CN112099913B - Method for realizing virtual machine security isolation based on OpenStack - Google Patents


Info

Publication number
CN112099913B
Authority
CN
China
Prior art keywords
server
network
service
switch
intranet
Prior art date
Legal status
Active
Application number
CN202010903348.7A
Other languages
Chinese (zh)
Other versions
CN112099913A (en)
Inventor
冯四化
Current Assignee
Beijing Si Tech Information Technology Co Ltd
Original Assignee
Beijing Si Tech Information Technology Co Ltd


Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00 Arrangements for program control, e.g. control units
    • G06F9/06 Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/44 Arrangements for executing specific programs
    • G06F9/455 Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
    • G06F9/45533 Hypervisors; Virtual machine monitors
    • G06F9/45558 Hypervisor-specific management and integration aspects
    • G06F2009/45587 Isolation or security of virtual machine instances
    • G06F2009/45595 Network integration; Enabling network access in virtual machine instances

Landscapes

  • Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The application discloses a method and a related device for realizing security isolation of virtual machines based on OpenStack, which isolate, at the network level, the virtual machines providing Internet services on an OpenStack platform from the intranet application virtual machines. The method comprises the following steps: creating, through the Nova component, a first availability zone (AZ) and a second AZ; allocating a first physical link access mode to the network cards of the servers belonging to the first AZ, where each server has 2 or more network cards and the first physical link access mode connects them to the management network switch and the intranet switch; allocating a second physical link access mode to the network cards of the servers belonging to the second AZ, where each server has 2 or more network cards and the second physical link access mode connects them to the management network switch and the DMZ zone switch; selecting a server belonging to the first AZ and configuring a first Dynamic Host Configuration Protocol (DHCP) service on it; and selecting a server belonging to the second AZ and configuring a second DHCP service on it.

Description

Method for realizing virtual machine security isolation based on OpenStack
Technical Field
The embodiment of the application relates to the field of information security management, in particular to a method and a related device for realizing virtual machine security isolation based on OpenStack.
Background
The OpenStack cloud computing management platform is a free and open-source cloud computing platform jointly developed and launched by the National Aeronautics and Space Administration (NASA) and Rackspace, one of the three major cloud computing centers. It mainly uses pooled virtual resources to build and manage private and public clouds, can be installed on data-center hardware from different manufacturers, and manages computing, network and storage resources uniformly. OpenStack is made up of multiple components: for example, Nova is the component primarily responsible for computing resources, Neutron is the component that provides networking, and Heat is the component that performs application orchestration.
In the prior art, visitors from both the external network and the internal network can access services on the OpenStack platform. When important confidential information is placed on a server, and every visitor can reach that information, the server is exposed to unsafe factors and to the possibility of confidential information leakage.
Disclosure of Invention
The embodiment of the application provides a method and a related device for realizing security isolation of virtual machines under an OpenStack platform, which physically isolate, at the network level, the virtual machines providing Internet services from the intranet application virtual machines on the OpenStack platform.
The embodiment of the application provides a method for realizing virtual machine security isolation under an OpenStack platform, which comprises the following steps:
creating a first availability zone (AZ) and a second AZ through the Nova component, where the first AZ is the set of servers serving the intranet service, the second AZ is the set of servers serving the Internet service in the demilitarized zone (DMZ), and the first AZ and the second AZ are each connected with a plurality of computing nodes generated from the servers placed in them;
allocating a first physical link access mode to the network cards of a server belonging to the first AZ, where the server comprises 2 or more network cards, the network cards serve the management network and provide network service for the virtual machine business network created on the server, and the first access mode connects them to the management network switch and the intranet switch;
allocating a second physical link access mode to the network cards of a server belonging to the second AZ, where the server comprises 2 or more network cards, the network cards serve the management network and provide network service for the virtual machine business network created on the server, and the second access mode connects them to the management network switch and the DMZ zone switch;
selecting a server belonging to the first AZ and configuring a first Dynamic Host Configuration Protocol (DHCP) service on it, where one or more servers may be selected, and the first DHCP service is used to obtain IP addresses for the created intranet service virtual machines;
and selecting a server belonging to the second AZ and configuring a second DHCP service on it, where one or more servers may be selected, and the second DHCP service is used to obtain IP addresses for the created Internet service virtual machines.
Optionally, after selecting the server accessing the second AZ, before configuring the second DHCP service for the server, the method further includes:
and detecting whether the server completes the installation of the Openstack-neutron software package, if so, configuring a second DHCP service for the server, and if not, prompting a user to install the software package.
Optionally, the allocating a first physical link access manner to a network card of the server accessing the first AZ includes:
and the computing node management network card and the control node management network card which are accessed to the first AZ are both accessed to a management network switch, the service network card is accessed to an intranet switch, and the port of the intranet switch is in a trunk mode and is used for transmitting the designated service network vlan.
Optionally, the allocating a second physical link access manner to the network card of the server accessing the second AZ includes:
and uniformly accessing the computing node management network card accessed to the second AZ to a management network switch, accessing the service network card to the DMZ zone switch, and setting a trunk mode at a port of the DMZ zone switch for transmitting the corresponding service network vlan.
Optionally, configuring the second DHCP service for the server includes:
modifying a dhcp agent configuration file, wherein the dhcp agent is a functional component provided by an OpenStack platform, and the configuration file is a file under the Openstack-neutron software package;
starting a dhcp agent service;
and configuring a network scheduling strategy, restarting the network service, and providing a DHCP service for the virtual machine in the network.
Optionally, the host server in the second AZ on which the Internet-facing virtual machine runs receives management requests sent by OpenStack and calls the control node.
A second aspect of the present application provides a device for implementing virtual machine security isolation based on OpenStack, including:
a creation unit, configured to create a first availability zone (AZ) and a second AZ through the Nova component, where the first AZ is the set of servers serving the intranet service, the second AZ is the set of servers serving the Internet service in the demilitarized zone (DMZ), and the first AZ and the second AZ are each connected with a plurality of computing nodes generated from the servers placed in them;
a first allocation unit, configured to allocate a first physical link access mode to the network cards of a server belonging to the first AZ, where the server comprises 2 or more network cards, the network cards serve the management network and provide network service for the virtual machine service network created on the server, and the first access mode connects them to the management network switch and the intranet switch;
a second allocation unit, configured to allocate a second physical link access mode to the network cards of a server belonging to the second AZ, where the server comprises 2 or more network cards, the network cards serve the management network and provide network service for the virtual machine service network created on the server, and the second access mode connects them to the management network switch and the DMZ zone switch;
a first configuration unit, configured to select a server belonging to the first AZ and configure a first Dynamic Host Configuration Protocol (DHCP) service on it, where one or more servers may be selected, and the first DHCP service is used to obtain IP addresses for the created intranet service virtual machines;
a second configuration unit, configured to select a server belonging to the second AZ and configure a second DHCP service on it, where one or more servers may be selected, and the second DHCP service is used to obtain IP addresses for the created Internet service virtual machines.
Optionally, the apparatus further comprises:
the detection unit is used for detecting whether the server completes the installation of an Openstack-neutron software package;
and the prompting unit is used for prompting a user to install the software package if the detecting unit does not detect the Openstack-neutron software package.
Optionally, the first allocation unit includes:
the first access module is used for accessing the computing node management network card and the control node management network card which are accessed to the first AZ to the management network switch, the service network card is accessed to the intranet switch, and the port of the intranet switch is in a trunk mode and is used for transmitting the designated service network vlan.
Optionally, the second configuration unit includes:
the selecting module is used for selecting a server accessed to the second AZ;
the modification module is used for modifying a dhcp agent configuration file of the server, wherein the dhcp agent is a functional component provided by an OpenStack platform, and the configuration file is a file under the Openstack-neutron software package;
the starting module is used for starting the dhcp agent service;
and the network module is used for configuring a network scheduling strategy and restarting the network service to provide the DHCP service for the virtual machine in the network.
A third aspect of the embodiment of the present application provides a system for implementing virtual machine isolation based on OpenStack, including:
the system comprises a router, a firewall, an intranet switch, a management network switch, a DMZ zone switch, a plurality of intranet servers, a plurality of DMZ zone servers, a computing node management network card, a control node management network card, an internal service network zone and an Internet service network;
the router is respectively connected with the intranet switch and the DMZ zone server, and is respectively connected with an intranet service network zone and a firewall;
the Internet service network is connected with the firewall;
the DMZ zone server is respectively connected with the DMZ zone switch and the management switch to form a DMZ zone network;
the intranet server and the DMZ zone server are respectively connected with a computing node management network card and a control node management network card;
the intranet switch is connected with the intranet server;
the DMZ zone switch is connected with the DMZ zone server in a Trunk mode;
the intranet server is connected with the management network switch through a computing node management network card;
and the DMZ zone server is connected with the management network switch through a computing node management network card.
According to the technical scheme, two availability zones are created. By configuring a DHCP service for the servers in each of the first AZ and the second AZ, network scheduling is performed per zone, and an intranet service application virtual machine and an Internet service virtual machine placed in the DMZ are created; by specifying the AZ, a virtual machine is created on a designated host server. The host servers holding intranet service virtual machines and the host servers holding DMZ service virtual machines are therefore physically independent and isolated, and their service networks are isolated as well. Because the Internet-facing virtual machine network is deployed in the DMZ, access to it is controlled by policy: visitors from the external network can reach the services in the DMZ but cannot reach confidential or private information stored in the intranet, so even if a server in the DMZ is compromised, the confidential information in the intranet is not affected and its security is improved.
Drawings
Fig. 1 is a schematic flow chart of a method for implementing virtual machine security isolation based on OpenStack according to an embodiment of the present application;
Fig. 2 is another flow chart of a method for implementing virtual machine security isolation based on OpenStack according to an embodiment of the present application;
Fig. 3 is a schematic structural diagram of an OpenStack-based virtual machine security isolation device according to an embodiment of the present application;
Fig. 4 is a schematic networking diagram of a virtual machine isolation system based on OpenStack according to an embodiment of the present application.
Detailed Description
The embodiment of the application provides a method and a related device for realizing security isolation of virtual machines under an OpenStack platform, which physically isolate, at the network level, the virtual machines providing Internet services from the intranet application virtual machines on the OpenStack platform.
The following description of the embodiments of the present application will be made clearly and fully with reference to the accompanying drawings, in which it is evident that the embodiments described are only some, but not all embodiments of the application. All other embodiments, which can be made by those skilled in the art based on the embodiments of the application without making any inventive effort, are intended to be within the scope of the application.
The method of the present application can be applied to routers, network switches with three-layer switching functions or other gateway devices with routing functions, and the present application is not limited to this.
Referring to fig. 1, a flowchart of an embodiment of a method for implementing virtual machine security isolation based on OpenStack according to the present application includes:
101. Creating a first availability zone (AZ) and a second AZ through the Nova component, where the first AZ is the set of servers serving the intranet service, the second AZ is the set of servers serving the Internet service in the demilitarized zone (DMZ), and the first AZ and the second AZ are each connected with a plurality of computing nodes generated from the servers placed in them;
If a project deployed on the cloud platform contains important information but places no limit on its visitors, the security of the project is threatened. The application divides the servers into the set serving the intranet and the set serving the extranet, creates availability zones (AZ) through the Nova component of the OpenStack platform and names them, carves part of the original default AZ out as a demilitarized zone (DMZ), and so builds a safe zone between the internal network and the external network to separate the two.
An AZ can be understood as a collection of hosts. In the Nova module a user may specify an AZ when creating a virtual machine, so that the virtual machine is generated on a host that the AZ contains. The first AZ is the set of servers serving the intranet and the second AZ is the set of servers serving the Internet; important information is stored in the first AZ, and visitors from the external network can only reach information in the DMZ zone, so the information in the first AZ is unaffected.
It should be noted that the number of servers divided by the first AZ and the second AZ may be set by actual service requirements, which is not limited herein.
102. A first physical link access mode is allocated to a network card of a server accessed to the first AZ, the server comprises 2 or more network cards, the network cards are used for managing a network and providing network services for a virtual machine business network created on the server, and the first access mode is used for accessing a management network switch and an intranet switch;
Because the Nova services are deployed on both the computing nodes and the control node, in this embodiment the computing node management network cards and the control node management network card belonging to the first AZ are connected to the management network switch, the service network cards are connected to the intranet switch, and both switch ports are set to port aggregation (trunk) mode so that the specified virtual local area networks (VLANs) are carried transparently.
It should be noted that, the generation of the virtual machine depends on the host machine, and because the virtual machine uses the service network in this embodiment, each server machine includes at least two types of network cards, one type is used for the management network, the other type is used as the service network of the virtual machine, and the number of network cards is 2 or more, which is not limited herein.
103. A second physical link access mode is allocated to a network card of a server accessed to the second AZ, the server comprises 2 or more network cards, the network cards are used for managing a network and providing network services for a virtual machine service network created on the server, and the second access mode is used for accessing a management network switch and a DMZ zone switch;
and uniformly accessing the computing node management network card accessed to the second AZ to the management network switch, and accessing the service network card to the DMZ zone switch, wherein the port of the DMZ zone switch is set to be in a trunk mode and is used for transmitting the external network service vlan.
According to the embodiment of the application, the corresponding network cards are connected into different switches, so that the control node in the first AZ can realize internal management with the computing node of the DMZ through the management network, and the virtual machine service network connected with the computing node of the DMZ is connected into the switch of the DMZ and is mapped to the public network through the firewall.
104. Selecting a server belonging to the first AZ and configuring a first Dynamic Host Configuration Protocol (DHCP) service on it, where one or more servers may be selected, and the first DHCP service is used to obtain IP addresses for the created intranet service virtual machines;
A server is chosen from the servers belonging to the first AZ, a dhcp-agent service provided by the Neutron component is deployed on it with availability_zone set to the name of the first AZ, and this agent obtains IP addresses for the intranet service virtual machines being created; the dhcp-agent service deployed on this server is shared by all servers belonging to the first AZ.
It should be noted that the application can deploy the dhcp-agent service to multiple servers belonging to the first AZ according to actual service requirements, which is not limited herein.
105. And selecting a server accessed to the second AZ, and configuring a second DHCP service for the server, wherein the server comprises at least one server, and the second DHCP service is used for acquiring an IP address for the created Internet service virtual machine.
And selecting a certain server from the servers accessed to the second AZ, deploying a set of dhcp-agent service on the server, setting availability_zone as the name of the second AZ, acquiring IP addresses for creating the Internet service virtual machine for use, wherein the dhcp-agent service deployed on the server can be shared for all the servers accessed to the second AZ.
It should be noted that, the present application can deploy the dhcp-agent service to the multiple servers accessing the second AZ according to the actual service requirement, which is not limited herein.
According to the embodiment of the application, after the DHCP services are configured for the servers in the first AZ and the second AZ, service virtual machines that need to access or be accessed from the Internet are scheduled and created on the hosts designated for the DMZ zone, which facilitates access policy control of the virtual machines in the DMZ zone and prevents unauthorized access to any resource.
Referring to fig. 2, a flowchart of another embodiment of a method for implementing virtual machine security isolation based on OpenStack according to the present application includes:
201. Creating a first availability zone (AZ) and a second AZ through the Nova component, where the first AZ is the set of servers serving the intranet service, the second AZ is the set of servers serving the Internet service in the demilitarized zone (DMZ), and the first AZ and the second AZ are each connected with a plurality of computing nodes generated from the servers placed in them;
202. the computing node management network card and the control node management network card which are accessed to the first AZ are both accessed to a management network switch, the service network card is accessed to an intranet switch, and the port of the intranet switch is in a trunk mode and is used for transmitting the designated service network vlan;
203. the computing node management network card accessed to the second AZ is accessed to a management network switch in a unified way, the service network card is accessed to the DMZ zone switch, and a trunk mode is set at a port of the DMZ zone switch and used for transmitting the corresponding service network vlan;
204. Selecting a server belonging to the first AZ and configuring a first Dynamic Host Configuration Protocol (DHCP) service on it, where one or more servers may be selected, and the first DHCP service is used to obtain IP addresses for the created intranet service virtual machines;
steps 201 to 204 in the embodiment of the present application are similar to steps 101 to 104 in the previous embodiment, and are not repeated here.
205. Selecting a server accessing the second AZ,
the server to be accessed to the second AZ is selected randomly, and may be one or more servers, which is not limited herein and may be determined according to actual service conditions.
206. Detecting whether the server completes the installation of an Openstack-neutron software package, if so, executing a step 208, and if not, executing a step 207;
Because the Openstack-neutron package provides network support for the entire OpenStack environment, for the server selected in step 205 it must be determined whether the package is already installed, so that the network configuration can be carried out.
207. Prompting a user to install the software package;
if the fact that the Openstack-neutron software package is not installed on the server is detected, the user is prompted to install the software package, and otherwise, subsequent network configuration cannot be conducted.
208. Modifying a dhcp agent configuration file, wherein the dhcp agent is a functional component provided by an OpenStack platform, and the configuration file is a file under the Openstack-neutron software package;
If the server has the Openstack-neutron software package installed, the specified configuration file under that package is modified, and the availability zone the dhcp agent belongs to is set to the name of the second AZ.
209. Starting a dhcp agent service;
after configuration step 208, the dhcp agent service is started.
210. And configuring a network scheduling strategy, restarting the network service, and providing a DHCP service for the virtual machine in the network.
The designated file is configured through neutron-server, the core component of Neutron, which changes how the DHCP service, i.e. the dhcp-agent, is scheduled; after the configuration is completed, neutron-server is restarted and the configured network scheduling policy takes effect.
According to the embodiment of the application, once the network scheduling policy is configured, the availability zone a network belongs to can be specified with availability_zone_hints when the network is created; after the network is created, the dhcp-agent of the corresponding availability zone provides DHCP service for the virtual machines in that network, so the intranet service virtual machines and the Internet service virtual machines are separated independently and the security of the intranet service is greatly improved.
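The procedures of steps 101 to 105 and 201 to 210 above, modelled as an added example that is not code from the patent or from OpenStack: it renders the per-AZ dhcp_agent.ini and neutron.conf fragments, lists the openstack CLI commands that create the two AZs and one network per AZ, and audits a constructed host inventory for the cabling and DHCP-placement invariants the isolation depends on. The AZ names, switch names and hosts are assumptions; the Neutron option names and CLI subcommands are the upstream ones.

```python
"""Audit of the two-AZ layout from steps 101-105 / 201-210.

Added example, not the patent's or OpenStack's code. AZ names, switch
names and the inventory are constructed; the Neutron options
(dhcp_agent.ini [AGENT] availability_zone, neutron.conf
network_scheduler_driver / default_availability_zones) are upstream.
"""
from dataclasses import dataclass

INTRANET_AZ = "az-intranet"      # the patent's first AZ (assumed name)
DMZ_AZ = "az-dmz"                # the patent's second AZ (assumed name)
MGMT_SWITCH = "mgmt-sw"          # management network switch
INTRANET_SWITCH = "intranet-sw"  # intranet service switch
DMZ_SWITCH = "dmz-sw"            # DMZ zone switch

# The only service switch a host in each AZ may be cabled to (steps 102/103).
SERVICE_SWITCH_FOR_AZ = {INTRANET_AZ: INTRANET_SWITCH, DMZ_AZ: DMZ_SWITCH}


@dataclass
class Host:
    name: str
    az: str
    role: str                 # "control" or "compute"
    nics: dict                # NIC name -> switch it is cabled to
    dhcp_agent: bool = False  # runs neutron-dhcp-agent for its AZ


# Constructed inventory: control node plus one compute in the intranet AZ,
# two computes in the DMZ AZ, one dhcp-agent per AZ (steps 104/105).
INVENTORY = [
    Host("ctl1", INTRANET_AZ, "control",
         {"eth0": MGMT_SWITCH, "eth1": INTRANET_SWITCH}, dhcp_agent=True),
    Host("cmp1", INTRANET_AZ, "compute",
         {"eth0": MGMT_SWITCH, "eth1": INTRANET_SWITCH}),
    Host("dmz1", DMZ_AZ, "compute",
         {"eth0": MGMT_SWITCH, "eth1": DMZ_SWITCH}, dhcp_agent=True),
    Host("dmz2", DMZ_AZ, "compute",
         {"eth0": MGMT_SWITCH, "eth1": DMZ_SWITCH}),
]


def audit(hosts):
    """Return the list of isolation violations; an empty list means the
    cabling and DHCP placement match the patent's layout."""
    problems = []
    agents = {az: 0 for az in SERVICE_SWITCH_FOR_AZ}
    for h in hosts:
        if h.az not in SERVICE_SWITCH_FOR_AZ:
            problems.append(f"{h.name}: unknown AZ {h.az}")
            continue
        # Every host needs a management NIC and a separate service NIC.
        if len(h.nics) < 2:
            problems.append(f"{h.name}: fewer than 2 NICs")
        if MGMT_SWITCH not in h.nics.values():
            problems.append(f"{h.name}: no NIC on {MGMT_SWITCH}")
        # A service NIC may only reach its own AZ's switch: an intranet host
        # on the DMZ switch (or vice versa) would bridge the two zones.
        for nic, sw in h.nics.items():
            if sw not in (MGMT_SWITCH, SERVICE_SWITCH_FOR_AZ[h.az]):
                problems.append(
                    f"{h.name}: {nic} cabled to {sw}, forbidden in {h.az}")
        if h.dhcp_agent:
            agents[h.az] += 1
    for az, n in agents.items():
        if n == 0:
            problems.append(f"{az}: no dhcp-agent deployed")
    return problems


def dhcp_agent_ini(az):
    """dhcp_agent.ini fragment for a host serving `az` (step 208)."""
    return f"[AGENT]\navailability_zone = {az}\n"


def neutron_conf_fragment():
    """neutron.conf fragment enabling AZ-aware DHCP scheduling (step 210);
    neutron-server must be restarted after applying it."""
    return ("[DEFAULT]\n"
            "network_scheduler_driver = "
            "neutron.scheduler.dhcp_agent_scheduler.AZAwareWeightScheduler\n"
            f"default_availability_zones = {INTRANET_AZ},{DMZ_AZ}\n")


def plan_commands(hosts):
    """Dry-run list of openstack CLI commands: create the two AZs via host
    aggregates (step 101), place the compute nodes, and create one network
    per AZ pinned to that AZ's dhcp-agent by availability_zone_hints."""
    cmds = [f"openstack aggregate create --zone {az} agg-{az}"
            for az in (INTRANET_AZ, DMZ_AZ)]
    # Only nova-compute hosts can be aggregate members; the control node is not.
    cmds += [f"openstack aggregate add host agg-{h.az} {h.name}"
             for h in hosts if h.role == "compute"]
    cmds += [f"openstack network create --availability-zone-hint {az} net-{az}"
             for az in (INTRANET_AZ, DMZ_AZ)]
    return cmds
```

Run `audit()` against the real inventory before applying `plan_commands()`; a single service NIC cabled to the wrong switch is enough to undo the physical isolation the patent relies on.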
Referring to fig. 3, an embodiment of the present application provides an OpenStack-based virtual machine isolation device, including:
the creating unit 301 is configured to create, by using the Nova component, a first availability zone (AZ) and a second AZ, where the first AZ is the set of servers serving the intranet service, the second AZ is the set of servers serving the Internet service in the demilitarized zone (DMZ), and the first AZ and the second AZ are each connected with a plurality of computing nodes generated from the servers placed in them;
a first allocation unit 302, configured to allocate a first physical link access manner to a network card of a server accessing the first AZ, where the server includes 2 or more network cards, the network cards are used for managing a network and providing network services for a virtual machine service network created on the server, and the first access manner is used for accessing a management network switch and an intranet switch;
a second allocation unit 303, configured to allocate a second physical link access manner to a network card of a server accessing the second AZ, where the server includes 2 or more network cards, the network cards are used for managing a network and providing network services for a virtual machine service network created on the server, and the second access manner is used for accessing a management network switch and a DMZ zone switch;
a first configuration unit 304, configured to select a server belonging to the first AZ and configure a first Dynamic Host Configuration Protocol (DHCP) service on it, where one or more servers may be selected, and the first DHCP service is configured to obtain IP addresses for the created intranet service virtual machines;
a second configuration unit 305, configured to select a server accessing the second AZ, configure a second DHCP service for the server, where the server includes at least one server, and the second DHCP service is configured to obtain an IP address for the created internet service virtual machine;
the detecting unit 306 is configured to detect whether the server completes installation of an Openstack-neutron software package;
and a prompting unit 307, configured to prompt a user to install the Openstack-neutron software package if the detection unit does not detect the software package.
The second configuration unit 305 in this embodiment includes:
a selecting module 3051, configured to select a server accessing the second AZ;
a modification module 3052, configured to modify the dhcp agent configuration file on the server, where the dhcp agent is a functional component provided by the OpenStack platform and the configuration file belongs to the Openstack-neutron software package;
a start module 3053, configured to start the dhcp agent service;
and a network module 3054, configured to configure a network scheduling policy, restart the network service, and provide the DHCP service for the virtual machines in the network.
In this embodiment, the functions of each unit and module correspond to the steps in the embodiment shown in fig. 2, and are not described herein.
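The unit list above is a procedure: build two Nova availability zones, cable each server's management and service network cards to the right switches, and run one DHCP service per AZ. The Python planner below is an added example, not code from the patent, that writes those rules down as checks and emits the matching configuration. Host, switch, aggregate and AZ names are constructed. The `openstack aggregate` and `openstack network create` options it prints and the neutron options it writes (`[AGENT] availability_zone` in dhcp_agent.ini; `network_scheduler_driver`, `dhcp_agents_per_network` and `default_availability_zones` in neutron.conf) are real options, but reading the patent's "network scheduling policy" as neutron's AZ-aware DHCP scheduler, and reusing the Nova AZ names as neutron network AZ names, are this example's own assumptions.

```python
"""Plan two OpenStack AZs (intranet / DMZ) with one DHCP service each and check
the physical-link rules before any command is run.  Added example; names are
constructed and the neutron scheduler mapping is an assumption."""
import configparser
import io
from dataclasses import dataclass, field
from typing import List

INTRANET_AZ, DMZ_AZ = "az-intranet", "az-dmz"          # constructed AZ names
AGGREGATE_FOR_AZ = {INTRANET_AZ: "agg-intranet", DMZ_AZ: "agg-dmz"}
MGMT_SWITCH = "mgmt-switch"                             # constructed switch names
SERVICE_SWITCH_FOR_AZ = {INTRANET_AZ: "intranet-switch", DMZ_AZ: "dmz-switch"}


@dataclass
class Nic:
    name: str
    role: str            # "mgmt" or "service"
    switch: str          # switch the port is cabled to
    trunk: bool = False  # service ports must be trunk ports (claims 3 and 4)


@dataclass
class Server:
    host: str
    az: str
    nics: List[Nic] = field(default_factory=list)
    dhcp_agent: bool = False   # selected to run neutron-dhcp-agent for its AZ


def check_links(servers):
    """Return the list of rule violations; an empty list means the plan is consistent."""
    problems = []
    dhcp_hosts = {az: 0 for az in AGGREGATE_FOR_AZ}
    for s in servers:
        if s.az not in SERVICE_SWITCH_FOR_AZ:
            problems.append(f"{s.host}: unknown AZ {s.az}")
            continue
        if len(s.nics) < 2:
            problems.append(f"{s.host}: needs at least 2 NICs (management + service)")
        for n in s.nics:
            if n.role == "mgmt" and n.switch != MGMT_SWITCH:
                problems.append(f"{s.host}/{n.name}: management NIC must go to {MGMT_SWITCH}")
            if n.role == "service":
                want = SERVICE_SWITCH_FOR_AZ[s.az]
                if n.switch != want:
                    problems.append(f"{s.host}/{n.name}: service NIC of {s.az} must go to {want}, not {n.switch}")
                if not n.trunk:
                    problems.append(f"{s.host}/{n.name}: service port must be in trunk mode")
        if s.dhcp_agent:
            dhcp_hosts[s.az] += 1
    for az, count in dhcp_hosts.items():
        if count == 0:
            problems.append(f"{az}: no server selected to run the DHCP service")
    return problems


def nova_commands(servers):
    """CLI lines creating one host aggregate per AZ and placing each server in it."""
    cmds = [f"openstack aggregate create --zone {az} {agg}" for az, agg in AGGREGATE_FOR_AZ.items()]
    cmds += [f"openstack aggregate add host {AGGREGATE_FOR_AZ[s.az]} {s.host}" for s in servers]
    return cmds


def network_command(name, az, physnet, vlan):
    """Provider VLAN network pinned to one AZ so its DHCP port lands on that AZ's agent."""
    return (f"openstack network create --availability-zone-hint {az} "
            f"--provider-network-type vlan --provider-physical-network {physnet} "
            f"--provider-segment {vlan} {name}")


def _ini(sections):
    cfg = configparser.ConfigParser()
    for name, values in sections.items():
        cfg[name] = values
    buf = io.StringIO()
    cfg.write(buf)
    return buf.getvalue()


def dhcp_agent_ini(az):
    """dhcp_agent.ini for a server selected to run the DHCP service of one AZ."""
    return _ini({
        "DEFAULT": {"interface_driver": "openvswitch",
                    "dhcp_driver": "neutron.agent.linux.dhcp.Dnsmasq",
                    "enable_isolated_metadata": "true"},
        "AGENT": {"availability_zone": az},
    })


def neutron_conf_fragment():
    """Server-side scheduling policy (assumed mapping): DHCP port of a network -> agent in its AZ."""
    return _ini({"DEFAULT": {
        "network_scheduler_driver": "neutron.scheduler.dhcp_agent_scheduler.AZAwareWeightScheduler",
        "dhcp_agents_per_network": "1",
        "default_availability_zones": f"{INTRANET_AZ},{DMZ_AZ}",
    }})


# Constructed inventory: two intranet computes, one DMZ compute, one DHCP host per AZ.
SAMPLE_SERVERS = [
    Server("cmp-in-1", INTRANET_AZ, [Nic("eth0", "mgmt", MGMT_SWITCH),
                                     Nic("eth1", "service", "intranet-switch", trunk=True)], dhcp_agent=True),
    Server("cmp-in-2", INTRANET_AZ, [Nic("eth0", "mgmt", MGMT_SWITCH),
                                     Nic("eth1", "service", "intranet-switch", trunk=True)]),
    Server("cmp-dmz-1", DMZ_AZ, [Nic("eth0", "mgmt", MGMT_SWITCH),
                                 Nic("eth1", "service", "dmz-switch", trunk=True)], dhcp_agent=True),
]

if __name__ == "__main__":
    print("violations:", check_links(SAMPLE_SERVERS) or "none")
    print("\n".join(nova_commands(SAMPLE_SERVERS)))
    print(network_command("dmz-web", DMZ_AZ, "physnet-dmz", 200))
    print(dhcp_agent_ini(DMZ_AZ))
    print(neutron_conf_fragment())
```

`check_links` is the part worth running before anything is cabled: the isolation the design relies on rests on a DMZ host's service card never being plugged into the intranet switch, and on every AZ having a DHCP host, and the planner reports exactly those mistakes rather than silently producing commands for a broken layout.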
Referring to fig. 4, an embodiment of the present application provides a network diagram of a system for implementing virtual machine isolation based on OpenStack, including:
a router 401, a firewall 402, an intranet switch 403, a management network switch 404, a DMZ zone switch 405, multiple intranet servers 406, multiple DMZ zone servers 407, a computing node management network card 408, a control node management network card 409, an internal service network zone 410, and an internet service network 411;
the router 401 is connected to the intranet switch 403 and to the DMZ zone server 405, and is also connected to the intranet service network zone 410 and to the firewall;
the internet service network 411 is connected to the firewall 402;
the DMZ zone server 405 is connected to both the DMZ zone switch and the management switch, forming the DMZ zone network;
the intranet servers 406 and the DMZ zone servers 407 are each connected with a computing node management network card 408 and a control node management network card 409;
the intranet switch 403 is connected to the intranet servers 406;
the DMZ zone switch 405 is connected to the DMZ zone servers 407 through trunk-mode ports;
the intranet servers 406 are connected to the management network switch 404 through the computing node management network card 408;
and the DMZ zone servers 407 are connected to the management network switch 404 through the computing node management network card 408.
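As an added example that is not part of the patent, the fig. 4 topology can be written down as a small graph and the properties the design depends on can be checked mechanically: no service VLAN of one zone reaches a server of the other zone at layer 2, the firewall is the only way from the internet service network to the intranet service zone, and the management switch is the one segment both zones share. Node names follow the figure's labels; the VLAN ids are constructed, and the router-to-DMZ link is modelled as router to DMZ zone switch (the text's numeral 405), which is an assumption.

```python
"""Graph model of the fig. 4 topology with layer-2 VLAN reachability checks.
Added example; VLAN ids are constructed, node names follow the figure."""
from collections import deque

L2, L3 = "l2", "l3"          # L2 links carry tagged VLANs; L3 links are routed hops
MGMT_VLAN = 10               # constructed VLAN ids
INTRANET_VLANS = frozenset(range(100, 200))
DMZ_VLANS = frozenset(range(200, 300))

# (node_a, node_b, layer, VLANs allowed on the link), read off the fig. 4 description.
LINKS = [
    ("internet", "firewall", L3, frozenset()),
    ("firewall", "router", L3, frozenset()),
    ("router", "intranet-zone", L3, frozenset()),
    ("router", "intranet-switch", L3, frozenset()),
    ("router", "dmz-switch", L3, frozenset()),                   # assumed: numeral 405 = DMZ switch
    ("intranet-switch", "intranet-server", L2, INTRANET_VLANS),  # trunk port, intranet VLANs only
    ("dmz-switch", "dmz-server", L2, DMZ_VLANS),                 # trunk port, DMZ VLANs only
    ("intranet-server", "mgmt-switch", L2, frozenset({MGMT_VLAN})),  # compute mgmt NIC 408
    ("dmz-server", "mgmt-switch", L2, frozenset({MGMT_VLAN})),
    ("mgmt-switch", "control-node", L2, frozenset({MGMT_VLAN})),     # control node mgmt NIC 409
]


def reachable(src, dst, links=LINKS, vlan=None, blocked=frozenset()):
    """Breadth-first search.  vlan=None uses every link (routed view); with a VLAN id
    only layer-2 links that trunk that VLAN are usable, since a router terminates it."""
    seen, queue = {src}, deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            return True
        for a, b, layer, vlans in links:
            if node not in (a, b):
                continue
            if vlan is not None and (layer != L2 or vlan not in vlans):
                continue
            nxt = b if node == a else a
            if nxt in blocked or nxt in seen:
                continue
            seen.add(nxt)
            queue.append(nxt)
    return False


def l2_leaks(links=LINKS):
    """Service VLANs of one zone that reach a server of the other zone at layer 2."""
    leaks = []
    for vlan in sorted(DMZ_VLANS):
        if reachable("dmz-server", "intranet-server", links, vlan):
            leaks.append(("dmz->intranet", vlan))
    for vlan in sorted(INTRANET_VLANS):
        if reachable("intranet-server", "dmz-server", links, vlan):
            leaks.append(("intranet->dmz", vlan))
    return leaks


def firewall_is_chokepoint(links=LINKS):
    """True when removing the firewall cuts every path from the internet to the intranet zone."""
    return not reachable("internet", "intranet-zone", links, blocked=frozenset({"firewall"}))


def shared_management_plane(links=LINKS):
    """Nodes that both zones' servers reach on the management VLAN: the segment the design shares."""
    nodes = {n for link in links for n in link[:2]} - {"dmz-server", "intranet-server"}
    return sorted(n for n in nodes
                  if reachable("dmz-server", n, links, MGMT_VLAN)
                  and reachable("intranet-server", n, links, MGMT_VLAN))


if __name__ == "__main__":
    print("layer-2 leaks:", l2_leaks() or "none")
    print("firewall is the only internet entry:", firewall_is_chokepoint())
    print("shared on management VLAN:", shared_management_plane())
```

The third check is the one to keep in mind when operating this design: DMZ and intranet compute nodes meet on the management VLAN and the control node, so host firewall rules on the management interfaces and the control node's access controls are what keep a compromised DMZ host from reaching intranet hosts over that plane. Miscabling is caught too: trunking all VLANs on an intranet server port plus a cross-link between the two switches turns `l2_leaks()` non-empty.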
It will be clear to those skilled in the art that, for convenience and brevity of description, the specific working process of the system described above may be found in the corresponding process of the foregoing method embodiment, and is not described here again.
In the several embodiments provided in the present application, it should be understood that the disclosed systems, devices, and methods may be implemented in other manners. For example, the apparatus embodiments described above are merely illustrative: the division into units is only a logical functional division, and other divisions are possible in actual implementation; for instance, multiple units or components may be combined or integrated into another system, or some features may be omitted or not performed. Likewise, the coupling, direct coupling or communication connection shown or discussed between components may be an indirect coupling or communication connection through some interfaces, devices or units, and may be electrical, mechanical or of another form.
In addition, each functional unit in the embodiments of the present application may be integrated into one processing unit, each unit may exist physically on its own, or two or more units may be integrated into one unit. The integrated units may be implemented in hardware or as software functional units.
The integrated units, if implemented as software functional units and sold or used as stand-alone products, may be stored in a computer-readable storage medium. On this understanding, the technical solution of the present application, in essence or in the part that contributes over the prior art, or all or part of it, may be embodied in the form of a software product stored in a storage medium and including instructions for causing a computer device (which may be a personal computer, a server, a network device, or the like) to perform all or part of the steps of the method according to the embodiments of the present application. The aforementioned storage medium includes a USB flash drive, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, an optical disk, or any other medium capable of storing program code.

Claims (10)

1. A method for realizing virtual machine security isolation based on OpenStack, characterized by comprising the following steps:
creating a first availability zone (AZ) and a second AZ through a Nova component, wherein the first AZ is the set of servers that access intranet services, the second AZ is the set of servers that access demilitarized zone (DMZ) internet services, and the first AZ and the second AZ are each connected with a plurality of computing nodes generated by the accessed servers;
allocating a first physical link access mode to the network cards of a server accessing the first AZ, wherein the server comprises 2 or more network cards, the network cards serve the management network and provide network connectivity for the virtual machine service network created on the server, and the first physical link access mode connects the server to a management network switch and an intranet switch;
allocating a second physical link access mode to the network cards of a server accessing the second AZ, wherein the server comprises 2 or more network cards, the network cards serve the management network and provide network connectivity for the virtual machine service network created on the server, and the second physical link access mode connects the server to a management network switch and a DMZ zone switch;
selecting a server accessing the first AZ and configuring a first Dynamic Host Configuration Protocol (DHCP) service on it, wherein at least one server is selected and the first DHCP service obtains IP addresses for the created intranet service virtual machines;
and selecting a server accessing the second AZ and configuring a second DHCP service on it, wherein at least one server is selected and the second DHCP service obtains IP addresses for the created internet service virtual machines.
2. The method of claim 1, wherein after selecting a server accessing the second AZ and before configuring the second DHCP service on it, the method further comprises:
detecting whether the server has completed installation of the Openstack-neutron software package;
if so, configuring the second DHCP service on the server;
if not, prompting the user to install the software package.
3. The method of claim 1, wherein allocating a first physical link access mode to the network cards of a server accessing the first AZ comprises:
connecting both the computing node management network card and the control node management network card of the first AZ to the management network switch, connecting the service network card to the intranet switch, and setting the intranet switch port to trunk mode so that it carries the designated service network VLAN.
4. The method of claim 1, wherein allocating a second physical link access mode to the network cards of a server accessing the second AZ comprises:
connecting the computing node management network cards of the second AZ uniformly to the management network switch, connecting the service network card to the DMZ zone switch, and setting the DMZ zone switch port to trunk mode so that it carries the corresponding service network VLAN.
5. The method of claim 2, wherein configuring the second DHCP service on the server comprises:
modifying the dhcp agent configuration file, wherein the dhcp agent is a functional component provided by the OpenStack platform and the configuration file belongs to the Openstack-neutron software package;
starting the dhcp agent service;
and configuring a network scheduling policy, restarting the network service, and providing the DHCP service for the virtual machines in the network.
6. The method according to any one of claims 1 to 5, wherein the host server on which a virtual machine accessing the internet in the second AZ is located receives the management and call requests sent by the OpenStack control node.
7. An apparatus for implementing virtual machine security isolation based on OpenStack, comprising:
a creating unit, configured to create a first availability zone (AZ) and a second AZ through a Nova component, wherein the first AZ is the set of servers that access intranet services, the second AZ is the set of servers that access demilitarized zone (DMZ) internet services, and the first AZ and the second AZ are each connected with a plurality of computing nodes generated by the accessed servers;
a first allocation unit, configured to allocate a first physical link access mode to the network cards of a server accessing the first AZ, wherein the server comprises 2 or more network cards, the network cards serve the management network and provide network connectivity for the virtual machine service network created on the server, and the first physical link access mode connects the server to a management network switch and an intranet switch;
a second allocation unit, configured to allocate a second physical link access mode to the network cards of a server accessing the second AZ, wherein the server comprises 2 or more network cards, the network cards serve the management network and provide network connectivity for the virtual machine service network created on the server, and the second physical link access mode connects the server to a management network switch and a DMZ zone switch;
a first configuration unit, configured to select a server accessing the first AZ and to configure a first Dynamic Host Configuration Protocol (DHCP) service on it, wherein at least one server is selected and the first DHCP service obtains IP addresses for the created intranet service virtual machines;
and a second configuration unit, configured to select a server accessing the second AZ and to configure a second DHCP service on it, wherein at least one server is selected and the second DHCP service obtains IP addresses for the created internet service virtual machines.
8. The apparatus of claim 7, further comprising:
a detecting unit, configured to detect whether the server has completed installation of the Openstack-neutron software package;
and a prompting unit, configured to prompt the user to install the software package if the detecting unit does not detect the Openstack-neutron software package.
9. The apparatus of claim 7, wherein the first allocation unit comprises:
a first access module, configured to connect both the computing node management network card and the control node management network card of the first AZ to the management network switch, to connect the service network card to the intranet switch, and to set the intranet switch port to trunk mode so that it carries the designated service network VLAN.
10. A system for implementing virtual machine isolation based on OpenStack, comprising:
a router, a firewall, an intranet switch, a management network switch, a DMZ zone switch, a plurality of intranet servers, a plurality of DMZ zone servers, a computing node management network card, a control node management network card, an internal service network zone and an internet service network;
the router is connected to the intranet switch and to the DMZ zone server, and is also connected to the intranet service network zone and to the firewall;
the internet service network is connected to the firewall;
the DMZ zone server is connected to both the DMZ zone switch and the management switch, forming the DMZ zone network;
the intranet server and the DMZ zone server are each connected with a computing node management network card and a control node management network card;
the intranet switch is connected to the intranet server;
the DMZ zone switch is connected to the DMZ zone server through a trunk-mode port;
the intranet server is connected to the management network switch through a computing node management network card;
and the DMZ zone server is connected to the management network switch through a computing node management network card.
CN202010903348.7A 2020-09-01 2020-09-01 Method for realizing virtual machine security isolation based on OpenStack Active CN112099913B (en)

Publications (2)

Publication Number Publication Date
CN112099913A CN112099913A (en) 2020-12-18
CN112099913B true CN112099913B (en) 2023-12-01

Family

ID=73757379

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant