CN111290838B - Application access request processing method and device based on container cluster - Google Patents

Application access request processing method and device based on container cluster

Publication number
CN111290838B
Authority
CN
China
Prior art keywords
application
node
computing
computing nodes
trusted memory
Prior art date
Legal status
Active
Application number
CN202010384200.7A
Other languages
Chinese (zh)
Other versions
CN111290838A (en
Inventor
吴秉哲
陈超超
王力
Current Assignee
Alipay Hangzhou Information Technology Co Ltd
Original Assignee
Alipay Hangzhou Information Technology Co Ltd
Priority date
Filing date
Publication date
Application filed by Alipay Hangzhou Information Technology Co Ltd filed Critical Alipay Hangzhou Information Technology Co Ltd
Priority to CN202010384200.7A priority Critical patent/CN111290838B/en
Publication of CN111290838A publication Critical patent/CN111290838A/en
Application granted granted Critical
Publication of CN111290838B publication Critical patent/CN111290838B/en
Priority to PCT/CN2021/092172 priority patent/WO2021227954A1/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00 Arrangements for program control, e.g. control units
    • G06F9/06 Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/44 Arrangements for executing specific programs
    • G06F9/455 Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
    • G06F9/45533 Hypervisors; Virtual machine monitors
    • G06F9/45558 Hypervisor-specific management and integration aspects
    • G06F2009/45562 Creating, deleting, cloning virtual machine instances
    • G06F2009/4557 Distribution of virtual machine instances; Migration and load balancing
    • G06F2009/45575 Starting, stopping, suspending or resuming virtual machine instances
    • G06F2009/45583 Memory management, e.g. access or allocation
    • G06F9/46 Multiprogramming arrangements
    • G06F9/50 Allocation of resources, e.g. of the central processing unit [CPU]
    • G06F9/5005 Allocation of resources, e.g. of the central processing unit [CPU] to service a request
    • G06F9/5011 Allocation of resources, e.g. of the central processing unit [CPU] to service a request the resources being hardware resources other than CPUs, Servers and Terminals
    • G06F9/5016 Allocation of resources, e.g. of the central processing unit [CPU] to service a request the resources being hardware resources other than CPUs, Servers and Terminals the resource being the memory
    • G06F9/5061 Partitioning or combining of resources
    • G06F9/5077 Logical partitioning of resources; Management or configuration of virtualized resources

Abstract

The embodiments of this specification provide an application access request processing method and device based on a container cluster. A first application is deployed in a part of the computing nodes, and a container corresponding to the first application runs in a trusted memory area. The method is performed by a master node and comprises the following steps: receiving an access request of a user for the first application; sending an acquisition request for the usage amount of the trusted memory area to each of these computing nodes; receiving the returned usage amounts of the trusted memory areas; and determining the remaining amount of the trusted memory area of each computing node based on the received usage amounts. If the remaining amounts are all less than the predetermined threshold, capacity expansion is performed for the first application, which includes starting a newly created container of the first application in the trusted memory areas of other computing nodes. The access request is then distributed to the other computing nodes, which respond to it. Thereby, access requests for private data can be processed in a trusted execution environment.

Description

Application access request processing method and device based on container cluster
Technical Field
One or more embodiments of the present disclosure relate to the field of computer technologies, and in particular, to a method and an apparatus for processing an application access request based on a container cluster.
Background
In the conventional technology, applications deployed in a container cluster usually run in a common memory. The container cluster herein is used to provide services to users based on the applications deployed therein. Therefore, the conventional service response mechanism of the container cluster, i.e. the response mechanism of the application access request, only considers the CPU occupancy rate and the normal memory usage amount.
Disclosure of Invention
One or more embodiments of the present disclosure describe a method and an apparatus for processing an application access request based on a container cluster, which can effectively process the application access request.
In a first aspect, a container cluster-based application access request processing method is provided, including:
receiving an access request of a user for the first application;
sending a request for acquiring the usage amount of the trusted memory area to each computing node in the partial computing nodes;
receiving the usage amount of the trusted memory area returned by each computing node;
determining the residual amount of the trusted memory area of each computing node based on the usage amount;
if the remaining amount of the trusted memory area of each computing node is smaller than a predetermined threshold, performing capacity expansion for the first application; the capacity expansion comprises: starting a new container corresponding to the first application in a trusted memory area of the memories of other computing nodes except the part of the computing nodes;
distributing the access request to the other computing nodes, and responding to the access request by the other computing nodes.
In a second aspect, a container cluster-based application access request processing method is provided, including:
receiving an acquisition request for the usage amount of the trusted memory area sent by the master node; the acquisition request is sent by the master node when it receives an access request of a user for a first application;
acquiring the usage amount of a trusted memory area of the first computing node;
returning the usage amount of the trusted memory area to the master node, so that the master node performs capacity expansion for the first application when it determines that the remaining amounts of the trusted memory areas of the partial computing nodes are all smaller than a predetermined threshold; the capacity expansion comprises: starting a new container corresponding to the first application in a trusted memory area of the memories of other computing nodes except the part of the computing nodes; and causing the master node to distribute the access request to the other computing nodes, which respond to the access request.
In a third aspect, an apparatus for processing an application access request based on a container cluster is provided, including:
a receiving unit, configured to receive an access request of a user for the first application;
a sending unit, configured to send an acquisition request of a usage amount of the trusted memory area to each computing node in the partial computing nodes;
the receiving unit is further configured to receive usage amounts of the trusted memory areas returned by the computing nodes respectively;
a determining unit, configured to determine, based on the usage amount received by the receiving unit, a remaining amount of the trusted memory area of each computing node;
a capacity expansion unit, configured to perform capacity expansion for the first application if the remaining amount of the trusted memory area of each computing node determined by the determining unit is smaller than a predetermined threshold; the capacity expansion comprises: starting a new container corresponding to the first application in a trusted memory area of the memories of other computing nodes except the part of the computing nodes;
an allocating unit, configured to allocate the access request received by the receiving unit to the other computing node, and respond to the access request by the other computing node.
In a fourth aspect, an apparatus for processing an application access request based on a container cluster is provided, including:
a receiving unit, configured to receive an acquisition request for the usage amount of the trusted memory area sent by the master node; the acquisition request is sent by the master node when it receives an access request of a user for a first application;
an obtaining unit, configured to obtain the usage amount of the trusted memory area of the first computing node;
a sending unit, configured to return the usage amount of the trusted memory area to the master node, so that the master node performs capacity expansion for the first application when it determines that the remaining amounts of the trusted memory areas of the part of the computing nodes are all smaller than a predetermined threshold; the capacity expansion comprises: starting a new container corresponding to the first application in a trusted memory area of the memories of other computing nodes except the part of the computing nodes; and causing the master node to distribute the access request to the other computing nodes, which respond to the access request.
In a fifth aspect, there is provided a computer storage medium having stored thereon a computer program which, when executed in a computer, causes the computer to perform the method of the first or second aspect.
In a sixth aspect, there is provided a computing device comprising a memory having stored therein executable code, and a processor that when executing the executable code, implements the method of the first or second aspect.
In the method and apparatus for processing an application access request based on a container cluster provided in one or more embodiments of the present specification, when an access request of a user for a first application is received, the usage amounts of the trusted memory areas of the computing nodes on which the first application is deployed are collected first, and the remaining amount of the trusted memory area of each computing node is then determined. If the remaining amounts of the trusted memory areas of these computing nodes are all smaller than a predetermined threshold, capacity expansion is performed for the first application. The expansion here includes starting a new container corresponding to the first application in a trusted memory area of the memories of other computing nodes except the computing nodes on which the first application is deployed. The access request is then distributed to the other computing nodes, which respond to the access request. Therefore, the processing efficiency of access requests for the first application can be greatly improved.
Drawings
In order to illustrate the technical solutions of the embodiments of the present disclosure more clearly, the drawings needed in the description of the embodiments are briefly introduced below. The drawings in the following description are only some embodiments of the present disclosure, and those skilled in the art can obtain other drawings based on them without creative effort.
FIG. 1 is a schematic diagram of a container cluster provided herein;
FIG. 2 is a flow chart of an application deployment method provided herein;
FIG. 3 is a flowchart of a method for processing an application access request based on a container cluster according to an embodiment of the present disclosure;
FIG. 4 is a flowchart of a method for processing an application access request based on a container cluster according to another embodiment of the present disclosure;
FIG. 5 is a schematic diagram of an application access request processing apparatus based on a container cluster according to an embodiment of the present specification;
FIG. 6 is a schematic diagram of an application access request processing apparatus based on a container cluster according to another embodiment of the present disclosure.
Detailed Description
The scheme provided by the specification is described below with reference to the accompanying drawings.
Before describing the solution provided in the present specification, the inventive concept of the present solution will be explained below.
As will be understood from the background, in the conventional art, applications in a container cluster run in common memory. However, with the growing popularity of SGX (Software Guard Extensions, a set of software protection technologies provided by Intel based on its CPU hardware) and the increasing security requirements of some applications, the inventors of the present application propose to introduce SGX technology into container clusters. For example, an application with a high security requirement deployed in a container cluster may run in the secure memory of SGX, i.e., EPC memory (a hardware-protected region that SGX provides in physical memory). However, since the EPC memory has a limit of 128 MB, effectively managing the access requests of an application running in the secure memory (hereinafter referred to as a first application) is a problem to be solved.
To achieve efficient management of the access requests of the first application, the inventors of the present application propose that a master node in the container cluster receives an access request of a user for the first application. The master node sends an acquisition request for the usage amount of the trusted memory area to each computing node in the container cluster on which the first application is deployed, and receives the usage amount of the trusted memory area returned by each of these computing nodes. Based on the received usage amounts, it determines the remaining amount of the trusted memory area of each computing node. If the remaining amount of the trusted memory area of each computing node is smaller than a predetermined threshold, capacity expansion is performed for the first application. This capacity expansion includes starting a new container corresponding to the first application in a trusted memory area of the memories of other computing nodes except the computing nodes on which the first application is deployed. The access request is then distributed to the other computing nodes, which respond to the access request. Therefore, the processing efficiency of access requests for the first application can be greatly improved.
FIG. 1 is a schematic diagram of a container cluster provided herein. The container cluster may be managed by k8s (Kubernetes), a tool for container orchestration, and may therefore also be referred to as a k8s container cluster. In FIG. 1, the container cluster may include several hosts, one of which is a master node, while the other hosts are computing nodes. The master node is used for managing the computing nodes. The memory of each computing node comprises a trusted memory area, which is EPC memory and has a size limit of 128 MB. In addition, a first application is deployed in a part of the computing nodes. The first application is a containerized application, and its corresponding container runs in the trusted memory area of the memory of those computing nodes. A containerized application here is an application that runs in a container; that is, there is a one-to-one relationship between containers and applications.
Note that the containers in a k8s container cluster are managed in groups. In particular, multiple closely related containers are often grouped together on the same computing node. Such a group of containers constitutes the basic scheduling unit of the container cluster: the pod. It should be understood that at least one pod runs on each computing node. The following components also run on each of the above computing nodes: kubelet, Proxy, and Docker daemon. These three components are responsible for managing the life cycle of the pods on the computing node (for example, creating or destroying a pod), processing the access requests of applications, and the like.
In addition, the following components run on the master node: etcd, API Server, Controller Manager and Scheduler. The last three components form the master control center of the container cluster, which performs management functions for the whole cluster such as resource management, pod scheduling, elastic scaling, security control, system monitoring and error correction.
It should be noted that the above-mentioned components of the master node and the components of the computing nodes are common components in the container cluster of k8s, and therefore, the functions thereof are not described in detail herein.
In short, based on the master node and the components on the plurality of computing nodes, application deployment can be performed in the container cluster, and in addition, an access request of the deployed application can be processed.
It should be understood that fig. 1 is only an example of a container cluster, and in practical applications, common applications may also be deployed for each computing node where the first application is deployed, but the common applications run in a common memory. That is, for each compute node in fig. 1, only the deployed first application will run in the trusted memory region of its memory, i.e., the first application will monopolize the trusted memory region. In addition, for other computing nodes except the computing node with the first application deployed in fig. 1, a common application (i.e., an application running in a common memory) may be deployed therein.
The following describes a deployment process of the first application in the container cluster shown in fig. 1.
Fig. 2 is a flowchart of an application deployment method provided in this specification. As shown in fig. 2, the method may include the steps of:
Step 202, the master node receives an application deployment request.
The application deployment request may include a container image corresponding to the first application. The container image may be obtained by a developer packaging a first application and a dependent package of the first application through a container (Docker) (an open source application container engine).
In addition, the application deployment request may further include a configuration file of the container image. The configuration file can be used for defining container parameters, such as the CPU occupation amount and the storage resource occupation amount of the container.
Step 204, selecting, from the plurality of computing nodes, the part of the computing nodes on which the first application is to be deployed, at least according to the resource occupation of the plurality of computing nodes.
The resource usage here may include, but is not limited to, CPU occupancy, memory usage, storage resource occupancy, and the like.
In one example, the master node may select, from the plurality of computing nodes through its overall control center, a computing node whose resource usage satisfies a predetermined condition as a part of the computing nodes where the first application is deployed. The predetermined conditions herein may include, but are not limited to, CPU occupancy being less than a first threshold, memory usage being less than a second threshold, storage resource occupancy being less than a third threshold, and so on. Here, the first threshold, the second threshold, and the third threshold are set based on empirical values.
In another example, the master node may select, through its master control center, a part of the computing nodes to deploy the first application from the plurality of computing nodes according to the resource usage of the plurality of computing nodes and the configuration file.
For example, first, the remaining CPU and the remaining storage resource of the computing nodes may be determined according to their CPU occupancy and storage resource occupancy, respectively. Then, the computing nodes whose remaining CPU is greater than the CPU occupation amount defined in the configuration file and whose remaining storage resource is greater than the storage resource occupation amount defined in the configuration file are selected from the plurality of computing nodes as the part of the computing nodes on which the first application is deployed.
Step 206, the master node sends the container image to each of the partial computing nodes, so that each of them starts a corresponding container of the first application by running the container image, and runs the first application in the started container.
The corresponding container of the first application mentioned above is a Docker container. It should be noted that Docker containers started from the image files of different applications have no interface between them, that is, the Docker containers are isolated from each other. Furthermore, the first application runs in a Docker container just as if it were running on a real physical machine.
After each computing node in the above part of computing nodes starts a corresponding container of the first application and runs the first application in the started corresponding container, deployment of the first application in the container cluster is completed.
The above is a description of a deployment process of the first application in the container cluster shown in fig. 1, and the following is a description of an access process of the first application by the user.
FIG. 3 is a flowchart of a method for processing an application access request based on a container cluster according to an embodiment of the present disclosure. The method may be executed by any device having processing capabilities: a server, a system or a host. For example, it may be the master node in FIG. 1. As shown in FIG. 3, the method may specifically include:
Step 302, receiving an access request of a user for a first application.
In one example, the access request may include a unique identification of the first application. Thus, the first application that the user requested to access may be determined based on the unique identification.
Step 304, sending an obtaining request of the usage amount of the trusted memory area to each computing node in the partial computing nodes.
It should be appreciated that, because the first application is deployed in only a portion of the computing nodes of the container cluster, the portion of the computing nodes having the first application deployed therein may be selected from the computing nodes of the container cluster prior to performing step 304.
Referring to FIG. 1, each computing node on which the first application is deployed may be selected from the N computing nodes, computing node 1 through computing node N. Assuming that computing node i and computing node j both have the first application deployed, computing node i and computing node j may be selected as the part of the computing nodes, where i and j are positive integers with 1 ≤ i ≤ N and 1 ≤ j ≤ N.
After receiving the acquisition request, each computing node may acquire the usage amount of its own trusted memory area by calling the hardware interface of the trusted memory area, and return the result to the master node. The hardware interface of the trusted memory area is an SGX interface, also commonly referred to as the SGX driver.
Step 306, receiving the usage amount of the trusted memory area returned by each computing node.
Step 308, determining the remaining amount of the trusted memory area of each computing node based on the received usage amount.
For example, for any first computing node among these computing nodes, the remaining amount of its trusted memory area may be obtained as the difference between the upper usage limit of the trusted memory area (e.g., 128 MB) and the corresponding usage amount.
Step 310, if the remaining amount of the trusted memory area of each computing node is less than the predetermined threshold, performing capacity expansion for the first application, where the capacity expansion includes: starting a new container corresponding to the first application in a trusted memory area of the memories of other computing nodes except the part of the computing nodes.
In this specification, a corresponding predetermined threshold value may be set in advance for each computing node. The predetermined threshold corresponding to each computing node may be the same or different. For example, the predetermined threshold corresponding to each computing node is the same, and may be set according to the type of the first application deployed in the container cluster.
In an example, determining whether the remaining amounts of the trusted memory areas of the computing nodes are all less than the predetermined threshold may include: determining the maximum remaining amount among the remaining amounts of the trusted memory areas of the computing nodes, and determining whether this maximum remaining amount is less than the predetermined threshold. If it is, the remaining amount of the trusted memory area of every computing node is smaller than the predetermined threshold.
It should be noted that, the newly created container mentioned in step 310 may be obtained by copying the corresponding container of the first application to the corresponding pod on the deployed computing node; alternatively, this may be achieved by generating copies of the pod containing the corresponding container of the first application on other computing nodes.
In addition, the number of the other computing nodes may be one or more, and the specific number may be set by the master control center of the master node in combination with target information (e.g., the current usage amount and the predetermined usage amount of the trusted memory of each computing node).
Step 312, the access request is distributed to the other computing nodes, and the other computing nodes respond to the access request.
It should be understood that when the number of other computing nodes is multiple, the access request may be allocated to one of the other computing nodes. In one example, one other compute node here may be randomly chosen.
The above describes the case in which the remaining amount of the trusted memory area of every computing node deployed with the first application is smaller than the predetermined threshold. When the remaining amount of the trusted memory area of at least one of these computing nodes is not smaller than the predetermined threshold, the computing node with the largest remaining amount among the at least one computing node is taken as the target computing node that responds to the access request, and the access request is sent to the target computing node.
After receiving the access request, the target computing node may process it and return the processing result to the master node. The master node then forwards the processing result to the user.
As in the foregoing example, assuming that, of the computing node i and the computing node j, the computing node i corresponds to the maximum remaining amount, and the maximum remaining amount is not less than the predetermined threshold value, an access request may be sent to the computing node i, processed by the computing node i, and a processing result of the access request may be returned to the master node.
In summary, in the container-cluster-based application access request processing method provided in one embodiment of the present specification, when an access request of a user for a first application is received, the usage amounts of the trusted memory areas of the computing nodes deployed with the first application are collected first, and the remaining amounts of the trusted memory areas of those computing nodes are then determined. If the remaining amounts of the trusted memory areas of those computing nodes are all smaller than a predetermined threshold, capacity expansion is performed for the first application. The capacity expansion includes starting a new container corresponding to the first application in a trusted memory area of the memories of computing nodes other than those on which the first application is deployed. The access request is then distributed to the other computing nodes, which respond to it. The user's access request can therefore be answered quickly, which further improves the user experience.
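The master-node flow summarized above (collect usage, compute remaining trusted memory, then either dispatch to the node with the most remaining memory or expand capacity) can be sketched as follows. This is an added example, not code from the patent: the node names, the `start_container` callback, the `expand_count` parameter, the treatment of a missing or implausible usage report as zero remaining memory, and the error raised when no other node exists are all assumptions.

```python
import random
from dataclasses import dataclass, field

MB = 1024 * 1024
DEFAULT_UPPER_LIMIT = 128 * MB  # upper usage limit given as the example in the text


@dataclass
class Decision:
    action: str       # "dispatch" or "scale_out"
    target: str       # computing node that responds to the access request
    remaining: dict   # node -> remaining trusted memory in bytes
    started_on: list = field(default_factory=list)  # nodes given a new container


def remaining_amounts(usage, upper_limits=None):
    """remaining = upper usage limit - usage returned by the node."""
    upper_limits = upper_limits or {}
    remaining = {}
    for node, used in usage.items():
        limit = upper_limits.get(node, DEFAULT_UPPER_LIMIT)
        if used is None or not 0 <= used <= limit:
            # Assumption: a report that is absent or outside [0, limit]
            # is treated as "no trusted memory left" on that node.
            remaining[node] = 0
        else:
            remaining[node] = limit - used
    return remaining


def decide(usage, threshold, other_nodes, start_container,
           expand_count=1, upper_limits=None, rng=random):
    """Pick the node that answers one access request for the first application.

    usage:           node -> usage reported by nodes running the application
    threshold:       one value for all nodes, or a dict node -> threshold
    other_nodes:     nodes on which the application is not yet deployed
    start_container: hypothetical callback that starts the new container
    """
    if not usage:
        raise ValueError("the first application is not deployed on any node")
    remaining = remaining_amounts(usage, upper_limits)

    def threshold_for(node):
        return threshold[node] if isinstance(threshold, dict) else threshold

    # Nodes whose remaining amount is not less than their threshold.
    eligible = [n for n in remaining if remaining[n] >= threshold_for(n)]
    if eligible:
        # With one shared threshold this equals the "maximum remaining
        # amount < threshold" shortcut described in the text.
        target = max(eligible, key=lambda n: remaining[n])
        return Decision("dispatch", target, remaining)

    # Every deployed node is below its threshold: expand capacity.
    chosen = list(other_nodes)[:expand_count]
    if not chosen:
        raise RuntimeError("no other computing node available for expansion")
    for node in chosen:
        start_container(node)
    # One of the newly started nodes is picked at random to respond.
    return Decision("scale_out", rng.choice(chosen), remaining, chosen)


# Constructed sample usage reports (bytes), not measurements.
SAMPLE_IDLE = {"node-i": 60 * MB, "node-j": 100 * MB}
SAMPLE_BUSY = {"node-i": 120 * MB, "node-j": 125 * MB}

if __name__ == "__main__":
    launched = []
    for name, usage in (("idle", SAMPLE_IDLE), ("busy", SAMPLE_BUSY)):
        d = decide(usage, 16 * MB, ["node-k", "node-m"], launched.append)
        print(name, d.action, d.target,
              {n: r // MB for n, r in d.remaining.items()})
```

Because the usage figures are self-reported by the computing nodes, the range check in `remaining_amounts` is the only place in this sketch where a malformed report is caught before it influences scheduling.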
Fig. 4 is a flowchart of a method for processing an application access request based on a container cluster according to another embodiment of the present disclosure. The method execution subject may be a device having processing capabilities: a server or system or host. For example, it may be any first computing node in the portion of computing nodes in FIG. 1 in which the first application is deployed. As shown in fig. 4, the method may specifically include:
Step 402, receiving a request for obtaining the usage amount of the trusted memory area sent by the master node.
The acquisition request may be sent by the master node upon receiving an access request from a user for the first application.
In step 404, the usage amount of the trusted memory area of the first computing node is obtained.
In one example, the first computing node may obtain the usage amount of the trusted memory region by calling a hardware interface of the trusted memory region. The hardware interface of the trusted memory area is an SGX interface, which is also commonly referred to as an SGX driver (driver).
Step 406, returning the usage amount of the trusted memory area to the master node.
After receiving the usage amount of the trusted memory area returned by each computing node, the master node may determine the remaining amount of the trusted memory area of each computing node based on the received usage amount. For example, for any first computing node among the computing nodes, the remaining amount of the trusted memory region of the first computing node may be obtained as the difference between the upper usage limit (e.g., 128 MB) of the trusted memory region and the corresponding usage amount.
Then, the master node may determine whether the remaining amount of the trusted memory region of each computing node is less than a predetermined threshold. In this specification, a predetermined threshold may be set for each computing node in advance. The predetermined threshold corresponding to each computing node may be the same or different. For example, the predetermined threshold corresponding to each computing node is the same, and may be set according to the type of the first application deployed in the container cluster.
In an example, the step of determining whether the remaining amounts of the trusted memory regions of the computing nodes are all less than a predetermined threshold may include: determining the maximum remaining amount among the remaining amounts of the trusted memory regions of the computing nodes, and determining whether that maximum remaining amount is less than the predetermined threshold. If so, the remaining amounts of the trusted memory regions of all the computing nodes are determined to be less than the predetermined threshold.
Then, when the master node determines that the remaining amounts of the trusted memory areas of the computing nodes are all smaller than the predetermined threshold, capacity expansion is performed for the first application. The capacity expansion includes: starting a new container corresponding to the first application in a trusted memory area of memories of other computing nodes except the part of the computing nodes.
The newly created container mentioned here may be obtained by copying a corresponding pod of the first application on the deployed computing node; alternatively, this may be achieved by generating copies of the pod containing the corresponding container of the first application on other computing nodes.
It should be noted that the number of the other computing nodes may be one or more, and the specific number may be set by the master control center of the master node in combination with target information (e.g., the current usage amount and the predetermined usage amount of the trusted memory of each computing node).
Finally, the master node may distribute the access request to other computing nodes and respond to the access request by the other computing nodes.
It should be understood that when the number of other computing nodes is multiple, the access request may be allocated to one of the other computing nodes. In one example, one other compute node here may be randomly chosen.
The above description covers the case in which the remaining amounts of the trusted memory regions of all computing nodes deployed with the first application are smaller than the predetermined threshold. When the remaining amount of the trusted memory region of at least one of the computing nodes is not smaller than the predetermined threshold, the computing node corresponding to the largest remaining amount among the at least one computing node is taken as the target computing node responding to the access request, and the access request is sent to the target computing node.
Assuming that the first computing node is the target computing node corresponding to the largest remaining amount, the first computing node may receive the access request, process it, and return a processing result of the access request to the master node. The master node then forwards the processing result to the user.
In summary, in the container-cluster-based application access request processing method provided in one embodiment of the present specification, when an access request of a user for a first application is received, the usage amounts of the trusted memory areas of the computing nodes deployed with the first application are collected first, and the remaining amounts of the trusted memory areas of those computing nodes are then determined. If the remaining amounts of the trusted memory areas of those computing nodes are all smaller than a predetermined threshold, capacity expansion is performed for the first application. The capacity expansion includes starting a new container corresponding to the first application in a trusted memory area of the memories of computing nodes other than those on which the first application is deployed. The access request is then distributed to the other computing nodes, which respond to it. The user's access request can therefore be answered quickly, which further improves the user experience.
Corresponding to the method for processing the application access request based on the container cluster, an embodiment of the present specification further provides an apparatus for processing the application access request based on the container cluster. The container cluster includes a master node and a number of compute nodes. The master node is used for managing the plurality of computing nodes. A first application is deployed in a part of the plurality of computing nodes, the first application is a containerized application, and a corresponding container of the first application runs in a trusted memory area of a memory of the part of the computing nodes. The apparatus is provided in a master node, and as shown in fig. 5, the apparatus may include:
A receiving unit 502, configured to receive an access request of a user for a first application.
A sending unit 504, configured to send an obtaining request of a usage amount of the trusted memory area to each computing node in the partial computing nodes.
The receiving unit 502 is further configured to receive a usage amount of the trusted memory area returned by each computing node.
The usage amount of the trusted memory area of each computing node is obtained by each computing node through calling a hardware interface of the trusted memory area.
A determining unit 506, configured to determine, based on the usage amount received by the receiving unit 502, a remaining amount of the trusted memory region of each computing node.
An expansion unit 508, configured to perform capacity expansion for the first application if the remaining amount of the trusted memory area of each computing node determined by the determining unit 506 is less than the predetermined threshold. The capacity expansion includes: starting a new container corresponding to the first application in a trusted memory area of memories of other computing nodes except the part of the computing nodes.
The remaining amount of the trusted memory area of each computing node being less than the predetermined threshold includes: the maximum remaining amount among the remaining amounts of the trusted memory areas of the computing nodes being smaller than the predetermined threshold.
An allocating unit 510, configured to allocate the access request received by the receiving unit 502 to the other computing nodes, so that the other computing nodes respond to the access request.
The sending unit 504 is further configured to, if the remaining amount of the trusted memory region of at least one of the computing nodes is not less than the predetermined threshold, take the computing node corresponding to the largest remaining amount of the at least one computing node as a target computing node responding to the access request, and send the access request to the target computing node.
Optionally, the apparatus may further include: a selection unit (not shown).
The receiving unit 502 is further configured to receive an application deployment request, where the application deployment request includes a container image corresponding to the first application.
The selecting unit is configured to select the part of the computing nodes from the plurality of computing nodes at least according to the resource occupation of the plurality of computing nodes.
The sending unit 504 is further configured to send the container image to each computing node in the part of the computing nodes selected by the selecting unit, so that each of those computing nodes starts a corresponding container of the first application by running the container image, and runs the first application in the started corresponding container.
The functions of each functional module of the device in the above embodiments of the present description may be implemented through each step of the above method embodiments, and therefore, a specific working process of the device provided in one embodiment of the present description is not repeated herein.
An embodiment of the present specification provides an application access request processing apparatus based on a container cluster, which can quickly respond to an access request of a user, and thus can improve user experience.
Corresponding to the method for processing the application access request based on the container cluster, an embodiment of the present specification further provides an apparatus for processing the application access request based on the container cluster. The container cluster includes a master node and a number of compute nodes. The master node is used for managing the plurality of computing nodes. A first application is deployed in a part of the plurality of computing nodes, the first application is a containerized application, and a corresponding container of the first application runs in a trusted memory area of a memory of the part of the computing nodes. The apparatus is disposed at any first computing node in the partial computing nodes, and as shown in fig. 6, the apparatus may include:
A receiving unit 602, configured to receive an obtaining request for the usage amount of the trusted memory area sent by the master node, where the obtaining request is sent by the master node when it receives an access request of a user for a first application.
An obtaining unit 604, configured to obtain a usage amount of the trusted memory area of the first computing node.
The obtaining unit 604 is specifically configured to:
call a hardware interface of the trusted memory area to acquire the usage amount of the trusted memory area of the first computing node.
A sending unit 606, configured to return the usage amount of the trusted memory area to the master node, so that the master node performs capacity expansion for the first application when it determines that the remaining amount of the trusted memory area of the part of the computing nodes is less than the predetermined threshold. The capacity expansion includes: starting a new container corresponding to the first application in a trusted memory area of memories of other computing nodes except the part of the computing nodes. The master node is further caused to distribute the access request to the other computing nodes, which respond to the access request.
Optionally, the first computing node corresponds to a maximum remaining amount of the remaining amounts, and the apparatus may further include: a processing unit (not shown in the figure).
The receiving unit 602 is further configured to receive an access request for the first application sent by the master node.
The processing unit is configured to process the access request received by the receiving unit 602, and return a corresponding processing result to the master node.
Optionally, the apparatus may further include: a running unit (not shown in the figure).
The receiving unit 602 is further configured to receive a container image of the first application sent by the master node.
The running unit is configured to run the container image in the trusted memory area of the first computing node so as to start the corresponding container of the first application.
The running unit is further configured to run the first application in the started corresponding container.
The functions of each functional module of the device in the above embodiments of the present description may be implemented through each step of the above method embodiments, and therefore, a specific working process of the device provided in one embodiment of the present description is not repeated herein.
An embodiment of the present specification provides an application access request processing apparatus based on a container cluster, which can quickly respond to an access request of a user, and thus can improve user experience.
In another aspect, embodiments of the present specification provide a computer-readable storage medium having stored thereon a computer program, which, when executed in a computer, causes the computer to perform the method shown in fig. 3 or fig. 4.
In another aspect, embodiments of the present specification provide a computing device comprising a memory having stored therein executable code, and a processor that, when executing the executable code, implements the method illustrated in fig. 3 or fig. 4.
The embodiments in the present specification are described in a progressive manner, and the same and similar parts among the embodiments are referred to each other, and each embodiment focuses on the differences from the other embodiments. In particular, for the apparatus embodiment, since it is substantially similar to the method embodiment, the description is relatively simple, and for the relevant points, reference may be made to the partial description of the method embodiment.
The steps of a method or algorithm described in connection with the disclosure herein may be embodied in hardware or may be embodied in software instructions executed by a processor. The software instructions may consist of corresponding software modules that may be stored in RAM memory, flash memory, ROM memory, EPROM memory, EEPROM memory, registers, a hard disk, a removable disk, a CD-ROM, or any other form of storage medium known in the art. An exemplary storage medium is coupled to the processor such that the processor can read information from, and write information to, the storage medium. Of course, the storage medium may also be integral to the processor. The processor and the storage medium may reside in an ASIC. Additionally, the ASIC may reside in a server. Of course, the processor and the storage medium may reside as discrete components in a server.
Those skilled in the art will recognize that, in one or more of the examples described above, the functions described in this invention may be implemented in hardware, software, firmware, or any combination thereof. When implemented in software, the functions may be stored on or transmitted over a computer-readable medium as one or more instructions or code. Computer-readable media include both computer storage media and communication media, including any medium that facilitates transfer of a computer program from one place to another. A storage medium may be any available medium that can be accessed by a general purpose or special purpose computer.
The foregoing description has been directed to specific embodiments of this disclosure. Other embodiments are within the scope of the following claims. In some cases, the actions or steps recited in the claims may be performed in a different order than in the embodiments and still achieve desirable results. In addition, the processes depicted in the accompanying figures do not necessarily require the particular order shown, or sequential order, to achieve desirable results. In some embodiments, multitasking and parallel processing may also be possible or may be advantageous.
The above embodiments describe the objects, technical solutions and advantages of the present specification in further detail. It should be understood that the above are only specific embodiments of the present specification and are not intended to limit its scope; any modifications, equivalent substitutions, improvements and the like made on the basis of the technical solutions of the present specification should be included in the scope of the present specification.

Claims (12)

1. An application access request processing method based on a container cluster, wherein the container cluster comprises a master node and a plurality of computing nodes; the master node is used for managing the plurality of computing nodes; a first application is deployed in a part of the computing nodes, wherein the first application is a containerized application, and a corresponding container of the first application runs in a trusted memory area of a memory of the part of the computing nodes; the method is performed by the master node and comprises:
receiving an access request of a user for the first application;
sending a request for acquiring the usage amount of the trusted memory area to each computing node in the partial computing nodes;
receiving the usage amount of the trusted memory area returned by each computing node;
determining the remaining amount of the trusted memory area of each computing node based on the difference between the upper usage limit of each computing node and the usage amount returned by each computing node;
if the remaining amount of the trusted memory area of each computing node is smaller than a predetermined threshold, performing capacity expansion for the first application; the capacity expansion comprises: starting a new container corresponding to the first application in a trusted memory area of memories of other computing nodes except the part of the computing nodes;
distributing the access request to the other computing nodes and responding to the access request by the other computing nodes;
if the remaining amount of the trusted memory area of at least one of the computing nodes is not less than the predetermined threshold, taking the computing node corresponding to the maximum remaining amount in the at least one computing node as a target computing node responding to the access request, and sending the access request to the target computing node;
wherein the usage amount of the trusted memory area of each computing node is obtained by each computing node by calling a hardware interface of the trusted memory area.
2. The method of claim 1, wherein the remaining amount of the trusted memory region of each computing node being less than a predetermined threshold comprises: the maximum remaining amount among the remaining amounts of the trusted memory areas of the computing nodes being smaller than the predetermined threshold.
3. The method of claim 1, the first application being deployed by:
receiving an application deployment request; the application deployment request includes a container image corresponding to the first application;
selecting the part of the computing nodes from the plurality of computing nodes at least according to the resource occupation conditions of the plurality of computing nodes;
and sending the container image to each computing node in the part of the computing nodes, so that each of those computing nodes starts a corresponding container of the first application by running the container image, and runs the first application in the started corresponding container.
4. An application access request processing method based on a container cluster, wherein the container cluster comprises a master node and a plurality of computing nodes; the master node is used for managing the plurality of computing nodes; a first application is deployed in part of the plurality of computing nodes, the first application is a containerized application, and a corresponding container of the first application runs in a trusted memory area of memories of the plurality of computing nodes; the method is performed by a first computing node of any of the partial computing nodes, and comprises:
receiving an acquisition request for the usage amount of the trusted memory area sent by the master node; the acquisition request is sent by the master node when receiving an access request of a user for a first application;
acquiring the usage amount of a trusted memory area of the first computing node;
returning the usage amount of the trusted memory area to the master node, so that the master node performs capacity expansion for the first application when determining that the remaining amounts of the trusted memory areas of the partial computing nodes are all smaller than a predetermined threshold; the capacity expansion comprises: starting a new container corresponding to the first application in a trusted memory area of memories of other computing nodes except the part of the computing nodes; and causing the master node to distribute the access request to the other computing nodes and to respond to the access request by the other computing nodes; the remaining amount of the trusted memory area of the part of the computing nodes is determined based on the difference between the upper usage limit of the part of the computing nodes and the respective returned usage amount;
the obtaining of the usage amount of the trusted memory area of the first computing node includes:
calling a hardware interface of a trusted memory area to acquire the usage amount of the trusted memory area of the first computing node;
the first computing node corresponds to a maximum remaining amount of the remaining amounts; the method further comprises the following steps:
receiving an access request for the first application, which is sent by the master node;
and processing the access request and returning a corresponding processing result to the master node.
5. The method of claim 4, the first application deployed in the first computing node by:
receiving a container image of the first application sent by the master node;
running the container image in a trusted memory area of the first compute node to launch a corresponding container of the first application;
running the first application in the started corresponding container.
6. An application access request processing device based on a container cluster, wherein the container cluster comprises a master node and a plurality of computing nodes; the master node is used for managing the plurality of computing nodes; a first application is deployed in a part of the computing nodes, wherein the first application is a containerized application, and a corresponding container of the first application runs in a trusted memory area of a memory of the part of the computing nodes; the apparatus is provided in the master node, including:
a receiving unit, configured to receive an access request of a user for the first application;
a sending unit, configured to send an acquisition request of a usage amount of the trusted memory area to each computing node in the partial computing nodes;
the receiving unit is further configured to receive usage amounts of the trusted memory areas returned by the computing nodes respectively;
a determining unit, configured to determine, based on a difference between the upper usage limit of each computing node received by the receiving unit and the usage amount returned by each computing node, a remaining amount of the trusted memory area of each computing node;
a capacity expansion unit, configured to perform capacity expansion for the first application if the remaining amount of the trusted memory area of each computing node determined by the determining unit is smaller than a predetermined threshold; the capacity expansion comprises: starting a new container corresponding to the first application in a trusted memory area of memories of other computing nodes except the part of the computing nodes;
an allocation unit configured to allocate the access request received by the receiving unit to the other computing node, and to respond to the access request by the other computing node;
the sending unit is further configured to, if the remaining amount of the trusted memory area of at least one of the computing nodes is not less than a predetermined threshold, take the computing node corresponding to the largest remaining amount of the at least one computing node as a target computing node responding to the access request, and send the access request to the target computing node;
wherein the usage amount of the trusted memory area of each computing node is obtained by each computing node by calling a hardware interface of the trusted memory area.
7. The apparatus of claim 6, wherein the remaining amount of the trusted memory region of each computing node being less than the predetermined threshold comprises: the maximum remaining amount among the remaining amounts of the trusted memory areas of the computing nodes being smaller than the predetermined threshold.
8. The apparatus of claim 6, further comprising: a selecting unit;
the receiving unit is further configured to receive an application deployment request; the application deployment request includes a container image corresponding to the first application;
the selecting unit is used for selecting the part of the computing nodes from the plurality of computing nodes at least according to the resource occupation condition of the plurality of computing nodes;
the sending unit is further configured to send the container image to each computing node in the part of the computing nodes selected by the selecting unit, so that each of those computing nodes starts a corresponding container of the first application by running the container image, and runs the first application in the started corresponding container.
9. An application access request processing device based on a container cluster, wherein the container cluster comprises a master node and a plurality of computing nodes; the master node is used for managing the plurality of computing nodes; a first application is deployed in part of the plurality of computing nodes, the first application is a containerized application, and a corresponding container of the first application runs in a trusted memory area of memories of the plurality of computing nodes; the apparatus, disposed at any first computing node of the plurality of computing nodes, includes:
a receiving unit, configured to receive a request for acquiring the usage amount of the trusted memory area sent by the master node; the acquisition request is sent by the master node when receiving an access request of a user for a first application;
an obtaining unit, configured to obtain the usage amount of the trusted memory area of the first computing node;
a sending unit, configured to return the usage amount of the trusted memory area to the master node, so that the master node performs capacity expansion for the first application when determining that the remaining amount of the trusted memory area of the part of the computing nodes is smaller than a predetermined threshold; the capacity expansion comprises: starting a new container corresponding to the first application in a trusted memory area of memories of other computing nodes except the part of the computing nodes; and causing the master node to distribute the access request to the other computing nodes and to respond to the access request by the other computing nodes; the remaining amount of the trusted memory area of the part of the computing nodes is determined based on the difference between the upper usage limit of the part of the computing nodes and the respective returned usage amount;
the obtaining unit is specifically configured to:
calling a hardware interface of a trusted memory area to acquire the usage amount of the trusted memory area of the first computing node;
the first computing node corresponds to a maximum remaining amount of the remaining amounts; the device further comprises: a processing unit;
the receiving unit is further configured to receive an access request for the first application sent by the master node;
and the processing unit is configured to process the access request received by the receiving unit and return a corresponding processing result to the master node.
10. The apparatus of claim 9, the apparatus further comprising: a running unit;
the receiving unit is further configured to receive the container image of the first application sent by the master node;
the running unit is configured to run the container image in a trusted memory area of the first computing node to start a corresponding container of the first application;
the running unit is further used for running the first application in the started corresponding container.
11. A computer-readable storage medium, on which a computer program is stored which, when executed in a computer, causes the computer to carry out the method of any one of claims 1-5.
12. A computing device comprising a memory having executable code stored therein and a processor that, when executing the executable code, implements the method of any of claims 1-5.
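The master-node decision that the units of claim 9 feed (remaining amount, threshold check, capacity expansion, routing to the node with the maximum remaining amount) can be modeled as follows. This is an added example, not code from the patent; `Node`, `dispatch`, the MB units, applying the threshold to the hosting node with the most remaining trusted memory, choosing the spare node with the most remaining, and the fallback when no spare node exists are all assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass


@dataclass
class Node:
    name: str
    limit_mb: int            # upper limit of trusted-memory usage (assumed unit: MB)
    used_mb: int = 0         # usage amount last returned by the node
    hosts_app: bool = False  # a container of the first application runs here

    def remaining(self) -> int:
        # Remaining amount = upper limit - returned usage amount.
        # A report outside [0, limit] is rejected instead of being trusted.
        if not 0 <= self.used_mb <= self.limit_mb:
            raise ValueError(f"{self.name}: implausible usage report {self.used_mb}")
        return self.limit_mb - self.used_mb


def dispatch(nodes: list[Node], threshold_mb: int) -> tuple[str, bool]:
    """Return (name of the node that gets the access request, expanded?)."""
    hosting = [n for n in nodes if n.hosts_app]
    if not hosting:
        raise RuntimeError("application is not deployed on any node")
    # Route to the hosting node with the maximum remaining amount.
    best = max(hosting, key=Node.remaining)
    if best.remaining() >= threshold_mb:
        return best.name, False
    # Assumption: expansion triggers when even the best hosting node
    # is below the threshold, i.e. all hosting nodes are below it.
    spare = [n for n in nodes if not n.hosts_app]
    if not spare:
        return best.name, False  # assumption: no node left, keep serving
    target = max(spare, key=Node.remaining)
    target.hosts_app = True  # stands in for starting the new container
    return target.name, True
```
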
CN202010384200.7A 2020-05-09 2020-05-09 Application access request processing method and device based on container cluster Active CN111290838B (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN202010384200.7A CN111290838B (en) 2020-05-09 2020-05-09 Application access request processing method and device based on container cluster
PCT/CN2021/092172 WO2021227954A1 (en) 2020-05-09 2021-05-07 Application access request processing based on container cluster

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202010384200.7A CN111290838B (en) 2020-05-09 2020-05-09 Application access request processing method and device based on container cluster

Publications (2)

Publication Number Publication Date
CN111290838A CN111290838A (en) 2020-06-16
CN111290838B true CN111290838B (en) 2020-08-18

Family

ID=71017389

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010384200.7A Active CN111290838B (en) 2020-05-09 2020-05-09 Application access request processing method and device based on container cluster

Country Status (2)

Country Link
CN (1) CN111290838B (en)
WO (1) WO2021227954A1 (en)

Also Published As

Publication number Publication date
CN111290838A (en) 2020-06-16
WO2021227954A1 (en) 2021-11-18

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
REG Reference to a national code

Ref country code: HK

Ref legal event code: DE

Ref document number: 40029453

Country of ref document: HK