CN113626150A - Elastic container example implementation method - Google Patents


Info

Publication number
CN113626150A (application CN202110884151.8A)
Authority
CN
China
Prior art keywords
container
resources
eci
network
tenant
Legal status
Pending
Application number
CN202110884151.8A
Other languages
Chinese (zh)
Inventor
生铮
王刚
高传集
Current Assignee
Inspur Cloud Information Technology Co Ltd
Original Assignee
Inspur Cloud Information Technology Co Ltd
Priority date
2021-08-03
Filing date
2021-08-03
Publication date
2021-11-09

Classifications

    • G06F9/45558 Hypervisor-specific management and integration aspects (under G06F9/455 Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines; G06F9/45533 Hypervisors; Virtual machine monitors)
    • G06F2009/45575 Starting, stopping, suspending or resuming virtual machine instances
    • G06F2009/45587 Isolation or security of virtual machine instances
    • G06F2009/45595 Network integration; Enabling network access in virtual machine instances
    • G06F9/5077 Logical partitioning of resources; Management or configuration of virtualized resources (under G06F9/50 Allocation of resources, e.g. of the central processing unit [CPU]; G06F9/5061 Partitioning or combining of resources)
    • H04L67/10 Protocols in which an application is distributed across nodes in the network (under H04L67/00 Network arrangements or protocols for supporting network services or applications; H04L67/01 Protocols)

Abstract

The invention relates to the field of serverless containers, Kubernetes and OpenStack, and discloses an elastic container instance (ECI) implementation method comprising the following steps: S1, using a shared Kubernetes cluster as the real operating environment of the container instances; S2, isolation at the namespace level; S3, strong isolation of underlying resources using a lightweight secure sandbox technology; S4, intranet communication; S5, exposing the service to the external network. Compared with the prior art, all tenants share one Kubernetes cluster, so the operator saves resources and the tenants save cost. OpenStack network resources are introduced, so tenants can partition the network for their container instances as required, which is more flexible than a plain Kubernetes cluster. A secure sandbox technology is introduced to ensure strong isolation between ECIs at the bottom layer. The reachability of an ECI is further extended by binding an EIP to it.

Description

Elastic container instance implementation method
Technical Field
The invention relates to the field of serverless containers, Kubernetes and OpenStack, and in particular provides an elastic container instance implementation method.
Background
A serverless container is an architectural concept: the tenant does not create or manage servers and does not need to monitor their running state, so it can concentrate on service development, while server operation and maintenance is left to dedicated personnel.
Kubernetes is a container orchestration technology. It provides deployment, resource scheduling, service discovery, dynamic scaling and similar functions for containers, and makes large-scale container cluster management more convenient.
OpenStack is an open-source cloud computing management platform project that aims to provide a cloud management platform which is simple to implement, scales to large deployments, is feature-rich and follows unified standards.
Traditionally, running containers requires creating a Kubernetes cluster and then deploying the application workload into it. When the workload consumes few resources, the resources consumed by the cluster itself are wasted. How to avoid this is a technical problem that those skilled in the art urgently need to solve.
Disclosure of Invention
The invention addresses the defects of the prior art and provides a highly practical implementation method.
The technical scheme adopted by the invention to solve the above technical problem is as follows:
an elastic container instance implementation method comprising the following steps:
S1, using a shared Kubernetes cluster as the real operating environment of the container instances;
S2, isolation at the namespace level;
S3, strong isolation of underlying resources using a lightweight secure sandbox technology;
S4, intranet communication;
S5, exposing the service to the external network.
Further, in step S1, the tenant only requests suitable resources for its own application and runs it; container scheduling and scaling out/in are completed automatically by the cluster without tenant intervention.
Further, in step S2, each tenant corresponds to a unique namespace on the cluster, all of the tenant's resources are placed under that namespace, and resources in different namespaces cannot access each other, which provides data isolation.
Further, in step S2, when a tenant creates an ECI, the system first queries whether a namespace with the tenant's name exists:
a) if not, a new namespace is created and the resources are created in it;
b) if it exists, the resources are created directly under that namespace.
Further, in step S3, the secure sandbox is a lightweight virtual machine built according to the container runtime standard.
Preferably, the secure sandbox starts a virtual machine for each container, so that each container has an independent kernel and containers do not affect each other.
Further, in step S4, a network adaptation plug-in is introduced on the Kubernetes cluster. The plug-in integrates the OpenStack VPC network, so that ECIs may be placed in the same or in different VPC networks.
Further, the plug-in captures ECI creation requests by watching the Kubernetes API, calls the OpenStack interface to create a Port under the corresponding VPC, and binds that Port to the ECI.
Further, by default an ECI is reachable only from within its VPC; to make it reachable from the external network an EIP must be bound to it, and a container instance may bind only one EIP.
Compared with the prior art, the elastic container instance implementation method disclosed by the invention has the following notable beneficial effects:
all tenants share one Kubernetes cluster, so the operator saves resources and the tenants save cost. OpenStack network resources are introduced, so tenants can partition the network for their container instances as required, which is more flexible than a plain Kubernetes cluster. A secure sandbox technology is introduced to ensure strong isolation between ECIs at the bottom layer. The reachability of an ECI is further extended by binding an EIP to it.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly introduced below, and it is obvious that the drawings in the following description are some embodiments of the present invention, and for those skilled in the art, other drawings can be obtained according to these drawings without creative efforts.
FIG. 1 is a schematic diagram of tenant data isolation in the elastic container instance implementation method;
FIG. 2 is a schematic diagram of the secure sandbox in the elastic container instance implementation method;
FIG. 3 is a schematic diagram of tenant network isolation in the elastic container instance implementation method.
Detailed Description
The present invention will be described in further detail with reference to specific embodiments in order to better understand the technical solutions of the present invention. It is to be understood that the described embodiments are merely exemplary of the invention, and not restrictive of the full scope of the invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
A preferred embodiment is given below:
the elastic container instance implementation method of this embodiment includes the following steps:
S1, using a shared Kubernetes cluster as the real operating environment of the container instances:
The shared Kubernetes cluster is maintained by administrators and is the real server on which container instances run. The tenant does not need to care about the state of the cluster; it only requests suitable resources for its own application and runs it. Container scheduling and scaling out/in require no tenant intervention and are completed automatically by the cluster.
S2, isolation at the namespace level:
Refer to FIG. 1.
Each tenant corresponds to a unique namespace on the cluster, the tenant's resources are placed in that namespace, and resources in different namespaces cannot access each other, which achieves data isolation.
When a tenant creates an ECI, the system first queries whether a namespace with the tenant's name exists:
a) if not, a new namespace is created and the resources are created in it;
b) if it exists, the resources are created directly under that namespace.
Each tenant has a unique namespace in Kubernetes mapped to the tenant, and resources are stored in the namespace corresponding to the tenant.
S3, strong isolation of underlying resources using a lightweight secure sandbox technology:
Refer to FIG. 2.
The secure sandbox is a lightweight virtual machine built according to the container runtime standard.
A traditional container shares the host kernel at run time and is isolated only through cgroups, so its isolation is weak. The secure sandbox starts a virtual machine for each container, so that each container has an independent kernel and containers do not affect each other.
S4, intranet communication:
Refer to FIG. 3.
A Kubernetes cluster is designed around a single network: when the cluster serves multiple tenants, the containers of all tenants sit in that same network and can reach one another, which clearly fails the network isolation requirement. A network adaptation plug-in is therefore introduced that integrates the OpenStack VPC network, so that ECIs may be placed in the same or in different VPC networks.
The plug-in captures ECI creation requests by watching the Kubernetes API, calls the OpenStack interface to create a Port under the corresponding VPC, and binds that Port to the ECI.
An ECI must belong to exactly one VPC, one VPC may contain many ECIs, and each ECI corresponds to one virtual machine.
S5, exposing the service to the external network:
Refer to FIG. 3.
By default an ECI is reachable only from within its VPC; to make it reachable from the external network an EIP must be bound to it, and a container instance may bind only one EIP.
The network plug-in integrates the OpenStack VPC with the Kubernetes network, so an ECI belongs to a specific VPC and can bind an EIP.
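The rules in steps S2, S4 and S5 (one namespace per tenant, created on first use; each ECI bound to a Port in exactly one VPC; at most one EIP per instance; reachability only within the VPC unless an EIP is bound) can be checked with a small in-memory model. The following is an added example and is not code from the patent or from Inspur; the class and method names, the `Port`/`ECI` objects, the VPC-ownership check in `create_eci` and the `reachable` helper are assumptions made for illustration, and no real Kubernetes or OpenStack API is called. It goes slightly beyond the text by also refusing to create a Port in a VPC that belongs to a different tenant, which is the check a reviewer would expect the plug-in to make before calling OpenStack.

```python
"""In-memory model of the ECI control-plane rules (added example; assumptions labelled)."""
from __future__ import annotations

from dataclasses import dataclass
from itertools import count
from typing import Optional


class PolicyError(Exception):
    """Raised when a request violates one of the isolation rules."""


@dataclass
class Port:
    vpc: str  # VPC the Port was created under (S4)
    ip: str   # constructed intranet address, not from the patent


@dataclass
class ECI:
    name: str
    tenant: str
    namespace: str
    port: Port
    eip: Optional[str] = None  # S5: at most one EIP


class ControlPlane:
    def __init__(self) -> None:
        self.namespaces: set[str] = set()           # S2: one namespace per tenant
        self.vpc_owner: dict[str, str] = {}         # VPC -> owning tenant (assumed model)
        self.ecis: dict[tuple[str, str], ECI] = {}  # (namespace, name) -> ECI
        self._host = count(10)                      # constructed address allocator

    def create_vpc(self, tenant: str, vpc: str) -> None:
        self.vpc_owner[vpc] = tenant

    def ensure_namespace(self, tenant: str) -> tuple[str, bool]:
        """S2: query the namespace named after the tenant; create it if absent."""
        created = tenant not in self.namespaces
        self.namespaces.add(tenant)
        return tenant, created

    def can_access(self, tenant: str, namespace: str) -> bool:
        """S2: a tenant may only touch resources in its own namespace."""
        return namespace == tenant

    def create_eci(self, tenant: str, name: str, vpc: str) -> ECI:
        """S4: the plug-in sees the create request, makes a Port under the VPC and binds it."""
        if self.vpc_owner.get(vpc) != tenant:  # ownership check is an added assumption
            raise PolicyError(f"tenant {tenant!r} does not own VPC {vpc!r}")
        ns, _ = self.ensure_namespace(tenant)
        port = Port(vpc=vpc, ip=f"10.0.0.{next(self._host)}")
        eci = ECI(name=name, tenant=tenant, namespace=ns, port=port)
        self.ecis[(ns, name)] = eci
        return eci

    def bind_eip(self, eci: ECI, eip: str) -> None:
        """S5: a container instance may bind only one EIP."""
        if eci.eip is not None:
            raise PolicyError(f"{eci.name} already has EIP {eci.eip}")
        eci.eip = eip

    def reachable(self, src: Optional[ECI], dst: ECI) -> bool:
        """S4/S5: same VPC reaches; the external network (src=None) needs an EIP."""
        if src is None:
            return dst.eip is not None
        return src.port.vpc == dst.port.vpc


def demo() -> dict[str, object]:
    """Walk two tenants through the rules and report what was allowed."""
    cp = ControlPlane()
    cp.create_vpc("tenant-a", "vpc-a")
    cp.create_vpc("tenant-b", "vpc-b")
    web_a = cp.create_eci("tenant-a", "web", "vpc-a")
    db_a = cp.create_eci("tenant-a", "db", "vpc-a")   # namespace reused, not recreated
    web_b = cp.create_eci("tenant-b", "web", "vpc-b")
    cp.bind_eip(web_a, "203.0.113.10")                # documentation-range address
    try:
        cp.bind_eip(web_a, "203.0.113.11")
        second_eip = True
    except PolicyError:
        second_eip = False
    try:
        cp.create_eci("tenant-b", "other", "vpc-a")   # Port in another tenant's VPC
        cross_tenant_vpc = True
    except PolicyError:
        cross_tenant_vpc = False
    return {
        "namespaces": sorted(cp.namespaces),
        "a_to_a": cp.reachable(web_a, db_a),
        "b_to_a": cp.reachable(web_b, db_a),
        "internet_to_web_a": cp.reachable(None, web_a),
        "internet_to_db_a": cp.reachable(None, db_a),
        "second_eip_allowed": second_eip,
        "cross_tenant_vpc_allowed": cross_tenant_vpc,
        "cross_namespace_access": cp.can_access("tenant-b", "tenant-a"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running `demo()` shows the intended outcome of the three steps: the two ECIs of tenant A reach each other, tenant B's ECI cannot reach tenant A's, only the ECI with an EIP is reachable from outside, and both the second EIP and the cross-tenant Port are refused.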
The above embodiment is only one specific embodiment of the present invention. The scope of the present invention includes but is not limited to this embodiment, and any suitable changes or substitutions that a person of ordinary skill in the art may make in accordance with the claims of the elastic container instance implementation method of the present invention shall fall within the scope of the present invention.
Although embodiments of the present invention have been shown and described, it will be appreciated by those skilled in the art that changes, modifications, substitutions and alterations can be made in these embodiments without departing from the principles and spirit of the invention, the scope of which is defined in the appended claims and their equivalents.

Claims (9)

1. An elastic container instance implementation method, characterized by comprising the following steps:
S1, using a shared Kubernetes cluster as the real operating environment of the container instances;
S2, isolation at the namespace level;
S3, strong isolation of underlying resources using a lightweight secure sandbox technology;
S4, intranet communication;
S5, exposing the service to the external network.
2. The elastic container instance implementation method according to claim 1, wherein in step S1 the tenant only requests suitable resources for its own application and runs it, and container scheduling and scaling out/in are completed automatically by the cluster without tenant intervention.
3. The elastic container instance implementation method according to claim 2, wherein in step S2 each tenant corresponds to a unique namespace on the cluster, all of the tenant's resources are placed under that namespace, and resources in different namespaces cannot access each other, which provides data isolation.
4. The elastic container instance implementation method according to claim 3, wherein in step S2, when the tenant creates an ECI, the system first queries whether a namespace with the tenant's name exists:
a) if not, a new namespace is created and the resources are created in it;
b) if it exists, the resources are created directly under that namespace.
5. The elastic container instance implementation method according to claim 4, wherein in step S3 the secure sandbox is a lightweight virtual machine built according to the container runtime standard.
6. The method according to claim 5, wherein the secure sandbox starts a virtual machine for each container, so that each container has a separate kernel and containers do not affect each other.
7. The elastic container instance implementation method according to claim 6, wherein in step S4 a network adaptation plug-in is introduced on the Kubernetes cluster, and the plug-in integrates the OpenStack VPC network so that ECIs can be placed in the same or in different VPC networks.
8. The elastic container instance implementation method according to claim 7, wherein the plug-in captures ECI creation requests by watching the Kubernetes API, calls the OpenStack interface to create a Port under the corresponding VPC, and binds that Port to the ECI.
9. The method according to claim 8, wherein by default the ECI is reachable only from within its VPC, an EIP must be bound to it if access from the external network is required, and only one EIP may be bound to one container instance.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110884151.8A 2021-08-03 2021-08-03 Elastic container example implementation method (publication CN113626150A, pending)

Publications (1)

Publication Number Publication Date
CN113626150A 2021-11-09

Family

ID=78382367

Country Status (1)

Country Link
CN (1) CN113626150A (en)

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114205229A (en) * 2021-12-03 2022-03-18 紫光云(南京)数字技术有限公司 Method for judging issuing configuration when flexibly controlling elastic public network IP binding elastic network card
CN114205229B (en) * 2021-12-03 2024-01-05 紫光云(南京)数字技术有限公司 Method for judging issuing configuration of elastic public network IP binding elastic network card
CN115065729A (en) * 2022-05-24 2022-09-16 亚太卫星宽带通信(深圳)有限公司 Kubernetes-based edge application sandbox transplanting method
CN115065729B (en) * 2022-05-24 2023-10-17 亚太卫星宽带通信(深圳)有限公司 Edge application sandbox transplanting method based on Kubernetes

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination