CN112099913A - Method for realizing safety isolation of virtual machine based on OpenStack - Google Patents
Method for realizing safety isolation of virtual machine based on OpenStack Download PDFInfo
- Publication number
- CN112099913A CN112099913A CN202010903348.7A CN202010903348A CN112099913A CN 112099913 A CN112099913 A CN 112099913A CN 202010903348 A CN202010903348 A CN 202010903348A CN 112099913 A CN112099913 A CN 112099913A
- Authority
- CN
- China
- Prior art keywords
- server
- service
- network
- switch
- intranet
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
- 238000002955 isolation Methods 0.000 title claims abstract description 31
- 238000000034 method Methods 0.000 title claims abstract description 27
- 230000005540 biological transmission Effects 0.000 claims description 7
- 238000009434 installation Methods 0.000 claims description 6
- 238000001514 detection method Methods 0.000 claims description 5
- 238000010586 diagram Methods 0.000 description 4
- 230000008878 coupling Effects 0.000 description 3
- 238000010168 coupling process Methods 0.000 description 3
- 238000005859 coupling reaction Methods 0.000 description 3
- 230000006870 function Effects 0.000 description 3
- 238000004891 communication Methods 0.000 description 2
- 230000000694 effects Effects 0.000 description 1
- 230000004048 modification Effects 0.000 description 1
- 238000012986 modification Methods 0.000 description 1
- 230000003287 optical effect Effects 0.000 description 1
- 238000000926 separation method Methods 0.000 description 1
Images
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F9/00—Arrangements for program control, e.g. control units
- G06F9/06—Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
- G06F9/44—Arrangements for executing specific programs
- G06F9/455—Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
- G06F9/45533—Hypervisors; Virtual machine monitors
- G06F9/45558—Hypervisor-specific management and integration aspects
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F9/00—Arrangements for program control, e.g. control units
- G06F9/06—Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
- G06F9/44—Arrangements for executing specific programs
- G06F9/455—Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
- G06F9/45533—Hypervisors; Virtual machine monitors
- G06F9/45558—Hypervisor-specific management and integration aspects
- G06F2009/45587—Isolation or security of virtual machine instances
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F9/00—Arrangements for program control, e.g. control units
- G06F9/06—Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
- G06F9/44—Arrangements for executing specific programs
- G06F9/455—Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
- G06F9/45533—Hypervisors; Virtual machine monitors
- G06F9/45558—Hypervisor-specific management and integration aspects
- G06F2009/45595—Network integration; Enabling network access in virtual machine instances
Landscapes
- Engineering & Computer Science (AREA)
- Software Systems (AREA)
- Theoretical Computer Science (AREA)
- Physics & Mathematics (AREA)
- General Engineering & Computer Science (AREA)
- General Physics & Mathematics (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
The application discloses a method and a related device for realizing safety isolation of a virtual machine based on OpenStack, which realize the isolation of the virtual machine accessing Internet service on the basis of an OpenStack platform and an intranet application virtual machine on the network, wherein the method comprises the following steps: creating, by the Nova component, a first usable area AZ and a second usable area AZ; allocating a first physical link access mode to a network card of a server accessed to the first AZ, wherein the server comprises 2 or more than 2 network cards, and the first physical link access mode is used for accessing a management network switch and an intranet switch; allocating a second physical link access mode to a network card of a server machine accessed to the second AZ, wherein the server machine comprises 2 or more than 2 network cards, and the second physical link access mode is used for accessing a management network switch and a DMZ zone switch; selecting a server accessed to the first AZ, and configuring a first dynamic server configuration protocol DHCP service for the server; and selecting a server accessed to the second AZ, and configuring a second DHCP service for the server.
Description
Technical Field
The embodiment of the application relates to the field of information security management, in particular to a method and a related device for realizing security isolation of a virtual machine based on OpenStack.
Background
The OpenStack cloud computing management platform is a free and open-source cloud computing platform which is developed and launched by cooperation of National Aeronautics and astronautics Administration (NASA) and Rackspace of one of three global cloud computing centers, mainly uses pooled virtual resources to construct and manage private cloud and public cloud, can be installed on hardware platforms of different manufacturers of data centers, and uniformly manages computing, network and storage resources. OpenStack is composed of a number of components, for example Nova is the component mainly responsible for computing resources, Neutron is the component providing the network, Heat is the component doing application orchestration, and so on.
In the existing scheme, visitors from both an external network and an internal network can access services based on the OpenStack platform, but when important confidential information is placed in a server, if all visitors can contact the information, unsafe factors and the possibility of confidential information leakage are brought to the server.
Disclosure of Invention
The embodiment of the application provides a method and a related device for realizing the safety isolation of a virtual machine under an OpenStack platform, and the physical isolation of the virtual machine accessed to the Internet service and an intranet application virtual machine on the network is realized based on the OpenStack platform.
The embodiment of the application provides a method for realizing virtual machine security isolation under an OpenStack platform, which comprises the following steps:
creating a first available area AZ and a second available area AZ through a Nova assembly, wherein the first AZ is a set of service machines accessing intranet services, the second AZ is a set of service machines accessing isolation area DMZ internet services, and the first AZ and the second AZ are respectively connected with a plurality of computing nodes generated by the accessed service machines;
allocating a first physical link access mode to a network card of the server machine accessed to the first AZ, wherein the server machine comprises 2 or more than 2 network cards, the network cards are used for managing a network and providing network services for a virtual machine service network created on the server machine, and the first access mode is used for accessing a management network switch and an intranet switch;
allocating a second physical link access mode to a network card of the server machine accessed to the second AZ, wherein the server machine comprises 2 or more than 2 network cards, the network cards are used for managing a network and providing network services for a virtual machine service network established on the server machine, and the second access mode is used for accessing a management network switch and a DMZ zone switch;
selecting a server accessed to the first AZ, and configuring a first dynamic server configuration protocol DHCP service for the server, wherein the server comprises at least one server, and the first DHCP service is used for acquiring an IP address for the created intranet service virtual machine;
and selecting a server accessed to the second AZ, and configuring a second DHCP service for the server, wherein the server comprises at least one server, and the second DHCP service is used for acquiring an IP address for the created Internet service virtual machine.
Optionally, after selecting the server accessing the second AZ, before configuring a second DHCP service for the server, the method further includes:
and detecting whether the server completes the installation of the Openstack-neutron software package, if so, configuring a second DHCP service for the server, and if not, prompting a user to install the software package.
Optionally, the allocating a first physical link access manner to the network card of the server accessing the first AZ includes:
and both the computing node management network card and the control node management network card which are accessed to the first AZ are accessed to a management network switch, the service network card is accessed to an intranet switch, and the port of the intranet switch is in a trunk mode and is used for transparent transmission of the designated service network vlan.
Optionally, the allocating a second physical link access manner to the network card of the server accessing the second AZ includes:
and uniformly accessing the computing node management network card accessed to the second AZ into a management network switch, accessing the service network card into the DMZ zone switch, and setting a trunk mode at a port of the DMZ zone switch for transparent transmission of the corresponding service network vlan.
Optionally, configuring a second DHCP service for the server machine includes:
modifying a dhcp agent configuration file, wherein the dhcp agent is a functional component provided by an OpenStack platform, and the configuration file is a file under the OpenStack-neutron software package;
starting a dhcp agent service;
and configuring a network scheduling strategy, restarting network service, and providing DHCP service for the virtual machines in the network.
Optionally, a host server machine in the second AZ, where the virtual machine accessing the internet is located, receives management sent by the OpenStack and requests the control node for invocation.
A second aspect of the present application provides a device for implementing virtual machine security isolation based on OpenStack, including:
the device comprises a creating unit, a first available area AZ and a second available area AZ, wherein the first AZ is a set of service machines accessing intranet services, the second AZ is a set of service machines accessing isolation zone DMZ internet services, and the first AZ and the second AZ are respectively connected with a plurality of computing nodes generated by the accessed service machines;
the first allocation unit is used for allocating a first physical link access mode to a network card of the service machine accessing the first AZ, the service machine comprises 2 or more than 2 network cards, the network card is used for managing a network and providing network service for a virtual machine service network created on the service machine, and the first access mode is used for accessing a management network switch and an intranet switch;
the second allocating unit is used for allocating a second physical link access mode to a network card of the server machine accessed to the second AZ, the server machine comprises 2 or more than 2 network cards, the network cards are used for managing a network and providing network services for a virtual machine service network created on the server machine, and the second access mode is used for accessing a management network switch and a DMZ zone switch;
the first configuration unit is used for selecting a server accessed to the first AZ and configuring a protocol DHCP service for the server, wherein the server comprises at least one server, and the first DHCP service is used for acquiring an IP address for the created intranet service virtual machine;
and the second configuration unit is used for selecting a service machine accessed to the second AZ and configuring a second DHCP service for the service machine, wherein the service machine comprises at least one service machine, and the second DHCP service is used for acquiring an IP address for the created Internet service virtual machine.
Optionally, the apparatus further comprises:
the detection unit is used for detecting whether the server completes the installation of the Openstack-neutron software package;
and the prompting unit prompts a user to install the software package if the detection unit does not detect the Openstack-neutron software package.
Optionally, the first distribution unit comprises:
and the first access module accesses the computing node management network card and the control node management network card which are accessed to the first AZ into a management network switch, the service network card accesses an intranet switch, and the port of the intranet switch is in a trunk mode and is used for transparently transmitting the specified service network vlan.
Optionally, the second configuration unit includes:
the selecting module is used for selecting the server accessed to the second AZ;
the modification module is used for modifying a dhcp agent configuration file of the server, wherein the dhcp agent is a functional component provided by an OpenStack platform, and the configuration file is a file under the OpenStack-neutron software package;
the starting module is used for starting the dhcp agent service;
and the network module is used for configuring a network scheduling strategy, restarting network service and providing DHCP service for the virtual machines in the network.
A third aspect of the present embodiment provides a system for implementing virtual machine isolation based on OpenStack, including:
the system comprises a router, a firewall, an intranet switch, a management network switch, a DMZ (distributed multimedia broadcasting) zone switch, a plurality of intranet servers, a plurality of DMZ zone servers, a computing node management network card, a control node management network card, an internal service network zone and an internet service network;
the router is respectively connected with the intranet switch and the DMZ zone server, and the router is respectively connected with an intranet service network zone and a firewall;
the Internet service network is connected with a firewall;
the DMZ zone server is respectively connected with the DMZ zone switch and the management switch to form a DMZ zone network;
the intranet server and the DMZ server are respectively connected with a computing node management network card and a control node management network card;
the intranet switch is connected with the intranet server;
the DMZ zone switch is connected with the DMZ zone server in a Trunk mode;
the intranet server is connected with the management network switch through a computing node management network card;
and the DMZ zone server is connected with the management network switch through a computing node management network card.
From the technical scheme, the application establishes two available network areas, namely a first AZ and a second AZ, sets a DHCP service for a server in the two network areas so as to schedule the network, establishes an intranet business application virtual machine and an Internet business virtual machine accessed to a DMZ area, and establishes the virtual machines to a specified host server through specifying AZ, so that the host server where the intranet business virtual machine is positioned and the host server where the DMZ area business virtual machine is positioned are separated physically and the business network is also separated, carries out policy control on the network accessed to the Internet virtual machine by deploying to the DMZ area, so that a visitor from an external network can access the services in the DMZ, but can not contact company confidential information or private information stored in the intranet, and the like, and even if the server in the DMZ is damaged, the confidential information in the intranet cannot be influenced, the security of confidential information is improved.
Drawings
Fig. 1 is a schematic flowchart of a method for implementing virtual machine security isolation based on OpenStack according to an embodiment of the present disclosure;
fig. 2 is another schematic flow chart of a method for implementing virtual machine security isolation based on OpenStack according to an embodiment of the present disclosure;
fig. 3 is a schematic structural diagram of an OpenStack-based implementation of a virtual machine security isolation apparatus according to an embodiment of the present application;
fig. 4 is a schematic diagram of a network for implementing a virtual machine isolation system based on OpenStack according to an embodiment of the present application.
Detailed Description
The embodiment of the application provides a method and a related device for realizing the safety isolation of a virtual machine under an OpenStack platform, which are used for realizing the physical isolation of the virtual machine accessed to the Internet service and an intranet application virtual machine on the network based on the OpenStack platform.
The technical solutions in the present application will be described clearly and completely with reference to the accompanying drawings in the embodiments of the present application, and it is obvious that the described embodiments are only some embodiments of the present application, not all embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
The method of the present application may be applied to a router, a network switch with a three-layer switching function, or other gateway devices with a routing function, and the present application is not limited thereto.
Referring to fig. 1, an embodiment of a method for implementing virtual machine security isolation based on OpenStack according to the present application includes:
101. creating a first available area AZ and a second available area AZ through a Nova assembly, wherein the first AZ is a set of service machines accessing intranet services, the second AZ is a set of service machines accessing isolation area DMZ internet services, and the first AZ and the second AZ are respectively connected with a plurality of computing nodes generated by the accessed service machines;
if important information is contained in the project deployed on the cloud platform, but no limitation is imposed on visitors, the security of the project is bound to be threatened. For this purpose, the present application divides a set of servers accessing an intranet service and servers accessing an extranet service, creates and names an Available Zone (AZ) through a Nova component of an OpenStack platform, divides a part of the originally default AZ as an isolation Zone (DMZ), and constructs a safety Zone between an internal network and an external network, thereby realizing separation of the internal network from the external network.
AZ may be understood as a set of hosts (host), and in the Nova module, a user may specify an AZ when creating a virtual machine, so that the virtual machine is generated on the host included in the AZ. The first AZ is a set of service machines accessing intranet services, the second AZ, namely the DMZ is a set of service machines accessing internet services, important information is stored in the first AZ, and visitors of an extranet can only access information of the DMZ area without influencing the information in the first AZ.
It should be noted that the number of servers divided by the first AZ and the second AZ may be set by actual business requirements, and is not limited herein.
102. Allocating a first physical link access mode to a network card of the server machine accessed to the first AZ, wherein the server machine comprises 2 or more than 2 network cards, the network cards are used for managing a network and providing network services for a virtual machine service network created on the server machine, and the first access mode is used for accessing a management network switch and an intranet switch;
since Nova services are deployed on the compute nodes and the control nodes, in this embodiment, the compute node management Network card and the control node management Network card that access the first AZ are both accessed to the management Network switch, and the service Network card is accessed to the intranet switch, and ports of the two switches are both set to be in a port convergence (trunk) mode and used for transparent transmission of a specified Virtual Local Area Network (vlan).
It should be noted that the generation of the virtual machine depends on the host, and since the virtual machine in this embodiment uses a service network, each service machine at least includes two types of network cards, one type is used for managing the network, the other type is used as the service network of the virtual machine, the number of the network cards is 2 or more than 2, and the specific details are not limited herein.
103. Allocating a second physical link access mode to a network card of the server machine accessed to the second AZ, wherein the server machine comprises 2 or more than 2 network cards, the network cards are used for managing a network and providing network services for a virtual machine service network established on the server machine, and the second access mode is used for accessing a management network switch and a DMZ zone switch;
and uniformly accessing the computing node management network card accessed to the second AZ into a management network switch, accessing the service network card into a DMZ zone switch, and setting a port of the DMZ zone switch into a trunk mode for transparently transmitting the external network service vlan.
In the embodiment of the application, the corresponding network card is accessed into different switches, so that the requirement that the control node in the first AZ realizes internal management through the management network and the computing node in the DMZ area is met, and meanwhile, the requirement that the virtual machine service network accessed into the computing node in the DMZ area is accessed into the DMZ area switch and is mapped to the public network through the firewall.
104. Selecting a server accessed to the first AZ, and configuring a first dynamic server configuration protocol DHCP service for the server, wherein the server comprises at least one server, and the first DHCP service is used for acquiring an IP address for the created intranet service virtual machine;
selecting a certain service machine from the service machines accessed to the first AZ, deploying a set of dhcp-agent services provided by a Neutron component on the service machine, setting the availability _ zone as the name of the first AZ, and acquiring an IP address for creating an intranet service virtual machine, wherein the dhcp-agent services deployed on the service machine can be shared by the service machines accessed to the first AZ.
It should be noted that the present application may deploy the dhcp-agent service to the plurality of servers accessing the first AZ according to the actual business requirements, and is not limited herein.
105. And selecting a server accessed to the second AZ, and configuring a second DHCP service for the server, wherein the server comprises at least one server, and the second DHCP service is used for acquiring an IP address for the created Internet service virtual machine.
And selecting a certain service machine from the service machines accessed to the second AZ, deploying a set of dhcp-agent service on the service machine, setting the availability _ zone as the name of the second AZ, and obtaining the IP address for creating the Internet service virtual machine for use, wherein the dhcp-agent service deployed on the service machine can be shared by the service machines accessed to the second AZ.
It should be noted that the present application may deploy the dhcp-agent service to the plurality of servers accessing the second AZ according to actual business requirements, and is not limited herein.
According to the embodiment of the application, the service virtual machines which can meet the requirement for accessing/accessing the internet after the DHCP service is configured for the service machines in the first AZ and the second AZ are scheduled and created to the host machine appointed for the DMZ area, so that the access strategy control of the virtual machines in the DMZ area is facilitated, and the unauthorized access to any resource is prevented.
Referring to fig. 2, a schematic flow diagram of another embodiment of a method for implementing virtual machine security isolation based on OpenStack according to the present application includes:
201. creating a first available area AZ and a second available area AZ through a Nova assembly, wherein the first AZ is a set of service machines accessing intranet services, the second AZ is a set of service machines accessing isolation area DMZ internet services, and the first AZ and the second AZ are respectively connected with a plurality of computing nodes generated by the accessed service machines;
202. the computing node management network card and the control node management network card which are accessed to the first AZ are both accessed to a management network switch, the service network card is accessed to an intranet switch, and the port of the intranet switch is in a trunk mode and is used for transparent transmission of the designated service network vlan;
203. uniformly accessing the computing node management network card accessed to the second AZ into a management network switch, accessing a business network card into the DMZ zone switch, and setting a trunk mode at a port of the DMZ zone switch for transparent transmission of a corresponding business network vlan;
204. selecting a server accessed to the first AZ, and configuring a first dynamic server configuration protocol DHCP service for the server, wherein the server comprises at least one server, and the first DHCP service is used for acquiring an IP address for the created intranet service virtual machine;
205. Selecting a server accessed to the second AZ,
the number of the servers randomly selected to access the second AZ may be one or multiple, and is not limited herein, and may be determined according to actual service conditions.
206. Detecting whether the server completes the installation of the Openstack-neutron software package, if so, executing a step 208, and if not, executing a step 207;
since the Openstack-neutral software package provides network support for the entire Openstack environment, it is necessary to determine whether the software package is installed on the server selected in step 205, so as to support meeting the requirement of configuring the network.
207. Prompting a user to install the software package;
and if the fact that the Openstack-neutron software package is not installed on the server is detected, prompting a user to install the software package, otherwise, failing to perform subsequent network configuration.
208. Modifying a dhcp agent configuration file, wherein the dhcp agent is a functional component provided by an OpenStack platform, and the configuration file is a file under the OpenStack-neutron software package;
and if the server has installed the Openstack-neutron software package, modifying the configuration file specified under the software package, and specifying the domain to which the dhcp agent belongs as the name of the second AZ.
209. Starting a dhcp agent service;
after the configuration step 208, the dhcp agent service is started.
210. And configuring a network scheduling strategy, restarting network service, and providing DHCP service for the virtual machines in the network.
The appointed file is configured through a kernel component Neutron-server of Neutron, the scheduling of starting DHCP service DHCP-agent is changed, after the configuration is completed, the Neutron-server is restarted, and the configured network scheduling policy service takes effect.
According to the method and the device, the network scheduling strategy is configured, the availability _ zone _ tasks can be used for specifying the domain to which the network belongs when the network is created, and after the network is created, the DHCP service is provided for the virtual machine in the network by the DHCP-agent corresponding to the available domain, so that the intranet service virtual machine and the internet service virtual machine can be independently opened, and the safety of the intranet service is greatly improved.
Referring to fig. 3, an embodiment of the present application provides an OpenStack-based virtual machine isolation apparatus, including:
a creating unit 301, configured to create, through a Nova component, a first available area AZ and a second available area AZ, where the first available area AZ is a set of servers accessing an intranet service, the second available area AZ is a set of servers accessing an isolation zone DMZ internet service, and the first available area AZ and the second available area AZ are respectively connected to a plurality of computing nodes generated by the accessed servers;
a first allocating unit 302, configured to allocate a first physical link access manner to a network card of a server accessing the first AZ, where the server includes 2 or more network cards, the network card is used to manage a network and provide a network service for a virtual machine service network created on the server, and the first access manner is used to access a management network switch and an intranet switch;
a second allocating unit 303, configured to allocate a second physical link access manner to a network card of a server that accesses the second AZ, where the server includes 2 or more network cards, the network card is used to manage a network and provide a network service for a virtual machine service network created on the server, and the second access manner is used to access a management network switch and a DMZ zone switch;
a first configuration unit 304, configured to select a server accessed to the first AZ, and configure a protocol DHCP service for the server, where the server includes at least one server, and the first DHCP service is used to obtain an IP address for a created intranet service virtual machine;
a second configuration unit 305, configured to select a server accessed to the second AZ, and configure a second DHCP service for the server, where the server includes at least one server, and the second DHCP service is used to obtain an IP address for the created internet service virtual machine;
a detecting unit 306, configured to detect whether the server completes installation of an Openstack-neutron software package;
and a prompting unit 307, configured to prompt the user to install the software package if the Openstack-neutron software package is not detected by the detection unit.
In this embodiment, the second configuration unit 305 includes:
a selecting module 3051, configured to select a server that accesses the second AZ;
a modifying module 3052, configured to modify a dhcp agent configuration file of the server, where the dhcp agent is a functional component provided by an OpenStack platform, and the configuration file is a file under the OpenStack-neutral software package;
a starting module 3053, configured to start a dhcp agent service;
the network module 3054 is configured to configure a network scheduling policy, restart a network service, and provide a DHCP service for a virtual machine in a network.
In this embodiment, the functions of each unit and each module correspond to the steps in the embodiment shown in fig. 2, and are not described herein again.
Referring to fig. 4, an embodiment of the present application provides a schematic diagram of a network group for implementing a virtual machine isolation system based on OpenStack, including:
the system comprises a router 401, a firewall 402, an intranet switch 403, a management network switch 404, a DMZ zone switch 405, a plurality of intranet servers 406, a plurality of DMZ zone servers 407, a computing node management network card 408, a control node management network card 409, an internal service network zone 410 and an internet service network 411;
the router 401 is respectively connected with the intranet switch 403 and the DMZ zone server 405, and the router is respectively connected with the intranet service network zone 410 and the firewall;
the internet service network 411 is connected with the firewall 402;
the DMZ zone server 405 is connected to the DMZ zone switch and the management switch, respectively, to form a DMZ zone network;
the intranet server 406 and the DMZ zone server 407 are respectively connected with a computing node management network card 408 and a control node management network card 409;
the intranet switch 403 is connected to the intranet server 406;
the DMZ zone switch 405 is connected with the DMZ zone server 407 through a Trunk mode;
the intranet server 406 is connected to the management network switch 404 through a computing node management network card 408;
the DMZ zone server 407 is connected to the management network switch 404 through a computing node management network card 408.
It can be clearly understood by those skilled in the art that, for convenience and brevity of description, the specific working process of the system described above may refer to the corresponding process in the foregoing method embodiment, and is not described herein again.
In the several embodiments provided in the present application, it should be understood that the disclosed system, apparatus and method may be implemented in other manners. For example, the above-described apparatus embodiments are merely illustrative, and for example, the division of the units is only one logical division, and other divisions may be realized in practice, for example, a plurality of units or components may be combined or integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection through some interfaces, devices or units, and may be in an electrical, mechanical or other form.
In addition, functional units in the embodiments of the present application may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit. The integrated unit can be realized in a form of hardware, and can also be realized in a form of a software functional unit.
The integrated unit, if implemented in the form of a software functional unit and sold or used as a stand-alone product, may be stored in a computer readable storage medium. Based on such understanding, the technical solution of the present application may be substantially implemented or contributed to by the prior art, or all or part of the technical solution may be embodied in a software product, which is stored in a storage medium and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present application. And the aforementioned storage medium includes: a U-disk, a removable hard disk, a read-only memory (ROM), a Random Access Memory (RAM), a magnetic disk or an optical disk, and the like.
Claims (10)
1. A method for realizing security isolation of a virtual machine based on OpenStack is characterized by comprising the following steps:
creating a first available area AZ and a second available area AZ through a Nova assembly, wherein the first AZ is a set of service machines accessing intranet services, the second AZ is a set of service machines accessing isolation area DMZ internet services, and the first AZ and the second AZ are respectively connected with a plurality of computing nodes generated by the accessed service machines;
allocating a first physical link access mode to a network card of the server machine accessed to the first AZ, wherein the server machine comprises 2 or more than 2 network cards, the network cards are used for managing a network and providing network services for a virtual machine service network created on the server machine, and the first access mode is used for accessing a management network switch and an intranet switch;
allocating a second physical link access mode to a network card of the server machine accessed to the second AZ, wherein the server machine comprises 2 or more than 2 network cards, the network cards are used for managing a network and providing network services for a virtual machine service network established on the server machine, and the second access mode is used for accessing a management network switch and a DMZ zone switch;
selecting a server accessed to the first AZ, and configuring a first dynamic server configuration protocol DHCP service for the server, wherein the server comprises at least one server, and the first DHCP service is used for acquiring an IP address for the created intranet service virtual machine;
and selecting a server accessed to the second AZ, and configuring a second DHCP service for the server, wherein the server comprises at least one server, and the second DHCP service is used for acquiring an IP address for the created Internet service virtual machine.
2. The method according to claim 1, wherein after selecting the server accessing the second AZ and before configuring a second DHCP service for the server, the method further comprises:
detecting whether the server completes the installation of the Openstack-neutron software package or not;
if yes, configuring a second DHCP service for the server;
if not, prompting the user to install the software package.
3. The method of claim 1, wherein assigning a first physical link access mode to a network card of a server accessing the first AZ comprises:
and both the computing node management network card and the control node management network card which are accessed to the first AZ are accessed to a management network switch, the service network card is accessed to an intranet switch, and the port of the intranet switch is in a trunk mode and is used for transparent transmission of the designated service network vlan.
4. The method according to claim 1, wherein allocating a second physical link access mode to the network card of the server accessing the second AZ comprises:
and uniformly accessing the computing node management network card accessed to the second AZ into a management network switch, accessing the service network card into the DMZ zone switch, and setting a trunk mode at a port of the DMZ zone switch for transparent transmission of the corresponding service network vlan.
5. The method of claim 2, wherein configuring the server machine with a second DHCP service comprises:
modifying a dhcp agent configuration file, wherein the dhcp agent is a functional component provided by an OpenStack platform, and the configuration file is a file under the OpenStack-neutron software package;
starting a dhcp agent service;
and configuring a network scheduling strategy, restarting network service, and providing DHCP service for the virtual machines in the network.
6. The method according to any one of claims 1 to 5, wherein a host server machine in the second AZ, in which a virtual machine accessing the Internet is located, receives management issued by OpenStack and requests a control node for invocation.
7. An apparatus for implementing security isolation of a virtual machine based on OpenStack, comprising:
the device comprises a creating unit, a first available area AZ and a second available area AZ, wherein the first AZ is a set of service machines accessing intranet services, the second AZ is a set of service machines accessing isolation zone DMZ internet services, and the first AZ and the second AZ are respectively connected with a plurality of computing nodes generated by the accessed service machines;
the first allocation unit is used for allocating a first physical link access mode to a network card of the service machine accessing the first AZ, the service machine comprises 2 or more than 2 network cards, the network card is used for managing a network and providing network service for a virtual machine service network created on the service machine, and the first access mode is used for accessing a management network switch and an intranet switch;
the second allocating unit is used for allocating a second physical link access mode to a network card of the server machine accessed to the second AZ, the server machine comprises 2 or more than 2 network cards, the network cards are used for managing a network and providing network services for a virtual machine service network created on the server machine, and the second access mode is used for accessing a management network switch and a DMZ zone switch;
the first configuration unit is used for selecting a server accessed to the first AZ and configuring a protocol DHCP service for the server, wherein the server comprises at least one server, and the first DHCP service is used for acquiring an IP address for the created intranet service virtual machine;
and the second configuration unit is used for selecting a service machine accessed to the second AZ and configuring a second DHCP service for the service machine, wherein the service machine comprises at least one service machine, and the second DHCP service is used for acquiring an IP address for the created Internet service virtual machine.
8. The apparatus of claim 7, further comprising:
the detection unit is used for detecting whether the server completes the installation of the Openstack-neutron software package;
and the prompting unit prompts a user to install the software package if the detection unit does not detect the Openstack-neutron software package.
9. The apparatus of claim 7, wherein the first allocation unit comprises:
and the first access module accesses the computing node management network card and the control node management network card which are accessed to the first AZ into a management network switch, the service network card accesses an intranet switch, and the port of the intranet switch is in a trunk mode and is used for transparently transmitting the specified service network vlan.
10. A system for realizing virtual machine isolation based on OpenStack is characterized by comprising:
the system comprises a router, a firewall, an intranet switch, a management network switch, a DMZ (distributed multimedia broadcasting) zone switch, a plurality of intranet servers, a plurality of DMZ zone servers, a computing node management network card, a control node management network card, an internal service network zone and an internet service network;
the router is respectively connected with the intranet switch and the DMZ zone server, and the router is respectively connected with an intranet service network zone and a firewall;
the Internet service network is connected with a firewall;
the DMZ zone server is respectively connected with the DMZ zone switch and the management switch to form a DMZ zone network;
the intranet server and the DMZ server are respectively connected with a computing node management network card and a control node management network card;
the intranet switch is connected with the intranet server;
the DMZ zone switch is connected with the DMZ zone server in a Trunk mode;
the intranet server is connected with the management network switch through a computing node management network card;
and the DMZ zone server is connected with the management network switch through a computing node management network card.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202010903348.7A CN112099913B (en) | 2020-09-01 | 2020-09-01 | Method for realizing virtual machine security isolation based on OpenStack |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202010903348.7A CN112099913B (en) | 2020-09-01 | 2020-09-01 | Method for realizing virtual machine security isolation based on OpenStack |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN112099913A true CN112099913A (en) | 2020-12-18 |
| CN112099913B CN112099913B (en) | 2023-12-01 |
Family
ID=73757379
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202010903348.7A Active CN112099913B (en) | 2020-09-01 | 2020-09-01 | Method for realizing virtual machine security isolation based on OpenStack |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN112099913B (en) |
Cited By (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN113162944A (en) * | 2021-04-29 | 2021-07-23 | 杭州安恒信息安全技术有限公司 | Network communication method, device and equipment for security operation platform and security component |
| CN113411225A (en) * | 2021-08-20 | 2021-09-17 | 苏州浪潮智能科技有限公司 | QGA service management method, device, equipment and medium based on cloud host |
| CN113765787A (en) * | 2021-08-25 | 2021-12-07 | 新华三大数据技术有限公司 | Fault processing method and device |
| CN115134367A (en) * | 2022-06-28 | 2022-09-30 | 浙江吉利控股集团有限公司 | Cloud platform and service processing method |
| CN115987989A (en) * | 2023-03-22 | 2023-04-18 | 麒麟软件有限公司 | Method for expanding cloud virtual network in common system |
Citations (8)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN103607308A (en) * | 2013-11-29 | 2014-02-26 | 杭州东信北邮信息技术有限公司 | Virtual machine multi-network management system and method in cloud computing environment |
| CN103746997A (en) * | 2014-01-10 | 2014-04-23 | 浪潮电子信息产业股份有限公司 | Network security solution for cloud computing center |
| US20140123135A1 (en) * | 2012-10-28 | 2014-05-01 | Citrix Systems, Inc. | Network offering in cloud computing environment |
| US20140258446A1 (en) * | 2013-03-07 | 2014-09-11 | Citrix Systems, Inc. | Dynamic configuration in cloud computing environments |
| CN104468746A (en) * | 2014-11-23 | 2015-03-25 | 国云科技股份有限公司 | Method for realizing distributed virtual networks applicable to cloud platform |
| CN107301083A (en) * | 2017-06-16 | 2017-10-27 | 郑州云海信息技术有限公司 | One kind creates OpenStack virtual machines method and OpenStack dummy machine systems |
| CN107743152A (en) * | 2017-12-07 | 2018-02-27 | 南京易捷思达软件科技有限公司 | The implementation method of the High Availabitity of load equalizer in a kind of OpenStack cloud platforms |
| CN107769938A (en) * | 2016-08-16 | 2018-03-06 | 北京金山云网络技术有限公司 | The system and method that a kind of Openstack platforms support Multi net voting region |
-
2020
- 2020-09-01 CN CN202010903348.7A patent/CN112099913B/en active Active
Patent Citations (8)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20140123135A1 (en) * | 2012-10-28 | 2014-05-01 | Citrix Systems, Inc. | Network offering in cloud computing environment |
| US20140258446A1 (en) * | 2013-03-07 | 2014-09-11 | Citrix Systems, Inc. | Dynamic configuration in cloud computing environments |
| CN103607308A (en) * | 2013-11-29 | 2014-02-26 | 杭州东信北邮信息技术有限公司 | Virtual machine multi-network management system and method in cloud computing environment |
| CN103746997A (en) * | 2014-01-10 | 2014-04-23 | 浪潮电子信息产业股份有限公司 | Network security solution for cloud computing center |
| CN104468746A (en) * | 2014-11-23 | 2015-03-25 | 国云科技股份有限公司 | Method for realizing distributed virtual networks applicable to cloud platform |
| CN107769938A (en) * | 2016-08-16 | 2018-03-06 | 北京金山云网络技术有限公司 | The system and method that a kind of Openstack platforms support Multi net voting region |
| CN107301083A (en) * | 2017-06-16 | 2017-10-27 | 郑州云海信息技术有限公司 | One kind creates OpenStack virtual machines method and OpenStack dummy machine systems |
| CN107743152A (en) * | 2017-12-07 | 2018-02-27 | 南京易捷思达软件科技有限公司 | The implementation method of the High Availabitity of load equalizer in a kind of OpenStack cloud platforms |
Non-Patent Citations (2)
| Title |
|---|
| PARAKH, P.等: "SLA-aware Virtual Machine Scheduling in OpenStack-based Private Cloud", 《 2018 3RD INTERNATIONAL CONFERENCE ON COMPUTATIONAL SYSTEMS AND INFORMATION TECHNOLOGY FOR SUSTAINABLE SOLUTIONS (CSITSS)》, pages 259 - 64 * |
| 李莉 等: "基于OpenStack云平...Neutron关键技术研究", 《长春理工大学学报(自然科学版)》 * |
Cited By (8)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN113162944A (en) * | 2021-04-29 | 2021-07-23 | 杭州安恒信息安全技术有限公司 | Network communication method, device and equipment for security operation platform and security component |
| CN113411225A (en) * | 2021-08-20 | 2021-09-17 | 苏州浪潮智能科技有限公司 | QGA service management method, device, equipment and medium based on cloud host |
| WO2023019736A1 (en) * | 2021-08-20 | 2023-02-23 | 苏州浪潮智能科技有限公司 | Cloud host-based qga service management method and apparatus, device and medium |
| CN113765787A (en) * | 2021-08-25 | 2021-12-07 | 新华三大数据技术有限公司 | Fault processing method and device |
| CN113765787B (en) * | 2021-08-25 | 2022-10-21 | 新华三大数据技术有限公司 | Fault processing method and device |
| CN115134367A (en) * | 2022-06-28 | 2022-09-30 | 浙江吉利控股集团有限公司 | Cloud platform and service processing method |
| CN115987989A (en) * | 2023-03-22 | 2023-04-18 | 麒麟软件有限公司 | Method for expanding cloud virtual network in common system |
| CN115987989B (en) * | 2023-03-22 | 2023-09-26 | 麒麟软件有限公司 | Method for expanding cloud virtual network in common system |
Also Published As
| Publication number | Publication date |
|---|---|
| CN112099913B (en) | 2023-12-01 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN112099913B (en) | Method for realizing virtual machine security isolation based on OpenStack | |
| US11252228B2 (en) | Multi-tenant multi-session catalogs with machine-level isolation | |
| CN106844000B (en) | Method and device for accessing Linux container cluster by browser in multi-user environment | |
| CN107181808B (en) | Private cloud system and operation method | |
| CN109254831B (en) | Virtual machine network security management method based on cloud management platform | |
| CN111934918B (en) | Network isolation method and device for container instances in same container cluster | |
| CN109067877B (en) | Control method for cloud computing platform deployment, server and storage medium | |
| US8973098B2 (en) | System and method for virtualized resource configuration | |
| CN108255497B (en) | Application deployment method and device | |
| CN109194502B (en) | Management method of multi-tenant container cloud computing system | |
| CN102571698B (en) | Access authority control method, system and device for virtual machine | |
| CA3033217A1 (en) | Method for virtual machine to access physical server in cloud computing system, apparatus, and system | |
| WO2014169870A1 (en) | Virtual network element automatic loading and virtual machine ip address acquisition method and system, and storage medium | |
| US10938619B2 (en) | Allocation of virtual interfaces to containers | |
| US20140068032A1 (en) | Application dependent data center integration | |
| CN113810230B (en) | Method, device and system for carrying out network configuration on containers in container cluster | |
| CN113821268B (en) | Kubernetes network plug-in method fused with OpenStack Neutron | |
| CN111835820A (en) | System and method for realizing cloud management | |
| CN114448978B (en) | Network access method and device, electronic equipment and storage medium | |
| CN113923023A (en) | Authority configuration and data processing method, device, electronic equipment and medium | |
| CN110489305B (en) | Server management method and device | |
| CN111818081A (en) | Virtual encryption machine management method and device, computer equipment and storage medium | |
| CN114422350A (en) | Public cloud container instance creating method | |
| CN112468476B (en) | Equipment management system and method for different types of terminals to access application | |
| US20230138867A1 (en) | Methods for application deployment across multiple computing domains and devices thereof |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant |