CN114327741A - Server system, container setting method and device - Google Patents


Info

Publication number
CN114327741A
Application number
CN202011063093.4A
Authority
CN (China)
Prior art keywords
virtual, hardware, host bridge, pcie, isa
Legal status
Pending
Other languages
Chinese (zh)
Inventor
汪晶
Current Assignee
Huawei Cloud Computing Technologies Co Ltd
Original Assignee
Huawei Cloud Computing Technologies Co Ltd
Application filed by Huawei Cloud Computing Technologies Co Ltd
Priority to CN202011063093.4A
Priority to PCT/CN2021/120826 (published as WO2022068753A1)
Publication of CN114327741A

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F13/00 Interconnection of, or transfer of information or other signals between, memories, input/output devices or central processing units
    • G06F13/38 Information transfer, e.g. on bus
    • G06F13/40 Bus structure
    • G06F13/42 Bus transfer protocol, e.g. handshake; Synchronisation
    • G06F9/00 Arrangements for program control, e.g. control units
    • G06F9/06 Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/44 Arrangements for executing specific programs
    • G06F9/445 Program loading or initiating
    • G06F9/455 Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines

Abstract

The application discloses a server system, a container setting method and a container setting device, and belongs to the technical field of cloud services. The server system includes a virtual machine, a virtual machine manager and a secure container, the secure container being arranged in the virtual machine. The virtual machine manager is used to provide virtual hardware for the virtual machine, and the virtual hardware is matched with the secure container; the secure container uses the virtual hardware within the virtual machine. The application realizes a lightweight configuration of the virtual machine and improves the security of the virtual hardware.

Description

Server system, container setting method and device
Technical Field
The present application relates to the field of cloud service technologies, and in particular, to a server system, a container setting method, and an apparatus.
Background
With the continuous development and maturation of cloud computing technology, cloud computing products are increasingly accepted and widely used by enterprises. Meanwhile, container-based cloud computing products, which are portable, flexible, high-performance and quick to deploy, have also developed greatly and are widely applied.
At present, the schemes for implementing a container in a virtual machine (also referred to as virtual machine container schemes) mainly include a virtual machine container scheme using a kernel-based virtual machine (KVM) and the virtual operating system emulator QEMU. In order to be compatible with operating systems of different types and versions (such as the Linux operating system, the Windows operating system and the like), this scheme requires the virtual machine manager to provide a large amount of virtual hardware for the virtual machine.
However, the security of this scheme is low.
Disclosure of Invention
The application provides a server system, a container setting method and a container setting device, which can solve the problem of low security in schemes for implementing a container in a virtual machine.
In a first aspect, the present application provides a server system, comprising a virtual machine, a virtual machine manager and a secure container, the secure container being arranged in the virtual machine. The virtual machine manager is used to provide virtual hardware for the virtual machine, and the virtual hardware is matched with the secure container; the secure container uses the virtual hardware within the virtual machine.
Here, the virtual hardware being matched with the secure container means that the virtual hardware provides the secure container with the hardware capabilities required for its operation, and that the virtual hardware in the virtual machine is the virtual hardware the secure container can use when it runs. That is, the virtual hardware in the virtual machine does not include virtual hardware that the secure container does not use when running, i.e., it does not include redundant devices provided for improving compatibility. Also, because the virtual machine includes the virtual hardware necessary for the secure container to run, it is also referred to as a virtual hardware system.
In the server system, because the virtual hardware in the virtual machine is matched with the secure container and does not include redundant devices, a lightweight configuration of the virtual machine is realized and the complexity of emulating virtual hardware in the virtual machine manager is reduced. In addition, compared with a virtual machine of the related art, the total amount of virtual hardware in the virtual machine is reduced, so the number of exposed virtual hardware interfaces is reduced, the attack surface against the secure container is further reduced, the security of the virtual hardware is improved, and the resource overhead of emulating the virtual hardware is reduced.
The virtual hardware comprises: one or more virtual bus host bridges, and virtual bus devices disposed at each virtual bus host bridge.
In one implementation, the virtual hardware includes a virtual Peripheral Component Interconnect Express (PCIe) host bridge and a virtual PCIe device disposed on the virtual PCIe host bridge. Because PCIe has the advantages of a high data transmission rate, strong interference immunity, long transmission distance, low power consumption and the like, when the virtual bus host bridge is a virtual PCIe host bridge and the virtual bus device is a virtual PCIe device, the transmission speed of the virtual PCIe host bridge and the virtual PCIe device can be further ensured, and the performance of the secure container is improved.
Virtual PCIe devices may include virtual devices used to implement network transport, storage, and computation. For example, a virtual PCIe device may include a virtual input/output PCIe device. The virtual PCIe device may further include a PCIe pass-through device of the server system; for example, the virtual PCIe device may further include a virtual function input/output PCIe device. When a PCIe pass-through device is inserted into a virtual PCIe slot, the performance of the server system can be effectively ensured, because a PCIe pass-through device has low latency and high bandwidth.
Moreover, when one virtual bus host bridge included in the virtual hardware is a virtual PCIe host bridge, the virtual hardware may further include a virtual bus host bridge using another bus standard and a virtual bus device disposed in the virtual bus host bridge using the other bus standard, so that the virtual machine can provide hardware functions with different transmission rates for the secure container.
Optionally, the virtual PCIe device further includes an access device for a virtual Industry Standard Architecture (ISA) bus, which is used to connect to virtual ISA devices.
Or, the virtual hardware further includes a virtual ISA host bridge, which is parallel to the virtual PCIe host bridge.
In addition, if the demand of the secure container for virtual hardware increases, the virtual PCIe device may further include an access device for a virtual PCIe bus, which is used to connect to the virtual PCIe devices that need to be added, so as to expand the application range of the secure container.
In another implementation, the virtual hardware includes a virtual Peripheral Component Interconnect (PCI) host bridge and a virtual PCI device arranged on the virtual PCI host bridge. Because the virtual PCI host bridge and the virtual PCI device both use the PCI standard to transmit data, the transmission speed of the virtual PCI host bridge and the virtual PCI device can be effectively ensured.
Optionally, the virtual PCI devices may include virtual devices for implementing network transmission, storage, and computation. For example, a virtual PCI device may include a virtual input/output PCI device. The virtual PCI device may further include a PCI pass-through device of the server system; for example, the virtual PCI device may further include a virtual function input/output PCI device. When a PCI pass-through device is inserted into a virtual PCI slot, the performance of the server system can be effectively ensured, because a PCI pass-through device has low latency and high bandwidth.
And when one virtual bus host bridge included in the virtual hardware is a virtual PCI host bridge, the virtual hardware may further include a virtual bus host bridge using another bus standard and a virtual bus device disposed on that virtual bus host bridge, so that the virtual machine can provide hardware functions with different transmission rates for the secure container.
Optionally, the virtual PCI device further includes an access device for a virtual ISA bus, which is used to connect to virtual ISA devices.
Or, the virtual hardware further includes a virtual ISA host bridge and virtual ISA devices arranged on the virtual ISA host bridge, wherein the virtual ISA host bridge is parallel to the virtual PCI host bridge.
In this application, an application scenario of the secure container is as follows: the operating system of the virtual machine is the Linux operating system. Accordingly, the virtual hardware provided to the virtual machine in this application is all the virtual hardware required for running a secure container on the Linux operating system.
In a second aspect, the present application provides a container setting method, comprising: acquiring a secure container creation request; creating a virtual machine according to the secure container creation request and providing virtual hardware for the virtual machine, wherein the virtual hardware is matched with the secure container; and creating a secure container within the virtual machine, wherein the secure container uses the virtual hardware within the virtual machine.
Optionally, the virtual hardware comprises a virtual PCIe host bridge and a virtual PCIe device arranged on the virtual PCIe host bridge.
Optionally, the virtual PCIe device includes a PCIe pass-through device.
Optionally, the virtual PCIe device further includes an access device for a virtual ISA bus, which is used to connect to virtual ISA devices.
Optionally, the virtual hardware further comprises a virtual ISA host bridge, which is parallel to the virtual PCIe host bridge.
Optionally, the virtual hardware comprises a virtual PCI host bridge and a virtual PCI device arranged on the virtual PCI host bridge.
Optionally, the virtual PCI device includes a PCI pass-through device.
Optionally, the virtual PCI device further includes an access device for a virtual ISA bus, which is used to connect to virtual ISA devices.
Optionally, the virtual hardware further comprises a virtual ISA host bridge and virtual ISA devices arranged on the virtual ISA host bridge, wherein the virtual ISA host bridge is parallel to the virtual PCI host bridge.
Optionally, the operating system of the virtual machine is the Linux operating system.
In a third aspect, the present application provides a container setting device, comprising: an acquisition module, used to acquire a secure container creation request; a processing module, used to create a virtual machine according to the secure container creation request and to provide virtual hardware for the virtual machine, wherein the virtual hardware is matched with the secure container; and the processing module is further used to create a secure container within the virtual machine, wherein the secure container uses the virtual hardware within the virtual machine.
Optionally, the virtual hardware comprises a virtual PCIe host bridge and a virtual PCIe device arranged on the virtual PCIe host bridge.
Optionally, the virtual PCIe device includes a PCIe pass-through device.
Optionally, the virtual PCIe device further includes an access device for a virtual ISA bus, which is used to connect to virtual ISA devices.
Optionally, the virtual hardware further comprises a virtual ISA host bridge, which is parallel to the virtual PCIe host bridge.
Optionally, the virtual hardware comprises a virtual PCI host bridge and a virtual PCI device arranged on the virtual PCI host bridge.
Optionally, the virtual PCI device includes a PCI pass-through device.
Optionally, the virtual PCI device further includes an access device for a virtual ISA bus, which is used to connect to virtual ISA devices.
Optionally, the virtual hardware further comprises a virtual ISA host bridge and virtual ISA devices arranged on the virtual ISA host bridge, wherein the virtual ISA host bridge is parallel to the virtual PCI host bridge.
Optionally, the operating system of the virtual machine is the Linux operating system.
In a fourth aspect, there is provided a computer device comprising: a processor and a memory, the memory having stored therein a computer program; when the processor executes the computer program, the computer device implements the method provided by the second aspect.
In a fifth aspect, a storage medium is provided, and when executed by a processor, the instructions in the storage medium implement the method provided by the second aspect.
Drawings
Fig. 1 is a schematic diagram of an implementation scenario related to a server system provided in an embodiment of the present application;
fig. 2 is a schematic structural diagram of a server system provided in an embodiment of the present application;
fig. 3 is a schematic structural diagram of a virtual machine for providing virtual hardware to a secure container according to an embodiment of the present application;
fig. 4 is a schematic structural diagram of another virtual machine for providing virtual hardware to a secure container according to an embodiment of the present application;
fig. 5 is a schematic structural diagram of another virtual machine for providing virtual hardware to a secure container according to an embodiment of the present application;
fig. 6 is a flow chart of a container setting method according to an embodiment of the present application;
fig. 7 is a schematic structural diagram of a container setting device according to an embodiment of the present application;
fig. 8 is a schematic structural diagram of a computer device according to an embodiment of the present application.
Detailed Description
To make the objects, technical solutions and advantages of the present application more clear, embodiments of the present application will be described in further detail below with reference to the accompanying drawings.
The embodiment of the application provides a server system, a container setting method and a container setting device. The server system includes a virtual machine, a virtual machine manager, and a secure container. The secure container is disposed within the virtual machine. The virtual machine manager is used to provide virtual hardware for the virtual machine, and the virtual hardware is matched with the secure container. The secure container uses the virtual hardware within the virtual machine.
Here, the virtual hardware being matched with the secure container means that the virtual hardware provides the secure container with the hardware capabilities required for its operation, and that the virtual hardware in the virtual machine is the virtual hardware the secure container can use when it runs. That is, the virtual hardware in the virtual machine does not include virtual hardware that the secure container does not use when running; for example, it does not include redundant devices provided for improving compatibility. Also, because the virtual machine includes the virtual hardware necessary for the secure container to run, it is also referred to as a virtual hardware system.
In the server system, the container setting method and the device provided by the embodiment of the application, because the virtual hardware in the virtual machine is matched with the secure container and does not include redundant devices, a lightweight configuration of the virtual machine is realized and the complexity of emulating virtual hardware in the virtual machine manager is reduced. In addition, compared with a virtual machine of the related art, the total amount of virtual hardware in the virtual machine is reduced, so the number of exposed virtual hardware interfaces is reduced, the attack surface against the secure container is further reduced, the security of the virtual hardware is improved, and the resource overhead of emulating the virtual hardware is reduced.
Fig. 1 is a schematic diagram of an implementation scenario related to a server system provided in an embodiment of the present application. As shown in fig. 1, the implementation scenario includes: a server system 1 and a cloud management platform 2 deployed in the cloud platform P. A large amount of basic resources owned by a cloud service provider are deployed in the cloud platform P, and the cloud platform P can provide cloud services to tenants by using the basic resources. The underlying resources may include computing resources, storage resources, network resources, and the like, and the computing resources may be a large number of computing devices (e.g., servers).
The cloud management platform 2 is configured to receive a security container creation request input by a tenant, and send the security container creation request to the server system 1. The server system 1 is configured to create a secure container based on the secure container creation request.
The cloud management platform 2 and the server system 1 may be implemented on the basic resources in the cloud platform P. In one implementation, optionally, the cloud management platform 2 may be implemented by software such as a virtual machine or a container on the basic resources, or the cloud management platform 2 may be implemented by a physical server (also referred to as a host) such as a bare metal server. The server system 1 may be implemented by a physical server (also referred to as a host) such as a bare metal server. The server system 1 may include hardware, virtual machines deployed on that hardware, a virtual machine manager, and secure containers, among others, wherein the secure container is disposed within the virtual machine. The secure container is used to implement the tenant's services and provide cloud services to the tenant. The tenant services include software application services created by the cloud platform P according to the user's service requirements, for example a language identification service, a video review service, or an image rendering service.
The following describes an implementation of the server system provided in the embodiment of the present application. As shown in fig. 2, the server system 1 includes a Virtual Machine (VM) 11, a Virtual Machine Manager (VMM) 12, and a secure container (pod) 111. The secure container 111 is provided in the virtual machine 11. The virtual machine manager 12 is used to provide virtual hardware 121 for the virtual machine 11, and the virtual hardware 121 is matched with the secure container 111. The secure container 111 uses the virtual hardware within the virtual machine 11.
The secure container 111 is used to implement the tenant's services. As shown in fig. 2, the secure container 111 is disposed in the virtual machine 11, and the virtual machine 11 isolates secure containers 111 from each other, thereby ensuring the security of data between different tenants. Fig. 2 is a schematic diagram of one virtual machine 11 including two secure containers 111.
As shown in fig. 2, the virtual machine manager 12 runs on the hardware 13 of the server system 1, and the hardware 13 of the server system 1 also runs a host operating system. The virtual machine manager 12 is configured to provide virtual hardware 121 for the virtual machine 11 by using a virtualization technique on the basis of the hardware 13 of the server system 1. The operating system of the virtual machine is used to identify the virtual hardware within the virtual machine 11 and to run on the basis of that virtual hardware.
The virtual machine 11 may virtualize virtual hardware for the secure container 111 according to the virtual hardware 121 provided by the virtual machine manager 12 for the virtual machine 11, where the virtual hardware virtualized by the virtual machine 11 for the secure container 111 is the virtual hardware in the virtual machine 11 (the virtual hardware in the virtual machine 11 is not shown in fig. 2). For example, when two security containers 111 are disposed in the virtual machine 11, the virtual machine manager 12 may provide a virtual network card for the virtual machine 11, and the virtual machine 11 may virtualize a virtual network card that can be used for each of the two security containers 111 according to the virtual network card, where the virtual network card virtualized by the virtual machine 11 is virtual hardware in the virtual machine, and the security container 111 is configured to run based on the virtual hardware in the virtual machine.
Optionally, to ensure that the virtual hardware 121 can provide the hardware capabilities required for the operation of the secure container 111, the virtual hardware 121 may include virtual devices such as a virtual disk, a virtual network card, and a virtual computing card, which provide services such as storage, networking, and computation for the secure container 111.
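As an added example (not code from the patent or from Huawei), the following Python script shows how an operator can check the virtual hardware a guest actually exposes against the profile of what the secure container uses, which is the "matched" property the description relies on for its reduced attack surface. The lspci -nn style listings are constructed sample data, and the device-class profile SECURE_CONTAINER_PROFILE is an assumption for the example: it admits the host bridge, the ISA bridge that carries the timer and serial port, and the network and storage controllers, and reports everything else as redundant emulated surface.

```python
"""Audit the PCI devices a guest exposes against the hardware profile a secure container needs.

Added example, not code from the patent. Inputs are constructed lspci -nn style listings.
"""
import re

# Constructed sample: guest view of a compatibility-oriented VM that carries legacy devices.
FULL_VM_LSPCI = """\
00:00.0 Host bridge [0600]: Intel Corporation 440FX - 82441FX PMC [Natoma] [8086:1237]
00:01.0 ISA bridge [0601]: Intel Corporation 82371SB PIIX3 ISA [Natoma/Triton II] [8086:7000]
00:01.1 IDE interface [0101]: Intel Corporation 82371SB PIIX3 IDE [Natoma/Triton II] [8086:7010]
00:01.3 Bridge [0680]: Intel Corporation 82371AB/EB/MB PIIX4 ACPI [8086:7113]
00:02.0 VGA compatible controller [0300]: Device [1234:1111]
00:03.0 Ethernet controller [0200]: Red Hat, Inc. Virtio network device [1af4:1000]
00:04.0 SCSI storage controller [0100]: Red Hat, Inc. Virtio block device [1af4:1001]
00:05.0 USB controller [0c03]: Intel Corporation 82801I (ICH9 Family) USB UHCI Controller #1 [8086:2934]
00:06.0 Audio device [0403]: Intel Corporation 82801FB/FBM/FR/FW/FRW (ICH6 Family) High Definition Audio Controller [8086:2668]
"""

# Constructed sample: guest view of a VM whose virtual hardware is matched to the secure container.
MINIMAL_VM_LSPCI = """\
00:00.0 Host bridge [0600]: Intel Corporation 440FX - 82441FX PMC [Natoma] [8086:1237]
00:01.0 ISA bridge [0601]: Intel Corporation 82371SB PIIX3 ISA [Natoma/Triton II] [8086:7000]
00:02.0 Ethernet controller [0200]: Red Hat, Inc. Virtio network device [1af4:1000]
00:03.0 SCSI storage controller [0100]: Red Hat, Inc. Virtio block device [1af4:1001]
"""

LSPCI_LINE = re.compile(
    r"^(?P<bdf>[0-9a-f]{2}:[0-9a-f]{2}\.[0-7])\s+"                       # bus:device.function
    r"(?P<kind>.+?)\s+\[(?P<cls>[0-9a-f]{4})\]:\s+"                       # class name and class code
    r"(?P<name>.+?)\s+\[(?P<vid>[0-9a-f]{4}):(?P<did>[0-9a-f]{4})\]"      # vendor:device IDs
)

# Hardware profile a secure container actually uses (assumption for this example).
SECURE_CONTAINER_PROFILE = {
    "0600": "host bridge",
    "0601": "ISA bridge (timer, serial port)",
    "0200": "network controller",
    "0100": "SCSI storage controller",
    "0180": "mass storage controller (other)",
}


def parse_lspci(text: str) -> list:
    """Turn lspci -nn lines into dicts; lines that do not match the format are skipped."""
    devices = []
    for line in text.splitlines():
        m = LSPCI_LINE.match(line.strip())
        if m:
            devices.append(m.groupdict())
    return devices


def redundant_devices(devices: list, profile: dict = SECURE_CONTAINER_PROFILE) -> list:
    """Devices the container never uses: each one is emulator code and an exposed guest interface."""
    return [d for d in devices if d["cls"] not in profile]


def audit(text: str, profile: dict = SECURE_CONTAINER_PROFILE) -> dict:
    """Summarise how many devices the guest sees and which of them fall outside the profile."""
    devices = parse_lspci(text)
    redundant = redundant_devices(devices, profile)
    return {
        "exposed": len(devices),
        "redundant": [(d["bdf"], d["kind"], f'{d["vid"]}:{d["did"]}') for d in redundant],
    }


if __name__ == "__main__":
    for label, listing in (("compatibility VM", FULL_VM_LSPCI), ("matched VM", MINIMAL_VM_LSPCI)):
        result = audit(listing)
        print(f"{label}: {result['exposed']} PCI devices exposed, {len(result['redundant'])} redundant")
        for bdf, kind, ids in result["redundant"]:
            print(f"  {bdf}  {kind:<28} {ids}")
```

Run against the first listing the audit flags the IDE, ACPI bridge, VGA, USB and audio functions as devices the container does not need; the second listing, which is the shape the patent argues for, yields no redundant devices. Extending the profile with a class code for a pass-through accelerator (a VFIO device keeps its physical class code) is how one would admit the computing card the description mentions.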
In order to ensure that the secure container 111 operates, as shown in fig. 3, the virtual hardware 121 provided by the virtual machine manager 12 to the virtual machine 11 at least includes: a virtual processor 1216 (e.g., a Central Processing Unit (CPU)), a virtual memory 1217 (e.g., a virtual Dynamic Random Access Memory (DRAM)), a virtual interrupt controller 1218 (e.g., an Advanced Programmable Interrupt Controller (APIC)), and a virtual clock 1219 (e.g., a KVM clock).
Moreover, the virtual hardware 121 further includes: one or more virtual bus host bridges, and virtual bus devices disposed at each virtual bus host bridge. The bus standard used by the virtual bus host bridge and the virtual bus device disposed in the virtual bus host bridge to transmit data may be determined according to the requirement of the security container 111.
In one implementation, as shown in FIG. 3, the virtual bus host bridge may include a virtual Peripheral Component Interconnect (PCI) host bridge 1211. When the virtual bus host bridge is the virtual PCI host bridge 1211, the virtual bus devices provided on the virtual bus host bridge are virtual PCI devices. Since the virtual PCI host bridge 1211 and the virtual PCI device both transmit data using the PCI standard, the transmission speed of the virtual PCI host bridge 1211 and the virtual PCI device can be effectively guaranteed.
The implementation manner of setting the virtual PCI device on the virtual PCI host bridge 1211 includes: a virtual PCI bus is led out from the virtual PCI host bridge 1211, and virtual PCI devices are connected to the virtual PCI bus. Furthermore, one or more virtual PCI slots may be disposed on the virtual PCI bus, and each virtual PCI slot is connected to one virtual PCI device.
The operating system of the virtual machine can read the configuration space of the virtual PCI device through the virtual PCI host bridge 1211, and enumerate and enable the virtual PCI device so that the virtual PCI device can be used by the secure container 111. Furthermore, according to the PCI specification, the configuration space of a PCI device includes a mandatory configuration space, namely the first 64 bytes with the address range 0x00 to 0x3F, and an optional configuration space with the address range 0x40 to 0xFF. In the embodiment of the present invention, since the virtual hardware 121 provided by the virtual machine 11 to the secure container 111 is matched with the secure container 111 and a lightweight configuration of the virtual machine 11 is realized, the configuration space of the virtual PCI device provided in the embodiment of the present invention is the mandatory configuration space of the first 64 bytes with the address range 0x00 to 0x3F.
Optionally, the virtual PCI devices may include virtual devices for implementing network transmission, storage, and computation. For example, as shown in fig. 3, a virtual PCI device may include a virtual input/output (virtio I/O) PCI device 1212a. The virtual PCI device may further include a PCI pass-through device of the server system; for example, the virtual PCI device as shown in fig. 3 may further include a virtual function input/output (VFIO) PCI device 1212b. When a PCI pass-through device is inserted into a virtual PCI slot, the performance of the server system can be effectively ensured, because a PCI pass-through device has low latency and high bandwidth.
Also, when one virtual bus host bridge included in the virtual hardware 121 is the virtual PCI host bridge 1211, the virtual hardware 121 may further include a virtual bus host bridge using another bus standard and a virtual bus device provided in the virtual bus host bridge using the other bus standard, so that the virtual machine 11 can provide hardware functions with different transmission rates for the secure container 111.
Optionally, as shown in fig. 4, when one virtual bus host bridge included in the virtual hardware 121 is the virtual PCI host bridge 1211, the virtual hardware 121 may further include a virtual Industry Standard Architecture (ISA) host bridge 1213 and virtual ISA devices provided on the virtual ISA host bridge 1213. That is, the virtual bus host bridge using the other bus standard may be the virtual ISA host bridge 1213, and the virtual bus devices provided on that virtual bus host bridge may be the virtual ISA devices. The virtual ISA host bridge 1213 is in parallel with the virtual PCI host bridge 1211, i.e., the virtual ISA host bridge 1213 operates independently of the virtual PCI host bridge 1211.
The implementation of providing virtual ISA devices on the virtual ISA host bridge 1213 is as follows: a virtual ISA bus is led out of the virtual ISA host bridge 1213, and the virtual ISA devices are connected to the virtual ISA bus. Furthermore, one or more virtual ISA slots may be provided on the virtual ISA bus, each virtual ISA slot being connected to one virtual ISA device. Alternatively, as shown in fig. 4, the virtual ISA devices may be a virtual programmable interval timer (PIT) 1214a and a virtual ISA serial interface (serial port) 1214b.
It should be noted that the way in which the virtual machine 11 provides hardware functions with different transmission rates for the secure container 111 is not limited to the virtual hardware 121 additionally including a virtual bus host bridge using another bus standard and virtual bus devices disposed on that host bridge; it may also be implemented in other ways.
Illustratively, the virtual PCI device may further include: an access device using a virtual bus of another bus standard for connecting with a virtual bus device using the other bus standard so that the secure container 111 can transmit data using the other bus standard. That is, the access device may serve as a virtual PCI device of the virtual PCI host bridge 1211, and the access device may be connected to a virtual bus device of a virtual bus using another bus standard, so that the secure container 111 transmits data using the other bus standard. For example, as shown in fig. 5, the virtual PCI device may further include: access device 1215 of a virtual ISA bus, the access device 1215 of the virtual ISA bus being configured to interface with a virtual ISA device. Alternatively, as shown in fig. 5, virtual ISA devices may be a virtual programmable interval timer 1214a and a virtual ISA serial interface device 1214 b.
In addition, if the demand of the secure container 111 for the virtual hardware 121 increases, the virtual PCI device may further include an access device for a virtual PCI bus, which is used to connect to the virtual PCI devices that need to be added, so as to expand the application range of the secure container 111.
In another implementation, the virtual bus host bridge may comprise a virtual Peripheral Component Interconnect Express (PCIe) host bridge. When the virtual bus host bridge is a virtual PCIe host bridge, the virtual bus devices arranged on the virtual bus host bridge are virtual PCIe devices. The virtual PCIe host bridge and the virtual PCIe devices both use the PCIe standard to transmit data. Because PCIe has the advantages of a high data transmission rate, strong interference immunity, long transmission distance, low power consumption and the like, when the virtual bus host bridge is a virtual PCIe host bridge and the virtual bus devices are virtual PCIe devices, the transmission rate of the virtual PCIe host bridge and the virtual PCIe devices can be further ensured, and the performance of the secure container 111 is improved.
The implementation of arranging virtual PCIe devices on the virtual PCIe host bridge is as follows: a virtual PCIe bus is led out of the virtual PCIe host bridge, and the virtual PCIe devices are connected to the virtual PCIe bus. Moreover, one or more virtual PCIe slots may be disposed on the virtual PCIe bus, and each virtual PCIe slot is connected to one virtual PCIe device.
The operating system of the virtual machine can read the configuration space of the virtual PCIe device through the virtual PCIe host bridge, and enumerate and enable the virtual PCIe device, so that the secure container 111 can use the virtual PCIe device. In addition, the configuration space of the virtual PCIe device is based on the configuration space of the virtual PCI device, with a memory mapped input/output (MMIO) function added to improve the read and write performance of the operating system of the virtual machine on the virtual PCIe device. The MMIO function maps the configuration space of the virtual PCIe device into the memory address space, and the operating system of the virtual machine can then access a virtual PCIe device whose configuration space has been mapped by accessing the corresponding memory address space.
Optionally, the virtual PCIe device may include a virtual device for implementing network transport, storage, and computation. For example, a virtual PCIe device may include: virtual input/output PCIe devices. And, the virtual PCIe device may further include: PCIe pass-through devices of the server system. For example, the virtual PCIe device may further include: virtual function input/output PCIe devices. When the virtual PCIe slot is inserted into the PCIe through device, the performance of the server system can be effectively ensured because the PCIe through device has the characteristics of low delay and high bandwidth.
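The enumeration and enabling sequence described above is what the guest kernel performs against any virtual PCI or PCIe host bridge: probe each bus/device/function for a vendor ID, size every base address register (BAR) by writing all ones and reading back the hard-wired zero bits, assign an aligned guest-physical MMIO range, and only then set the memory-space-enable bit in the command register. The following Python simulation is an added example and is not code from this patent or from any virtual machine manager; the host bridge, the two functions on it, their BAR sizes and the 0xC0000000 MMIO window are all constructed for the simulation (0x1AF4/0x1000 are the real virtio vendor and transitional virtio-net device IDs; the second function's IDs are placeholders).

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Type-0 configuration header offsets (PCI Local Bus Specification).
OFF_VENDOR_DEVICE, OFF_COMMAND, OFF_BAR0, BAR_COUNT = 0x00, 0x04, 0x10, 6
CMD_MEM_ENABLE, CMD_BUS_MASTER = 0x0002, 0x0004
NO_DEVICE = 0xFFFF_FFFF          # an empty slot answers a config read with all ones
MMIO_WINDOW_BASE = 0xC000_0000   # constructed guest-physical window for BAR assignment


@dataclass
class SimDevice:
    """One simulated type-0 function with 32-bit non-prefetchable memory BARs."""
    vendor_id: int
    device_id: int
    bar_sizes: List[int]         # bytes per BAR; 0 = not implemented, else a power of two
    command: int = 0
    bar_regs: List[int] = field(default_factory=lambda: [0] * BAR_COUNT)

    def read32(self, off: int) -> int:
        if off == OFF_VENDOR_DEVICE:
            return (self.device_id << 16) | self.vendor_id
        if off == OFF_COMMAND:
            return self.command
        if OFF_BAR0 <= off < OFF_BAR0 + 4 * BAR_COUNT:
            i = (off - OFF_BAR0) // 4
            size = self.bar_sizes[i] if i < len(self.bar_sizes) else 0
            if size == 0:
                return 0         # unimplemented BARs read back as zero
            # Address bits below the BAR size are hard-wired to zero; the low four
            # bits are type bits (0 here: 32-bit, non-prefetchable memory space).
            return self.bar_regs[i] & ~(size - 1) & 0xFFFF_FFF0
        return 0

    def write32(self, off: int, value: int) -> None:
        if off == OFF_COMMAND:
            self.command = value & 0xFFFF
        elif OFF_BAR0 <= off < OFF_BAR0 + 4 * BAR_COUNT:
            self.bar_regs[(off - OFF_BAR0) // 4] = value & 0xFFFF_FFFF


class SimHostBridge:
    """Virtual host bridge: routes configuration cycles to the functions on its bus."""

    def __init__(self) -> None:
        self.functions: Dict[Tuple[int, int, int], SimDevice] = {}

    def plug(self, bus: int, dev: int, fn: int, device: SimDevice) -> None:
        self.functions[(bus, dev, fn)] = device

    def cfg_read32(self, bus: int, dev: int, fn: int, off: int) -> int:
        target = self.functions.get((bus, dev, fn))
        return NO_DEVICE if target is None else target.read32(off)

    def cfg_write32(self, bus: int, dev: int, fn: int, off: int, value: int) -> None:
        target = self.functions.get((bus, dev, fn))
        if target is not None:
            target.write32(off, value)


def bar_size_from_probe(probe: int) -> int:
    """Decode an all-ones probe: size is the two's complement of the writable address bits."""
    return (~(probe & 0xFFFF_FFF0) + 1) & 0xFFFF_FFFF


def enumerate_bus(bridge: SimHostBridge, bus: int = 0) -> List[dict]:
    """Probe every slot like a guest kernel, size and assign each BAR, then enable decoding."""
    next_free, found = MMIO_WINDOW_BASE, []
    for dev in range(32):
        for fn in range(8):
            ids = bridge.cfg_read32(bus, dev, fn, OFF_VENDOR_DEVICE)
            if ids == NO_DEVICE:
                if fn == 0:
                    break        # no function 0 means the slot is empty
                continue
            bars: Dict[int, Tuple[int, int]] = {}
            for i in range(BAR_COUNT):
                off = OFF_BAR0 + 4 * i
                bridge.cfg_write32(bus, dev, fn, off, 0xFFFF_FFFF)
                probe = bridge.cfg_read32(bus, dev, fn, off)
                if probe == 0:
                    continue     # BAR not implemented
                size = bar_size_from_probe(probe)
                base = (next_free + size - 1) & ~(size - 1)   # natural alignment
                bridge.cfg_write32(bus, dev, fn, off, base)
                bars[i] = (base, size)
                next_free = base + size
            # Enable memory decoding only after every BAR holds a valid address.
            bridge.cfg_write32(bus, dev, fn, OFF_COMMAND, CMD_MEM_ENABLE | CMD_BUS_MASTER)
            found.append({"bdf": (bus, dev, fn), "vendor": ids & 0xFFFF,
                          "device": ids >> 16, "bars": bars})
    return found


def build_constructed_bus() -> SimHostBridge:
    """Constructed topology: a virtio-net function and a placeholder pass-through function."""
    bridge = SimHostBridge()
    # 0x1AF4 is the virtio vendor ID and 0x1000 the transitional virtio-net device ID.
    bridge.plug(0, 1, 0, SimDevice(0x1AF4, 0x1000, [0x4000]))
    # Pass-through placeholder with a 1 MiB and a 16 KiB MMIO BAR; its IDs are made up.
    bridge.plug(0, 2, 0, SimDevice(0xABCD, 0x0001, [0x100000, 0x4000]))
    return bridge
```

Calling `enumerate_bus(build_constructed_bus())` yields the two functions with their assigned MMIO ranges. The order matters for a virtual machine manager as much as for real hardware: the command register's memory-space-enable bit stays clear until every BAR holds a valid address, because a device that decodes a stale BAR while the guest is still probing is exactly the kind of emulated-device behaviour a hostile guest would try to trigger.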
Moreover, when one virtual bus host bridge included in the virtual hardware 121 is a virtual PCIe host bridge, the virtual hardware 121 may further include a virtual bus host bridge of another bus standard and virtual bus devices provided on that host bridge, so that the virtual machine 11 can offer the secure container 111 hardware functions with different transmission rates.
Optionally, when one virtual bus host bridge included in the virtual hardware 121 is a virtual PCIe host bridge, the virtual hardware 121 may further include a virtual ISA host bridge 1213 and virtual ISA devices provided on the virtual ISA host bridge 1213. That is, the virtual bus host bridge of the other bus standard may be the virtual ISA host bridge, and the virtual bus devices provided on it may be the virtual ISA devices. The virtual ISA host bridge 1213 is arranged in parallel with the virtual PCIe host bridge, i.e., it operates independently of the virtual PCIe host bridge.
The virtual ISA devices are arranged on the virtual ISA host bridge 1213 as follows: a virtual ISA bus is led out of the virtual ISA host bridge 1213, and the virtual ISA devices are connected to that virtual ISA bus. One or more virtual ISA slots may be provided on the virtual ISA bus, each connected to one virtual ISA device. Optionally, the virtual ISA devices may be a virtual programmable interval timer and a virtual ISA serial interface device.
It should be noted that giving the secure container 111 hardware functions with different transmission rates is not limited to adding, to the virtual hardware 121, a virtual bus host bridge of another bus standard with virtual bus devices on it; other implementations are possible.
Illustratively, the virtual PCIe device may further include an access device for a virtual bus of another bus standard, which connects to a virtual bus device of that other standard so that the secure container 111 can transmit data using the other bus standard. For example, the virtual PCIe device may further include an access device 1215 of a virtual ISA bus, configured to interface with the virtual ISA devices.
In addition, if the secure container 111 later needs more virtual hardware 121, the virtual PCIe device may further include an access device of a virtual PCIe bus, used to connect the virtual PCIe devices to be added and so extend the range of applications of the secure container 111.
In the embodiment of the present application, the secure container 111 is applied in the following scenario: the operating system of the virtual machine is a LINUX operating system. Accordingly, the virtual hardware 121 provided by the virtual machine 11 is exactly the virtual hardware 121 that the secure container 111 requires in order to run on a LINUX operating system.
For example, when the virtual bus host bridge is the virtual PCI host bridge 1211, the virtual hardware 121 provided by the virtual machine 11 may include: a virtual central processing unit, a virtual dynamic random access memory, a virtual advanced programmable interrupt controller, a virtual KVM clock, a virtio I/O PCI device, a VFIO PCI device, and a virtual programmable interval timer.
For another example, when the virtual bus host bridges are a virtual PCI host bridge and a virtual ISA host bridge, the virtual hardware provided by the virtual machine may include: a virtual central processing unit, a virtual dynamic random access memory, a virtual advanced programmable interrupt controller, a virtual KVM clock, a virtio I/O PCI device and a VFIO PCI device arranged on the virtual PCI host bridge, and a virtual programmable interval timer arranged on the virtual ISA host bridge. Further, the virtual hardware provided by the virtual machine may also include a virtual ISA serial interface device arranged on the virtual ISA host bridge.
In the related art, by contrast, a virtual machine container scheme generally includes a large amount of virtual hardware. Taking a KVM and QEMU based virtual machine container scheme as an example, it includes: a virtual Advanced Configuration and Power Interface (ACPI), a virtual Universal Serial Bus (USB) controller, a virtual power module (PM), a virtual Integrated Drive Electronics (IDE) controller, a virtual disk connected via IDE, a virtual optical disk (CD) connected via IDE, a virtual Programmable Interrupt Controller (PIC), a virtual ISA floppy disk controller (FDC), and a virtual mouse.
Therefore, in the server system provided in the embodiment of the present application, the virtual hardware in the virtual machine is matched to the secure container and does not include redundant devices such as a virtual ACPI, a virtual USB controller, a virtual power module, a virtual IDE controller, a virtual disk connected via IDE, a virtual optical disk connected via IDE, a virtual programmable interrupt controller, a virtual ISA floppy disk controller, and a virtual mouse. Compared with the related art, this achieves a lightweight virtual machine configuration and reduces the complexity of the virtual machine manager's emulation of virtual hardware. In addition, the total number of virtual hardware units in the virtual machine is reduced, so the number of interfaces the virtual hardware exposes is reduced; since every emulated device is virtual machine manager code that the guest can reach through that device's registers, removing a device model removes those code paths, shrinks the attack surface against the secure container and improves the security of the virtual hardware. The resource overhead of emulating virtual hardware, such as host memory, is reduced as well.
The following describes an implementation process of the container setting method provided in the embodiment of the present application. The container setting method can be executed by the server system provided by the embodiment of the application. In one implementation, the container setting method may be performed by a virtual machine manager in the server system. As shown in fig. 6, the implementation process of the container setting method may include the following steps:
step 601, obtaining a secure container creation request.
When a tenant needs a secure container to implement a service, the tenant operates a terminal; the operation triggers a secure container creation request that requests creation of the secure container. The terminal sends the request to a cloud management platform, which forwards it to the server system.
Optionally, the secure container creation request may carry the configuration requirement of the secure container, which indicates the specification of the secure container requested. Because the secure container runs on the virtual hardware provided by the virtual machine, the configuration requirement may indicate the specification of the virtual hardware the secure container needs. For example, the virtual hardware specification indicated by the configuration requirement may include specification parameters such as: the total number of virtual processors, the topology of the virtual processors, the type of the virtual processors, the amount of virtual memory, the usage policy of the virtual memory, the configuration of the virtual memory slots, the total number of virtual bus devices, the specification of the virtual bus devices, the storage path of the image file of the virtual machine's operating system, the storage path of the image file of the application program with which the secure container implements the service, and the configuration information of the initialization parameters of the virtual machine's operating system.
The topology of the virtual processors indicates one or more of: the total number of virtual processors the secure container needs, the total number of virtual cores per virtual processor, and the total number of hyper-threads per virtual processor. The type of the virtual processor indicates its word size, model and the like; the word size is the number of binary bits the virtual processor can process in parallel at one time. The usage policy of the virtual memory indicates how the virtual processors used by the secure container use the virtual memory; for example, it may instruct the virtual CPUs used by the secure container to access the virtual memory in a non-uniform memory access (NUMA) manner. The specification of a virtual bus device indicates its configuration. For example, when the virtual bus device is a virtual network card, its specification indicates the description of the network card's queues, its Media Access Control (MAC) address and similar information; when the virtual bus device is a virtual disk, its specification indicates the capacity of the disk and similar information. The image file of the virtual machine's operating system records the information needed for the operating system to interact with the virtual hardware. The image file of the application program with which the secure container implements the service records the information needed for that application, which runs on the virtual machine's operating system, to interact with the operating system.
For example, when the operating system of the virtual machine is the LINUX system, the image file of the operating system of the virtual machine may be a kernel image file, and the image file of the application program used by the secure container to implement the service may be an initrd image file.
Also, since the creation of the secure container and the provision of virtual hardware to it are performed by the virtual machine manager, receipt of the secure container creation request by the server system in practice means that the request is passed to the virtual machine manager. Optionally, how the request is passed to the virtual machine manager may be determined according to application requirements; for example, the configuration requirement of the secure container may be passed to the virtual machine manager via a command line, a configuration file, or a communication channel.
Step 602, creating a virtual machine according to the security container creation request, and providing virtual hardware for the virtual machine, wherein the virtual hardware is matched with the security container.
After obtaining the security container creation request, the virtual machine manager may create a virtual machine according to the security container creation request, and provide virtual hardware for the virtual machine, so as to create a security container in the virtual machine, and enable the security container to use the virtual hardware in the virtual machine. Optionally, the implementation process of the virtual machine manager creating a virtual machine according to the security container creation request and providing virtual hardware for the virtual machine may include the following steps:
step 6021, creating a virtual processor and a virtual memory according to the configuration requirement of the security container carried by the security container creation request.
The virtual machine manager creates the virtual processors and the virtual memory according to the specification parameters related to them that the configuration requirement indicates, such as the total number of virtual processors, their topology, their type, the amount of virtual memory, the memory usage policy and the configuration of the virtual memory slots.
And 6022, creating and initializing the virtual bus host bridge according to the configuration requirement of the security container carried by the security container creation request.
The virtual machine manager creates a virtual bus host bridge according to the specification parameters related to the virtual bus devices indicated by the configuration requirement, and initializes it. For example, when the configuration requirement indicates that the virtual bus devices include virtual PCI devices, the virtual machine must provide a virtual PCI host bridge to the secure container, and the virtual machine manager creates a virtual PCI host bridge. Alternatively, when the configuration requirement indicates that the virtual bus devices include virtual PCIe devices, the virtual machine must provide a virtual PCIe host bridge, and the virtual machine manager creates a virtual PCIe host bridge.
When the configuration requirement indicates that the virtual bus devices further include a virtual bus device of another bus standard, the virtual machine must also provide the secure container with the hardware capability of a bus of that standard. Optionally, this may be implemented in at least the following two ways:
In a first implementation, the virtual bus devices further include an access device for connecting to the virtual bus device of the other bus standard. For example, when the configuration requirement indicates that the virtual bus devices also include virtual ISA devices, the virtual machine must also provide the secure container with the hardware capability of an ISA bus, and the virtual machine manager creates an access device of a virtual ISA bus that connects to the virtual ISA devices so that the secure container can transmit data using the ISA bus standard.
In a second implementation, the virtual hardware further includes a virtual bus host bridge of the other bus standard. For example, when the configuration requirement indicates that the virtual bus devices also include virtual ISA devices, the virtual machine manager may also create a virtual ISA host bridge. To avoid mutual interference between the virtual ISA host bridge and the other virtual bus host bridges created by the virtual machine manager, the virtual ISA host bridge is arranged in parallel with them.
For implementation of the virtual bus host bridge created by the virtual machine manager, please refer to the corresponding description in the foregoing server system embodiment, which is not described herein again.
In addition, a Standard Hot Plug Controller (SHPC) interface may be configured on the virtual bus host bridge to support hot plug of virtual bus devices on the virtual bus corresponding to the virtual bus host bridge.
Step 6023, creating and initializing virtual system hardware.
The virtual system hardware is the virtual hardware that every secure container needs in order to run, namely the devices integrated in the virtual machine by default. The virtual machine manager creates and initializes this virtual system hardware, emulating the registers and interfaces of each unit according to its specification, for use by the secure container. Optionally, the virtual system hardware may include a virtual interrupt controller, a virtual clock and a virtual interval timer; for example, the virtual interrupt controller may be a virtual advanced programmable interrupt controller, the virtual clock a KVM clock, and the virtual interval timer a virtual programmable interval timer.
And 6024, creating and initializing the virtual bus device according to the configuration requirement of the security container carried by the security container creation request, and connecting the virtual bus device with the virtual bus host bridge.
The virtual machine manager creates and initializes the virtual bus devices according to the specification parameters related to them indicated by the configuration requirement, and then connects them to the virtual bus host bridge so that the host bridge can read them. The virtual bus devices may further include a virtual bus pass-through device of the server system. For example, when the virtual bus host bridge is a virtual PCI host bridge, the virtual PCI devices may include a virtio I/O PCI device and a VFIO PCI device, the VFIO PCI device being a PCI pass-through device. When the virtual bus host bridge is a virtual PCIe host bridge, the virtual PCIe devices may include a virtio I/O PCIe device and a VFIO PCIe device, the VFIO PCIe device being a PCIe pass-through device. When the virtual machine provides the secure container with the virtual hardware capability of the ISA bus standard, the virtual ISA devices may be a virtual programmable interval timer and an ISA serial interface device. When the virtual bus devices include a pass-through device, the performance of the server system is effectively guaranteed, because a pass-through device has low latency and high bandwidth.
When the secure container's demand for virtual hardware grows, the virtual bus devices may further include an access device of the virtual bus, used to connect the virtual bus devices to be added and so extend the range of applications of the secure container. For example, the virtual PCI device may further include an access device of a virtual PCI bus for connecting the virtual PCI devices to be added.
Step 603, creating a secure container within the virtual machine, wherein the secure container uses virtual hardware within the virtual machine.
After the virtual machine manager finishes creating the virtual machine, a secure container is created within it, using the virtual hardware of the virtual machine. Optionally, step 603 proceeds as follows. The virtual machine reads the image file of its operating system according to the configuration requirement carried by the secure container creation request and loads it into the address space of the virtual memory; if the virtual machine manager also holds the image file of the application program with which the secure container implements the service, that image file is loaded into the virtual memory address space as well. During loading, the virtual machine obtains the entry point of the main function of the loaded image and writes the image's start parameters into the virtual memory address space. The virtual machine also sets up the initial context for starting its operating system and then passes the configuration information of the virtual processors and virtual memory to the kernel of the virtual machine's operating system, so that the kernel configures the operating system according to it. The virtual processors are then run, and they execute the main function of the image according to its start parameters, thereby initializing the operating system of the virtual machine.
If the image file to be loaded is compressed, it is decompressed before loading; otherwise it is loaded directly. Optionally, the configuration information of the virtual processors and virtual memory may be written into data structures such as the MPTable and the Xen PVH start parameters in order to pass it to the kernel of the virtual machine's operating system. The operating system of the virtual machine may be a LINUX operating system.
Once the operating system of the virtual machine is initialized, creation of the secure container is complete and it may be put into service. While the secure container runs, the virtual machine monitors events such as PIO events, MMIO events and abnormal exit events of its operating system, and handles them to deliver the tenant's service.
In summary, in the container setting method provided in this embodiment of the present application, the virtual hardware set up in the virtual machine matches the secure container set up in it and does not include redundant devices such as an ACPI, a USB controller, a power module, an IDE controller, a disk connected via IDE, an optical disk connected via IDE, a programmable interrupt controller, an ISA floppy disk controller, and a mouse. Compared with the related art, this achieves a lightweight virtual machine configuration and reduces the complexity of the virtual machine manager's emulation of virtual hardware. In addition, the total number of virtual hardware units in the virtual machine is reduced, the number of interfaces the virtual hardware exposes is reduced, the attack surface against the secure container is reduced, the security of the virtual hardware is improved, and the resource overhead of emulating virtual hardware, such as host memory, is reduced.
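Steps 601 to 603 above amount to a launcher that turns the configuration requirement into exactly the virtual hardware the secure container needs and nothing else. The Python below is an added example of such a launcher and is not the patent's or any vendor's code: it takes a constructed creation request (the dictionary schema, file paths, MAC address and host BDF are placeholders), enforces an allowlist of virtual bus devices, applies the vCPU topology, memory-slot and NUMA policy, and emits a QEMU command line. The QEMU flags used (`-nodefaults`, `-no-user-config`, `-smp`, `-m`, `-object memory-backend-ram`, `-numa`, `-netdev`, `-drive`, `-device`, `-chardev`) are real; the `microvm` machine string and its `pcie`/`pit`/`pic`/`rtc`/`isa-serial` properties are an assumption taken from QEMU's documented microvm options and should be checked against the installed version.

```python
"""Translate a secure-container creation request into a minimal VMM command line."""
from typing import Dict, List

# Assumed machine string: the named properties are those documented for QEMU's
# microvm machine type; verify them against the installed QEMU version.
DEFAULT_MACHINE = "microvm,accel=kvm,pcie=on,pit=on,pic=off,rtc=off,isa-serial=on"

# The only virtual bus devices the container may receive, mapped to the QEMU
# device model that implements each; any other requested type is rejected.
ALLOWED_DEVICES: Dict[str, str] = {
    "virtio-net": "virtio-net-pci",
    "virtio-blk": "virtio-blk-pci",
    "vfio-passthrough": "vfio-pci",
    "isa-serial": "isa-serial",
}


class ConfigError(ValueError):
    """The request asks for something outside the container's matched hardware set."""


def _cpu_args(cpu: Dict) -> List[str]:
    if cpu["sockets"] * cpu["cores"] * cpu["threads"] != cpu["count"]:
        raise ConfigError(f"topology does not multiply to {cpu['count']} vCPUs")
    return ["-cpu", "host", "-smp", f"cpus={cpu['count']},sockets={cpu['sockets']},"
            f"cores={cpu['cores']},threads={cpu['threads']}"]


def _memory_args(req: Dict) -> List[str]:
    size = req["memory_mb"]
    args = ["-m", f"{size}M"]
    if req.get("memory_slots"):   # hot-pluggable memory slots, if the request sets them
        args = ["-m", f"size={size}M,slots={req['memory_slots']},maxmem={req['max_memory_mb']}M"]
    nodes = req.get("numa_nodes", 1)
    if nodes > 1:                 # NUMA usage policy: split memory and vCPUs evenly
        per_node, cpus_per_node = size // nodes, req["vcpu"]["count"] // nodes
        for n in range(nodes):
            first, last = n * cpus_per_node, (n + 1) * cpus_per_node - 1
            args += ["-object", f"memory-backend-ram,id=mem{n},size={per_node}M",
                     "-numa", f"node,nodeid={n},memdev=mem{n},cpus={first}-{last}"]
    return args


def _device_args(dev: Dict, index: int) -> List[str]:
    model = ALLOWED_DEVICES.get(dev["type"])
    if model is None:
        raise ConfigError(f"device type {dev['type']!r} is not part of the virtual hardware")
    if dev["type"] == "virtio-net":
        queues = dev.get("queues", 1)   # queue description from the network card's spec
        return ["-netdev", f"tap,id=net{index},ifname={dev['ifname']},script=no,"
                f"downscript=no,queues={queues}",
                "-device", f"{model},netdev=net{index},mac={dev['mac']},mq=on,"
                f"vectors={2 * queues + 2}"]
    if dev["type"] == "virtio-blk":
        return ["-drive", f"file={dev['path']},if=none,id=drive{index},format=raw,cache=none",
                "-device", f"{model},drive=drive{index}"]
    if dev["type"] == "vfio-passthrough":
        return ["-device", f"{model},host={dev['host_bdf']}"]
    return ["-chardev", f"stdio,id=char{index}", "-device", f"{model},chardev=char{index}"]


def build_vmm_argv(req: Dict) -> List[str]:
    """-nodefaults and -no-user-config drop every device the request did not ask for."""
    argv = ["qemu-system-x86_64", "-nodefaults", "-no-user-config", "-display", "none",
            "-machine", req.get("machine", DEFAULT_MACHINE)]
    argv += _cpu_args(req["vcpu"]) + _memory_args(req)
    argv += ["-kernel", req["kernel_image"], "-initrd", req["initrd_image"],
             "-append", req.get("kernel_cmdline", "console=ttyS0 reboot=k panic=1")]
    for index, dev in enumerate(req["devices"]):
        argv += _device_args(dev, index)
    return argv


def device_models(argv: List[str]) -> List[str]:
    """Device models the guest will see: each one is VMM code reachable from the container."""
    return [argv[i + 1].split(",")[0] for i, arg in enumerate(argv[:-1]) if arg == "-device"]


def request_is_allowed(req: Dict) -> bool:
    """Admission check: True only if every requirement maps onto the matched hardware set."""
    try:
        build_vmm_argv(req)
        return True
    except (ConfigError, KeyError):
        return False


# Constructed request; every path, MAC address and host BDF is a placeholder.
EXAMPLE_REQUEST: Dict = {
    "vcpu": {"count": 4, "sockets": 1, "cores": 2, "threads": 2},
    "memory_mb": 2048, "numa_nodes": 2,
    "kernel_image": "/var/lib/secure-container/vmlinux",
    "initrd_image": "/var/lib/secure-container/initrd.img",
    "devices": [
        {"type": "virtio-net", "ifname": "tap0", "mac": "52:54:00:12:34:56", "queues": 2},
        {"type": "virtio-blk", "path": "/var/lib/secure-container/rootfs.raw"},
        {"type": "vfio-passthrough", "host_bdf": "0000:03:00.0"},
        {"type": "isa-serial"},
    ],
}
```

`" ".join(build_vmm_argv(EXAMPLE_REQUEST))` prints the launch line; `device_models(...)` lists the four device models the guest can reach, which is the number the text calls the exposed interfaces. A request for a USB controller, an IDE disk, a floppy controller or a mouse fails `request_is_allowed` before any virtual machine is created, which is where the attack-surface reduction has to be enforced, rather than by hoping the guest never touches a device it was given.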
It can be clearly understood by those skilled in the art that, for convenience and brevity of description, the implementation manner and the specific working process of the components in the server system related to the container setting method described above may refer to the corresponding contents in the foregoing server system embodiment, and are not described herein again.
It should be noted that, the order of steps of the container setting method provided in the embodiment of the present application may be appropriately adjusted, and the steps may also be correspondingly increased or decreased according to the situation. Any method that can be easily conceived by a person skilled in the art within the technical scope disclosed in the present application is covered by the protection scope of the present application, and thus the detailed description thereof is omitted.
The embodiment of the application also provides a container setting device. As shown in fig. 7, the container setting device 70 includes:
an obtaining module 701, configured to obtain a security container creation request.
And the processing module 702 is configured to create a virtual machine according to the security container creation request, and provide virtual hardware for the virtual machine, where the virtual hardware is matched with the security container.
A processing module 702 is configured to create a secure container within a virtual machine, wherein the secure container uses virtual hardware within the virtual machine.
Optionally, the virtual hardware comprises: the virtual PCIe host bridge comprises a virtual PCIe host bridge and a virtual PCIe device arranged on the virtual PCIe host bridge.
Optionally, the virtual PCIe device includes: a PCIe pass-through device.
Optionally, the virtual PCIe device further includes an access device of a virtual ISA bus for connecting to a virtual ISA device.
Optionally, the virtual hardware further comprises a virtual ISA host bridge and a virtual ISA device arranged on it, the virtual ISA host bridge being parallel to the virtual PCIe host bridge.
Optionally, the virtual hardware comprises a virtual PCI host bridge and a virtual PCI device arranged on the virtual PCI host bridge.
Optionally, the virtual PCI device includes a PCI pass-through device.
Optionally, the virtual PCI device further includes an access device of a virtual ISA bus for connecting to a virtual ISA device.
Optionally, the virtual hardware further comprises a virtual ISA host bridge and a virtual ISA device arranged on it, the virtual ISA host bridge being parallel to the virtual PCI host bridge.
Optionally, the operating system of the virtual machine is a LINUX operating system.
In summary, in the container setting apparatus provided in the embodiment of the present application, the virtual hardware set up in the virtual machine matches the secure container set up in it and does not include redundant devices such as an ACPI, a USB controller, a power module, an IDE controller, a disk connected via IDE, an optical disk connected via IDE, a programmable interrupt controller, an ISA floppy disk controller, and a mouse. Compared with the related art, this achieves a lightweight virtual machine configuration and reduces the complexity of the virtual machine manager's emulation of virtual hardware. In addition, the total number of virtual hardware units in the virtual machine is reduced, the number of interfaces the virtual hardware exposes is reduced, the attack surface against the secure container is reduced, the security of the virtual hardware is improved, and the resource overhead of emulating virtual hardware, such as host memory, is reduced.
It can be clearly understood by those skilled in the art that, for convenience and brevity of description, the specific working processes of the apparatuses and modules described above may refer to the corresponding contents in the foregoing embodiments, and are not described again here.
The embodiment of the application provides computer equipment. Fig. 8 schematically provides a possible architecture diagram of a computer device. As shown in fig. 8, the computer device 80 may include a processor 801, a memory 802, a communication interface 803, and a bus 804. In a computer device, the number of the processors 801 may be one or more, and fig. 8 illustrates only one of the processors 801. Alternatively, the processor 801 may be a Central Processing Unit (CPU). If the computer device has multiple processors 801, the multiple processors 801 may be of different types or may be the same type. Optionally, multiple processors of the computer device may also be integrated into a multi-core processor.
The memory 802 stores computer instructions and data, including the computer instructions and data needed to implement the container setting method provided herein. The memory 802 may be any one or any combination of the following storage media: non-volatile memory (e.g., read-only memory (ROM), solid state disk (SSD), hard disk drive (HDD), optical disc, etc.) and volatile memory.
The communication interface 803 may be any one or any combination of the following devices: network interface (such as Ethernet interface), wireless network card, etc. Communication interface 803 is used for data communication by computer devices with other nodes or other computer devices.
Fig. 8 also illustratively depicts bus 804. The bus 804 may connect the processor 801 with the memory 802 and the communication interface 803. Thus, the processor 801 may access the memory 802 via the bus 804 and may also interact with other nodes or other computer devices using the communication interface 803.
In the present application, the computer device executes the computer instructions in the memory 802 so as to implement the container setting method provided by the embodiments of the present application. For example: a secure container creation request is obtained; a virtual machine is created according to the secure container creation request, and virtual hardware is provided for the virtual machine, wherein the virtual hardware is matched with the secure container; and the secure container is created within the virtual machine, wherein the secure container uses the virtual hardware within the virtual machine. For the steps the computer device performs when executing the computer instructions in the memory 802, reference may be made to the corresponding description in the method embodiments above.
The embodiments of the present application also provide a storage medium, which is a non-volatile computer-readable storage medium; when the instructions stored on the medium are executed by a processor, they implement the container setting method provided in the embodiments of the present application.
The embodiments of the present application further provide a computer program product containing instructions which, when run on a computer, cause the computer to execute the container setting method provided in the embodiments of the present application.
It will be understood by those skilled in the art that all or part of the steps for implementing the above embodiments may be implemented by hardware, or may be implemented by a program instructing relevant hardware, where the program may be stored in a computer-readable storage medium, and the above-mentioned storage medium may be a read-only memory, a magnetic disk or an optical disk, etc.
In the embodiments of the present application, the terms "first", "second", and "third" are used for descriptive purposes only and are not to be construed as indicating or implying relative importance. The term "at least one" means one or more, and the term "plurality" means two or more, unless expressly defined otherwise.
The term "and/or" in this application is only one kind of association relationship describing the associated object, and means that there may be three kinds of relationships, for example, a and/or B, which may mean: a exists alone, A and B exist simultaneously, and B exists alone. In addition, the character "/" herein generally indicates that the former and latter related objects are in an "or" relationship.
The above description is only exemplary of the present application and is not intended to limit the present application, and any modifications, equivalents, improvements, etc. made within the spirit and principles of the present application are intended to be included within the scope of the present application.

Claims (22)

1. A server system, comprising: a virtual machine, a virtual machine manager, and a secure container disposed within the virtual machine, wherein,
the virtual machine manager is configured to provide virtual hardware for the virtual machine, wherein the virtual hardware is matched with the secure container;
the secure container is configured to use virtual hardware within the virtual machine.
2. The system of claim 1, wherein the virtual hardware comprises: a virtual Peripheral Component Interconnect Express (PCIe) host bridge and a virtual PCIe device arranged on the virtual PCIe host bridge.
3. The system of claim 2, wherein the virtual PCIe device comprises: a PCIe pass-through device of the server system.
4. The system of claim 3, wherein the virtual PCIe device further comprises: an access device for a virtual Industry Standard Architecture (ISA) bus, configured to connect to a virtual ISA device.
5. The system of claim 2 or 3, wherein the virtual hardware further comprises: a virtual ISA host bridge parallel to the virtual PCIe host bridge.
6. The system of claim 1, wherein the virtual hardware comprises: a virtual Peripheral Component Interconnect (PCI) host bridge and a virtual PCI device arranged on the virtual PCI host bridge.
7. The system of claim 6, wherein the virtual PCI device comprises: PCI express devices of the server system.
8. The system of claim 7, wherein the virtual PCI device further comprises: an access device for a virtual ISA bus, configured to connect to a virtual ISA device.
9. The system of claim 6 or 7, wherein the virtual hardware further comprises: a virtual ISA host bridge and a virtual ISA device arranged on the virtual ISA host bridge, wherein the virtual ISA host bridge is parallel to the virtual PCI host bridge.
10. The system according to any one of claims 1 to 9, wherein the operating system of the virtual machine is a LINUX operating system.
11. A method of providing a container, comprising:
acquiring a security container creation request;
creating a virtual machine according to the secure container creation request, and providing virtual hardware for the virtual machine, wherein the virtual hardware is matched with the secure container;
creating the secure container within the virtual machine, wherein the secure container uses virtual hardware within the virtual machine.
12. The method of claim 11, wherein the virtual hardware comprises: a virtual PCIe host bridge and a virtual PCIe device arranged on the virtual PCIe host bridge.
13. The method of claim 12, wherein the virtual PCIe device comprises: a PCIe pass-through device.
14. The method of claim 13, wherein the virtual PCIe device further comprises: an access device for a virtual ISA bus, configured to connect to a virtual ISA device.
15. The method of claim 12 or 13, wherein the virtual hardware further comprises: a virtual ISA host bridge parallel to the virtual PCIe host bridge.
16. A container arrangement, comprising:
an acquisition module, configured to acquire a secure container creation request;
a processing module, configured to create a virtual machine according to the secure container creation request and to provide virtual hardware for the virtual machine, wherein the virtual hardware is matched with the secure container;
the processing module is configured to create the secure container within the virtual machine, where the secure container uses virtual hardware within the virtual machine.
17. The apparatus of claim 16, wherein the virtual hardware comprises: a virtual PCIe host bridge and a virtual PCIe device arranged on the virtual PCIe host bridge.
18. The apparatus of claim 17, wherein the virtual PCIe device comprises: a PCIe pass-through device.
19. The apparatus of claim 18, wherein the virtual PCIe device further comprises: an access device for a virtual ISA bus, configured to connect to a virtual ISA device.
20. The apparatus of claim 17 or 18, wherein the virtual hardware further comprises: a virtual ISA host bridge parallel to the virtual PCIe host bridge.
21. A computer device, comprising: a processor and a memory, the memory having a computer program stored therein; when the processor executes the computer program, the computer device implements the method of any one of claims 11 to 15.
22. A storage medium, wherein instructions of the storage medium, when executed by a processor, implement the method of any one of claims 11 to 15.
CN202011063093.4A 2020-09-30 2020-09-30 Server system, container setting method and device Pending CN114327741A (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN202011063093.4A CN114327741A (en) 2020-09-30 2020-09-30 Server system, container setting method and device
PCT/CN2021/120826 WO2022068753A1 (en) 2020-09-30 2021-09-27 Server system, and container setting method and apparatus

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202011063093.4A CN114327741A (en) 2020-09-30 2020-09-30 Server system, container setting method and device

Publications (1)

Publication Number Publication Date
CN114327741A true CN114327741A (en) 2022-04-12

Family

ID=80949686

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202011063093.4A Pending CN114327741A (en) 2020-09-30 2020-09-30 Server system, container setting method and device

Country Status (2)

Country Link
CN (1) CN114327741A (en)
WO (1) WO2022068753A1 (en)

Also Published As

Publication number Publication date
WO2022068753A1 (en) 2022-04-07

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination