CN112187671B - Network access method and related equipment thereof - Google Patents

Info

Publication number: CN112187671B
Application number: CN202011224128.8A
Authority: CN (China)
Prior art keywords: accessed, network, container group, container, determining
Legal status: Active
Other languages: Chinese (zh)
Other versions: CN112187671A (en)
Inventor: 姜智成
Current assignee: Beijing Kingsoft Cloud Network Technology Co Ltd
Original assignee: Beijing Kingsoft Cloud Network Technology Co Ltd

Events: application filed by Beijing Kingsoft Cloud Network Technology Co Ltd; priority to CN202011224128.8A; publication of CN112187671A; application granted; publication of CN112187671B; current legal status: Active.

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L47/00 Traffic control in data switching networks
    • H04L47/70 Admission control; Resource allocation
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00 Arrangements for program control, e.g. control units
    • G06F9/06 Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/44 Arrangements for executing specific programs
    • G06F9/455 Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
    • G06F9/45533 Hypervisors; Virtual machine monitors
    • G06F9/45558 Hypervisor-specific management and integration aspects
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/10 Protocols in which an application is distributed across nodes in the network
    • H04L67/1097 Protocols in which an application is distributed across nodes in the network for distributed storage of data in networks, e.g. transport arrangements for network file system [NFS], storage area networks [SAN] or network attached storage [NAS]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/2866 Architectures; Arrangements
    • H04L67/30 Profiles
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00 Arrangements for program control, e.g. control units
    • G06F9/06 Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/44 Arrangements for executing specific programs
    • G06F9/455 Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
    • G06F9/45533 Hypervisors; Virtual machine monitors
    • G06F9/45558 Hypervisor-specific management and integration aspects
    • G06F2009/45595 Network integration; Enabling network access in virtual machine instances
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D10/00 Energy efficient computing, e.g. low power processors, power management or thermal management

Abstract

The application discloses a network access method and related equipment. The method first sets the network namespace of the container group (Pod) to be attached to the network namespace of the target host, so that the target host is located in the Pod's network namespace; it then obtains the virtual network device corresponding to the Pod and configures the Pod's network interface (network card) data according to that device, so that the Pod is attached to the VPC network through the virtual network device. This achieves the aim of attaching a container group to a VPC network.

Description

Network access method and related equipment thereof
Technical Field
The present disclosure relates to data processing technologies, and in particular to a network access method and related devices.
Background
In a cluster built on Kubernetes (k8s) and Kata Containers, a virtual machine serves as a computing node (worker node), at least one container group (Pod) may be deployed in that virtual machine, and the containers in the same Pod share one network namespace.
In some cases, container groups located on different hosts each need to be attached to a virtual private cloud (VPC) network, so that the VPC keeps those container groups in the same subnet and they can communicate with each other over it.
However, how to attach a container group to a VPC network remains a technical problem to be solved.
Disclosure of Invention
To solve the above problem, the application provides a network access method and related equipment that attach a container group to a VPC network.
In order to achieve the above object, the technical solution provided in the embodiments of the present application is as follows:
The embodiment of the application provides a network access method comprising the following steps:
setting the network namespace of the container group to be attached to the network namespace of a target host, so that the target host is located in the network namespace of the container group to be attached; the container group to be attached is deployed on a target virtual machine, and the target virtual machine runs on the target host;
obtaining the virtual network device corresponding to the container group to be attached;
and configuring the network card data of the container group to be attached according to that virtual network device, so that the container group is attached to a virtual private cloud network through the virtual network device.
In a possible implementation, obtaining the virtual network device corresponding to the container group to be attached includes:
obtaining the name identifier of the container group to be attached;
and determining the virtual network device corresponding to the container group according to that name identifier.
In a possible implementation, determining the virtual network device corresponding to the container group according to its name identifier includes:
determining the container network interface file path corresponding to the container group according to its name identifier;
determining the container network interface file corresponding to the container group according to that file path;
and determining the virtual network device corresponding to the container group according to that container network interface file.
In a possible implementation, determining the container network interface file path according to the name identifier includes:
splicing preset file path information and the name identifier of the container group in a preset manner to obtain the container network interface file path corresponding to the container group.
In a possible implementation, the method further includes:
judging whether the network namespace of the target host meets a first condition;
and setting the network namespace of the container group to be attached to the network namespace of the target host then includes:
when the network namespace of the target host meets the first condition, setting the network namespace of the container group to be attached to the network namespace of the target host.
In a possible implementation, the method further includes:
obtaining the network access parameter of the container group to be attached;
and setting the network namespace of the container group to be attached to the network namespace of the target host then includes:
when the network access parameter of the container group meets a second condition, setting the network namespace of the container group to be attached to the network namespace of the target host.
In a possible implementation, obtaining the network access parameter of the container group to be attached includes:
obtaining the configuration file of the container group to be attached;
and determining the network access parameter of the container group from that configuration file.
The embodiment of the application also provides a network access device, comprising:
a namespace determining unit, which sets the network namespace of the container group to be attached to the network namespace of the target host so that the target host is located in the container group's network namespace; the container group to be attached is deployed on a target virtual machine, and the target virtual machine runs on the target host;
a device obtaining unit, which obtains the virtual network device corresponding to the container group to be attached;
and a network access unit, which configures the network card data of the container group to be attached according to that virtual network device, so that the container group is attached to a virtual private cloud network through it.
The embodiment of the application also provides a device comprising a processor and a memory:
the memory stores a computer program;
the processor executes any implementation of the network access method provided by this embodiment according to that computer program.
The embodiment of the application also provides a computer-readable storage medium storing a computer program for executing any implementation of the network access method provided by this embodiment.
Compared with the prior art, the embodiment of the application has at least the following advantage:
in the network access method provided here, the network namespace of the container group to be attached is first set to the network namespace of the target host, so that the target host is located in that namespace; the virtual network device corresponding to the container group is then obtained, and the container group's network card data is configured according to it, so that the container group is attached to the VPC network through the virtual network device, which achieves the aim of attaching a container group to a VPC network. The container group to be attached is deployed on the target virtual machine, and the target virtual machine runs on the target host.
Drawings
In order to more clearly illustrate the embodiments of the present application or the technical solutions in the prior art, the drawings that are required to be used in the embodiments or the description of the prior art will be briefly described below, and it is obvious that the drawings in the following description are only some embodiments described in the present application, and other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
Fig. 1 is a flowchart of a network access method provided in an embodiment of the present application;
fig. 2 shows the correspondence between a host, a virtual machine and a container group provided in an embodiment of the present application;
fig. 3 is a schematic diagram of a CNI file path provided in an embodiment of the present application;
fig. 4 is a schematic diagram of a k8s+kata-based VPC network access method according to an embodiment of the present application;
fig. 5 is a schematic structural diagram of a network access device according to an embodiment of the present application;
fig. 6 is a schematic diagram of an apparatus structure according to an embodiment of the present application.
Detailed Description
In order to facilitate understanding of the technical solutions of the present application, some technical terms related to the present application are described below.
Kubernetes (k8s) is a container-based cluster management platform. A Kubernetes cluster may include a master node and multiple computing nodes (worker nodes), each communicatively connected to the master node; the master node manages and controls the computing nodes. The computing nodes are the workload nodes: each may host at least one container group (Pod), and each Pod holds one or more containers carrying packaged software programs.
A Pod is the basic unit of operation in Kubernetes and the smallest deployable unit that can be created, scheduled and managed. Containers in the same Pod share network resources such as the IP address: if a first Pod contains three containers and has a first IP address, all three containers share that address.
Kata Containers is an open source container project that aims to combine the security advantages of virtual machines with the speed and manageability of containers. It was formed by merging two existing open source projects, Intel Clear Containers and Hyper runV, and runs each Pod in a lightweight virtual machine with its own guest kernel, which addresses the isolation problems of conventional containers that share the host kernel.
kata-runtime (written kata-run in the source) is the Kata component that handles the commands defined by the OCI (Open Container Initiative) runtime specification and launches a kata-shim instance when an OCI-compatible container is run. kata-shim is another Kata component and is used to monitor the container process.
QEMU is a machine emulator and virtualizer that runs the Kata virtual machine; kata-runtime issues commands to it (for example the hot-plug commands used to attach a cloud disk) through the QMP (QEMU Machine Protocol) interface that QEMU provides.
A tap device is a virtual network device in the operating-system kernel. It behaves like an Ethernet device and carries data-link-layer packets (Ethernet frames), so a user-space program such as a virtual machine monitor can read frames from it and inject frames into it. Tap devices are typically created on the host.
kvgw is a kernel-side component that maintains the VPC network, and vgw-agent is the component that manages kvgw.
dhclient is a common Linux command that dynamically configures the network parameters of a network interface using the Dynamic Host Configuration Protocol (DHCP).
Network namespaces implement network isolation: they partition network devices, addresses, ports, routes, firewall rules and so on into separate boxes, virtualizing the network within a single running kernel instance. Objects in the same network namespace share its network resources; for example, all containers of one Pod are in the same network namespace and therefore share its network resources.
In order to make the present application solution better understood by those skilled in the art, the following description will clearly and completely describe the technical solution in the embodiments of the present application with reference to the accompanying drawings in the embodiments of the present application, and it is apparent that the described embodiments are only some embodiments of the present application, not all embodiments. All other embodiments, which can be made by one of ordinary skill in the art without undue burden from the present disclosure, are within the scope of the present disclosure.
Method embodiment one
Referring to fig. 1, the figure is a flowchart of a network access method provided in an embodiment of the present application.
The network access method provided by the embodiment of the application comprises S101-S103:
s101: and determining the network namespaces of the to-be-accessed container groups as the network namespaces of the target hosts so that the target hosts are located in the network namespaces of the to-be-accessed container groups.
The group of containers to be accessed refers to a group of containers that need to be accessed to the VPC network, and the group of containers to be accessed includes at least one container. For example, as shown in fig. 2, if the set of containers to be accessed is Pod203, the set of containers to be accessed may include N containers. Wherein N is a positive integer.
In addition, the set of containers to be accessed is deployed on a target virtual machine, and the target virtual machine is installed on a target host machine. For example, as shown in fig. 2, when the host 201 is installed with the virtual machine 202, the virtual machine 202 is deployed with the Pod203, and the Pod203 includes N containers, if the set of containers to be accessed is the Pod203, the target virtual machine is the virtual machine 202, and the target host is the host 201.
Based on the above description of S101, in the embodiment of the present application, if the container group to be accessed is to be accessed to the VPC network, the network namespace of the container group to be accessed may be determined as the network namespace of the target host, so that the target host is located in the network namespace of the container group to be accessed, so that the container group to be accessed and the target host are located in the same network namespace, and further communication between the container group to be accessed and the target host is enabled.
It should be noted that the embodiment of the present application is not limited to the implementation of S101, and may be implemented by any method capable of determining the network namespace of the container group to be accessed as the network namespace of the target host.
S102: and obtaining virtual network equipment corresponding to the container group to be accessed.
The virtual network device is what attaches the container group to the VPC network. The embodiment does not restrict its type; for example, it may be a tap device.
In addition, the embodiment of the application does not limit the obtaining mode of the virtual network device corresponding to the container group to be accessed. For ease of understanding, the following description is provided in connection with examples.
As an example, S102 may specifically include S1021-S1022:
s1021: and acquiring the name identification of the container group to be accessed.
The name identifier of the to-be-accessed container group (also called as an ID of the to-be-accessed container group) is used for uniquely identifying the to-be-accessed container group. In addition, the embodiment of the application is not limited to the method for acquiring the name identifier of the container group to be accessed, and may be implemented by any method that can acquire the name identifier of the container group to be accessed existing or appearing in the future.
S1022: and determining virtual network equipment corresponding to the container group to be accessed according to the name identification of the container group to be accessed.
The embodiment of the present application is not limited to the implementation of S1022, and in order to facilitate understanding of S1022, description will be made below with reference to examples.
As an example, S1022 may include S10221-S10223 in particular:
s10221: and determining a container network interface file path corresponding to the container group to be accessed according to the name identification of the container group to be accessed.
The container network interface file path refers to a storage path of a container network interface (Container Network Interface, CNI) file corresponding to a container group to be accessed. Wherein, the container network interface file (abbreviated as CNI file) is used for recording VPC network parameters of the container group to be accessed (for example, virtual network device names corresponding to the container group to be accessed)
In addition, the embodiment of the present application is not limited to the embodiment of S10221. For example, S10221 may specifically be: and splicing the preset file path information and the name identifier of the container group to be accessed according to a preset mode to obtain a container network interface file path corresponding to the container group to be accessed.
The preset file path information refers to preset path information, and the preset file path information may include at least one level of directory. For example, if the container network interface file path includes a level T directory, the default file path information may refer to the level 1 directory through the level T-1 directory, and the name identifier of the container group to be accessed may be the level T directory. Therefore, the container network interface file path can uniquely identify the storage path of the container network interface file corresponding to the container group to be accessed because different container groups to be accessed have different name identifications. Wherein T is a positive integer.
In addition, the preset manner may be preset, for example, the preset manner may refer to a directory stitching manner (that is, a symbol "\") needs to be added between different stitching objects).
Based on the above-mentioned related content of S10221, in some cases, the container network interface file path corresponding to the container group to be accessed may be determined according to the name identifier of the container group to be accessed. For example, as shown in fig. 3, when the container network interface file path includes a T-level directory, the preset file path information includes a 1 st-level directory to a T-1 st-level directory, and the name identifier of the container group to be accessed may be used as the T-level directory, the preset file path information and the name identifier of the container group to be accessed may be spliced according to a directory splicing manner, so as to obtain the container network interface file path corresponding to the container group to be accessed.
S10222: and determining the container network interface file corresponding to the container group to be accessed according to the container network interface file path corresponding to the container group to be accessed.
In this embodiment of the present application, after a container network interface file path corresponding to a container group to be accessed is obtained, a file stored in the container network interface file path may be determined as a container network interface file corresponding to the container group to be accessed, so that a virtual network device corresponding to the container group to be accessed may be determined based on the container network interface file.
S10223: and determining virtual network equipment corresponding to the container group to be accessed according to the container network interface file corresponding to the container group to be accessed.
In this embodiment of the present application, after obtaining a container network interface file corresponding to a container group to be accessed, a virtual network device corresponding to the container group to be accessed may be determined according to the container network interface file, and the determining process may specifically be: and reading the virtual network equipment name from the container network interface file, and determining the virtual network equipment corresponding to the container group to be accessed according to the virtual network equipment name.
Based on the above-mentioned content related to S10221 to S10223, in some cases, the container network interface file path corresponding to the container group to be accessed may be determined according to the name identifier of the container group to be accessed; and determining virtual network equipment (such as tap equipment) corresponding to the container group to be accessed according to the container network interface file stored under the container network interface file path so as to be capable of accessing the VPC network based on the virtual network equipment.
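The path splicing and CNI-file lookup of S10221-S10223, as an added Python example that is not part of the patent or of any Kata Containers or Kubernetes code. It assumes a layout of <base_dir>/<pod_id>/cni.json with the device name under a "device" key, assumes the name identifier is a 64-character hex sandbox ID, and validates both the identifier and the resolved path before reading, so a crafted identifier cannot escape the preset directory. The sample CNI tree is constructed in a temporary directory.

```python
import json
import os
import re
import tempfile

# Assumed layout (not specified by the patent): the CNI file for a Pod lives
# at <base_dir>/<pod_id>/cni.json and is a JSON object whose "device" key
# holds the name of the virtual network device (a tap). File name, format
# and key are assumptions made for this example.
CNI_FILE_NAME = "cni.json"
DEVICE_KEY = "device"

# A Kubernetes pod sandbox ID is a 64-character lowercase hex string. Using
# that as the allowed form is a conservative assumption; the point is that
# the identifier is validated before it is spliced into a filesystem path.
_POD_ID_RE = re.compile(r"[0-9a-f]{64}")

# Linux interface names are at most IFNAMSIZ-1 = 15 bytes and may not contain
# '/', ':' or whitespace; this allowlist is stricter than the kernel's rule.
_IFNAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,15}")


def cni_file_path(base_dir: str, pod_id: str) -> str:
    """S10221: splice the preset path and the pod ID, refusing traversal.

    The pod ID becomes the last directory level. Because the ID comes from
    outside this code, it is validated first, and the joined path is
    resolved and checked to still lie under base_dir before any file I/O.
    """
    if not _POD_ID_RE.fullmatch(pod_id):
        raise ValueError(f"pod id has unexpected form: {pod_id!r}")
    base = os.path.realpath(base_dir)
    path = os.path.realpath(os.path.join(base, pod_id, CNI_FILE_NAME))
    if os.path.commonpath([base, path]) != base:
        raise ValueError("resolved CNI path escapes the base directory")
    return path


def valid_device_name(name) -> bool:
    """True when name is a plausible Linux network interface name."""
    return isinstance(name, str) and _IFNAME_RE.fullmatch(name) is not None


def virtual_device_name(base_dir: str, pod_id: str) -> str:
    """S10222-S10223: load the CNI file at the spliced path and read the
    virtual network device name recorded in it."""
    path = cni_file_path(base_dir, pod_id)
    with open(path, "r", encoding="utf-8") as fh:
        cni = json.load(fh)
    name = cni.get(DEVICE_KEY)
    if not valid_device_name(name):
        raise ValueError(f"CNI file {path} has no usable device name: {name!r}")
    return name


def demo() -> str:
    """Build a constructed CNI tree in a temp dir and resolve one Pod's tap."""
    pod_id = "7f" * 32  # constructed 64-hex sandbox ID
    with tempfile.TemporaryDirectory() as base:
        os.makedirs(os.path.join(base, pod_id))
        with open(os.path.join(base, pod_id, CNI_FILE_NAME), "w", encoding="utf-8") as fh:
            json.dump({DEVICE_KEY: "tap0"}, fh)
        return virtual_device_name(base, pod_id)


if __name__ == "__main__":
    print(demo())
```

The identifier check is the first line of defence and the commonpath check the second; keeping both means a future relaxation of the identifier format (for example to accept names with dots) does not silently reopen traversal.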
S103: and configuring network card data of the container group to be accessed according to virtual network equipment corresponding to the container group to be accessed, so that the container group to be accessed is accessed to the virtual private cloud network through the virtual network equipment.
In this embodiment of the present application, after determining a virtual network device corresponding to a container group to be accessed, network card data of the container group to be accessed may be configured according to the virtual network device, so that the configured container group to be accessed may be accessed to a VPC network through the virtual network device.
Based on the above-mentioned content related to S101 to S103, in the network access method provided in the embodiment of the present application, the network namespace of the container group to be accessed is first determined as the network namespace of the target host, so that the container group to be accessed and the target host share the same network namespace; and obtaining virtual network equipment corresponding to the container group to be accessed, and configuring network card data of the container group to be accessed according to the virtual network equipment corresponding to the container group to be accessed, so that the container group to be accessed can be accessed to the VPC network through the virtual network equipment, and the aim of accessing the container group to the VPC network is fulfilled.
Method embodiment II
In practice, some groups of containers need access to the VPC network, while some groups of containers do not. In order to meet the above-mentioned service requirement, the embodiment of the present application further provides a possible implementation manner of the network access method, where the implementation manner may further include S104 in addition to S101-S103 described above:
S104: and acquiring network access parameters of the container group to be accessed.
The network access parameter is used to describe whether the container group to be accessed needs to be accessed to the VPC network.
In addition, the embodiments of the present application do not limit the network access parameters, for example, the network access parameters may be expressed as UseVPC, and if usevpc=true, it is determined that the container group to be accessed needs to be accessed to the VPC network; if usevpc=false, it is determined that there is no need to access the set of containers to be accessed to the VPC network.
In addition, the embodiment of the application does not limit the acquisition mode of the network access parameters. For example, in some cases, the network access parameters may be recorded in a profile of the set of containers to be accessed, so the network access parameters may be determined from the profile. Based on this, the embodiment of the present application further provides a possible implementation manner of S104, which may specifically include S1041-S1042:
s1041: and acquiring a configuration file of the container group to be accessed.
The configuration file is used for recording configuration parameters related to the container group to be accessed. In addition, the embodiments of the present application do not limit the configuration file, for example, the configuration file of the container group to be accessed may record the network access parameters of the container group to be accessed.
S1042: and determining network access parameters of the container group to be accessed according to the configuration file of the container group to be accessed.
In this embodiment of the present application, after a configuration file of a container group to be accessed is obtained, a network access parameter of the container group to be accessed may be read from the configuration file, so that whether the container group to be accessed needs to be accessed to a VPC network or not can be determined based on the network access parameter, thereby determining whether a VPC network access procedure needs to be started for the container group to be accessed.
Based on the above-mentioned content related to S1041 to S1042, in some cases, a configuration file of the container group to be accessed may be obtained first, and then the network access parameters of the container group to be accessed may be read from the configuration file, so that whether the VPC network access procedure (that is, the network access method provided by the embodiment of the present application) needs to be started for the container group to be accessed can be determined based on the network access parameters.
S105: judging whether the network access parameters of the container group to be accessed meet the second condition, if so, executing S101; if not, carrying out network setting on the container group to be accessed according to a preset network setting flow.
The second condition may be preset. For example, the second condition may be that the network access parameter equals a preset parameter value. It should be noted that the embodiment of the present application does not limit the preset parameter value; for example, if the parameter value of the network access parameter may be true or false, the preset parameter value may be true, so that the second condition may be set to "the network access parameter equals true".
The preset network setting flow is a preset container group network setting flow. In addition, the embodiment of the present application is not limited to the preset network setting procedure, and for example, the preset network setting procedure may be any procedure that is capable of performing network setting for a container group, existing or occurring in the future.
Based on the above-mentioned content related to S105, after obtaining the network access parameter of the container group to be accessed, it may be directly determined whether the network access parameter meets a second condition (e.g., whether the network access parameter is equal to true) or not, if so, it is determined that the container group to be accessed needs to be accessed to the VPC network, thereby determining that the VPC network access procedure needs to be started for the container group to be accessed (i.e., the network access method provided by the embodiment of the present application); if not, determining that the container group to be accessed is not required to be accessed to the VPC network, and thus, performing network setting on the container group to be accessed according to a preset network setting flow.
Based on the above-mentioned related content of S104 to S105, in the embodiment of the present application, when the network setting needs to be performed on the container group to be accessed, the network access parameter of the container group to be accessed may be obtained first, and then it is determined whether the VPC network access procedure needs to be started for the container group to be accessed according to the network access parameter, so that when it is determined that the VPC network access procedure needs to be started for the container group to be accessed, any implementation mode (e.g., S101 to S103) of the network access method provided in the embodiment of the present application is used to implement the access of the container to be accessed into the VPC network.
In some cases, in order to avoid that the VPC network access procedure of the container group to be accessed is in an abnormal state due to the influence of other procedures on the VPC network access procedure of the container group to be accessed, whether the VPC network access procedure of the container group to be accessed is in a non-interfered state may be determined according to the setting state of the network namespace of the target host. Based on this, the embodiment of the present application further provides another possible implementation manner of the network access method, where the implementation manner may further include S106 in addition to the partial steps or all the steps described above:
S106: judging whether the network namespace of the target host meets a first condition; if so, executing S101; if not, generating alarm information indicating that the VPC network access flow is abnormal.
The first condition may be preset. For example, the first condition may be that the network namespace of the target host has not yet been configured, and in particular that it has not been configured as the network namespace of the container group to be accessed.
Based on the above-mentioned content related to S106, in some cases, before performing the step of determining the network namespace of the container group to be accessed as the network namespace of the target host, it may be determined whether the network namespace of the target host satisfies the first condition, so that the step of determining the network namespace of the container group to be accessed as the network namespace of the target host is performed only when the network namespace of the target host satisfies the first condition; when the network namespace of the target host does not meet the first condition, an error report is issued, so that a technician can learn in time that the VPC network access flow of the container group to be accessed is in an abnormal state.
In order to facilitate understanding of the network access method provided in the embodiments of the present application, the embodiments of the present application are described in connection with the scene embodiments.
Scene embodiment
In some cases, the network access method provided by the embodiment of the present application may be applied to the application scenario shown in fig. 4. Fig. 4 is a schematic diagram of a k8s+kata-based VPC network access method according to an embodiment of the present application.
In the application scenario shown in fig. 4, a virtual machine 401 is installed on a host machine 400, and a container group 402 is deployed on the virtual machine 401, where the container group 402 includes a container 403 and a container 404. In addition, the tap device 405 corresponds to the network card eth0, so that the container group 402 can access the VPC network through the tap device 405. In addition, the dhclient command can control eth0 to automatically acquire the network IP address when the virtual machine is started.
Based on the application scenario shown in fig. 4, kata-runtime may perform network configuration for the container group 402, and the network configuration process may specifically include steps 1-10:
Step 1: kata-runtime obtains the configuration file of the container group 402.
Step 2: kata-runtime reads the network access parameter UseVPC of the container group 402 from the configuration file of the container group 402.
Step 3: kata-runtime judges whether UseVPC is true; if so, step 4 is executed; if not, the network setting is performed on the container group 402 according to the preset network setting flow.
Step 4: kata-runtime judges whether the network namespace of the host 400 meets the first condition; if so, step 5 is executed; if not, it is determined that the VPC network access procedure of the container group 402 is in an abnormal state, and alarm information indicating that the VPC network access procedure of the container group 402 is abnormal is generated.
Step 5: kata-runtime determines the network namespace of the container group 402 as the network namespace of the host 400, such that the host 400 is located in the network namespace of the container group 402.
Step 6: kata-runtime obtains the name identifier of the container group 402.
Step 7: kata-runtime splices the preset file path information and the name identifier of the container group 402 according to a directory splicing mode to obtain the CNI interface file path corresponding to the container group 402.
Step 8: kata-runtime obtains the CNI interface file corresponding to the container group 402 from the CNI interface file path corresponding to the container group 402.
Step 9: kata-runtime reads the tap device name corresponding to the container group 402 from the CNI interface file corresponding to the container group 402, so as to determine the tap device 405 corresponding to the container group 402 according to that tap device name.
Step 10: the network card data of the container group 402 is configured according to the tap device 405, so that the tap device 405 becomes a network device of the container group 402, thereby enabling the container group 402 to access the VPC network through the tap device 405.
Based on the above description of steps 1 to 10, for k8s+kata-based application scenarios, the network configuration process of the container group 402 may be performed by kata-runtime, so that when it is determined that the container group 402 needs to be accessed to the VPC network, kata-runtime accesses the container group 402 to the VPC network by executing the VPC network access procedure provided by the embodiment of the present application. The container group 402 can then communicate with other container groups accessed to the VPC network by means of the VPC network, so that all container groups accessed to the VPC network remain in the same subnet, and thus the purpose of communicating between container groups located on different hosts can be achieved.
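The decision flow of S104 to S106 and steps 2 to 9 of the kata-runtime scenario above, modelled as an added Go example (this is not code from the patent or from the Kata Containers project): it reads UseVPC from a constructed pod configuration, applies the second condition (S105) and the first condition (S106), splices the preset directory and the pod name into the CNI interface file path, and reads the tap device name from a constructed CNI interface file. The JSON layouts, the preset directory `/run/cni`, the pod names and the tap device name are assumptions; the name validation and the path-containment check are the checks a practitioner would add because the pod name is spliced into a file path.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"path/filepath"
	"regexp"
	"strings"
)

// PodConfig is the assumed layout of the container group's configuration file
// (Steps 1-2); UseVPC is the network access parameter named on the page.
type PodConfig struct {
	Name   string `json:"name"`
	UseVPC bool   `json:"useVPC"`
}

// Decision is the outcome of the S105 (UseVPC) and S106 (host netns) checks.
type Decision int
const (
	UsePresetFlow Decision = iota // UseVPC is not true: preset network setting flow
	AlarmAbnormal                 // first condition not met: raise alarm, do not proceed
	StartVPCFlow                  // run S101-S103 with the tap device found
)

var (
	ErrBadPodName = errors.New("pod name identifier is not a safe path component")
	ErrBadTapName = errors.New("tap device name is not a valid interface name")
	podNameRE     = regexp.MustCompile(`^[a-z0-9]([-a-z0-9.]*[a-z0-9])?$`)
	ifaceNameRE   = regexp.MustCompile(`^[A-Za-z0-9_.-]{1,15}$`)
)

// cniFilePath is Step 7: splice the preset path info and the pod's name identifier.
// The name comes from the pod configuration, so it is validated and the result is checked to stay under presetDir.
func cniFilePath(presetDir, podName string) (string, error) {
	if !podNameRE.MatchString(podName) {
		return "", ErrBadPodName
	}
	p := filepath.Join(presetDir, podName+".json")
	if rel, err := filepath.Rel(presetDir, p); err != nil || strings.HasPrefix(rel, "..") {
		return "", ErrBadPodName
	}
	return p, nil
}

// tapDeviceFromCNI is Step 9: read the tap device name from the CNI interface file
// (assumed JSON layout) and check it is a plausible Linux interface name (<= 15 chars, no separators).
func tapDeviceFromCNI(data []byte) (string, error) {
	var f struct {
		TapDevice string `json:"tapDevice"`
	}
	if err := json.Unmarshal(data, &f); err != nil {
		return "", err
	}
	if !ifaceNameRE.MatchString(f.TapDevice) {
		return "", ErrBadTapName
	}
	return f.TapDevice, nil
}

// planNetwork runs Steps 2-4 and 6-9 and returns the decision plus the tap device
// for Step 10. hostNetns is the namespace the host is currently configured for
// ("" means not configured, so the first condition holds); readFile abstracts the file system.
func planNetwork(cfgData []byte, hostNetns, presetDir string,
	readFile func(string) ([]byte, error)) (Decision, string, error) {
	var cfg PodConfig
	if err := json.Unmarshal(cfgData, &cfg); err != nil {
		return AlarmAbnormal, "", err
	}
	if !cfg.UseVPC { // Step 3: second condition not met
		return UsePresetFlow, "", nil
	}
	if hostNetns != "" { // Step 4: another flow already touched the host netns
		return AlarmAbnormal, "", nil
	}
	// Step 5 (switching the host into the pod's network namespace) would run here.
	path, err := cniFilePath(presetDir, cfg.Name) // Steps 6-7
	if err != nil {
		return AlarmAbnormal, "", err
	}
	raw, err := readFile(path) // Step 8
	if err != nil {
		return AlarmAbnormal, "", err
	}
	tap, err := tapDeviceFromCNI(raw) // Step 9
	if err != nil {
		return AlarmAbnormal, "", err
	}
	return StartVPCFlow, tap, nil
}

func main() {
	// Constructed sample inputs, not taken from any real deployment.
	files := map[string][]byte{"/run/cni/pod-a.json": []byte(`{"tapDevice":"tap0"}`)}
	readFile := func(p string) ([]byte, error) { return files[p], nil }
	d, tap, err := planNetwork([]byte(`{"name":"pod-a","useVPC":true}`), "", "/run/cni", readFile)
	fmt.Println(d == StartVPCFlow, tap, err)
}
```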
Based on the network access method provided by the above method embodiment, the embodiment of the application also provides a network access device, which is explained and illustrated below with reference to the accompanying drawings.
Device embodiment
For the technical details of the network access device provided in the device embodiment, please refer to the above method embodiment.
Referring to fig. 5, the structure of a network access device according to an embodiment of the present application is shown.
The network access device 500 provided in the embodiment of the present application includes:
a space determining unit 501, configured to determine a network namespace of a container group to be accessed as a network namespace of a target host, so that the target host is located in the network namespace of the container group to be accessed; the to-be-accessed container group is deployed on a target virtual machine, and the target virtual machine is installed on the target host machine;
a device obtaining unit 502, configured to obtain a virtual network device corresponding to the container group to be accessed;
the network access unit 503 is configured to configure network card data of the container group to be accessed according to the virtual network device corresponding to the container group to be accessed, so that the container group to be accessed accesses to the virtual private cloud network through the virtual network device.
In a possible implementation manner, the device obtaining unit 502 includes:
the first acquisition subunit is used for acquiring the name identification of the container group to be accessed;
and the first determination subunit is used for determining virtual network equipment corresponding to the container group to be accessed according to the name identification of the container group to be accessed.
In one possible embodiment, the first determining subunit includes:
a second determining subunit, configured to determine a container network interface file path corresponding to the container group to be accessed according to the name identifier of the container group to be accessed;
a third determining subunit, configured to determine, according to the container network interface file path corresponding to the container group to be accessed, a container network interface file corresponding to the container group to be accessed;
and the fourth determining subunit is used for determining the virtual network equipment corresponding to the container group to be accessed according to the container network interface file corresponding to the container group to be accessed.
In a possible embodiment, the second determining subunit is specifically configured to:
and splicing the preset file path information and the name identifier of the container group to be accessed according to a preset mode to obtain a container network interface file path corresponding to the container group to be accessed.
In one possible implementation, the network access device 500 further includes:
the condition judging unit is used for judging whether the network naming space of the target host meets a first condition;
the space determining unit 501 is specifically configured to: and when the network namespaces of the target hosts meet the first condition, determining the network namespaces of the to-be-accessed container groups as the network namespaces of the target hosts.
In one possible implementation, the network access device 500 further includes:
the parameter acquisition unit is used for acquiring network access parameters of the container group to be accessed;
the space determining unit 501 is specifically configured to: and when the network access parameters of the container group to be accessed meet the second condition, determining the network naming space of the container group to be accessed as the network naming space of the target host.
In a possible implementation manner, the parameter obtaining unit is specifically configured to:
Acquiring a configuration file of the container group to be accessed;
and determining network access parameters of the container group to be accessed according to the configuration file of the container group to be accessed.
Based on the above-mentioned related content of the network access device 500, for the network access device 500, the network namespace of the container group to be accessed is determined as the network namespace of the target host, so that the target host is located in the network namespace of the container group to be accessed; and obtaining virtual network equipment corresponding to the container group to be accessed, and configuring network card data of the container group to be accessed according to the virtual network equipment corresponding to the container group to be accessed, so that the container group to be accessed can be accessed to the VPC network through the virtual network equipment, and the aim of accessing the container group to the VPC network is fulfilled.
Based on the network access method provided by the above method embodiment, the embodiment of the application also provides an apparatus, which is explained and illustrated below with reference to the accompanying drawings.
Apparatus embodiment
For the technical details of the apparatus provided in the apparatus embodiment, please refer to the above method embodiment.
Referring to fig. 6, a schematic diagram of an apparatus structure is provided in an embodiment of the present application.
The apparatus 600 provided in the embodiment of the present application includes: a processor 601 and a memory 602;
the memory 602 is used for storing a computer program;
the processor 601 is configured to execute any implementation of the network access method provided in the above method embodiment according to the computer program. That is, the processor 601 is configured to perform the steps of:
determining a network naming space of a container group to be accessed as a network naming space of a target host machine, so that the target host machine is positioned in the network naming space of the container group to be accessed; the to-be-accessed container group is deployed on a target virtual machine, and the target virtual machine is installed on the target host machine;
obtaining virtual network equipment corresponding to the container group to be accessed;
and configuring network card data of the container group to be accessed according to the virtual network equipment corresponding to the container group to be accessed, so that the container group to be accessed is accessed to a virtual private cloud network through the virtual network equipment.
In a possible implementation manner, the obtaining the virtual network device corresponding to the to-be-accessed container group includes:
acquiring the name identification of the container group to be accessed;
And determining virtual network equipment corresponding to the container group to be accessed according to the name identification of the container group to be accessed.
In a possible implementation manner, the determining, according to the name identifier of the to-be-accessed container group, the virtual network device corresponding to the to-be-accessed container group includes:
determining a container network interface file path corresponding to the container group to be accessed according to the name identification of the container group to be accessed;
determining a container network interface file corresponding to the container group to be accessed according to a container network interface file path corresponding to the container group to be accessed;
and determining virtual network equipment corresponding to the container group to be accessed according to the container network interface file corresponding to the container group to be accessed.
In a possible implementation manner, the determining, according to the name identifier of the container group to be accessed, a container network interface file path corresponding to the container group to be accessed includes:
and splicing the preset file path information and the name identifier of the container group to be accessed according to a preset mode to obtain a container network interface file path corresponding to the container group to be accessed.
In one possible embodiment, the method further comprises:
Judging whether the network naming space of the target host meets a first condition or not;
the determining the network naming space of the container group to be accessed as the network naming space of the target host machine comprises the following steps:
and when the network namespaces of the target hosts meet the first condition, determining the network namespaces of the to-be-accessed container groups as the network namespaces of the target hosts.
In one possible embodiment, the method further comprises:
acquiring network access parameters of the container group to be accessed;
the determining the network naming space of the container group to be accessed as the network naming space of the target host machine comprises the following steps:
and when the network access parameters of the container group to be accessed meet the second condition, determining the network naming space of the container group to be accessed as the network naming space of the target host.
In a possible implementation manner, the acquiring the network access parameter of the to-be-accessed container group includes:
acquiring a configuration file of the container group to be accessed;
and determining network access parameters of the container group to be accessed according to the configuration file of the container group to be accessed.
The foregoing relates to the apparatus 600 provided in the embodiments of the present application.
Based on the network access method provided by the above method embodiment, the embodiment of the application also provides a computer readable storage medium.
Media embodiment
For technical details of the computer-readable storage medium provided in the medium embodiment, please refer to the method embodiment.
The present application provides a computer readable storage medium for storing a computer program for executing any implementation of the network access method provided by the above method embodiments. That is, the computer program is for performing the steps of:
determining a network naming space of a container group to be accessed as a network naming space of a target host machine, so that the target host machine is positioned in the network naming space of the container group to be accessed; the to-be-accessed container group is deployed on a target virtual machine, and the target virtual machine is installed on the target host machine;
obtaining virtual network equipment corresponding to the container group to be accessed;
and configuring network card data of the container group to be accessed according to the virtual network equipment corresponding to the container group to be accessed, so that the container group to be accessed is accessed to a virtual private cloud network through the virtual network equipment.
In a possible implementation manner, the obtaining the virtual network device corresponding to the to-be-accessed container group includes:
acquiring the name identification of the container group to be accessed;
and determining virtual network equipment corresponding to the container group to be accessed according to the name identification of the container group to be accessed.
In a possible implementation manner, the determining, according to the name identifier of the to-be-accessed container group, the virtual network device corresponding to the to-be-accessed container group includes:
determining a container network interface file path corresponding to the container group to be accessed according to the name identification of the container group to be accessed;
determining a container network interface file corresponding to the container group to be accessed according to a container network interface file path corresponding to the container group to be accessed;
and determining virtual network equipment corresponding to the container group to be accessed according to the container network interface file corresponding to the container group to be accessed.
In a possible implementation manner, the determining, according to the name identifier of the container group to be accessed, a container network interface file path corresponding to the container group to be accessed includes:
and splicing the preset file path information and the name identifier of the container group to be accessed according to a preset mode to obtain a container network interface file path corresponding to the container group to be accessed.
In one possible embodiment, the method further comprises:
judging whether the network naming space of the target host meets a first condition or not;
the determining the network naming space of the container group to be accessed as the network naming space of the target host machine comprises the following steps:
and when the network namespaces of the target hosts meet the first condition, determining the network namespaces of the to-be-accessed container groups as the network namespaces of the target hosts.
In one possible embodiment, the method further comprises:
acquiring network access parameters of the container group to be accessed;
the determining the network naming space of the container group to be accessed as the network naming space of the target host machine comprises the following steps:
and when the network access parameters of the container group to be accessed meet the second condition, determining the network naming space of the container group to be accessed as the network naming space of the target host.
In a possible implementation manner, the acquiring the network access parameter of the to-be-accessed container group includes:
acquiring a configuration file of the container group to be accessed;
and determining network access parameters of the container group to be accessed according to the configuration file of the container group to be accessed.
The foregoing relates to the computer readable storage medium provided by the embodiments of the present application.
It should be understood that in this application, "at least one" means one or more, and "a plurality" means two or more. "And/or" describes the association relationship between associated objects and may represent three relationships; for example, "A and/or B" may represent: only A is present, only B is present, or both A and B are present, wherein A and B may be singular or plural. The character "/" generally indicates that the associated objects are in an "or" relationship. "At least one of" or the like means any combination of the listed items, including any combination of single items or plural items. For example, at least one of a, b or c may represent: a, b, c, "a and b", "a and c", "b and c", or "a and b and c", wherein a, b and c may be single or plural.
The above description is only of the preferred embodiment of the present invention, and is not intended to limit the present invention in any way. While the invention has been described with reference to preferred embodiments, it is not intended to be limiting. Any person skilled in the art can make many possible variations and modifications to the technical solution of the present invention or modifications to equivalent embodiments using the methods and technical contents disclosed above, without departing from the scope of the technical solution of the present invention. Therefore, any simple modification, equivalent variation and modification of the above embodiments according to the technical substance of the present invention still fall within the scope of the technical solution of the present invention.

Claims (10)

1. A network access method, the method comprising:
determining a network naming space of a container group to be accessed as a network naming space of a target host machine, so that the target host machine is positioned in the network naming space of the container group to be accessed; the to-be-accessed container group is deployed on a target virtual machine, and the target virtual machine is installed on the target host machine;
obtaining virtual network equipment corresponding to the container group to be accessed;
and configuring network card data of the container group to be accessed according to the virtual network equipment corresponding to the container group to be accessed, so that the container group to be accessed is accessed to a virtual private cloud network through the virtual network equipment.
2. The method of claim 1, wherein the obtaining the virtual network device corresponding to the set of containers to be accessed comprises:
acquiring the name identification of the container group to be accessed;
and determining virtual network equipment corresponding to the container group to be accessed according to the name identification of the container group to be accessed.
3. The method according to claim 2, wherein the determining, according to the name identifier of the to-be-accessed container group, the virtual network device corresponding to the to-be-accessed container group includes:
Determining a container network interface file path corresponding to the container group to be accessed according to the name identification of the container group to be accessed;
determining a container network interface file corresponding to the container group to be accessed according to a container network interface file path corresponding to the container group to be accessed;
and determining virtual network equipment corresponding to the container group to be accessed according to the container network interface file corresponding to the container group to be accessed.
4. A method according to claim 3, wherein the determining, according to the name identifier of the container group to be accessed, a container network interface file path corresponding to the container group to be accessed includes:
and splicing the preset file path information and the name identifier of the container group to be accessed according to a preset mode to obtain a container network interface file path corresponding to the container group to be accessed.
5. The method according to claim 1, wherein the method further comprises:
judging whether the network naming space of the target host meets a first condition or not;
the determining the network naming space of the container group to be accessed as the network naming space of the target host machine comprises the following steps:
and when the network namespaces of the target hosts meet the first condition, determining the network namespaces of the to-be-accessed container groups as the network namespaces of the target hosts.
6. The method according to claim 1, wherein the method further comprises:
acquiring network access parameters of the container group to be accessed;
the determining the network naming space of the container group to be accessed as the network naming space of the target host machine comprises the following steps:
and when the network access parameters of the container group to be accessed meet the second condition, determining the network naming space of the container group to be accessed as the network naming space of the target host.
7. The method of claim 6, wherein the obtaining network access parameters of the set of containers to be accessed comprises:
acquiring a configuration file of the container group to be accessed;
and determining network access parameters of the container group to be accessed according to the configuration file of the container group to be accessed.
8. A network access device, the device comprising:
the space determining unit is used for determining the network naming space of the container group to be accessed as the network naming space of the target host machine so that the target host machine is positioned in the network naming space of the container group to be accessed; the to-be-accessed container group is deployed on a target virtual machine, and the target virtual machine is installed on the target host machine;
The device acquisition unit is used for acquiring virtual network devices corresponding to the container group to be accessed;
the network access unit is used for configuring the network card data of the container group to be accessed according to the virtual network equipment corresponding to the container group to be accessed, so that the container group to be accessed is accessed to a virtual private cloud network through the virtual network equipment.
9. A network access device, the device comprising a processor and a memory:
the memory is used for storing a computer program;
the processor is configured to perform the method of any of claims 1-7 according to the computer program.
10. A computer readable storage medium, characterized in that the computer readable storage medium is for storing a computer program for executing the method of any one of claims 1-7.
CN202011224128.8A 2020-11-05 2020-11-05 Network access method and related equipment thereof Active CN112187671B (en)

Publications (2)

Publication Number Publication Date
CN112187671A CN112187671A (en) 2021-01-05
CN112187671B true CN112187671B (en) 2024-03-12

Family

ID=73917857

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202011224128.8A Active CN112187671B (en) 2020-11-05 2020-11-05 Network access method and related equipment thereof

Country Status (1)

Country Link
CN (1) CN112187671B (en)

Families Citing this family (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112953908A (en) * 2021-01-28 2021-06-11 中国工商银行股份有限公司 Network isolation configuration method, device and system
WO2023098645A1 (en) * 2021-12-01 2023-06-08 百果园技术(新加坡)有限公司 Container network configuration method and apparatus, computing node, master node, and storage medium
CN115086166B (en) * 2022-05-19 2024-03-08 阿里巴巴(中国)有限公司 Computing system, container network configuration method, and storage medium
CN115314448B (en) * 2022-08-11 2023-12-05 北京百度网讯科技有限公司 Method and device for accessing cloud network, electronic equipment and computer medium
CN115473760B (en) * 2022-08-31 2023-12-26 上海仙途智能科技有限公司 Data transmission method and device, terminal equipment and computer readable storage medium

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106060122A (en) * 2016-05-20 2016-10-26 北京奇虎科技有限公司 Docker container uploading/downloading feature control method and device
CN106789363A (en) * 2017-02-20 2017-05-31 郑州云海信息技术有限公司 Method and device for configuring a network interface card for a virtual machine
CN108111470A (en) * 2016-11-25 2018-06-01 华为技术有限公司 Container deployment method, inter-service communication method and related apparatus
CN109582441A (en) * 2018-11-30 2019-04-05 北京百度网讯科技有限公司 System, method and apparatus for providing a container service
CN110704155A (en) * 2018-07-09 2020-01-17 阿里巴巴集团控股有限公司 Container network construction method and device, physical host and data transmission method
CN111404923A (en) * 2020-03-12 2020-07-10 北京金山云网络技术有限公司 Control method and system for access authority of container cluster
CN111796904A (en) * 2020-05-21 2020-10-20 北京中软华泰信息技术有限责任公司 Docker file access control method based on namespace

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8893261B2 (en) * 2011-11-22 2014-11-18 Vmware, Inc. Method and system for VPN isolation using network namespaces
US10819675B2 (en) * 2017-08-14 2020-10-27 Nicira, Inc. Managing network connectivity between cloud computing service endpoints and virtual machines
US10855531B2 (en) * 2018-08-30 2020-12-01 Juniper Networks, Inc. Multiple networks for virtual execution elements

Patent Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106060122A (en) * 2016-05-20 2016-10-26 北京奇虎科技有限公司 Docker container uploading/downloading feature control method and device
WO2017198035A1 (en) * 2016-05-20 2017-11-23 北京奇虎科技有限公司 Method and apparatus for controlling uploading/downloading characteristic of docker container
CN108111470A (en) * 2016-11-25 2018-06-01 华为技术有限公司 Container deployment method, inter-service communication method and related apparatus
CN106789363A (en) * 2017-02-20 2017-05-31 郑州云海信息技术有限公司 Method and device for configuring a network interface card for a virtual machine
CN110704155A (en) * 2018-07-09 2020-01-17 阿里巴巴集团控股有限公司 Container network construction method and device, physical host and data transmission method
CN109582441A (en) * 2018-11-30 2019-04-05 北京百度网讯科技有限公司 System, method and apparatus for providing a container service
CN111404923A (en) * 2020-03-12 2020-07-10 北京金山云网络技术有限公司 Control method and system for access authority of container cluster
CN111796904A (en) * 2020-05-21 2020-10-20 北京中软华泰信息技术有限责任公司 Docker file access control method based on namespace

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
Remote detection method for virtual machines on Microsoft Virtual PC; Han Ling; Cai Wandong; Computer Technology and Development (Issue 12); full text *

Also Published As

Publication number Publication date
CN112187671A (en) 2021-01-05

Similar Documents

Publication Publication Date Title
CN112187671B (en) Network access method and related equipment thereof
CN109067877B (en) Control method for cloud computing platform deployment, server and storage medium
US20220078092A1 (en) Provisioning a service
US10681046B1 (en) Unauthorized device detection in a heterogeneous network
CN107357660A (en) Method and device for allocating virtual resources
CN104718723A (en) A framework for networking and security services in virtual networks
US10270650B2 (en) Data defined infrastructure
US11563799B2 (en) Peripheral device enabling virtualized computing service extensions
CN106462457A (en) Virtualized application cluster
US20210089239A1 (en) Peripheral device for configuring compute instances at client-selected servers
EP2595055A1 (en) Network port profile representation in open virtualization format package
CN114826969B (en) Network connectivity checking method, device, equipment and storage medium
CN110417741B (en) Method and device for filtering security group
CN112328363B (en) Cloud hard disk mounting method and device
CN106487633B (en) method and device for monitoring abnormity of virtual machine
CN107493204B (en) Mirror image detection method and device
CN114461303A (en) Method and device for accessing cluster internal service
US11799743B2 (en) Node addition in cloud networks
CN115185637A (en) Communication method and device for PaaS component management end and virtual machine agent
US20220231916A1 (en) Network time parameter configuration based on logical host group
EP4035003A1 (en) Peripheral device for configuring compute instances at client- selected servers
US10855659B2 (en) Commanding a new device into a provisioning state
CN114448691B (en) Data forwarding method, data plane and switch
CN115145603B (en) Redfish-based method and system for automatically installing an operating system (OS)
CN112446027B (en) Configuration checking method and device, electronic equipment and computer storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant