CN110704155B - Container network construction method and device, physical host and data transmission method - Google Patents

Info

Publication number: CN110704155B
Authority: CN (China)
Prior art keywords: virtual, network interface, container instance, physical, host
Legal status: Active (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Application number: CN201810747082.4A
Other languages: Chinese (zh)
Other versions: CN110704155A (en)
Inventors: 李训, 李星, 朱良伟, 徐志
Current Assignee: Alibaba Group Holding Ltd (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Original Assignee: Alibaba Group Holding Ltd
Events: application filed by Alibaba Group Holding Ltd; priority to CN201810747082.4A; publication of CN110704155A; application granted; publication of CN110704155B; current legal status active.

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00 Arrangements for program control, e.g. control units
    • G06F9/06 Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/44 Arrangements for executing specific programs
    • G06F9/455 Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
    • G06F9/45533 Hypervisors; Virtual machine monitors
    • G06F9/45558 Hypervisor-specific management and integration aspects
    • G06F2009/45562 Creating, deleting, cloning virtual machine instances
    • G06F2009/45579 I/O management, e.g. providing access to device drivers or storage
    • G06F2009/45595 Network integration; Enabling network access in virtual machine instances

Abstract

The embodiment of the application provides a container network construction method and device, a physical host and a data transmission method, wherein the construction method comprises the following steps: after a virtual network interface is created in a physical host, the created virtual network interface is allocated to a virtual host deployed in the physical host; the virtual network interface is configured to the network namespace of a container instance deployed in the virtual host; and forwarding rules are configured based on the virtual network interface. In the container network constructed by the method, the container instance directly transmits data to the virtual switch or the physical network interface on the physical host where the container instance is located through the virtual network interface configured to the network namespace of the container instance, and the physical host forwards the data received from the virtual switch or the physical network interface according to the forwarding rule configured based on the virtual network interface, so that when data is transmitted between the container instance and the virtual switch or the physical network interface, intermediate forwarding logic is omitted, and the performance of the container network is improved.

Description

Container network construction method and device, physical host and data transmission method
Technical Field
The application relates to the technical field of internet, in particular to a container network construction method and device, a physical host and a data transmission method.
Background
At present, with the rapid development of cloud computing, most business systems are gradually migrated to a cloud platform, and start to provide business services for users through virtual hosts, and meanwhile, with the gradually increasing demands of users on cost reduction and business configuration flexibility improvement, the application of providing business services for users through deploying containers in physical hosts is more and more extensive.
Currently, in a container network construction method provided in the related art, for a plurality of containers created in a virtual host deployed in a physical host, a VETH virtual device pair is created in the host system where the container is located; one end of the VETH pair is configured into the container's network namespace, the other end remains in the host network namespace, and each container establishes a communication connection with a Linux Bridge (a Linux Bridge in which the kernel network stack is configured) through the VETH pair. The Linux Bridge then establishes a communication connection with the virtual switch through a virtual network card configured for the virtual host in advance; that is, the plurality of containers in each physical host are all connected to one Linux Bridge inside the virtual host, and data is then exchanged with the virtual switch through the corresponding virtual network card. The data transmission process is therefore as follows: the container instance transmits the data message to the Linux Bridge through the VETH virtual device, and the Linux Bridge transmits the data message to the virtual switch through the virtual network card.
Therefore, in the prior art, when a container in a virtual host transmits data to the corresponding virtual switch, the forwarding depends on the host system of the virtual host where the container is located, and this complex data forwarding logic causes the known problem of low container network performance.
Disclosure of Invention
In the container network constructed by the construction method, a container instance directly transmits data to a virtual switch or a physical network interface on the physical host where the container instance is located through a virtual network interface configured to a network namespace of the container instance, and the physical host forwards the data received from the virtual switch or the physical network interface according to a forwarding rule configured based on the virtual network interface, so that when data is transmitted between the container instance and the virtual switch or the physical network interface, intermediate forwarding logic is omitted, and the overall performance of the container network is improved.
In order to solve the above technical problem, the embodiment of the present application is implemented as follows:
the embodiment of the application provides a container network construction method, which comprises the following steps:
creating a virtual network interface in a physical host;
allocating the created virtual network interface to a virtual host deployed in the physical host, wherein a plurality of container instances are deployed in the virtual host;
configuring the virtual network interface to a network namespace of the container instance so that the container instance transmits data to a virtual switch or a physical network interface on the physical host through the virtual network interface;
configuring a forwarding rule based on the virtual network interface so that the physical host forwards data received from the virtual switch or the physical network interface according to the forwarding rule.
The embodiment of the application provides a container network, which is constructed by the container network construction method and comprises:
a plurality of physical hosts, each physical host comprising: a virtual network interface, a virtual switch or a physical network interface, a virtual host deployed in the physical host, and a container instance deployed in the virtual host; and
a network switching device connected to the physical hosts.
The embodiment of the application provides a physical host based on a container network, wherein the container network is constructed by the container network construction method, and the physical host comprises:
a virtual network interface;
a virtual switch or a physical network interface;
a virtual host deployed in the physical host; and
a container instance deployed in the virtual host.
The embodiment of the application provides a data transmission method for a container network, wherein the container network is constructed by the container network construction method, and the data transmission method comprises the following steps:
sending a first data message from a first container instance over a first virtual network interface;
receiving the first data message at the first physical host where the first container instance is located, through a first virtual switch or a first physical network interface, and sending the first data message onward, where the first data message is destined for a second container instance deployed in a second virtual host, and the second virtual host is deployed in a second physical host.
The embodiment of the application provides a container network construction apparatus, comprising:
the network interface creating module is used for creating a virtual network interface in the physical host;
a network interface allocation module, configured to allocate the created virtual network interface to a virtual host deployed in the physical host, where multiple container instances are deployed in the virtual host;
a network interface configuration module, configured to configure the virtual network interface to a network namespace of the container instance, so that the container instance transmits data to a virtual switch or a physical network interface on the physical host through the virtual network interface;
a forwarding rule configuration module, configured to configure a forwarding rule based on the virtual network interface, so that the physical host forwards data received from the virtual switch or the physical network interface according to the forwarding rule.
An embodiment of the present application provides a container network building device, including: a processor; and
a memory arranged to store computer executable instructions that, when executed, cause the processor to perform the above-described container network construction method.
The embodiment of the application provides a storage medium for storing computer-executable instructions, and the executable instructions realize the container network construction method when being executed.
In the container network construction method and device, the physical host and the data transmission method in the embodiment of the application, after the virtual network interface is created in the physical host, the created virtual network interface is allocated to the virtual host deployed in the physical host; the virtual network interface is configured to the network namespace of a container instance deployed in the virtual host; and forwarding rules are configured based on the virtual network interface. In the container network constructed by the method, the container instance directly transmits data to the virtual switch or the physical network interface on the physical host where the container instance is located through the virtual network interface configured to the network namespace of the container instance, and the physical host forwards the data received from the virtual switch or the physical network interface according to the forwarding rule configured based on the virtual network interface, so that when data is transmitted between the container instance and the virtual switch or the physical network interface, intermediate forwarding logic is omitted, and the overall performance of the container network is improved.
Drawings
In order to more clearly illustrate the embodiments of the present application or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, it is obvious that the drawings in the description below are only some embodiments described in the present application, and for those skilled in the art, other drawings may be obtained according to these drawings without creative efforts.
Fig. 1 is a first flowchart of a container network construction method according to an embodiment of the present disclosure;
fig. 2 is a schematic diagram illustrating an implementation principle of a container network construction method provided in an embodiment of the present application;
fig. 3 is a second flowchart of a container network construction method according to an embodiment of the present application;
fig. 4 is a third schematic flowchart of a container network construction method according to an embodiment of the present application;
fig. 5 is a schematic structural diagram of a physical host according to an embodiment of the present disclosure;
fig. 6a is a first flowchart of a data transmission method according to an embodiment of the present application;
fig. 6b is a schematic flowchart of a second data transmission method according to an embodiment of the present application;
fig. 7 is a schematic diagram illustrating an implementation principle of a data transmission method according to an embodiment of the present application;
fig. 8 is a schematic block diagram of a container network construction apparatus according to an embodiment of the present application;
fig. 9 is a schematic structural diagram of a container network construction device according to an embodiment of the present application.
Detailed Description
In order to make those skilled in the art better understand the technical solutions in the present application, the technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are only a part of the embodiments of the present application, and not all of the embodiments. All other embodiments obtained by a person of ordinary skill in the art based on the embodiments in the present application without making creative efforts shall fall within the protection scope of the present application.
In the container network constructed by the construction method, a container instance directly transmits data to a virtual switch or a physical network interface on the physical host where the container instance is located through the virtual network interface configured to the network namespace of the container instance, and the physical host forwards the data received from the virtual switch or the physical network interface according to a forwarding rule configured based on the virtual network interface.
Fig. 1 is a first flowchart illustrating a method for constructing a container network according to an embodiment of the present application, where the method in fig. 1 can be executed by a network management and control platform, and as shown in fig. 1, the method at least includes the following steps:
S101, a virtual network interface is created in a physical host; specifically, the virtual network interface may be an elastic network interface, a Virtual Function (VF) interface obtained using Single Root I/O Virtualization (SR-IOV) technology, or a virtual network interface obtained using Data Plane Development Kit (DPDK) technology.
S102, the created virtual network interface is allocated to a virtual host deployed in the physical host, wherein a plurality of container instances are deployed in the virtual host;
specifically, for each virtual host deployed in a physical host, the number of virtual network interfaces allocated to it is greater than or equal to N+1, where N is the number of container instances deployed in the virtual host. Moreover, the virtual network interface may support hot plugging, so that a virtual network interface configured for the virtual host can be plugged in while the virtual host remains in a stable running state, without having to stop the virtual host; the services running on the virtual host are therefore not affected.
S103, the virtual network interface is configured to the network namespace of a container instance deployed in the virtual host, so that the container instance transmits data through the virtual network interface to the virtual switch or the physical network interface on the physical host where the virtual host is located. That is, the container instance transmits data through the virtual network interface either to the virtual switch on that physical host or to the physical network interface on that physical host; in a specific implementation, where the virtual network interface is a Virtual Function (VF) interface obtained using SR-IOV technology, the physical network interface (e.g., a physical network card) receives the data instead of the virtual switch.
For each container instance deployed in the virtual host, one virtual network interface is selected from the plurality of virtual network interfaces allocated to the virtual host and configured to the network namespace of that container instance. Specifically, of the plurality of virtual network interfaces allocated to a virtual host deployed in a physical host, only one is configured to the virtual host itself, and the rest are configured to the plurality of container instances in the virtual host, so each of these virtual network interfaces needs to be configured to the network namespace of its corresponding container instance. The container instances can then communicate directly with the virtual switch or physical network interface through their virtual network interfaces; that is, there is one virtual network interface between each container instance and the virtual switch or physical network interface, and both these virtual network interfaces and the virtual network interface between the virtual host itself and the virtual switch or physical network interface are generated by unified configuration of the network management and control platform.
S104, configuring a forwarding rule based on the configured virtual network interface so that the physical host forwards data received from the virtual switch or the physical network interface according to the forwarding rule to construct a container network, and realizing mutual communication between container instances on a single physical host or mutual communication between container instances across the physical host, wherein the forwarding rule can be a flow forwarding rule configured for the virtual switch or the physical network interface (namely a physical network card forwarding chip under an SR-IOV scene), and the physical host forwards target data from the container instance generating the data to a target container instance according to a network IP address corresponding to the virtual network interface through the virtual switch or the physical network interface based on the forwarding rule;
Specifically, because the plurality of virtual network interfaces allocated to the virtual host are uniformly configured and generated by the network management and control platform, some of them are configured to the network namespaces of the container instances so that each container instance directly transmits data to the virtual switch or physical network interface on the physical host through its corresponding virtual network interface, and forwarding rules are configured based on the virtual network interfaces so that the physical host forwards the data received from the virtual switch or physical network interface according to those rules; the construction of the container network is thereby completed, the management efficiency of container network configuration is improved, and the usability of the container network is improved. That is, the network interface connecting the container instance to the virtual switch or physical network interface and the network interface connecting the virtual host to the virtual switch or physical network interface are created at the same time, and the user does not need to install an additional management system to configure the communication network between the container instance and the virtual switch or physical network interface, which reduces the maintenance cost of the container network; moreover, functions of the VPC such as load balancing provided by SLB and the like, ACL, and QoS can be used.
In the embodiment of the application, in the container network constructed by the construction method, one of the plurality of virtual network interfaces allocated to the virtual host where the container instance is located is attached to the network namespace of each container instance; the container instance directly transmits data to the virtual switch or physical network interface on the physical host where it is located through the virtual network interface configured to its network namespace, and the physical host forwards the data received from the virtual switch or physical network interface according to the forwarding rule configured based on the virtual network interface.
Fig. 2 is a schematic diagram of the internal structure of a physical host in a container network constructed by the method, taking a physical host with a virtual switch as an example. Three container instances are deployed in the virtual host, so at least 4 virtual network interfaces are allocated to the virtual host; taking 4 as an example, one virtual network interface is disposed directly between the virtual host and the virtual switch, and the other 3 are respectively configured to the network namespaces of the container instances, so that each container instance is directly connected to the virtual switch through its corresponding virtual network interface and transmits data directly to the virtual switch through it.
Specifically, when container instances are deployed in the virtual host ECS, the virtual network interfaces A to D (i.e., virtual network interface cards or VF devices connected to the virtual switching software) configured for the virtual host are dynamically bound to the virtual host on the physical host, and the dynamically "plugged-in" virtual network interfaces B to D are then respectively applied to the network namespaces of the container instances inside the virtual host; that is, the virtual network interfaces B to D allocated to the virtual host are respectively configured to the network namespaces of the container instances, so that network traffic from the container instances is sent to the physical host through the corresponding virtual network interfaces, and the physical host forwards the traffic through functions such as ACL, QoS, and security groups.
In addition, after the life cycle of the container instance ends, the virtual network interface is unplugged directly from the virtual host; that is, the virtual network interface configured to the network namespace of the container instance is removed from the plurality of virtual network interfaces configured for the virtual host, and it can then be used by another virtual host or container instance in the physical host, or its resources can be destroyed and recycled when no user needs them.
Specifically, the virtual network interface configured to the network namespace of the container instance may be obtained based on Single Root I/O Virtualization (SR-IOV) technology or simulated based on Data Plane Development Kit (DPDK) technology. The Virtual Function (VF) obtained by SR-IOV and the virtual network card simulated by DPDK both have high-performance acceleration functions; therefore, when the container instance transmits data through a virtual network interface based on such a VF or virtual network card configured to its network namespace, the network where the container instance is located also has the high-performance network acceleration function, which improves the performance of the container network as a whole.
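As an added illustration of steps S101 to S104 and of the data transmission method (not code from the patent or from Alibaba), the following Python model of a hypothetical network management and control platform allocates N+1 virtual network interfaces to a virtual host, keeps one for the virtual host itself, places one in each container instance's network namespace, records a forwarding rule keyed by each interface's IP address, and resolves the path a packet takes to a container on the same physical host or on another one. The host names, interface names, subnets and the `ControlPlane` API are constructed for illustration; the `ip` commands are recorded as a plan rather than executed, and the hot-plug step is abstracted because its exact form depends on the virtualization platform.

```python
"""Control-plane model of S101-S104 and the data transmission method.
Added example, not code from the patent: hosts, names, subnets and the
ControlPlane API are constructed; commands are recorded, never executed."""
from __future__ import annotations
from dataclasses import dataclass, field
from ipaddress import ip_network


@dataclass
class Vni:
    """A virtual network interface created on a physical host (S101)."""
    name: str
    ip: str
    occupant: str | None = None   # None = free, "vm" = the virtual host itself, else a container


@dataclass
class PhysicalHost:
    name: str
    uplink: str                   # virtual switch, or physical NIC in the SR-IOV case
    vnis: dict[str, Vni] = field(default_factory=dict)
    forwarding: dict[str, str] = field(default_factory=dict)   # S104: destination IP -> VNI name


class ControlPlane:
    """Hypothetical network management and control platform (constructed for this example)."""

    def __init__(self) -> None:
        self.hosts: dict[str, PhysicalHost] = {}
        self.commands: list[tuple[str, str]] = []   # (where it would run, command) - a plan only

    def add_host(self, name: str, uplink: str = "vswitch0") -> PhysicalHost:
        self.hosts[name] = PhysicalHost(name, uplink)
        return self.hosts[name]

    def build(self, host_name: str, vm: str, containers: list[str], subnet: str) -> list[Vni]:
        """S101-S104 for one virtual host running len(containers) container instances."""
        host = self.hosts[host_name]
        net = ip_network(subnet)
        addrs = list(net.hosts())
        needed = len(containers) + 1          # N+1: one for the VM itself, one per container
        if len(addrs) < needed:
            raise ValueError("subnet too small for N+1 interfaces")
        vnis = [Vni(f"{vm}-eni{i}", str(addrs[i])) for i in range(needed)]
        for v in vnis:                        # S101 create on the physical host, S102 hot-plug into the VM
            host.vnis[v.name] = v
            self.commands.append((host.name, f"hot-plug {v.name} into running VM {vm}"))  # platform-specific
        vnis[0].occupant = "vm"               # exactly one interface stays with the virtual host itself
        for v, c in zip(vnis[1:], containers):   # S103: the rest go into container network namespaces
            v.occupant = c
            self.commands += [
                (vm, f"ip link set {v.name} netns {c}"),
                (vm, f"ip netns exec {c} ip addr add {v.ip}/{net.prefixlen} dev {v.name}"),
                (vm, f"ip netns exec {c} ip link set {v.name} up"),
            ]
            host.forwarding[v.ip] = v.name    # S104: rule keyed by the IP address of the VNI
        return vnis

    def path(self, src_host: str, dst_ip: str) -> list[str]:
        """Data transmission: hops from a container's VNI to the VNI owning dst_ip."""
        src = self.hosts[src_host]
        hops = [f"{src.name}:{src.uplink}"]   # container -> its VNI -> virtual switch / physical NIC
        if dst_ip in src.forwarding:           # same physical host: forwarded straight to the other VNI
            return hops + [f"{src.name}:{src.forwarding[dst_ip]}"]
        for h in self.hosts.values():          # cross-host: through the network switching device
            if dst_ip in h.forwarding:
                return hops + ["switch", f"{h.name}:{h.uplink}", f"{h.name}:{h.forwarding[dst_ip]}"]
        raise LookupError(f"no forwarding rule for {dst_ip}")

    def release(self, host_name: str, container: str) -> Vni:
        """End of the container's life cycle: unplug its VNI and drop its rule; the VNI becomes free."""
        host = self.hosts[host_name]
        for v in host.vnis.values():
            if v.occupant == container:
                v.occupant = None
                del host.forwarding[v.ip]
                self.commands.append((host.name, f"hot-unplug {v.name}"))
                return v
        raise LookupError(container)


def demo() -> ControlPlane:
    """Two constructed physical hosts: phys1 runs vm-a with 3 containers, phys2 runs vm-b with 1."""
    cp = ControlPlane()
    cp.add_host("phys1")
    cp.add_host("phys2")
    cp.build("phys1", "vm-a", ["c1", "c2", "c3"], "10.0.1.0/28")
    cp.build("phys2", "vm-b", ["c4"], "10.0.2.0/28")
    return cp


if __name__ == "__main__":
    cp = demo()
    print(cp.path("phys1", "10.0.2.2"))   # cross-host path with no bridge or VETH hop in between
```

`demo()` allocates four interfaces on phys1 for three containers; `path("phys1", "10.0.2.2")` returns the hops local virtual switch, network switching device, remote virtual switch, remote VNI, which is exactly the forwarding chain the construction leaves once the Linux Bridge and VETH pair of the prior art are gone.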
Further, after the created virtual network interface is allocated to the virtual host, it is necessary to select a virtual network interface for each container instance in the virtual host from a plurality of virtual network interfaces allocated to the virtual host, and then configure the corresponding virtual network interface to the network namespace of the container instance, where the selection mode of the virtual network interface is related to the access mode of the container instance, specifically, after the S102 allocates the created virtual network interface to the virtual host deployed in the physical host, the method further includes:
if the access mode of the container instance is domain name access, a target virtual network interface is selected from the plurality of virtual network interfaces in sequence according to a preset rule, and it is judged whether the target virtual network interface is occupied, where occupied means that the target virtual network interface has already been configured between the virtual host and the virtual switch or physical network interface, or configured to the network namespace of another container instance; if it is not occupied, the target virtual network interface is configured to the network namespace of the container instance;
if the access mode of the container instance is IP address access, the virtual network interface whose IP address is the same as that of the container instance to be configured is selected from the plurality of virtual network interfaces as the target virtual network interface, according to the IP address of each virtual network interface, and the target virtual network interface is configured to the network namespace of the container instance. Specifically, when container instances are accessed by IP address, each container instance has its own IP address, and the virtual network interface must therefore be allocated to the container instance with the same IP address according to the IP address of the virtual network interface.
Further, when a container instance is abnormal in processing or its function needs to be upgraded, that is, when a certain container instance cannot normally provide the corresponding service, the service traffic requesting that container instance needs to be migrated, i.e., service requests need to be transferred to a substitute container instance. In the prior art, the user must report this to the platform and the container network must be reconfigured, which makes the traffic migration management configuration process complex. To simplify the traffic migration process, and because the container instance is directly connected to the virtual switch or physical network interface through a virtual network interface, the service traffic of the container instance can be migrated directly without the user perceiving it. Specifically, after S104 configures a forwarding rule based on the configured virtual network interface, the method further includes:
after determining a target container instance to be subjected to traffic migration, determining a substitute container instance of the target container instance, and determining a target virtual network interface aiming at the substitute container instance;
and configuring the determined target virtual network interface to the network namespace of the substitute container instance, so that the substitute container instance transmits data to the virtual switch or physical network interface on the physical host where the substitute container instance is located through the target virtual network interface, and the physical host where the substitute container instance is located forwards the data received from the virtual switch or physical network interface according to the forwarding rule of the target virtual network interface.
Specifically, the target container instance requiring traffic migration may be determined by the following method:
performing anomaly detection on each container instance, and determining the container instance with an abnormal detection result as a target container instance; specifically, the running state of the container instance can be automatically detected, so that the container instance which runs abnormally can be found in time, and the abnormal container instance can be migrated in time;
and judging whether each container instance needs to be subjected to function upgrading or not, and determining the container instance needing to be subjected to function upgrading as a target container instance.
Specifically, after the substitute container instance of the target container instance has been determined, a target virtual network interface for the substitute container instance needs to be determined. The target virtual network interface selected for the substitute container instance may be newly configured, or may be the original virtual network interface configured to the network namespace of the target container instance; which one is selected depends on the deployment location of the substitute container instance.
Specifically, after the target virtual network interface is configured to the network namespace of the substitute container instance, if a received service request is directed at the target container instance, the service request is directly allocated to the substitute container instance. In this process, the creation of the substitute container instance and the configuration of the target virtual network interface are performed automatically by the network management and control platform; the user does not need to participate in reconfiguring the container network, so the traffic migration process is simplified and the traffic is migrated directly without the user noticing, that is, the user still uses the original IP address or domain name to access the service provided by the substitute container instance.
In order to further simplify traffic migration, it is considered that if the substitute container instance is on the physical host where the target container instance is located, the original virtual network interface corresponding to the target container instance can still be used, so that no new virtual network interface needs to be created and no forwarding rule needs to be reconfigured. Based on this, the substitute container instance and the target container instance are deployed in the same virtual host, or in different virtual hosts, in the same physical host;
the target virtual network interface is an original virtual network interface configured to a network namespace of the target container instance.
Specifically, the substitute container instance may be in a virtual host where the target container instance is located (that is, the target container instance and the substitute container instance are deployed in the same virtual host of the same physical host), may also be in another virtual host of a physical host where the target container instance is located (that is, the target container instance and the substitute container instance are deployed in different virtual hosts of the same physical host), and may also be in a virtual host of another physical host different from the physical host where the target container instance is located (that is, the target container instance and the substitute container instance are deployed in different physical hosts), and for different situations, the specific process of configuring the target virtual network interface to the network namespace of the substitute container instance is different, specifically:
(1) For the case that the substitute container instance is in the virtual host where the target container instance is located, specifically, in that virtual host, the substitute container instance of the target container instance is created, and the virtual network interface of the target container instance is configured to the network namespace of the substitute container instance;
in this process, because the target container instance and the substitute container instance are located in the same virtual host of the same physical host, and the virtual network interface of the target container instance is already configured for that virtual host, the original virtual network interface is directly "pulled out" of the target container instance, that is, removed from the network namespace of the target container instance, and then "plugged into" the network namespace of the substitute container instance, that is, configured into the network namespace of the substitute container instance.
(2) For the case that the substitute container instance is in another virtual host of the physical host where the target container instance is located, specifically, in another target virtual host of that physical host, the substitute container instance of the target container instance is created, the virtual network interface of the target container instance is pulled out of the original virtual host, plugged into the target virtual host, and configured into the network namespace of the substitute container instance in the target virtual host;
in this process, since the target container instance and the substitute container instance are located in different virtual hosts of the same physical host, and the virtual network interface of the target container instance is not configured for the virtual host where the substitute container instance is located, it is necessary to first "pull out" the virtual network interface and "plug it into" the virtual host where the substitute container instance is located, that is, to remove the virtual network interface from the set of virtual network interfaces configured for the virtual host where the target container instance is located, add it to the set of virtual network interfaces configured for the virtual host where the substitute container instance is located, and then configure it to the network namespace of the substitute container instance. Compared with case (2), case (1) above omits the operation of pulling the virtual network interface of the target container instance out of one virtual host and plugging it into another.
(3) For the case that the substitute container instance is in a virtual host of another physical host different from the physical host where the target container instance is located, specifically, in a target virtual host of that other physical host, the substitute container instance of the target container instance is created, a new virtual network interface is configured for the target virtual host, and the new virtual network interface in the target virtual host is configured to the network namespace of the substitute container instance, where, for the case that the access mode of the container instance is IP address access, the IP address of the new virtual network interface is the IP address of the original virtual network interface of the target container instance;
in this process, since the target container instance and the substitute container instance are located in different virtual hosts of different physical hosts, the virtual network interface of the target container instance is not configured for the virtual host where the substitute container instance is located, and the virtual switches or physical network interfaces of different physical hosts are different, the network management and control platform needs to configure a new virtual network interface for the target virtual host and then configure that virtual network interface to the network namespace of the substitute container instance. Compared with case (3), cases (1) and (2) above omit the operation of configuring a new virtual network interface for the virtual host.
Further, considering that the existing container network mostly depends on a host system in a virtual host where the container is located, and the container network is autonomously controlled by a user, so that the container network cannot interface with a high-level network function that can be provided by a VPC network, the container instance in the embodiment of the present application is directly connected to a virtual switch or a physical network interface through a virtual network interface based on the same configuration of a network control platform, and therefore, the virtual network interface can be configured in a network plane of the VPC, so that the network function provided by the VPC network can be directly shared, and the upgrade of the container network function is realized. Based on this, the container instance accesses a Virtual Private Cloud (VPC) accessed by the physical host through a virtual network interface.
Specifically, as shown in fig. 3, after the step S103 configures the virtual network interface to the network namespace of the container instance deployed in the virtual host, the method further includes:
and S105, accessing the virtual network interface configured to the network namespace of the container instance to a network plane of a Virtual Private Cloud (VPC) accessed by the physical host.
Specifically, because the plurality of virtual network interfaces configured for the virtual host are all generated by unified configuration of the network management and control platform, part of them are configured in the network namespace of the container instance, the virtual network interface of each container instance is then accessed to the network plane of the Virtual Private Cloud (VPC) accessed by the physical host, and a forwarding rule is configured based on the virtual network interface so that the physical host forwards data according to that rule and the construction of the container network is completed, each container instance has the full set of VPC network functions. Thus functions such as EIP, SLB, high defense, security, HAVIP, NAT and user routing can be configured for the container instance, and the service of the container instance can be accessed easily.
Further, considering that container instances purchased by different users may coexist in the same virtual host, the container instances managed by each user need to be isolated from those managed by other users, so that the container instances of different users do not affect one another; network isolation among the container instances of different users is performed through the VPC network, which improves the flexibility of network isolation for container instances. Specifically, as shown in fig. 4, S105, accessing the virtual network interface configured to the network namespace of the container instance to the network plane of the VPC accessed by the physical host, specifically includes:
S1051, according to the holding user of the container instance, accessing the virtual network interface configured to the network namespace of the container instance to the corresponding network plane of the virtual private cloud (VPC), where the network planes of the VPC are set up in isolation according to the holding users of the container instances, so that VPC network security isolation is realized with the container instance as the minimum unit.
Specifically, it is judged whether the holding users of the plurality of container instances deployed in the virtual host are the same; if not, the virtual network interfaces corresponding to the container instances are accessed to different network planes of the VPC; if they are the same, the virtual network interfaces corresponding to the container instances are accessed to the same VPC network plane.
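As an added illustration, not code from the patent, the Python model below plays out the three migration cases (1) to (3) described above and the per-user VPC plane assignment of S1051 on a constructed two-host topology; the class names, the "vpc-<user>" plane naming and the hostA/hostB sample values are assumptions.

```python
"""Model of traffic-migration cases (1) to (3) and of the per-user VPC plane
assignment of S1051. Added illustration, not the patent's code: the class
names, the "vpc-<user>" plane naming and the sample hosts are assumptions."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

@dataclass
class VirtualNetworkInterface:
    name: str
    ip: str
    vpc_plane: Optional[str] = None          # VPC network plane it is accessed to

@dataclass
class ContainerInstance:
    name: str
    owner: str                               # holding user of the instance
    vni: Optional[VirtualNetworkInterface] = None   # interface in its network namespace

@dataclass
class VirtualHost:
    name: str
    vnis: Dict[str, VirtualNetworkInterface] = field(default_factory=dict)  # plugged in
    containers: Dict[str, ContainerInstance] = field(default_factory=dict)

@dataclass
class PhysicalHost:
    name: str
    vhosts: Dict[str, VirtualHost] = field(default_factory=dict)
    forwarding: Dict[str, str] = field(default_factory=dict)   # rule: container IP -> VNI

    def create_vni(self, ip: str) -> VirtualNetworkInterface:
        """S101 and S104: create an interface on this host and the rule keyed on it."""
        vni = VirtualNetworkInterface(f"{self.name}-vni-{ip}", ip)
        self.forwarding[ip] = vni.name
        return vni

class ControlPlatform:
    """Network management and control platform; acts without user involvement."""
    def __init__(self) -> None:
        self.hosts: Dict[str, PhysicalHost] = {}

    def locate(self, c: ContainerInstance) -> Tuple[PhysicalHost, VirtualHost]:
        for ph in self.hosts.values():
            for vh in ph.vhosts.values():
                if c.name in vh.containers:
                    return ph, vh
        raise KeyError(c.name)

    def migrate(self, target: ContainerInstance, sub: ContainerInstance) -> str:
        """Move the target's traffic to the substitute; returns which case applied."""
        tp, tv = self.locate(target)
        sp, sv = self.locate(sub)
        vni = target.vni
        target.vni = None                    # pull the interface out of the old namespace
        if tp is sp and tv is sv:            # case (1): same virtual host, reuse as is
            sub.vni = vni
            return "same_vhost"
        if tp is sp:                         # case (2): other virtual host, same physical host
            tv.vnis.pop(vni.name)            # unplug from the old virtual host ...
            sv.vnis[vni.name] = vni          # ... hot-plug into the new one; rule unchanged
            sub.vni = vni
            return "same_phost"
        new = sp.create_vni(vni.ip)          # case (3): new interface with the same IP
        new.vpc_plane = vni.vpc_plane
        sv.vnis[new.name] = new
        sub.vni = new
        tv.vnis.pop(vni.name)                # original interface released on the old host
        tp.forwarding.pop(vni.ip, None)
        return "other_phost"

    @staticmethod
    def attach_to_vpc(vhost: VirtualHost) -> Dict[str, str]:
        """S1051: one VPC plane per holding user; tenants sharing a virtual host stay isolated."""
        planes: Dict[str, str] = {}
        for c in vhost.containers.values():
            if c.vni is not None:
                c.vni.vpc_plane = f"vpc-{c.owner}"
                planes[c.name] = c.vni.vpc_plane
        return planes

def build_demo() -> Tuple[ControlPlatform, Dict[str, ContainerInstance]]:
    """Constructed sample: hosts A/B, virtual hosts A1/A2/B1, serving c1..c3, idle s1..s3."""
    cp = ControlPlatform()
    vh = {n: VirtualHost(n) for n in ("A1", "A2", "B1")}
    a = PhysicalHost("hostA", {"A1": vh["A1"], "A2": vh["A2"]})
    b = PhysicalHost("hostB", {"B1": vh["B1"]})
    cp.hosts = {"hostA": a, "hostB": b}
    spec = [("c1", "alice", "A1", "10.0.0.11"), ("c2", "bob", "A1", "10.0.0.12"), ("c3", "alice", "A1", "10.0.0.13"),
            ("s1", "alice", "A1", None), ("s2", "alice", "A2", None), ("s3", "alice", "B1", None)]
    cs: Dict[str, ContainerInstance] = {}
    for name, owner, vname, ip in spec:
        host = a if vname.startswith("A") else b
        c = ContainerInstance(name, owner)
        if ip is not None:                   # S101 to S104 for the serving instances
            c.vni = host.create_vni(ip)
            vh[vname].vnis[c.vni.name] = c.vni
        vh[vname].containers[name] = c
        cs[name] = c
    return cp, cs
```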
In the container network construction method in the embodiment of the application, after a virtual network interface is created in a physical host, the created virtual network interface is distributed to a virtual host deployed in the physical host; configuring the virtual network interface to a network name space of a container instance deployed in a virtual host; and configuring forwarding rules based on the virtual network interface. In the container network constructed by the method, the container instance directly transmits data to the virtual switch or the physical network interface on the physical host where the container instance is located through the virtual network interface configured to the network namespace of the container instance, and the physical host forwards the data received from the virtual switch or the physical network interface according to the forwarding rule configured based on the virtual network interface, so that when data are transmitted between the container instance and the virtual switch or the physical network interface, intermediate forwarding logic is omitted, and the overall performance of the container network is improved.
Corresponding to the container network construction method described with reference to fig. 1 to 4 above, an embodiment of the present application further provides a container network constructed by the above construction method, including:
a plurality of physical hosts, each physical host comprising: a virtual network interface, a virtual switch or a physical network interface, a virtual host deployed in the physical host, and a container instance deployed in the virtual host; and
a network switching device connected to the physical hosts.
Specifically, as shown in fig. 5, the physical host based on the container network includes: the system comprises a virtual network interface, a virtual switch or a physical network interface, a virtual host machine and a container instance, wherein the virtual host machine is deployed in the physical host machine, and the container instance is deployed in the virtual host machine;
the network name space of each container instance is configured with one virtual network interface in a plurality of virtual network interfaces distributed for the virtual hosts;
the container instance transmits data to a virtual switch or a physical network interface on a physical host through a virtual network interface configured to a network name space of the container instance; and the physical host forwards data received from the virtual switch or the physical network interface according to a forwarding rule configured based on the virtual network interface. In fig. 5, a virtual switch is provided on a physical host as an example.
Of the multiple virtual network interfaces allocated to a virtual host deployed in a physical host, only one is configured to the virtual host itself, and the others are configured to the multiple container instances in the virtual host, so each of those virtual network interfaces needs to be configured to the network namespace of its corresponding container instance. At this point the container instances can communicate directly with the virtual switch or the physical network interface through the virtual network interfaces, that is, one virtual network interface is arranged between each container instance and the virtual switch or the physical network interface, and both the virtual network interfaces arranged between the container instances and the virtual switch or physical network interface and the virtual network interface arranged between the virtual host itself and the virtual switch or physical network interface are generated by unified configuration of the network management and control platform.
Specifically, when container instances are deployed inside the ECS, the virtual network interfaces configured for the virtual hosts (i.e., virtual network interface cards or VF devices connected to the virtual switching software) are dynamically bound to the virtual hosts on the physical hosts, and the dynamically "plugged-in" virtual network interfaces are then applied to the network namespaces of the container instances inside the virtual hosts, that is, the virtual network interfaces allocated to the virtual hosts are configured to the network namespaces of the container instances, so that network traffic in a container instance can be sent to the physical host through the corresponding virtual network interface, and the physical host forwards the traffic through functions such as ACL, QoS and security groups.
In addition, after the life cycle of a container instance ends, the virtual network interface is directly pulled out of the virtual host, that is, the virtual network interface configured to the network namespace of the container instance is removed, and it is removed from the plurality of virtual network interfaces configured for the virtual host; it can then be used by other virtual hosts or container instances in the physical host, or, if no user needs it, destroyed and its resources reclaimed.
The virtual network interfaces allocated to the virtual host configuration are generated by the network management and control platform in a unified configuration mode, and a part of the virtual network interfaces are configured to the network name space of the container instance, so that the container instance can directly transmit data to the virtual switch or the physical network interface on the physical host through the corresponding virtual network interface, and the forwarding rule is configured based on the virtual network interface, so that the physical host can forward the data received from the virtual switch or the physical network interface according to the forwarding rule, and further the construction of the container network is completed.
In the physical host in the embodiment of the present application, a network namespace of each container instance deployed inside a virtual host in the physical host is configured with one virtual network interface of a plurality of virtual network interfaces allocated to the virtual host. The container instance directly transmits data to a virtual switch or a physical network interface on a physical host where the container instance is located through the virtual network interface configured to the network namespace of the container instance, and the physical host forwards the data received from the virtual switch or the physical network interface according to a forwarding rule configured based on the virtual network interface, so that when data are transmitted between the container instance and the virtual switch or the physical network interface, intermediate forwarding logic is omitted, and the overall performance of the container network is improved.
It should be noted that the physical host provided in the embodiment of the present application and the container network construction method provided in the present application are based on the same inventive concept, and therefore specific implementation of the embodiment may refer to implementation of the container network construction method, and repeated details are not described herein.
Based on the same technical concept, another embodiment of the present application further provides a data transmission method for a container network, the data transmission method is used for implementing data transmission between a first container instance and a second container instance, the container network is constructed by the above construction method, fig. 6a is a schematic flow chart of the data transmission method provided by the embodiment of the present application, and as shown in fig. 6a, the method at least includes the following steps:
S601, sending a first data message through a first virtual network interface at a first container instance, where the first data message may be a service processing request;
S602, receiving the first data message at a first physical host where the first container instance is located through a first virtual switch or a first physical network interface, and sending the first data message, where the first data message is destined for a second container instance deployed in a second virtual host, and the second virtual host is deployed in a second physical host.
Specifically, for the second physical host, after receiving the first data packet at the first physical host and sending the first data packet, the data transmission method further includes:
S603, receiving the first data packet at the second physical host through the second virtual switch or the second physical network interface, and sending the first data packet through the second virtual network interface;
S604, receiving the first data packet at the second container instance through the second virtual network interface.
The first virtual switch and the second virtual switch may be the same virtual switch or different virtual switches, and for a case where the first container instance and the second container instance are located on the same physical host, the first virtual switch and the second virtual switch are the same virtual switch, and for a case where the first container instance and the second container instance are located on different physical hosts, the first virtual switch and the second virtual switch are different virtual switches.
Further, after the second container instance receives the first data packet, a corresponding response is performed, specifically, as shown in fig. 6b, after the S604 receives the first data packet through the second virtual network interface at the second container instance, the data transmission method further includes:
S605, responding to the first data message at the second container instance, and generating a second data message for the first container instance, where the second data message is the data processing result of the service processing request;
S606, sending the second data message through the second virtual network interface at the second container instance;
S607, receiving the second data packet through the second virtual switch or the second physical network interface at the second physical host, and sending the second data packet.
Specifically, for the first physical host, after the second physical host receives the second data packet and sends the second data packet, the data transmission method further includes:
S608, receiving the second data packet at the first physical host through the first virtual switch or the first physical network interface, and sending the second data packet through the first virtual network interface;
S609, receiving the second data packet at the first container instance through the first virtual network interface.
The first container instance and the second container instance are deployed in different virtual host machines in different physical host machines, or the first container instance and the second container instance are deployed in different virtual host machines in the same physical host machine, or the first container instance and the second container instance are deployed in the same virtual host machine in the same physical host machine.
Specifically, for a case where the first container instance and the second container instance are deployed in different virtual hosts in different physical hosts, and the physical host has a virtual switch as an example, as shown in fig. 7, when the first container instance accesses a service provided by the second container instance located in a virtual host of another physical host, a main flow of data transmission specifically includes:
(1) Sending a first data packet at a first container instance over a first virtual network interface;
(2) Receiving the first data message through a first virtual switch (i.e., virtual switching software) at the first physical host where the first container instance is located, and sending the first data message out of the physical port;
(3) After receiving the first data message sent by the first physical host, the network switching device sends the first data message to the second physical host;
(4) After receiving the first data message forwarded by the network switching device, the second physical host receives the first data message through a second virtual switch (i.e., virtual switching software) and sends the first data message through the second virtual network interface;
(5) Receiving, at a second container instance, a first data packet over a second virtual network interface;
(6) Generating, at the second container instance, a second data message destined for the first container instance in response to the first data message;
(7) Sending a second data packet at the second container instance over the second virtual network interface;
(8) Receiving a second data message at the second physical host through a second virtual switch (i.e., virtual switch software), and sending the second data message out of the physical port;
(9) After receiving a second data message sent by a second physical host, the network switching equipment sends the second data message to the first physical host;
(10) Receiving a second data message at the first physical host through a first virtual switch (i.e., virtual switch software) and sending the second data message through the first virtual network interface;
(11) A second data packet is received at the first container instance over the first virtual network interface.
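The request and response path of steps (1) to (11), as an added example rather than the patent's own code: a small Python simulation in which each physical host's virtual switch looks up the destination IP in its per-interface forwarding rule and applies a security-group check (one of the ACL/security-group functions the physical host is said to forward through) before delivering to the container's interface; the class names, hop labels, sample addresses and the allow-list form of the security group are assumptions.

```python
"""Simulation of the data path of fig. 7: a first container instance on one
physical host accesses a second container instance on another physical host.
Added illustration, not the patent's code; names and the security-group
semantics (a per-interface allow-list of source IPs) are assumptions."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

@dataclass
class Message:
    src_ip: str
    dst_ip: str
    payload: str

@dataclass
class ContainerNode:
    name: str
    ip: str
    vni: str                                  # interface in its network namespace

    def respond(self, msg: Message) -> Message:
        """Step (6): generate the second data message for the first container."""
        return Message(self.ip, msg.src_ip, f"reply:{msg.payload}")

@dataclass
class HostNode:
    name: str
    containers: Dict[str, ContainerNode] = field(default_factory=dict)  # VNI -> instance
    allowed_src: Dict[str, Set[str]] = field(default_factory=dict)       # VNI -> allowed sources

    def forwarding_rules(self) -> Dict[str, str]:
        """Rule configured per virtual network interface: container IP -> VNI."""
        return {c.ip: vni for vni, c in self.containers.items()}

    def deliver(self, msg: Message, trace: List[str]) -> Optional[ContainerNode]:
        """Virtual switch: find the VNI for the destination, apply the security group.
        Real security groups are stateful; the plain allow-list is a simplification."""
        vni = self.forwarding_rules().get(msg.dst_ip)
        if vni is None:
            trace.append(f"{self.name}: no forwarding rule for {msg.dst_ip}, dropped")
            return None
        if msg.src_ip not in self.allowed_src.get(vni, set()):
            trace.append(f"{self.name}: security group on {vni} rejects {msg.src_ip}")
            return None
        trace.append(f"{self.name}: vswitch -> {vni}")
        return self.containers[vni]

class NetworkSwitch:
    """Switching device between physical hosts; knows which host serves each IP."""
    def __init__(self, hosts: List[HostNode]) -> None:
        self.hosts = hosts

    def host_for(self, ip: str) -> Optional[HostNode]:
        return next((h for h in self.hosts if ip in h.forwarding_rules()), None)

def transmit(net: NetworkSwitch, src_host: HostNode, src: ContainerNode,
             dst_ip: str, payload: str) -> Tuple[List[str], Optional[Message]]:
    """Run the request and the response; returns the hop trace and the reply (or None)."""
    trace: List[str] = []
    req = Message(src.ip, dst_ip, payload)
    trace.append(f"{src.name}: send via {src.vni}")                    # (1)
    dst_host = net.host_for(dst_ip)
    if dst_host is not src_host:              # same physical host means same virtual switch
        trace.append(f"{src_host.name}: vswitch -> physical port")      # (2)
        if dst_host is None:
            trace.append(f"switch: no host serves {dst_ip}, dropped")
            return trace, None
        trace.append(f"switch -> {dst_host.name}")                      # (3)
    dst = dst_host.deliver(req, trace)                                  # (4)
    if dst is None:
        return trace, None
    trace.append(f"{dst.name}: received via {dst.vni}")                 # (5)
    rep = dst.respond(req)
    trace.append(f"{dst.name}: respond to {req.src_ip}")                # (6)
    trace.append(f"{dst.name}: send via {dst.vni}")                     # (7)
    if dst_host is not src_host:
        trace.append(f"{dst_host.name}: vswitch -> physical port")      # (8)
        trace.append(f"switch -> {src_host.name}")                      # (9)
    back = src_host.deliver(rep, trace)                                 # (10)
    if back is None:
        return trace, None
    trace.append(f"{back.name}: received via {back.vni}")               # (11)
    return trace, rep

def build_demo() -> Tuple[NetworkSwitch, HostNode, ContainerNode, HostNode]:
    """Constructed sample: c1 on host1 talks to c2 on host2; each group allows the peer."""
    c1 = ContainerNode("c1", "10.0.0.1", "vni-1")
    c2 = ContainerNode("c2", "10.0.0.2", "vni-2")
    host1 = HostNode("host1", {"vni-1": c1}, {"vni-1": {"10.0.0.2"}})
    host2 = HostNode("host2", {"vni-2": c2}, {"vni-2": {"10.0.0.1"}})
    return NetworkSwitch([host1, host2]), host1, c1, host2
```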
In the data transmission method for the container network in the embodiment of the application, the container instance directly transmits data to the virtual switch or the physical network interface on the physical host where the container instance is located through the virtual network interface configured to the network namespace, and the physical host forwards the data received from the virtual switch or the physical network interface according to the forwarding rule configured based on the virtual network interface, so that when data is transmitted between the container instance and the virtual switch or the physical network interface, intermediate forwarding logic is omitted, and the overall performance of the container network is improved.
It should be noted that the data transmission method provided in the embodiment of the present application and the container network construction method provided in the embodiment of the present application are based on the same inventive concept, and therefore specific implementation of the embodiment may refer to implementation of the aforementioned container network construction method, and repeated details are not described again.
Corresponding to the container network constructing method described in fig. 1 to fig. 4, based on the same technical concept, an embodiment of the present application further provides a container network constructing apparatus, and fig. 8 is a schematic diagram of module composition of the container network constructing apparatus provided in the embodiment of the present application, where the apparatus is configured to execute the container network constructing method described in fig. 1 to fig. 4, and as shown in fig. 8, the apparatus includes:
a network interface creating module 801, configured to create a virtual network interface in a physical host;
a network interface allocating module 802, configured to allocate the created virtual network interface to a virtual host deployed in the physical host, where multiple container instances are deployed in the virtual host;
a network interface configuration module 803, configured to configure the virtual network interface to a network namespace of the container instance, so that the container instance transmits data to a virtual switch or a physical network interface on the physical host through the virtual network interface;
a forwarding rule configuring module 804, configured to configure a forwarding rule based on the virtual network interface, so that the physical host forwards data received from the virtual switch or the physical network interface according to the forwarding rule.
Optionally, the virtual network interface includes: a virtual network interface supporting hot plugging.
Optionally, the apparatus further includes a traffic migration module, where the traffic migration module is configured to:
after determining a target container instance to be subjected to traffic migration, determining a substitute container instance of the target container instance, and determining a target virtual network interface aiming at the substitute container instance;
and configuring the target virtual network interface to a network name space of the substitute container instance, so that the substitute container instance transmits data to a virtual switch or a physical network interface on a physical host where the substitute container instance is located through the target virtual network interface, and the physical host where the substitute container instance is located forwards the data received from the virtual switch or the physical network interface according to a forwarding rule of the target virtual network interface.
Optionally, the substitute container instance and the target container instance are deployed in the same virtual host or in different virtual hosts in the same physical host;
the target virtual network interface is an original virtual network interface configured to a network namespace of the target container instance.
Optionally, the container instance accesses a virtual private cloud accessed by the physical host through the virtual network interface.
Optionally, the virtual network interface includes: an elastic network interface, a virtual function interface obtained using single-root input/output virtualization (SR-IOV), or a virtual network interface obtained using the Data Plane Development Kit (DPDK).
The container network construction device in the embodiment of the application allocates the created virtual network interface to the virtual host machine deployed in the physical host machine after the virtual network interface is created in the physical host machine; configuring the virtual network interface to a network name space of a container instance deployed in a virtual host; and configuring forwarding rules based on the virtual network interface. In the container network constructed by the method, the container instance directly transmits data to the virtual switch or the physical network interface on the physical host where the container instance is located through the virtual network interface configured to the network name space of the container instance, and the physical host forwards the data received from the virtual switch or the physical network interface according to the forwarding rule configured based on the virtual network interface, so that when data are transmitted between the container instance and the virtual switch or the physical network interface, intermediate forwarding logic is omitted, and the overall performance of the container network is improved.
Further, corresponding to the methods shown in fig. 1 to fig. 4, based on the same technical concept, the embodiment of the present application further provides a container network construction device, which is configured to execute the container network construction method described above, as shown in fig. 9.
The container network construction apparatus may vary considerably with its configuration or performance, and may include one or more processors 901 and a memory 902, where the memory 902 may store one or more applications or data. Memory 902 may be transient storage or persistent storage. The application program stored in memory 902 may include one or more modules (not shown), each of which may include a series of computer-executable instructions for the container network construction apparatus. Still further, processor 901 may be configured to communicate with memory 902 to execute the series of computer-executable instructions in memory 902 on the container network construction apparatus. The container network construction apparatus may also include one or more power supplies 903, one or more wired or wireless network interfaces 904, one or more input-output interfaces 905, one or more keyboards 906, and the like.
In a particular embodiment, a container network construction apparatus includes a memory, and one or more programs, wherein the one or more programs are stored in the memory, and the one or more programs may include one or more modules, and each module may include a series of computer-executable instructions for the container network construction apparatus, and the one or more programs configured to be executed by one or more processors include computer-executable instructions for:
creating a virtual network interface in a physical host;
allocating the created virtual network interface to a virtual host deployed in the physical host, wherein a plurality of container instances are deployed in the virtual host;
configuring the virtual network interface to a network namespace of the container instance so that the container instance transmits data to a virtual switch or a physical network interface on the physical host through the virtual network interface;
and configuring a forwarding rule based on the virtual network interface so that the physical host forwards the data received from the virtual switch or the physical network interface according to the forwarding rule.
Optionally, when the computer-executable instructions are executed, the virtual network interface comprises: a virtual network interface supporting hot plug.
Optionally, the computer executable instructions, when executed, further comprise computer executable instructions for:
after determining a target container instance to be subjected to traffic migration, determining a substitute container instance of the target container instance, and determining a target virtual network interface for the substitute container instance;
and configuring the target virtual network interface to a network namespace of the substitute container instance so that the substitute container instance transmits data to a virtual switch or a physical network interface on a physical host where the substitute container instance is located through the target virtual network interface, and the physical host where the substitute container instance is located forwards the data received from the virtual switch or the physical network interface according to a forwarding rule of the target virtual network interface.
Optionally, when the computer-executable instructions are executed, the substitute container instance and the target container instance are deployed in the same virtual host or in different virtual hosts in the same physical host;
the target virtual network interface is an original virtual network interface configured to a network namespace of the target container instance.
Optionally, when the computer-executable instructions are executed, the container instance accesses, through the virtual network interface, the virtual private cloud to which the physical host is connected.
Optionally, when the computer-executable instructions are executed, the virtual network interface comprises: an elastic network interface, a virtual function (VF) interface obtained through single-root I/O virtualization (SR-IOV), or a virtual network interface obtained through the Data Plane Development Kit (DPDK).
After a virtual network interface is created in a physical host, the container network construction apparatus in the embodiment of the application allocates the created virtual network interface to a virtual host deployed in the physical host; configures the virtual network interface to the network namespace of a container instance deployed in the virtual host; and configures forwarding rules based on the virtual network interface. In the container network constructed by this method, the container instance transmits data directly to the virtual switch or the physical network interface on the physical host where the container instance is located, through the virtual network interface configured to its network namespace, and the physical host forwards the data received from the virtual switch or the physical network interface according to the forwarding rule configured based on the virtual network interface. Intermediate forwarding logic is therefore omitted when data are transmitted between the container instance and the virtual switch or the physical network interface, and the overall performance of the container network is improved.
Further, corresponding to the methods shown in fig. 1 to fig. 4, based on the same technical concept, embodiments of the present application further provide a storage medium for storing computer-executable instructions. In a specific embodiment, the storage medium may be a USB disk, an optical disc, a hard disk, and the like, and the computer-executable instructions it stores, when executed by a processor, implement the following processes:
creating a virtual network interface in a physical host;
allocating the created virtual network interface to a virtual host deployed in the physical host, wherein a plurality of container instances are deployed in the virtual host;
configuring the virtual network interface to a network namespace of the container instance so that the container instance transmits data to a virtual switch or a physical network interface on the physical host through the virtual network interface;
and configuring a forwarding rule based on the virtual network interface so that the physical host forwards the data received from the virtual switch or the physical network interface according to the forwarding rule.
Optionally, when the computer-executable instructions stored in the storage medium are executed by the processor, the virtual network interface comprises: a virtual network interface supporting hot plug.
Optionally, the storage medium stores computer executable instructions that, when executed by the processor, further implement the following process:
after determining a target container instance to be subjected to traffic migration, determining a substitute container instance of the target container instance, and determining a target virtual network interface for the substitute container instance;
and configuring the target virtual network interface to a network namespace of the substitute container instance, so that the substitute container instance transmits data to a virtual switch or a physical network interface on the physical host where the substitute container instance is located through the target virtual network interface, and the physical host where the substitute container instance is located forwards the data received from the virtual switch or the physical network interface according to a forwarding rule of the target virtual network interface.
Optionally, when the computer-executable instructions stored in the storage medium are executed by the processor, the substitute container instance and the target container instance are deployed in the same virtual host or in different virtual hosts in the same physical host;
the target virtual network interface is an original virtual network interface configured to a network namespace of the target container instance.
Optionally, when the computer-executable instructions stored in the storage medium are executed by the processor, the container instance accesses, through the virtual network interface, the virtual private cloud to which the physical host is connected.
Optionally, when the computer-executable instructions stored in the storage medium are executed by the processor, the virtual network interface comprises: an elastic network interface, a virtual function (VF) interface obtained through single-root I/O virtualization (SR-IOV), or a virtual network interface obtained through the Data Plane Development Kit (DPDK).
When the computer-executable instructions stored in the storage medium in the embodiment of the application are executed by the processor, after the virtual network interface is created in the physical host, the created virtual network interface is allocated to the virtual host deployed in the physical host; the virtual network interface is configured to the network namespace of a container instance deployed in the virtual host; and forwarding rules are configured based on the virtual network interface. In the container network constructed by this method, the container instance transmits data directly to the virtual switch or the physical network interface on the physical host where the container instance is located, through the virtual network interface configured to its network namespace, and the physical host forwards the data received from the virtual switch or the physical network interface according to the forwarding rule configured based on the virtual network interface. Intermediate forwarding logic is therefore omitted when data are transmitted between the container instance and the virtual switch or the physical network interface, and the overall performance of the container network is improved.
In the 1990s, improvements to a technology could be clearly distinguished as improvements in hardware (e.g., improvements to circuit structures such as diodes, transistors, switches, etc.) or improvements in software (improvements to a process flow). However, as technology advances, many of today's process flow improvements can be regarded as direct improvements in hardware circuit architecture. Designers almost always obtain the corresponding hardware circuit structure by programming an improved method flow into a hardware circuit. Thus, it cannot be said that an improvement in a process flow cannot be realized by physical hardware modules. For example, a Programmable Logic Device (PLD) (e.g., a Field Programmable Gate Array (FPGA)) is an integrated circuit whose logic functions are determined by the user programming the device. A digital system is "integrated" on a PLD by the designer's own programming, without requiring the chip manufacturer to design and fabricate an application-specific integrated circuit chip. Furthermore, nowadays, instead of manually manufacturing an integrated circuit chip, such programming is mostly implemented with "logic compiler" software, which is similar to the software compiler used in program development; the source code before compilation is likewise written in a specific programming language, called a Hardware Description Language (HDL). There is not just one HDL but many, such as ABEL (Advanced Boolean Expression Language), AHDL (Altera Hardware Description Language), Confluence, CUPL (Cornell University Programming Language), HDCal, JHDL (Java Hardware Description Language), Lava, Lola, MyHDL, PALASM, and RHDL (Ruby Hardware Description Language), with VHDL (Very-High-Speed Integrated Circuit Hardware Description Language) and Verilog being the most commonly used at present.
It will also be apparent to those skilled in the art that hardware circuitry that implements the logical method flows can be readily obtained by merely slightly programming the method flows into an integrated circuit using the hardware description languages described above.
The controller may be implemented in any suitable manner. For example, the controller may take the form of a microprocessor or processor together with a computer-readable medium storing computer-readable program code (e.g., software or firmware) executable by the (micro)processor, logic gates, switches, an Application Specific Integrated Circuit (ASIC), a programmable logic controller, or an embedded microcontroller; examples of controllers include, but are not limited to, the following microcontrollers: ARC 625D, Atmel AT91SAM, Microchip PIC18F26K20, and Silicon Labs C8051F320. A memory controller may also be implemented as part of the control logic for the memory. Those skilled in the art will also appreciate that, in addition to implementing the controller purely as computer-readable program code, the same functionality can be achieved by logically programming the method steps such that the controller takes the form of logic gates, switches, application specific integrated circuits, programmable logic controllers, embedded microcontrollers and the like. Such a controller may thus be considered a hardware component, and the means included therein for performing the various functions may also be considered as structures within the hardware component. Indeed, means for performing the functions may be regarded as being both software modules for performing the method and structures within a hardware component.
The systems, devices, modules or units illustrated in the above embodiments may be implemented by a computer chip or an entity, or by a product with certain functions. One typical implementation device is a computer. In particular, the computer may be, for example, a personal computer, a laptop computer, a cellular telephone, a camera phone, a smartphone, a personal digital assistant, a media player, a navigation device, an email device, a game console, a tablet computer, a wearable device, or a combination of any of these devices.
For convenience of description, the above devices are described as being divided into various units by function, and are described separately. Of course, the functionality of the units may be implemented in one or more software and/or hardware when implementing the present application.
As will be appreciated by one skilled in the art, embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and so forth) having computer-usable program code embodied therein.
The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the application. It will be understood that each flow and/or block of the flowchart illustrations and/or block diagrams, and combinations of flows and/or blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
In a typical configuration, a computing device includes one or more processors (CPUs), input/output interfaces, network interfaces, and memory.
The memory may include forms of volatile memory in a computer-readable medium, such as Random Access Memory (RAM), and/or non-volatile memory, such as Read Only Memory (ROM) or flash memory (flash RAM). Memory is an example of a computer-readable medium.
Computer-readable media, including both permanent and non-permanent, removable and non-removable media, may implement information storage by any method or technology. The information may be computer-readable instructions, data structures, modules of a program, or other data. Examples of computer storage media include, but are not limited to, Phase Change Memory (PRAM), Static Random Access Memory (SRAM), Dynamic Random Access Memory (DRAM), other types of Random Access Memory (RAM), Read Only Memory (ROM), Electrically Erasable Programmable Read Only Memory (EEPROM), flash memory or other memory technology, Compact Disc Read Only Memory (CD-ROM), Digital Versatile Discs (DVD) or other optical storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other non-transmission medium that can be used to store information that can be accessed by a computing device. As defined herein, a computer-readable medium does not include a transitory computer-readable medium such as a modulated data signal or a carrier wave.
It should also be noted that the terms "comprises," "comprising," or any other variation thereof are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising a ..." does not exclude the presence of other like elements in the process, method, article, or apparatus comprising the element.
As will be appreciated by one skilled in the art, embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The application may be described in the general context of computer-executable instructions, such as program modules, being executed by a computer. Generally, program modules include routines, programs, objects, components, data structures, etc. that perform particular tasks or implement particular abstract data types. The application may also be practiced in distributed computing environments where tasks are performed by remote processing devices that are linked through a communications network. In a distributed computing environment, program modules may be located in both local and remote computer storage media including memory storage devices.
All the embodiments in the present specification are described in a progressive manner, and the same and similar parts among the embodiments are referred to each other, and each embodiment focuses on the differences from other embodiments. In particular, for the system embodiment, since it is substantially similar to the method embodiment, the description is simple, and for the relevant points, reference may be made to the partial description of the method embodiment.
The above description is only an example of the present application and is not intended to limit the present application. Various modifications and changes may occur to those skilled in the art. Any modification, equivalent replacement, improvement, etc. made within the spirit and principle of the present application should be included in the scope of the claims of the present application.

Claims (14)

1. A method of constructing a container network, comprising:
creating a virtual network interface in a physical host;
allocating the created virtual network interface to a virtual host deployed in the physical host, wherein a plurality of container instances are deployed in the virtual host;
configuring the virtual network interface to a network namespace of the container instance so that the container instance transmits data to a virtual switch or a physical network interface on the physical host through the virtual network interface;
configuring a forwarding rule based on the virtual network interface so that the physical host forwards data received from the virtual switch or the physical network interface according to the forwarding rule;
the method further comprises the following steps:
when a target container instance is abnormal in processing or the target container instance needs to be upgraded in function, determining a substitute container instance of the target container instance, and determining a target virtual network interface for the substitute container instance;
and configuring the target virtual network interface to a network namespace of the substitute container instance, so that the substitute container instance transmits data to a virtual switch or a physical network interface on a physical host where the substitute container instance is located through the target virtual network interface, and the physical host where the substitute container instance is located forwards the data received from the virtual switch or the physical network interface according to a forwarding rule of the target virtual network interface.
2. The method of claim 1, wherein the virtual network interface comprises: a virtual network interface supporting hot plug.
3. The method of claim 1, wherein the substitute container instance and the target container instance are deployed in the same virtual host or in different virtual hosts in the same physical host;
the target virtual network interface is an original virtual network interface configured to a network namespace of the target container instance.
4. The method of claim 1, wherein the container instance accesses, through the virtual network interface, a virtual private cloud to which the physical host is connected.
5. The method of claim 1, wherein the virtual network interface comprises: an elastic network interface, a virtual function (VF) interface obtained through single-root I/O virtualization (SR-IOV), or a virtual network interface obtained through the Data Plane Development Kit (DPDK).
6. A container network constructed by the method of any one of claims 1 to 5 and comprising:
a plurality of physical hosts, the physical hosts comprising: a virtual network interface, a virtual switch or a physical network interface, a virtual host deployed in the physical host, and a container instance deployed in the virtual host; and
a network switching device connected to the physical host.
7. A physical host based on a container network, the container network being constructed by the method of any one of claims 1 to 5, the physical host comprising:
a virtual network interface;
a virtual switch or a physical network interface;
a virtual host deployed in the physical host; and
a container instance deployed in the virtual host.
8. A data transmission method for a container network constructed by the method of any one of claims 1 to 5, the data transmission method comprising:
sending a first data packet at a first container instance over a first virtual network interface;
receiving the first data packet at a first physical host where the first container instance is located, through a first virtual switch or a first physical network interface, and sending the first data packet, where the first data packet is destined for a second container instance deployed in a second virtual host, and the second virtual host is deployed in a second physical host.
9. The method of claim 8, wherein after receiving the first data packet at the first physical host and sending the first data packet, the data transfer method further comprises:
receiving the first data packet at the second physical host through a second virtual switch or a second physical network interface, and sending the first data packet through a second virtual network interface;
receiving, at the second container instance, the first data packet over the second virtual network interface.
10. The method of claim 9, wherein after receiving the first data packet at the second container instance over the second virtual network interface, the data transfer method further comprises:
generating, at the second container instance, a second data packet destined for the first container instance in response to the first data packet;
sending, at the second container instance, the second data packet over the second virtual network interface;
and receiving the second data packet at the second physical host through the second virtual switch or the second physical network interface, and sending the second data packet.
11. The method of claim 10, wherein after receiving the second data packet at the second physical host and sending the second data packet, the data transmission method further comprises:
receiving, at the first physical host, the second data packet through the first virtual switch or a first physical network interface, and sending the second data packet through a first virtual network interface;
receiving, at the first container instance, the second data packet through the first virtual network interface.
12. A container network construction apparatus comprising:
the network interface creating module is used for creating a virtual network interface in the physical host;
a network interface allocation module, configured to allocate the created virtual network interface to a virtual host deployed in the physical host, where multiple container instances are deployed in the virtual host;
a network interface configuration module, configured to configure the virtual network interface to a network namespace of the container instance, so that the container instance transmits data to a virtual switch or a physical network interface on the physical host through the virtual network interface;
a forwarding rule configuration module, configured to configure a forwarding rule based on the virtual network interface, so that the physical host forwards, according to the forwarding rule, data received from the virtual switch or the physical network interface;
a traffic migration module, configured to determine a substitute container instance of a target container instance and determine a target virtual network interface for the substitute container instance when the target container instance is abnormal in processing or the target container instance needs to be upgraded in function;
and configuring the target virtual network interface to a network namespace of the substitute container instance, so that the substitute container instance transmits data to a virtual switch or a physical network interface on a physical host where the substitute container instance is located through the target virtual network interface, and the physical host where the substitute container instance is located forwards the data received from the virtual switch or the physical network interface according to a forwarding rule of the target virtual network interface.
13. A container network construction apparatus comprising:
a processor; and
a memory arranged to store computer executable instructions that, when executed, cause the processor to perform the method of any of claims 1 to 5.
14. A storage medium storing computer-executable instructions that, when executed, implement the method of any one of claims 1 to 5.
CN201810747082.4A 2018-07-09 2018-07-09 Container network construction method and device, physical host and data transmission method Active CN110704155B (en)

Publications (2)

Publication Number Publication Date
CN110704155A CN110704155A (en) 2020-01-17
CN110704155B true CN110704155B (en) 2023-03-17

Family

ID=69193005

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201810747082.4A Active CN110704155B (en) 2018-07-09 2018-07-09 Container network construction method and device, physical host and data transmission method

Country Status (1)

Country Link
CN (1) CN110704155B (en)

Families Citing this family (19)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111522624B (en) * 2020-04-17 2023-10-20 成都安恒信息技术有限公司 Message forwarding performance elastic expansion system and expansion method based on virtualization technology
CN111556136B (en) * 2020-04-26 2022-08-30 全球能源互联网研究院有限公司 Data interaction method between internal containers of power edge Internet of things agent
CN111600751B (en) * 2020-05-12 2022-09-20 中国民航信息网络股份有限公司 Data center management method and system
CN113687940B (en) * 2020-05-19 2024-02-27 阿里巴巴集团控股有限公司 Load balancing method and device and physical machine
CN113301004B (en) * 2020-06-17 2023-05-09 阿里巴巴集团控股有限公司 Data processing method, device, communication method and single-network-card virtual machine
CN111934918B (en) * 2020-07-24 2023-07-11 北京金山云网络技术有限公司 Network isolation method and device for container instances in same container cluster
CN112187671B (en) * 2020-11-05 2024-03-12 北京金山云网络技术有限公司 Network access method and related equipment thereof
CN112398687B (en) * 2020-11-13 2023-04-18 广东省华南技术转移中心有限公司 Configuration method of cloud computing network, cloud computing network system and storage medium
CN112398688B (en) * 2020-11-13 2022-06-03 广东省华南技术转移中心有限公司 Container network configuration method, container network system, and storage medium
CN112565047B (en) * 2020-11-19 2022-03-04 浪潮思科网络科技有限公司 Method, device, equipment and medium for constructing network by using VPP in docker
CN112859643A (en) * 2021-01-21 2021-05-28 合肥工业大学 Physical system simulator and construction method thereof
CN113660243A (en) * 2021-08-11 2021-11-16 杭州安恒信息技术股份有限公司 Application protection method and system, readable storage medium and computer equipment
CN113992428B (en) * 2021-11-29 2024-02-09 天融信雄安网络安全技术有限公司 Intrusion prevention method and device in container environment, electronic equipment and storage medium
CN114422350B (en) * 2021-12-02 2024-02-06 阿里巴巴(中国)有限公司 Public cloud container instance creation method
CN114416278B (en) * 2021-12-14 2023-01-17 北京勤慕数据科技有限公司 Container network communication monitoring method and system
CN114629744B (en) * 2022-01-25 2024-01-16 浙江大华技术股份有限公司 Data access method, system and related device based on macvlan host network
CN114629844B (en) * 2022-02-28 2024-04-05 浙江大华技术股份有限公司 Message forwarding method and device and electronic equipment
CN115473760B (en) * 2022-08-31 2023-12-26 上海仙途智能科技有限公司 Data transmission method and device, terminal equipment and computer readable storage medium
CN116319323A (en) * 2023-05-22 2023-06-23 江苏博云科技股份有限公司 Method and system for accelerating container network by using intelligent network card under Kubernetes environment

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105491020A (en) * 2015-11-24 2016-04-13 上海市共进通信技术有限公司 Method for realizing restriction of program in operating system of intelligent device on access of IP (Internet Protocol) address
CN107276826A (en) * 2017-07-24 2017-10-20 郑州云海信息技术有限公司 Container network configuration method and device

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8675644B2 (en) * 2009-10-16 2014-03-18 Oracle America, Inc. Enhanced virtual switch
US10261814B2 (en) * 2014-06-23 2019-04-16 Intel Corporation Local service chaining with virtual machines and virtualized containers in software defined networking
US10579403B2 (en) * 2015-06-29 2020-03-03 Vmware, Inc. Policy based provisioning of containers
US10135726B2 (en) * 2016-10-27 2018-11-20 Vmware, Inc. Virtualization port layer including physical switch port and logical switch port

Patent Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105491020A (en) * 2015-11-24 2016-04-13 上海市共进通信技术有限公司 Method for realizing restriction of program in operating system of intelligent device on access of IP (Internet Protocol) address
CN107276826A (en) * 2017-07-24 2017-10-20 郑州云海信息技术有限公司 Container network configuration method and device

Also Published As

Publication number Publication date
CN110704155A (en) 2020-01-17

Similar Documents

Publication Publication Date Title
CN110704155B (en) Container network construction method and device, physical host and data transmission method
CN106537338B (en) Self-expanding clouds
CN107506258B (en) Method and apparatus for data backup
US9571374B2 (en) Dynamically allocating compute nodes among cloud groups based on priority and policies
US8972990B2 (en) Providing a seamless transition for resizing virtual machines from a development environment to a production environment
US9588797B2 (en) Returning terminated virtual machines to a pool of available virtual machines to be reused thereby optimizing cloud resource usage and workload deployment time
JP5837683B2 (en) Native cloud computing with network segmentation
US9311132B1 (en) Allocating all or a portion of the memory in a cache module in each hypervisor in a pool of hypervisors to form a shared cache module to be utilized by the virtual machines run by the pool of hypervisors
CN117897691A (en) Use of remote PODs in Kubernetes
CN103729234A (en) Method and device for clustering management of virtual machines
KR101821016B1 (en) Apparatus, system and method for allocating identifiers to components of a control system
US10341181B2 (en) Method and apparatus to allow dynamic changes of a replica network configuration in distributed systems
US9983909B1 (en) Converged infrastructure platform comprising middleware preconfigured to support containerized workloads
CN107807840B (en) Equipment direct connection method and device applied to virtual machine network
CN104809020B (en) Methods, systems and devices for generating snapshots
US11003618B1 (en) Out-of-band interconnect control and isolation
US10216599B2 (en) Comprehensive testing of computer hardware configurations
US8046460B1 (en) Automatic server deployment using a pre-provisioned logical volume
US11029882B2 (en) Secure multiple server access to a non-volatile storage device
JP2023553278A (en) Automatic generation of affinity and anti-affinity rules
US20200364057A1 (en) Processing unit subtype configuration
CN113296878A (en) Container processing method and device, electronic equipment and system
CN115640058B (en) Operating system switching method, electronic device and storage medium
US11561787B2 (en) Application invocation on specified operating system version
US11868821B2 (en) Surrogate process creation technique for high process-per-server scenarios

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant