CN113703911B - Virtual machine migration method, device, equipment and storage medium - Google Patents


Info

Publication number: CN113703911B
Authority: CN (China)
Prior art keywords: key, check value, virtual machine, migrated, migration
Legal status: Active
Application number: CN202110779956.6A
Other languages: Chinese (zh)
Other versions: CN113703911A (en)
Inventors: 王理想, 左兰海, 刘海伟
Current assignee: Zhengzhou Yunhai Information Technology Co Ltd
Original assignee: Zhengzhou Yunhai Information Technology Co Ltd
Legal events: application filed by Zhengzhou Yunhai Information Technology Co Ltd; priority to CN202110779956.6A; publication of CN113703911A; application granted; publication of CN113703911B; legal status active.

Classifications

    • G06F9/45558 Hypervisor-specific management and integration aspects
    • G06F21/53 Monitoring users, programs or devices to maintain the integrity of platforms during program execution, by executing in a restricted environment, e.g. sandbox or secure virtual machine
    • G06F21/72 Protecting specific internal or peripheral components to assure secure computing or processing of information in cryptographic circuits
    • G06F2009/4557 Distribution of virtual machine instances; Migration and load balancing
    • G06F2009/45587 Isolation or security of virtual machine instances
Abstract

The application discloses a virtual machine migration method, device, equipment and storage medium, comprising the following steps: querying a first key corresponding to the virtual machine to be migrated from a key server using the characteristic information of the virtual machine to be migrated, and generating a first check value from the first key; sending a migration request containing the characteristic information and the first check value to a destination host, so that the destination host queries a second key corresponding to the virtual machine to be migrated from the key server using the characteristic information and generates a second check value from the second key; and, when the response obtained from the destination host indicates that migration is allowed based on the comparison result between the first check value and the second check value, migrating the virtual machine data of the virtual machine to be migrated to the destination host. IP spoofing of the migration destination host is prevented by verifying the virtual machine keys of the source host and the destination host, and illegal interception and tampering of virtual machine data are effectively prevented.

Description

Virtual machine migration method, device, equipment and storage medium
Technical Field
The present disclosure relates to the field of virtual machines, and in particular, to a virtual machine migration method, device, apparatus, and storage medium.
Background
Virtual machine migration is an important function of virtualization software and cloud computing management platforms. It moves a powered-off or running virtual machine from one physical host to another; migrating a powered-off virtual machine is called cold migration, and migrating a virtual machine that is running on the host is called hot migration.
However, in current virtual machine migration procedures, the source host generally migrates the virtual machine to be migrated directly to the destination host identified by the destination host's IP address. Because the IP address of the destination host can be masqueraded and replaced, an illegitimate destination host may obtain the migrated virtual machine data, resulting in illegal interception of the virtual machine data.
As can be seen from the above, how to avoid data being illegally intercepted because of IP spoofing of the destination host during virtual machine migration is a problem to be solved in the field.
Disclosure of Invention
In view of the foregoing, an object of the present application is to provide a virtual machine migration method, apparatus, device, and storage medium, which can avoid the situation that data is illegally intercepted due to IP spoofing of a destination host. The specific scheme is as follows:
In a first aspect, the application discloses a virtual machine migration method, applied to a source host, including:
inquiring a first key corresponding to a virtual machine to be migrated from a key server by utilizing characteristic information of the virtual machine to be migrated, and calculating the first key to generate a first check value;
transmitting a migration request containing the characteristic information and the first check value to a destination host, so that the destination host queries a second key corresponding to the virtual machine to be migrated from the key server by using the characteristic information, and calculates the second key to generate a second check value;
acquiring response information returned by the destination host for the migration request based on a comparison result between the first check value and the second check value;
and if the response information indicates that migration is allowed, migrating the virtual machine data of the virtual machine to be migrated to the destination host.
Optionally, querying the first key corresponding to the virtual machine to be migrated from the key server by using the feature information of the virtual machine to be migrated, and operating on the first key to generate the first check value, includes:
Creating a key inquiry request containing the characteristic information and sending the key inquiry request to the key server so that the key server can inquire the first key which is stored in advance locally and corresponds to the virtual machine to be migrated by utilizing the characteristic information;
acquiring the first key sent by the key server;
calculating the first key by using a preset target check value generation algorithm to obtain the first check value;
and the destination host operating on the second key to generate the second check value includes: operating on the second key with the same target check value generation algorithm to obtain the second check value.
Optionally, the obtaining the response information for the migration request returned by the destination host based on the comparison result between the first check value and the second check value includes:
if the comparison result is that the first check value matches the second check value, acquiring response information returned by the destination host indicating that migration is allowed.
Optionally, the sending the migration request including the feature information and the first check value to the destination host includes:
sending a migration request containing the characteristic information, the first check value and the data volume of the virtual machine data to the destination host;
correspondingly, acquiring the response information returned by the destination host for the migration request based on the comparison result between the first check value and the second check value includes:
if the comparison result is that the first check value matches the second check value, and the local idle storage resource of the destination host is not smaller than the data volume, acquiring response information returned by the destination host indicating that migration is allowed.
Optionally, the migrating the virtual machine data of the virtual machine to be migrated to the destination host includes:
encrypting the virtual machine data of the virtual machine to be migrated by using the first key and based on an asymmetric encryption algorithm to obtain encrypted data;
and migrating the encrypted data to the destination host, so that the destination host decrypts the encrypted data by using the second key and stores the corresponding decrypted data.
Optionally, before the inquiring the first key corresponding to the virtual machine to be migrated from the key server by using the feature information of the virtual machine to be migrated, the method further includes:
The characteristic information is sent to the key server, so that the key server binds the key pair which is created in advance for the virtual machine to be migrated with the characteristic information and stores the key pair locally; wherein the public key in the key pair is the first key, and the private key in the key pair is the second key.
In a second aspect, the present application discloses a virtual machine migration method, applied to a destination host, including:
acquiring a migration request which is sent by a source host and contains characteristic information of a virtual machine to be migrated and a first check value; the first check value is generated by the source host inquiring a first key corresponding to the virtual machine to be migrated from a key server by utilizing the characteristic information and operating the first key;
inquiring a second key corresponding to the virtual machine to be migrated from the key server by utilizing the characteristic information, and operating the second key to generate a second check value;
comparing the first check value with the second check value to obtain a corresponding comparison result;
returning response information aiming at the migration request to the source host based on the comparison result;
and if the response information indicates that migration is allowed, acquiring the virtual machine data of the virtual machine to be migrated that is migrated by the source host.
In a third aspect, the present application discloses a virtual machine migration apparatus, applied to a source host, including:
a first check value generation module, configured to query a first key corresponding to the virtual machine to be migrated from the key server by using the characteristic information of the virtual machine to be migrated, and to operate on the first key to generate a first check value;
a request sending module, configured to send a migration request containing the characteristic information and the first check value to a destination host, so that the destination host queries a second key corresponding to the virtual machine to be migrated from the key server by using the characteristic information and operates on the second key to generate a second check value;
an information acquisition module, configured to acquire response information for the migration request returned by the destination host based on the comparison result between the first check value and the second check value;
and a data migration module, configured to migrate the virtual machine data of the virtual machine to be migrated to the destination host when the response information indicates that migration is allowed.
In a fourth aspect, the present application discloses an electronic device comprising a processor and a memory; the processor implements the virtual machine migration method when executing the computer program stored in the memory.
In a fifth aspect, the present application discloses a computer-readable storage medium for storing a computer program; the computer program, when executed by the processor, implements the virtual machine migration method described above.
In the method, characteristic information of a virtual machine to be migrated is firstly utilized to inquire a first key corresponding to the virtual machine to be migrated from a key server, the first key is operated to generate a first check value, then a migration request containing the characteristic information and the first check value is sent to a destination host, so that the destination host can inquire a second key corresponding to the virtual machine to be migrated from the key server by utilizing the characteristic information, the second key is operated to generate a second check value, then response information, which is returned by the destination host based on a comparison result between the first check value and the second check value, for the migration request is obtained, and if the response information is response information for indicating that migration is allowed, virtual machine data of the virtual machine to be migrated is migrated to the destination host. Therefore, before the virtual machine data in the source host is migrated to the destination host, the destination host needs to generate a corresponding second check value by using the second key corresponding to the virtual machine to be migrated, and compares the second check value with the first check value acquired from the source host, so as to determine whether to migrate the virtual machine data to the destination host or not based on the comparison result of the check values.
Drawings
In order to more clearly illustrate the embodiments of the present application or the technical solutions in the prior art, the drawings that are required to be used in the embodiments or the description of the prior art will be briefly described below, and it is obvious that the drawings in the following description are only embodiments of the present application, and that other drawings may be obtained according to the provided drawings without inventive effort to a person skilled in the art.
FIG. 1 is a flow chart of a virtual machine migration method disclosed in the present application;
FIG. 2 is a flowchart of a specific virtual machine migration method disclosed in the present application;
FIG. 3 is a flowchart of a specific virtual machine migration method disclosed in the present application;
FIG. 4 is a flowchart of a specific virtual machine migration method disclosed in the present application;
FIG. 5 is a schematic structural diagram of a virtual machine migration apparatus disclosed in the present application;
FIG. 6 is a block diagram of an electronic device disclosed in the present application.
Detailed Description
The following description of the embodiments of the present application will be made clearly and fully with reference to the accompanying drawings, in which it is evident that the embodiments described are only some, but not all, of the embodiments of the present application. All other embodiments, which can be made by one of ordinary skill in the art without undue burden from the present disclosure, are within the scope of the present disclosure.
The embodiment of the application discloses a virtual machine migration method, which is applied to a source host, and is shown in fig. 1, and the method comprises the following steps:
step S11: inquiring a first key corresponding to the virtual machine to be migrated from a key server by utilizing characteristic information of the virtual machine to be migrated, and operating the first key to generate a first check value.
It should be noted that, in this embodiment, the key server is mainly configured to store a virtual machine key of a virtual machine to be migrated in a source host and a virtual machine key corresponding to a destination host, and the virtual machine key of the virtual machine to be migrated and the virtual machine key corresponding to the destination host are stored in pairs. Specifically, the key server needs to establish communication connection with a source host in advance, acquire feature information which is sent by the source host and can uniquely characterize the identity of the virtual machine to be migrated, bind a key pair created in advance for the virtual machine to be migrated with the feature information and store the key pair and the feature information in the key server; the feature information includes, but is not limited to, configuration information of the virtual machine, unique identification information, and the like. It is understood that the configuration information is information capable of uniquely characterizing the virtual machine, including but not limited to an IP address of the virtual machine.
Further, when the first key corresponding to the virtual machine to be migrated needs to be queried, the source host sends the feature information of the virtual machine to be migrated to the key server, and the key server looks up the virtual machine key that corresponds to that feature information and is to be returned to the source host, i.e. the first key.
In this embodiment, after the first key is obtained, a preset check value generation algorithm may be used to calculate the first key to obtain a first check value corresponding to the virtual machine to be migrated.
Step S12: and sending a migration request containing the characteristic information and the first check value to a destination host, so that the destination host can query a second key corresponding to the virtual machine to be migrated from the key server by utilizing the characteristic information, and operate the second key to generate a second check value.
In this embodiment, after the first check value is obtained, the feature information of the virtual machine to be migrated and the first check value are packaged into a migration request and sent to a destination host, the destination host obtains the feature information and the first check value after receiving the migration request, queries a virtual machine key, which corresponds to the feature information and needs to be sent to the destination host, from the key server, that is, the second key, and calculates the second key by using the check value generation algorithm to obtain the second check value. It should be noted that the check value generation algorithm corresponding to the first check value and the check value generation algorithm corresponding to the second check value are the same algorithm.
Step S13: and acquiring response information returned by the destination host aiming at the migration request based on the comparison result between the first check value and the second check value.
In this embodiment, after the migration request containing the feature information and the first check value is sent to the destination host, the destination host operates on the second key to obtain the second check value and then compares the first check value in the migration request with the second check value. If the first check value matches the second check value, the destination host has successfully accessed the key server and obtained the legitimate second check value; if they do not match, the destination host was unable to access the key server and obtain the legitimate second check value from it, which indicates that the destination host is not a legitimate destination host. Illegal interception of virtual machine data caused by IP spoofing of the destination host is thus avoided.
Step S14: if the response information indicates that migration is allowed, migrating the virtual machine data of the virtual machine to be migrated to the destination host.
In this embodiment, if the response information returned by the destination host for the migration request is based on a matching comparison result, migration of the virtual machine data of the virtual machine to be migrated is allowed, and the operation of migrating the virtual machine data to the destination host is performed. It should be noted that, in order to ensure security while the virtual machine data is transmitted, the virtual machine data may be encrypted with the first key to obtain encrypted data, and the encrypted data sent to the destination host.
It can be understood that in this embodiment the source host sends a migration request containing the feature information of the virtual machine and the first check value to the destination host, and the destination host receives it; this is the first handshake between the source host and the destination host. The destination host returns response information for the migration request to the source host based on the comparison result between the first check value and the second check value, and the source host receives it; this is the second handshake. The source host encrypts the virtual machine data and migrates it to the destination host according to the response information, and the destination host decrypts and stores the received data; this is the third handshake. Through this three-way handshake between the source host and the destination host, IP spoofing of the destination host can be prevented, and the illegal interception of data that such spoofing would cause is avoided.
In the embodiment of the application, before the virtual machine data in the source host is migrated to the destination host, the destination host needs to generate the corresponding second check value by using the second key corresponding to the virtual machine to be migrated, which is acquired from the key server, and compares the second check value with the first check value acquired from the source host, so as to determine whether to migrate the virtual machine data to the destination host or not based on the comparison result of the check values.
The embodiment of the application discloses a virtual machine migration method, which is applied to a source host, and is shown in fig. 2, and the method comprises the following steps:
Step S21: creating a key query request containing the feature information of the virtual machine to be migrated and sending it to the key server, so that the key server queries the locally pre-stored first key corresponding to the virtual machine to be migrated by using the feature information.
In this embodiment, before sending the feature information of the virtual machine to be migrated to the key server, the source host needs to create a key query request including the feature information of the virtual machine to be migrated, and send the key query request to the key server, and after obtaining the feature information, the key server queries a virtual machine key, that is, the first key, corresponding to the virtual machine to be migrated, which is locally pre-stored, by using the feature information, and returns the first key to the source host.
Step S22: and acquiring the first key sent by the key server.
In this embodiment, after a key query request including feature information of a virtual machine to be migrated is created and sent to the key server, the first key corresponding to the virtual machine to be migrated, which is obtained by querying the key server, is acquired.
Step S23: and calculating the first key by using a preset target check value generation algorithm to obtain the first check value.
In this embodiment, after the first key sent by the key server is obtained, a preset target check value generation algorithm may be used to operate on the first key, so as to obtain the first check value corresponding to the virtual machine to be migrated. The check value generation algorithm includes, but is not limited to, parity check, MD5 (Message-Digest Algorithm 5), the CRC (Cyclic Redundancy Check) algorithm, the LRC (Longitudinal Redundancy Check) algorithm, and the like.
Step S24: and sending a migration request containing the characteristic information, the first check value and the data volume of the virtual machine data to a destination host, so that the destination host can query a second key corresponding to the virtual machine to be migrated from the key server by utilizing the characteristic information, calculate the second key to generate a second check value, and then compare the first check value with the second check value.
In this embodiment, after the first check value is obtained, a migration request including the feature information, the first check value, and the data amount of the virtual machine data is sent to the destination host, and after the destination host receives the migration request, the feature information, the first check value, and the data amount of the virtual machine data are obtained, the second key corresponding to the virtual machine to be migrated is queried from the key server by using the feature information, and the second key is calculated by using the target check value generation algorithm to generate a second check value.
Step S25: if the comparison result is that the first check value matches the second check value, and the local idle storage resource of the destination host is not smaller than the data volume, acquiring response information returned by the destination host indicating that migration is allowed.
In this embodiment, if the comparison result is that the first check value matches the second check value, the identity of the destination host is determined to be normal and a trust relationship is established between the source host and the destination host. Further, to prevent the data transfer from failing because the local idle storage resource of the destination host is too small to accommodate the new virtual machine data of the virtual machine to be migrated, the quantitative relationship between the destination host's local idle storage resource and the data volume must also be determined. If the local idle storage resource of the destination host is greater than or equal to the data volume, the destination host's current local idle storage resource can accommodate the virtual machine data of the virtual machine to be migrated, and response information returned by the destination host indicating that migration is allowed is acquired.
Step S26: if the response information indicates that migration is allowed, migrating the virtual machine data of the virtual machine to be migrated to the destination host.
For more specific processing procedures in the steps S24 and S26, reference may be made to the corresponding contents disclosed in the foregoing embodiments, and no detailed description is given here.
Therefore, before the virtual machine is migrated, the first check value and the second check value corresponding to the source host and the destination host are obtained through the virtual machine keys. By comparing the two check values and judging the local idle storage resource of the destination host, the source host and the destination host are verified and the destination host is ensured to have enough resources to accommodate the virtual machine data, so that IP spoofing of the migration destination host is prevented and sufficient resources for the data to be migrated are guaranteed.
The embodiment of the application discloses a virtual machine migration method, which is applied to a source host, and is shown in fig. 3, and the method comprises the following steps:
Step S31: querying a first key corresponding to the virtual machine to be migrated from a key server by using characteristic information of the virtual machine to be migrated, and operating on the first key to generate a first check value.
Step S32: sending a migration request containing the characteristic information and the first check value to a destination host, so that the destination host queries a second key corresponding to the virtual machine to be migrated from the key server by using the characteristic information, and operates on the second key to generate a second check value.
Step S33: acquiring response information returned by the destination host for the migration request based on the comparison result between the first check value and the second check value.
Step S34: if the response information indicates that migration is allowed, encrypting the virtual machine data of the virtual machine to be migrated by using the first key and based on an asymmetric encryption algorithm to obtain encrypted data.
In this embodiment, if the response information indicates that migration is allowed, the virtual machine data of the virtual machine to be migrated is encrypted by using the first key and based on an asymmetric encryption algorithm to obtain encrypted data. It can be understood that, to improve security during data transmission, an asymmetric encryption algorithm may be used when the virtual machine data of the virtual machine to be migrated is encrypted with the first key. The asymmetric encryption algorithm includes, but is not limited to, the RSA algorithm and ECC (Error Correcting Code) algorithms such as the DH (Diffie-Hellman) algorithm and the ECDH (Elliptic Curve Diffie-Hellman key exchange) algorithm.
Step S35: migrating the encrypted data to the destination host, so that the destination host decrypts the encrypted data by using the second key and stores the corresponding decrypted data.
In this embodiment, after the virtual machine data of the virtual machine to be migrated is encrypted with the first key based on an asymmetric encryption algorithm to obtain encrypted data, the encrypted data is migrated to the destination host; the destination host receives the encrypted data, decrypts it with the second key to obtain the corresponding decrypted data, and stores the decrypted data. It can be understood that the first key and the second key belong to the same encryption algorithm and are stored in the key server as a pair; since the first key is used for encryption when the virtual machine data is encrypted, the second key corresponding to the first key needs to be used for decryption after the destination host receives the virtual machine data.
It should be noted that, in this embodiment, before querying the first key corresponding to the virtual machine to be migrated from the key server by using the characteristic information of the virtual machine to be migrated, the method further includes:
sending the characteristic information to the key server, so that the key server binds the key pair created in advance for the virtual machine to be migrated with the characteristic information and stores the key pair locally; wherein the public key in the key pair is the first key, and the private key in the key pair is the second key. It can be understood that after the characteristic information is sent to the key server, the key server binds and stores the key pair, created in advance for the virtual machine to be migrated and obtained based on an asymmetric encryption algorithm, together with the characteristic information; the key pair includes a public key and a private key, where the public key corresponds to the first key and the private key corresponds to the second key.
For more specific processing procedures in the steps S31, S32, and S33, reference may be made to the corresponding contents disclosed in the foregoing embodiments, and no detailed description is given here.
Therefore, according to the embodiment of the application, IP spoofing of the migrated destination host is prevented through three-way handshake, the virtual machine key is encrypted by adopting an asymmetric encryption algorithm, the migrated destination host is authenticated through the virtual machine key verification, and the virtual machine data is encrypted by utilizing the virtual machine key, so that the data has better confidentiality in the transmission process, and interception and tampering of the data can be effectively prevented.
The embodiment of the application discloses a virtual machine migration method, which is applied to a target host, and is shown in fig. 4, and the method comprises the following steps:
Step S41: acquiring a migration request sent by a source host, which contains characteristic information of a virtual machine to be migrated and a first check value; the first check value is generated by the source host querying a first key corresponding to the virtual machine to be migrated from a key server by using the characteristic information and operating on the first key.
In this embodiment, the characteristic information is information capable of uniquely characterizing the identity of the virtual machine to be migrated. The source host may query the first key corresponding to the characteristic information from the key server by using the characteristic information, obtain the first check value from the first key based on a preset target check value generation algorithm, and then package the characteristic information and the first check value into a migration request and send the migration request to the destination host.
Further, it should be noted that before the first key corresponding to the virtual machine to be migrated is queried from the key server by using the feature information of the virtual machine to be migrated, the method further includes: the characteristic information is sent to the key server, so that the key server binds the key pair which is created in advance for the virtual machine to be migrated with the characteristic information and stores the key pair locally; the key pair can be obtained through a symmetric encryption algorithm or an asymmetric encryption algorithm. Specifically, if an asymmetric encryption algorithm is adopted, the public key in the key pair is the first key, and the private key in the key pair is the second key.
Step S42: querying a second key corresponding to the virtual machine to be migrated from the key server by using the characteristic information, and operating on the second key to generate a second check value.
In this embodiment, after obtaining a migration request including feature information of a virtual machine to be migrated and a first check value sent by a source host, the second key corresponding to the virtual machine to be migrated is queried from the key server, and then the second key is operated to generate the second check value. It should be noted that the algorithm for generating the second check value using the second key and the algorithm for generating the first check value using the first key are the same algorithm, i.e. both are the target check value generation algorithms. Wherein the target check value generation algorithm includes, but is not limited to, parity check, MD5 algorithm, CRC algorithm, LRC algorithm, etc.
Step S43: comparing the first check value with the second check value to obtain a corresponding comparison result.
Further, in this embodiment, after the second check value is obtained, it is compared with the first check value in the migration request. When the first check value matches the second check value, it indicates that the destination host has successfully accessed the key server and obtained a legal second check value; when the first check value does not match the second check value, it indicates that the destination host could not successfully access the key server and obtain a legal second check value from it, that is, the IP address of the current destination host may be in a spoofed state.
Step S44: returning response information for the migration request to the source host based on the comparison result.
In this embodiment, after the comparison result of the first check value and the second check value is obtained, response information for the migration request may be returned to the source host based on the comparison result.
In a specific embodiment, this may include: if the comparison result is that the first check value matches the second check value, returning response information indicating that migration is allowed to the source host.
In another specific embodiment, this may include: if the comparison result is that the first check value matches the second check value, further judging the quantitative relationship between the local idle storage resource and the data volume, and if the local idle storage resource is not smaller than the data volume, returning response information indicating that migration is allowed to the source host.
Step S45: if the response information indicates that migration is allowed, acquiring the virtual machine data of the virtual machine to be migrated, which is migrated by the source host.
In this embodiment, when the response information indicates that migration is allowed, the virtual machine data of the virtual machine to be migrated, which is migrated by the source host, is obtained. It can be understood that, when the response information obtained by comparing the first check value and the second check value indicates that migration is allowed, that is, a trust relationship is established between the destination host and the source host, the virtual machine data of the virtual machine to be migrated, which is migrated by the source host, may be received.
Further, after receiving the virtual machine data, the second key may be used to decrypt the virtual machine data to obtain decrypted data, and store the decrypted data.
For more specific processing procedures in steps S41, S42, S43, S44, and S45, reference may be made to the corresponding contents disclosed in the foregoing embodiments, and no further description is given here.
In the embodiment of the application, before the virtual machine data in the source host is migrated to the destination host, the destination host needs to generate the corresponding second check value by using the second key corresponding to the virtual machine to be migrated, which is acquired from the key server, and compares the second check value with the first check value acquired from the source host, so as to determine whether to migrate the virtual machine data to the destination host or not based on the comparison result of the check values.
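Both sides of the handshake in steps S31 to S33 and S41 to S44, written out as an added example in Python (not code from the patent). It models the symmetric-key variant that the destination-host embodiment allows, because with an asymmetric pair a check value computed over the public key alone and over the private key alone would not match; MD5 is assumed as the target check value generation algorithm, and all keys, VM identifiers and storage sizes are constructed samples.

```python
"""VM migration handshake modelled on steps S31-S33 / S41-S44.

Added example, not the patent's own code. It models the symmetric-key variant
(the key pair "can be obtained through a symmetric encryption algorithm"), so
the first and second key are the same bytes and the two check values can match.
MD5 stands in for the "target check value generation algorithm" (one of the
options the text lists). Host roles, VM identifiers and sizes are constructed.
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, Optional


class KeyServer:
    """Stores the key bound to each VM's characteristic information."""

    def __init__(self) -> None:
        self._keys: Dict[str, bytes] = {}

    def bind(self, feature_info: str, key: bytes) -> None:
        # The key server binds a pre-created key to the VM's characteristic
        # information and keeps it locally (the step preceding S31).
        self._keys[feature_info] = key

    def query(self, feature_info: str) -> Optional[bytes]:
        return self._keys.get(feature_info)


def check_value(key: bytes) -> str:
    """Target check value generation algorithm: MD5 over the key bytes.

    The check value depends only on the key, so it is a fixed value per VM
    rather than a per-request challenge; it shows that a host was able to
    retrieve the bound key from the key server, nothing more.
    """
    return hashlib.md5(key).hexdigest()


@dataclass(frozen=True)
class MigrationRequest:
    feature_info: str        # uniquely identifies the VM to be migrated
    first_check_value: str   # computed by the source host from the first key
    data_volume: int         # size of the VM data in bytes (second embodiment)


@dataclass(frozen=True)
class MigrationResponse:
    allowed: bool
    reason: str


class SourceHost:
    def __init__(self, key_server: KeyServer) -> None:
        self.key_server = key_server

    def build_request(self, feature_info: str, data_volume: int) -> MigrationRequest:
        # S31: query the first key by characteristic information and operate on it.
        first_key = self.key_server.query(feature_info)
        if first_key is None:
            raise LookupError(f"no key bound for {feature_info}")
        # S32: the request carries the characteristic information and the check
        # value, never the key itself.
        return MigrationRequest(feature_info, check_value(first_key), data_volume)


class DestinationHost:
    def __init__(self, key_server: Optional[KeyServer], free_storage: int) -> None:
        # key_server=None models a host that cannot reach the legitimate key
        # server, which is the situation the text associates with IP spoofing.
        self.key_server = key_server
        self.free_storage = free_storage

    def handle_request(self, req: MigrationRequest) -> MigrationResponse:
        # S42: query the second key with the characteristic information from the request.
        second_key = self.key_server.query(req.feature_info) if self.key_server else None
        if second_key is None:
            return MigrationResponse(False, "key server unreachable or no key bound")
        # S43: compare the two check values (constant-time comparison).
        if not hmac.compare_digest(check_value(second_key), req.first_check_value):
            return MigrationResponse(False, "check value mismatch")
        # S44, second embodiment: local idle storage must not be smaller than the data volume.
        if self.free_storage < req.data_volume:
            return MigrationResponse(False, "insufficient free storage")
        return MigrationResponse(True, "migration allowed")


def run_migration(source: SourceHost, dest: DestinationHost,
                  feature_info: str, data_volume: int) -> MigrationResponse:
    """Full S31-S33 / S41-S44 exchange; S34/S35 (data transfer) would follow on allow."""
    return dest.handle_request(source.build_request(feature_info, data_volume))


if __name__ == "__main__":
    ks = KeyServer()
    ks.bind("vm-0001", bytes(range(32)))          # constructed sample key
    src = SourceHost(ks)
    print(run_migration(src, DestinationHost(ks, 4 * 2**30), "vm-0001", 2 * 2**30))
    print(run_migration(src, DestinationHost(None, 4 * 2**30), "vm-0001", 2 * 2**30))
```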
Correspondingly, the embodiment of the application also discloses a virtual machine migration device, and referring to fig. 5, the device includes:
the first check value generating module 11 is configured to query a first key corresponding to the virtual machine to be migrated from a key server by using feature information of the virtual machine to be migrated, and operate the first key to generate a first check value;
a request sending module 12, configured to send a migration request including the feature information and the first check value to a destination host, so that the destination host uses the feature information to query a second key corresponding to the virtual machine to be migrated from the key server, and perform an operation on the second key to generate a second check value;
an information obtaining module 13, configured to obtain response information for the migration request, where the response information is returned by the destination host based on a comparison result between the first check value and the second check value;
the data migration module 14 is configured to migrate the virtual machine data of the virtual machine to be migrated to the destination host when the response information indicates that migration is allowed.
In some specific embodiments, the first check value generating module 11 may specifically include:
a first request sending unit, configured to create a key query request containing the feature information and send the key query request to the key server, so that the key server queries, using the feature information, the first key corresponding to the virtual machine to be migrated, where the first key is stored in advance;
a first key obtaining unit, configured to obtain the first key sent by the key server;
the first check value generation unit is used for calculating the first key by using a preset target check value generation algorithm so as to obtain the first check value;
The process of the destination host operating on the second key to generate the second check value includes:
the second check value generating unit, which is used for calculating the second key by using the target check value generation algorithm to obtain the second check value.
In some specific embodiments, the information obtaining module 13 may specifically include:
the first information acquisition unit, which is used for acquiring response information returned by the destination host indicating that migration is allowed if the comparison result is that the first check value matches the second check value.
In some specific embodiments, the request sending module 12 may specifically include:
a second request sending unit, configured to send a migration request including the feature information, the first check value, and the data amount of the virtual machine data to a destination host;
correspondingly, the information obtaining module 13 may specifically include:
the second information acquisition unit, which is used for acquiring response information returned by the destination host indicating that migration is allowed when the comparison result is that the first check value matches the second check value and the local idle storage resource of the destination host is not smaller than the data volume.
In some embodiments, the migration of the virtual machine data of the virtual machine to be migrated to the destination host may specifically include:
the data acquisition unit is used for encrypting the virtual machine data of the virtual machine to be migrated by utilizing the first key and based on an asymmetric encryption algorithm to obtain encrypted data;
the data migration unit, which is used for migrating the encrypted data to the destination host, so that the destination host decrypts the encrypted data by using the second key and stores the corresponding decrypted data.
In some specific embodiments, before the first check value generating module 11, the device may further include:
the information sending unit, which is used for sending the characteristic information to the key server so that the key server binds the key pair created in advance for the virtual machine to be migrated with the characteristic information and stores the key pair locally; wherein the public key in the key pair is the first key, and the private key in the key pair is the second key.
Further, the embodiment of the present application further discloses an electronic device, and fig. 6 is a structural diagram of the electronic device 20 according to an exemplary embodiment, where the content of the drawing is not to be considered as any limitation on the scope of use of the present application.
Fig. 6 is a schematic structural diagram of an electronic device 20 according to an embodiment of the present application. The electronic device 20 may specifically include: at least one processor 21, at least one memory 22, a power supply 23, a communication interface 24, an input/output interface 25, and a communication bus 26. The memory 22 is configured to store a computer program, which is loaded and executed by the processor 21 to implement the relevant steps of the virtual machine migration method disclosed in any of the foregoing embodiments. In addition, the electronic device 20 in the present embodiment may specifically be an electronic computer.
In this embodiment, the power supply 23 is configured to provide an operating voltage for each hardware device on the electronic device 20; the communication interface 24 can create a data transmission channel between the electronic device 20 and an external device, and the communication protocol to be followed is any communication protocol applicable to the technical solution of the present application, which is not specifically limited herein; the input/output interface 25 is used for acquiring external input data or outputting external output data, and the specific interface type thereof may be selected according to the specific application requirement, which is not limited herein.
The memory 22 may be a carrier for storing resources, such as a read-only memory, a random access memory, a magnetic disk, or an optical disk, and the resources stored thereon may include an operating system 221, a computer program 222, and the like, and the storage may be temporary storage or permanent storage.
The operating system 221 is used for managing and controlling the various hardware devices on the electronic device 20 and the computer programs 222, and may be Windows Server, NetWare, Unix, Linux, etc. The computer programs 222 may further include, in addition to the computer program used to perform the virtual machine migration method executed by the electronic device 20 as disclosed in any of the previous embodiments, computer programs used to perform other specific tasks.
Further, the application also discloses a computer readable storage medium for storing a computer program; the computer program, when executed by the processor, implements the virtual machine migration method disclosed above. For specific steps of the method, reference may be made to the corresponding contents disclosed in the foregoing embodiments, and no further description is given here.
In this specification, each embodiment is described in a progressive manner, and each embodiment is mainly described in a different point from other embodiments, so that the same or similar parts between the embodiments are referred to each other. For the device disclosed in the embodiment, since it corresponds to the method disclosed in the embodiment, the description is relatively simple, and the relevant points refer to the description of the method section.
Those of skill would further appreciate that the various illustrative elements and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware, computer software, or combinations of both, and that the various illustrative elements and steps are described above generally in terms of functionality in order to clearly illustrate the interchangeability of hardware and software. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the solution. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present application.
The steps of a method or algorithm described in connection with the embodiments disclosed herein may be embodied directly in hardware, in a software module executed by a processor, or in a combination of the two. The software modules may be disposed in Random Access Memory (RAM), memory, Read Only Memory (ROM), electrically programmable ROM, electrically erasable programmable ROM, registers, a hard disk, a removable disk, a CD-ROM, or any other form of storage medium known in the art.
Finally, it is further noted that relational terms such as first and second, and the like are used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Moreover, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising one … …" does not exclude the presence of other like elements in a process, method, article, or apparatus that comprises the element.
The foregoing describes in detail a virtual machine migration method, apparatus, device, and storage medium provided in the present application, and specific examples are applied to illustrate principles and implementations of the present application, where the foregoing examples are only used to help understand the method and core idea of the present application; meanwhile, as those skilled in the art will have modifications in the specific embodiments and application scope in accordance with the ideas of the present application, the present description should not be construed as limiting the present application in view of the above.

Claims (10)

1. The virtual machine migration method is characterized by being applied to a source host and comprising the following steps of:
inquiring a first key corresponding to a virtual machine to be migrated from a key server by utilizing characteristic information of the virtual machine to be migrated, and calculating the first key to generate a first check value;
transmitting a migration request containing the characteristic information and the first check value to a destination host, so that the destination host queries a second key corresponding to the virtual machine to be migrated from the key server by using the characteristic information, and calculates the second key to generate a second check value;
acquiring response information returned by the destination host for the migration request based on a comparison result between the first check value and the second check value;
if the response information is the response information for indicating that migration is allowed, migrating the virtual machine data of the virtual machine to be migrated to the target host;
operating on the first key to generate a first check value includes: calculating the first key by using a preset target check value generation algorithm to obtain the first check value; operating on the second key to generate a second check value includes: and calculating the second key by using the target check value generation algorithm to generate a second check value.
2. The virtual machine migration method according to claim 1, wherein the querying a first key corresponding to the virtual machine to be migrated from a key server by using feature information of the virtual machine to be migrated, and performing an operation on the first key to generate a first check value, includes:
creating a key inquiry request containing the characteristic information and sending the key inquiry request to the key server so that the key server can inquire the first key which is stored in advance locally and corresponds to the virtual machine to be migrated by utilizing the characteristic information;
acquiring the first key sent by the key server;
calculating the first key by using a preset target check value generation algorithm to obtain the first check value;
and the process of the destination host operating on the second key to generate the second check value includes: calculating the second key by using the target check value generation algorithm to obtain the second check value.
3. The virtual machine migration method according to claim 1, wherein the obtaining response information for the migration request returned by the destination host based on the comparison result between the first check value and the second check value includes:
and if the comparison result is that the first check value is matched with the second check value, acquiring response information which is returned by the target host and is used for indicating that migration is allowed.
4. The virtual machine migration method of claim 1, wherein the sending the migration request including the characteristic information and the first check value to the destination host includes:
transmitting a migration request containing the characteristic information, the first check value and the data volume of the virtual machine data to a target host;
correspondingly, the obtaining the response information returned by the destination host for the migration request based on the comparison result between the first check value and the second check value includes:
and if the comparison result is that the first check value is matched with the second check value, and the local idle storage resource of the target host is not smaller than the data volume, acquiring response information which is returned by the target host and is used for indicating that migration is allowed.
5. The virtual machine migration method according to any one of claims 1 to 4, wherein the migration of the virtual machine data of the virtual machine to be migrated to the destination host includes:
encrypting the virtual machine data of the virtual machine to be migrated by using the first key and based on an asymmetric encryption algorithm to obtain encrypted data;
and migrating the encrypted data to the target host, so that the target host can decrypt the encrypted data by using the second key and store the corresponding decrypted data.
6. The virtual machine migration method according to claim 5, wherein before the inquiring the first key corresponding to the virtual machine to be migrated from the key server by using the feature information of the virtual machine to be migrated, the method further comprises:
sending the characteristic information to the key server, so that the key server binds the key pair created in advance for the virtual machine to be migrated with the characteristic information and stores the key pair locally; wherein the public key in the key pair is the first key, and the private key in the key pair is the second key.
7. The virtual machine migration method is characterized by being applied to a destination host and comprising the following steps of:
acquiring a migration request which is sent by a source host and contains characteristic information of a virtual machine to be migrated and a first check value; the first check value is generated by the source host inquiring a first key corresponding to the virtual machine to be migrated from a key server by utilizing the characteristic information and operating the first key;
inquiring a second key corresponding to the virtual machine to be migrated from the key server by utilizing the characteristic information, and operating the second key to generate a second check value;
comparing the first check value with the second check value to obtain a corresponding comparison result;
returning response information aiming at the migration request to the source host based on the comparison result;
if the response information is the response information for indicating that migration is allowed, acquiring virtual machine data of the virtual machine to be migrated, which is migrated by the source host;
operating on the first key to generate a first check value includes: calculating the first key by using a preset target check value generation algorithm to obtain the first check value; operating on the second key to generate a second check value includes: and calculating the second key by using the target check value generation algorithm to generate a second check value.
8. A virtual machine migration apparatus, applied to a source host, comprising:
the first check value generation module is used for inquiring a first key corresponding to the virtual machine to be migrated from the key server by utilizing the characteristic information of the virtual machine to be migrated, and calculating the first key to generate a first check value; operating on the first key to generate a first check value includes: calculating the first key by using a preset target check value generation algorithm to obtain the first check value;
the request sending module is used for sending a migration request containing the characteristic information and the first check value to a target host, so that the target host can inquire a second key corresponding to the virtual machine to be migrated from the key server by utilizing the characteristic information, and the second key is operated to generate a second check value; operating on the second key to generate a second check value includes: calculating the second key by using the target check value generation algorithm to generate a second check value;
the information acquisition module is used for acquiring response information which is returned by the target host and is specific to the migration request based on the comparison result between the first check value and the second check value;
and the data migration module is used for migrating the virtual machine data of the virtual machine to be migrated to the target host when the response information is response information for indicating that migration is allowed.
9. An electronic device comprising a processor and a memory; wherein the processor, when executing the computer program stored in the memory, implements the virtual machine migration method according to any one of claims 1 to 7.
10. A computer-readable storage medium storing a computer program; wherein the computer program, when executed by a processor, implements the virtual machine migration method of any one of claims 1 to 7.
CN202110779956.6A 2021-07-09 2021-07-09 Virtual machine migration method, device, equipment and storage medium Active CN113703911B (en)

Publications (2)

Publication Number Publication Date
CN113703911A CN113703911A (en) 2021-11-26
CN113703911B true CN113703911B (en) 2024-03-12

Family

ID=78648672

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110779956.6A Active CN113703911B (en) 2021-07-09 2021-07-09 Virtual machine migration method, device, equipment and storage medium

Country Status (1)

Country Link
CN (1) CN113703911B (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115189928B (en) * 2022-06-25 2023-10-17 中国人民解放军战略支援部队信息工程大学 Dynamic security migration method and system for password service virtual machine
CN114938275B (en) * 2022-07-21 2022-10-14 国开启科量子技术(北京)有限公司 Method, apparatus, medium, and device for migrating virtual machine using quantum key

Family Cites Families (1)

Publication number Priority date Publication date Assignee Title
JP5749855B2 (en) * 2011-12-16 2015-07-15 株式会社日立製作所 Computer system and volume migration control method using the same

Patent Citations (1)

Publication number Priority date Publication date Assignee Title
CN110515700A (en) * 2019-08-23 2019-11-29 北京浪潮数据技术有限公司 A kind of virtual machine migration method, system, device and readable storage medium storing program for executing

Non-Patent Citations (1)

Title
A trusted virtual machine migration protocol based on the XEN platform; 刘明芳; 李文锋; 赵阳; Computer Security (03); full text *

Also Published As

Publication number Publication date
CN113703911A (en) 2021-11-26

Similar Documents

Publication Publication Date Title
US10979231B2 (en) Cross-chain authentication method, system, server, and computer-readable storage medium
CN110968743B (en) Data storage and data reading method and device for private data
JP6215934B2 (en) Login verification method, client, server, and system
JP5860815B2 (en) System and method for enforcing computer policy
US10708047B2 (en) Computer-readable recording medium storing update program and update method, and computer-readable recording medium storing management program and management method
US20170214664A1 (en) Secure connections for low power devices
WO2021120871A1 (en) Authentication key negotiation method and apparatus, storage medium and device
CN111064569B (en) Cluster key obtaining method and device of trusted computing cluster
US10601590B1 (en) Secure secrets in hardware security module for use by protected function in trusted execution environment
US10257171B2 (en) Server public key pinning by URL
CN106790045B (en) distributed virtual machine agent device based on cloud environment and data integrity guarantee method
US10298388B2 (en) Workload encryption key
CN113703911B (en) Virtual machine migration method, device, equipment and storage medium
JP6967449B2 (en) Methods for security checks, devices, terminals and servers
KR102510868B1 (en) Method for authenticating client system, client device and authentication server
CN112118242A (en) Zero trust authentication system
CN115664655A (en) TEE credibility authentication method, device, equipment and medium
CN114282267A (en) Token generation method, token signature verification method, device, equipment and storage medium
CN111611620B (en) Access request processing method and related device of access platform
US11153344B2 (en) Establishing a protected communication channel
JP2016220062A (en) Communication device, server, signature verification commission system, and signature verification commission method
EP3836478A1 (en) Method and system of data encryption using cryptographic keys
CN108932425B (en) Offline identity authentication method, authentication system and authentication equipment
CN116599719A (en) User login authentication method, device, equipment and storage medium
CN114065170A (en) Method and device for acquiring platform identity certificate and server

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant