CN116346536A - Method, device, equipment and medium for virtual machine to access cloud platform management network - Google Patents


Info

Publication number
CN116346536A
Authority
CN
China
Prior art keywords
virtual
network
management network
virtual machine
bridge
Prior art date
Legal status
Pending
Application number
CN202310397399.0A
Other languages
Chinese (zh)
Inventor
Name withheld at the inventor's request
Current Assignee
Anchao Cloud Software Co Ltd
Original Assignee
Anchao Cloud Software Co Ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 12/00 Data switching networks
    • H04L 12/28 Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • H04L 12/46 Interconnection of networks
    • H04L 12/4641 Virtual LANs, VLANs, e.g. virtual private networks [VPN]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 67/00 Network arrangements or protocols for supporting network services or applications
    • H04L 67/01 Protocols
    • H04L 67/10 Protocols in which an application is distributed across nodes in the network


Abstract

The invention discloses a method, a device, equipment and a medium for a virtual machine to access a cloud platform management network. The method comprises the following steps: creating, on a physical node of a cloud platform, a first virtual bridge that interworks with the service network; creating, based on the first virtual bridge, a virtual management network on the physical node that interworks with the management network; and connecting the virtual machine on the physical node to the virtual management network and configuring the default route the virtual machine uses when it accesses the management network, so that the virtual machine can access the management network through the virtual management network. The method enables the virtual machine to access the cloud platform management network without changing the physical isolation between the cloud platform management network and the service network.

Description

Method, device, equipment and medium for virtual machine to access cloud platform management network
Technical Field
The present invention relates to the field of cloud computing technologies, and in particular, to a method, an apparatus, a device, and a medium for accessing a cloud platform management network by a virtual machine.
Background
Cloud computing platforms, also referred to as cloud platforms, are services that provide computing, networking and storage capabilities on top of hardware and software resources. With the development of cloud computing, PaaS (Platform as a Service) services such as container platforms and databases are deployed on cloud platforms and have gradually become the main actors there; even the control services of many cloud platforms are deployed on the cloud platform in the form of PaaS services. Typically, PaaS services such as container platforms and databases are deployed on the cloud platform as virtual machines, and these services communicate with the outside through the service network bound to the virtual machines.
Because of cloud platform network security requirements, the service network bound to virtual machines on a cloud platform and the management network of the cloud platform are usually physically isolated, so a virtual machine cannot reach the cloud platform and therefore cannot operate the cloud platform directly. To let the virtual machine access the cloud platform, the existing approach is to connect the cloud platform management network and the service network through a physical switch or physical router. The drawback of this approach is that the physical isolation between the service network and the management network of the cloud platform is destroyed: unless restrictions are imposed at the IP layer, virtual machines and physical machines can access each other, and security is low. In addition, the management network and the service network then share links and bandwidth, so operation and management of one can affect the other.
Therefore, in view of the above technical problems, it is necessary to provide a new method, apparatus, device and medium for a virtual machine to access a cloud platform management network.
Disclosure of Invention
The invention aims to provide a method, a device, equipment and a medium for accessing a cloud platform management network by a virtual machine, which can realize the access of the virtual machine to the cloud platform management network under the condition of not changing the physical isolation of the cloud platform management network and a service network.
In order to achieve the above purpose, the technical scheme provided by the invention is as follows:
In a first aspect, the present invention provides a method for a virtual machine to access a cloud platform management network, including:
creating a first virtual network bridge which is communicated with a service network on a physical node of a cloud platform;
creating a virtual management network interworking with a management network on the physical node based on the first virtual bridge;
and communicating the virtual machine on the physical node with the virtual management network, and configuring a default route when the virtual machine accesses the management network, so that the virtual machine can access the management network based on the virtual management network.
In one or more embodiments, creating a first virtual bridge that interworks with a service network on a physical node of a cloud platform, comprising:
creating a first virtual network bridge on a physical node of a cloud platform, and binding a service network physical network card of the physical node to the first virtual network bridge.
In one or more embodiments, creating a virtual management network interworking with a management network on the physical node based on the first virtual bridge, includes:
creating, based on the first virtual bridge, a virtual management network card with a preset VLAN ID on the physical node, so that the virtual management network card interworks with the management network physical network card of the physical node.
In one or more embodiments, communicating a virtual machine on the physical node with the virtual management network includes:
creating a second virtual bridge on the physical node that bridges the first virtual bridge;
bridging a virtual network card of a virtual machine on the physical node with the second virtual network bridge;
configuring flow table rules on the first virtual bridge and the second virtual bridge so that the virtual management network card and the virtual network card of the virtual machine can communicate.
In one or more embodiments, the method further comprises:
when the physical node is provided with a plurality of virtual machines with different networks, different local VLAN TAGs are configured for the virtual network cards of the virtual machines with different networks on the second virtual network bridge.
In one or more embodiments, configuring a default route for the virtual machine when accessing the management network includes:
configuring IP addresses for the virtual network card of the virtual machine and for the virtual management network card, and configuring the default route used when the virtual machine accesses the management network so that traffic is forwarded through the virtual management network card.
In one or more embodiments, the method further comprises:
configuring iptables filter rules on the physical node.
In a second aspect, the present invention provides an apparatus for accessing a cloud platform management network by a virtual machine, including:
a first creation module for creating a first virtual bridge interworking with the service network on the physical node;
a second creation module, configured to create a virtual management network that interworks with a management network on the physical node based on the first virtual bridge;
a configuration module, configured to connect the virtual machine on the physical node to the virtual management network and to configure a default route when the virtual machine accesses the management network, so that the virtual machine can access the management network based on the virtual management network.
In a third aspect, the present invention provides an electronic device comprising a memory, a processor, and a computer program stored on the memory and executable on the processor, the processor implementing a method for accessing a cloud platform management network by a virtual machine as described above when executing the program.
In a fourth aspect, the present invention provides a computer readable medium carrying computer executable instructions thereon, which when executed by a processor are configured to implement a method for accessing a cloud platform management network by a virtual machine as described above.
Compared with the prior art, the method for a virtual machine to access the cloud platform management network keeps the physical isolation between the cloud platform management network and the service network unchanged. A virtual local area network on the service network is selected as the virtual management network, a network is created on top of it, an IP network segment is selected as the segment of the virtual management network, and flow table rules are configured on the virtual bridges of the cloud platform physical nodes. As a result, a virtual machine bound to the virtual management network and the cloud platform physical node communicate at layer 2 over the virtual management network, and the virtual machine bound to the virtual management network can access the management network of the cloud platform physical node through it. At the same time, iptables filter rules are configured on the cloud platform physical node, adding security restrictions on the virtual machines of the virtual management network to ensure the network security of the cloud platform physical node.
Drawings
FIG. 1 is a schematic diagram of an implementation scenario of a method for accessing a cloud platform management network by a virtual machine according to an embodiment of the present invention;
FIG. 2 is a flow chart of a method for a virtual machine to access a cloud platform management network in an embodiment of the invention;
FIG. 3 is a cloud platform architecture diagram of a method for implementing virtual machine access to a cloud platform management network in an embodiment of the invention;
FIG. 4 is a block diagram illustrating an apparatus for accessing a cloud platform management network by a virtual machine according to an embodiment of the present invention;
FIG. 5 is a block diagram of an electronic device according to an embodiment of the present invention.
Detailed Description
The following detailed description of embodiments of the invention is to be read in conjunction with the accompanying drawings, and it is to be understood that the scope of the invention is not limited to the specific embodiments.
Throughout the specification and claims, unless explicitly stated otherwise, the term "comprise" or variations thereof such as "comprises" or "comprising", etc. will be understood to include the stated element or component without excluding other elements or other components.
In order to facilitate understanding of the technical solutions of the present application, the following first explains in detail the technical terms that may occur in the present invention.
Management network: is a network used by the cloud platform to manage and monitor cloud resources. It is typically a private, isolated network that is used to connect management resources such as management nodes, virtualized hosts, storage devices, network devices, etc. of the cloud platform. The management network has the function of providing a safe and reliable management channel for the cloud platform, and ensuring that cloud platform management personnel can manage and monitor cloud resources at any time.
Service network: the network that carries customer traffic for the cloud platform. It is usually a public-facing network and connects the cloud platform's service resources, such as virtual machines, storage devices and network devices, for use by clients. The service network provides clients with a reliable network environment in which they can run their own applications and services. It is used for communication between virtual machines and between virtual machines and computers outside the platform; physically, it consists of the service network card of each node and the layer-2 links connecting those cards.
Virtual bridge: a network device used in a virtual network to connect virtualized network devices such as virtual machines and containers into a virtual local area network. A virtual bridge is implemented in software in the operating system and emulates the functions of a physical switch. It acts like a hub or switch in a physical network, forwarding packets between its virtual ports. Virtualized network devices such as virtual machines and containers are attached to virtual ports of the bridge and communicate with one another through it. A virtual bridge can also implement advanced network functions such as VLAN partitioning, traffic control and security policies. It provides a secure and reliable network infrastructure for the virtualized environment, so that virtual machines and containers can communicate within an isolated virtual network and, via the physical network, with external networks. Common virtual bridges are the bridge in the Linux kernel, Open vSwitch, and the like.
VLAN ID (Virtual Local Area Network Identifier): a number that identifies a VLAN, typically represented by a 12-bit binary number or a three- or four-digit decimal number. VLAN is a virtual local area network technology that divides one physical network into several logically independent virtual networks, each isolated from the others, thereby improving the security and manageability of the network. VLAN IDs are the unique identifiers that distinguish VLANs. Within a VLAN, each network device port is configured to belong to a specific VLAN and is assigned the corresponding VLAN ID. When a data packet arrives at the switch, the switch forwards it to the corresponding VLAN according to the packet's VLAN ID, thereby isolating and managing the data of different VLANs. Devices in different VLANs can communicate through the routing function of the switch, or can be interconnected through a VLAN trunk connection.
VLAN TAG: a tag that identifies the VLAN to which data belongs as it is transmitted through the network. The VLAN TAG is typically a four-byte tag containing the VLAN ID and some other control information, such as priority. It is inserted into the header of the original Ethernet frame, and a frame carrying a VLAN TAG is called a "tagged frame".
PVID (Port-based VLAN ID): a VLAN configuration implemented by assigning a VLAN ID to each network port (i.e., switch port). In this configuration, the switch places ports in different VLANs according to the device types or network requirements of what is connected to them, thereby isolating and managing the different devices or networks. Each port can belong to only one VLAN, which means that if a port needs to reach different VLANs at the same time, multiple ports or other technologies (e.g., 802.1Q) must be used.
Fig. 1 is a schematic diagram of an exemplary implementation scenario of a method for a virtual machine to access a cloud platform management network according to an embodiment of the present invention. In the scenario shown in fig. 1, a cloud platform 100 including a control node 101, a network node 102, a computing node 103, a computing node 104, a management network switch 105 and a service network switch 106 is deployed on an OpenStack cloud computing management platform. The control node 101, the network node 102, the computing node 103 and the computing node 104 are each connected to the management network switch 105 and the service network switch 106.
Specifically, the management network physical network cards of the control node 101, the network node 102, the computing node 103, and the computing node 104 are connected with the management network switch 105, and the service network physical network cards of the control node 101, the network node 102, the computing node 103, and the computing node 104 are connected with the service network switch 106 to construct the cloud platform.
The method for the virtual machine to access the cloud platform management network provided by the invention is further described below with reference to specific scenes.
First, a first virtual bridge is created on the control node 101, the network node 102, the computing node 103, and the computing node 104, interworking with the traffic network switch 106. Next, based on the first virtual bridge, a virtual management network interworking with the management network switch 105 is created on the control node 101, the network node 102, the computing node 103, and the computing node 104. Finally, virtual machines on compute nodes 103 and 104 are brought into communication with the virtual management network and a default route is configured when the virtual machines access the management network to enable the virtual machines to access management network switch 105 based on the virtual management network.
Referring to fig. 2, a flowchart of a method for accessing a cloud platform management network by a virtual machine according to an embodiment of the present invention specifically includes the following steps:
S201: a first virtual bridge that interworks with a service network is created on a physical node of a cloud platform.
In an exemplary embodiment, creating a first virtual bridge that interworks with a service network on a physical node of a cloud platform specifically includes: creating a first virtual network bridge on a physical node of a cloud platform, and binding a service network physical network card of the physical node to the first virtual network bridge.
It should be noted that the virtual bridge needs a unique name, and some parameters, such as VLAN ID, MAC address, IP address, etc., need to be set. These parameters need to be determined before the virtual bridge is created. Virtual bridges are typically implemented in software in an operating system. The virtual bridge software needs to be installed before the virtual bridge is created. After the virtual bridge software is installed, the virtual bridge may be created using the virtual bridge software, specifying names and parameters, and may be created using a command line tool or a graphical tool. After the virtual network bridge is created, the physical network card can be connected to the virtual network bridge by using virtual network bridge software, so that the physical network card and the virtual network bridge can forward the data packet.
The specific operating steps and commands for creating a virtual bridge vary between virtual bridge software packages and can generally be found in the relevant documentation. Common virtual bridge software includes the bridge in the Linux kernel, Open vSwitch, and the like.
S202: and creating a virtual management network which is communicated with the management network on the physical node based on the first virtual network bridge.
In an exemplary embodiment, based on the first virtual bridge, creating a virtual management network that interworks with a management network on the physical node specifically includes: and creating a virtual management network card of a preset VLAN ID on the physical node based on the first virtual network bridge, so that the virtual management network card is communicated with a management network physical network card of the physical node.
It should be noted that, when creating the virtual management network card on each physical node of the cloud platform, the VLAN IDs of the virtual management network cards on each physical node need to be consistent, so that the virtual management network cards on each physical node can be in the same virtual local area network.
S203: and communicating the virtual machine on the physical node with the virtual management network, and configuring a default route when the virtual machine accesses the management network, so that the virtual machine can access the management network based on the virtual management network.
In an exemplary embodiment, the communicating the virtual machine on the physical node with the virtual management network specifically includes: creating a second virtual bridge on the physical node that bridges the first virtual bridge; bridging a virtual network card of a virtual machine on the physical node with the second virtual network bridge; and configuring a flow table rule on the first virtual network bridge and the second virtual network bridge so as to enable the virtual management network card and the virtual network card of the virtual machine to communicate.
Specifically, when a physical node hosts several virtual machines on different networks, different local VLAN TAGs are configured on the second virtual bridge for the virtual network cards of the virtual machines on different networks, so that the virtual network cards of virtual machines that do not share a network are isolated from one another.
In an exemplary embodiment, configuring a default route when the virtual machine accesses the management network specifically includes: configuring IP addresses for the virtual network card of the virtual machine and for the virtual management network card, and configuring the default route used when the virtual machine accesses the management network so that traffic is forwarded through the virtual management network card.
In an exemplary embodiment, to increase network security, the iptables filter rule is configured for the physical node, and only the ports allowed by the cloud platform are opened to the virtual machine to which the virtual management network is bound.
It should be noted that iptables is the firewall tool of the Linux system; it filters and processes network traffic according to filtering rules. The filter table is the default iptables table and is mainly used to filter network traffic. iptables filter rules are the set of rules defined in the filter table to filter and control the transmission of network traffic. Each rule consists of a set of match conditions and an action; if a packet satisfies all the match conditions of the rule, it is processed according to the specified action. Common actions include accept, reject, drop (discard) and redirect.
The method for accessing the cloud platform management network by the virtual machine provided by the invention is further described below with reference to a specific embodiment.
Fig. 3 is a cloud platform architecture diagram for implementing a method for a virtual machine to access a cloud platform management network according to an embodiment of the invention. The cloud platform includes a control node 310, a network node 320, a computing node 330, a computing node 340, a management network switch 350 and a service network switch 360.
The management network physical network card eth311 of the control node 310 is connected to the management network switch 350, the IP of the management network physical network card eth311 is 10.21.1.41, and the service network physical network card eth312 is connected to the service network switch 360. The management network physical network card eth321 of the network node 320 is connected to the management network switch 350, the IP of the management network physical network card eth321 is 10.21.1.42, and the service network physical network card eth322 is connected to the service network switch 360. The management network physical network card eth331 of the computing node 330 is connected to the management network switch 350, the IP of the management network physical network card eth331 is 10.21.1.43, and the service network physical network card eth332 is connected to the service network switch 360. The management network physical network card eth341 of the computing node 340 is connected to the management network switch 350, the IP of the management network physical network card eth341 is 10.21.1.43, and the service network physical network card eth342 is connected to the service network switch 360.
The method for realizing the access of the virtual machine to the cloud platform management network based on the cloud platform shown in fig. 3 comprises the following specific steps:
step 1: and connecting the management network physical network cards of all the physical nodes of the cloud platform together through the management network switch and opening the two layers.
Specifically, the management network physical network card eth311 of the control node 310, the management network physical network card eth321 of the network node 320, the management network physical network card eth331 of the computing node 330, and the management network physical network card eth441 of the computing node 340 are connected to the management network switch 350 through a network cable. Meanwhile, the management network switch 350 configures the same PVID as the ports to which the management network physical network cards eth311, eth321, eth331, eth341 are connected.
Step 2: and connecting the service network physical network cards of all the physical nodes of the cloud platform together through a service network switch, and configuring ports of the service network switch, which are connected with the service network physical network cards, into trunk ports.
Specifically, the service network physical network card eth312 of the control node 310, the service network physical network card eth322 of the network node 320, the service network physical network card eth332 of the computing node 330, the service network physical network card eth342 of the computing node 40 is connected to the service network switch 360 through a network cable, and the ports of the service network switch 369, which are connected to the service network physical network cards of the nodes, are configured as trunk ports.
Step 3: and creating a first virtual network bridge on all physical nodes of the cloud platform, and binding the service network physical network card of each physical node to each corresponding first virtual network bridge.
Specifically, a first virtual bridge brVlan313 is created on the control node 310, and the service network physical network card eth311 is bound to the brVlan 313; creating a first virtual bridge brVlan323 on the network node 320 and binding the service network physical network card eth322 to the brVlan 323; creating a first virtual bridge brVlan333 on the computing node 330 and binding the service network physical network card eth332 to the brVlan 333; a first virtual bridge brVlan343 is created on the computing node 340 and the traffic network physical network card eth342 is bound to the brVlan 343.
In this embodiment, the creation of the first virtual bridge and the operation of binding the service network physical network card to the first virtual bridge may be implemented by Open vSwitch. For example, a first virtual bridge may be created on the Open vSwitch, and the service network physical network card is bound to the first virtual bridge, specifically implemented by the following commands:
ovs-vsctl add-br brVlan
ovs-vsctl add-port brVlan eth0
step 4: based on the first virtual network bridge of each physical node, a virtual management network card with a preset VLAN ID is created on the physical node.
Specifically, a virtual management network card VLAN net314 with a VLAN ID of 200 is created on the first virtual bridge brVlan313 of the control node 310; creating a virtual management network card VLAN net324 with a VLAN ID of 200 on a first virtual bridge brVlan323 of the network node 320; creating a virtual management network card VLAN 334 with a VLAN ID of 200 on a first virtual bridge brVlan333 of the computing node 330; a virtual management network card VLAN 344 with a VLAN ID of 200 is created on the first virtual bridge brVlan343 of the computing node 340.
In this embodiment, creating a virtual management network card with a VLAN ID of 200 on the first virtual bridge of each node may be implemented by Open vSwitch. For example, an internal type virtual network card is created on a first virtual bridge of the Open vSwitch, and the VLAN ID of the virtual network card is set to 200, which is specifically implemented by adopting the following commands:
ovs-vsctl -- --may-exist add-port brVlan vlannet \
    -- set Interface vlannet type=internal \
    -- set Interface vlannet external-ids:iface-status=active \
    -- set Port vlannet tag=200
Step 5: a second virtual bridge is created on every computing node and bridged to the first virtual bridge.
It should be noted that a second virtual bridge (the integration bridge, br-int) is created on each computing node; the virtual network cards of the virtual machines on that node are all bound to this second virtual bridge, and the virtual network cards of virtual machines belonging to different networks are isolated on it by different local VLAN tags. To allow the virtual machines of a computing node to be reached across nodes, a bridge must be established between the second virtual bridge and the first virtual bridge to which the service network physical network card is bound.
Specifically, a second virtual bridge br-int335 is created on computing node 330 and bridged to the first virtual bridge brVlan333; a second virtual bridge br-int345 is created on computing node 340 and bridged to the first virtual bridge brVlan343.
In this embodiment, creating the second virtual bridge on a computing node and bridging it to the first virtual bridge may also be implemented with Open vSwitch. For example, a second virtual bridge is created, a patch-type virtual network card is added to each of the first and second virtual bridges, and the two are set as each other's peer, using the following commands:
# create the second (integration) bridge
ovs-vsctl --may-exist add-br br-int
# patch port on the first virtual bridge, peered with the one on br-int
ovs-vsctl --may-exist add-port brVlan patch-brVlan \
    -- set Interface patch-brVlan type=patch \
    -- set Interface patch-brVlan options:peer=patch-br-int
# patch port on the second virtual bridge, peered with the one on brVlan
ovs-vsctl --may-exist add-port br-int patch-br-int \
    -- set Interface patch-br-int type=patch \
    -- set Interface patch-br-int options:peer=patch-brVlan
Step 6: create virtual machines on the computing node and bridge each virtual machine's virtual network card to the second virtual bridge.
It should be noted that the virtual network cards of the virtual machines on a computing node are bridged to that node's second virtual bridge. To isolate virtual machines that are not on the same network from one another, the virtual network cards of virtual machines belonging to different networks are given different local VLAN tags on the second virtual bridge.
Specifically, a virtual machine VM336 is created on computing node 330, its virtual network card is bridged to the second virtual bridge br-int335, and its local VLAN tag is set to 1; virtual machines VM346, VM347 and VM348 are created on computing node 340, the virtual network cards of VM346 and VM347 are bridged to the second virtual bridge br-int345 with local VLAN tag 1, and the virtual network card of VM348 is bridged to br-int345 with local VLAN tag 2.
Step 7: configure flow table rules on the first virtual bridge and the second virtual bridge of each computing node, converting between the local VLAN tag used on the second virtual bridge and the VLAN ID used on the first virtual bridge.
Specifically, the second virtual bridge br-int335 of computing node 330 is configured to convert VLAN 200 to local VLAN tag 1, and the first virtual bridge brVlan333 is configured to convert local VLAN tag 1 to VLAN 200, so that a virtual network card with local VLAN tag 1 on br-int335 and the network card with VLAN ID 200 on brVlan333 can interwork.
On computing node 340, the second virtual bridge br-int345 is configured to convert VLAN 200 to local VLAN tag 1 and VLAN 201 to local VLAN tag 2, and the first virtual bridge brVlan343 is configured to convert local VLAN tag 1 to VLAN 200 and local VLAN tag 2 to VLAN 201, so that the virtual network card with local VLAN tag 1 on br-int345 can interwork with the network card with VLAN ID 200 on brVlan343, and the virtual network card with local VLAN tag 2 on br-int345 can interwork with the network card with VLAN ID 201 on brVlan343.
In an embodiment, the conversion between the local VLAN tag on the second virtual bridge of the computing node and the VLAN ID on the first virtual bridge may be implemented through Open vSwitch with the following commands:
# on br-int: frames arriving from the patch port (ofport 2) tagged VLAN 200 are retagged with local tag 1
ovs-ofctl add-flow br-int "priority=3,in_port=2,dl_vlan=200,actions=mod_vlan_vid:1,NORMAL"
# on brVlan: frames arriving from the patch port (ofport 3) with local tag 1 are retagged with VLAN 200
ovs-ofctl add-flow brVlan "priority=4,in_port=3,dl_vlan=1,actions=mod_vlan_vid:200,NORMAL"
Step 8: configure IP addresses for the virtual management network card of each physical node and for the virtual network cards of the virtual machines, and configure the default route used when a virtual machine accesses the management network to be forwarded through the virtual management network card.
Specifically, the virtual network card vlannet315 on the control node 310 is configured with IP 169.253.128.2; the virtual network card vlannet324 on the network node 320 is configured with IP 169.253.128.3; the virtual network card vlannet334 on the computing node 330 is configured with IP 169.253.128.4, and the virtual network card of virtual machine VM336 with IP 169.253.128.11; the virtual network card vlannet344 on the computing node 340 is configured with IP 169.253.128.5, the virtual network card of virtual machine VM346 with IP 169.253.128.12, and the virtual network card of virtual machine VM347 with IP 169.253.128.13. At the same time, default routes are configured on VM336, VM346 and VM347 so that traffic from these virtual machines to the management network is forwarded through the virtual management network card of the computing node on which they reside.
Note that, since the local VLAN tag of virtual machine VM348 on the second virtual bridge br-int345 is 2, under the flow table rules configured above VM348 can only reach VLAN 201 and cannot reach the virtual management network with VLAN ID 200. That is, the local VLAN tags of the virtual machines on the second virtual bridge and the flow table rules may be set according to service requirements to designate which virtual machines may access the virtual management network.
In this embodiment, the default route of a virtual machine bound to the virtual management network is configured as follows. Taking an ordinary Linux virtual machine as an example, a route through the virtual network card attached to the virtual management network is added with the following command:
# inside the virtual machine: reach the virtual management network segment through eth0
ip route add 169.253.128.0/24 dev eth0
Step 9: configure iptables filter rules on each physical node, opening only the ports permitted by the cloud platform to virtual machines bound to the virtual management network, so as to improve network security.
Specifically, the control node 310 configures its iptables filter rules so that packets received on the vlannet314 interface are allowed only if the source IP is in the 169.253.128.0/24 segment, the destination IP is 10.21.1.41, the protocol is TCP and the destination port is one on which the cloud platform provides services (for example 35357 or 8774; the specific ports differ with the cloud platform services). The network node 320 configures its iptables filter rules so that packets received on vlannet324 are allowed only if the source IP is in 169.253.128.0/24, the destination IP is 10.21.1.42, the protocol is TCP and the destination port is a cloud platform service port. The computing node 330 configures its iptables filter rules so that packets received on vlannet334 are allowed only if the source IP is in 169.253.128.0/24, the destination IP is 10.21.1.43, the protocol is TCP and the destination port is a cloud platform service port. The computing node 340 configures its iptables filter rules so that packets received on vlannet344 are allowed only if the source IP is in 169.253.128.0/24, the destination IP is 10.21.1.44, the protocol is TCP and the destination port is a cloud platform service port.
Taking the control node 310 as an example, the iptables filter rules that open ports 35357 and 8774 are implemented with the following commands:
# accept TCP to the control node's management IP on the cloud platform service ports, arriving on vlannet
iptables -A INPUT -s 169.253.128.0/18 -d 10.21.1.41/32 -i vlannet -p tcp --dport 35357 -j ACCEPT
iptables -A INPUT -s 169.253.128.0/18 -d 10.21.1.41/32 -i vlannet -p tcp --dport 8774 -j ACCEPT
# drop everything else that arrives on vlannet
iptables -A INPUT -i vlannet -j DROP
After the control node 310 has configured these iptables filter rules, a virtual machine bound to the virtual management network can only reach the services on TCP ports 35357 and 8774 of the control node 310's management network, thereby ensuring network security.
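The VLAN translation of Step 7 and the filter of Step 9, modelled as an added example that is not code from the patent: it shows why VM348's local tag 2 never reaches VLAN 200, and that the /18 source prefix in the command listing admits 169.253.x sources outside the 169.253.128.0/24 segment the text names. Frame, Flow and Rule are constructed structures; node names, tags, VLAN IDs, ports and 169.253.128.12 come from the embodiment, while 169.253.150.7 and 169.253.200.5 are constructed sample sources.

```python
"""Model of Step 7 (VLAN translation between br-int345 and brVlan343) and
Step 9 (iptables INPUT filter on control node 310). Added illustration, not
the patent's code; Frame, Flow and Rule are constructed structures."""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Frame:
    src_ip: str
    dst_ip: str
    vlan: Optional[int] = None   # 802.1Q tag as seen inside the bridge
    proto: str = "tcp"
    dport: int = 0


@dataclass(frozen=True)
class Flow:
    bridge: str
    priority: int
    in_port: int     # ofport of the patch port the frame arrives on
    dl_vlan: int     # tag to match
    new_vid: int     # actions=mod_vlan_vid:<new_vid>,NORMAL


# Step 7 rules of computing node 340. The tag-1 rules are the two ovs-ofctl
# lines on the page; the tag-2 rules are the VLAN 201 mapping described for VM348.
FLOWS_NODE_340: List[Flow] = [
    Flow("br-int345", 3, 2, 200, 1),   # trunk VLAN 200 -> local tag 1
    Flow("br-int345", 3, 2, 201, 2),   # trunk VLAN 201 -> local tag 2
    Flow("brVlan343", 4, 3, 1, 200),   # local tag 1 -> trunk VLAN 200
    Flow("brVlan343", 4, 3, 2, 201),   # local tag 2 -> trunk VLAN 201
]


def apply_flows(frame: Frame, bridge: str, in_port: int,
                flows: List[Flow]) -> Frame:
    """Retag the frame with the highest-priority matching flow on `bridge`;
    with no match the frame is forwarded unchanged (plain NORMAL action)."""
    hits = [f for f in flows
            if f.bridge == bridge and f.in_port == in_port
            and f.dl_vlan == frame.vlan]
    if not hits:
        return frame
    return replace(frame, vlan=max(hits, key=lambda f: f.priority).new_vid)


def vm_egress_vlan(local_tag: int, flows: List[Flow] = FLOWS_NODE_340) -> int:
    """VLAN ID a VM frame carries when it leaves brVlan343 for the trunk:
    br-int345 stamps the VM port's local tag (tag=N modelled as a plain tag),
    the patch port delivers it to brVlan343 ofport 3, and Step 7 translates it."""
    frame = Frame("169.253.128.12", "10.21.1.41", vlan=local_tag)
    return apply_flows(frame, "brVlan343", 3, flows).vlan


@dataclass(frozen=True)
class Rule:
    iface: str
    src: Optional[str]      # CIDR, None = any
    dst: Optional[str]
    proto: Optional[str]
    dport: Optional[int]
    target: str             # ACCEPT or DROP


def control_node_rules(src_cidr: str) -> List[Rule]:
    """The three Step 9 rules of control node 310, in page order. The source
    prefix is a parameter because the text says /24 and the listing /18."""
    return [
        Rule("vlannet", src_cidr, "10.21.1.41/32", "tcp", 35357, "ACCEPT"),
        Rule("vlannet", src_cidr, "10.21.1.41/32", "tcp", 8774, "ACCEPT"),
        Rule("vlannet", None, None, None, None, "DROP"),
    ]


def input_verdict(frame: Frame, iface: str, rules: List[Rule]) -> str:
    """First-match walk of the INPUT chain. Frames on other interfaces fall
    through to the chain policy, which the page does not set ("POLICY")."""
    for r in rules:
        if r.iface != iface:
            continue
        if r.src and ip_address(frame.src_ip) not in ip_network(r.src):
            continue
        if r.dst and ip_address(frame.dst_ip) not in ip_network(r.dst):
            continue
        if (r.proto and r.proto != frame.proto) or (
                r.dport is not None and r.dport != frame.dport):
            continue
        return r.target
    return "POLICY"


def verdict_for(src_ip: str, dport: int, src_cidr: str) -> str:
    """Verdict for a constructed TCP packet to the control node's management
    IP 10.21.1.41 arriving on vlannet314, under the given source prefix."""
    pkt = Frame(src_ip, "10.21.1.41", vlan=200, proto="tcp", dport=dport)
    return input_verdict(pkt, "vlannet", control_node_rules(src_cidr))


if __name__ == "__main__":
    print({tag: vm_egress_vlan(tag) for tag in (1, 2)})
    for cidr in ("169.253.128.0/24", "169.253.128.0/18"):
        print(cidr, verdict_for("169.253.150.7", 8774, cidr))
```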
After the above steps are completed, a virtual machine bound to the virtual management network can access every physical node of the cloud platform. The following description takes as an example the virtual machine VM346 on computing node 340 accessing the management network (IP 10.21.1.41) of the control node 310:
When virtual machine VM346 accesses destination IP 10.21.1.41, it first sends an ARP broadcast message. On reaching the second virtual bridge br-int345 the message is given local VLAN tag 1 and is then forwarded to the first virtual bridge brVlan343. Because brVlan343 carries the flow table rule converting local VLAN tag 1 to VLAN 200, the ARP broadcast for destination IP 10.21.1.41 is broadcast in VLAN 200.
Both the virtual management network card vlannet344 and the service network physical network card eth342 on computing node 340 receive it. vlannet344 discards the ARP broadcast for destination IP 10.21.1.41, since that address is not its own; eth342 forwards it to the service network switch 360. Because the switch ports connected to the control node 310, network node 320 and computing node 330 are trunk ports, the service network physical network cards eth312 of the control node 310, eth322 of the network node 320 and eth332 of the computing node 330 all receive the ARP broadcast message with VLAN ID 200.
The message is then forwarded to the first virtual bridges brVlan313, brVlan323 and brVlan333 of the respective nodes. Since the VLAN IDs of the virtual management network cards vlannet314, vlannet324 and vlannet334 are all 200, all three receive the ARP broadcast for destination IP 10.21.1.41; that is, the control node 310, network node 320 and computing node 330 all receive it. Only the control node 310 finds that its own management network IP is 10.21.1.41, so it alone replies to virtual machine VM346, with the source MAC of the ARP reply being the MAC of vlannet314. After receiving the ARP reply for IP 10.21.1.41, VM346 records in its ARP table that the MAC for destination IP 10.21.1.41 is the MAC of vlannet314, and subsequent accesses from VM346 to management IP 10.21.1.41 set the destination MAC of the message directly to the MAC of vlannet346, so that the control node 310 receives the access request of VM346, thereby implementing the virtual machine's access to the cloud platform management network.
In summary, the method provided by the invention for a virtual machine to access the cloud platform management network selects a virtual local area network on the service network as the virtual management network without changing the physical isolation between the cloud platform management network and the service network, creates a network based on that virtual management network, selects an IP network segment as the segment of the virtual management network, and configures flow table rules on the virtual bridges of the cloud platform physical nodes, so that the virtual machines bound to the virtual management network and the cloud platform physical nodes are connected at layer 2 through the virtual management network and those virtual machines can reach the management network of the physical nodes through it; at the same time, iptables filter rules are configured on the cloud platform physical nodes, adding security restrictions on the virtual machines of the virtual management network so as to ensure the network security of the physical nodes.
Referring to fig. 4, based on the same inventive concept as the method for accessing the cloud platform management network by the virtual machine, the present invention provides an apparatus 400 for accessing the cloud platform management network by the virtual machine, which includes a first creation module 401, a second creation module 402, and a configuration module 403.
The first creation module 401 is configured to create a first virtual bridge that interworks with the service network on the physical node. The second creating module 402 is configured to create a virtual management network that interworks with a management network on the physical node based on the first virtual bridge. The configuration module 403 is configured to communicate a virtual machine on the physical node with the virtual management network, and configure a default route when the virtual machine accesses the management network, so that the virtual machine can access the management network based on the virtual management network.
Referring to fig. 5, an embodiment of the present invention further provides an electronic device 500, where the electronic device 500 includes at least one processor 501, a memory 502 (e.g., a nonvolatile memory), a memory 503, and a communication interface 504, and the at least one processor 501, the memory 502, the memory 503, and the communication interface 504 are connected together via a bus 505. The at least one processor 501 is configured to invoke at least one program instruction stored or encoded in the memory 502 to cause the at least one processor 501 to perform various operations and functions of the method of accessing a cloud platform management network by a virtual machine described in various embodiments of the present description.
In embodiments of the present description, electronic device 500 may include, but is not limited to: personal computers, server computers, workstations, desktop computers, laptop computers, notebook computers, mobile electronic devices, smart phones, tablet computers, cellular phones, Personal Digital Assistants (PDAs), handsets, messaging devices, wearable electronic devices, consumer electronic devices, and the like.
Embodiments of the present invention also provide a computer readable medium having computer-executable instructions carried thereon, where the computer-executable instructions, when executed by a processor, may be used to implement various operations and functions of a method for accessing a cloud platform management network by a virtual machine as described in various embodiments of the present specification.
The computer readable medium in the present invention may be a computer readable signal medium or a computer readable storage medium or any combination of the two. The computer readable storage medium can be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or a combination of any of the foregoing. More specific examples of the computer-readable storage medium may include, but are not limited to: an electrical connection having one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the context of this document, a computer readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device.
In the present invention, however, the computer-readable signal medium may include a data signal propagated in baseband or as part of a carrier wave, with the computer-readable program code embodied therein. Such a propagated data signal may take any of a variety of forms, including, but not limited to, electro-magnetic, optical, or any suitable combination of the foregoing. A computer readable signal medium may also be any computer readable medium that is not a computer readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device. Program code embodied on a computer readable medium may be transmitted using any appropriate medium, including but not limited to: wireless, wire, fiber optic cable, RF, etc., or any suitable combination of the foregoing.
It will be appreciated by those skilled in the art that embodiments of the present invention may be provided as a method, system, or computer program product. Accordingly, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present invention may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present invention is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus, systems, and computer program products according to embodiments of the invention. It will be understood that each flow and/or block of the flowchart illustrations and/or block diagrams, and combinations of flows and/or blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
The foregoing descriptions of specific exemplary embodiments of the present invention are presented for purposes of illustration and description. It is not intended to limit the invention to the precise form disclosed, and obviously many modifications and variations are possible in light of the above teaching. The exemplary embodiments were chosen and described in order to explain the specific principles of the invention and its practical application to thereby enable one skilled in the art to make and utilize the invention in various exemplary embodiments and with various modifications as are suited to the particular use contemplated. It is intended that the scope of the invention be defined by the claims and their equivalents.

Claims (10)

1. A method for a virtual machine to access a cloud platform management network, comprising:
creating a first virtual network bridge which is communicated with a service network on a physical node of a cloud platform;
creating a virtual management network interworking with a management network on the physical node based on the first virtual bridge;
and communicating the virtual machine on the physical node with the virtual management network, and configuring a default route when the virtual machine accesses the management network, so that the virtual machine can access the management network based on the virtual management network.
2. The method for accessing a cloud platform management network by a virtual machine according to claim 1, wherein creating a first virtual bridge interworking with a service network on a physical node of the cloud platform comprises:
creating a first virtual network bridge on a physical node of a cloud platform, and binding a service network physical network card of the physical node to the first virtual network bridge.
3. The method for accessing a cloud platform management network by a virtual machine according to claim 1, wherein creating a virtual management network interworking with a management network on the physical node based on the first virtual bridge comprises:
creating a virtual management network card with a preset VLAN ID on the physical node based on the first virtual network bridge, so that the virtual management network card communicates with a management network physical network card of the physical node.
4. The method for accessing a cloud platform management network by a virtual machine of claim 3, wherein communicating the virtual machine on the physical node with the virtual management network comprises:
creating a second virtual bridge on the physical node that bridges the first virtual bridge;
bridging a virtual network card of a virtual machine on the physical node with the second virtual network bridge;
and configuring a flow table rule on the first virtual network bridge and the second virtual network bridge so as to enable the virtual management network card and the virtual network card of the virtual machine to communicate.
5. The method for the virtual machine to access the cloud platform management network of claim 4, said method further comprising:
when the physical node is provided with a plurality of virtual machines belonging to different networks, configuring different local VLAN tags on the second virtual network bridge for the virtual network cards of the virtual machines of the different networks.
6. The method for accessing a cloud platform management network by a virtual machine according to claim 3, wherein configuring a default route when the virtual machine accesses the management network comprises:
configuring IP addresses for the virtual network card of the virtual machine and for the virtual management network card, and configuring the default route used when the virtual machine accesses the management network to be forwarded through the virtual management network card.
7. The method for a virtual machine to access a cloud platform management network of claim 1, the method further comprising:
configuring an iptables filter rule for the physical node.
8. An apparatus for accessing a cloud platform management network by a virtual machine, comprising:
a first creation module for creating a first virtual bridge interworking with the service network on the physical node;
a second creation module, configured to create a virtual management network that interworks with a management network on the physical node based on the first virtual bridge;
and the configuration module is used for communicating the virtual machine on the physical node with the virtual management network and configuring a default route when the virtual machine accesses the management network so that the virtual machine can access the management network based on the virtual management network.
9. An electronic device comprising a memory, a processor, and a computer program stored on the memory and executable on the processor, wherein the processor implements the method of accessing a cloud platform management network for a virtual machine as claimed in any one of claims 1 to 7 when the program is executed by the processor.
10. A computer readable medium having computer executable instructions carried therein, which when executed by a processor is adapted to carry out a method of accessing a cloud platform management network by a virtual machine according to any of claims 1 to 7.
CN202310397399.0A 2023-04-13 2023-04-13 Method, device, equipment and medium for virtual machine to access cloud platform management network Pending CN116346536A (en)
Publications (1)

Publication Number Publication Date
CN116346536A true CN116346536A (en) 2023-06-27
Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination