CN114244891B - Communication method and device between containers, electronic equipment and storage medium - Google Patents


Info

Publication number
CN114244891B
Authority
CN
China
Prior art keywords
container
communication
communication connection
quick
connection information
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202111579866.9A
Other languages
Chinese (zh)
Other versions
CN114244891A (en)
Inventor
李玮
王林
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Topsec Technology Co Ltd
Beijing Topsec Network Security Technology Co Ltd
Beijing Topsec Software Co Ltd
Original Assignee
Beijing Topsec Technology Co Ltd
Beijing Topsec Network Security Technology Co Ltd
Beijing Topsec Software Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Beijing Topsec Technology Co Ltd, Beijing Topsec Network Security Technology Co Ltd, Beijing Topsec Software Co Ltd
Priority to CN202111579866.9A
Publication of CN114244891A
Application granted
Publication of CN114244891B
Legal status: Active
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 67/00 Network arrangements or protocols for supporting network services or applications
    • H04L 67/14 Session management
    • H04L 67/141 Setup of application sessions
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L 41/08 Configuration management of networks or network elements
    • H04L 41/0803 Configuration setting
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 45/00 Routing or path finding of packets in data switching networks
    • H04L 45/12 Shortest path evaluation
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 45/00 Routing or path finding of packets in data switching networks
    • H04L 45/74 Address processing for routing
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D 30/00 Reducing energy consumption in communication networks
    • Y02D 30/50 Reducing energy consumption in communication networks in wire-line communication networks, e.g. low power modes or reduced link rate

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The embodiments of this application provide a method, a device, electronic equipment and a storage medium for communication between containers, in the technical field of network security. The inter-container communication method comprises the following steps: configuring a fast communication connection path; acquiring the instruction mark and the session connection information generated by the first container or the second container; adding the instruction mark to the session connection information to generate quick connection information; and establishing the communication connection between the first container and the second container according to the quick connection information and the fast communication connection path. The method improves communication performance between containers without weakening their security protection.

Description

Communication method and device between containers, electronic equipment and storage medium
Technical Field
The present invention relates to the field of network security technologies, and in particular, to a method and apparatus for communication between containers, an electronic device, and a storage medium.
Background
Container technology can be seen as a lightweight form of virtualization: an application is packaged together with the execution environment it needs into a container image, so that it can run relatively independently directly on the host (a physical machine or a virtual machine). Containers isolate applications at the operating system level and can run several independent application environments on one host kernel. Compared with traditional application testing and deployment, a container can be deployed without first considering the compatibility of the application's runtime environment; compared with a traditional virtual machine, a container runs on the host without a separate operating system kernel, which gives higher running efficiency and resource utilization.
In the prior art, security protection between containers resembles that of traditional virtual machines: the data packets transmitted between containers must be inspected and filtered, and one way to do this is through the Linux NFQ (NFQUEUE) mechanism. Because the security measures are complex, guaranteeing effective end-to-end protection necessarily costs some communication performance. Just as inserting a security device such as a firewall into a traditional communication link consumes part of the communication resources, in a container environment security measures such as inter-container access control add to the path cost; and because a container environment involves large numbers of containers, frequent starts and stops, and several address translations along the data path, the protection burden is heavier and the performance loss more serious. Improving communication efficiency while keeping the container environment protected is therefore important.
Disclosure of Invention
The embodiments of this application aim to optimize communication performance while maintaining the security protection of containers.
In a first aspect, an embodiment of the present application provides a method for communication between containers, including:
configuring a rapid communication connection path;
acquiring the instruction mark and session connection information generated by the first container or the second container;
adding the instruction mark to the session connection information to generate quick connection information;
and establishing communication connection between the first container and the second container according to the quick connection information and the quick communication connection path.
In this implementation, the fast communication connection path is configured in advance, and the connection between the first container and the second container is established according to the quick connection information that carries the instruction mark together with the fast communication connection path, so that during communication the remaining data packets of the connection are forwarded over the fast path. The method therefore needs neither a plug-in module in the kernel nor a proprietary protocol sent down by a custom agent to achieve fast inter-container connections; no new components are introduced into the protection process (and so no new attack surface), communication performance is improved without modifying the kernel, and the protection effect is preserved. The method thus optimizes communication performance while maintaining the security protection of the containers.
Further, after the step of configuring the quick communication connection path, the method further includes:
and sending the rapid communication connection path to a system kernel.
In this implementation, once the fast communication connection path has been configured, it is issued to the system kernel, which applies it.
Further, after the step of issuing the rapid communication connection path to the system kernel, the method further includes:
and checking the fast communication connection path with the security function component to generate security connection information.
In this implementation, the security state can be actively judged from the security connection information, so the fast communication connection path is checked for security before use, which strengthens the protection.
Further, before the step of acquiring the session connection information generated by the first container or the second container, the method further includes:
configuring an NFQ redirection communication connection path;
and sending the NFQ redirection communication connection path to a system kernel.
In this implementation, an NFQ redirect communication connection path is configured in addition to the fast communication connection path. The initial connection between the first container and the second container is completed over the NFQ redirect path, and when the fast communication connection path is unavailable, communication between the two containers still proceeds over the NFQ redirect path.
Further, before the step of acquiring the session connection information generated by the first container or the second container, the method further includes:
before the connection between the first container and the second container is established, the top agent configures two iptables access control rules and issues them to the system kernel. The first is the fast path rule corresponding to the fast communication connection path: when a packet carries the instruction mark, it is forwarded directly. The second is the NFQ rule corresponding to the NFQ redirect communication connection path: all packets are redirected by NFQUEUE into the security service container process.
Further, the step of adding the instruction tag to the session connection information to generate quick connection information includes:
and adding the instruction mark to the session connection information through a netlink message to generate the quick connection information.
In a second aspect, embodiments of the present application provide an inter-container communication device, including:
the configuration module is used for configuring the quick communication connection path;
the connection information acquisition module is used for acquiring the instruction mark and session connection information generated by the first container or the second container;
the mark adding module is used for adding the instruction mark to the session connection information to generate quick connection information;
and the communication establishing module is used for establishing communication connection between the first container and the second container according to the quick connection information and the quick communication connection path.
Further, the inter-container communication device further includes:
and the issuing module is used for issuing the rapid communication connection path to a system kernel.
Further, the inter-container communication device further includes:
and a security connection module for checking the fast communication connection path with the security function component and generating security connection information.
Further, the configuration module is further configured to configure the NFQ redirect communication connection path;
the issuing module is further configured to issue the NFQ redirect communication connection path to a system kernel.
Further, the tag adding module is specifically configured to add the instruction tag to the session connection information through a netlink message, so as to generate the quick connection information.
In a third aspect, an electronic device provided in an embodiment of the present application includes: a memory, a processor and a computer program stored in the memory and executable on the processor, the processor implementing the steps of the method according to any one of the first aspects when the computer program is executed.
In a fourth aspect, embodiments of the present application provide a computer-readable storage medium having instructions stored thereon, which when executed on a computer, cause the computer to perform the method according to any of the first aspects.
In a fifth aspect, embodiments of the present application provide a computer program product, which when run on a computer, causes the computer to perform the method according to any one of the first aspects.
Additional features and advantages of the disclosure will be set forth in the description which follows, or in part will be obvious from the description, or may be learned by practice of the techniques disclosed herein.
In order to make the above objects, features and advantages of the present application more comprehensible, preferred embodiments accompanied with figures are described in detail below.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present application, the drawings that are needed in the embodiments of the present application will be briefly described below, it should be understood that the following drawings only illustrate some embodiments of the present application and should not be considered as limiting the scope, and other related drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
Fig. 1 is a flow chart of a communication method between containers according to an embodiment of the present application;
FIG. 2 is a schematic diagram of a first container computing node and a second container computing node provided in an embodiment of the present application;
FIG. 3 is a flow chart of another method of communication between containers according to an embodiment of the present disclosure;
FIG. 4 is a block diagram of a communication device between containers according to an embodiment of the present disclosure;
fig. 5 is a block diagram of an electronic device according to an embodiment of the present application.
Detailed Description
The technical solutions in the embodiments of the present application will be described below with reference to the drawings in the embodiments of the present application.
It should be noted that: like reference numerals and letters denote like items in the following figures, and thus once an item is defined in one figure, no further definition or explanation thereof is necessary in the following figures. Meanwhile, in the description of the present application, the terms "first", "second", and the like are used only to distinguish the description, and are not to be construed as indicating or implying relative importance.
The embodiments of this application provide a method, a device, electronic equipment and a storage medium for communication between containers, applicable to inter-container connection and access control. The method configures a fast communication connection path and establishes the connection between the first container and the second container from the quick connection information that carries the instruction mark, so that the remaining data packets of the connection are forwarded over the fast path. No plug-in module in the kernel and no proprietary protocol sent down by a custom agent are needed; no new components (and so no new security risks) are introduced into the protection process, the kernel is left unchanged, and communication performance improves while the security protection of the containers is maintained.
Note that the first container and the second container are deployed on their respective container computing nodes. The scenario assumed by the embodiments is as follows: a security service container, the top agent (an existing product), is deployed on the container computing nodes at both ends of the communication. The top agent contains the tag control logic and advanced defense functions, manages the access control policies configured for the containers at both ends, and issues iptables instructions to the system kernel of its container computing node.
In this embodiment, NFQ is short for NFQUEUE, an iptables and ip6tables target that delegates the verdict on a packet to user-space software: a rule with this target hands every matching packet to the user-space security program, which decides whether it is accepted or dropped. When a packet reaches an NFQUEUE target, it enters the queue whose number is given by the --queue-num option. NFQ is thus a kernel mechanism for redirecting traffic to user space.
Referring to fig. 1 and fig. 2, fig. 1 is a flow chart of a communication method between containers provided in an embodiment of the present application, and fig. 2 is a schematic diagram of a first container computing node and a second container computing node provided in an embodiment of the present application.
As shown in Fig. 2, the first container is deployed on a first container computing node and the second container on a second container computing node. Each container computing node runs a security service container, the top agent, which contains the tag control logic and advanced defense functions, manages the access control policies configured for the containers at both ends, and issues iptables instructions to the system kernel of its node.
The communication method between the containers comprises the following steps:
S100: configure the fast communication connection path.
Illustratively, configuring the fast communication connection path means that the top agent configures an iptables access control rule; the fast communication connection path is configured as follows:
iptables -t mangle -A TAECHAIN -m connmark --mark 0xeeef -j ACCEPT
This rule is the fast path rule corresponding to the fast communication connection path, and "0xeeef" is the instruction mark; it is a connection mark (connmark) held in the kernel's connection tracking entry, so the match applies to every packet of the marked connection, not to a single packet. When a packet belongs to a connection that carries the instruction mark, it is accepted and forwarded directly over the fast communication connection path without going through NFQ redirection.
S200: the instruction mark and session connection information generated by the first container or the second container are acquired.
S300: and adding the instruction mark to the session connection information to generate quick connection information.
Illustratively, when the first container and the second container establish a communication connection, the first container or the second container generates the session connection information, and that session is marked with the instruction mark "0xeeef"; the subsequent data packets of the first container or the second container then hit the fast communication connection path, are accepted directly, and are no longer redirected through NFQ.
Illustratively, the session connection information is five-tuple data: source IP address, source port, destination IP address, destination port and transport layer protocol. The five-tuple distinguishes different sessions, and each five-tuple identifies exactly one session.
S400: and establishing communication connection between the first container and the second container according to the quick connection information and the quick communication connection path.
The quick connection information carries the instruction mark, so the communication connection between the first container and the second container is established over the fast communication connection path and its packets are forwarded along the fast path. The method therefore improves communication performance while maintaining the security protection of the containers, without adding any component.
In some embodiments, the method configures the fast communication connection path and establishes the connection between the first container and the second container from the quick connection information that carries the instruction mark, so that the remaining data packets of the connection are forwarded over the fast path during communication. No plug-in module in the kernel and no proprietary protocol sent down by a custom agent are needed for the fast inter-container connection; the protection process introduces no new components and no new security risks, communication performance improves without modifying the kernel, and the protection effect is preserved. The method thus optimizes communication performance while maintaining the security protection of the containers.
Referring to fig. 3, fig. 3 is a flow chart of another communication method between containers according to an embodiment of the present application.
Illustratively, after S100 (configuring the fast communication connection path), the method further comprises:
S110: issue the fast communication connection path to the system kernel.
Illustratively, after the rapid communication connection path is configured, the rapid communication connection path is issued to the system kernel, and the application of the rapid communication connection path is completed by the system kernel.
In some implementations, the configuration of the quick communication connection path is completed by the top agent, and the configured quick communication connection path is issued to the system kernel by the top agent.
Illustratively, after S110 (issuing the fast communication connection path to the system kernel), the method further comprises:
S120: check the fast communication connection path with the security function component and generate security connection information.
By way of example, the security state can be actively judged from the security connection information: the fast communication connection path is checked for security, which strengthens the protection.
In some implementation scenarios, a security function component in the top agent, such as a firewall or an IPS (Intrusion Prevention System), completes the inspection of the connection, determines that the connection on the fast communication connection path is safe, and only then issues the fast path instruction for that connection to the system kernel.
Illustratively, before S200 (acquiring the session connection information generated by the first container or the second container), the method further comprises:
S201: configure an NFQ redirect communication connection path;
S202: issue the NFQ redirect communication connection path to the system kernel.
Illustratively, an NFQ redirect communication connection path is configured in addition to the fast communication connection path. The initial connection between the first container and the second container is completed over the NFQ redirect path, and when the fast communication connection path is unavailable, communication between the two containers still proceeds over the NFQ redirect path.
In some implementations, the top agent configures the iptables access control rules, and the NFQ redirect communication connection path is configured as follows:
iptables -t mangle -A TAECHAIN -p tcp -m set -j NFQUEUE --queue-num 8 --queue-bypass
As printed, the "-m set" match is incomplete: the ipset match needs a "--match-set" argument naming the set and the direction, which the text does not give. Note also that "--queue-bypass" makes this rule fail open: if no user-space process is bound to queue 8, matching packets are accepted without inspection instead of being dropped, so the liveness of the top agent must be monitored.
When the first container and the second container set up a connection over the NFQ redirect path, the packets of the three-way handshake are redirected to the top agent and pass security detection, and every subsequent data packet of the connection is likewise redirected through NFQUEUE to the top agent for security detection.
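A check a practitioner would run on a node after the agent has installed both rules, added here as an example and not part of the patent or of Topsec's product: it parses iptables-save output (the two dumps below are constructed, with the ipset match left out because the text gives no set name) and confirms that the connmark ACCEPT rule sits before the NFQUEUE rule in the mangle TAECHAIN chain, that the mark is 0xeeef and the queue number is 8, and it flags --queue-bypass, since with bypass set the queue fails open whenever no agent process is bound to it. The chain name, mark and queue number are parameters, so the same check applies to any chain built on this pattern.

```python
import re
from typing import Dict, List

# Constructed iptables-save excerpts (not captured from a real node).
GOOD_DUMP = """\
*mangle
:PREROUTING ACCEPT [0:0]
:TAECHAIN - [0:0]
-A PREROUTING -j TAECHAIN
-A TAECHAIN -m connmark --mark 0xeeef -j ACCEPT
-A TAECHAIN -p tcp -j NFQUEUE --queue-num 8 --queue-bypass
COMMIT
"""

BAD_DUMP = """\
*mangle
:TAECHAIN - [0:0]
-A TAECHAIN -p tcp -j NFQUEUE --queue-num 8
-A TAECHAIN -m connmark --mark 0xeef -j ACCEPT
COMMIT
"""

RULE_RE = re.compile(r"^-A (\S+) (.*)$")


def parse_chains(dump: str) -> Dict[str, Dict[str, List[str]]]:
    """table -> chain -> rule specs in order (the text after '-A CHAIN ')."""
    tables: Dict[str, Dict[str, List[str]]] = {}
    table = None
    for raw in dump.splitlines():
        line = raw.strip()
        if line.startswith("*"):                      # table header, e.g. *mangle
            table = line[1:]
            tables.setdefault(table, {})
        elif table is None:
            continue
        elif line.startswith(":"):                    # chain declaration
            tables[table].setdefault(line[1:].split()[0], [])
        else:
            m = RULE_RE.match(line)
            if m:
                tables[table].setdefault(m.group(1), []).append(m.group(2))
    return tables


def _mark_value(spec: str):
    """Value of --mark, tolerating a /mask suffix; None if the rule has no mark."""
    m = re.search(r"--mark (0x[0-9a-fA-F]+|\d+)", spec)
    return int(m.group(1), 0) if m else None


def audit(dump: str, chain: str = "TAECHAIN", mark: int = 0xEEEF, queue: int = 8) -> List[str]:
    """Return the problems found; an empty list means the chain matches the design."""
    findings: List[str] = []
    rules = parse_chains(dump).get("mangle", {}).get(chain)
    if rules is None:
        return [f"chain {chain} not found in the mangle table"]
    fast = [i for i, r in enumerate(rules) if "-m connmark" in r and "-j ACCEPT" in r]
    nfq = [i for i, r in enumerate(rules) if "-j NFQUEUE" in r]
    if not fast:
        findings.append("no connmark fast-path rule")
    else:
        v = _mark_value(rules[fast[0]])
        if v != mark:
            shown = f"{v:#x}" if v is not None else "none"
            findings.append(f"fast-path rule matches mark {shown}, expected {mark:#x}")
    if not nfq:
        findings.append("no NFQUEUE rule")
    else:
        spec = rules[nfq[0]]
        q = re.search(r"--queue-num (\d+)", spec)
        if q is None or int(q.group(1)) != queue:
            findings.append(f"NFQUEUE rule does not use queue {queue}")
        if "--queue-bypass" in spec:
            findings.append("NFQUEUE rule has --queue-bypass: packets are accepted "
                            "unchecked whenever no agent is bound to the queue")
    if fast and nfq and fast[0] > nfq[0]:
        findings.append("NFQUEUE rule precedes the fast-path rule: marked flows are still queued")
    return findings


if __name__ == "__main__":
    for name, dump in (("good", GOOD_DUMP), ("bad", BAD_DUMP)):
        print(name, audit(dump) or ["ok"])
```

On a real node the input is the output of iptables-save -t mangle. The bad dump reproduces two mistakes that are easy to make from the text: the rules in the wrong order, which sends every packet to the queue even after the agent has marked the flow, and the mark typed as 0xeef, which never matches the 0xeeef value the agent sets.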
Illustratively, S300 (adding the instruction mark to the session connection information to generate the quick connection information) comprises:
S310: add the instruction mark to the session connection information through a netlink message to generate the quick connection information.
Illustratively, netlink is a socket-based inter-process communication mechanism between a user-space process and the kernel, and the interface most commonly used by networking applications to communicate with the kernel.
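The whole procedure of S100 to S400, the NFQ redirect path of S201 and S202 and the netlink marking of S310, as an added in-process model that is not code from the patent or from Topsec: the kernel's TAECHAIN, the connection tracking mark, the NFQUEUE hand-off to a user-space agent and the agent's policy are all simulated in plain Python so it runs without root or netfilter. The 0xeeef mark, the TAECHAIN name and the rule order follow the text; the packet layout, the toy ACL, the container addresses and the decision to mark a flow once its three-way handshake has been inspected are assumptions.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

FAST_MARK = 0xEEEF            # instruction mark matched by "-m connmark --mark 0xeeef"
HANDSHAKE = ("S", "SA", "A")  # TCP flags of the three-way handshake (modelling assumption)
FiveTuple = Tuple[str, int, str, int, str]


@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str = ""           # TCP flag string; a modelling assumption, not a parsed header
    proto: str = "tcp"

    def tuple5(self) -> FiveTuple:
        return (self.src, self.sport, self.dst, self.dport, self.proto)


def conn_key(t: FiveTuple) -> FiveTuple:
    """nf_conntrack keeps one entry per flow, so the reply direction must map
    to the same key as the original direction."""
    a, b = (t[0], t[1]), (t[2], t[3])
    if a > b:
        a, b = b, a
    return (a[0], a[1], b[0], b[1], t[4])


class Conntrack:
    """Stand-in for the kernel connection tracking table: one mark per flow."""
    def __init__(self) -> None:
        self.marks: Dict[FiveTuple, int] = {}

    def mark_of(self, key: FiveTuple) -> int:
        return self.marks.get(key, 0)

    def set_mark(self, key: FiveTuple, mark: int) -> None:
        # Models the netlink conntrack update sent from user space (the same
        # operation `conntrack -U ... --mark` performs); here it is a dict write.
        self.marks[key] = mark

    def flush(self) -> None:
        self.marks.clear()


class AgentModel:
    """User-space verdict process bound to the NFQUEUE (models the top agent)."""
    def __init__(self, ct: Conntrack, policy: Callable[[Packet], bool]) -> None:
        self.ct, self.policy = ct, policy
        self.progress: Dict[FiveTuple, int] = {}  # handshake packets passed, per flow
        self.inspected = 0

    def verdict(self, pkt: Packet) -> str:
        self.inspected += 1
        if not self.policy(pkt):
            return "DROP"                         # never marked: the flow stays on the slow path
        key = conn_key(pkt.tuple5())
        n = self.progress.get(key, 0)
        if n < len(HANDSHAKE) and pkt.flags == HANDSHAKE[n]:
            n += 1
            self.progress[key] = n
            if n == len(HANDSHAKE):               # handshake inspected and clean:
                self.ct.set_mark(key, FAST_MARK)  # issue the fast path instruction
        return "ACCEPT"


class TaeChain:
    """The two TAECHAIN rules, in the order the agent installs them."""
    def __init__(self, ct: Conntrack, agent: Optional[AgentModel], queue_bypass: bool = True) -> None:
        self.ct, self.agent, self.queue_bypass = ct, agent, queue_bypass
        self.fast_hits = 0

    def forward(self, pkt: Packet) -> str:
        if self.ct.mark_of(conn_key(pkt.tuple5())) == FAST_MARK:
            self.fast_hits += 1                   # rule 1: connmark matched -> ACCEPT, no queueing
            return "ACCEPT"
        if pkt.proto == "tcp":                    # rule 2: -p tcp -j NFQUEUE --queue-num 8
            if self.agent is None:                # nothing bound to the queue:
                return "ACCEPT" if self.queue_bypass else "DROP"   # --queue-bypass fails open
            return self.agent.verdict(pkt)
        return "ACCEPT"                           # no rule matched: chain policy


def build_session(n_data: int = 5) -> List[Packet]:
    """Constructed sample flow: three-way handshake, then n_data data segments."""
    c, s = ("10.0.1.5", 40000), ("10.0.2.7", 8080)   # assumed container addresses
    pkts = [Packet(*c, *s, "S"), Packet(*s, *c, "SA"), Packet(*c, *s, "A")]
    for i in range(n_data):
        a, b = (c, s) if i % 2 == 0 else (s, c)
        pkts.append(Packet(*a, *b, "PA"))
    return pkts


def allow_all(pkt: Packet) -> bool:
    return True


def block_port_8080(pkt: Packet) -> bool:       # toy ACL: deny traffic to the server port
    return pkt.dport != 8080


def run(policy: Callable[[Packet], bool], agent_alive: bool = True,
        queue_bypass: bool = True, revoke_after: Optional[int] = None):
    """Push the sample flow through the chain; returns (verdicts, fast-path hits, packets inspected)."""
    ct = Conntrack()
    agent = AgentModel(ct, policy) if agent_alive else None
    chain = TaeChain(ct, agent, queue_bypass)
    verdicts = []
    for i, pkt in enumerate(build_session()):
        if revoke_after is not None and i == revoke_after:
            ct.flush()                            # policy changed: drop marks so flows are re-inspected
        verdicts.append(chain.forward(pkt))
    return verdicts, chain.fast_hits, (agent.inspected if agent else 0)


if __name__ == "__main__":
    print(run(allow_all))            # all ACCEPT, 5 fast-path hits, only 3 packets inspected
```

run(allow_all) shows the intended effect: only the three handshake packets reach the agent and the five data segments hit the fast path. run(block_port_8080) shows that a denied flow is never marked, so every packet of it keeps going to the agent. run(allow_all, agent_alive=False) shows what --queue-bypass means in practice: with the agent gone, every packet is accepted uninspected, and without bypass every packet is dropped. revoke_after models a policy change: flushing the marks sends a mid-stream flow back to the agent, and because this toy agent only marks after a handshake, a real agent needs a re-validation path for already established flows.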
Illustratively, as IT technology develops, the lightweight nature of containers has made them widely used in cloud computing. Since containers are a finer-grained unit than virtual machines, whose network properties resemble those of traditional hardware devices, inter-container security is a major threat challenge. Container clusters offer several networking modes, such as bridge networks, MACVLAN and overlay networks, which provide container interconnection within one host, across hosts and cluster-wide; at the same time, containers share the operating system kernel with the host, which introduces isolation risks between containers and the host and between the containers themselves. Access control between containers cannot be protected with a conventional five-tuple access control policy, and several NAT (Network Address Translation) steps make IP addressing very complex, which further increases the difficulty of securing a container environment. Security protection between containers, like that of traditional virtual machines, requires inspection and filtering of the packets exchanged between containers. One way is to redirect the packets to a security protection component through the Linux NFQ mechanism: NFQ (in full, NFQUEUE) is a target of iptables and ip6tables rules that redirects packets to a user-space process, which decides whether each packet is accepted or dropped. A packet that reaches an NFQ target enters the queue whose number is given by the --queue-num option.
In the traditional technical scheme, a plug-in module, that is, a kernel driver, is added to the system kernel, and packet redirection and performance acceleration are implemented by that driver module. But adding a driver to the kernel requires adapting it to the system kernel, and the driver must be modified for each cloud platform; moreover, a plug-in component in the kernel enlarges the kernel's attack surface.
Illustratively, the inter-container communication method of the embodiments establishes a connection from a first container on one computing node to a second container on another computing node, with security protection such as access control for both containers provided by the top agent. When the connection is established, the packets sent by the first container and the second container are redirected by the underlying NFQ to the top agent; the top agent, as the security protection component, holds the access control policies and performs the corresponding policy matching, so the packets between the first container and the second container can be filtered and inspected one by one.
Before the connection between the first container and the second container is established, the top agent configures two iptables access control rules and issues them to the system kernel: the first is a quick path rule corresponding to the quick communication connection path, namely, when a message carries the instruction mark, the message is forwarded directly; the second is the NFQ rule corresponding to the NFQ redirect communication connection path, i.e., all messages are redirected by the NFQ into the security service container process.
This process achieves one-by-one security detection and protection of the data messages between containers, but the redirection greatly affects communication efficiency and reduces transmission performance. To address this problem, the performance optimization method of the embodiment of the application adds an iptables fast path (that is, a quick communication connection path) on top of NFQ: when the top agent, acting as the instruction end, determines that a data message is safe, it issues a fast path instruction to the system kernel, and the remaining data messages of that connection are forwarded directly through the fast path in the kernel. The performance optimization method therefore solves the problem of reduced communication performance caused by the container environment security protection component redirecting data messages, and effectively improves the overall security protection performance.
By relying on native mechanisms, the communication method between containers provided by the embodiment of the application effectively improves the performance of security protection without adding any component. The method neither installs a plug-in module in the kernel nor defines a private protocol for the agent to send downwards, so the security protection process avoids introducing new components and new potential security hazards; communication performance is effectively improved without changing the kernel, which considerably supports the security protection effect.
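The following Python simulation is an added illustration, not code from the patent or its assignee. It models the two-rule scheme of the description above and of claim 1: a fast path rule that forwards any packet whose session already carries the instruction mark, an NFQ rule that redirects every other packet to the user-space agent, and the agent attaching the mark to the session's five-tuple (a stand-in for the netlink message) once it has judged the session safe. The mark value, container addresses, ports and allow policy are all constructed for the demo.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# A session's five-tuple: (src_ip, src_port, dst_ip, dst_port, transport protocol)
FiveTuple = Tuple[str, int, str, int, str]

# Bit used as the "instruction mark". Hypothetical value: the patent fixes none.
INSTRUCTION_MARK = 0x1


def connection_key(pkt: FiveTuple) -> FiveTuple:
    """Map both directions of a flow onto one key, as the conntrack table does."""
    src, sport, dst, dport, proto = pkt
    return min((src, sport, dst, dport, proto), (dst, dport, src, sport, proto))


@dataclass
class Kernel:
    """Models the two access control rules issued to the kernel before any connection.

    Rule 1 (fast path): a packet whose session carries the instruction mark is
    forwarded directly.  Rule 2 (NFQ): every other packet is redirected to the
    user-space agent, whose verdict decides whether it is released or dropped.
    """
    conntrack: Dict[FiveTuple, int] = field(default_factory=dict)  # session key -> mark bits
    redirected: List[FiveTuple] = field(default_factory=list)      # packets that hit the NFQ rule

    def handle(self, pkt: FiveTuple, agent: "Agent") -> str:
        key = connection_key(pkt)
        if self.conntrack.get(key, 0) & INSTRUCTION_MARK:
            return "FORWARD"                # rule 1: fast path, the agent never sees it
        self.redirected.append(pkt)         # rule 2: NFQ redirect to user space
        return agent.verdict(pkt, self)

    def netlink_set_mark(self, key: FiveTuple, mark: int) -> None:
        """Stands in for the netlink message that adds the instruction mark to the session."""
        self.conntrack[key] = self.conntrack.get(key, 0) | mark


@dataclass
class Agent:
    """User-space security component holding the access control policy."""
    allowed_services: Set[Tuple[str, int, str]]  # (dst_ip, dst_port, proto) allowed by policy

    def verdict(self, pkt: FiveTuple, kernel: Kernel) -> str:
        _src, _sport, dst, dport, proto = pkt
        if (dst, dport, proto) not in self.allowed_services:
            return "DROP"                   # denied sessions are never marked: every packet stays on the slow path
        # Session judged safe: quick connection information = five-tuple + instruction
        # mark, pushed to the kernel so the rest of this session, in both directions,
        # takes the fast path without further redirection.
        kernel.netlink_set_mark(connection_key(pkt), INSTRUCTION_MARK)
        return "ACCEPT"


def run_scenario() -> Dict[str, object]:
    """Constructed traffic between two containers; addresses are made up for the demo."""
    kernel = Kernel()
    agent = Agent(allowed_services={("10.0.2.5", 8080, "tcp")})
    first = ("10.0.1.7", 40000, "10.0.2.5", 8080, "tcp")
    data = ("10.0.1.7", 40000, "10.0.2.5", 8080, "tcp")
    reply = ("10.0.2.5", 8080, "10.0.1.7", 40000, "tcp")
    blocked = ("10.0.1.7", 40001, "10.0.2.5", 22, "tcp")
    return {
        "first": kernel.handle(first, agent),       # ACCEPT via NFQ; session gets marked
        "second": kernel.handle(data, agent),       # FORWARD via the fast path
        "reply": kernel.handle(reply, agent),       # FORWARD: same session, other direction
        "blocked1": kernel.handle(blocked, agent),  # DROP
        "blocked2": kernel.handle(blocked, agent),  # DROP again: still redirected each time
        "redirected": len(kernel.redirected),       # 3 packets reached the agent
    }
```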
Referring to fig. 4, fig. 4 is a block diagram of a communication device between containers according to an embodiment of the present application, where the communication device between containers includes:
a configuration module 100 for configuring a quick communication connection path;
a connection information obtaining module 200, configured to obtain the instruction tag and session connection information generated by the first container or the second container;
the tag adding module 300 is configured to add an instruction tag to session connection information to generate quick connection information;
the communication establishing module 400 is configured to establish a communication connection between the first container and the second container according to the quick connection information and the quick communication connection path.
Illustratively, the inter-container communication device further comprises:
an issuing module, configured to issue the quick communication connection path to the system kernel.
Illustratively, the inter-container communication device further comprises:
a security connection module, configured to check the quick communication connection path against the security function component and generate security connection information.
Illustratively, the configuration module 100 is further configured to configure the NFQ redirect communication connection path;
the issuing module is further configured to issue the NFQ redirect communication connection path to the system kernel.
Illustratively, the tag adding module 300 is specifically configured to add an instruction tag to session connection information through a netlink message, and generate quick connection information.
It should be understood that the communication device between containers shown in fig. 4 corresponds to the method embodiment shown in fig. 1 to 3, and is not described here again for the sake of avoiding repetition.
The application further provides an electronic device, please refer to fig. 5, and fig. 5 is a block diagram of an electronic device according to an embodiment of the application. The electronic device may include a processor 510, a communication interface 520, a memory 530, and at least one communication bus 540. Wherein the communication bus 540 is used to enable direct connection communication for these components. The communication interface 520 of the electronic device in the embodiment of the present application is used for performing signaling or data communication with other node devices. Processor 510 may be an integrated circuit chip with signal processing capabilities.
The processor 510 may be a general-purpose processor, including a Central Processing Unit (CPU), a Network Processor (NP), etc.; it may also be a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), a Field Programmable Gate Array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, or discrete hardware components. It may implement or perform the methods, steps, and logic blocks disclosed in the embodiments of the present application. A general-purpose processor may be a microprocessor, or the processor 510 may be any conventional processor or the like.
The memory 530 may be, but is not limited to, Random Access Memory (RAM), Read-Only Memory (ROM), Programmable Read-Only Memory (PROM), Erasable Programmable Read-Only Memory (EPROM), Electrically Erasable Programmable Read-Only Memory (EEPROM), and the like. The memory 530 stores computer-readable instructions which, when executed by the processor 510, cause the electronic device to perform the steps described above in relation to the method embodiments of fig. 1-3.
Optionally, the electronic device may further include a memory controller and an input/output unit.
The memory 530, the memory controller, the processor 510, the peripheral interface, and the input/output unit are electrically connected directly or indirectly to each other, so as to realize data transmission or interaction. For example, the elements may be electrically coupled to each other via one or more communication buses 540. The processor 510 is configured to execute executable modules stored in the memory 530, such as software functional modules or computer programs included in the electronic device.
The input/output unit is used to let the user create a task and set a selectable start period or a preset execution time for the task, so as to realize interaction between the user and the server. The input/output unit may be, but is not limited to, a mouse, a keyboard, and the like.
It will be appreciated that the configuration shown in fig. 5 is merely illustrative, and that the electronic device may also include more or fewer components than shown in fig. 5, or have a different configuration than shown in fig. 5. The components shown in fig. 5 may be implemented in hardware, software, or a combination thereof.
The embodiment of the application further provides a storage medium on which instructions are stored; when the instructions run on a computer, the processor executes the computer program to implement the method described in the method embodiments. To avoid repetition, no further description is given here.
The present application also provides a computer program product which, when run on a computer, causes the computer to perform the method of the method embodiments.
In the several embodiments provided in this application, it should be understood that the disclosed apparatus and method may be implemented in other manners as well. The apparatus embodiments described above are merely illustrative, for example, flow diagrams and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of apparatus, methods and computer program products according to various embodiments of the present application. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
In addition, the functional modules in the embodiments of the present application may be integrated together to form a single part, or each module may exist alone, or two or more modules may be integrated to form a single part.
The functions, if implemented in the form of software functional modules and sold or used as a stand-alone product, may be stored in a computer-readable storage medium. Based on such understanding, the technical solution of the present application may be embodied essentially or in a part contributing to the prior art or in a part of the technical solution, in the form of a software product stored in a storage medium, including several instructions for causing a computer device (which may be a personal computer, a server, or a network device, etc.) to perform all or part of the steps of the methods described in the embodiments of the present application. And the aforementioned storage medium includes: a U-disk, a removable hard disk, a Read-Only Memory (ROM), a random access Memory (RAM, random Access Memory), a magnetic disk, or an optical disk, or other various media capable of storing program codes.
The foregoing is merely exemplary embodiments of the present application and is not intended to limit the scope of the present application, and various modifications and variations may be suggested to one skilled in the art. Any modification, equivalent replacement, improvement, etc. made within the spirit and principles of the present application should be included in the protection scope of the present application. It should be noted that: like reference numerals and letters denote like items in the following figures, and thus once an item is defined in one figure, no further definition or explanation thereof is necessary in the following figures.
The foregoing is merely specific embodiments of the present application, but the scope of the present application is not limited thereto, and any person skilled in the art can easily think about changes or substitutions within the technical scope of the present application, and the changes and substitutions are intended to be covered by the scope of the present application. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.
It is noted that relational terms such as first and second, and the like are used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Moreover, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising one … …" does not exclude the presence of other like elements in a process, method, article, or apparatus that comprises the element.

Claims (6)

1. A method of communicating between containers, comprising:
configuring a rapid communication connection path;
acquiring an instruction mark and session connection information generated by a first container or a second container, wherein the session connection information is quintuple data, and the quintuple data comprises a source IP address, a source port, a destination IP address, a destination port and a transport layer protocol;
adding the instruction mark to the session connection information to generate quick connection information;
establishing communication connection between the first container and the second container according to the quick connection information and the quick communication connection path;
before the step of acquiring the session connection information generated by the first container or the second container, the method further comprises:
before connection between the first container and the second container is established, configuring two iptables access control rules by a top agent and issuing the two iptables access control rules to a system kernel, wherein the first one is a quick path rule corresponding to a quick communication connection path, namely, when a message has an instruction mark, directly forwarding the message; the second rule is an NFQ rule corresponding to an NFQ redirection communication connection path, that is, all messages are redirected by the NFQ to a security service container process;
after the step of configuring the quick communication connection path, further comprising:
issuing the rapid communication connection path to a system kernel;
before the step of acquiring the session connection information generated by the first container or the second container, the method further comprises:
configuring an NFQ redirection communication connection path;
and sending the NFQ redirection communication connection path to a system kernel.
2. The method of inter-container communication according to claim 1, further comprising, after the step of issuing the quick communication connection path to a system kernel:
and detecting the rapid communication connection path according to the safety function component to generate safety connection information.
3. The method of inter-container communication according to claim 1, wherein the step of adding the instruction tag to the session connection information to generate quick connection information includes:
and adding the instruction mark to the session connection information through a netlink message to generate the quick connection information.
4. An inter-container communication device, comprising:
the configuration module is used for configuring the quick communication connection path;
the connection information acquisition module is used for acquiring the instruction mark and session connection information generated by the first container or the second container, wherein the session connection information is quintuple data, and the quintuple data comprises a source IP address, a source port, a destination IP address, a destination port and a transport layer protocol;
the mark adding module is used for adding the instruction mark to the session connection information to generate quick connection information;
the communication establishing module is used for establishing communication connection between the first container and the second container according to the quick connection information and the quick communication connection path;
before connection between the first container and the second container is established, two iptables access control rules are configured by a top agent and issued to a system kernel, wherein the first one is a fast path rule corresponding to a fast communication connection path, namely, when a message has an instruction mark, the message is directly forwarded; the second rule is an NFQ rule corresponding to an NFQ redirection communication connection path, that is, all messages are redirected by the NFQ to a security service container process;
the issuing module is used for issuing the rapid communication connection path to a system kernel;
the configuration module is further used for configuring an NFQ redirection communication connection path; the issuing module is further configured to issue the NFQ redirect communication connection path to a system kernel.
5. An electronic device, comprising: a memory, a processor and a computer program stored in the memory and executable on the processor, the processor implementing the steps of the method of communication between containers according to any one of claims 1 to 3 when the computer program is executed.
6. A computer readable storage medium having instructions stored thereon which, when run on a computer, cause the computer to perform the inter-container communication method of any of claims 1 to 3.
CN202111579866.9A 2021-12-22 2021-12-22 Communication method and device between containers, electronic equipment and storage medium Active CN114244891B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111579866.9A CN114244891B (en) 2021-12-22 2021-12-22 Communication method and device between containers, electronic equipment and storage medium

Publications (2)

Publication Number Publication Date
CN114244891A CN114244891A (en) 2022-03-25
CN114244891B true CN114244891B (en) 2024-01-23

Family

ID=80761129

Country Status (1)

Country Link
CN (1) CN114244891B (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114780211B (en) * 2022-06-16 2022-11-08 阿里巴巴(中国)有限公司 Method for managing a secure container and system based on a secure container

Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106656980A (en) * 2016-10-21 2017-05-10 郑州云海信息技术有限公司 Method for automatically configuring accessing control of Docker container
CN109067877A (en) * 2018-08-03 2018-12-21 平安科技(深圳)有限公司 Control method, server and storage medium for cloud computing platform deployment
CN109324908A (en) * 2017-07-31 2019-02-12 华为技术有限公司 Container isolation method and device for Netlink resources
CN110191007A (en) * 2019-06-27 2019-08-30 广州虎牙科技有限公司 Node administration method, system and computer readable storage medium
CN110704158A (en) * 2019-09-23 2020-01-17 凡普数字技术有限公司 Method, apparatus and storage medium for forwarding access requests within a container cluster
CN111885005A (en) * 2020-06-29 2020-11-03 济南浪潮数据技术有限公司 Container cloud platform service communication method, device, equipment and medium
CN111934918A (en) * 2020-07-24 2020-11-13 北京金山云网络技术有限公司 Network isolation method and device for container instances in same container cluster
CN112003877A (en) * 2020-09-03 2020-11-27 上海优扬新媒信息技术有限公司 Network isolation method and device, electronic equipment and storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant