container communicates with the second container, the sending end simply writes messages into the ring-buffer without notifying the receiving end, and the receiving end actively queries whether the ring-buffer contains a data packet. If it does, the receiving end reads the message; otherwise the receiving end continues to query.
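The shared-memory ring-buffer with polling described above (and in the identical passage of the earlier embodiment), as an added Python sketch rather than code from the patent: the sender writes at the tail, the receiver polls and reads from the head, and the receiver bounds-checks the indices and length prefixes because they are written by the other container. The 8-byte header layout, the 2-byte length prefix and the 64-byte constructed region in `demo()` are assumptions.

```python
import mmap
import os
import struct
import tempfile
import time

HEADER = struct.Struct("<II")  # assumed layout: head offset (receiver-owned), tail offset (sender-owned)
LEN = struct.Struct("<H")      # assumed 2-byte length prefix in front of every message


class RingCorrupt(Exception):
    """An index or length prefix written by the peer is inconsistent."""


class Ring:
    def __init__(self, path, start, length):
        # path, start and length are the file info received from the authentication
        # module; mmap requires start to be a multiple of mmap.ALLOCATIONGRANULARITY.
        fd = os.open(path, os.O_RDWR)
        try:
            self.mem = mmap.mmap(fd, length, offset=start)
        finally:
            os.close(fd)
        self.cap = length - HEADER.size

    def _indices(self):
        head, tail = HEADER.unpack_from(self.mem, 0)
        if head >= self.cap or tail >= self.cap:
            raise RingCorrupt("index outside the data area")
        return head, tail

    def _write(self, pos, data):
        first = min(len(data), self.cap - pos)  # bytes that fit before the wrap
        base = HEADER.size
        self.mem[base + pos:base + pos + first] = data[:first]
        self.mem[base:base + len(data) - first] = data[first:]
        return (pos + len(data)) % self.cap

    def _read(self, pos, n):
        first = min(n, self.cap - pos)
        base = HEADER.size
        return self.mem[base + pos:base + pos + first] + self.mem[base:base + n - first]

    def send(self, payload):
        """Sending end: append at the tail; returns False when the ring is full."""
        head, tail = self._indices()
        free = self.cap - 1 - (tail - head) % self.cap  # one byte stays unused
        if len(payload) > 0xFFFF or LEN.size + len(payload) > free:
            return False
        new_tail = self._write(tail, LEN.pack(len(payload)) + payload)
        # Publish the tail only after the data is in place. A C implementation
        # would need release/acquire ordering on these index updates.
        struct.pack_into("<I", self.mem, 4, new_tail)
        return True

    def try_recv(self):
        """Receiving end: take one message from the head, or None if the ring is empty."""
        head, tail = self._indices()
        used = (tail - head) % self.cap
        if used == 0:
            return None
        if used < LEN.size:
            raise RingCorrupt("truncated length prefix")
        (n,) = LEN.unpack(self._read(head, LEN.size))
        if n > used - LEN.size:
            raise RingCorrupt("length prefix exceeds the published data")
        payload = self._read((head + LEN.size) % self.cap, n)
        struct.pack_into("<I", self.mem, 0, (head + LEN.size + n) % self.cap)
        return payload

    def poll(self, timeout=1.0, interval=0.01):
        """Polling synchronization: the sender never notifies, the receiver keeps asking."""
        deadline = time.monotonic() + timeout
        while True:
            msg = self.try_recv()
            if msg is not None or time.monotonic() >= deadline:
                return msg
            time.sleep(interval)


def demo():
    """Both ends mapped in one process over a constructed 64-byte region."""
    path = os.path.join(tempfile.mkdtemp(), "c1--c2.shm")  # stand-in for the shared directory
    with open(path, "wb") as f:
        f.truncate(64)
    sender, receiver = Ring(path, 0, 64), Ring(path, 0, 64)
    sender.send(b"hello")
    sender.send(b"world!")
    return [receiver.poll(), receiver.poll(), receiver.poll(timeout=0.05)]
```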
In the inter-container communication method of this embodiment of the present invention, the authentication module receives an authentication request sent by the first container requesting communication with the second container, where the first container and the second container are located in the same host and both mount the shared directory of the host. The authentication module generates, according to the authentication request, a communication file that contains the communication resource of the first container and the second container, and sends the file information of the communication file to the first container and the second container, so that two mutually isolated containers can communicate.
In the inter-container communication method of this embodiment of the present invention, when the first container and the second container communicate using Unix domain sockets, communication is fast and security is good; when they communicate using shared memory, communication performance is good and quality is high.
Fig. 4 shows a method 400 for communication between containers provided by an embodiment of the present invention. The method 400 can be applied to the Linux system 100 shown in Fig. 1.
S410: Receive the file information of a communication file sent by the authentication module of the host, where the communication file includes the communication resource with which the first container and the second container communicate, the first container and the second container both mount the shared directory of the host, and the communication file is located under the shared directory of the host.
It should be understood that the same host may contain multiple mutually isolated containers. Because of the Linux namespace mechanism, these containers are transparent to one another and independent of each other. The containers can mount the shared directory of the host, so that each container can communicate with the host and read the files in the shared directory.
Specifically, multiple containers in the host may receive the file information of the communication file, sent by the authentication module, that indicates the communication resource. The communication file is located under the shared directory of the host that the containers mount. According to the file information, the containers can determine the communication resource that the authentication module allocated for communication between them, and can establish communication with one another according to that communication resource.
As one embodiment, before S410, the first container among the multiple containers may send to the authentication module an authentication request requesting communication with the second container.
Optionally, the authentication request may include the identifier of the first container and the identifier of the second container, so that the authentication module authenticates the communication between the first container and the second container according to the authentication request.
Optionally, there may be one or more second containers; the embodiments of the present invention place no limitation on this.
S420: The first container determines the communication file according to the information of the communication file.
Specifically, the first container and the second container may determine the communication file according to the information of the communication file; the communication file includes the communication resource with which the first container and the second container communicate.
Optionally, the resource information of the communication file may be the file name of the communication file, or may be identification information or attribute information of the communication file, or other information that the first container and the second container can use to determine the communication file; the embodiments of the present invention place no limitation on this.
As one embodiment, if the authentication module generates a socket file, it may send the file name of the socket file to the first container and the second container. If the authentication module generates a shared memory file, it may send the file information of the shared memory file to the first container and the second container. The file information of the shared memory file may include the file name and, optionally, the start address and length of the shared memory that the shared memory file defines; from this file information the containers can determine the specific memory that the authentication module allocated for their communication.
Optionally, the communication file may also be a file under a subdirectory of the shared directory, and the file information of the communication file may also include information indicating the path of the file under that subdirectory, but the embodiments of the present invention are not limited to this.
S430: The first container communicates with the second container according to the communication file.
Specifically, the first container and the second container may communicate according to the communication file, which includes the communication resource used for communication.
As one embodiment, when the first container and the second container communicate using Unix domain sockets, a kernel channel is established through the socket provided by the socket file, and reading the socket file during communication reads the kernel channel. The data does not have to pass through the network protocol stack to be packed and unpacked; application-layer data is simply copied from one process to another, which is fast and highly secure.
As another embodiment, when the first container and the second container communicate using shared memory, they communicate through a block of shared memory allocated in the host. Data packets can be exchanged through a ring-buffer; that is, the ring-buffer provides the service entry point for a pair of containers that communicate with each other. Suppose the second container is the receiving end and the first container is the sending end. When the first container communicates with the second container, the receiving end reads messages from the head of the ring-buffer and the sending end sends messages from the tail of the ring-buffer, so communication performance is good and quality is high. Optionally, the first container and the second container may also exchange data packets through other buffers or by other means; the embodiments of the present invention place no limitation on this.
In the inter-container communication method of this embodiment of the present invention, the first container receives the file information of the communication file sent by the authentication module, where the communication file includes the communication resource of the first container and the second container located in the same host, and the first container and the second container both mount the shared directory of the host. The first container determines the communication file according to its file information and communicates with the second container through the communication file, so that two mutually isolated containers can communicate.
In the inter-container communication method of this embodiment of the present invention, when the first container and the second container communicate using Unix domain sockets, communication is fast and security is good; when they communicate using shared memory, communication performance is good and quality is high.
It should be understood that the sequence numbers of the foregoing processes do not imply an order of execution. The order in which the processes are executed should be determined by their functions and internal logic, and should not limit the implementation of the embodiments of the present invention in any way.
The method for communication between containers according to the embodiments of the present invention has been described in detail above with reference to Fig. 1 to Fig. 4. The apparatus for communication between containers according to the embodiments of the present invention is described in detail below with reference to Fig. 5 to Fig. 8.
Fig. 5 shows an apparatus 500 for communication between containers provided by an embodiment of the present invention. The apparatus 500 includes:
A receiving unit 510, configured to receive an authentication request sent by a first container requesting communication with a second container, where the first container and the second container are located on the same host and both mount the shared directory of the host;
A generating unit 520, configured to generate, according to the authentication request received by the receiving unit 510, a communication file under the shared directory of the host, where the communication file includes the communication resource with which the first container and the second container communicate;
A sending unit 530, configured to send the file information of the communication file generated by the generating unit 520 to the first container and the second container, so that the first container and the second container locate the communication file under the shared directory of the host according to the file information, and communicate according to the communication file.
Optionally, the apparatus 500 further includes a determining unit. The determining unit is configured to, before the communication file is generated under the shared directory of the host according to the authentication request, determine according to the authentication request whether the first container and the second container are in a preset trusted container list, where the authentication request carries the identifier of the first container and the identifier of the second container; and, if the first container and the second container are both in the preset trusted container list, determine that the first container and the second container have permission to communicate.
Optionally, the generating unit 520 is specifically configured to: determine, according to the authentication request, the communication mode of the first container and the second container; and generate the communication file according to the communication mode.
Optionally, if it is determined that the first container and the second container use Unix domain sockets, the generating unit 520 generates a socket file, which provides a socket for communication between the first container and the second container; and/or, if it is determined that the first container and the second container use shared memory, the generating unit 520 generates a shared memory file, which provides shared memory in the memory of the host for communication between the first container and the second container.
It should be understood that the apparatus 500 here is embodied in the form of functional units. The term "unit" here may refer to an application-specific integrated circuit (ASIC), an electronic circuit, a processor (for example a shared processor, a dedicated processor, or a group processor) and memory for executing one or more software or firmware programs, a combinational logic circuit, and/or other suitable components that support the described functions. In an optional example, those skilled in the art will understand that the apparatus 500 may specifically be the authentication module in the foregoing embodiments, and may be used to perform the processes and/or steps corresponding to the authentication module in the foregoing method embodiments; to avoid repetition, they are not described again here.
Fig. 6 shows an apparatus 600 for communication between containers provided by an embodiment of the present invention. The apparatus 600 includes:
A receiving unit 610, configured to receive the file information of a communication file sent by the authentication module of the host, where the communication file includes the communication resource with which the first container and the second container communicate, the first container and the second container both mount the shared directory of the host, and the communication file is located under the shared directory of the host;
A determining unit 620, configured for the first container to determine the communication file under the shared directory of the host according to the file information of the communication file received by the receiving unit 610;
A communication unit 630, configured for the first container to communicate with the second container according to the communication file determined by the determining unit 620.
Optionally, the apparatus 600 further includes a sending unit. The sending unit is configured for the first container to send an authentication request to the authentication module before the file information of the communication file sent by the authentication module of the host is received, where the authentication request is used to request communication with the second container, and the first container and the second container are both located in the host.
Optionally, the authentication request carries the communication mode of the first container and the second container.
Optionally, the communication file includes a socket file and/or a shared memory file. The socket file provides a socket for communication between the first container and the second container, and the shared memory file provides shared memory in the memory of the host for communication between the first container and the second container.
It should be understood that the apparatus 600 here is embodied in the form of functional units. The term "unit" here may refer to an application-specific integrated circuit (ASIC), an electronic circuit, a processor (for example a shared processor, a dedicated processor, or a group processor) and memory for executing one or more software or firmware programs, a combinational logic circuit, and/or other suitable components that support the described functions. In an optional example, those skilled in the art will understand that the apparatus 600 may specifically be the container in the foregoing embodiments, and may be used to perform the processes and/or steps corresponding to the container in the foregoing method embodiments; to avoid repetition, they are not described again here.
Fig. 7 shows an apparatus 700 for communication between containers provided by an embodiment of the present invention. The apparatus 700 includes a receiver 710, a processor 720, a transmitter 730, a memory 740, and a bus system 750. The receiver 710, the processor 720, the transmitter 730, and the memory 740 are connected by the bus system 750. The memory 740 is configured to store instructions, and the processor 720 is configured to execute the instructions stored in the memory 740, to control the receiver 710 to receive signals and to control the transmitter 730 to send instructions.
The receiver 710 is configured to receive an authentication request sent by a first container requesting communication with a second container, where the first container and the second container are located on the same host and both mount the shared directory of the host;
The processor 720 is configured to generate, according to the authentication request received by the receiver 710, a communication file under the shared directory of the host, where the communication file includes the communication resource with which the first container and the second container communicate;
The transmitter 730 is configured to send the file information of the communication file generated by the processor 720 to the first container and the second container, so that the first container and the second container locate the communication file under the shared directory of the host according to the file information, and communicate according to the communication file.
Optionally, the processor 720 is specifically configured to: determine, according to the authentication request, the communication mode of the first container and the second container; and generate the communication file according to the communication mode.
Optionally, if it is determined that the first container and the second container use Unix domain sockets, the processor 720 generates a socket file, which describes the socket with which the first container and the second container communicate; and/or, if it is determined that the first container and the second container use shared memory, the processor 720 generates a shared memory file, which provides shared memory in the memory of the host for communication between the first container and the second container.
Optionally, the processor 720 is further configured to, before the communication file is generated under the shared directory of the host according to the authentication request, determine according to the authentication request whether the first container and the second container are in a preset trusted container list, where the authentication request carries the identifier of the first container and the identifier of the second container; and, if the first container and the second container are both in the preset trusted container list, determine that the first container and the second container have permission to communicate.
It should be understood that the apparatus 700 may specifically be the terminal device in the foregoing embodiments, and may be used to perform the steps and/or processes corresponding to the terminal device in the foregoing method embodiments. Optionally, the memory 740 may include read-only memory and random access memory, and provides instructions and data to the processor. Part of the memory may also include non-volatile random access memory. For example, the memory may also store information about the device type. The processor 720 may be configured to execute the instructions stored in the memory, and when the processor executes the instructions, the processor can perform the steps corresponding to the terminal device in the foregoing method embodiments.
Fig. 8 shows an apparatus 800 for communication between containers provided by an embodiment of the present invention. The apparatus 800 includes a receiver 810, a processor 820, a transmitter 830, a memory 840, and a bus system 850. The receiver 810, the processor 820, the transmitter 830, and the memory 840 are connected by the bus system 850. The memory 840 is configured to store instructions, and the processor 820 is configured to execute the instructions stored in the memory 840, to control the receiver 810 to receive signals and to control the transmitter 830 to send signals.
The receiver 810 is configured to receive the file information of a communication file sent by the authentication module of the host, where the communication file includes the communication resource with which the first container and the second container communicate, the first container and the second container both mount the shared directory of the host, and the communication file is located under the shared directory of the host;
The processor 820 is configured for the first container to determine the communication file under the shared directory of the host according to the file information of the communication file received by the receiver 810, and to communicate with the second container according to the communication file determined by the processor.
Optionally, the transmitter 830 is configured for the first container to send an authentication request to the authentication module before the file information of the communication file sent by the authentication module of the host is received, where the authentication request is used to request communication with the second container, and the first container and the second container are both located in the host.
Optionally, the authentication request carries the communication mode of the first container and the second container.
Optionally, the communication file includes a socket file and/or a shared memory file. The socket file describes the socket with which the first container and the second container communicate, and the shared memory file is used to allocate shared memory in the memory of the host for communication between the first container and the second container.
It should be understood that the apparatus 800 may specifically be the network device in the foregoing embodiments, and may be used to perform the steps and/or processes corresponding to the network device in the foregoing method embodiments. Optionally, the memory 840 may include read-only memory and random access memory, and provides instructions and data to the processor. Part of the memory may also include non-volatile random access memory. For example, the memory may also store information about the device type. The processor 820 may be configured to execute the instructions stored in the memory, and when the processor executes the instructions stored in the memory, the processor performs the steps and/or processes of the foregoing method embodiments.
Should understand, in embodiments of the present invention, this processor can be CPU (central processing unit) (CentralProcessingUnit, CPU), this processor can also be other general processors, digital signal processor (DSP), special IC (ASIC), ready-made programmable gate array (FPGA) or other programmable logic device (PLD), discrete gate or transistor logic, discrete hardware components etc.The processor etc. of general processor can be microprocessor or this processor also can be any routine.
In implementation procedure, each step of said method can be completed by the instruction of the integrated logic circuit of the hardware in processor or software form.Step in conjunction with the method disclosed in the embodiment of the present invention can directly be presented as that hardware processor is complete, or hardware in purpose processor and software module combination complete.Software module can be positioned at random access memory, flash memory, ROM (read-only memory), in the storage medium of this area maturations such as programmable read only memory or electrically erasable programmable storer, register.This storage medium is positioned at storer, the instruction in processor execute store, completes the step of said method in conjunction with its hardware.For avoiding repetition, be not described in detail here.
A person of ordinary skill in the art will recognize that the method steps and units described in connection with the embodiments disclosed herein can be implemented in electronic hardware, computer software, or a combination of the two. To illustrate the interchangeability of hardware and software clearly, the steps and composition of each embodiment have been described above generally in terms of function. Whether these functions are performed in hardware or in software depends on the particular application and the design constraints of the technical solution. A person of ordinary skill in the art may use different methods to implement the described functions for each particular application, but such an implementation should not be considered to go beyond the scope of the present invention.
A person skilled in the art will clearly understand that, for convenience and brevity of description, the specific working processes of the system, device and units described above may be found in the corresponding processes of the foregoing method embodiments and are not repeated here.
In the several embodiments provided in this application, it should be understood that the disclosed system, device and method may be implemented in other ways. For example, the device embodiments described above are merely illustrative: the division into units is only a division by logical function, and other divisions are possible in an actual implementation; for example, multiple units or components may be combined or integrated into another system, or some features may be ignored or not performed. In addition, the mutual coupling, direct coupling or communication connection shown or discussed may be an indirect coupling or communication connection through some interfaces, devices or units, and may also be an electrical, mechanical or other form of connection.
The units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units; that is, they may be located in one place or distributed across multiple network elements. Some or all of the units may be selected according to actual needs to achieve the purpose of the solutions of the embodiments of the present invention.
In addition, the functional units in the embodiments of the present invention may be integrated into one processing unit, each unit may exist physically on its own, or two or more units may be integrated into one unit. The integrated unit may be implemented in the form of hardware or in the form of a software functional unit.
If the integrated unit is implemented in the form of a software functional unit and is sold or used as an independent product, it may be stored in a computer-readable storage medium. Based on this understanding, the technical solution of the present invention in essence, or the part that contributes to the prior art, or all or part of the technical solution, may be embodied in the form of a software product. The computer software product is stored in a storage medium and includes several instructions that cause a computer device (which may be a personal computer, a server, a network device, or the like) to perform all or part of the steps of the methods described in the embodiments of the present invention. The aforementioned storage medium includes any medium that can store program code, such as a USB flash drive, a removable hard disk, read-only memory (Read-Only Memory, "ROM"), random access memory (Random Access Memory, "RAM"), a magnetic disk or an optical disc.
The above are only specific embodiments of the present invention, but the protection scope of the present invention is not limited thereto. Any person skilled in the art can readily conceive of various equivalent modifications or replacements within the technical scope disclosed by the present invention, and these modifications or replacements shall fall within the protection scope of the present invention. Therefore, the protection scope of the present invention shall be subject to the protection scope of the claims.

Claims (16)

1. A method for communication between containers, characterized by comprising:
receiving an authentication request sent by a first container for requesting communication with a second container, wherein the first container and the second container are located on the same host, and the first container and the second container both mount a shared directory of the host;
generating, according to the authentication request, a communication file under the shared directory of the host, the communication file including the communication resource with which the first container and the second container communicate;
sending file information of the communication file to the first container and the second container, so that the first container and the second container determine the communication file under the shared directory of the host according to the file information of the communication file, and communicate according to the communication file.
2. The method according to claim 1, characterized in that, before the generating, according to the authentication request, of a communication file under the shared directory of the host, the method further comprises:
judging, according to the authentication request, whether the first container and the second container are in a preset trusted container list, wherein the authentication request carries the identifier of the first container and the identifier of the second container;
if the first container and the second container are both in the preset trusted container list, determining that the first container and the second container have permission to communicate.
3. The method according to claim 1 or 2, characterized in that the generating, according to the authentication request, of a communication file under the shared directory of the host comprises:
determining, according to the authentication request, the communication mode of the first container and the second container;
generating the communication file according to the communication mode.
4. The method according to claim 3, characterized in that the generating of the communication file according to the communication mode comprises:
if it is determined that the first container and the second container use the Unix domain socket communication mode, generating a socket file, the socket file being used to provide a socket for communication between the first container and the second container; and/or
if it is determined that the first container and the second container use the shared memory communication mode, generating a shared memory file, the shared memory file being used to provide, in the memory of the host, shared memory for communication between the first container and the second container.
5. A method for communication between containers, characterized by comprising:
receiving file information of a communication file sent by the authentication module of a host, the communication file including the communication resource with which a first container and a second container communicate, wherein the first container and the second container both mount a shared directory of the host, and the communication file is located under the shared directory of the host;
determining, by the first container according to the file information of the communication file, the communication file under the shared directory of the host;
communicating, by the first container according to the communication file, with the second container.
6. The method according to claim 5, characterized in that, before the receiving of the file information of the communication file sent by the authentication module of the host, the method further comprises:
sending, by the first container, an authentication request to the authentication module, the authentication request being used to request communication with the second container, wherein the first container and the second container are both located in the host.
7. The method according to claim 6, characterized in that the authentication request carries the communication mode of the first container and the second container.
8. The method according to any one of claims 5 to 7, characterized in that the communication file includes a socket file and/or a shared memory file, the socket file being used to provide a socket for communication between the first container and the second container, and the shared memory file being used to provide, in the memory of the host, shared memory for communication between the first container and the second container.
9. A device for communication between containers, characterized by comprising:
a receiving unit, configured to receive an authentication request sent by a first container for requesting communication with a second container, wherein the first container and the second container are located on the same host, and the first container and the second container both mount a shared directory of the host;
a generating unit, configured to generate, according to the authentication request received by the receiving unit, a communication file under the shared directory of the host, the communication file including the communication resource with which the first container and the second container communicate;
a sending unit, configured to send file information of the communication file generated by the generating unit to the first container and the second container, so that the first container and the second container determine the communication file under the shared directory of the host according to the file information of the communication file, and communicate according to the communication file.
10. The device according to claim 9, characterized in that the device further comprises a determining unit,
the determining unit being configured to judge, according to the authentication request and before the communication file is generated under the shared directory of the host according to the authentication request, whether the first container and the second container are in a preset trusted container list, wherein the authentication request carries the identifier of the first container and the identifier of the second container;
if the first container and the second container are both in the preset trusted container list, to determine that the first container and the second container have permission to communicate.
11. The device according to claim 9 or 10, characterized in that the generating unit is specifically configured to:
determine, according to the authentication request, the communication mode of the first container and the second container;
generate the communication file according to the communication mode.
12. The device according to claim 11, characterized in that the generating unit is specifically configured to:
if it is determined that the first container and the second container use the Unix domain socket communication mode, generate a socket file, the socket file being used to provide a socket for communication between the first container and the second container; and/or
if it is determined that the first container and the second container use the shared memory communication mode, generate a shared memory file, the shared memory file being used to provide, in the memory of the host, shared memory for communication between the first container and the second container.
13. A device for communication between containers, characterized by comprising:
a receiving unit, configured to receive file information of a communication file sent by the authentication module of a host, the communication file including the communication resource with which a first container and a second container communicate, wherein the first container and the second container both mount a shared directory of the host, and the communication file is located under the shared directory of the host;
a determining unit, configured to determine, for the first container and according to the file information of the communication file received by the receiving unit, the communication file under the shared directory of the host;
a communication unit, configured to communicate, for the first container and according to the communication file determined by the determining unit, with the second container.
14. The device according to claim 13, characterized in that the device further comprises a sending unit,
the sending unit being configured so that, before the file information of the communication file sent by the authentication module of the host is received, the first container sends an authentication request to the authentication module, the authentication request being used to request communication with the second container, wherein the first container and the second container are both located in the host.
15. The device according to claim 14, characterized in that the authentication request carries the communication mode of the first container and the second container.
16. The device according to any one of claims 13 to 15, characterized in that the communication file includes a socket file and/or a shared memory file, the socket file being used to provide a socket for communication between the first container and the second container, and the shared memory file being used to provide, in the memory of the host, shared memory for communication between the first container and the second container.
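The host-side flow of claims 1 to 4 and the container-side flow of claims 5 to 8, as an added Python example that is not part of the patent, narrowed to the shared-memory mode. All class, field and file names are hypothetical, a temporary directory stands in for the host's shared directory, and both containers are assumed to run under the same user ID on Linux. The bare-name, no-symlink and size checks on the container side are an added hardening step that the claims do not describe.

```python
import mmap
import os
import secrets
import stat
import struct
import tempfile

SHM_SIZE = 4096  # assumed size of the shared region, in bytes
HEADER = 4       # little-endian length prefix in front of the payload


class AuthModule:
    """Host-side authentication module (hypothetical implementation)."""

    def __init__(self, shared_dir, trusted_containers):
        self.shared_dir = shared_dir
        self.trusted = frozenset(trusted_containers)

    def handle_auth_request(self, request):
        src, dst = request["src"], request["dst"]
        # Claim 2: both identifiers must be in the preset trusted container list.
        if src not in self.trusted or dst not in self.trusted:
            raise PermissionError("container is not in the trusted container list")
        # Claims 3 and 4: the requested communication mode selects the file type.
        if request["mode"] != "shm":
            raise ValueError("only the shared-memory mode is shown here")
        name = "comm-" + secrets.token_hex(8) + ".shm"
        path = os.path.join(self.shared_dir, name)
        # O_EXCL refuses a pre-planted file or symlink; 0o600 keeps other users out.
        fd = os.open(path, os.O_RDWR | os.O_CREAT | os.O_EXCL, 0o600)
        try:
            os.ftruncate(fd, SHM_SIZE)
        finally:
            os.close(fd)
        # File information sent to both containers: a bare name, never a path.
        return {"name": name, "size": SHM_SIZE, "mode": "shm"}


class Container:
    def __init__(self, ident, mount_point):
        self.ident = ident
        self.mount_point = mount_point  # where the host shared directory is mounted

    def open_comm_file(self, file_info):
        """Claim 5: determine the communication file under the shared directory."""
        name = file_info["name"]
        if name in ("", ".", "..") or name != os.path.basename(name):
            raise ValueError("file information must be a bare file name")
        path = os.path.join(self.mount_point, name)
        fd = os.open(path, os.O_RDWR | os.O_NOFOLLOW)  # never follow a symlink
        st = os.fstat(fd)
        if not stat.S_ISREG(st.st_mode) or st.st_size != file_info["size"]:
            os.close(fd)
            raise ValueError("unexpected communication file")
        return fd

    def send(self, file_info, payload):
        if len(payload) > file_info["size"] - HEADER:
            raise ValueError("payload does not fit in the shared region")
        fd = self.open_comm_file(file_info)
        try:
            with mmap.mmap(fd, file_info["size"]) as region:
                region[HEADER:HEADER + len(payload)] = payload
                region[0:HEADER] = struct.pack("<I", len(payload))
        finally:
            os.close(fd)

    def receive(self, file_info):
        fd = self.open_comm_file(file_info)
        try:
            with mmap.mmap(fd, file_info["size"]) as region:
                (length,) = struct.unpack("<I", region[0:HEADER])
                if length > file_info["size"] - HEADER:
                    raise ValueError("corrupt length prefix")
                return bytes(region[HEADER:HEADER + length])
        finally:
            os.close(fd)


def demo():
    with tempfile.TemporaryDirectory() as shared:  # constructed stand-in directory
        auth = AuthModule(shared, {"c1", "c2"})
        c1, c2 = Container("c1", shared), Container("c2", shared)
        info = auth.handle_auth_request({"src": "c1", "dst": "c2", "mode": "shm"})
        c1.send(info, b"hello from c1")
        received = c2.receive(info)
        try:
            auth.handle_auth_request({"src": "c1", "dst": "c3", "mode": "shm"})
            denied = False
        except PermissionError:
            denied = True
        try:
            c2.open_comm_file({"name": "../etc/passwd", "size": SHM_SIZE})
            traversal_blocked = False
        except ValueError:
            traversal_blocked = True
        return received, denied, traversal_blocked


if __name__ == "__main__":
    print(demo())
```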
CN201510919506.7A 2015-12-11 2015-12-11 The method and apparatus communicated between container Active CN105550576B (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN201510919506.7A CN105550576B (en) 2015-12-11 2015-12-11 The method and apparatus communicated between container
PCT/CN2016/107228 WO2017097116A1 (en) 2015-12-11 2016-11-25 Inter-container communication method and apparatus

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201510919506.7A CN105550576B (en) 2015-12-11 2015-12-11 The method and apparatus communicated between container

Publications (2)

Publication Number Publication Date
CN105550576A true CN105550576A (en) 2016-05-04
CN105550576B CN105550576B (en) 2018-09-11

Family

ID=55829763

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201510919506.7A Active CN105550576B (en) 2015-12-11 2015-12-11 The method and apparatus communicated between container

Country Status (2)

Country Link
CN (1) CN105550576B (en)
WO (1) WO2017097116A1 (en)

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108205623B (en) * 2016-12-16 2020-04-03 杭州华为数字技术有限公司 Method and apparatus for sharing a directory
US11188345B2 (en) 2019-06-17 2021-11-30 International Business Machines Corporation High performance networking across docker containers
CN115242898B (en) * 2022-06-06 2024-04-19 浪潮通信技术有限公司 Communication method and device between protocol stack and physical layer process

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20090150879A1 (en) * 2006-01-09 2009-06-11 International Business Machines Corporation Sharing files among different virtual machine images
CN101667144A (en) * 2009-09-29 2010-03-10 北京航空航天大学 Virtual machine communication method based on shared memory
US20100217916A1 (en) * 2009-02-26 2010-08-26 International Business Machines Corporation Method and apparatus for facilitating communication between virtual machines
CN101977195A (en) * 2010-10-29 2011-02-16 西安交通大学 Method for realizing virtual machine inter-domain communication protocol based on shared memory mechanism
CN103491193A (en) * 2013-09-30 2014-01-01 华为技术有限公司 Method and device for sharing file
CN104487943A (en) * 2012-04-23 2015-04-01 思杰系统有限公司 Trusted file indirection

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7707416B2 (en) * 2002-02-01 2010-04-27 Novell, Inc. Authentication cache and authentication on demand in a distributed network environment
JP5595636B2 (en) * 2004-10-29 2014-09-24 オランジュ Communication between secure information storage device and at least one third party, corresponding entity, information storage device, and method and system for third party
CN104391694B (en) * 2014-11-05 2018-04-03 工业和信息化部电子科学技术情报研究所 Intelligent mobile terminal software public service support platform system
CN105550576B (en) * 2015-12-11 2018-09-11 华为技术服务有限公司 The method and apparatus communicated between container

Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
朱团结 等: "基于共享内存的Xen虚拟机间通信的研究", 《计算机技术与发展》 *
瞿鑫: "Xen硬件虚拟化域间通信优化的研究", 《中国优秀硕士学位论文全文数据库 信息科技辑》 *
陈凯: "并行多虚拟机域间通信系统", 《中国优秀硕士学位论文全文数据库 信息科技辑》 *

Cited By (27)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2017097116A1 (en) * 2015-12-11 2017-06-15 华为技术有限公司 Inter-container communication method and apparatus
CN108604992A (en) * 2016-05-26 2018-09-28 华为技术有限公司 The system and method switched using the software definition between the lightweight virtual machine of host kernel resources
CN107783854B (en) * 2016-08-29 2021-08-20 华为技术有限公司 Method and device for processing progress
US10983825B2 (en) 2016-08-29 2021-04-20 Huawei Technologies Co., Ltd. Processing for multiple containers are deployed on the physical machine
CN107783854A (en) * 2016-08-29 2018-03-09 华为技术有限公司 The method and its device for the treatment of progress
EP3499373A4 (en) * 2016-08-29 2019-11-06 Huawei Technologies Co., Ltd. Method and apparatus for processing process
CN108322307B (en) * 2017-01-16 2021-02-09 中标软件有限公司 Inter-container communication system and method based on kernel memory sharing
CN108322307A (en) * 2017-01-16 2018-07-24 中标软件有限公司 Communication system and method between container based on kernel memory sharing
CN107329792A (en) * 2017-07-04 2017-11-07 北京奇艺世纪科技有限公司 A kind of Docker containers start method and device
CN107329792B (en) * 2017-07-04 2020-05-22 北京奇艺世纪科技有限公司 Docker container starting method and device
US11500666B2 (en) 2017-07-31 2022-11-15 Huawei Technologies Co., Ltd. Container isolation method and apparatus for netlink resource
CN109324908A (en) * 2017-07-31 2019-02-12 华为技术有限公司 The vessel isolation method and device of Netlink resource
CN109324908B (en) * 2017-07-31 2021-09-07 华为技术有限公司 Container isolation method and device for Netlik resources
CN107544918B (en) * 2017-08-17 2021-01-15 海光信息技术股份有限公司 Memory page sharing method
CN107544918A (en) * 2017-08-17 2018-01-05 致象尔微电子科技(上海)有限公司 A kind of page sharing method
CN108228313B (en) * 2017-11-30 2021-11-30 中国联合网络通信集团有限公司 Method and device for discovering downstream container
CN108228313A (en) * 2017-11-30 2018-06-29 中国联合网络通信集团有限公司 The discovery method and device of downstream reservoir
CN108875385A (en) * 2018-05-07 2018-11-23 麒麟合盛网络技术股份有限公司 The method and device of inter-application communication
CN108880898A (en) * 2018-06-29 2018-11-23 新华三技术有限公司 Active and standby containment system switching method and device
CN108880898B (en) * 2018-06-29 2020-09-08 新华三技术有限公司 Main and standby container system switching method and device
CN109361606B (en) * 2018-09-28 2021-05-25 新华三技术有限公司 Message processing system and network equipment
CN109361606A (en) * 2018-09-28 2019-02-19 新华三技术有限公司 A kind of message handling system and the network equipment
CN109359450A (en) * 2018-10-29 2019-02-19 北京猎户星空科技有限公司 Safety access method, device, equipment and the storage medium of linux system
CN110308987A (en) * 2019-05-17 2019-10-08 北京瀚海星云科技有限公司 A method of distributed training mission Connecting quantity on more new container cloud
CN110308987B (en) * 2019-05-17 2023-08-01 深圳致星科技有限公司 Method for updating connection parameters of distributed training tasks on container cloud
CN110572288A (en) * 2019-11-04 2019-12-13 河南戎磐网络科技有限公司 Data exchange method based on trusted container
CN113468517A (en) * 2021-09-02 2021-10-01 北京交研智慧科技有限公司 Data sharing method, system and storage medium based on block chain

Also Published As

Publication number Publication date
WO2017097116A1 (en) 2017-06-15
CN105550576B (en) 2018-09-11

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant