CN107483520B - Method and device for processing network attached storage instance

Info

Publication number
CN107483520B
Authority
CN
China
Prior art keywords
network
file system
private
nas
instance
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201610404400.8A
Other languages
Chinese (zh)
Other versions
CN107483520A (en)
Inventor
王磊
徐立
田磊磊
林志勇
裴晓辉
王跃
Current Assignee
Alibaba Group Holding Ltd
Original Assignee
Alibaba Group Holding Ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/10 Protocols in which an application is distributed across nodes in the network
    • H04L67/1097 Protocols in which an application is distributed across nodes in the network for distributed storage of data in networks, e.g. transport arrangements for network file system [NFS], storage area networks [SAN] or network attached storage [NAS]
    • H04L67/1001 Protocols in which an application is distributed across nodes in the network for accessing one among a plurality of replicated servers

Abstract

The application provides a method and a device for processing a network attached storage (NAS) instance, relating to the field of cloud computing products. The method comprises the following steps: creating, inside a private network, a mount point corresponding to a file system instance; connecting the mount point to a NAS server outside the private network; and isolating and distinguishing file system instances on the NAS server according to the request network packet. Given the appropriate authorization, one NAS file system instance can be shared by several private networks, so the strong binding between a file system instance and a private network is removed while the security of the instance is preserved.

Description

Method and device for processing network attached storage instance
Technical Field
The invention relates to the field of cloud computing products, and in particular to a method and a device for processing Network Attached Storage (NAS) instances.
Background
In a NAS system, file and directory operations are performed on volumes, and one NAS volume is called a file system instance. In the most typical protocol, NFS (Network File System), a file system instance must be mounted onto the local directory tree before a file can be read or written, and a mount object consists of an instance address and a mount directory. Within one NAS system, therefore, the instance address and the mount directory must together form a unique identifier if each file system instance is to be isolated. In a private network environment, however, the problems of network isolation and private-address reuse arise, so opening a network path and accurately identifying a file system instance, while still guaranteeing instance isolation and security, becomes the key technical problem for a NAS file storage service.
The existing solutions in the related art for isolating and identifying NAS file system instances in a private network environment are mainly the following two:
1. Deploying dedicated NAS service and storage resources inside the private network, so that all file system instances of that private network are located on the dedicated resources, instance addresses are assigned as private network addresses, and instances are identified and isolated within the private network by the instance's private address and mount directory; between private networks, instance isolation relies on network isolation itself. A typical practice of this approach is to deploy the NAS system (for example, an NFS server and back-end storage) on virtual machines inside the private network, with users accessing file system instances by directly specifying the private addresses of those virtual machines.
2. Deploying the service and storage resources of the NAS system outside the private network, opening a path from each private network to the NAS system, and assigning a routable address for the shared NAS system inside each private network. All file system instances of that private network are accessed through this address, and the mount directory serves as a globally unique identifier to achieve instance isolation.
However, these related technical solutions mainly have the following disadvantages:
The scheme in which each private network exclusively owns its NAS service and storage resources is simple, intuitive and highly secure, but the overall deployment cost is high, the horizontal and elastic scaling capacity of file system instances is weak, and uneven resource use and waste are likely. Moreover, because of network isolation, a file system instance inside one private network cannot be accessed from other networks at all, so flexibility is poor.
The scheme in which the NAS system is deployed outside the private network and a network path is opened solves the problems of system-level scaling and resource waste, and one file system instance can easily be accessed by users of several private networks; but without the protection of network isolation the security of the file system is poor and complex means are needed to strengthen it, and at the same time using the mount directory as the instance identifier is unfriendly to users and destroys the original hierarchical meaning of the mount directory.
Disclosure of Invention
The invention provides a method and a device for processing network attached storage instances, which allow the NAS service to share back-end services and storage resources while guaranteeing the logical independence and security of each file system instance, and which provide elastic and horizontal scaling capability.
To achieve the purpose of the invention, the technical scheme adopted is as follows:
A method for processing a network attached storage instance, comprising:
creating, inside a private network, a mount point corresponding to a file system instance;
connecting the mount point to a Network Attached Storage (NAS) server outside the private network; and
isolating and distinguishing file system instances on the NAS server according to the request network packet.
Preferably, creating the mount point corresponding to the file system instance inside the private network comprises:
allocating a private address for the file system instance in the private network, the private address being used by users inside the private network to access the corresponding file system instance.
Preferably, connecting the mount point to the NAS server outside the private network comprises:
binding a front-end Internet Protocol (IP) address of the load balancer (SLB) to the private address in the private network; and
establishing the connection between the NAS server and the private address according to the SLB front-end IP.
Preferably, connecting the mount point to the NAS server outside the private network comprises:
issuing a routing entry from the private address to the SLB front-end IP to each gateway of the private network cluster, so that the SLB forwards the request network packet to the corresponding NAS server according to its load balancing strategy.
Preferably, the request network packet includes a header carrying a unique identifier of the file system instance, and the unique identifier consists of: the sequence number of the private network to which the file system instance corresponds, and the private network IP allocated to the file system instance inside that private network.
Preferably, isolating and distinguishing the file system instance on the NAS server according to the request network packet comprises:
receiving a request network packet sent by a Virtual Machine (VM) in the private network; and
parsing, from the header of the request network packet, the sequence number of the private network corresponding to the file system instance and the private network IP allocated to the file system instance inside that private network, identifying the file system instance targeted by the request network packet from these two values, and processing the file system protocol.
The invention also provides a device for processing a network attached storage instance, comprising:
a creation module, configured to create, inside a private network, a mount point corresponding to a file system instance;
a binding module, configured to connect the mount point to a Network Attached Storage (NAS) server outside the private network; and
an identification module, configured to isolate and distinguish file system instances on the NAS server according to the request network packet.
Preferably, the creation module creating the mount point corresponding to the file system instance inside the private network means:
allocating a private address for the file system instance in the private network, the private address being used by users inside the private network to access the corresponding file system instance.
Preferably, the binding module connecting the mount point to the NAS server outside the private network means:
binding a front-end Internet Protocol (IP) address of the load balancer (SLB) to the private address in the private network; and
establishing the connection between the NAS server and the private address according to the SLB front-end IP.
Preferably, the binding module connecting the mount point to the NAS server outside the private network means:
issuing a routing entry from the private address to the SLB front-end IP to each gateway of the private network cluster, so that the SLB forwards the request network packet to the corresponding NAS server according to its load balancing strategy.
Preferably, the identification module isolating and distinguishing the file system instance on the NAS server according to the request network packet means:
receiving a request network packet sent by a Virtual Machine (VM) in the private network; and
parsing, from the header of the request network packet, the sequence number of the private network corresponding to the file system instance and the private network IP allocated to the file system instance inside that private network, identifying the file system instance targeted by the request network packet from these two values, and processing the file system protocol.
Compared with the prior art, the invention has the following beneficial effects:
In the technical scheme of the invention, a horizontally scalable distributed NAS system is deployed outside the private network; users inside the private network access a specific file system instance of the NAS system through a private network address, and the file system instance can rely on network isolation for its security. Given the appropriate authorization, one NAS file system instance can be shared by several private networks, so the strong binding between a file system instance and a private network is removed while the security of the instance is preserved.
Drawings
FIG. 1 is a flow diagram of a method for processing a network attached storage instance according to an embodiment of the invention;
FIG. 2 is a block diagram of an apparatus for processing a network attached storage instance according to an embodiment of the present invention;
FIG. 3 is a schematic diagram of NAS instance isolation, identification and sharing in a private network environment according to embodiment 1 of the present invention.
Detailed Description
To make the objects, technical solutions and advantages of the present invention clearer, embodiments of the present invention are described below with reference to the accompanying drawings. It should be noted that, where there is no conflict, the embodiments of the present application and the features in those embodiments may be combined with each other arbitrarily.
As shown in FIG. 1, an embodiment of the present invention provides a method for processing a network attached storage instance, including:
S101, creating, inside a private network, a mount point corresponding to a file system instance;
S102, connecting the mount point to a Network Attached Storage (NAS) server outside the private network;
S103, isolating and distinguishing file system instances on the NAS server according to the request network packet.
Step S101 includes:
allocating a private address for the file system instance in the private network, the private address being used by users inside the private network to access the corresponding file system instance.
Step S102 includes:
binding a front-end Internet Protocol (IP) address of the load balancer (SLB) to the private address in the private network; and
establishing the connection between the NAS server and the private address according to the SLB front-end IP.
Specifically, the process of step S102 is:
issuing a routing entry from the private address to the SLB front-end IP to each gateway of the private network cluster, so that the SLB forwards the request network packet to the corresponding NAS server according to its load balancing strategy.
The request network packet includes a header carrying a unique identifier of the file system instance, and the unique identifier consists of: the sequence number of the private network to which the file system instance corresponds, and the private network IP allocated to the file system instance inside that private network.
Step S103 includes:
receiving a request network packet sent by a Virtual Machine (VM) in the private network; and
parsing, from the header of the request network packet, the sequence number of the private network corresponding to the file system instance and the private network IP allocated to the file system instance inside that private network, identifying the file system instance targeted by the request network packet from these two values, and processing the file system protocol.
As shown in FIG. 2, an embodiment of the present invention further provides an apparatus for processing a network attached storage instance, including:
a creation module, configured to create, inside a private network, a mount point corresponding to a file system instance;
a binding module, configured to connect the mount point to a Network Attached Storage (NAS) server outside the private network; and
an identification module, configured to isolate and distinguish file system instances on the NAS server according to the request network packet.
The creation module creating the mount point corresponding to the file system instance inside the private network means:
allocating a private address for the file system instance in the private network, the private address being used by users inside the private network to access the corresponding file system instance.
The binding module connecting the mount point to the Network Attached Storage (NAS) server outside the private network is as follows:
binding a front-end Internet Protocol (IP) address of the load balancer (SLB) to the private address in the private network; and
establishing the connection between the NAS server and the private address according to the SLB front-end IP.
The binding module connecting the mount point to the Network Attached Storage (NAS) server outside the private network is also as follows:
issuing a routing entry from the private address to the SLB front-end IP to each gateway of the private network cluster, so that the SLB forwards the request network packet to the corresponding NAS server according to its load balancing strategy.
The identification module isolating and distinguishing file system instances on the NAS server according to the request network packet is as follows:
receiving a request network packet sent by a Virtual Machine (VM) in the private network; and
parsing, from the header of the request network packet, the sequence number of the private network corresponding to the file system instance and the private network IP allocated to the file system instance inside that private network, identifying the file system instance targeted by the request network packet from these two values, and processing the file system protocol.
Example 1
As shown in FIG. 3, the steps of NAS instance isolation, identification and sharing in a private network environment in this embodiment of the present invention are as follows:
(1) Creating a mount point inside the private network: because of network isolation, users inside a private network can only reach private network addresses, so to access a file system instance a mount point corresponding to that instance must be created inside the private network; the mount point is connected to the NAS server outside the private network, and requests from users in the private network to the mount point are forwarded to the NAS server. The specific scheme is as follows:
A1. A private address is allocated for the file system instance in the private network; this private address is called the endpoint, and users inside the private network access the corresponding file system instance through it.
A2. The front-end IP of the load balancer (SLB) is bound to the endpoint in the private network, and a routing entry from the endpoint to the SLB front-end IP is issued to each gateway of the private network cluster. From then on, access requests to the endpoint inside the private network are routed to the SLB front-end IP, and the real back-end servers bound to the SLB front-end IP are the front-end machines of the NAS system. A request to the mount point endpoint in the private network is therefore first routed to the SLB, which then forwards it to one NAS front-end machine according to its load balancing strategy.
(2) Isolating and distinguishing file system instances on the NAS front-end machine according to the header information of the request network packet: since requests for different endpoints in different private networks are all eventually forwarded to the same set of NAS front-end machines, and the IP address of an endpoint in a private network is a private address that is not unique, the NAS front-end machines cannot isolate and distinguish instances from the endpoint address alone. For this purpose the pair <TunnelId, EndpointIP> is introduced as the unique identifier of a file system instance, where TunnelId is a sequence number denoting a specific private network and EndpointIP is the private network IP allocated to the file system instance inside that private network. The NAS front end parses TunnelId and EndpointIP from the last variable-length field (option) of the TCP packet header and so maps each request to a particular file system instance. In FIG. 3, the control system has two main functions: 1) instance management, including creation, modification, deletion and so on; 2) permission verification, that is, checking the permissions of requests sent by clients. The request forwarding and processing flow for a file system instance inside a private network is as follows (see FIG. 3):
B1. The VM in the private network sends a request to the mount point endpoint of the file system instance; when the TCP packet of the request is VXLAN-encapsulated (VXLAN is a technology for encapsulating a layer-2 packet inside a layer-3 protocol), the TunnelId of the current private network and the EndpointIP of the file system instance are encapsulated in the VXLAN packet.
B2. The gateway of the VM forwards the network packet to an SLB front-end machine according to the route; the SLB front-end machine decapsulates the VXLAN message, places the TunnelId and EndpointIP into the option field of the TCP header, and the SLB then forwards the request TCP message to one NAS front-end machine according to its load balancing strategy.
B3. When the NAS front-end machine takes the normal TCP message from the kernel protocol stack, it also parses the TunnelId and EndpointIP from the option field of the header, identifies the requested file system instance from this pair, and then starts the subsequent file system protocol processing.
(3) Sharing NAS file system instances across several private networks: in this scheme the file system instances are decoupled from any specific private network, all instances share the NAS front-end service resources and back-end storage resources, and VMs access instances through the mount point endpoint. Sharing a NAS instance among private networks is therefore easily achieved by creating a mount point in each of the private networks concerned and configuring permissions for that particular file system instance.
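As an added example (not the patent's or Alibaba's code), the following Python models steps B1 to B3 above and the sharing case of section (3): a VXLAN frame whose VNI carries the TunnelId and whose inner destination carries the EndpointIP, the SLB decapsulating it and writing the pair into a TCP option, and the NAS front end parsing the option and resolving <TunnelId, EndpointIP> against a mount table in which the same private IP names different instances in different private networks and one instance is shared into two networks. The TCP option kind (254), the VNI mapping, all ports, addresses and the mount table are assumptions constructed for the demo, and the SLB's discarding of any tag already present in the segment is an added check the patent does not spell out.

```python
import struct

# Everything below is a constructed demo, not the patent's code. The patent does not say
# which TCP option kind carries the pair; kind 254 (RFC 6994 experimental) is assumed.
OPT_KIND_NAS_ID = 254
NAS_ID_VALUE_LEN = 8            # TunnelId (4 bytes) + EndpointIP (4 bytes)
NFS_PORT = 2049

def ip_to_bytes(ip):
    return bytes(int(octet) for octet in ip.split("."))

def bytes_to_ip(raw):
    return ".".join(str(b) for b in raw)

def encode_options(opts):
    """Serialise [(kind, value), ...] as TCP options (kind, length, value)."""
    return b"".join(struct.pack("!BB", k, 2 + len(v)) + v for k, v in opts)

def iter_tcp_options(options):
    """Yield (kind, value) per option; NOP (kind 1) is skipped, EOL (kind 0) ends the list."""
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == 0:
            return
        if kind == 1:
            i += 1
            continue
        if i + 1 >= len(options) or options[i + 1] < 2 or i + options[i + 1] > len(options):
            raise ValueError("malformed TCP option")
        length = options[i + 1]
        yield kind, options[i + 2:i + length]
        i += length

def build_tcp(src_port, dst_port, payload, options=b""):
    """Minimal TCP segment: options padded to 32 bits, data offset set to match."""
    options += b"\x00" * ((-len(options)) % 4)
    data_off = (20 + len(options)) // 4
    header = struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0,
                         data_off << 4, 0x18, 65535, 0, 0)
    return header + options + payload

def split_tcp(segment):
    """Return (src_port, dst_port, options, payload) of a segment built as above."""
    src_port, dst_port = struct.unpack("!HH", segment[:4])
    data_off = (segment[12] >> 4) * 4
    return src_port, dst_port, segment[20:data_off], segment[data_off:]

def vxlan_encap(tunnel_id, endpoint_ip, tcp_segment):
    """Step B1 (gateway of the VM): the 24-bit VNI carries TunnelId and the inner
    destination address carries EndpointIP (an assumed mapping, see lead-in)."""
    if not 0 <= tunnel_id < (1 << 24):
        raise ValueError("TunnelId must fit the 24-bit VNI")
    vxlan_header = struct.pack("!II", 0x08 << 24, tunnel_id << 8)   # I flag, VNI << 8
    return vxlan_header + ip_to_bytes(endpoint_ip) + tcp_segment

def slb_decap_and_tag(frame):
    """Step B2 (SLB front end): strip VXLAN and write <TunnelId, EndpointIP> as the last
    TCP option. A tag already present in the segment is discarded (added check), so the
    pair is always asserted by the infrastructure rather than by the sender."""
    flags, vni_field = struct.unpack("!II", frame[:8])
    if flags >> 24 != 0x08:
        raise ValueError("not a VXLAN frame")
    tunnel_id, endpoint_ip = vni_field >> 8, frame[8:12]
    src_port, dst_port, old_options, payload = split_tcp(frame[12:])
    kept = [(k, v) for k, v in iter_tcp_options(old_options) if k != OPT_KIND_NAS_ID]
    kept.append((OPT_KIND_NAS_ID, struct.pack("!I", tunnel_id) + endpoint_ip))
    return build_tcp(src_port, dst_port, payload, encode_options(kept))

def parse_nas_option(segment):
    """Step B3 (NAS front end): recover (TunnelId, EndpointIP), or None if no tag."""
    for kind, value in iter_tcp_options(split_tcp(segment)[2]):
        if kind == OPT_KIND_NAS_ID and len(value) == NAS_ID_VALUE_LEN:
            return struct.unpack("!I", value[:4])[0], bytes_to_ip(value[4:])
    return None

# Constructed mount table: the control system fills it when a mount point is created
# (section (1)) and when sharing into another private network is authorised (section (3)).
MOUNT_TABLE = {
    (1001, "192.168.0.10"): "fs-A",   # VPC 1001 mounts fs-A at 192.168.0.10
    (1002, "192.168.0.10"): "fs-B",   # VPC 1002 reuses that private IP for fs-B
    (1002, "192.168.0.20"): "fs-A",   # fs-A shared into VPC 1002 under its own endpoint
}

def nas_identify(segment, mount_table=MOUNT_TABLE):
    """Instance id for the request, or None when the pair is unknown (no mount point,
    or sharing not authorised); such requests must be dropped, not served."""
    key = parse_nas_option(segment)
    return None if key is None else mount_table.get(key)

def forward_request(tunnel_id, endpoint_ip, payload, client_options=b""):
    """Whole path VM -> gateway -> SLB -> NAS front end; returns (instance_id, payload)."""
    segment = build_tcp(40000, NFS_PORT, payload, client_options)
    tagged = slb_decap_and_tag(vxlan_encap(tunnel_id, endpoint_ip, segment))
    return nas_identify(tagged), split_tcp(tagged)[3]
```

Because the table is keyed by the pair and not by EndpointIP alone, 192.168.0.10 resolves to fs-A from VPC 1001 but to fs-B from VPC 1002, and a pair with no entry is refused rather than mapped to a default.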
Although the embodiments of the present invention have been described above, the contents thereof are merely embodiments adopted to facilitate understanding of the technical aspects of the present invention, and are not intended to limit the present invention. It will be apparent to persons skilled in the art that various changes in form and details may be made therein without departing from the spirit and scope of the invention as defined in the appended claims.

Claims (11)

1. A method for processing a network attached storage instance, comprising:
creating, inside a private network, a mount point corresponding to a file system instance;
connecting the mount point to a Network Attached Storage (NAS) server outside the private network; and
isolating and distinguishing file system instances on the NAS server according to the request network packet.
2. The method of claim 1, wherein creating the mount point corresponding to the file system instance inside the private network comprises:
allocating a private address for the file system instance in the private network, the private address being used by users inside the private network to access the corresponding file system instance.
3. The method of claim 2, wherein connecting the mount point to the NAS server outside the private network comprises:
binding a front-end Internet Protocol (IP) address of the load balancer (SLB) to the private address in the private network; and
establishing the connection between the NAS server and the private address according to the SLB front-end IP.
4. The method of claim 3, wherein connecting the mount point to the NAS server outside the private network comprises:
issuing a routing entry from the private address to the SLB front-end IP to each gateway of the private network cluster, so that the SLB forwards the request network packet to the corresponding NAS server according to its load balancing strategy.
5. The method of claim 1 or 4, wherein the request network packet includes a header carrying a unique identifier of the file system instance, and the unique identifier consists of: the sequence number of the private network to which the file system instance corresponds, and the private network IP allocated to the file system instance inside that private network.
6. The method of claim 5, wherein isolating and distinguishing file system instances on the NAS server according to the request network packet comprises:
receiving a request network packet sent by a Virtual Machine (VM) in the private network; and
parsing, from the header of the request network packet, the sequence number of the private network corresponding to the file system instance and the private network IP allocated to the file system instance inside that private network, identifying the file system instance targeted by the request network packet from these two values, and processing the file system protocol.
7. An apparatus for processing a network attached storage instance, comprising:
a creation module, configured to create, inside a private network, a mount point corresponding to a file system instance;
a binding module, configured to connect the mount point to a Network Attached Storage (NAS) server outside the private network; and
an identification module, configured to isolate and distinguish file system instances on the NAS server according to the request network packet.
8. The apparatus of claim 7, wherein the creation module creating the mount point corresponding to the file system instance inside the private network means:
allocating a private address for the file system instance in the private network, the private address being used by users inside the private network to access the corresponding file system instance.
9. The apparatus of claim 8, wherein the binding module connecting the mount point to the NAS server outside the private network means:
binding a front-end Internet Protocol (IP) address of the load balancer (SLB) to the private address in the private network; and
establishing the connection between the NAS server and the private address according to the SLB front-end IP.
10. The apparatus of claim 9, wherein the binding module connecting the mount point to the NAS server outside the private network means:
issuing a routing entry from the private address to the SLB front-end IP to each gateway of the private network cluster, so that the SLB forwards the request network packet to the corresponding NAS server according to its load balancing strategy.
11. The apparatus of claim 7 or 10, wherein the identification module isolating and distinguishing file system instances on the NAS server according to the request network packet means:
receiving a request network packet sent by a Virtual Machine (VM) in the private network; and
parsing, from the header of the request network packet, the sequence number of the private network corresponding to the file system instance and the private network IP allocated to the file system instance inside that private network, identifying the file system instance targeted by the request network packet from these two values, and processing the file system protocol.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201610404400.8A CN107483520B (en) 2016-06-08 2016-06-08 Method and device for processing network attached storage instance

Publications (2)

Publication Number Publication Date
CN107483520A CN107483520A (en) 2017-12-15
CN107483520B true CN107483520B (en) 2020-10-02

Family

ID=60594593

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109639804A (en) * 2018-12-18 2019-04-16 Bank of Communications Co., Ltd. Monitoring method, system and production equipment for a production system, terminal and server

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2001067707A2 (en) * 2000-03-03 2001-09-13 Scale Eight, Inc. A network storage system
CN1726454A (en) * 2002-10-17 2006-01-25 Intel Corporation A distributed network attached storage system
CN102325196A (en) * 2011-10-27 2012-01-18 上海文广互动电视有限公司 Distributed cluster storage system

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant