CN114640646B - System, device and method for binding container public network IP based on ARP proxy - Google Patents


Info

Publication number
CN114640646B
Authority
CN
China
Prior art keywords
pod
elastic
network
module
ovn
Prior art date
Legal status
Active
Application number
CN202011379894.1A
Other languages
Chinese (zh)
Other versions
CN114640646A (en)
Inventor
周正荣
黄润怀
杨海堂
李旭
Current Assignee
Tianyi Cloud Technology Co Ltd
Original Assignee
Tianyi Cloud Technology Co Ltd
Priority date
Filing date
Publication date
Application filed by Tianyi Cloud Technology Co Ltd
Priority to CN202011379894.1A
Publication of CN114640646A
Application granted
Publication of CN114640646B
Legal status: Active
Anticipated expiration


Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L61/00: Network arrangements, protocols or services for addressing or naming
    • H04L61/09: Mapping addresses
    • H04L61/10: Mapping addresses of different types
    • H04L61/103: Mapping addresses of different types across network layers, e.g. resolution of network layer into physical layer addresses or address resolution protocol [ARP]
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L69/00: Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
    • H04L69/22: Parsing or analysis of headers

Abstract

The present disclosure relates to systems, apparatuses, and methods for binding container public network IPs based on an ARP proxy. A system for network communication comprises an address resolution protocol (ARP) proxy resolution module configured to: dynamically receive iptables rules and elastic subnet POD IP binding information from an open virtual switch (OVN) module, and upload the iptables rules and the elastic subnet POD IP binding information to an ARP control management module; listen at a port for a message request from a machine room switch, and parse and verify the message request; and detect the POD matching the destination address IP, based on the destination address IP contained in the parsed and verified message request, the iptables rules and the POD IP binding information, and respond to the message request so as to inform the machine room switch of the corresponding communication link.

Description

System, device and method for binding container public network IP based on ARP proxy
Technical Field
The present disclosure relates generally to the field of communications, and more particularly to systems, methods, and apparatus for network communications of containers.
Background
Currently, the public network IP binding schemes adopted by mainstream public cloud providers (such as Alibaba Cloud) are roughly as follows: first, a DHCP address pool with a fixed IP address range is planned; an elastic network card is obtained through association in the user view; and the public network IP is mapped to the elastic network card of the cloud account by NAT mapping. However, to implement such a public network IP binding scheme, the cloud backend system must implement NAT mapping on the machine room switch in addition to implementing the elastic network card. For a small shared-cloud scenario, such a public network IP binding scheme is too complicated, costly to implement and inflexible.
In addition, although the CDN + edge computing project uses Kubernetes containers as its base, and the common Kubernetes CNI network plug-ins provide elastic subnet division, elastic subnet isolation, elastic IPs and similar functions, Kubernetes running on physical machines lacks functions such as the VPC and the elastic network card of public cloud IaaS facilities. This poses a technical challenge for binding a public network IP directly to a POD, and for the scenario in which a user accesses the POD directly through the public network.
It is therefore desirable to provide a system, apparatus and method that enables public network IP binding in a more flexible manner and at lower cost.
Disclosure of Invention
The following presents a simplified summary of the disclosure in order to provide a basic understanding of some aspects of the disclosure. However, it should be understood that this summary is not an exhaustive overview of the disclosure. It is not intended to identify key or critical elements of the disclosure or to delineate the scope of the disclosure. Its purpose is to present some concepts related to the disclosure in a simplified form as a prelude to the more detailed description that is presented later.
According to one aspect of the present disclosure, there is provided a system for network communication, comprising an address resolution protocol (ARP) proxy resolution module configured to: dynamically receive iptables rules and elastic subnet POD IP binding information from an open virtual switch (OVN) module, and upload the iptables rules and the elastic subnet POD IP binding information to an ARP control management module; listen at a port for a message request from a machine room switch, and parse and verify the message request; and detect the POD matching the destination address IP, based on the destination address IP contained in the parsed and verified message request, the iptables rules and the POD IP binding information, and respond to the message request so as to inform the machine room switch of the corresponding communication link.
According to another aspect of the present disclosure, there is provided a method for network communication, comprising: dynamically receiving iptables rules and elastic subnet POD IP binding information from an open virtual switch (OVN) module, and uploading the iptables rules and the elastic subnet POD IP binding information to an ARP control management module; listening at a port for a message request from a machine room switch, and parsing and verifying the message request; and detecting the POD matching the destination address IP, based on the destination address IP contained in the parsed and verified message request, the iptables rules and the POD IP binding information, and responding to the message request so as to inform the machine room switch of the corresponding communication link.
According to yet another aspect of the present disclosure, there is provided an apparatus for network communication, comprising: a memory having instructions stored thereon; and a processor configured to execute instructions stored on the memory to perform the above-described method for network communication.
According to yet another aspect of the present disclosure, there is provided a computer-readable storage medium comprising computer-executable instructions which, when executed by one or more processors, cause the one or more processors to perform the above-described method for network communication.
Other features of the present invention and its advantages will become more apparent from the following detailed description of exemplary embodiments of the invention, which proceeds with reference to the accompanying drawings.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments of the disclosure and together with the description, serve to explain the principles of the disclosure.
The disclosure may be more clearly understood from the following detailed description taken in conjunction with the accompanying drawings in which:
FIG. 1 shows a schematic diagram of a system for network communication according to an embodiment of the present disclosure;
FIG. 2 shows a schematic diagram of a method for network communication according to an embodiment of the present disclosure; and
FIG. 3 illustrates an exemplary configuration of a computing device in which embodiments according to the present disclosure may be implemented.
Detailed Description
The following detailed description is made with reference to the accompanying drawings and is provided to assist in a comprehensive understanding of various example embodiments of the disclosure. The following description includes various details to aid in understanding, but these are to be considered merely examples and are not intended to limit the disclosure, which is defined by the appended claims and their equivalents. The words and phrases used in the following description are only intended to provide a clear and consistent understanding of the present disclosure. In addition, descriptions of well-known structures, functions and configurations may be omitted for clarity and conciseness. Those of ordinary skill in the art will recognize that various changes and modifications of the examples described herein can be made without departing from the spirit and scope of the present disclosure.
In view of the above problems in the prior art, the present invention discloses a container public network IP binding scheme based on the address resolution protocol (ARP). The invention solves the public network IP binding problem at the container PaaS layer, rather than at the VPC layer, where the leading public cloud providers solve it by NAT.
Next, a system, method and apparatus for network communication according to the present invention are described in detail with reference to FIGS. 1 to 3.
FIG. 1 illustrates a system 100 for network communication according to an embodiment of the present disclosure.
As shown in FIG. 1, a system 100 for network communication according to an embodiment of the present disclosure includes: an Address Resolution Protocol (ARP) proxy resolution module 102, an open virtual switch (Open Virtual Switch, OVN) module 104, and an ARP control management module 106.
The ARP proxy resolution module 102 dynamically receives the iptables rules and elastic subnet POD IP binding information from the OVN module 104 (specifically, from the OVN control plane module 1044 described below) and uploads the iptables rules and elastic subnet POD IP binding information to the ARP control management module 106.
In some aspects according to embodiments of the present disclosure, the ARP proxy module 102 is deployed as a DaemonSet on each node of the Kubernetes cluster. Kubernetes (K8s for short; the abbreviation replaces the 8 characters "ubernete" with the digit 8) is an open-source application for managing containerized applications on multiple hosts in a cloud platform. The goal of Kubernetes is to make deploying containerized applications simple and efficient; it provides mechanisms for application deployment, planning, updating and maintenance. A DaemonSet guarantees that a copy of the container runs on each node, and is often used to deploy cluster logging, monitoring or other system management applications.
The POD is the replication unit of a Kubernetes application. Specifically, Kubernetes does not run containers directly; instead, it encapsulates one or more containers into a higher-level structure called a POD. All containers in the same POD share the same namespaces and local network, so they can communicate with each other as easily as if they were on the same machine while maintaining some degree of isolation.
A POD may hold multiple containers, but should be kept as small as possible. Because PODs are scaled up and down as a unit, all containers in one POD must be scaled together whether or not they are needed, which wastes resources and increases cost. A POD should therefore typically contain only one main process and its tightly coupled auxiliary containers.
Furthermore, if a single POD instance cannot carry the load, Kubernetes may be configured to deploy new copies of the POD into the cluster as needed. Even without heavy load, a production system needs multiple copies at all times for load balancing and fault tolerance.
In addition, the ARP proxy resolution module 102 listens at a port for a message request from the machine room switch 200, and parses and verifies the message request.
Further, the ARP proxy resolution module 102 detects the POD corresponding to the destination address IP, based on the destination address IP contained in the parsed and verified message request, the iptables rules and the elastic subnet POD IP binding information, and responds to the message request to inform the machine room switch 200 of the corresponding communication link.
The machine room switch 200 receives the data packet sent from the user 300 via the public network router, checks whether the destination address IP contained in the data packet belongs to the IP network segment of this machine room, and initiates the message request when it does.
In addition, the machine room switch 200 sends the data packet to the OVN module 104 (specifically, to the OVN control plane module 1044 described below) based on the communication link notified by the ARP proxy module 102.
The OVN module 104 includes an OVN elastic subnet management module 1042 and an OVN control plane module 1044.
Open vSwitch (OVS) is a virtual switch widely used in OpenStack thanks to its rich functionality and relatively good performance. OVS mimics the workflow of a physical machine room switch and implements many of the network functions that physical machine room switches support. OVN is a project of the Open vSwitch group that develops an SDN controller for OVS; OVN has better compatibility and performance with OVS and OpenStack than other SDN products, and provides many native virtual network functions that improve the operating efficiency and performance of OVS.
Specifically, OVS is single-host software: it holds no cluster information and cannot know the virtual network state of the whole cluster, so it cannot build a cluster-scale virtual network by itself, much like standalone Docker. OVN, which is the K8s equivalent for OVS, provides a centralized OVS controller, allowing the entire network facility to be organized from a cluster perspective.
The OVN elastic subnet management module 1042 sets up an elastic subnet and assigns a public network IP network segment to the elastic subnet.
In addition, the OVN elastic subnet management module 1042 creates the iptables rules and the PODs, and binds the elastic subnet to the created PODs to obtain the elastic subnet POD IP binding information.
In some aspects according to embodiments of the present disclosure, the OVN elastic subnet module 1042 is deployed in the Kubernetes cluster in POD form.
In some aspects according to embodiments of the present disclosure, the OVN elastic subnet management module 1042 needs to plan the public network segment IPs so that packets for the planned segment can be routed correctly through the public network to the machine room switch 200. For example, the segment 125.88.39.200-125.88.39.230 is planned as the machine room segment to which the Kubernetes cluster belongs.
Further, ETCD is used to store the related IP information. ETCD is an open source project started by the CoreOS team in June 2013, whose goal is to build a highly available distributed key-value database.
The OVN control plane module 1044 writes the iptables rules and elastic subnet POD IP binding information into the cluster nodes under the control plane, and uploads the iptables rules and elastic subnet POD IP binding information to the ARP proxy module 102.
In addition, the OVN control plane module 1044 takes over the data packet from the machine room switch 200, performs destination network address translation (DNAT) on the data packet, and sends the translated packet to the container-internal network of the matching POD.
The ARP control management module 106 manages the individual PODs in the Kubernetes cluster based on the iptables rules and the elastic subnet POD IP binding information.
In some aspects according to embodiments of the present disclosure, the ARP control management module 106 is also deployed in the Kubernetes cluster in POD form.
The information exchange between the ARP proxy resolution module 102, the OVN module 104, the ARP control management module 106 and the machine room switch 200 described with reference to FIG. 1 is further described below with reference to FIG. 2.
FIG. 2 shows a schematic diagram 200 of a method for network communication according to an embodiment of the present disclosure.
As shown in FIG. 2, at step S202 the ARP proxy resolution module 102 dynamically receives the iptables rules and the elastic subnet POD IP binding information from the OVN control plane module 1044.
Although not shown, the iptables rules and elastic subnet POD IP binding information are created by the OVN elastic subnet management module 1042 and written by the OVN control plane module 1044 into the cluster nodes under the control plane.
Next, at step S204, the ARP proxy resolution module 102 uploads the iptables rules and the elastic subnet POD IP binding information to the ARP control management module 106.
Next, at step S206, the machine room switch 200 receives the data packet sent from the user 300 via the public network router, and checks whether the destination address IP contained in the data packet belongs to the IP network segment of this machine room.
Next, at step S208, when the destination address IP belongs to the IP network segment of this machine room, the machine room switch 200 initiates a message request.
Next, at step S210, the ARP proxy resolution module 102 listens at a port for the message request from the machine room switch 200, and parses and verifies it. The ARP proxy resolution module 102 then detects the POD corresponding to the destination address IP, based on the destination address IP contained in the parsed and verified message request, the iptables rules and the elastic subnet POD IP binding information, and responds to the message request to inform the machine room switch 200 of the corresponding communication link.
Next, at step S212, the machine room switch 200 sends the data packet to the OVN control plane module 1044 based on the communication link notified by the ARP proxy module 102. Although not shown, the OVN control plane module 1044 then takes over the data packet from the machine room switch 200, performs destination address translation on it, and sends the translated packet to the container-internal network of the matching POD.
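The flow of steps S202 to S212 (receive bindings, parse and verify the switch's ARP request, look up the bound POD, answer with the node's link, and keep a DNAT rule per binding) as an added Python illustration; it is not code from the patent or from Tianyi Cloud. The segment 125.88.39.200-125.88.39.230 is the one named in the description; the class and function names, the binding table, the MAC addresses and the POD IP are constructed, and the iptables rule text is an assumed shape since the patent does not give one. The proxy answers only for IPs that are both inside the planned segment and bound to a POD, and ignores anything that is not a well-formed IPv4 ARP request, so it cannot be made to claim addresses it does not own.

```python
import ipaddress
import struct
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Tuple

ETH_P_ARP = 0x0806           # EtherType for ARP
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = b"\xff" * 6
ETH_FMT = "!6s6sH"           # dst MAC, src MAC, EtherType
ARP_FMT = "!HHBBH6s4s6s4s"   # htype, ptype, hlen, plen, oper, sha, spa, tha, tpa
ETH_LEN = struct.calcsize(ETH_FMT)   # 14
ARP_LEN = struct.calcsize(ARP_FMT)   # 28


@dataclass(frozen=True)
class PodBinding:
    """Elastic-subnet POD IP binding as pushed from the OVN control plane (constructed)."""
    public_ip: str      # public network IP bound to the POD
    pod_ip: str         # container-internal IP that DNAT rewrites the packet to
    node_mac: bytes     # MAC the proxy answers with, i.e. the node hosting the POD


class ArpProxyResolver:
    """Proxy-answers ARP requests only for public IPs that are bound to a POD."""

    def __init__(self, segment_first: str, segment_last: str, bindings: Iterable[PodBinding]):
        # Planned public network segment of the elastic subnet (hypothetical parameters).
        self.seg_lo = int(ipaddress.IPv4Address(segment_first))
        self.seg_hi = int(ipaddress.IPv4Address(segment_last))
        self.bindings: Dict[str, PodBinding] = {}
        for b in bindings:
            self.update_binding(b)

    def update_binding(self, b: PodBinding) -> None:
        """S202: dynamically receive a binding; refuse IPs outside the planned segment."""
        ip = int(ipaddress.IPv4Address(b.public_ip))
        if not self.seg_lo <= ip <= self.seg_hi:
            raise ValueError(f"{b.public_ip} is outside the planned public segment")
        self.bindings[b.public_ip] = b

    @staticmethod
    def parse_and_verify(frame: bytes) -> Optional[Tuple[bytes, str, str]]:
        """S210: parse an Ethernet/ARP frame and check it is a well-formed IPv4 ARP request.
        Returns (sender MAC, sender IP, target IP), or None when the frame must be ignored."""
        if len(frame) < ETH_LEN + ARP_LEN:
            return None
        _dst, _src, ethertype = struct.unpack(ETH_FMT, frame[:ETH_LEN])
        if ethertype != ETH_P_ARP:
            return None
        htype, ptype, hlen, plen, oper, sha, spa, _tha, tpa = struct.unpack(
            ARP_FMT, frame[ETH_LEN:ETH_LEN + ARP_LEN])
        # Only Ethernet/IPv4 requests are answered; replies and other types are dropped,
        # so the proxy never acts on an unsolicited (gratuitous) reply.
        if (htype, ptype, hlen, plen, oper) != (1, 0x0800, 6, 4, ARP_REQUEST):
            return None
        return sha, str(ipaddress.IPv4Address(spa)), str(ipaddress.IPv4Address(tpa))

    def lookup_pod(self, target_ip: str) -> Optional[PodBinding]:
        """Detect the POD matching the destination IP, or None if nothing is bound."""
        ip = int(ipaddress.IPv4Address(target_ip))
        if not self.seg_lo <= ip <= self.seg_hi:
            return None
        return self.bindings.get(target_ip)

    def respond(self, frame: bytes) -> Optional[bytes]:
        """Build the ARP reply that tells the switch which node MAC owns the public IP.
        None means: not a valid request, or the IP is not bound to any POD (stay silent)."""
        parsed = self.parse_and_verify(frame)
        if parsed is None:
            return None
        sender_mac, sender_ip, target_ip = parsed
        binding = self.lookup_pod(target_ip)
        if binding is None:
            return None
        arp = struct.pack(ARP_FMT, 1, 0x0800, 6, 4, ARP_REPLY,
                          binding.node_mac, ipaddress.IPv4Address(target_ip).packed,
                          sender_mac, ipaddress.IPv4Address(sender_ip).packed)
        eth = struct.pack(ETH_FMT, sender_mac, binding.node_mac, ETH_P_ARP)
        return eth + arp


def build_arp_request(sender_mac: bytes, sender_ip: str, target_ip: str) -> bytes:
    """Constructed request, as the machine room switch would send it at S208."""
    arp = struct.pack(ARP_FMT, 1, 0x0800, 6, 4, ARP_REQUEST,
                      sender_mac, ipaddress.IPv4Address(sender_ip).packed,
                      b"\x00" * 6, ipaddress.IPv4Address(target_ip).packed)
    return struct.pack(ETH_FMT, BROADCAST, sender_mac, ETH_P_ARP) + arp


def dnat_rule(binding: PodBinding) -> str:
    """Shape of the per-binding iptables DNAT rule the control plane keeps (S212);
    the patent gives no exact rule text, so this form is an assumption."""
    return (f"-t nat -A PREROUTING -d {binding.public_ip}/32 "
            f"-j DNAT --to-destination {binding.pod_ip}")
```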
FIG. 3 illustrates an exemplary configuration of a computing device 300 capable of implementing embodiments in accordance with the present disclosure.
Computing device 300 is an example of a hardware device that can employ the above aspects of the present disclosure. Computing device 300 may be any machine configured to perform processing and/or computation. The computing device 300 may be, but is not limited to, a workstation, a server, a desktop computer, a laptop computer, a tablet computer, a Personal Data Assistant (PDA), a smart phone, an on-board computer, or a combination thereof.
As shown in FIG. 3, computing device 300 may include one or more elements that may be connected to or in communication with bus 302 via one or more interfaces. Bus 302 may include, but is not limited to, an industry standard architecture (Industry Standard Architecture, ISA) bus, a micro channel architecture (Micro Channel Architecture, MCA) bus, an Enhanced ISA (EISA) bus, a Video Electronics Standards Association (VESA) local bus, and a Peripheral Component Interconnect (PCI) bus. Computing device 300 may include, for example, one or more processors 304, one or more input devices 306, and one or more output devices 308. The one or more processors 304 may be any kind of processor and may include, but are not limited to, one or more general purpose processors or special purpose processors (such as special purpose processing chips). The processor 304 may be configured, for example, to implement the operations in the method described above with reference to FIG. 2. Input device 306 may be any type of input device capable of inputting information to a computing device and may include, but is not limited to, a mouse, keyboard, touch screen, microphone, and/or remote controller. Output device 308 may be any type of device capable of presenting information and may include, but is not limited to, a display, speakers, video/audio output terminals, vibrators, and/or printers.
The computing device 300 may also include or be connected to a non-transitory storage device 314, which non-transitory storage device 314 may be any storage device that is non-transitory and that may enable data storage, and may include, but is not limited to, a disk drive, an optical storage device, a solid state memory, a floppy disk, a flexible disk, a hard disk, a magnetic tape or any other magnetic medium, a compact disk or any other optical medium, a cache memory and/or any other memory chip or module, and/or any other medium from which a computer may read data, instructions, and/or code. Computing device 300 may also include Random Access Memory (RAM) 310 and Read Only Memory (ROM) 312. The ROM 312 may store programs, utilities or processes to be executed in a non-volatile manner. RAM 310 may provide volatile data storage and store instructions related to the operation of computing device 300. The computing device 300 may also include a network/bus interface 316 coupled to a data link 318. The network/bus interface 316 may be any kind of device or system capable of enabling communication with external devices and/or networks and may include, but is not limited to, modems, network cards, infrared communication devices, wireless communication devices, and/or chipsets (such as Bluetooth™ devices, 802.11 devices, WiFi devices, WiMax devices, cellular communications facilities, etc.).
The system, method and device for network communication according to the present invention set up an elastic subnet through the OVN elastic subnet module, assign a public network IP network segment to it, bind the OVN elastic subnet to a namespace, and create PODs in that namespace, thereby binding the elastic subnet to the PODs. The OVN control plane module writes the elastic subnet POD IP binding information into the cluster nodes under the data control plane in the form of a flow table, and reports the flow table information and the POD information to the ARP proxy resolution module. The ARP proxy resolution module receives the flow table information and the POD information and uploads them to the ARP control management module, which exercises overall control over each POD in the Kubernetes cluster. On the other hand, the ARP proxy resolution module listens at a port for a message request from the machine room switch, parses and verifies it, detects the POD matching the destination address IP based on the destination address IP contained in the parsed and verified message request, the flow table information and the elastic subnet POD IP binding information, and responds to the message request to inform the machine room switch of the corresponding communication link, so that the machine room switch sends the data packet to the OVN control plane module. The OVN control plane module in turn takes over the data packets from the machine room switch 200, performs destination address translation on them, and sends the translated packets to the container-internal network of the matching POD.
In other words, the system, method and device for network communication disclosed by the invention provide POD-level elastic subnet division, together with network policy, network resource limits and similar capabilities for the subnet, as well as POD public network IP binding and fine-grained division of the public network IP segment, so that once a public network data packet passes from the layer-3 network to the layer-2 network of the machine room switch, a layer-2 packet path to the POD in Kubernetes is opened.
The present disclosure may be implemented as any combination of apparatuses, systems, integrated circuits, and computer programs on a non-transitory computer readable medium. One or more processors may be implemented as an Integrated Circuit (IC), Application Specific Integrated Circuit (ASIC), or large scale integrated circuit (LSI), system LSI, super LSI, or ultra LSI assembly that performs some or all of the functions described in this disclosure.
The present disclosure includes the use of software, applications, computer programs, or algorithms. The software, application, computer program or algorithm may be stored on a non-transitory computer readable medium to cause a computer, such as one or more processors, to perform the steps described above and depicted in the drawings. For example, one or more memories may store software or algorithms in executable instructions and one or more processors may associate a set of instructions to execute the software or algorithms to provide various functions in accordance with the embodiments described in this disclosure.
The software and computer programs (which may also be referred to as programs, software applications, components, or code) include machine instructions for a programmable processor, and may be implemented in a high-level procedural, object-oriented, functional, logical, or assembly or machine language. The term "computer-readable medium" refers to any computer program product, device, or apparatus, such as magnetic disks, optical disks, solid state memory devices, memory, and Programmable Logic Devices (PLDs), for providing machine instructions or data to a programmable data processor, including computer-readable media that receives machine instructions as a computer-readable signal.
By way of example, computer-readable media can comprise Dynamic Random Access Memory (DRAM), Random Access Memory (RAM), Read Only Memory (ROM), electrically erasable read only memory (EEPROM), compact disk read only memory (CD-ROM) or other optical disk storage, magnetic disk storage or other magnetic storage devices, or any other medium that can be used to carry or store desired computer-readable program code in the form of instructions or data structures and that can be accessed by a general purpose or special purpose computer or general purpose or special purpose processor. Disk or disc, as used herein, includes Compact Disc (CD), laser disc, optical disc, Digital Versatile Disc (DVD), floppy disk and Blu-ray disc, where disks usually reproduce data magnetically, while discs reproduce data optically with lasers. Combinations of the above are also included within the scope of computer-readable media.
The subject matter of the present disclosure is provided as examples of apparatuses, systems, methods, and programs for performing the features described in the present disclosure. However, other features or variations are contemplated in addition to the features described above. It is contemplated that the implementation of the components and functions of the present disclosure may be accomplished with any emerging technology that may replace any of the above-described implementation technologies.
In addition, the foregoing description provides examples without limiting the scope, applicability, or configuration set forth in the claims. Changes may be made in the function and arrangement of elements discussed without departing from the spirit and scope of the disclosure. Various embodiments may omit, replace, or add various procedures or components as appropriate. For example, features described with respect to certain embodiments may be combined in other embodiments.
In addition, in the description of the present disclosure, the terms "first," "second," "third," etc. are used for descriptive purposes only and are not to be construed as indicating or implying relative importance or order.
Similarly, although operations are depicted in the drawings in a particular order, this should not be understood as requiring that such operations be performed in the particular order shown or in sequential order, or that all illustrated operations be performed, to achieve desirable results. In some cases, multitasking and parallel processing may be advantageous.
Additionally, embodiments of the present disclosure may also include the following examples:
(1) A system for network communication, comprising:
an address resolution protocol (ARP) proxy resolution module configured to:
dynamically receive iptables rules and elastic subnet POD IP binding information from an open virtual switch (OVN) module, and upload the iptables rules and the elastic subnet POD IP binding information to an ARP control management module;
listen at a port for a message request from a machine room switch, and parse and verify the message request; and
detect the POD matching the destination address IP, based on the destination address IP contained in the parsed and verified message request, the iptables rules and the POD IP binding information, and respond to the message request so as to inform the machine room switch of the corresponding communication link.
(2) The system according to (1) above, further comprising:
the OVN module, which comprises an OVN elastic subnet management module and an OVN control plane module, wherein
the OVN elastic subnet management module is configured to:
set up an elastic subnet and assign a public network IP network segment to the elastic subnet; and
create the iptables rules and the POD, and bind the elastic subnet to the created POD to obtain the elastic subnet POD IP binding information; and
the OVN control plane module is configured to:
write the iptables rules and the elastic subnet POD IP binding information into a cluster node under a control plane; and
upload the iptables rules and the elastic subnet POD IP binding information to the ARP proxy module.
(3) The system according to (2) above, wherein the machine room switch:
checks whether the destination address IP contained in a data packet from the public network belongs to the IP network segment of the machine room;
initiates the message request when the destination address IP belongs to the IP network segment of the machine room; and
sends the data packet to the OVN control plane module based on the communication link notified by the ARP proxy module.
(4) The system according to the above (3), characterized in that
The OVN control plane module is further configured to
Maintaining a destination address conversion DNAT rule table, taking over the data packet, and carrying out destination address conversion on the data packet; and
and sending the converted data packet to the container internal network of the conforming POD.
(5) The system according to the above (1), further comprising:
the ARP control management module is configured to
And managing each POD based on the iptables rule and the elastic sub-network POD IP binding information.
(6) The system according to the above (2), characterized in that,
the ARP proxy module is deployed at each node in the Kubernetes cluster in the form of DaemonSet; and is also provided with
The ARP control management module and the OVN elastic subnetwork module are deployed in Kubernetes clusters in POD form.
(7) A method for network communication, comprising:
dynamically receiving iptables rules and elastic subnetwork POD IP binding information from an open virtual machine room switch OVN module, and uploading the iptables rules and the elastic subnetwork POD IP binding information to an ARP control management module;
the method comprises the steps of monitoring a message request from a machine room switch at a port, and analyzing and checking the message request; and
and detecting the POD conforming to the destination address IP based on the destination address IP, the iptables rule and the POD IP binding information contained in the analyzed and checked message request, and responding to the message request so as to inform a machine room switch of a corresponding communication link.
(8) An apparatus for network communication, comprising:
a memory having instructions stored thereon; and
a processor configured to execute instructions stored on the memory to perform the method according to any one of (1) to (6) above.
(9) A computer-readable storage medium comprising computer-executable instructions that, when executed by one or more processors, cause the one or more processors to perform the method of any one of (1) to (6) above.
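The ARP proxy behaviour of examples (1), (3) and (6) above, as an added illustration that is not code from the patent or from its assignee. It assumes, beyond what the patent states, untagged Ethernet II framing, a binding table of the form {public IP: (pod name, hosting node)} pushed by the OVN control plane, and a per-node proxy that knows its own node name and the MAC of its uplink; the switch, node and pod addresses are constructed. The check a practitioner wants and the claim text leaves implicit is visible in handle(): a reply is sent only when the requested IP is in the pushed table and the bound pod lives on this node, otherwise every DaemonSet replica would answer the same request and the switch would learn several MACs for one public IP; update_bindings() additionally refuses addresses outside the elastic subnet so a bad push cannot make a node claim arbitrary addresses on the switch segment.

```python
"""Per-node proxy-ARP responder in the role of the patent's ARP proxy module.

Added example, not the patent's or the assignee's code. Assumed, not from the
patent: untagged Ethernet II framing, a binding table of
{public_ip: (pod_name, node_name)} pushed by the OVN control plane, and a
proxy that knows its own node name and the MAC of its uplink interface.
"""
import ipaddress
import socket
import struct

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = b"\xff" * 6
ZERO_MAC = b"\x00" * 6


def parse_arp(frame: bytes):
    """Parse an untagged Ethernet II + IPv4-over-Ethernet ARP frame.

    Returns a dict, or None for anything that is not well-formed ARP
    (wrong ethertype, truncated, unexpected hardware/protocol types).
    """
    if len(frame) < 42:
        return None
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    sha, spa, tha, tpa = struct.unpack("!6s4s6s4s", frame[22:42])
    return {"dst_mac": dst_mac, "src_mac": src_mac, "oper": oper,
            "sha": sha, "spa": socket.inet_ntoa(spa),
            "tha": tha, "tpa": socket.inet_ntoa(tpa)}


def build_arp(oper, sha, spa, tha, tpa, dst_mac):
    """Serialise an Ethernet II + ARP frame (request or reply)."""
    eth = struct.pack("!6s6sH", dst_mac, sha, ETH_P_ARP)
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, oper,
                      sha, socket.inet_aton(spa), tha, socket.inet_aton(tpa))
    return eth + arp


class ArpProxy:
    """Answers ARP requests only for public IPs bound to pods on *this* node."""

    def __init__(self, node_name, node_mac, elastic_subnet):
        self.node_name = node_name
        self.node_mac = node_mac
        self.subnet = ipaddress.ip_network(elastic_subnet)
        self.bindings = {}  # public IP -> (pod name, hosting node)

    def update_bindings(self, bindings):
        """Install the table pushed by the control plane; reject any address
        outside the elastic subnet so a bad push cannot make this node claim
        arbitrary addresses on the switch's segment."""
        fresh = {}
        for ip, (pod, node) in bindings.items():
            if ipaddress.ip_address(ip) not in self.subnet:
                raise ValueError(f"{ip} is outside elastic subnet {self.subnet}")
            fresh[ip] = (pod, node)
        self.bindings = fresh

    def handle(self, frame):
        """Return the reply frame to send, or None when this node must stay silent."""
        arp = parse_arp(frame)
        if arp is None or arp["oper"] != ARP_REQUEST:
            return None
        binding = self.bindings.get(arp["tpa"])
        if binding is None:
            return None  # not an elastic IP we know: let the real owner answer
        _pod, node = binding
        if node != self.node_name:
            return None  # pod is hosted elsewhere; only that node's proxy replies
        # "tpa is at node_mac", unicast back to the port that asked.
        return build_arp(ARP_REPLY, self.node_mac, arp["tpa"],
                         arp["sha"], arp["spa"], dst_mac=arp["src_mac"])


# Constructed topology (RFC 5737 addresses, locally administered MACs);
# none of it comes from the patent.
SWITCH_MAC = bytes.fromhex("02aa00000001")
SWITCH_IP = "203.0.113.1"
NODE_A_MAC = bytes.fromhex("02bb00000a0a")
BINDINGS = {
    "203.0.113.10": ("web-0", "node-a"),
    "203.0.113.11": ("web-1", "node-b"),
}


def demo():
    """Run three switch-originated ARP requests through node-a's proxy."""
    proxy = ArpProxy("node-a", NODE_A_MAC, "203.0.113.0/24")
    proxy.update_bindings(BINDINGS)
    out = {}
    for target in ("203.0.113.10", "203.0.113.11", "203.0.113.99"):
        request = build_arp(ARP_REQUEST, SWITCH_MAC, SWITCH_IP,
                            ZERO_MAC, target, dst_mac=BROADCAST)
        out[target] = proxy.handle(request)
    return out


if __name__ == "__main__":
    for ip, reply in demo().items():
        print(ip, "->", "silent" if reply is None else parse_arp(reply)["sha"].hex(":"))
```

In a real DaemonSet the frames would come from an AF_PACKET socket bound to the node's uplink and the reply would be written back to the same socket; that I/O is left out so the logic runs offline. The same gating applies to the reverse failure: when a binding moves to another node, the old node's proxy must stop answering the moment the new table arrives, which is why update_bindings() replaces the whole table rather than merging into it.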
While certain exemplary embodiments of the present disclosure have been described in detail by way of example, it should be understood by those skilled in the art that the foregoing examples are illustrative only and are not intended to limit the scope of the present disclosure. The various exemplary embodiments disclosed herein may be combined in any desired manner without departing from the spirit and scope of the present disclosure. Those skilled in the art will also appreciate that various modifications might be made to the exemplified embodiments without departing from the scope and spirit of the disclosure. The scope of the present disclosure is defined by the appended claims.

Claims (9)

1. A system for network communication, comprising:
an Address Resolution Protocol (ARP) proxy resolution module configured to
dynamically receive iptables rules and elastic-subnet POD IP binding information from an Open Virtual Network (OVN) module, and upload the iptables rules and the elastic-subnet POD IP binding information to an ARP control management module;
listen on a port for ARP request messages from the data-center switch, and parse and check each request; and
based on the destination IP address carried in the parsed and checked request, the iptables rules and the POD IP binding information, identify the POD whose bound IP matches the destination IP, and answer the request so as to advertise the corresponding communication link to the data-center switch.
2. The system of claim 1, further comprising:
the OVN module, which comprises an OVN elastic-subnet management module and an OVN control-plane module, wherein
the OVN elastic-subnet management module is configured to
create an elastic subnet and assign a public-network IP segment to the elastic subnet; and
create the iptables rules and the POD, and bind the elastic subnet to the created POD to obtain the elastic-subnet POD IP binding information; and
the OVN control-plane module is configured to
write the iptables rules and the elastic-subnet POD IP binding information to the cluster nodes under the control plane; and
upload the iptables rules and the elastic-subnet POD IP binding information to the ARP proxy module.
3. The system of claim 2, characterized in that
the data-center switch checks whether the destination IP address of a packet arriving from the public network lies in the data-center IP segment;
when the destination IP address lies in the data-center IP segment, the switch initiates the ARP request; and
the packet is forwarded to the OVN control-plane module over the communication link advertised by the ARP proxy module.
4. The system of claim 3, characterized in that
the OVN control-plane module is further configured to
maintain a destination network address translation (DNAT) rule table, take over the packet, and perform destination address translation on it; and
send the translated packet into the container-internal network of the matching POD.
5. The system of claim 1, further comprising:
the ARP control management module, configured to
manage each POD based on the iptables rules and the elastic-subnet POD IP binding information.
6. The system of claim 2, characterized in that
the ARP proxy module is deployed on every node of the Kubernetes cluster as a DaemonSet; and
the ARP control management module and the OVN elastic-subnet management module are deployed in the Kubernetes cluster as PODs.
7. A method for network communication, comprising:
dynamically receiving iptables rules and elastic-subnet POD IP binding information from an Open Virtual Network (OVN) module, and uploading the iptables rules and the elastic-subnet POD IP binding information to an ARP control management module;
listening on a port for ARP request messages from the data-center switch, and parsing and checking each request; and
based on the destination IP address carried in the parsed and checked request, the iptables rules and the POD IP binding information, identifying the POD whose bound IP matches the destination IP, and answering the request so as to advertise the corresponding communication link to the data-center switch.
8. An apparatus for network communication, comprising:
a memory having instructions stored thereon; and
a processor configured to execute the instructions stored on the memory to perform the method of claim 7.
9. A computer-readable storage medium comprising computer-executable instructions that, when executed by one or more processors, cause the one or more processors to perform the method of claim 7.
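Claims 2 and 4 have the control plane write per-node iptables rules and keep a DNAT table that maps each public IP to the container address of the bound POD. The reconciliation below is an added example, not the patent's or the assignee's code: it derives the DNAT (inbound) and matching SNAT (return path) rules a node should carry from the binding table, reads what the node actually has from iptables-save output, and reports the difference. The chain names OVN-ELASTIC-DNAT and OVN-ELASTIC-SNAT, both subnets, the binding record layout and the iptables-save text are assumptions constructed for the demo. The case it handles that the claim text does not spell out is the stale rule: a DNAT left behind after a pod is deleted keeps steering that public IP into whatever container later receives the old address, so rules are reconciled against the control plane's authoritative table rather than appended.

```python
"""Reconcile per-node DNAT/SNAT rules for elastic-subnet POD IPs.

Added example, not the patent's or the assignee's code. Assumed, not from the
patent: the chain names, the subnets, the binding record layout, and the
iptables-save output, which is constructed for the demo.
"""
import ipaddress

ELASTIC_SUBNET = ipaddress.ip_network("203.0.113.0/24")  # public IPs for pods
POD_CIDR = ipaddress.ip_network("10.244.0.0/16")          # container-internal IPs
DNAT_CHAIN = "OVN-ELASTIC-DNAT"   # hypothetical chain hooked from nat PREROUTING
SNAT_CHAIN = "OVN-ELASTIC-SNAT"   # hypothetical chain hooked from nat POSTROUTING


def validate_bindings(bindings):
    """Return a list of problems; an empty list means the table is consistent.

    bindings: {public_ip: {"pod": name, "pod_ip": ip, "node": node}}
    """
    problems, pods_seen = [], set()
    for pub, b in bindings.items():
        if ipaddress.ip_address(pub) not in ELASTIC_SUBNET:
            problems.append(f"{pub}: outside elastic subnet {ELASTIC_SUBNET}")
        if ipaddress.ip_address(b["pod_ip"]) not in POD_CIDR:
            problems.append(f"{pub}: pod IP {b['pod_ip']} outside {POD_CIDR}")
        if b["pod_ip"] in pods_seen:  # two public IPs on one pod: SNAT would be ambiguous
            problems.append(f"{pub}: pod IP {b['pod_ip']} bound more than once")
        pods_seen.add(b["pod_ip"])
    return problems


def desired_rules(bindings, node_name):
    """Rules this node should carry: one DNAT (in) and one SNAT (out) per pod it hosts."""
    problems = validate_bindings(bindings)
    if problems:
        raise ValueError("; ".join(problems))
    rules = []
    for pub, b in sorted(bindings.items()):
        if b["node"] != node_name:
            continue  # only the hosting node translates; others must not
        rules.append(f"-A {DNAT_CHAIN} -d {pub}/32 -j DNAT --to-destination {b['pod_ip']}")
        rules.append(f"-A {SNAT_CHAIN} -s {b['pod_ip']}/32 -j SNAT --to-source {pub}")
    return rules


def current_rules(iptables_save_nat):
    """Pick our chains' rules out of `iptables-save -t nat` text."""
    found = []
    for line in iptables_save_nat.splitlines():
        parts = line.split()
        if len(parts) > 1 and parts[0] == "-A" and parts[1] in (DNAT_CHAIN, SNAT_CHAIN):
            found.append(line.strip())
    return found


def reconcile(desired, current):
    """Return (rules to add, rules to delete); the latter go to `iptables -t nat -D`."""
    want, have = set(desired), set(current)
    return sorted(want - have), sorted(have - want)


# Constructed state: web-0 already wired, web-1 newly bound, and a stale pair
# left behind for 203.0.113.12 after its pod was deleted.
SAMPLE_BINDINGS = {
    "203.0.113.10": {"pod": "web-0", "pod_ip": "10.244.1.5", "node": "node-a"},
    "203.0.113.11": {"pod": "web-1", "pod_ip": "10.244.1.7", "node": "node-a"},
    "203.0.113.13": {"pod": "web-2", "pod_ip": "10.244.3.2", "node": "node-b"},
}
SAMPLE_IPTABLES_SAVE = """\
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OVN-ELASTIC-DNAT - [0:0]
:OVN-ELASTIC-SNAT - [0:0]
-A PREROUTING -j OVN-ELASTIC-DNAT
-A POSTROUTING -j OVN-ELASTIC-SNAT
-A OVN-ELASTIC-DNAT -d 203.0.113.10/32 -j DNAT --to-destination 10.244.1.5
-A OVN-ELASTIC-DNAT -d 203.0.113.12/32 -j DNAT --to-destination 10.244.2.9
-A OVN-ELASTIC-SNAT -s 10.244.1.5/32 -j SNAT --to-source 203.0.113.10
-A OVN-ELASTIC-SNAT -s 10.244.2.9/32 -j SNAT --to-source 203.0.113.12
COMMIT
"""


def demo(node_name="node-a"):
    """Rules node-a must add and delete to match the pushed binding table."""
    return reconcile(desired_rules(SAMPLE_BINDINGS, node_name),
                     current_rules(SAMPLE_IPTABLES_SAVE))


if __name__ == "__main__":
    to_add, to_delete = demo()
    print("add:", *to_add, sep="\n  ")
    print("delete:", *to_delete, sep="\n  ")
```

The SNAT half matters as much as the DNAT: without it the pod's replies leave with its 10.244.x.x source and the public-network peer never sees the elastic IP it connected to. Keeping both halves in dedicated chains, rather than directly in PREROUTING and POSTROUTING, is what lets current_rules() read back exactly the rules this component owns and ignore everything else on the node.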

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202011379894.1A CN114640646B (en) 2020-12-01 2020-12-01 System, device and method for binding container public network IP based on ARP proxy

Publications (2)

Publication Number Publication Date
CN114640646A CN114640646A (en) 2022-06-17
CN114640646B true CN114640646B (en) 2024-01-02

Family

ID=81945566

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202011379894.1A Active CN114640646B (en) 2020-12-01 2020-12-01 System, device and method for binding container public network IP based on ARP proxy

Country Status (1)

Country Link
CN (1) CN114640646B (en)

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103024028A * 2012-12-07 2013-04-03 武汉邮电科学研究院 Virtual machine IP (Internet Protocol) address detection system and method in cloud computing
CN105430113A * 2015-11-03 2016-03-23 上海斐讯数据通信技术有限公司 SDN ARP message processing method and device, SDN controller and SDN switch
CN107124364A * 2017-06-30 2017-09-01 广州市品高软件股份有限公司 Full network ARP proxy method and system based on a software-defined network controller
CN109428949A * 2017-08-30 2019-03-05 杭州达乎科技有限公司 Method and apparatus for implementing ARP proxy based on SDN
CN110247899A * 2019-05-27 2019-09-17 南京大学 System and method for detecting and mitigating ARP attacks in an SDN cloud environment
CN111800329A * 2020-06-28 2020-10-20 浪潮思科网络科技有限公司 Message forwarding method, device and medium based on SDN and OVN
CN111917649A * 2019-05-10 2020-11-10 华为技术有限公司 Virtual private cloud communication and configuration method and related device

Family Cites Families (2)

Publication number Priority date Publication date Assignee Title
US8937955B2 (en) * 2012-12-05 2015-01-20 Cisco Technology, Inc. System and method for scaling IPv6 addresses in a network environment
US10547588B2 (en) * 2016-04-30 2020-01-28 Nicira, Inc. Method of translating a logical switch into a set of network addresses

Non-Patent Citations (1)

Title
Research on SDN-based VxLAN networking schemes (基于SDN的VxLAN组网方案研究); Pang Yang (庞杨); Telecommunications Technology (电信技术); pp. 19-24 *

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant