CN116800605B - Network implementation method, system, equipment and medium for running virtual machine in container - Google Patents

Info

Publication number: CN116800605B
Application number: CN202311075599.0A
Authority: CN (China)
Prior art keywords: virtual machine, port, ebpf, tap, network
Legal status: Active
Other languages: Chinese (zh)
Other versions: CN116800605A
Inventors: 廖桥生, 李明, 金伟毅, 种保中
Current assignee: Suzhou Sicui Industrial Internet Technology Research Institute Co ltd
Original assignee: Suzhou Sicui Industrial Internet Technology Research Institute Co ltd
Application filed by: Suzhou Sicui Industrial Internet Technology Research Institute Co ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/08 Configuration management of networks or network elements
    • H04L41/0803 Configuration setting
    • H04L41/0806 Configuration setting for initial configuration or provisioning, e.g. plug-and-play
    • H04L41/0895 Configuration of virtualised networks or elements, e.g. virtualised network function or OpenFlow elements
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00 Arrangements for program control, e.g. control units
    • G06F9/06 Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/44 Arrangements for executing specific programs
    • G06F9/455 Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
    • G06F9/45533 Hypervisors; Virtual machine monitors
    • G06F9/45558 Hypervisor-specific management and integration aspects
    • G06F2009/45595 Network integration; Enabling network access in virtual machine instances

Abstract

The invention discloses a network implementation method, system, device and medium for running a virtual machine in a container, belonging to the technical field of containers. It addresses the problem of shortening the data link between the virtual machine network and the CNI data plane module of the node where the virtual machine is located, and of skipping unnecessary kernel network protocol stack processing such as netfilter in the Pod network namespace, without changing the original architecture of kubevirt and while conforming to the Kubernetes standard requirements on the Pod network. The technical solution is as follows: create an eBPF plugin based on the network card configuration of the virtual machine running in the container; configure the eBPF plugin on the tap port of the virtual machine in the container, intercepting the ingress traffic of the virtual machine tap port and redirecting it to the port of the veth pair device in the container; and configure the eBPF plugin on the port of the veth pair device in the container.

Description

Network implementation method, system, equipment and medium for running virtual machine in container
Technical Field
The invention relates to the technical field of containers, in particular to a network implementation method, system, device and medium for running a virtual machine in a container.
Background
Kubevirt is currently the mainstream technology for managing virtual machines on a Kubernetes platform. Each kubevirt virtual machine corresponds to one VMI object and one Pod object in Kubernetes. An independent virt-launcher process and a libvirt process are started in the Pod of each kubevirt virtual machine; the virt-launcher process watches for configuration changes of the virtual machine's VMI object, updates the virtual machine's XML configuration and hands it to the libvirt process in the Pod, and the libvirt process manages the life cycle of the virtual machine's qemu process according to that XML configuration.
Because Kubernetes itself imposes certain specifications (CNI) on the Pod network, the tap port of the kubevirt virtual machine, which lives in the Pod's network namespace, cannot communicate directly with the network of the node where the Pod is located and cannot be connected to the data plane module of the CNI on the node; for example, it cannot be attached to the ovs bridge of the kube-ovn CNI.
At present, kubevirt provides binding methods for connecting to the CNI data plane module that support masquerade, bridge, passt, slirp, sriov and other technologies. Because masquerade, passt and slirp cannot configure a real IP address in the virtual machine and cannot support trunking, they do not meet standard virtual machine network requirements; sriov requires that the node network card support SR-IOV, its configuration is very complex, its hardware requirements are higher, and it cannot be used universally. The more universal binding method for connecting a kubevirt virtual machine to the CNI data plane module is the bridge technology.
As shown in fig. 1, the bridge technology of the prior art is applied as follows: a linux bridge and a veth pair device are created in the Pod to which the virtual machine belongs; the tap port of the virtual machine in the Pod and one port of the veth pair device are connected to the linux bridge, and the other port of the veth pair device is connected to the data plane module of the node's CNI. In this way the tap port of the virtual machine in the Pod can reach the CNI data plane module network on the node, and the virtual machine in the Pod can communicate with other Pods or virtual machines of the container platform through the CNI data plane module.
However, with the bridge technology, traffic between the virtual machine network and the node's CNI data plane module additionally passes through the linux bridge in the Pod, and also through unnecessary kernel network protocol stack paths such as netfilter in the Pod network namespace; the excessively long network link and the unnecessary kernel protocol stack processing greatly increase network delay and reduce network efficiency.
Therefore, how to shorten the data link between the virtual machine network and the CNI data plane module of the node where it is located, skip unnecessary kernel network protocol stack processing such as netfilter in the Pod network namespace, avoid network delay and improve network efficiency, without changing the original architecture of kubevirt and while meeting the Kubernetes specification (CNI) requirements on the Pod network, is a technical problem urgently to be solved at present.
Disclosure of Invention
The technical task of the invention is to provide a network implementation method, system, device and medium for running a virtual machine in a container, which shorten the data link between the virtual machine network and the CNI data plane module of the node where the virtual machine is located, skip unnecessary kernel network protocol stack processing such as netfilter in the Pod network namespace, avoid network delay and improve network efficiency, without changing the original architecture of kubevirt and while conforming to the Kubernetes specification (CNI) requirements on the Pod network.
The technical task of the invention is achieved as follows: a network implementation method for running a virtual machine in a container, applied to a virtual machine managed by a Kubernetes platform, specifically comprises the following steps:
creating an eBPF plugin based on the network card configuration of the virtual machine running in the container;
configuring the eBPF plugin on the tap port of the virtual machine in the container, intercepting the ingress traffic of the virtual machine tap port and redirecting it to the port of the veth pair device in the container;
and configuring the eBPF plugin on the port of the in-container veth pair device, intercepting the ingress traffic of that port and redirecting it to the virtual machine tap port.
Preferably, the eBPF plugin is created based on the network card configuration of the running virtual machine in the container specifically as follows:
running a virtual machine in the Pod with independent network namespaces, wherein the virtual machine is provided with one or more network cards, each network card of the virtual machine is provided with a tap port which corresponds to the network card one by one and can communicate with the network card in the Pod, and the one or more tap ports of the virtual machine are positioned in the Pod network namespaces;
each tap port of the virtual machine corresponds to one veth pair device one by one, and each veth pair device is provided with two ports, namely a veth pair device first port and a veth pair device second port; the first port of the veth pair equipment is positioned in a default network naming space of the node to which the Pod belongs and is connected with a CNI data plane module of the node to which the Pod belongs; the second port of the veth pair device is located in the Pod network namespace;
creating an eBPF plug-in based on one or more tap ports of the virtual machine and a second port of the veth pair device corresponding to the one or more tap ports; the association relation between one or more tap ports of the virtual machine and a second port of the veth pair device corresponding to the one or more tap ports is stored in an eBPF map of the eBPF plug-in.
More preferably, when the eBPF plugin intercepts and redirects the ingress traffic of the virtual machine tap port to the in-container veth pair device port, it may intercept and redirect either part of that ingress traffic or all of it;
likewise, when the eBPF plugin intercepts and redirects the ingress traffic of the in-container veth pair device port to the virtual machine tap port, it may intercept and redirect either part of that ingress traffic or all of it.
More preferably, the eBPF map of the eBPF plugin stores the association between one or more tap ports of the virtual machine and the second port of the veth pair device corresponding to each tap port, specifically as follows:
taking the names of the one or more tap ports of the virtual machine as keys, and the names of the veth pair device second ports corresponding to those tap ports as values, to form the first key-value pairs;
taking the names of the veth pair device second ports corresponding to the one or more tap ports as keys, and the names of those tap ports as values, to form the second key-value pairs;
and merging the first key-value pairs with the second key-value pairs and storing the merged result in the eBPF map of the eBPF plugin.
Preferably, the eBPF plugin is configured on the tap port of the virtual machine in the container and intercepts the ingress traffic of that tap port and redirects it to the in-container veth pair device port, specifically as follows:
configuring an eBPF plug-in on one or more tap ports of the virtual machine, wherein the eBPF plug-in is used for intercepting and redirecting the ingress traffic of the one or more tap ports of the virtual machine to a second port of the veth pair equipment corresponding to the one or more tap ports of the virtual machine; the ingress traffic of one or more tap ports of the virtual machine refers to uplink traffic of the virtual machine network card corresponding to the one or more tap ports.
Preferably, the eBPF plugin is configured on the veth pair device port in the container and intercepts the ingress traffic of that port and redirects it to the virtual machine tap port, specifically as follows:
the eBPF plugin configured on the second port of the veth pair device corresponding to each of the one or more tap ports of the virtual machine intercepts the ingress traffic of that second port and redirects it to the corresponding tap port; the ingress traffic of the veth pair device second port corresponding to a tap port refers to the downlink traffic of the virtual machine network card corresponding to that tap port;
the eBPF plugin performs the interception and redirection by querying the destination port with the key-value pairs stored in its eBPF map, specifically: it takes the name of the tap port or veth pair device second port on which it is configured as the key, finds the corresponding value in the eBPF map of the eBPF plugin, and uses that value as the destination port name.
A network implementation system for running a virtual machine in a container, used to implement the network implementation method above, comprises a network plugin configuration module, a monitoring module and a Pod configuration module;
the network plugin configuration module is used to create the eBPF plugin, which intercepts the ingress traffic of one or more tap ports of the virtual machine and redirects it to the second port of the veth pair device corresponding to each of those tap ports;
the monitoring module is used to monitor changes to the Pod and virtual machine resources through the Kubernetes watch API;
when the monitoring module detects that a Pod running a virtual machine has been newly added on the node, the Pod configuration module creates an eBPF plugin for the virtual machine running in that Pod through the network plugin configuration module, and configures the eBPF plugin on one or more tap ports of the virtual machine in the Pod and on the second port of the veth pair device corresponding to each of those tap ports, the network plugin configuration module calling the eBPF interface in the operating system kernel to do so.
Preferably, when the Pod configuration module detects through the monitoring module that a Pod running a virtual machine has been deleted on the node, it calls the eBPF interface through the network plugin configuration module to remove the eBPF plugin from the one or more tap ports of the virtual machine and from the second port of the corresponding veth pair device in the operating system kernel, and deletes the eBPF plugin.
An electronic device, comprising: a memory and at least one processor;
wherein the memory has a computer program stored thereon;
the at least one processor executes the computer program stored by the memory, causing the at least one processor to perform the network implementation method of running virtual machines in containers as described above.
A computer readable storage medium having stored therein a computer program executable by a processor to implement a network implementation method of running a virtual machine in a container as described above.
The eBPF (Extended Berkeley Packet Filter) is a technology capable of running a user program in a linux system kernel, allowing specific functions to be realized without modifying kernel codes or loading kernel modules, and the eBPF provides a plurality of hook points in the process of receiving and transmitting network data packets, so that operations such as capturing, filtering, modifying or redirecting the network data packets can be performed.
The eBPF map is a data structure which resides in a kernel and is stored in a key value pair form, and functions of user mode and kernel mode data exchange, data storage, multi-program sharing data and the like are provided.
Kubernetes is an open-source container orchestration engine, and is currently the most mainstream container management platform.
A Pod is a combination of one or more containers and is the smallest unit that Kubernetes can create, schedule and manage; the containers in a Pod share storage, network and namespace specifications and how they are run.
The veth pair (Virtual Ethernet Pair) is a pair of ports, and all packets coming in from one end of the pair will come out from the other end, and vice versa.
The network implementation method, system, device and medium for running a virtual machine in a container have the following advantages:
the invention is the first to interconnect, through eBPF technology, the tap port of the virtual machine in the container with the veth pair device port connected to the CNI data plane module; this does not lengthen the data link between the virtual machine network and the CNI data plane module, and skips the kernel network protocol stack processing of the container network namespace, thereby reducing the virtual machine's network delay and improving network efficiency;
without changing the original architecture of kubevirt and while meeting the Kubernetes specification (CNI) requirements on the Pod network, the invention interconnects, through linux eBPF technology, the tap port of the virtual machine in the Pod with the CNI data plane module network of the node where the Pod is located; this does not lengthen the data link between the virtual machine network and the CNI data plane module of that node, and skips unnecessary kernel network protocol stack processing such as netfilter in the Pod network namespace, thereby greatly reducing the network delay of the virtual machine in the container and improving network efficiency.
Drawings
The invention is further described below with reference to the accompanying drawings.
FIG. 1 is a schematic diagram of an application of a method for implementing a network for running virtual machines in a container according to the prior art;
FIG. 2 is a flow chart of a method for implementing a network of running virtual machines in a container;
FIG. 3 is a schematic diagram of an application for implementing a method for running a virtual machine network in a container;
FIG. 4 is a schematic diagram of a virtual machine running in a container accessing the outside through an eBPF plugin;
FIG. 5 is a block diagram of a system for implementing a network of running virtual machines in a container.
Detailed Description
The network implementation method, system, device and medium for running virtual machines in a container of the present invention are described in detail below with reference to the accompanying drawings and specific embodiments of the present invention.
Example 1:
As shown in fig. 2, the present embodiment provides a network implementation method for running a virtual machine in a container, applied to a virtual machine managed by a Kubernetes platform; the method specifically includes:
S1, creating an eBPF plugin based on the network card configuration of the virtual machine running in the container; the step comprises the following:
S101, running a virtual machine in a Pod with an independent network namespace, wherein the virtual machine has one or more network cards, each network card of the virtual machine has a one-to-one corresponding tap port in the Pod that can communicate with that network card, and the one or more tap ports of the virtual machine are located in the Pod network namespace; as shown in fig. 3, Pod1 has an independent network namespace, a virtual machine VM1 is running in Pod1, VM1 has two network cards eth0 and eth1, which are connected to the tap0 port and the tap1 port in the Pod respectively, and both tap0 and tap1 are located in the Pod1 network namespace.
S102, each tap port of a virtual machine running in a Pod corresponds to one veth pair device one by one, and each veth pair device is provided with two ports, namely a veth pair device first port and a veth pair device second port; the first port of the veth pair equipment is positioned in a default network naming space of the node to which the Pod belongs and is connected with a CNI data plane module of the node to which the Pod belongs; the veth pair device second port is located in the Pod network namespace. As shown in fig. 3, pod1 has two veth pair devices, where a veth pair device composed of nic-eth0 and veth0 corresponds to a tap0 port, a veth pair device composed of nic-eth1 and veth1 corresponds to a tap1 port, the first ports of the two veth pair devices are veth0 and veth1, respectively, the veth0 and veth1 are located in a default network namespace of node1 to which Pod1 belongs and are connected with CNI data plane module 1 of node1, the second ports of the two veth pair devices are nic-eth0 and nic-eth1, and the nic-eth0 and nic-eth1 are located in a network namespace of Pod1, and are not connected with any bridge.
S103, an eBPF plug-in is created based on one or more tap ports of the virtual machine and a veth pair device second port corresponding to the one or more tap ports, and the association relation between the one or more tap ports of the virtual machine and the veth pair device second port corresponding to the one or more tap ports is stored in an eBPF map of the eBPF plug-in. As shown in fig. 3, an eBPF plug-in 1 is created based on a network card configuration of a virtual machine VM1 running in Pod1, and the eBPF map of the eBPF plug-in 1 stores association relations between tap0 and a nic-eth0 port, and between tap1 and a nic-eth1 port, where the specific contents in the eBPF map of the eBPF plug-in 1 are:
{
    'tap0' : 'nic-eth0',
    'tap1' : 'nic-eth1',
    'nic-eth0' : 'tap0',
    'nic-eth1' : 'tap1',
}.
S2, configuring the eBPF plugin on the tap port of the virtual machine in the container, intercepting the ingress traffic of the virtual machine tap port and redirecting it to the veth pair device port in the container.
In this embodiment, the eBPF plugin created from the network card configuration of the virtual machine running in the Pod is configured on one or more tap ports of the virtual machine, and the direction in which it is configured on those tap ports is ingress. As shown in fig. 3, eBPF plugin 1 is configured on the tap0 port and the tap1 port, and the configuration direction is ingress.
S3, configuring the eBPF plugin on the veth pair device port in the container, intercepting the ingress traffic of the veth pair device port in the container and redirecting it to the virtual machine tap port; the step comprises the following:
configuring the eBPF plugin created from the network card configuration of the virtual machine running in the Pod on the second port of the veth pair device corresponding to each tap port of the virtual machine, the direction in which it is configured on that second port being ingress. As shown in fig. 3, eBPF plugin 1 is configured on the nic-eth0 port and the nic-eth1 port, and the configuration direction is ingress.
As shown in fig. 4, the data links over which the eth0 and eth1 network cards of virtual machine VM1 and CNI data plane module 1 access each other are drawn as dashed lines. Taking mutual access between the VM1 eth0 network card and CNI data plane module 1 as the example: first, after a packet from VM1 eth0 destined for CNI data plane module 1 reaches tap0, eBPF plugin 1 configured on tap0 intercepts it and redirects it to the nic-eth0 port; because nic-eth0 and veth0 belong to the same veth pair, the packet received by nic-eth0 is forwarded directly to veth0, and since veth0 is bound to CNI data plane module 1, CNI data plane module 1 receives the packet sent by VM1 eth0. Similarly, when CNI data plane module 1 accesses the VM1 eth0 network card, the packet is forwarded to the veth0 interface; because nic-eth0 and veth0 belong to the same veth pair, the packet received by veth0 is forwarded directly to nic-eth0, and once it reaches nic-eth0, eBPF plugin 1 configured on nic-eth0 intercepts it and redirects it to the tap0 port, from which it reaches the VM1 eth0 network card.
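As an added example (not the patent's own code), the following Python model walks steps S1 to S3 for the Fig. 3 topology: it builds the merged eBPF map of S103, applies the ingress lookup of S2/S3 keyed by port name as the text describes, and traces the uplink and downlink paths of Fig. 4 plus the unmapped-port case. A real TC program would key on ifindex and call bpf_redirect(); tc_ingress_hook and NodeModel.trace are stand-ins for that, and TC_ACT_OK/TC_ACT_REDIRECT, NodeModel and make_fig3_node are names chosen here.

```python
from typing import Dict, List, Optional, Set, Tuple

TC_ACT_OK = 0        # kernel TC verdict: let the frame continue into the Pod's network stack
TC_ACT_REDIRECT = 7  # kernel TC verdict returned after bpf_redirect() chose another device


def build_ebpf_map(nic_config: Dict[str, str]) -> Dict[str, str]:
    """Steps S101-S103: from {tap port: veth second port} build the first and second
    key-value pairs and merge them into the single table loaded into the eBPF map."""
    first = dict(nic_config)                                   # tap -> veth second port
    second = {veth: tap for tap, veth in nic_config.items()}   # veth second port -> tap
    if len(second) != len(first):
        raise ValueError("two tap ports share one veth second port")
    if set(first) & set(second):
        raise ValueError("a tap port and a veth port share a name; lookups would be ambiguous")
    return {**first, **second}


def tc_ingress_hook(ebpf_map: Dict[str, str], ingress_port: str) -> Tuple[int, Optional[str]]:
    """The plugin's ingress program: key = name of the port it was hit on,
    value = destination port. Ports without an entry are passed through."""
    dst = ebpf_map.get(ingress_port)
    if dst is None:
        return TC_ACT_OK, None
    return TC_ACT_REDIRECT, dst


class NodeModel:
    """Node1/Pod1 of Fig. 3: taps wired to VM nics, veth pairs, and the first
    ports bound to the CNI data plane. The plugin is attached in the ingress
    direction on every port named in the eBPF map (steps S2 and S3)."""

    def __init__(self, ebpf_map: Dict[str, str], veth_pairs: Dict[str, str],
                 cni_ports: Set[str], vm_nic_of_tap: Dict[str, str]) -> None:
        self.ebpf_map = ebpf_map
        self.peer: Dict[str, str] = {}
        for second, first in veth_pairs.items():
            self.peer[second] = first
            self.peer[first] = second
        self.cni_ports = cni_ports
        self.vm_nic_of_tap = vm_nic_of_tap
        self.hooked: Set[str] = set(ebpf_map)

    def trace(self, ingress_port: str, max_hops: int = 8) -> List[str]:
        """Follow a frame arriving at ingress_port until it reaches a VM nic,
        the CNI data plane, or (no map entry) the Pod's own network stack."""
        path = [ingress_port]
        port = ingress_port
        for _ in range(max_hops):
            if port in self.cni_ports:          # the CNI data plane owns this port
                path.append("cni-data-plane")
                return path
            action, dst = (tc_ingress_hook(self.ebpf_map, port)
                           if port in self.hooked else (TC_ACT_OK, None))
            if action != TC_ACT_REDIRECT:       # would traverse netfilter etc., the path the patent avoids
                path.append("pod-network-stack")
                return path
            path.append(dst)
            if dst in self.vm_nic_of_tap:       # egress on a tap hands the frame to the VM nic
                path.append(self.vm_nic_of_tap[dst])
                return path
            port = self.peer[dst]               # egress on a veth port appears at its peer's ingress
            path.append(port)
        raise RuntimeError("redirect loop: check the eBPF map for cross-wired ports")


def make_fig3_node() -> NodeModel:
    """Constructed topology from Fig. 3: VM1 eth0->tap0, eth1->tap1;
    veth pairs (nic-eth0, veth0) and (nic-eth1, veth1); veth0/veth1 on the CNI."""
    ebpf_map = build_ebpf_map({"tap0": "nic-eth0", "tap1": "nic-eth1"})
    return NodeModel(ebpf_map,
                     veth_pairs={"nic-eth0": "veth0", "nic-eth1": "veth1"},
                     cni_ports={"veth0", "veth1"},
                     vm_nic_of_tap={"tap0": "eth0", "tap1": "eth1"})


if __name__ == "__main__":
    node = make_fig3_node()
    print("VM1 eth0 -> CNI :", " -> ".join(node.trace("tap0")))      # uplink of Fig. 4
    print("CNI -> VM1 eth0 :", " -> ".join(node.trace("nic-eth0")))  # downlink of Fig. 4
    print("unmapped port   :", " -> ".join(node.trace("tap9")))
```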
Example 2:
This embodiment provides a network implementation system for running virtual machines in a container, applied to a virtual machine managed by a Kubernetes platform. As shown in fig. 5, the system includes a network plugin configuration module, a monitoring module and a Pod configuration module;
the network plugin configuration module is used to create the eBPF plugin, which is to be configured on one or more tap ports of the virtual machine and on the second port of the veth pair device corresponding to each of those tap ports;
the monitoring module monitors changes to Pod, virtual machine and other resources through the Kubernetes watch API;
when the Pod configuration module learns through the monitoring module that a Pod running a virtual machine has been newly added on the node, it creates, based on the newly added virtual machine running in the Pod, an eBPF plugin for that virtual machine through the network plugin configuration module, and configures the eBPF plugin on one or more tap ports of the virtual machine in the Pod and on the second port of the veth pair device corresponding to each of those tap ports, the network plugin configuration module calling the eBPF interface in the operating system kernel to do so.
In this embodiment, when the Pod configuration module learns through the monitoring module that a Pod running a virtual machine has been deleted on the node, it calls the eBPF interface through the network plugin configuration module to remove the eBPF plugin from the one or more tap ports of the virtual machine and from the second port of the corresponding veth pair device in the operating system kernel, and deletes the eBPF plugin.
For the parts of this embodiment that are the same as embodiment 1, refer to embodiment 1; they are not repeated here. The network implementation system for running a virtual machine in a container disclosed in this embodiment can be deployed in scenarios such as a hyper-converged appliance, a computer, a server, a data center, a virtual cluster, a portable mobile terminal, a Web system, a financial payment platform or ERP system, or a virtual online payment platform/system.
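As an added example (not the patent's own code), the following Python model of the Example 2 control loop shows the Pod configuration module reacting to Pod ADDED and DELETED events: it creates and attaches one plugin per VM, ignores Pods on other nodes and re-delivered events, and detaches from every port and unloads the program on deletion so that no stale eBPF attachment is left behind. The watch events, the KernelEbpfInterface stand-in for the kernel's eBPF/TC interface, and the example.invalid annotation carrying the {tap: veth second port} configuration are all constructed here.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed annotation name; a real annotation value would be a JSON string.
NIC_ANNOTATION = "example.invalid/vm-nic-config"


@dataclass
class KernelEbpfInterface:
    """Stand-in for the kernel eBPF/TC interface: loaded plugins and ingress attachments."""
    programs: Dict[str, Dict[str, str]] = field(default_factory=dict)  # plugin id -> eBPF map contents
    attached: Dict[str, str] = field(default_factory=dict)             # port -> plugin id

    def load(self, plugin_id: str, ebpf_map: Dict[str, str]) -> None:
        self.programs[plugin_id] = dict(ebpf_map)

    def attach_ingress(self, port: str, plugin_id: str) -> None:
        owner = self.attached.get(port)
        if owner is not None and owner != plugin_id:
            raise RuntimeError(f"{port} already carries plugin {owner}")
        self.attached[port] = plugin_id

    def detach_ingress(self, port: str) -> None:
        self.attached.pop(port, None)

    def unload(self, plugin_id: str) -> None:
        self.programs.pop(plugin_id, None)


class NetworkPluginConfigModule:
    """Creates one plugin per VM and attaches or removes it via the kernel interface."""

    def __init__(self, kernel: KernelEbpfInterface) -> None:
        self.kernel = kernel

    def create_plugin(self, pod_uid: str, nic_config: Dict[str, str]) -> Tuple[str, List[str]]:
        # first key-value pairs (tap -> veth second port) merged with the reverse pairs
        ebpf_map = {**nic_config, **{veth: tap for tap, veth in nic_config.items()}}
        plugin_id = f"ebpf-{pod_uid}"
        self.kernel.load(plugin_id, ebpf_map)
        return plugin_id, sorted(ebpf_map)   # every tap and veth second port gets the plugin

    def attach(self, plugin_id: str, ports: List[str]) -> None:
        for port in ports:
            self.kernel.attach_ingress(port, plugin_id)

    def remove(self, plugin_id: str, ports: List[str]) -> None:
        for port in ports:
            self.kernel.detach_ingress(port)
        self.kernel.unload(plugin_id)


class PodConfigModule:
    """Consumes Pod watch events for this node and keeps plugin state in step with them."""

    def __init__(self, node_name: str, plugin_module: NetworkPluginConfigModule) -> None:
        self.node_name = node_name
        self.plugin_module = plugin_module
        self.plugins: Dict[str, Tuple[str, List[str]]] = {}   # pod uid -> (plugin id, ports)

    def handle_event(self, event: Dict) -> Optional[str]:
        pod = event["object"]
        uid = pod["metadata"]["uid"]
        nic_config = pod["metadata"].get("annotations", {}).get(NIC_ANNOTATION)
        if pod["spec"].get("nodeName") != self.node_name or nic_config is None:
            return None   # not on this node, or not a Pod running a virtual machine
        if event["type"] == "ADDED":
            if uid in self.plugins:
                return "already-configured"   # the watch re-delivered the event; stay idempotent
            plugin_id, ports = self.plugin_module.create_plugin(uid, nic_config)
            self.plugin_module.attach(plugin_id, ports)
            self.plugins[uid] = (plugin_id, ports)
            return "configured"
        if event["type"] == "DELETED":
            state = self.plugins.pop(uid, None)
            if state is None:
                return None
            self.plugin_module.remove(*state)   # detach from every port, then delete the plugin
            return "removed"
        return None


def pod_event(kind: str, uid: str, node: str, nic_config: Dict[str, str]) -> Dict:
    """Constructed watch event in the shape of a Kubernetes Pod object."""
    return {"type": kind,
            "object": {"metadata": {"uid": uid, "annotations": {NIC_ANNOTATION: nic_config}},
                       "spec": {"nodeName": node}}}


if __name__ == "__main__":
    kernel = KernelEbpfInterface()
    module = PodConfigModule("node1", NetworkPluginConfigModule(kernel))
    nics = {"tap0": "nic-eth0", "tap1": "nic-eth1"}
    print(module.handle_event(pod_event("ADDED", "pod1-uid", "node1", nics)), kernel.attached)
    print(module.handle_event(pod_event("DELETED", "pod1-uid", "node1", nics)), kernel.attached)
```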
Example 3:
the embodiment also provides an electronic device, including: a memory and a processor;
wherein the memory stores computer-executable instructions;
the processor executes the computer-executable instructions stored in the memory, causing the processor to perform the network-implemented method of running a virtual machine in a container in any of the embodiments of the invention.
The processor may be a Central Processing Unit (CPU), but may also be another general purpose processor, a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), a Field Programmable Gate Array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, a discrete hardware component, etc. The processor may be a microprocessor, or any conventional processor or the like.
The memory may be used to store computer programs and/or modules, and the processor implements the various functions of the electronic device by running or executing the computer programs and/or modules stored in the memory and invoking the data stored in the memory. The memory may mainly comprise a program storage area and a data storage area, where the program storage area may store an operating system, an application program required for at least one function, and the like, and the data storage area may store data created during use of the terminal, etc. The memory may include high-speed random access memory, and may also include non-volatile memory such as a hard disk, memory, a plug-in hard disk, a Smart Media Card (SMC), a Secure Digital (SD) card, a flash memory card, at least one magnetic disk storage device, a flash memory device, or another volatile solid-state memory device.
Example 4:
This embodiment also provides a computer-readable storage medium having stored therein a plurality of instructions, the instructions being loaded by a processor to cause the processor to perform the network implementation method for running a virtual machine in a container according to any of the embodiments of the present invention. Specifically, a system or apparatus is provided with a storage medium on which software program code realizing the functions of any of the above embodiments is stored, and a computer (or CPU or MPU) of the system or apparatus may be caused to read out and execute the program code stored in the storage medium.
In this case, the program code itself read from the storage medium may realize the functions of any of the above-described embodiments, and thus the program code and the storage medium storing the program code form part of the present invention.
Examples of storage media for providing program code include floppy disks, hard disks, magneto-optical disks, optical disks (e.g., CD-ROMs, CD-Rs, CD-RWs, DVD-ROMs, DVD-RAMs, DVD-RWs, DVD+RWs), magnetic tapes, non-volatile memory cards, and ROMs. Alternatively, the program code may be downloaded from a server computer over a communication network.
Further, it should be apparent that the functions of any of the above-described embodiments may be implemented not only by executing the program code read out by the computer, but also by causing an operating system or the like operating on the computer to perform part or all of the actual operations based on the instructions of the program code.
Further, it is understood that the program code read out from the storage medium may be written into a memory provided in an expansion board inserted into a computer, or into a memory provided in an expansion unit connected to the computer, and a CPU or the like mounted on the expansion board or expansion unit is then caused to perform part or all of the actual operations based on the instructions of the program code, thereby realizing the functions of any of the above embodiments.
Finally, it should be noted that: the above embodiments are only for illustrating the technical solution of the present invention, and not for limiting the same; although the invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical scheme described in the foregoing embodiments can be modified or some or all of the technical features thereof can be replaced by equivalents; such modifications and substitutions do not depart from the spirit of the invention.

Claims (4)

1. A network implementation method for running a virtual machine in a container, characterized in that it is applied to virtual machines managed by a Kubernetes platform and specifically comprises the following steps:
creating an eBPF plug-in based on the network card configuration of the virtual machine running in the container, which comprises:
running the virtual machine in a Pod with an independent network namespace, wherein the virtual machine is provided with one or more network cards, each network card of the virtual machine has a one-to-one corresponding tap port that can communicate with that network card within the Pod, and the one or more tap ports of the virtual machine are located in the Pod network namespace;
each tap port of the virtual machine corresponds one-to-one to a veth pair device, and each veth pair device has two ports, a veth pair device first port and a veth pair device second port; the veth pair device first port is located in the default network namespace of the node to which the Pod belongs and is connected to the CNI data plane module of that node; the veth pair device second port is located in the Pod network namespace;
creating the eBPF plug-in based on the one or more tap ports of the virtual machine and the veth pair device second ports corresponding to them; the association between the one or more tap ports of the virtual machine and their corresponding veth pair device second ports is stored in an eBPF map of the eBPF plug-in;
configuring the eBPF plug-in on the tap ports of the virtual machine in the container, so as to intercept the ingress traffic of the virtual machine tap ports and redirect it to the in-container veth pair device ports, which comprises:
configuring the eBPF plug-in on the one or more tap ports of the virtual machine, where it intercepts the ingress traffic of the one or more tap ports and redirects it to the veth pair device second ports corresponding to those tap ports; the ingress traffic of a tap port of the virtual machine refers to the uplink traffic of the virtual machine network card corresponding to that tap port;
configuring the eBPF plug-in on the in-container veth pair device ports, so as to intercept the ingress traffic of the in-container veth pair device ports and redirect it to the virtual machine tap ports, which comprises:
the eBPF plug-in configured on the veth pair device second ports corresponding to the one or more tap ports of the virtual machine intercepts the ingress traffic of those second ports and redirects it to the corresponding tap ports; the ingress traffic of a veth pair device second port refers to the downlink traffic of the virtual machine network card corresponding to that tap port;
the eBPF plug-in performs the interception and redirection by querying the destination port with a key stored in its eBPF map, specifically: the name of the tap port or veth pair device second port on which the eBPF plug-in is configured is used as the key to look up the corresponding value in the eBPF map of the eBPF plug-in, and that value is used as the destination port name;
when the eBPF plug-in intercepts the ingress traffic of a virtual machine tap port and redirects it to an in-container veth pair device port, either part of the ingress traffic of the virtual machine tap port or all of it is intercepted and redirected to the in-container veth pair device port;
when the eBPF plug-in intercepts the ingress traffic of an in-container veth pair device port and redirects it to a virtual machine tap port, either part of the ingress traffic of the in-container veth pair device port or all of it is intercepted and redirected to the virtual machine tap port;
the association stored in the eBPF map between the one or more tap ports of the virtual machine and their corresponding veth pair device second ports is specifically:
the names of the one or more tap ports of the virtual machine are taken as keys and the names of the corresponding veth pair device second ports as values, forming first key-value pairs;
the names of the veth pair device second ports corresponding to the one or more tap ports of the virtual machine are taken as keys and the names of the one or more tap ports as values, forming second key-value pairs;
and the first key-value pairs and the second key-value pairs are merged and stored in the eBPF map of the eBPF plug-in.
2. A network implementation system for running a virtual machine in a container, characterized in that the system is configured to implement the network implementation method for running a virtual machine in a container according to claim 1, and the system includes a network plug-in configuration module, a listening module, and a Pod configuration module;
the network plug-in configuration module is used to create the eBPF plug-in, which intercepts the ingress traffic of the one or more tap ports of the virtual machine and redirects it to the veth pair device second ports corresponding to those tap ports;
the listening module is used to watch, through the Kubernetes watch API, for changes to the Pods and resources of the virtual machine;
the Pod configuration module is used, when the listening module observes that a Pod running a virtual machine has been added on the node, to create an eBPF plug-in for that virtual machine through the network plug-in configuration module, and to configure the eBPF plug-in, by calling the eBPF interface of the operating system kernel through the network plug-in configuration module, on the one or more tap ports of the virtual machine in the Pod and on the veth pair device second ports corresponding to those tap ports;
when the listening module observes that a Pod running a virtual machine has been deleted on the node, the Pod configuration module calls the eBPF interface through the network plug-in configuration module to remove the eBPF plug-in in the operating system kernel from the one or more tap ports of the virtual machine and from the veth pair device second ports corresponding to them, and deletes the eBPF plug-in.
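A user-space model of the data structure and decisions in claims 1 and 2, added here as an example and not code from the patent: the merged tap-to-veth / veth-to-tap eBPF map, the per-port ingress decision (redirect to the looked-up peer, otherwise let the packet pass), the part-or-all selection, and the Pod add/delete lifecycle. Interface names, the `selector` hook and all function names are constructed; the real plug-in runs as a TC eBPF program in the kernel and redirects with bpf_redirect, which this model only mirrors.

```python
from dataclasses import dataclass, field

# TC eBPF program return codes, as in <linux/pkt_cls.h>.
TC_ACT_OK = 0        # leave the packet on its normal path
TC_ACT_REDIRECT = 7  # hand the packet to another device (bpf_redirect)

# Constructed sample Pod: two VM NICs, each a (tap port, in-Pod veth second port).
SAMPLE_PAIRS = [("tap0", "eth0"), ("tap1", "eth1")]

def build_port_map(pairs):
    """Claim 1 map: tap->veth (first pairs) and veth->tap (second pairs), merged so
    the configured port's own name is the key and the value is the destination."""
    pairs = list(pairs)
    names = [name for pair in pairs for name in pair]
    if len(set(names)) != len(names):
        raise ValueError("every tap and veth port name must be unique")
    forward = {tap: veth for tap, veth in pairs}
    reverse = {veth: tap for tap, veth in pairs}
    return {**forward, **reverse}

@dataclass
class EbpfPlugin:
    port_map: dict
    attached: set = field(default_factory=set)
    # Claim 1: part or all of the ingress traffic may be redirected; None means all.
    selector: object = None

    def attach(self, ifname):
        if ifname not in self.port_map:
            raise KeyError(f"{ifname} has no peer in the eBPF map")
        self.attached.add(ifname)

    def detach(self, ifname):
        self.attached.discard(ifname)

    def ingress(self, ifname, packet):
        """Action for a packet arriving at the ingress hook of `ifname`."""
        peer = self.port_map.get(ifname) if ifname in self.attached else None
        if peer is None or (self.selector and not self.selector(packet)):
            return TC_ACT_OK, None   # not attached, unknown, or unselected: pass
        return TC_ACT_REDIRECT, peer

def on_pod_added(pairs):
    """Claim 2 add path: build the map and attach to every tap and veth port."""
    plugin = EbpfPlugin(build_port_map(pairs))
    for ifname in list(plugin.port_map):
        plugin.attach(ifname)
    return plugin

def on_pod_deleted(plugin):
    """Claim 2 delete path: remove the program from all ports, drop the map."""
    for ifname in list(plugin.attached):
        plugin.detach(ifname)
    plugin.port_map.clear()
```

A packet on a port with no map entry is passed rather than dropped, so a stale or incomplete map degrades to normal Pod networking instead of a silent outage.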
3. An electronic device, comprising: a memory and at least one processor;
wherein the memory has a computer program stored thereon;
the at least one processor executing the computer program stored by the memory causes the at least one processor to perform the network implementation method of running a virtual machine in a container as claimed in claim 1.
4. A computer readable storage medium having stored therein a computer program executable by a processor to implement the network implementation method of running a virtual machine in a container as claimed in claim 1.
CN202311075599.0A 2023-08-25 2023-08-25 Network implementation method, system, equipment and medium for running virtual machine in container Active CN116800605B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202311075599.0A CN116800605B (en) 2023-08-25 2023-08-25 Network implementation method, system, equipment and medium for running virtual machine in container

Publications (2)

Publication Number Publication Date
CN116800605A CN116800605A (en) 2023-09-22
CN116800605B true CN116800605B (en) 2023-12-22

Family

ID=88048365

Country Status (1)

Country Link
CN (1) CN116800605B (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114510323A (en) * 2022-02-25 2022-05-17 中电云数智科技有限公司 Network optimization implementation method for operating virtual machine in container
CN114924835A (en) * 2022-05-11 2022-08-19 浪潮云信息技术股份公司 Method and system for improving virtual machine access performance under super-fusion environment
CN115543531A (en) * 2022-09-20 2022-12-30 深圳前海环融联易信息科技服务有限公司 eBPF-based container network implementation method, device, equipment and medium
CN115622748A (en) * 2022-09-26 2023-01-17 苏州思萃工业互联网技术研究所有限公司 Container-based network security implementation system and method

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant