CN108600149B - Cloud computing high-availability cluster resource management method - Google Patents


Info

Publication number
CN108600149B
Authority
CN
China
Prior art keywords
web application
data
code
cluster
application
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201810061040.5A
Other languages
Chinese (zh)
Other versions
CN108600149A (en)
Inventor
刘颖
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Shanghai Huabao Digital Technology Co.,Ltd.
Original Assignee
Shanghai Ouye Huagongbao Electronic Commerce Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Application filed by Shanghai Ouye Huagongbao Electronic Commerce Co ltd
Priority to CN201810061040.5A
Publication of CN108600149A
Application granted
Publication of CN108600149B

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/10 Protocols in which an application is distributed across nodes in the network
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/101 Access control lists [ACL]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/50 Network services
    • H04L67/60 Scheduling or organising the servicing of application requests, e.g. requests for application data transmissions using the analysis and optimisation of the required network resources
    • H04L67/61 Scheduling or organising the servicing of application requests, e.g. requests for application data transmissions using the analysis and optimisation of the required network resources taking into account QoS or priority requirements

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Storage Device Security (AREA)

Abstract

The invention provides a cloud computing high-availability cluster resource management method, comprising: setting a task distributor in the private cloud, wherein the task distributor is used for access distribution of control data and transaction data. The method performs space instantiation on the basic cluster environment of a cloud platform, makes fuller use of the system resources of the cluster, and solves the problem of time consumption caused by building a private cloud on virtual machines. The private data is isolated from the cluster nodes, the isolation of private data among verified applications is guaranteed, and the security of private storage is guaranteed.

Description

Cloud computing high-availability cluster resource management method
Technical Field
The invention relates to cloud computing, in particular to a cloud computing high-availability cluster resource management method.
Background
The tasks handled by mobile terminals have extended from the traditional communication field to high-security fields such as office work and payment. The mobile terminal needs to process information including user account information, personal privacy information, payment order information, private files, and the like. How to effectively ensure the security of private data has become a difficult problem for mobile terminal devices that carry out secure and private transactions. The existing solution is to encrypt private data with a high-strength cryptographic algorithm and to restrict data access through the authority control of the cluster nodes. However, the complexity and openness of the mobile terminal cluster node make it impossible to create a secure operating environment, and the cluster node itself and its applications are vulnerable to malicious attacks. In addition, the private data is stored in encrypted form in an ordinary file system, where it is at risk of being illegally damaged by an attack. Although trusted partition technology provides a safe and isolated runtime environment in which an application can process private data, it cannot provide a uniform secure access interface for verified-application and web-application development while also performing security detection on a web application that sends a secure data access request.
Disclosure of Invention
In order to solve the problems in the prior art, the invention provides a cloud computing high-availability cluster resource management method, which comprises the following steps:
setting a task distributor in the private cloud, wherein the task distributor is used for access distribution of control data and transaction data.
Preferably, before the access allocation of the control data and the transaction data, the method further comprises:
parsing the terminal access address to obtain the authentication information of the access;
transmitting the authentication information to a main control module of the private cloud, where an authority control node of the main control module verifies the authentication information and returns the verification result to the task distributor.
Preferably, after the verification result is returned to the task distributor, the method further comprises:
if the verification fails, the task distributor returns failure information to the mobile terminal.
Preferably, the method further comprises:
if the verification succeeds, the task distributor analyzes the type of the access data and determines whether it is control data or transaction data;
if it is control data, the main control module processes the control data;
if it is transaction data, the address request is forwarded to a cluster engine of the private cloud, and the cluster engine processes the transaction data;
the cluster engine parses the accessed web application ID from the access address request of the mobile terminal;
a web application running copy is selected for processing according to the accessed web application ID and a preset scheduling rule, and the access request is redirected to the selected web application running copy;
the web application running copy processes the terminal request, completes the specific call and returns the call result to the cluster engine;
the cluster engine returns the call result to the mobile terminal.
Compared with the prior art, the invention has the following advantages:
The invention provides a cloud computing high-availability cluster resource management method that performs space instantiation on the basic cluster environment of a cloud platform, makes fuller use of the system resources of the cluster, and solves the problem of time consumption caused by building a private cloud on virtual machines. The private data is isolated from the cluster nodes, the isolation of private data among verified applications is guaranteed, and the security of private storage is guaranteed.
Drawings
Fig. 1 is a flowchart of a cloud computing high availability cluster resource management method according to an embodiment of the present invention.
Detailed Description
A detailed description of one or more embodiments of the invention is provided below along with accompanying figures that illustrate the principles of the invention. The invention is described in connection with such embodiments, but the invention is not limited to any embodiment. The scope of the invention is limited only by the claims and the invention encompasses numerous alternatives, modifications and equivalents. In the following description, numerous specific details are set forth in order to provide a thorough understanding of the present invention. These details are provided for the purpose of example and the invention may be practiced according to the claims without some or all of these specific details.
One aspect of the invention provides a cloud computing high-availability cluster resource management method. Fig. 1 is a flowchart of a cloud computing high availability cluster resource management method according to an embodiment of the present invention.
First, a task distributor is arranged in the private cloud computing system and connected to a cluster engine and a main control module. The task distributor is used for access distribution of control data and transaction data and for authority verification of access requests in the private cloud platform. The cluster engine is connected to a cluster space instantiation unit; the main control module further comprises an authority control node and a management control node;
for the access allocation of the control data and the transaction data, the specific steps are as follows:
resolving the access address to obtain the access authentication information;
transmitting the authentication information to the main control module, where the authority control node of the main control module verifies the authentication information and returns the verification result to the task distributor.
If the verification fails, the task distributor returns failure information to the mobile terminal; if the verification succeeds, the task distributor analyzes the type of the access data and determines whether it is control data or transaction data;
if it is control data, the main control module processes the control data;
if it is transaction data, the address request is forwarded to the cluster engine, and the cluster engine processes the transaction data;
the cluster engine forwards the access request to the specific space instance, the specific space instance performs the transaction processing and returns the transaction processing result to the cluster engine, and the cluster engine returns the processing result to the mobile terminal;
the cluster engine maintains an addressing list in memory, the addressing list including a web application ID, scheduling rules, a web application running copy address, and a most recent update time. The web application ID is the ID of a web application deployed in the space instance; one web application corresponds to one or more web application running copies, and the web application running copies provide the specific processing; the scheduling rule is a processing rule for task scheduling; the web application running copy address is the address used when accessing the space instance application; the web application running copy update time is the latest update time while the space instance application is running;
the specific steps of the processing are as follows:
after the cluster engine has started successfully, it issues a cluster engine start-success message to the main control module;
the cluster space instantiation unit listens for the cluster engine's start-success message and, after receiving it, periodically sends the specific information of the web application running copies running on the local machine;
after receiving the message from the cluster space instantiation unit, the cluster engine parses out the web application ID, the web application running copy address and the port;
if the web application running copy address already exists in the addressing list maintained in the cluster engine's memory, the latest update time of the web application running copy is updated.
If the web application running copy address does not exist in the addressing list maintained in the cluster engine's memory, a record is added to that addressing list;
according to the address request, the cluster engine parses the accessed web application ID, selects a suitable web application running copy for processing according to the accessed web application ID and the configured scheduling rule, and redirects the access request to the selected web application running copy;
the web application running copy processes the request, completes the specific call and returns the call result to the cluster engine; the cluster engine returns the call result to the mobile terminal;
the cluster space instantiation unit performs space instantiation on the cluster, coordinates all space instances, and records and maintains the list of applications and web application running copies running in the current platform; the main control module receives the data information, maintains the list of applications and web application running copies, and monitors and feeds back the state of the web application running copies;
the cluster space instantiation unit receives control data forwarded by the main control module and forwards it for the corresponding processing, wherein the control data operations comprise obtaining a web application list, constructing a web application, deleting a web application and updating the number of copies;
the cloud cluster runs and is deployed in the cluster space instantiation unit, which constructs, deletes and monitors the running state of running copies according to the message content forwarded by the server, and also feeds back the update information of the running copies and the resource state of the running cluster, providing support for the server to obtain the web application list, construct applications, delete applications and update the number of application copies.
Specifically, the steps of obtaining the web application list are as follows:
firstly, the cluster space instantiation unit accesses a database table to acquire the application ID, the application state and the corresponding running copies;
secondly, the cluster space instantiation unit organizes the data and returns it to the mobile terminal;
the specific steps for constructing the application are as follows:
firstly, the cluster space instantiation unit sends a message requesting resources for constructing the application;
secondly, the cluster space instantiation unit listens for the message and calculates the number of running copies that the cluster can construct;
thirdly, a timeout is set so that the response list is collected within a certain time range, and the number of copies requested to be constructed is distributed to the cluster nodes according to the number of running copies each can construct; the specific steps of allocating the number of constructible running copies to cluster nodes are as follows:
i. record the number of constructed copies allocated to cluster nodes each time;
ii. if the sum of the number of constructed copies already allocated and the number of running copies about to be allocated to the cluster node is greater than the number of running copies the application needs to construct, the number allocated to that cluster node is set equal to the number of web application running copies the application needs to construct minus the number of constructed copies already allocated.
Fourthly, the number of web application running copies to be constructed is sent to the designated cluster node;
fifthly, the cluster node acquires the image file to construct the running copy, informs the server end after the construction is finished, and registers the access path of the web application running copy in cluster scheduling;
sixthly, the information in the record data table is modified according to the feedback, and the state of the application is changed to started after the number of running copies required by the application has been constructed.
The specific steps for deleting the application are as follows:
the space instantiation engine parses the web application ID to be deleted;
the space instantiation engine sends a message for deleting the application;
the cluster node listens for the delete-application message; after receiving it, the node judges whether the cluster in which it is located has a running copy of the application; if there is no running copy of the application, the operation ends; if a running copy of the application exists, it is deleted.
The specific steps of updating the number of running copies of the web application are as follows:
the space instantiation engine determines the ID of the web application, the number of running copies to change and the type of the change operation (increase or decrease);
if the operation type is to increase running copies, an application copy is constructed;
if the operation type is to reduce running copies, the specific operation is as follows:
i. obtain the current running copy list from the record table;
ii. randomly select a running copy to be deleted;
iii. send a message to delete the running copy of the web application;
iv. the space instantiation engine cluster node listens for the message; after receiving it, the node judges whether the cluster in which it is located has the running copy; if the running copy does not exist, no operation is performed; if the running copy exists, it is deleted.
When access requests collected by the cloud platform are dispatched to target cluster nodes of the cloud platform, the service performance of all current cluster nodes is first calculated according to a fitness function that evaluates cluster node performance. The cluster nodes in the cloud platform are then filtered according to the terminal request transaction amount: the cluster nodes whose remaining space amount is larger than the total space amount of the access request set form a set, which is the overall constraint on the cloud platform. The k cluster nodes in this set are abstracted into k cluster points, and each of the k cluster points is clustered with all cluster nodes in the cloud platform: the similarity between cluster nodes is calculated from the two space amount attributes of the cluster nodes, a threshold is set on the similarity, and the cluster nodes whose similarity falls within the threshold are added to a new set. When the elements of this set no longer change, the set is the final result of the clustering. Finally, the transactions to be processed are scheduled to the cluster nodes in the final set.
Step 1: Suppose n cluster nodes form a set H. A constraint is applied to all cluster nodes, with the remaining space $L_i$ of cluster node i as the metric. $L_i$ is defined as follows:
$L_i = \alpha L_c + \beta L_m$
where $\alpha + \beta = 1$
$L_c$ is the web application space amount; $L_m$ is the verified application space amount; $\alpha$ and $\beta$ are the weights of the two, and their values are obtained by learning with a BP neural network. All performance monitoring data of the cluster nodes in the whole private cloud are obtained according to the fitness function of cluster node performance, and the remaining space amount of the n cluster nodes in the current cloud platform is calculated. The constraint value is defined as the total space amount of the set of access requests received during a particular time period, namely:
Figure BDA0001555317340000071
where $LR$ denotes the total space amount of the access request set, and
Figure BDA0001555317340000072
denotes the space amount of the i-th transaction in the access request set. Define an empty set $\Phi$ and calculate the total space amount $LR$ of the access request set. When $L_i > LR$, cluster node i is scheduled into the set $\Phi$; otherwise the search continues. After all n cluster nodes have been compared with the constraint value, the resulting set $\Phi = \{s_1, s_2, s_3, \ldots, s_m\}$ is the set of cluster points, where m < n.
Step 2: The performance value of each cluster node is obtained according to the fitness function of cluster node performance, and the cluster nodes with relatively good performance are scheduled into the set $\Phi$ through the limitation of the constraint value. Let the m cluster nodes in $\Phi = \{s_1, s_2, s_3, \ldots, s_m\}$ be the cluster points. The cluster nodes in the set $\Phi$ are sorted in descending order of remaining web application space. Suppose $s_j$ is the cluster node with the largest remaining web application space; with $s_j$ as a cluster point, the similarity is calculated as:
Figure BDA0001555317340000081
$s(s_i, s_j) = 1/d(s_i, s_j)$
Figure BDA0001555317340000082
denotes the k-th attribute of cluster node j. The similarity $s(s_i, s_j)$ between cluster node j and cluster node i is calculated as:
Figure BDA0001555317340000083
Step 3: With $s_j$ as the cluster point, calculate the similarity between $s_j$ and the elements of the set H. A threshold U is set on the similarity; if the similarity is greater than U, the element is added to a new set $\Phi'$. The set $\Phi$ then selects cluster points in turn, in descending order of the cluster nodes' remaining processor resources, and the similarity between each cluster point and the elements of the set H is calculated; elements whose similarity is greater than the threshold U are scheduled into the set $\Phi'$. The iteration ends when the elements of $\Phi'$ no longer change, and $\Phi'$ is the final clustering result, $\Phi' = \{s_1', s_2', \ldots, s_q'\}$, where q < m < n.
Step 4: The received access requests are scheduled to the cluster nodes in the set $\Phi'$; the cluster nodes in $\Phi'$ then process the requested transaction set and return the result to the user after the processing is finished. The access requests received between the time the cluster nodes in $\Phi'$ start processing and the time they finish are taken as the next batch of transactions to be processed.
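Steps 1 to 4 above as an added example, not code from the patent. The distance formula is not reproduced on this page, so the sketch assumes Euclidean distance over the two space attributes; fixed weights α = 0.6 and β = 0.4 replace the BP-learned values, cluster points are always taken in descending order of remaining web application space, and the node data and function names are constructed.

```python
import math

# ASSUMPTION: fixed weights; the patent learns alpha and beta with a BP network.
ALPHA, BETA = 0.6, 0.4

# Constructed sample set H: remaining web / verified application space per node.
NODES = [
    {"id": "n1", "web": 100, "verified": 80},
    {"id": "n2", "web": 95, "verified": 85},
    {"id": "n3", "web": 40, "verified": 30},
    {"id": "n4", "web": 98, "verified": 78},
    {"id": "n5", "web": 60, "verified": 200},
]


def remaining_space(node):
    """L_i = alpha * L_c + beta * L_m."""
    return ALPHA * node["web"] + BETA * node["verified"]


def filter_by_constraint(nodes, request_sizes):
    """Step 1: keep the nodes whose L_i exceeds LR, the total request space."""
    lr = sum(request_sizes)
    return [n for n in nodes if remaining_space(n) > lr]


def similarity(a, b):
    """s = 1/d. ASSUMPTION: d is the Euclidean distance over the two
    space attributes; identical attribute vectors give infinite similarity."""
    d = math.dist((a["web"], a["verified"]), (b["web"], b["verified"]))
    return math.inf if d == 0 else 1.0 / d


def cluster(all_nodes, phi, threshold):
    """Steps 2-3: take cluster points from phi in descending order of remaining
    web space, compare each with every node of H as the text states, and stop
    once a cluster point adds nothing new to phi'."""
    chosen = []
    for point in sorted(phi, key=lambda n: n["web"], reverse=True):
        added = [n["id"] for n in all_nodes
                 if n["id"] not in chosen and similarity(point, n) > threshold]
        if not added and chosen:
            break  # phi' no longer changes
        chosen.extend(added)
    return chosen


def schedule(nodes, request_sizes, threshold):
    """Step 4 target set: node IDs that receive the request batch.
    An empty list means no node satisfied the space constraint."""
    phi = filter_by_constraint(nodes, request_sizes)
    return cluster(nodes, phi, threshold)


if __name__ == "__main__":
    print(schedule(NODES, [10, 20, 15], threshold=0.1))
```

Because the text compares cluster points against all of H rather than against Φ, a node that failed the step 1 constraint can still enter Φ' if it lies close to a cluster point; an implementation that must guarantee capacity would re-check $L_i > LR$ on the final set.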
The authority control node of the main control module allows the web application to send a private data access request to the verified application by calling the management interface. In order to enable the trusted execution environment to perform security detection on the process of the web application when the web application sends a data access request, the authority control node provides fingerprint information of the web application as the check criterion, implemented in the following steps:
(1) Read the web application binary file information and obtain the code segment size $Size_{code}$;
perform a hash operation on the binary information of the web application code segment using a hash algorithm to generate the code segment hash value $H_{code} = Hash(Code)$, where Code denotes the web application code segment;
take the code segment size $Size_{code}$ and the code segment hash value $H_{code}$ as the fingerprint information of the web application, $Fpr_{app} = (Size_{code} \| H_{code})$;
(2) Sign the fingerprint information $Fpr_{app}$ of the web application using the trusted license to generate the fingerprint information signature $Sg_{app} = Sg(Size_{code} \| H_{code})$;
(3) Store the fingerprint information signature $Sg_{app}$ in the specific data segment of the verified application. The verified application is an authenticated application that accepts web application data access requests.
When the web application sends a data access request to the verified application, the cluster node sends process exception information of the web application to the trusted isolation area monitoring process of the trusted execution environment; after the monitoring process of the trusted isolation area captures the process exception information, it checks the process exception information of the web application in the following steps:
(1) Acquire the process exception information of the web application (including the interface call data address, the process code segment base address, the process code segment size and the verified application ID), and load the web application fingerprint information signature $Sg_{app}$ from the specific data segment of the corresponding verified application according to the verified application ID;
(2) Perform a hash operation, using the hash algorithm, on the code segment data located by the process memory address and the process code segment size, and calculate the code segment hash value of the web application process, $H'_{code} = Hash(Code)$, to obtain the process fingerprint information of the web application, $Fpr'_{app} = (CodeSize \| H'_{code})$, where Code denotes the code segment of the web application process;
(3) Verify the fingerprint information signature $Sg_{app}$ using the trusted license public key to obtain the fingerprint information of the web application, $Fpr_{app} = (Size_{code} \| H_{code})$;
(4) Compare whether the fingerprint information $Fpr_{app}$ and $Fpr'_{app}$ are equal. If they are equal, the current web application process is judged to be legal and the detection status flag bit is set to 1; otherwise, the current web application process is judged to be illegal and the detection status flag bit is set to 0;
the detection status flag bit indicates whether the current web application process has passed the security detection: if the flag bit is 1, the detection is passed; otherwise, it has failed.
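The provisioning steps and the runtime check above, as an added example that is not code from the patent. It assumes SHA-256 for Hash and an 8-byte big-endian size field, and, so that it runs with the standard library alone, uses HMAC-SHA256 as a stand-in for the public-key signature Sg; the key, the memory image and all function names are constructed for the illustration.

```python
import hashlib
import hmac
import struct

# ASSUMPTION: HMAC-SHA256 replaces the patent's public-key signature Sg. With
# an asymmetric scheme the monitor would hold only the public key; with a MAC
# the verifier can also forge, so this stand-in is for illustration only.
SIGNING_KEY = b"constructed-demo-signing-key"
HASH_LEN = hashlib.sha256().digest_size
FPR_LEN = 8 + HASH_LEN          # Size_code (8 bytes) || H_code (32 bytes)


def fingerprint(code: bytes) -> bytes:
    """Fpr = Size_code || H_code. The fixed-width size field keeps the
    concatenation unambiguous."""
    return struct.pack(">Q", len(code)) + hashlib.sha256(code).digest()


def sign(fpr: bytes) -> bytes:
    """Stand-in for Sg(Size_code || H_code)."""
    return hmac.new(SIGNING_KEY, fpr, hashlib.sha256).digest()


def provision(code_segment: bytes) -> bytes:
    """Provisioning steps (1)-(3): the record kept in the verified
    application's data segment. The patent recovers Fpr from the signature;
    here Fpr is stored next to its tag."""
    fpr = fingerprint(code_segment)
    return fpr + sign(fpr)


def check_process(memory: bytes, base: int, size: int, record: bytes) -> int:
    """Runtime steps (1)-(4): return the detection status flag (1 or 0).
    base and size come from the reported process exception information."""
    if len(record) != FPR_LEN + HASH_LEN:
        return 0
    fpr, tag = record[:FPR_LEN], record[FPR_LEN:]
    # Step (3): the stored fingerprint must carry a valid signature.
    if not hmac.compare_digest(sign(fpr), tag):
        return 0
    # The reported range must lie inside the process image.
    if base < 0 or size <= 0 or base + size > len(memory):
        return 0
    # Step (2): measure the live code segment; step (4): compare.
    live = fingerprint(memory[base:base + size])
    return 1 if hmac.compare_digest(live, fpr) else 0


# Constructed sample: a 256-byte "code segment" loaded at offset 32.
CODE = bytes(range(64)) * 4
MEMORY = b"\x00" * 32 + CODE + b"\xcc" * 32
RECORD = provision(CODE)


def demo():
    patched = bytearray(MEMORY)
    patched[40] ^= 0xFF                       # one byte modified in memory
    return {
        "legitimate": check_process(MEMORY, 32, len(CODE), RECORD),
        "patched_code": check_process(bytes(patched), 32, len(CODE), RECORD),
        # A smaller reported size hashes only a prefix; the signed size catches it.
        "truncated_size": check_process(MEMORY, 32, 128, RECORD),
        "out_of_range": check_process(MEMORY, 32, 10_000, RECORD),
    }


if __name__ == "__main__":
    print(demo())
```

Including the size in the signed fingerprint is what defeats a report that covers only an unmodified prefix of the code segment.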
After completing the security detection, the authority control node then carries out application data processing and key management, which further comprises:
a) the verified application initiates a remote call for the data storage operation; the request parameters comprise the verified application ID, the private data to be processed $Data_{pv}$ and the cryptographic algorithm $Type_{en}$;
b) after the data access request of the verified application is received, whether the remote call can be accepted and processed is determined from the detection status flag bit. If the detection status flag bit is 0, the remote call is rejected; if the detection status flag bit is 1, the remote call is processed;
c) after the security detection is passed, a key generation request is initiated according to the cryptographic algorithm $Type_{en}$;
d) after the key generation request is received, first, according to the cryptographic algorithm $Type_{en}$, the key generator KeyGenerator is invoked with the arguments ID and $Type_{en}$ to generate a random key KEY for the symmetric cryptographic algorithm;
secondly, the license public key $PK_{py}$ of the verified application is loaded and used to encrypt the cryptographic algorithm $Type_{en}$ and the random key KEY, generating the key encrypted data $EPK_{py} = RSA(PK_{py}, (ID \| KEY))$;
the license private key $PPK_{py}$ of the verified application is then loaded and used to sign the key encrypted data $EPK_{py}$, generating the key signature data $SPK_{py} = Sg(PPK_{py}, EPK_{py})$;
finally, the key encrypted data $EPK_{py}$ and the key signature data $SPK_{py}$ are stored, indexed by the verified application ID, in a non-volatile memory in the trusted execution environment in a specific organizational manner, and the generated random key KEY is returned.
Here KeyGenerator is a symmetric key generator algorithm; RSA is a public key encryption algorithm; Sg is a public key signature algorithm;
e) after the key has been generated successfully, the corresponding symmetric encryption algorithm is called according to the cryptographic algorithm $Type_{en}$, and the private data $Data_{pv}$ is encrypted with the random key KEY to generate the encrypted data $EData_{pv} = SymEn(KEY, Data_{pv})$;
secondly, the hash algorithm is used to calculate the hash value of the encrypted data, $HData_{pv} = Hash(EData_{pv})$;
then the license private key $PPK_{py}$ of the verified application is used to sign the hash value, generating the signature data $SData_{pv} = Sg(PPK_{py}, HData_{pv})$;
finally, the data processing module 103 stores the encrypted data $EData_{pv}$ and the signature data $SData_{pv}$, indexed by the verified application ID, in the non-volatile memory in the trusted execution environment in a specific organizational manner, and returns the data storage result to the verified application.
Here SymEn is a symmetric encryption algorithm; Sg is a public key signature algorithm.
The authority control node of the main control module also controls the verification of the authentication information of the access address and provides a management interface, which includes obtaining a web application list, constructing an application, deleting an application and updating the number of running copies of a web application. The specific steps are as follows:
the main control module maintains an application authentication information table, which comprises web application IDs and authentication information;
the authentication information is received; the authentication information has the following features: it is 128 bits long, it is unique, it corresponds to a unique application, it has a time characteristic, and it serves a verification function;
the application authentication information table is searched for the corresponding application authentication information;
if the authentication information of the application is found, success is returned; if it is not found, failure is returned;
the address request parameters are parsed to determine the operation interface; if the operation type is obtaining a web application list, constructing an application, deleting an application or updating the number of running copies of a web application, the address request is forwarded to the cluster space instantiation engine;
the cluster space instantiation engine performs the specific operation and feeds the processing result back to the management control node of the main controller;
the main controller returns the call result to the mobile terminal.
In addition, if the running state of the application is not consistent with the preset state, the space instantiation unit is informed to process the difference. The steps are as follows:
starting two threads: an interception thread, which intercepts the update messages issued by the space instantiation engine and stores them in a key-value pair system, and a discovery thread, which compares the preset state and the running state of the application and informs the space instantiation engine to process any state difference;
the interception thread listens on the message bus continuously; after receiving an update message, it parses the web application ID, the access address of the web application running copy and the state of the web application running copy, and stores them in the key-value pair system in key-value pair form;
the discovery thread periodically acquires the preset state and the preset running copies of the current application from the space instantiation engine, and at the same time acquires the actual running state of the current application from the key-value pair system, judges the difference between the actual running state and the preset state, and informs the space instantiation engine to process it. The specific steps are as follows:
the discovery thread periodically acquires the actual running state of the application from the key-value pair system, and the running state acquired at each moment is taken as a snapshot;
recording the latest N snapshots of the actual running state of the application and comparing them; if the N snapshots are inconsistent, the inconsistency is attributed to current network instability or to failover, and no processing is performed in this case;
and if the N snapshot states are consistent, judging whether the actual running state of each running copy of the web application is consistent with the preset state and, after that judgment is finished, judging whether the number of copies of the application is consistent with the preset number.
The specific steps for checking whether the actual running state of the running copies is consistent with the preset state are as follows:
i. taking the web application running copy list provided by the space instantiation engine and comparing it one by one with the records in the key-value pair system; if the running copy states recorded by the two are inconsistent, calling a management interface of the space instantiation engine to complete the state change;
ii. only running copies of the web application in the running state and the stopped state are compared; applications in an intermediate state are not processed;
case 1: a copy recorded in the space instantiation engine is not in the key-value pair system, and the discovery thread informs the space instantiation engine to newly construct a copy;
case 2: the state of a copy recorded in the space instantiation engine is inconsistent with its state in the key-value pair system, and the discovery thread informs the space instantiation engine to modify the state of the copy;
case 3: the space instantiation engine has no record of a copy, but the key-value pair system has update information for it, and the discovery thread informs the space instantiation engine to remove the copy.
The specific steps for judging whether the number of copies of the application is consistent with the preset number are as follows:
i. obtaining the expected number of running copies of the application recorded in the space instantiation unit, and comparing it with the number of copy update records in the key-value pair system;
ii. only applications in the running and stopped states are compared; other states are not processed.
The possible situations when the two are compared include:
case 1: if the preset number of copies recorded by the space instantiation engine is more than the number of copies recorded by the key-value pair system, informing the space instantiation engine to reduce the running copies;
case 2: if the preset number of copies recorded by the space instantiation engine is less than the number of copies recorded by the key-value pair system, informing the space instantiation engine to increase the running copies.
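The discovery thread's per-copy check described above, as an added Python example that is not part of the patent: it covers the N-snapshot stability gate and cases 1 to 3 of the state comparison, and leaves the copy-count comparison out. The class and method names, the copy IDs and the `starting` state are assumptions; the key-value pair system and the engine's copy list are modelled as plain dictionaries.

```python
from collections import deque

STABLE = {"running", "stopped"}  # only these two states are compared (step ii)


class DiscoveryThread:
    """Hypothetical model of the discovery thread; not the patent's own code."""

    def __init__(self, n_snapshots):
        self.snapshots = deque(maxlen=n_snapshots)  # the latest N snapshots

    def observe(self, kv_state):
        # kv_state: {copy_id: state} as read from the key-value pair system
        self.snapshots.append(dict(kv_state))

    def is_stable(self):
        # N snapshots must exist and be identical; otherwise the difference is
        # attributed to network instability or failover and nothing is done.
        if len(self.snapshots) < self.snapshots.maxlen:
            return False
        first = self.snapshots[0]
        return all(snap == first for snap in self.snapshots)

    def reconcile(self, engine_copies):
        """Return (action, copy_id, state) tuples to send to the engine."""
        if not self.is_stable():
            return []
        actual = self.snapshots[-1]
        actions = []
        for copy_id, preset in sorted(engine_copies.items()):
            if preset not in STABLE:
                continue  # intermediate state: not processed
            if copy_id not in actual:
                actions.append(("construct", copy_id, preset))   # case 1
            elif actual[copy_id] in STABLE and actual[copy_id] != preset:
                actions.append(("modify", copy_id, preset))      # case 2
        for copy_id, state in sorted(actual.items()):
            if copy_id not in engine_copies and state in STABLE:
                actions.append(("remove", copy_id, state))       # case 3
        return actions


def demo():
    # Constructed sample data: engine's preset view vs. key-value pair records.
    engine = {"app1-0": "running", "app1-1": "running",
              "app1-2": "stopped", "app1-3": "starting"}
    kv = {"app1-0": "running", "app1-2": "running",
          "app1-4": "starting", "app1-9": "running"}
    thread = DiscoveryThread(n_snapshots=3)
    thread.observe(kv)
    thread.observe({**kv, "app1-0": "stopped"})  # one flapping snapshot
    thread.observe(kv)
    while_unstable = thread.reconcile(engine)    # gate closed: no actions
    thread.observe(kv)
    thread.observe(kv)                           # last 3 snapshots now agree
    return while_unstable, thread.reconcile(engine)
```

The stability gate is what keeps a failover in progress from triggering construct or remove actions against copies that are only temporarily missing from the key-value pair records.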
After the verification tags of the application running copy data are generated, a hash tree $TREE_j$ is built for each copy $R_j$. The leaf nodes of $TREE_j$ are the set of vector HASH values $\{H(H(r_{ij}))\}$ ordered by primary key, and the tree root is $h_{R_j}$.
Using the root node HASH values $\{h_{R_j}\}_{1 \le j \le m}$ of all replica hash trees $TREE_j$, a signature $Sg_1 = (ID_R | h_R)^{\alpha}$ is generated. The verification tag set and the application running copy hash tree of the same data copy are stored in the same cluster node in the cloud together with the application running copy data.
The web application also sends sampling requests to the cluster nodes to verify the integrity of the data copies. The sampling inspection process comprises the following steps:
(1) The trusted third-party verification node delegated by the web application determines the number c of vectors to be sampled, $1 \le c \le N$, and randomly generates a key $k_1$ for the permutation function $\pi_{key}$ and a key $k_2$ for the random mapping function $\psi_{key}$. The verification node uses the same random permutation function and random mapping function with the same keys $k_1, k_2$ to generate the challenge value set $C = \{(i, v_i)\}$, where C gives the primary-key value $i \in [1, N]$ of each vector to be verified and its corresponding random value $v_i$, with $\{i\} = \pi_{key}(k)_{1 \le k \le c}$ and $\{v_i\} = \psi_{key}(k)_{1 \le k \le c}$. The verification node sends the sampling information $(C, k_1, k_2)$ to the cluster node.
(2) After receiving the sampling information sent by the verification node, the cluster nodes generate the verification evidence P, which proves that each cluster node correctly stores the copy data of the web application. The generated verification evidence is $P = \{\sigma, \mu, \langle H(r_{ij}), I_{ij} \rangle_{(i,*) \in C,\ 1 \le j \le m}\}$, wherein:
① σ is the aggregate tag value of the sampled vectors,
Figure BDA0001555317340000141
the aggregate of the verification tags of the sampled replica vectors, where $\sigma_i = \prod_{j \in [1,m]} \sigma_{ij}$ is the aggregate of the homomorphic tags of the multiple data copies corresponding to the same vector, and $\sigma \in G$;
② μ is the verification information proving that the cluster node stores the sampled data vectors of the web application; over all data copies of the web application, $\mu = \{\mu_j\}_{1 \le j \le m}$, where the vector data in each copy is calculated as
Figure BDA0001555317340000142
Figure BDA0001555317340000152
③ $I_{ij}$ is the auxiliary verification path information on the hash tree for each sampled vector of each data copy; it records all sibling node information and position information on the path from the tree root node to the leaf node corresponding to the sampled data vector.
(3) After the verification node receives a verification value P returned by the cluster node, verifying the correctness of the P:
According to $\langle H(r_{ij}), I_{ij} \rangle_{(i,*) \in C,\ 1 \le j \le m}$ and the application's running copy number information, reconstruct $V = ID_R | h_R$.
Determine whether the check value information returned by the web application is correct by checking whether the following equation holds:
Figure BDA0001555317340000151
where $e(\cdot)$ is a bilinear map; return true if verification passes, otherwise return false.
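The hash-tree part of the sampling check above, as an added Python example that is not code from the patent: the cluster node returns $\langle H(r_{ij}), I_{ij} \rangle$ for each sampled vector of each copy, and the verification node rebuilds each root $h_{R_j}$ and compares it with the root fixed when the data was stored. SHA-256, the HMAC-keyed shuffle standing in for $\pi_{key}$, promotion of an odd node, zero-based indices and the sample data are assumptions; the homomorphic tags σ and μ, the signature $Sg_1$ and the bilinear-map equation are not modelled.

```python
import hashlib
import hmac


def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def build_tree(vectors):
    """Levels of TREE_j, leaves first; vectors are already ordered by primary key."""
    level = [H(H(r)) for r in vectors]           # leaf = H(H(r_ij))
    levels = [level]
    while len(level) > 1:
        nxt = []
        for k in range(0, len(level), 2):
            if k + 1 < len(level):
                nxt.append(H(level[k] + level[k + 1]))
            else:
                nxt.append(level[k])             # assumption: odd node promoted
        level = nxt
        levels.append(level)
    return levels


def aux_path(levels, index):
    """I_ij: (position, sibling hash) pairs on the way from the leaf to the root."""
    path = []
    for level in levels[:-1]:
        sib = index ^ 1
        if sib < len(level):
            path.append(("L" if sib < index else "R", level[sib]))
        index //= 2
    return path


def root_from_proof(h_r, path):
    """Verifier side: rebuild h_Rj from H(r_ij) and I_ij."""
    if len(h_r) != 32:
        raise ValueError("H(r_ij) must be exactly one SHA-256 digest")
    node = H(h_r)
    for side, sib in path:
        node = H(sib + node) if side == "L" else H(node + sib)
    return node


def challenge(k1: bytes, n: int, c: int):
    """Stand-in for pi_key: keyed shuffle of 0..n-1, first c indices are sampled."""
    def rank(i):
        return hmac.new(k1, str(i).encode(), hashlib.sha256).digest()
    return sorted(range(n), key=rank)[:c]


def respond(copies, indices):
    """Cluster-node side: <H(r_ij), I_ij> for every sampled i and every copy j."""
    trees = [build_tree(copy) for copy in copies]
    return [[(H(copy[i]), aux_path(tree, i)) for i in indices]
            for copy, tree in zip(copies, trees)]


def verify(trusted_roots, proof):
    """One boolean per copy: does every sampled vector lead to the trusted root?"""
    return [all(root_from_proof(h, p) == root for h, p in items)
            for root, items in zip(trusted_roots, proof)]


def demo():
    vectors = [b"row-%d" % k for k in range(5)]      # constructed sample data
    roots = [build_tree(vectors)[-1][0]] * 2         # roots fixed at storage time
    idx = challenge(b"constructed-k1", len(vectors), 3)
    stored = [list(vectors), list(vectors)]
    stored[1][idx[0]] = b"tampered"                  # second copy is corrupted
    return idx, verify(roots, respond(stored, idx))
```

A node that rebuilds its tree over modified data still fails, because the verifier compares against the root recorded before the data left its control rather than one supplied in the response.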
In summary, the invention provides a cloud computing high-availability cluster resource management method, which performs spatial instantiation on a basic cluster environment of a cloud platform, makes full use of system resources of a cluster, and solves the problem of time consumption caused by a private cloud using a virtual machine. The private data are isolated from the cluster nodes, the isolation of the private data among verified applications is guaranteed, and the security of private storage is guaranteed.
It will be apparent to those skilled in the art that the modules or steps of the present invention described above may be implemented in a general purpose computing system, centralized on a single computing system, or distributed across a network of computing systems, and optionally implemented in program code that is executable by the computing system, such that the program code is stored in a storage system and executed by the computing system. Thus, the present invention is not limited to any specific combination of hardware and software.
It is to be understood that the above-described embodiments of the present invention are merely illustrative of or explaining the principles of the invention and are not to be construed as limiting the invention. Therefore, any modification, equivalent replacement, improvement and the like made without departing from the spirit and scope of the present invention should be included in the protection scope of the present invention. Further, it is intended that the appended claims cover all such variations and modifications as fall within the scope and boundaries of the appended claims or the equivalents of such scope and boundaries.

Claims (1)

1. A cloud computing high-availability cluster resource management method is characterized by comprising the following steps:
setting a task distributor in the private cloud, wherein the task distributor is used for access distribution of control data and transaction data;
before the access allocation of the control data and the transaction data, further comprising:
analyzing a terminal access address to obtain accessed authentication information;
the authentication information is transmitted to a main control module of the private cloud, the authority control node of the main control module verifies the authentication information, and the verification result is returned to the task distributor;
if the verification result is successful, the task distributor analyzes the type of the access data and analyzes whether the access data is control data or transaction data;
if the data is the control data, the main control module processes the control data;
if the data is the transaction data, the address request is forwarded to a cluster engine of the private cloud, and the cluster engine processes the transaction data;
the cluster engine analyzes the accessed web application ID according to the access address request of the mobile terminal;
selecting a web application running copy for processing according to the accessed web application ID and a preset scheduling rule; redirecting the access request to the selected web application running copy;
the web application running copy processes the terminal request, completes the specific call and returns the call processing result to the cluster engine;
the cluster engine returns the calling result to the mobile terminal;
the method further comprises the following steps:
after receiving control data forwarded by the main control module, forwarding and processing the control data, wherein the control data comprises the steps of obtaining a web application list, constructing a web application, deleting the web application and updating the number of copies;
the authority control node of the main control module allows the web application to send a data private access request to the verified application through calling a management interface; in order to enable the trusted execution environment to perform security detection on the process of the web application when the web application sends a data access request, the permission control node provides fingerprint information of the web application as a check criterion, and the method comprises the following specific implementation steps:
(1) reading the web application binary file information and obtaining the code segment size $Size_{code}$;
performing a HASH operation on the binary information of the web application code segment using a HASH algorithm to generate the code segment HASH value $H_{code} = Hash(Code)$, where Code stands for the web application code segment;
taking the code segment size $Size_{code}$ and the code segment HASH value $H_{code}$ as the fingerprint information of the web application, $Fpr_{app} = (Size_{code} \| H_{code})$;
(2) signing the fingerprint information $Fpr_{app}$ of the web application using trusted permissions to generate the fingerprint information signature $Sg_{app} = Sg(Size_{code} \| H_{code})$;
(3) storing the fingerprint information signature $Sg_{app}$ in a specific data segment of the verified application; the verified application is the application that accepts the web application's data access requests;
when the web application sends a data access request to the verified application, the cluster node sends process exception information of the web application to a trusted isolation area monitoring process of a trusted execution environment; after the monitoring process of the trusted isolation area captures process abnormal information, the process abnormal information of the web application is detected, and the method specifically comprises the following steps:
(1) acquiring the process abnormal information of the web application, including an interface calling data address, a process code segment base address, a process code segment size and a verified application ID, and loading the web application fingerprint information signature $Sg_{app}$ from the specific data segment of the corresponding verified application according to the verified application ID;
(2) performing a HASH operation, using a HASH algorithm, on the code segment data between the process memory address and the process code segment size, calculating the code segment HASH value $H'_{code} = Hash(Code')$ of the web application process, and obtaining the process fingerprint information $Fpr'_{app} = (CodeSize \| H'_{code})$ of the web application, where Code' represents the code segment of the web application process;
(3) verifying the fingerprint information signature $Sg_{app}$ using the trusted license public key to obtain the fingerprint information $Fpr_{app} = (Size_{code} \| H_{code})$ of the web application;
(4) comparing whether the fingerprint information $Fpr_{app}$ and $Fpr'_{app}$ are equal; if so, the current web application process is judged to be legal and the detection state flag bit is set to 1; otherwise, the current web application process is judged to be illegal and the detection state flag bit is set to 0;
the detection state flag bit indicates whether the current web application process passes the safety detection, and if the detection flag bit is 1, the detection is passed; otherwise, the detection is failed;
after returning the verification result to the task distributor, further comprising:
and if the verification result fails, the task distributor returns failure information to the mobile terminal.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201810061040.5A CN108600149B (en) 2018-01-22 2018-01-22 Cloud computing high-availability cluster resource management method

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201810061040.5A CN108600149B (en) 2018-01-22 2018-01-22 Cloud computing high-availability cluster resource management method

Publications (2)

Publication Number Publication Date
CN108600149A CN108600149A (en) 2018-09-28
CN108600149B true CN108600149B (en) 2021-05-07

Family

ID=63608565

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201810061040.5A Active CN108600149B (en) 2018-01-22 2018-01-22 Cloud computing high-availability cluster resource management method

Country Status (1)

Country Link
CN (1) CN108600149B (en)


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
TA01 Transfer of patent application right

Effective date of registration: 20210420

Address after: Room 3301-t, no.1325 Mudanjiang Road, Baoshan District, Shanghai

Applicant after: SHANGHAI OUYE HUAGONGBAO ELECTRONIC COMMERCE Co.,Ltd.

Address before: 610000 Sichuan city of Chengdu province high tech Zone Kyrgyzstan Road No. 666 Building 2 floor 13 No. 2

Applicant before: CHENGDU HUIZHI YUANJING TECHNOLOGY Co.,Ltd.

GR01 Patent grant
CP01 Change in the name or title of a patent holder

Address after: No.3301, no.1325 Mudanjiang Road, Baoshan District, Shanghai - T-room

Patentee after: Shanghai Huabao Digital Technology Co.,Ltd.

Address before: No.3301, no.1325 Mudanjiang Road, Baoshan District, Shanghai - T-room

Patentee before: SHANGHAI OUYE HUAGONGBAO ELECTRONIC COMMERCE Co.,Ltd.