CN105871942B - A kind of IaaS management platform and method - Google Patents
- Publication number
- CN105871942B (application CN201510024893.8A)
- Authority
- CN
- China
- Prior art keywords
- virtual machine
- network
- reinforcement elements
- memory source
- page table
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Landscapes
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
The invention discloses an IaaS management platform and method, comprising: a network reinforcement unit, configured to intercept an autonomous network configuration operation when it detects that a client domain virtual machine user is executing one, and to send a page table modification service request to a service unit; the service unit, located in the virtual machine monitor, configured to receive the page table modification service request sent by the network reinforcement unit, determine the system call table according to that request, modify the network reinforcement unit's operating permission on the page table entry corresponding to the system call table, and send a page table modification service response instruction to the network reinforcement unit; the network reinforcement unit being further configured to handle the intercepted autonomous network configuration operation of the client domain virtual machine user according to the received page table modification service response instruction sent by the virtual machine monitor. This solves the management and security problems that arise when a user intentionally or accidentally changes the IP address or MAC address.
Description
Technical field
The present invention relates to the field of cloud computing technology, and more particularly to an Infrastructure as a Service (IaaS) management platform and method.
Background art
Since the concept of cloud computing was proposed, a wave of cloud computing has swept across the entire IT industry, changing how the whole of society provides and uses information services, and has set off a research boom at home and abroad in IaaS, Platform as a Service (PaaS) and Software as a Service (SaaS). IaaS mainly delivers remotely accessible virtual machines to users. Current mainstream IaaS services include the commercial company's Amazon EC2 and the open source organizations' Eucalyptus, OpenStack, OpenNebula and others. At present, mainstream IaaS solutions involve mainstream virtualization software at the bottom layer, such as Xen, KVM, VMware and Hyper-V, and Amazon EC2, Eucalyptus, OpenStack, OpenNebula and the like at the upper layer. When building and studying IaaS, the vast majority of enterprises and research institutions tend to base their work on mainstream open source technology and to bind the Internet Protocol (IP) address needed by a virtual machine to the virtual machine instance, which can prevent the management and security problems caused by a user changing the IP address.
However, when it comes to security hardening of the network environment in an IaaS environment built on virtualization technology, the IaaS solutions released by open source organizations, from underlying virtualization software such as Xen, KVM and Hyper-V to upper-layer IaaS software such as Eucalyptus, OpenStack and OpenNebula, cannot solve the management and security problems caused by a user changing the IP address or Media Access Control (MAC) address, and the security of the network environment is poor.
Summary of the invention
The present invention provides an IaaS management platform and method to solve the management and security problems that arise when a user intentionally or accidentally changes the IP address or MAC address, and to improve the security of the network environment.
An IaaS management platform, comprising:
A network reinforcement unit, configured to intercept an autonomous network configuration operation when it detects that a client domain virtual machine user is executing one, and to send a page table modification service request to a service unit;
The service unit, located in the virtual machine monitor, configured to receive the page table modification service request sent by the network reinforcement unit, determine the system call table according to the page table modification service request, modify the network reinforcement unit's operating permission on the page table entry corresponding to the system call table, and send a page table modification service response instruction to the network reinforcement unit;
The network reinforcement unit being further configured to handle the intercepted autonomous network configuration operation of the client domain virtual machine user according to the received page table modification service response instruction sent by the virtual machine monitor.
The autonomous network configuration operations executed by the client domain virtual machine user and detected by the network reinforcement unit include: permanent or temporary modification of the network profile.
The network profile on which the client domain virtual machine user operates, as detected by the network reinforcement unit, comprises: the Internet Protocol (IP) address of the client domain virtual machine; and/or the Media Access Control (MAC) address of the client domain virtual machine.
The network reinforcement unit is further configured to register a network environment for detecting requests by the client domain virtual machine user to execute autonomous network configuration operations.
The network reinforcement unit is specifically configured to send a memory resource operation request to the service unit;
The service unit is specifically configured to receive the memory resource operation request, set the network reinforcement unit's modification permission on the memory resource according to the memory resource operation request, and send a memory resource operation response message to the network reinforcement unit;
The network reinforcement unit is specifically configured to receive the memory resource operation response message sent by the virtual machine monitor, and to modify the memory resource according to the memory permission setting in the memory resource operation response message.
The service unit is further configured to restore the modification permission of the memory resource after the network reinforcement unit has modified the memory resource, and to prohibit modification of the memory resource.
The platform further comprises:
A module hiding unit, configured to hide the network reinforcement unit.
An IaaS method, comprising:
When it is detected that a client domain virtual machine user is executing an autonomous network configuration operation, intercepting the autonomous network configuration operation; and
Sending a page table modification service request to the virtual machine monitor; and
Handling the intercepted autonomous network configuration operation of the client domain virtual machine user according to the received page table modification service response instruction sent by the virtual machine monitor.
The autonomous network configuration operations include:
Permanent or temporary modification of the network profile.
The network profile comprises:
The Internet Protocol (IP) address of the client domain virtual machine; and/or
The Media Access Control (MAC) address of the client domain virtual machine.
Before detecting whether the client domain virtual machine user is executing an autonomous network configuration operation, the method further comprises:
Registering a network environment for detecting requests by the client domain virtual machine user to execute autonomous network configuration operations.
Registering the network environment for detecting requests by the client domain virtual machine user to execute autonomous network configuration operations comprises:
Sending a memory resource operation request to the virtual machine monitor; and
Receiving the memory resource operation response message sent by the virtual machine monitor;
Modifying the memory resource according to the memory permission setting in the memory resource operation response message.
The method further comprises:
Hiding the network environment used for detecting requests by the client domain virtual machine user to execute autonomous network configuration operations.
An IaaS method, comprising:
Receiving a page table modification service request; and
Determining the system call table according to the page table modification service request, and modifying the network reinforcement unit's operating permission on the page table entry corresponding to the system call table; and
Sending a page table modification service response instruction, instructing that the intercepted autonomous network configuration operation of the client domain virtual machine user be handled according to the received page table modification service response instruction sent by the virtual machine monitor.
Before receiving the page table modification service request, the method further comprises:
Receiving a memory resource operation request; and
Setting the modification permission on the memory resource according to the memory resource operation request; and
Sending a memory resource operation response message.
After sending the memory resource operation response message, the method further comprises:
Restoring the modification permission of the memory resource, and prohibiting modification of the memory resource.
With the above technical solution, the autonomous network configuration operation executed by the client domain virtual machine user is redirected, and the intercepted autonomous network configuration operation of the client domain virtual machine user is handled according to the page table modification service response instruction sent by the service unit. Autonomous network configuration operations are thereby intercepted, which solves the management and security problems that arise when a user intentionally or accidentally changes the IP address or MAC address, and improves the security of the network environment.
Description of the drawings
Fig. 1 is a schematic diagram of the structure of the IaaS management platform proposed in embodiment one of the present invention;
Fig. 2a is a schematic diagram of the IaaS management platform intercepting autonomous network configuration behavior, as proposed in embodiment one of the present invention;
Fig. 2b is a schematic diagram of the network reinforcement unit handling autonomous network configuration behavior, as proposed in embodiment one of the present invention;
Fig. 3 is a flowchart of the IaaS method proposed in embodiment two of the present invention;
Fig. 4 is a flowchart of the IaaS method proposed in embodiment two of the present invention.
Specific embodiments
In an open source environment, a user intentionally or accidentally changing the IP address or MAC address causes management and security problems, and the security of the network environment is poor. To address this, the present invention proposes a technical solution that adds a network reinforcement unit, configured to intercept an autonomous network configuration operation when it detects that a client domain virtual machine user is executing one, and to send a page table modification service request to a service unit. The service unit receives the page table modification service request sent by the network reinforcement unit, determines the system call table according to the page table modification service request, modifies the network reinforcement unit's operating permission on the page table entry corresponding to the system call table, and sends a page table modification service response instruction to the network reinforcement unit. The network reinforcement unit is further configured to handle the intercepted autonomous network configuration operation of the client domain virtual machine user according to the received page table modification service response instruction sent by the virtual machine monitor. This solves the management and security problems that arise when a user intentionally or accidentally changes the IP address or MAC address, and improves the security of the network environment.
The main implementation principle of the technical solution of the embodiments of the present invention, its specific embodiments and the beneficial effects it can achieve are set forth below with reference to the drawings.
Embodiment one
Embodiment one of the present invention proposes an IaaS management platform which, as shown in Fig. 1, includes a cloud computing platform for managing the whole system, a switch, and at least one physical machine. At least one virtual machine is provided on each physical machine, and the physical machines are connected through the switch for data transmission. Wherein:
The technical solution proposed in embodiment one is described in detail taking as an example the case where the operating system of the virtual machine monitor is Xen and the operating system of the client domain virtual machine is Linux; in a specific implementation, however, the operating systems of the virtual machine monitor and of the client domain virtual machine are not limited to this. For the virtual machines on a physical machine, a network reinforcement unit and a service unit are added.
The network reinforcement unit is deployed in the client domain virtual machine and can be set to load automatically at system boot. At system boot, the client domain virtual machine's network reinforcement environment is initialized: the network reinforcement unit registers the network environment used to detect requests by the client domain virtual machine user to execute autonomous network configuration operations. The network reinforcement unit sends a memory resource operation request to the service unit.
The service unit is deployed in the virtual machine monitor. At system boot, it receives the memory resource operation request sent by the network reinforcement unit, sets the network reinforcement unit's modification permission on the memory resource according to the received request, and sends a memory resource operation response message to the network reinforcement unit.
Specifically, the service unit sets the write permission of the memory resource according to the received memory resource operation request.
The network reinforcement unit receives the memory resource operation response message sent by the service unit in the virtual machine monitor, and modifies the memory resource according to the memory permission setting in the received response message.
Specifically, the network reinforcement unit modifies the memory resource within the scope of its permission, so that the system's default network configuration handling flow is directed to the network reinforcement unit.
The service unit is further configured to restore the modification permission of the memory resource after the network reinforcement unit has modified it, and to prohibit modification of the memory resource.
Specifically, the service unit restores the operating permission of the memory resource and thereafter refuses any request to modify that memory resource.
Through the above process, the running environment needed by the network reinforcement unit is built when the client domain virtual machine starts. After that, when the user performs network configuration, the system call that is triggered is redirected to the network reinforcement unit, which handles the specific network operation request, thereby achieving real-time interception of the user's autonomous network configuration behavior.
The above IaaS management platform may also include a module hiding unit, set in the client domain virtual machine and configured to hide the network reinforcement unit.
The module hiding unit prevents the user from intentionally or unintentionally deleting or unloading the network reinforcement unit.
Once the running environment needed by the network reinforcement unit has been built at client domain virtual machine startup, autonomous network configuration operations executed by the user are intercepted as shown in Fig. 2a.
The network reinforcement unit is configured to intercept an autonomous network configuration operation when it detects that a client domain virtual machine user is executing one, and to send a page table modification service request to the service unit.
As shown in Fig. 2b, when a client domain virtual machine user calls an application to perform an operation, the kernel looks up the system call table to obtain the entry address of the corresponding handler function. The execution flow of system calls related to network configuration is directed to the network reinforcement unit, while the remaining system calls go to the system default flow. The network reinforcement unit judges whether the system call operation is related to network configuration; if so, it returns to the application layer and refuses execution, and otherwise it hands over to the system default processing flow.
As an example, the interception scheme of the network reinforcement unit is described in further detail for the case where the client domain virtual machine user modifies the MAC address. In the client domain virtual machine's Linux operating system, the user executes ip link set eth0 address 00:E0:4C:6A:1A:8E to modify the MAC address. When the user executes ip link set eth0 address 00:E0:4C:6A:1A:8E, the process initiates an execve system call with the feature string ip link set eth0 address 00:E0:4C:6A:1A:8E as its parameter, and that system call is directed to the network reinforcement unit. From the feature string ip link set eth0 address 00:E0:4C:6A:1A:8E, the network reinforcement unit judges that the user operation is a network configuration behavior and returns directly. Before intercepting the network configuration behavior, the network reinforcement unit may also record a log entry, send a warning, and so on.
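The decision step described above can be sketched as a user-space classifier over execve arguments. This is an added example, not code from the patent; it covers only the execve path and goes beyond the single `ip link set` string in the text by also recognising `ip addr` write verbs and `ifconfig`, and the rule set, function names and sample command lines are constructed assumptions.

```c
#include <stdio.h>
#include <string.h>

enum verdict { ALLOW = 0, DENY_MAC_CHANGE, DENY_IP_CHANGE };

/* Strip the directory part so "/sbin/ip" and "ip" are treated alike. */
static const char *base_name(const char *path)
{
    const char *slash = strrchr(path, '/');
    return slash ? slash + 1 : path;
}

static int in_set(const char *s, const char *const set[])
{
    for (int i = 0; set[i] != NULL; i++)
        if (strcmp(s, set[i]) == 0)
            return 1;
    return 0;
}

/* Dotted-quad IPv4 address, optionally followed by "/prefixlen". */
static int looks_like_ipv4(const char *s)
{
    unsigned a = 0, b = 0, c = 0, d = 0, len = 0;
    char tail = 0;
    int n = sscanf(s, "%3u.%3u.%3u.%3u%c%u", &a, &b, &c, &d, &tail, &len);

    if (n != 4 && !(n == 6 && tail == '/' && len <= 32))
        return 0;
    return a <= 255 && b <= 255 && c <= 255 && d <= 255;
}

static enum verdict classify_ip(int argc, const char *const argv[])
{
    static const char *const link_obj[] = { "link", "l", NULL };
    static const char *const addr_obj[] = { "address", "addr", "a", NULL };
    static const char *const addr_write[] =
        { "add", "del", "change", "replace", "flush", NULL };
    int i = 1;

    while (i < argc && argv[i][0] == '-')   /* skip flags such as -4 */
        i++;
    if (i + 1 >= argc)
        return ALLOW;                        /* no object + verb pair */

    if (in_set(argv[i], link_obj) && strcmp(argv[i + 1], "set") == 0) {
        /* "address" only counts when a new MAC follows it. */
        for (int j = i + 2; j + 1 < argc; j++)
            if (strcmp(argv[j], "address") == 0)
                return DENY_MAC_CHANGE;
    }
    if (in_set(argv[i], addr_obj) && in_set(argv[i + 1], addr_write))
        return DENY_IP_CHANGE;
    return ALLOW;
}

static enum verdict classify_ifconfig(int argc, const char *const argv[])
{
    /* argv[1] is the interface name; inspect the arguments after it. */
    for (int j = 2; j < argc; j++) {
        if (strcmp(argv[j], "hw") == 0 && j + 2 < argc &&
            strcmp(argv[j + 1], "ether") == 0)
            return DENY_MAC_CHANGE;
        if (looks_like_ipv4(argv[j]))
            return DENY_IP_CHANGE;
    }
    return ALLOW;
}

/* Verdict for one execve call; anything unrecognised is allowed through. */
enum verdict classify_execve(int argc, const char *const argv[])
{
    if (argc < 1 || argv == NULL || argv[0] == NULL)
        return ALLOW;
    const char *prog = base_name(argv[0]);
    if (strcmp(prog, "ip") == 0)
        return classify_ip(argc, argv);
    if (strcmp(prog, "ifconfig") == 0)
        return classify_ifconfig(argc, argv);
    return ALLOW;
}

const char *verdict_name(enum verdict v)
{
    return v == DENY_MAC_CHANGE ? "deny (MAC change)"
         : v == DENY_IP_CHANGE  ? "deny (IP change)" : "allow";
}

int main(void)
{
    /* Constructed samples; the first is the command used in the text. */
    const char *const mac[]  = { "ip", "link", "set", "eth0",
                                 "address", "00:E0:4C:6A:1A:8E" };
    const char *const show[] = { "ip", "addr", "show" };
    const char *const ipv4[] = { "/sbin/ifconfig", "eth0", "192.168.1.20" };

    printf("%s\n", verdict_name(classify_execve(6, mac)));
    printf("%s\n", verdict_name(classify_execve(3, show)));
    printf("%s\n", verdict_name(classify_execve(3, ipv4)));
    return 0;
}
```

Matching on argument structure rather than on one literal string keeps read-only queries such as `ip addr show` working while still refusing the write verbs.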
The autonomous network configuration operations executed by the client domain virtual machine user and detected by the network reinforcement unit include the following two cases:
First: permanent modification of the network profile.
Second: temporary modification of the network profile.
The above network profile includes:
The IP address of the client domain virtual machine; and/or the MAC address of the client domain virtual machine.
Specifically, the network reinforcement unit sends the page table modification service request to the service unit via a hypercall.
The service unit is configured to receive the page table modification service request sent by the network reinforcement unit, determine the system call table according to the page table modification service request, modify the network reinforcement unit's operating permission on the page table entry corresponding to the system call table, and send a page table modification service response instruction to the network reinforcement unit.
Specifically, the service unit receives the page table modification service request sent by the network reinforcement unit, modifies the page table entry corresponding to the system call table, and sets the operating permission of that page table entry to writable.
The network reinforcement unit is configured to handle the intercepted autonomous network configuration operation of the client domain virtual machine user according to the received page table modification service response instruction sent by the virtual machine monitor.
Specifically, the network reinforcement unit modifies the system call table so that the system default network configuration handling flow is directed to the network reinforcement unit.
The service unit restores the operating permission of the page table entry corresponding to the system call table.
Specifically, the service unit restores the page table entry corresponding to the system call table, returning its operating permission to read-only, and refuses any modification of that page table entry by the network reinforcement unit.
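The boot-time memory resource exchange and the page table modification exchange described above follow the same pattern: request, writable window, one modification, restore to read-only, refuse everything afterwards. The following user-space model of that lifecycle is an added example and not code from the patent; the slot numbers, struct and function names are hypothetical, and no real hypercall or kernel interface is used.

```c
#include <stdio.h>
#include <string.h>

#define NR_SLOTS    4
#define SLOT_EXECVE 1          /* constructed slot index, not a real syscall number */
#define ERR_DENIED  (-1)

typedef int (*handler_fn)(const char *cmdline);

enum perm  { PERM_READ_ONLY, PERM_WRITABLE };
enum phase { PHASE_INITIAL, PHASE_WINDOW_OPEN, PHASE_SEALED };

/* Service-unit (hypervisor-side) state for the page holding the table. */
struct service_unit {
    enum perm  pte_perm;
    enum phase phase;
};

/* Guest-side handler table that lives on the protected page. */
struct call_table {
    handler_fn slot[NR_SLOTS];
};

static handler_fn saved_default;   /* original handler kept for pass-through */

static int default_handler(const char *cmdline)
{
    (void)cmdline;
    return 0;                      /* model: the operation runs normally */
}

/* Replacement handler: refuse the MAC-changing command, pass the rest on. */
static int reinforced_execve(const char *cmdline)
{
    if (strncmp(cmdline, "ip link set ", 12) == 0)
        return ERR_DENIED;
    return saved_default ? saved_default(cmdline) : ERR_DENIED;
}

/* Service request: grant write access once, and only before sealing. */
int svc_grant_write(struct service_unit *svc)
{
    if (svc->phase != PHASE_INITIAL)
        return ERR_DENIED;
    svc->pte_perm = PERM_WRITABLE;
    svc->phase = PHASE_WINDOW_OPEN;
    return 0;
}

/* Restore read-only and seal: later grant requests are refused. */
int svc_restore(struct service_unit *svc)
{
    if (svc->phase != PHASE_WINDOW_OPEN)
        return ERR_DENIED;
    svc->pte_perm = PERM_READ_ONLY;
    svc->phase = PHASE_SEALED;
    return 0;
}

/* A write succeeds only while the page table entry is writable. */
int table_write(const struct service_unit *svc, struct call_table *t,
                int idx, handler_fn fn)
{
    if (idx < 0 || idx >= NR_SLOTS || svc->pte_perm != PERM_WRITABLE)
        return ERR_DENIED;
    t->slot[idx] = fn;
    return 0;
}

/* Reinforcement unit side: request, patch one slot, hand the window back. */
int reinforcement_install(struct service_unit *svc, struct call_table *t)
{
    if (svc_grant_write(svc) != 0)
        return ERR_DENIED;
    saved_default = t->slot[SLOT_EXECVE];
    int rc = table_write(svc, t, SLOT_EXECVE, reinforced_execve);
    svc_restore(svc);              /* close the window even if the write failed */
    return rc;
}

int main(void)
{
    struct service_unit svc = { PERM_READ_ONLY, PHASE_INITIAL };
    struct call_table t = { { default_handler, default_handler,
                              default_handler, default_handler } };

    printf("install: %d\n", reinforcement_install(&svc, &t));
    printf("mac change: %d\n",
           t.slot[SLOT_EXECVE]("ip link set eth0 address 00:E0:4C:6A:1A:8E"));
    printf("second grant: %d\n", svc_grant_write(&svc));
    return 0;
}
```

The property worth checking in any real implementation is the last one: after the restore, neither a direct write nor a fresh permission request succeeds.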
For the IaaS management platform proposed above, Fig. 1 is a deployment diagram provided by an embodiment of the present invention, containing the network reinforcement unit, the service unit and the module hiding unit. The network reinforcement unit and the module hiding unit are deployed in the client domain virtual machine, and both are set to load automatically at system boot. Because the IaaS management platform usually instantiates client domain virtual machines from a virtual machine template when providing virtual machine services to users, in the technical solution proposed by the embodiment of the present invention the network reinforcement unit 101 and the module hiding unit 102 are packaged directly in the virtual machine template. The service unit 103 is set in the virtual machine monitor and handles resource requests from the network reinforcement unit.
Embodiment two
Based on the IaaS management platform shown in Fig. 1 above, embodiment two of the present invention proposes an IaaS method, as shown in Fig. 3. The specific processing flow is as follows:
Step 30, register a network environment for detecting requests by the client domain virtual machine user to execute autonomous network configuration operations.
First, send a memory resource operation request to the virtual machine monitor.
Second, receive the memory resource operation response message sent by the virtual machine monitor.
Finally, modify the memory resource according to the memory permission setting in the memory resource operation response message.
Through the above process, the required running environment is built when the client domain virtual machine starts. After that, when the user performs network configuration, the system call that is triggered is redirected, thereby achieving real-time interception of the user's autonomous network configuration behavior.
Step 31, when it is detected that the client domain virtual machine user is executing an autonomous network configuration operation, intercept the autonomous network configuration operation.
The autonomous network configuration operations include: permanent or temporary modification of the network profile.
The network profile comprises:
The IP address of the client domain virtual machine; and/or
The MAC address of the client domain virtual machine.
When a client domain virtual machine user calls an application to perform an operation, the kernel looks up the system call table to obtain the entry address of the corresponding handler function. The execution flow of system calls related to network configuration is redirected, while the remaining system calls go to the system default flow. Whether the system call operation is related to network configuration is judged; if so, control returns to the application layer without executing it, and otherwise it is handed to the system default processing flow.
As an example, the interception scheme is described in further detail for the case where the client domain virtual machine user modifies the MAC address. In the client domain virtual machine's Linux operating system, the user executes ip link set eth0 address 00:E0:4C:6A:1A:8E to modify the MAC address. When the user executes ip link set eth0 address 00:E0:4C:6A:1A:8E, the process initiates an execve system call with the feature string ip link set eth0 address 00:E0:4C:6A:1A:8E as its parameter, and that system call is redirected. From the feature string ip link set eth0 address 00:E0:4C:6A:1A:8E, the user operation is judged to be a network configuration behavior, and the call returns directly. Before the network configuration behavior is intercepted, a log entry may also be recorded, a warning sent, and so on.
Step 32, send a page table modification service request to the virtual machine monitor.
Step 33, handle the intercepted autonomous network configuration operation of the client domain virtual machine user according to the received page table modification service response instruction sent by the virtual machine monitor.
The above method further comprises:
Hiding the network environment used for detecting requests by the client domain virtual machine user to execute autonomous network configuration operations.
This prevents the user from intentionally or unintentionally deleting or unloading the network reinforcement unit.
Correspondingly, embodiment two of the present invention also proposes an IaaS method, as shown in Fig. 4. Its specific processing flow is as follows:
Step 41, receive a page table modification service request.
Step 42, determine the system call table according to the page table modification service request, and modify the network reinforcement unit's operating permission on the page table entry corresponding to the system call table.
Specifically, receive the page table modification service request, modify the page table entry corresponding to the system call table, and set the operating permission of the page table entry to writable.
Step 43, send a page table modification service response instruction, instructing that the intercepted autonomous network configuration operation of the client domain virtual machine user be handled according to the received page table modification service response instruction sent by the virtual machine monitor.
Optionally, before the page table modification service request is received in step 41 above, the method further comprises:
Step one, receive a memory resource operation request.
Step two, set the modification permission on the memory resource according to the memory resource operation request.
Specifically, the service unit sets the write permission of the memory resource according to the received memory resource operation request.
Step three, send a memory resource operation response message.
Optionally, after the memory resource operation response message is sent in step 43 above, the method may further comprise:
Restoring the modification permission of the memory resource, and prohibiting modification of the memory resource.
Specifically, the page table entry corresponding to the system call table is restored, its operating permission is returned to read-only, and any modification of that page table entry is refused.
Through the processing of steps one to three above, the running environment needed by the network reinforcement unit is built when the client domain virtual machine starts. After that, when the user performs network configuration, the system call that is triggered is redirected to the network reinforcement unit, which handles the specific network operation request, thereby achieving real-time interception of the user's autonomous network configuration behavior.
Those skilled in the art will understand that embodiments of the present invention may be provided as a method, an apparatus (device) or a computer program product. Accordingly, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware. Moreover, the present invention may take the form of a computer program product implemented on one or more computer-usable storage media (including but not limited to magnetic disk storage, CD-ROM, optical storage and the like) containing computer-usable program code.
The present invention is described with reference to flowcharts and/or block diagrams of methods, apparatus (devices) and computer program products according to embodiments of the invention. It should be understood that each flow and/or block in the flowcharts and/or block diagrams, and combinations of flows and/or blocks in the flowcharts and/or block diagrams, can be implemented by computer program instructions. These computer program instructions can be provided to the processor of a general-purpose computer, special-purpose computer, embedded processor or other programmable data processing device to produce a machine, so that the instructions executed by the processor of the computer or other programmable data processing device produce a device for implementing the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.
These computer program instructions may also be stored in a computer-readable memory capable of directing a computer or other programmable data processing device to work in a particular manner, so that the instructions stored in the computer-readable memory produce an article of manufacture including an instruction device, the instruction device implementing the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.
These computer program instructions may also be loaded onto a computer or other programmable data processing device, so that a series of operation steps is executed on the computer or other programmable device to produce computer-implemented processing, whereby the instructions executed on the computer or other programmable device provide steps for implementing the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.
Although preferred embodiments of the present invention have been described, those skilled in the art can make additional changes and modifications to these embodiments once they know the basic inventive concept. The appended claims are therefore intended to be interpreted as including the preferred embodiments and all changes and modifications that fall within the scope of the invention.
Obviously, those skilled in the art can make various changes and modifications to the invention without departing from its spirit and scope. If these modifications and variations fall within the scope of the claims of the present invention and their technical equivalents, the present invention is also intended to include them.
Claims (16)
1. An IaaS management platform, characterized by comprising:
network reinforcement elements, for intercepting autonomous network configuration operations when detecting that a client domain virtual machine user executes the autonomous network configuration operations, and for sending a page table modification service request to a service unit;
the service unit, in a virtual machine monitor, for receiving the page table modification service request sent by the network reinforcement elements, determining a subsystem call table according to the page table modification service request, modifying the operating permission of the network reinforcement elements on the page table entry corresponding to the subsystem call table, and sending a page table modification service response instruction to the network reinforcement elements;
the network reinforcement elements being also used to handle the intercepted autonomous network configuration operations of the client domain virtual machine user according to the received page table modification service response instruction sent by the virtual machine monitor.
2. The platform as described in claim 1, characterized in that the autonomous network configuration operations executed by the client domain virtual machine user and detected by the network reinforcement elements include: permanent or temporary modification of a network profile.
3. The platform as claimed in claim 2, characterized in that the network profile modified by the client domain virtual machine user, as detected by the network reinforcement elements, comprises: the Internet Protocol (IP) address of the client domain virtual machine; and/or the media access control (MAC) address of the client domain virtual machine.
4. The platform as described in any one of claims 1 to 3, characterized in that the network reinforcement elements are also used to register the network environment used for requesting detection of autonomous network configuration operations executed by the client domain virtual machine user.
5. The platform as claimed in claim 4, characterized in that the network reinforcement elements are specifically used to send a memory source operation request to the service unit;
the service unit is specifically used to receive the memory source operation request, to set, according to the memory source operation request, the modification authority of the network reinforcement elements over the memory source, and to send a memory source operation response message to the network reinforcement elements;
the network reinforcement elements are specifically used to receive the memory source operation response message sent by the virtual machine monitor, and to modify the memory source according to the memory setting permission in the memory source operation response message.
6. The platform as claimed in claim 5, characterized in that the service unit is also used to restore the modification authority of the memory source after the network reinforcement elements modify the memory source, and to forbid modification of the memory source.
7. The platform as described in any one of claims 1 to 3, characterized by further comprising:
a module hidden unit, for hiding the network reinforcement elements.
8. An IaaS method, characterized by comprising:
when detecting that a client domain virtual machine user executes autonomous network configuration operations, intercepting the autonomous network configuration operations; and
sending a page table modification service request to a virtual machine monitor; and
handling the intercepted autonomous network configuration operations of the client domain virtual machine user according to the received page table modification service response instruction sent by the virtual machine monitor.
9. The method according to claim 8, characterized in that the autonomous network configuration operations include:
permanent or temporary modification of a network profile.
10. The method as claimed in claim 9, characterized in that the network profile comprises:
the Internet Protocol (IP) address of the client domain virtual machine; and/or
the MAC address of the client domain virtual machine.
11. The method as described in any one of claims 8 to 10, characterized in that, before detecting autonomous network configuration operations executed by the client domain virtual machine user, the method further comprises:
registering the network environment used for requesting detection of autonomous network configuration operations executed by the client domain virtual machine user.
12. The method as claimed in claim 11, characterized in that registering the network environment used for requesting detection of autonomous network configuration operations executed by the client domain virtual machine user comprises:
sending a memory source operation request to the virtual machine monitor; and
receiving the memory source operation response message sent by the virtual machine monitor;
modifying the memory source according to the memory setting permission in the memory source operation response message.
13. The method as described in any one of claims 8 to 10, characterized by further comprising:
hiding the network environment used for requesting detection of autonomous network configuration operations executed by the client domain virtual machine user.
14. An IaaS method, characterized by comprising:
receiving a page table modification service request; and
determining a subsystem call table according to the page table modification service request, and modifying the operating permission of the network reinforcement elements on the page table entry corresponding to the subsystem call table; and
sending a page table modification service response instruction, which instructs that the intercepted autonomous network configuration operations of the client domain virtual machine user be handled according to the received page table modification service response instruction sent by the virtual machine monitor.
15. The method as claimed in claim 14, characterized in that, before receiving the page table modification service request, the method further comprises:
receiving a memory source operation request; and
setting, according to the memory source operation request, the modification authority over the memory source; and
sending a memory source operation response message.
16. The method as claimed in claim 15, characterized in that, after sending the memory source operation response message, the method further comprises:
restoring the modification authority of the memory source, and forbidding modification of the memory source.
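The grant, modify and restore sequence of claims 5, 6, 15 and 16 can be followed in a small user-space C model. This is an added example, not code from the patent: a flag stands in for the page table entry permission, rejecting the change stands in for the unspecified handling of an intercepted operation, granting only to the network reinforcement elements is an assumption, and all identifiers are hypothetical.

```c
#include <stdbool.h>
/* User-space model: a flag stands in for the page table entry permission; names are hypothetical. */
typedef int (*net_op_fn)(const char *new_value);
enum { OP_SET_IP, OP_SET_MAC, OP_COUNT };
enum requester { NOBODY, GUEST_USER, NET_REINFORCEMENT };

struct call_table {
    net_op_fn op[OP_COUNT];
    enum requester writer;      /* who currently holds write permission */
};
/* Default handler: the guest user's change is applied. */
static int apply_change(const char *v) { (void)v; return 0; }
/* Hook: assumed handling of an intercepted change is to reject it. */
static int deny_change(const char *v) { (void)v; return -1; }

/* Monitor: set modification authority (assumption: reinforcement elements only). */
bool vmm_grant_write(struct call_table *t, enum requester who) {
    if (who != NET_REINFORCEMENT) return false;
    t->writer = who;
    return true;
}
/* Monitor: restore the authority and forbid further modification. */
void vmm_restore(struct call_table *t) { t->writer = NOBODY; }

/* Every write to the table is checked against the current permission. */
bool table_write(struct call_table *t, enum requester who, int idx, net_op_fn fn) {
    if (who == NOBODY || t->writer != who || idx < 0 || idx >= OP_COUNT) return false;
    t->op[idx] = fn;
    return true;
}

/* Registration: request permission, install hooks, close the window. */
bool reinforcement_register(struct call_table *t) {
    if (!vmm_grant_write(t, NET_REINFORCEMENT)) return false;
    bool ok = table_write(t, NET_REINFORCEMENT, OP_SET_IP, deny_change)
           && table_write(t, NET_REINFORCEMENT, OP_SET_MAC, deny_change);
    vmm_restore(t);             /* runs even if a write failed */
    return ok;
}

struct call_table new_table(void) {
    struct call_table t = { { apply_change, apply_change }, NOBODY };
    return t;
}

int main(void) {
    struct call_table t = new_table();
    return reinforcement_register(&t) && t.writer == NOBODY ? 0 : 1;
}
```

The point of the model is the ordering: the table is writable only between the monitor's grant and its restore, so a write attempted before registration or after it fails regardless of who issues it.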
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201510024893.8A CN105871942B (en) | 2015-01-19 | 2015-01-19 | A kind of IaaS management platform and method |
Publications (2)
Publication Number | Publication Date |
---|---|
CN105871942A (en) | 2016-08-17 |
CN105871942B (en) | 2019-03-22 |
Family
ID=56622689
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201510024893.8A Active CN105871942B (en) | 2015-01-19 | 2015-01-19 | A kind of IaaS management platform and method |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN105871942B (en) |
Families Citing this family (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN109002354B (en) * | 2017-06-07 | 2022-05-03 | 中国科学院信息工程研究所 | OpenStack-based computing resource capacity elastic expansion method and system |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN103167041A (en) * | 2013-03-28 | 2013-06-19 | 广州中国科学院软件应用技术研究所 | System and method for supporting cloud environment application cluster automation deployment |
CN103457974A (en) * | 2012-06-01 | 2013-12-18 | 中兴通讯股份有限公司 | Safety control method and device for virtual machine mirror images |
CN103746823A (en) * | 2011-12-31 | 2014-04-23 | 华茂云天科技(北京)有限公司 | Resource management and operation system |
CN103870749A (en) * | 2014-03-20 | 2014-06-18 | 中国科学院信息工程研究所 | System and method for implementing safety monitoring of virtual machine system |
Family Cites Families (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US10445121B2 (en) * | 2012-02-23 | 2019-10-15 | Red Hat Inc. | Building virtual machine disk images for different cloud configurations from a single generic virtual machine disk image |
Non-Patent Citations (1)
Title |
---|
Research on Virtual Machine Deployment Mechanisms under the IaaS Model; Cao Weijie; Computer Technology and Development; 20121031; full text |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||
GR01 | Patent grant |