CN117319212B - Multi-tenant isolated password resource automatic scheduling system and method in cloud environment


Info

Publication number
CN117319212B
CN117319212B
Authority
CN
China
Prior art keywords
tenant
virtual
password
host
cryptographic
Prior art date
Legal status
Active
Application number
CN202311606215.3A
Other languages
Chinese (zh)
Other versions
CN117319212A (en)
Inventor
刘歆
李超
李龙
王天顺
杨建平
范明
邹天宇
王昭阳
Current Assignee
Sinoinfosec Beijing Technology Co ltd
Original Assignee
Sinoinfosec Beijing Technology Co ltd
Priority date
Filing date
Publication date
Application filed by Sinoinfosec Beijing Technology Co ltd
Priority to CN202311606215.3A
Publication of CN117319212A
Application granted
Publication of CN117319212B
Legal status: Active (current)
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/08 Configuration management of networks or network elements
    • H04L41/0894 Policy-based network configuration management
    • H04L41/0895 Configuration of virtualised networks or elements, e.g. virtualised network function or OpenFlow elements
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816 Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0819 Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
    • H04L9/083 Key transport or distribution involving a central third party, e.g. key distribution center [KDC] or trusted third party [TTP]
    • H04L9/0833 Key transport or distribution involving a central third party, involving a conference or group key
    • H04L9/0836 Key transport or distribution involving a central third party, involving a conference or group key using a tree structure or hierarchical structure
    • H04L9/40 Network security protocols


Abstract

The invention discloses a multi-tenant isolated cryptographic resource automatic scheduling system in a cloud environment. The system comprises a tenant authentication gateway, tenant namespaces, a virtual cryptographic host controller, a virtual cryptographic host scheduler, a node management component and a network service component, and greatly reduces the operation, maintenance and management burden of physical cryptographic devices. Multi-tenant isolated namespaces are built on the Linux Namespace and CGroups kernel mechanisms together with SR-IOV, giving secure multi-tenant isolation in the cloud environment. The invention further provides an on-demand dynamic allocation and automatic scheduling method for cryptographic resources, which distributes the resources uniformly, schedules them dynamically and improves their utilisation efficiency.

Description

Multi-tenant isolated password resource automatic scheduling system and method in cloud environment
Technical Field
The invention relates to the field of computer technology, and in particular to a multi-tenant isolated cryptographic resource automatic scheduling system and method in a cloud environment.
Background
With the vigorous development of artificial intelligence, big data and the internet of things, cloud computing has become an important infrastructure for digital transformation, and industries such as government, telecom operators, finance, healthcare and education are migrating their business and data to cloud platforms. However, as cloud computing spreads, business information systems and data on the cloud face security risks such as unauthorised access, tampering with important data and leakage of sensitive data at any time. Cryptography, as a core technology of network and information security, can address these problems well.
In the conventional model, to meet the cryptographic needs of a business system, enterprise users typically purchase cryptographic machines (hardware cryptographic devices) together with the matching key management software, and employ dedicated staff to maintain and manage both.
As enterprises grow, their business scale and user data grow with them; they begin to migrate large numbers of business systems and data into cloud platforms and rely on the computing and storage capacity of the cloud to meet their demand. To meet the cryptographic needs of business systems in a cloud environment, enterprise users have to build their own cryptographic device clusters, deploy the devices in a back-to-back direct-connection mode, and serve the business systems in a dedicated (exclusive) cryptographic application mode.
The traditional scheme isolates the cryptographic resources of different tenants physically, so its security is high; as long as traffic does not grow in large bursts, the cryptographic service can be provided safely and reliably. However, if the number of an enterprise's business systems grows sharply, or business peaks occur frequently, a conventional physical cryptographic device cluster cannot provide dynamically adjusted cryptographic service capacity; this places a great burden on the cluster administrator's operation and management capability, and the cluster may even fail to provide effective support.
In a cloud computing environment, business systems mainly rely on resource virtualisation for service support, and the mindset of enterprise users has shifted from buying hardware products to buying services. The traditional cryptographic device application mode therefore has many shortcomings when serving cloud business systems, and may not meet the cryptographic application requirements of a cloud computing environment at all.
(1) The cryptographic resource allocation and isolation requirements of virtualised business systems cannot be met. In cloud computing, industry business application systems mainly rely on resource virtualisation for service support. The traditional cryptographic device deployment mode does not fit this virtualised application mode: all application calls must be made over the network, each virtualised business resource must be guaranteed its own isolated, dedicated cryptographic resources, and once the number of virtualised business resources becomes large, a traditional cryptographic device cluster can no longer meet the demand.
(2) Elasticity and dynamic adjustment of cryptographic resources cannot be achieved. Elastic computing is a basic capability of business systems in a cloud environment: the cloud platform can rapidly expand computing resources when a business peak arrives. A business peak also means a peak demand for cryptographic operation resources, and the traditional dedicated cryptographic application mode cannot provide dynamically adjusted cryptographic operation capacity.
(3) Secure and reliable remote management capability cannot be provided. Cloud computing services generally support multiple tenants, and each tenant must have complete key management rights over the cryptographic resources provided to it, including key generation, distribution, use, update and destruction. Secure remote key management is therefore a basic requirement of cryptographic applications in the cloud, and it requires a complete identity authentication mechanism, a capability in which traditional cryptographic applications are clearly lacking.
Therefore, how to provide per-tenant security isolation, on-demand allocation, dynamic scaling and automatic scheduling of cryptographic resources in a cloud environment is a technical problem that cloud cryptographic services must solve.
Disclosure of Invention
To solve the technical problems above, the invention provides an automatic scheduling system and method for multi-tenant isolated cryptographic resources in a cloud environment. Its aim is to build a cluster of physical cryptographic devices in the cloud environment, provide multi-tenant isolated virtual cryptographic hosts, and realise on-demand allocation and automatic scheduling of cloud cryptographic resources. The technical scheme is as follows:
A multi-tenant isolated cryptographic resource automatic scheduling system in a cloud environment comprises a tenant authentication gateway, tenant namespaces, a virtual cryptographic host controller, a virtual cryptographic host scheduler, a node management component and a network service component.
The tenant authentication gateway is used as a cluster resource access entrance and is used for realizing the functions of identity authentication, resource authentication, admission control and the like of tenants.
Identity authentication checks the validity of the tenant's identity.
Resource authentication is performed after the tenant has passed identity authentication: the requested resource is checked, and each tenant may only access cryptographic resources within its own namespace.
Admission control is a finer-grained verification of requests that have passed resource authentication, including but not limited to whitelist restrictions, blacklist/abnormal request interception, request type restrictions and request data size restrictions.
The tenant namespaces are resource views isolated according to tenants, each tenant is allocated with a unique Namespace, and the safe isolation of the multi-tenant resources is realized by using a Linux Namespace namespaces, a CGroups control group kernel mechanism and an SR-IOV technology, wherein each Namespace consists of a network Namespace, a process Namespace, a user Namespace and a password resource Namespace.
The network namespaces are used for isolating network views of the working nodes, and limiting the tenants and the virtual password hosts to only view and start network interfaces in the namespaces.
The process namespaces are used for isolating process views of the working nodes, limiting tenants to only manage processes in the namespaces, enabling the virtual cryptographic host to only communicate with processes in the namespaces, and limiting memory access space, process priority, CPU computing time and the like of cryptographic service processes in running examples of the virtual cryptographic host by using the Cgroup control group.
The user namespace isolates the user view of the worker node, separating the users running inside the virtual cryptographic host from the users on the node: a process that runs as root inside the virtual cryptographic host runs only as an ordinary user on the node, which prevents a process in the tenant namespace from escaping and performing unauthorised operations.
The password resource name space is used for isolating the password resource view of the working node, and limiting the tenant to only view and operate the password resources allocated to the tenant, wherein the password resource name space comprises a key space, a PCI-E channel and a random number buffer pool.
The virtual cryptographic host is a relatively temporary entity, is created based on a virtual cryptographic host configuration template, exists in the range of the tenant namespaces, and has a life cycle comprising creation, scheduling, initialization, readiness, termination and resource recovery.
The virtual cryptographic host configuration template is a configuration list created to reduce the operation, maintenance and management burden of physical cryptographic devices, to meet the diverse cryptographic operation requirements of each tenant, and to provide the basis for automation. The tenant configures the template according to the actual situation of its own business system; the template configuration items include: virtual cryptographic host name, owning namespace, image type and version, service port number, labels, resource requests and limits, priority, instance number range, etc.
The virtual cryptographic host controller creates, from the template configured by the tenant, a virtual cryptographic host whose instance count is the lower bound of the instance number range, guaranteeing minimum availability of the tenant's cryptographic resources. It defines a set of observable metrics, including average CPU utilisation, average memory utilisation and average VF I/O read/write rate, and computes the required number of running instances in real time from the current and target metric values, thereby dynamically adjusting the scale of the tenant's virtual cryptographic hosts.
The virtual cryptographic host scheduler discovers, through a watch mechanism, virtual cryptographic hosts that have been newly created in the cluster but not yet scheduled onto a worker node, and uses a scheduling algorithm to place each on a suitable node, so that cryptographic resources are distributed uniformly and used more efficiently.
The node management component allocates cryptographic resources to the virtual cryptographic hosts scheduled onto the current node, generates their running instances, monitors the running state of each instance in real time, and detects and repairs faults; on receiving a scale-in message from the virtual cryptographic host controller it stops the specified number of instance replicas and releases and reclaims the cryptographic resources occupied by the low-load replicas, so that cryptographic resources are distributed uniformly and used more efficiently.
The network service component exposes one or a group of ready virtual cryptographic host running instances as a network service through service discovery, load balancing and networking mechanisms. It monitors instance processes in the tenant namespace in real time, adds newly scaled-out instances that have become ready to the service endpoint list, and removes scaled-in, terminated instances from it. At the same time it generates specific routing rules for the running instances in the service endpoint list, so that the tenant's business system can establish network sessions with those instances and have its cryptographic service requests processed.
Based on the system, the invention also discloses a method for realizing the automatic dispatching of the password resources of the multi-tenant isolation in the cloud environment, which comprises the following steps:
Step S1: deploying the cryptographic resource cluster. After the cluster administrator deploys the automatic cryptographic resource scheduling system, a complete cryptographic resource cluster is formed. The cluster has at least one management node, which runs the tenant authentication gateway, the virtual cryptographic host controller, the virtual cryptographic host scheduler and the network service component; all remaining nodes are worker nodes, which run the node management component, the node network agent and the virtual cryptographic host running instances.
Step S2: constructing a cloud cryptographic resource pool. Before the cluster starts normal operation, the system administrator initialises the cluster, generating the cluster key system and constructing the cloud cryptographic resource pool.
Step S3: a tenant namespace is created. Tenant namespaces are views of resources that are isolated by tenant, with each tenant assigned a unique namespace. Each namespace is comprised of a network namespace, a process namespace, a user namespace, and a cryptographic resource namespace. The cluster administrator is responsible for creating tenant namespaces including opening tenant access accounts, authorizing accessible resources, resource quotas, setting admission control rules, and the like.
Step S4: and configuring a virtual password host template. The virtual password host template is configured by the tenant according to the actual requirement of the own business system, and the template configuration items can comprise: virtual cryptographic hostname, belonging namespace, mirror type and version, service port number, label, resource request and restriction, priority, instance number range, etc.
Step S5: a virtual cryptographic host is created. The virtual password host controller creates a virtual password host with the lower limit value of the number range of the instances according to the virtual password host template configured by the tenant, ensures the minimum availability of the tenant password resources, calculates the number of the running instances of the virtual password host in real time according to the current index and the expected index, and realizes the dynamic adjustment of the required scale of the tenant virtual password host.
Step S6: the virtual cryptographic host is scheduled. The virtual crypto host scheduler tries to select a best node for each newly created virtual crypto host found. The dispatcher firstly filters out all schedulable nodes meeting the configuration of the virtual password host in the cluster, then scores the nodes, and selects the node with the highest score as a target node to operate.
Step S7: and generating a virtual password host operation instance. The node management component allocates password resources for the virtual password host scheduled to the current node, generates a virtual password host running instance, monitors the running state of the instance in real time, and detects and repairs faults; and stopping a certain number of instance copies according to the volume shrinkage message sent by the virtual cryptographic host controller, and releasing and recovering the cryptographic resources occupied by the low-load instance copies.
Step S8: the cryptographic service in the virtual cryptographic host running instance is disclosed as a web service. The network service component defines a set of logical collections of virtual cryptographic host running instances in each tenant namespace and a method of how to expose those instances as network services, ultimately yielding a set of service endpoints accessible to the tenant business system and providing load balancing capabilities.
The invention also discloses a nonvolatile storage medium, which is characterized in that the nonvolatile storage medium comprises a stored program, wherein the program controls equipment where the nonvolatile storage medium is located to execute the method when running.
The invention also discloses an electronic device which is characterized by comprising a processor and a memory; the memory has computer readable instructions stored therein, and the processor is configured to execute the computer readable instructions, where the computer readable instructions execute the method described above when executed.
Advantageous effects
The invention realises a multi-tenant isolated cryptographic resource automatic scheduling system in a cloud environment, which greatly reduces the operation, maintenance and management burden of physical cryptographic devices. Multi-tenant isolated namespaces are built on the Linux Namespace and CGroups kernel mechanisms together with SR-IOV, giving secure multi-tenant isolation in the cloud environment. The invention further provides an on-demand dynamic allocation and automatic scheduling method for cryptographic resources, which distributes the resources uniformly, schedules them dynamically and improves their utilisation efficiency.
Drawings
FIG. 1 is a schematic diagram of the system components of the present invention;
FIG. 2 is a flow chart of the steps of the present invention;
FIG. 3 is a hierarchical diagram of cluster key structure and protection in accordance with the present invention.
Detailed Description
The invention will now be described in detail with reference to the drawings and to specific embodiments.
The embodiment provides a multi-tenant isolated cryptographic resource automatic scheduling system in a cloud environment, comprising a tenant authentication gateway, tenant namespaces, a virtual cryptographic host controller, a virtual cryptographic host scheduler, a node management component and a network service component. FIG. 1 is a schematic diagram of the system of the present invention.
The tenant authentication gateway is used as a cluster resource access entrance and is used for realizing the functions of identity authentication, resource authentication, admission control and the like of tenants.
Identity authentication checks the validity of the tenant's identity.
Resource authentication is performed after the tenant has passed identity authentication: the requested resource is checked, and each tenant may only access cryptographic resources within its own namespace.
Admission control is a finer-grained verification of requests that have passed resource authentication, including but not limited to whitelist restrictions, blacklist/abnormal request interception, request type restrictions and request data size restrictions.
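The three gateway checks described above (identity authentication, resource authentication scoped to the tenant's namespace, and admission control with whitelist, blacklist, request-type and size rules) can be written as a small ordered pipeline. The following is an added illustration, not code from the patent or from Sinoinfosec; the tenant registry, API keys, namespaces and rule values are constructed sample data, and the credential check uses a hashed API key only because the patent does not specify the credential format.

```python
import hashlib
import hmac
from dataclasses import dataclass, field

# Constructed sample tenant registry: API-key digests and the namespace each
# tenant owns. A real gateway would load these from the cluster key system.
TENANT_KEY_DIGESTS = {
    "tenant-a": hashlib.sha256(b"key-a-secret").hexdigest(),
    "tenant-b": hashlib.sha256(b"key-b-secret").hexdigest(),
}
TENANT_NAMESPACE = {"tenant-a": "ns-a", "tenant-b": "ns-b"}


@dataclass
class AdmissionRules:
    """Admission-control rules attached to a tenant namespace."""
    allowed_sources: set = field(default_factory=set)  # whitelist of client addresses (empty = any)
    denied_sources: set = field(default_factory=set)   # blacklist of client addresses
    allowed_ops: set = field(default_factory=set)      # permitted request types
    max_payload: int = 4096                             # request data size limit in bytes


@dataclass
class Request:
    tenant: str
    api_key: str
    namespace: str   # namespace of the cryptographic resource being requested
    resource: str
    op: str
    source: str
    payload: bytes


def authenticate_identity(req: Request) -> bool:
    """Identity authentication: validate the tenant's credential."""
    digest = TENANT_KEY_DIGESTS.get(req.tenant)
    if digest is None:
        return False
    presented = hashlib.sha256(req.api_key.encode()).hexdigest()
    return hmac.compare_digest(digest, presented)  # constant-time comparison


def authenticate_resource(req: Request) -> bool:
    """Resource authentication: a tenant may only touch its own namespace."""
    return TENANT_NAMESPACE.get(req.tenant) == req.namespace


def admit(req: Request, rules: AdmissionRules):
    """Admission control: finer-grained checks on an authenticated request."""
    if req.source in rules.denied_sources:
        return False, "source blacklisted"
    if rules.allowed_sources and req.source not in rules.allowed_sources:
        return False, "source not whitelisted"
    if req.op not in rules.allowed_ops:
        return False, "operation not permitted"
    if len(req.payload) > rules.max_payload:
        return False, "payload too large"
    return True, "admitted"


def gateway(req: Request, rules: AdmissionRules):
    """Run the three checks in order and return (accepted, reason)."""
    if not authenticate_identity(req):
        return False, "identity authentication failed"
    if not authenticate_resource(req):
        return False, "resource outside tenant namespace"
    return admit(req, rules)


if __name__ == "__main__":
    rules = AdmissionRules({"10.0.0.5"}, {"10.0.0.9"}, {"encrypt", "decrypt", "sign"}, 4096)
    ok = Request("tenant-a", "key-a-secret", "ns-a", "key/1", "encrypt", "10.0.0.5", b"x" * 100)
    cross = Request("tenant-a", "key-a-secret", "ns-b", "key/1", "encrypt", "10.0.0.5", b"x")
    print(gateway(ok, rules), gateway(cross, rules))
```

The order matters for defence: a request that fails identity authentication never reaches the namespace check, and a cross-namespace request is rejected before any admission rule is consulted, so a tenant cannot probe another tenant's admission rules.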
The tenant namespaces are resource views isolated according to tenants, each tenant is allocated with a unique Namespace, and the safe isolation of the multi-tenant resources is realized by using a Linux Namespace namespaces, a CGroups control group kernel mechanism and an SR-IOV technology, wherein each Namespace consists of a network Namespace, a process Namespace, a user Namespace and a password resource Namespace.
The system uses containerd (an open-source container runtime) and SR-IOV to create and manage the runtime environment of the tenant namespaces. When a tenant is created, the tenant namespace component invokes containerd to create a process namespace, a network namespace and a user namespace through the Linux kernel's namespace mechanism, isolating process, network and user resources; it creates the cryptographic resource namespace on the basis of SR-IOV, that is, when it creates a virtual cryptographic host running instance for the tenant it dynamically allocates an independent VF device to the instance. The VF device defines the key space, PCI-E channel, random number buffer pool and similar configuration of the virtual cryptographic host, which provides an isolated view of cryptographic resources between tenants and bounds each tenant's access rights to cryptographic resources.
The network namespace isolates the network view of the worker node, restricting the tenant and its virtual cryptographic hosts to viewing and starting only the network interfaces within the namespace. The tenant namespace component invokes containerd to create the network namespace through the Linux kernel's netns mechanism. When creating a virtual cryptographic host running instance for a tenant, the component assigns the instance a separate network stack and associates it with a particular netns. The netns defines the network interfaces, routing tables, protocol stack and similar configuration of the instance, and achieves network isolation and access control between tenants.
The process namespace isolates the process view of the worker node, restricting the tenant to managing only processes within the namespace and the virtual cryptographic host to communicating only with processes within it; the cgroup control group limits the memory address space, process priority, CPU time and similar of the cryptographic service processes in the virtual cryptographic host running instances. The tenant namespace component invokes containerd to create the process namespace through the Linux kernel's namespace mechanism. When the system creates a virtual cryptographic host running instance for a tenant, containerd uses system calls such as fork and exec to create a new process and associate it with the specific namespace. This namespace is bound to the runtime environment of the tenant namespace, which limits the processes' access rights to system resources.
The user namespace isolates the user view of the worker node, separating the users running inside the virtual cryptographic host from the users on the node: a process that runs as root inside the virtual cryptographic host runs only as an ordinary user on the node, which prevents a process in the tenant namespace from escaping and performing unauthorised operations. The tenant namespace component invokes containerd to create the user namespace through the Linux kernel's user_namespace mechanism. When creating a virtual cryptographic host running instance for a tenant, the component assigns the instance a set of user IDs and group IDs and associates them with a particular user_namespace. The user_namespace defines the user and group environment of the instance, and achieves user isolation and access control between tenants.
The cryptographic resource namespace isolates the cryptographic resource view of the worker node, restricting the tenant to viewing and operating only the cryptographic resources allocated to it; it comprises a key space, a PCI-E channel and a random number buffer pool. The tenant namespace component creates the cryptographic resource namespace for a tenant on the basis of SR-IOV. When creating a virtual cryptographic host running instance for a tenant, the component dynamically allocates an independent VF device to the instance, and the VF device defines the key space, PCI-E channel, random number buffer pool and similar configuration of the virtual cryptographic host, which provides an isolated view of cryptographic resources between tenants and bounds each tenant's access rights to cryptographic resources.
In summary, the tenant namespace component creates the process, network and user namespaces by calling the namespace, netns and user_namespace mechanisms of the underlying Linux kernel through containerd, and creates the cryptographic resource namespace on the basis of SR-IOV, thereby realising a per-tenant isolated resource view. The linkage between these namespaces is coordinated and managed by the tenant namespace component, providing a more flexible and secure tenant-isolated operating environment for virtual cryptographic hosts.
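The user-namespace property stated above, that root inside the virtual cryptographic host is only an ordinary user on the node, is determined by the kernel's uid_map for that namespace (the same `inside outside count` format is exposed in /proc/<pid>/uid_map and gid_map). The code below, an added illustration and not the patent's or containerd's code, parses such a map, translates IDs in both directions, and checks the safety property a node operator would want to verify before trusting an instance. The map lines are constructed samples.

```python
def parse_id_map(text: str):
    """Parse uid_map/gid_map lines ("inside outside count") into tuples."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if len(parts) != 3:
            raise ValueError(f"malformed id map line: {line!r}")
        inside, outside, count = (int(p) for p in parts)
        if count <= 0 or inside < 0 or outside < 0:
            raise ValueError(f"invalid id map line: {line!r}")
        entries.append((inside, outside, count))
    return entries


def to_host_id(entries, inside_id: int):
    """Translate an in-namespace id to the node (host) id.

    Returns None when the id is not covered by the map; the kernel then
    presents it as the overflow id (usually 65534, "nobody")."""
    for inside, outside, count in entries:
        if inside <= inside_id < inside + count:
            return outside + (inside_id - inside)
    return None


def to_inside_id(entries, host_id: int):
    """Reverse translation: which in-namespace id does a host id correspond to?
    Useful when node-side audit logs show only host ids."""
    for inside, outside, count in entries:
        if outside <= host_id < outside + count:
            return inside + (host_id - outside)
    return None


def root_is_unprivileged_outside(entries) -> bool:
    """The isolation property the text relies on: in-namespace uid 0 must map
    to a non-zero host uid (and must be mapped at all)."""
    host_root = to_host_id(entries, 0)
    return host_root is not None and host_root != 0


# Constructed sample maps: a tenant instance with a 65536-id range starting at
# host id 100000, and an identity map that would NOT give the isolation.
TENANT_UID_MAP = "0 100000 65536\n"
IDENTITY_UID_MAP = "0 0 4294967295\n"

if __name__ == "__main__":
    m = parse_id_map(TENANT_UID_MAP)
    print("root inside ->", to_host_id(m, 0), "on the node")
    print("safe:", root_is_unprivileged_outside(m),
          "identity map safe:", root_is_unprivileged_outside(parse_id_map(IDENTITY_UID_MAP)))
```

A map with several ranges (for example "0 100000 1000" followed by "1000 200000 5000") is handled by the same functions, and an id outside every range is reported as unmapped rather than silently translated.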
The virtual cryptographic host is a relatively temporary entity, is created based on a virtual cryptographic host configuration template, exists in the range of the tenant namespaces, and has a life cycle comprising creation, scheduling, initialization, readiness, termination and resource recovery.
The virtual password host configuration template is a configuration list which is created for reducing the operation and maintenance difficulty and the management difficulty of the physical password equipment, meeting the self-diversified password operation requirements of each tenant and providing a basis for realizing automation. The tenant can configure the virtual password host template according to the actual situation of the own business system, and the template configuration items comprise: virtual cryptographic hostname, belonging namespace, mirror type and version, service port number, label, resource request and restriction, priority, instance number range, etc.
The virtual password host controller creates a virtual password host with the lower limit value of the number range of instances according to the virtual password host template configured by the tenant, and ensures the minimum availability of the tenant password resources. The method comprises the steps of defining a plurality of observable indexes including average CPU utilization rate, average memory utilization rate, VF average I/O read-write rate and the like, and calculating the number of running instances of the virtual password host in real time according to the current index and the expected index, so that the required scale of the tenant virtual password host is dynamically adjusted.
The virtual password host dispatcher discovers a virtual password host which is newly created in the cluster and is not dispatched to the working node through a monitoring mechanism, and dispatches the virtual password host to a proper node for operation by using a dispatching algorithm, so that the uniform distribution of password resources is realized, and the utilization efficiency of the password resources is improved.
The node management component is responsible for allocating cryptographic resources to the virtual cryptographic hosts scheduled to the current node, generating virtual cryptographic host running instances, monitoring the running state of the instances in real time, and carrying out fault detection and repair; and for stopping a certain number of instance copies according to the scale-in message sent by the virtual cryptographic host controller, releasing and recovering the cryptographic resources occupied by the low-load instance copies, so that cryptographic resources are uniformly distributed and their utilization efficiency is improved.
The network service component discloses one or a group of ready virtual cryptographic host running examples as network services through service discovery, load balancing and networking mechanisms, monitors example processes in the tenant namespaces in real time, adds new examples which are expanded and ready to a service endpoint list, and removes old examples which are contracted and terminated from the service endpoint list. Meanwhile, a specific route access rule is generated for the virtual password host running instance in the service network endpoint list, so that network session connection is established between the tenant service system and the virtual password host running instance in the service endpoint list, and a password service request is processed.
Fig. 2 is a flowchart of implementation steps of a method for automatically scheduling multi-tenant isolated cryptographic resources in a cloud environment, which is implemented specifically according to the following steps:
step S1: a cryptographic resource cluster is deployed. The cluster administrator deploys the password resource automatic scheduling system. Further comprises:
step S11: planning the cryptographic resource cluster scale according to need, namely adopting a one-management-node, multiple-working-node topology; in this embodiment the cluster comprises one management node and two working nodes;
step S12: the cluster operating environment is deployed. The following operations are performed at all nodes: configuring the node network, installing the container runtime (containerd), installing and running the SR-IOV network device plug-in, synchronizing time, and configuring kernel forwarding and bridge filtering; deploying the tenant authentication gateway, the virtual cryptographic host controller, the virtual cryptographic host scheduler and the network service component at the management node; deploying the node management component, the node network agent, the virtual cryptographic host image and the like at each working node; and finally establishing the connection between each working node and the management node, so that the working nodes and the management node are managed uniformly.
Step S13: deploying a cluster management Web tool, checking the running state of the cluster, and verifying whether the cluster is built successfully.
Then, a complete cryptographic resource cluster is constructed. The cluster is provided with at least one management node for operating the tenant authentication gateway, the virtual password host controller, the virtual password host dispatcher and the network service component; the rest nodes are all working nodes and are used for operating node management components, node network agents and virtual password host operating examples.
Step S2: and constructing a cloud password resource pool. Before the cluster works normally, a cluster manager performs cluster initialization to generate a cluster key system and construct a cloud password resource pool.
After successful deployment, the cluster does not generate a cluster key system and is in an initial state. Initializing the cluster through a cluster management Web tool to generate a cluster key system, and constructing a cloud password resource pool to enable the cluster to be in a ready state.
The cluster key system adopts a layered key protection scheme according to the security principle of layered structure and layer-by-layer protection, and prevents unauthorized access, use, leakage, modification and replacement. It consists of a root key; device keys, tenant keys and key encryption keys; and session keys. In the hierarchical key system, the root key is the top-level key of the cluster and protects the second-layer device keys, tenant keys and key encryption keys; the device key is the identity key of each node in the cluster and is used for identifying the node; the tenant key is used for tenant identity authentication, signature verification, session key negotiation and the like; the key encryption key protects the third-layer session key; and the session key is used for data encryption and decryption operations.
The hierarchical relationship of the cluster key structure and its protection is shown in Fig. 3. When the cluster is initialized, the management node calls the random number generator WNG-8 of the PCI-E cryptographic card to generate a root key, and the root key is divided into three shares using a 2-of-3 threshold scheme. One share is synchronized across the whole network by the management node and stored on each node; one share is sent to the cluster administrator, encrypted with the encryption public KEY in the USB KEY smart token held by the administrator, and stored in the USB KEY device; the remaining share is discarded.
When the cluster is initialized, a cluster manager holds USB KEY equipment, calls a random number generator WNG-8 of a PCI-E password card on each node to generate an equipment KEY, and the equipment KEY is protected by a root KEY and stored in each node, and when the equipment KEY is used, the equipment KEY is decrypted by the root KEY. The tenant key/key encryption key is generated by a random number generator WNG-8 of the PCI-E cipher card by the management node when the tenant is created, and is protected by the root key and stored in the management node, and is decrypted by the root key when the tenant is used. The session key is generated by tenant key negotiation when the cryptographic operation is executed, and is protected by a key encryption key, the key is not statically stored, and is destroyed immediately after the use is completed.
When the cluster is started, the cluster administrator inserts the USB KEY device into each node in turn; the node reads the key share stored in the USB KEY device, decrypts it with the decryption private KEY, combines it with the key share stored on the node using the 2-of-3 threshold scheme to recover the root key, starts the node, and so restores the cluster key system.
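The root key split described above is a threshold secret sharing scheme: three shares are produced, any two recover the root key, and a single share (the one stored on every node, or the one in the USB KEY) carries no information about it. The following is an added illustration, not code from the patent or its assignee, of a 2-of-3 Shamir split over a prime field. It assumes the root key is handled as a 256-bit integer, replaces the WNG-8 hardware generator with Python's `secrets` module, and omits the public-key encryption of the administrator's share in the USB KEY; the names `split_root_key`, `reconstruct_root_key`, `provision_root_key` and `cluster_startup` are hypothetical.

```python
# Added example (not the patent's own code): 2-of-3 threshold sharing of a cluster root key.
import secrets

# Mersenne prime 2^521 - 1: every 256-bit root key is a field element below it.
PRIME = (1 << 521) - 1
THRESHOLD = 2   # shares needed to recover the root key
SHARES = 3      # shares produced: node share, administrator share, discarded share


def split_root_key(root_key: int, threshold: int = THRESHOLD, shares: int = SHARES):
    """Shamir split: random polynomial of degree threshold-1 with f(0) = root_key."""
    assert 0 <= root_key < PRIME
    coeffs = [root_key] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    out = []
    for x in range(1, shares + 1):
        y = 0
        for c in reversed(coeffs):      # Horner evaluation of f(x) mod p
            y = (y * x + c) % PRIME
        out.append((x, y))
    return out


def reconstruct_root_key(shares):
    """Lagrange interpolation at x = 0 from any THRESHOLD distinct shares."""
    xs = [x for x, _ in shares]
    assert len(set(xs)) == len(xs) >= THRESHOLD
    secret = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = (num * (-xj)) % PRIME
                den = (den * (xi - xj)) % PRIME
        secret = (secret + yi * num * pow(den, -1, PRIME)) % PRIME
    return secret


def provision_root_key():
    """Initialization flow: generate the root key (hardware RNG assumed, `secrets` used here),
    keep one share for the nodes, hand one to the administrator, discard the third."""
    root_key = secrets.randbits(256)
    node_share, admin_share, _discarded = split_root_key(root_key)
    return root_key, node_share, admin_share


def cluster_startup(node_share, admin_share):
    """Startup flow: the administrator's share (from the USB KEY) is combined with the
    share held on the node; the root key itself is never stored anywhere."""
    return reconstruct_root_key([node_share, admin_share])
```

Because the threshold is two, the share replicated to every node is useless on its own, which is what makes it safe to keep it on every node while the second share stays with the administrator.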
When the cluster is initialized, each working node is responsible for loading a PCI-E password card device kernel module and binding a driver to the PF, then creating a required VF, binding all the VFs with the correct driver, and creating a resource configuration map. And each working node synchronizes the resource configuration mapping of each working node to the management node, and the management node performs dynamic allocation and management to form a cloud password resource pool.
Step S3: a tenant namespace is created. Tenant namespaces are views of resources that are isolated by tenant, with each tenant assigned a unique namespace. Each namespace is comprised of a network namespace, a process namespace, a user namespace, and a cryptographic resource namespace. The cluster administrator is responsible for creating tenant namespaces including opening tenant access accounts, authorizing accessible resources, resource quotas, setting admission control rules, and the like.
The present system uses containerd (an open-source container runtime) and SR-IOV technology to create and manage the runtime environment of the tenant namespaces. When creating a tenant, the tenant namespace component creates a process namespace, a network namespace and a user namespace by invoking containerd to use the namespace mechanism of the Linux kernel, thereby isolating process, network and user resources; the tenant namespace component creates a cryptographic resource namespace based on SR-IOV technology, namely, when it creates a virtual cryptographic host running instance for the tenant, it dynamically allocates an independent VF device to the instance, and the VF device defines the key space, PCI-E channel, random number buffer pool and other configuration of the virtual cryptographic host, so that a cryptographic resource isolation view among different tenants can be realized and the tenant's access rights to cryptographic resources are limited.
The tenant namespace component creates a network namespace by invoking a containerd using the netns mechanism of the Linux kernel. When creating a virtual cryptographic host running instance for a tenant, the tenant namespace component assigns a separate network stack to the virtual cryptographic host running instance and associates it to a particular netns. The netns (system call function) defines the configuration of network interfaces, routing tables, protocol stacks and the like of the virtual cryptographic host running instance, and can realize network isolation and access control among different tenants.
The tenant namespace component creates a process namespace by invoking containerd using the namespace mechanism of the Linux kernel. When creating a virtual cryptographic host running instance for a tenant, the tenant namespace component creates a new process using system call functions such as fork and exec and associates it with a particular namespace. This namespace is associated with the runtime environment of the tenant namespace, which limits the access rights of processes to system resources.
The tenant namespace component creates a user namespace by invoking containerd using the user_namespace mechanism of the Linux kernel. When creating a virtual cryptographic host running instance for a tenant, the tenant namespace component assigns a set of user IDs and group IDs to the instance and associates them with a particular user_namespace. The user_namespace defines the user and user group environment of the virtual cryptographic host running instance, and realizes user isolation and access control among different tenants.
The tenant namespace component creates a cryptographic resource namespace based on SR-IOV technology. When creating a virtual cryptographic host operation instance for a tenant, the tenant name space component dynamically allocates an independent VF device for the virtual cryptographic host operation instance, and the VF device defines cryptographic resources such as a key space, a PCI-E channel, a random number buffer pool and the like of the virtual cryptographic host, so that a cryptographic resource isolation view among different tenants can be realized, and access rights of the tenants to the cryptographic resources are limited.
The cluster administrator creates a tenant namespace through the cluster Web management tool; the tenant namespace component creates a process namespace, a network namespace and a user namespace by calling the namespace, netns and user_namespace mechanisms of the underlying Linux kernel through containerd, creates a cryptographic resource namespace based on SR-IOV technology, opens an access account for the tenant, grants accessible resources and resource quotas, sets admission control rules and the like, and thereby achieves a resource view isolated by tenant. Linkage between these namespaces is coordinated and managed by the tenant namespace component, providing a more flexible and secure tenant-isolated virtual cryptographic host operating environment.
Step S4: and configuring a virtual password host template. The virtual password host template is configured by the tenant according to the actual requirement of the own business system, and the template configuration items can comprise: virtual cryptographic hostname, belonging namespace, mirror type and version, service port number, label, resource request and restriction, priority, instance number range, etc.
In order to meet the self-diversified cryptographic operation requirements of each tenant, the tenant can configure a virtual cryptographic host template according to the actual situation of the own business system. By using the virtual cryptographic host template, the virtual cryptographic host controller can automatically create and manage the virtual cryptographic host according to the number range of instances of the virtual cryptographic host and based on tenant cryptographic service request flow, and the virtual cryptographic host scheduler can search for a proper working node to generate an operation instance according to the resource request and limitation of the virtual cryptographic host, and finally, the node management component ensures that the virtual cryptographic host operation instance applied on each node has correct and identical configuration and behavior.
The values of the configuration items can be divided into two categories: the first type is used for standardizing that the virtual cryptographic host has the same settings and behaviors on all nodes, including virtual cryptographic host names, belonging namespaces, mirror image types and versions, service port numbers, labels and the like; the other is specially set for realizing uniform distribution and dynamic scheduling of the password resources, and comprises resource request and limitation, priority, instance number range and the like. Wherein the instance number range is a limit range set for the virtual cryptographic host controller to balance the number of virtual cryptographic hosts according to the observation index; the resource request, the limit and the priority are specification parameters which are set by the virtual cryptographic host scheduler and are special for each virtual cryptographic host, wherein the specification parameters are used for the virtual cryptographic host scheduler to select the optimal working node for creating an operation instance according to the current cluster cryptographic resource distribution condition.
The virtual cipher host controller and the dispatcher combine the use condition of resources on the working node and the second type configuration items (resource request and limit, priority, instance number range and the like) of the virtual cipher host to realize automatic dynamic dispatching and uniform distribution of cipher resources, and improve the utilization rate of the cipher resources.
The node management component ensures that the virtual password host operating examples applied to each working node have correct and same configuration and behavior, namely the virtual password hosts operated on each working node are identical configuration and indiscriminate example copies, so that the step S5 and the step S6 can be ensured to successfully realize automatic dynamic scheduling of password resources and uniform distribution of the password resources, and the utilization rate of the password resources is improved.
Step S5: a virtual cryptographic host is created. The virtual password host controller creates a virtual password host with the lower limit value of the number range of instances according to the virtual password host template configured by the tenant, ensures the minimum availability of the tenant password resources, and dynamically adjusts the required scale of the tenant virtual password host and improves the utilization rate of the password resources by defining some observable indexes including average CPU utilization rate, average memory utilization rate, VF average I/O read-write rate and the like, and calculating the number of running instances of the virtual password host in real time according to the current index and the expected index.
The virtual cryptographic host controller calculates the scale-out or scale-in ratio of the number of virtual cryptographic host running instances from the current number of instances, the current value of the observation index, the expected value of the observation index and other parameters. It first selects the observation index (the observation indexes supported by the system include, but are not limited to, average CPU utilization, average memory utilization and average VF I/O read/write rate, and are set by a configuration file when the system starts), and then applies the following formula:
Expected number of instances = ceil(current number of instances × (current value of observation index / expected value of observation index)).
The terms in the formula are explained as follows:
Expected number of instances: the expected number of tenant virtual cryptographic host running instances set in the configuration file, namely the upper limit value of the instance number range set in step S4.
Current number of instances: the number of tenant virtual cryptographic host running instances that already exist and are running normally.
Observation index: the metric used for evaluating and adjusting the number of tenant virtual cryptographic hosts.
Current value of observation index: real-time data measuring the operating performance of the tenant virtual cryptographic hosts.
Expected value of observation index: target data for the operating performance of the tenant virtual cryptographic hosts.
For example: the virtual cryptographic host controller adopts average CPU utilization as the observation index; if the current value of the observation index is 300m (one CPU core equals 1000 millicores [m]) and the expected value is 150m, the number of virtual cryptographic host instances is doubled; if the current value is 75m, the number of virtual cryptographic host instances is halved.
If a plurality of observation indexes are configured in the virtual password host controller, the expansion and contraction quantity is calculated according to each observation index, and the maximum value is taken for expansion and contraction.
In addition, before the virtual cryptographic host controller performs the scaling operation, scaling information is recorded, and then all information is considered in the operation time window (30 seconds as a default, configurable), and the highest scoring result is selected. This configuration allows the system to perform the scaling operation more smoothly, thereby eliminating the influence of rapid fluctuation of the observation index value in a short time.
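The controller logic of step S5 (per-index recommendation rounded up, the maximum across indexes, clamping to the instance number range of the template, and the 30-second operation window) is illustrated below. This is an added example and not code from the patent; the names `ScalePolicy`, `desired_instances` and `ScalingWindow` are hypothetical. It assumes, as one reading of "the highest scoring result is selected", that the recommendation applied is the largest one recorded inside the window, which is what prevents a brief dip in the index from shrinking the deployment.

```python
# Added example (not the patent's own code): scaling computation of the virtual cryptographic host controller.
import math
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class ScalePolicy:
    min_instances: int           # lower limit of the instance number range (template item)
    max_instances: int           # upper limit of the instance number range (template item)
    expected: Dict[str, float]   # expected value per observation index, e.g. {"cpu": 150}


def desired_for_metric(current_instances: int, current_value: float, expected_value: float) -> int:
    """Per-index recommendation: ceil(current * current_value / expected_value)."""
    if expected_value <= 0:
        raise ValueError("expected value of an observation index must be positive")
    return math.ceil(current_instances * (current_value / expected_value))


def desired_instances(current_instances: int, observed: Dict[str, float], policy: ScalePolicy) -> int:
    """Maximum over all configured indexes, then clamped to the template's instance range."""
    candidates = [desired_for_metric(current_instances, observed[name], policy.expected[name])
                  for name in policy.expected if name in observed]
    if not candidates:                     # no index reported yet: keep the current scale
        return current_instances
    return max(policy.min_instances, min(policy.max_instances, max(candidates)))


@dataclass
class ScalingWindow:
    """Records every recommendation with its timestamp; the value applied is the largest
    recommendation seen inside the window (assumption), which damps short fluctuations."""
    window_seconds: int = 30
    history: List[Tuple[float, int]] = field(default_factory=list)

    def record(self, now: float, recommendation: int) -> int:
        self.history.append((now, recommendation))
        self.history = [(t, r) for t, r in self.history if now - t <= self.window_seconds]
        return max(r for _, r in self.history)
```

With four running instances and the CPU example from the description (300m observed against 150m expected) the recommendation is 8; with 75m observed it is 2. A second index that recommends fewer instances does not reduce the result, because the maximum is taken.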
Step S6: the virtual cryptographic host is scheduled. The virtual cryptographic host scheduler selects a best node for each newly created virtual cryptographic host found. The dispatcher firstly filters out all schedulable nodes meeting the configuration of the virtual password host in the cluster, then scores the nodes, and selects the node with the highest score as a target node to operate.
The virtual cryptographic host scheduler discovers virtual cryptographic hosts in the cluster that are newly created and have not yet been scheduled onto the working node through a monitoring mechanism. The virtual crypto host scheduler will schedule each discovered unscheduled virtual crypto host to run on an appropriate working node.
The virtual cryptographic host scheduler mainly comprises two steps when making scheduling selection for a virtual cryptographic host: filtering and scoring. The method comprises the following steps:
Step S61: the purpose of the filtering stage is to select all working nodes meeting the scheduling requirements of the virtual crypto host. The virtual crypto host scheduler may execute the filter rules according to the following principles:
1) Resource requirements. A working node with sufficient resources is selected according to the CPU, memory and cryptographic operation requirements of the virtual cryptographic host.
2) Resource allocation. The virtual cryptographic host scheduler considers the other virtual cryptographic hosts already running on the working node and their resource requirements, so that resources are allocated reasonably without exceeding the node's resource limits.
3) Configuration checking. It is checked whether a port already in use on the working node conflicts with the port requested by the virtual cryptographic host. If there is a conflict, the priority of the running virtual cryptographic host holding the port is compared with that of the virtual cryptographic host to be scheduled; if the latter has the higher priority, the working node is retained (if no better node is found, this node is used as the target node and the low-priority virtual cryptographic host is evicted), otherwise the working node is removed.
4) Label selector. Working nodes whose labels do not match the labels of the virtual cryptographic host are filtered out. If the virtual cryptographic host defines no label, this item is ignored.
After filtering, a list of working nodes is obtained, which contains all schedulable nodes. In general this target list contains more than one working node. If the list is empty, the current cluster has no working node that can run the virtual cryptographic host, and scheduling fails.
If the virtual crypto host of the tenant fails to dispatch, the following processing logic will be performed:
1) The scheduling is continuously attempted. The virtual crypto host scheduler will continually try to schedule it onto the available working nodes. During the attempt, the virtual crypto host scheduler may temporarily fail to schedule, but may continually monitor available working nodes and crypto resource usage and gradually find the appropriate working node over time.
2) Triggering a priority preemption mechanism. If the persistent attempt to schedule is still unsuccessful, the virtual cryptographic host scheduler will attempt to remove the low priority virtual cryptographic host running instance from the working node in other tenants to free up resources for the non-scheduled high priority virtual cryptographic host.
3) Sending an alarm notification: if the virtual crypto host is not scheduled all the time and the problem is not solved by triggering the priority preemption mechanism, the system sends an alarm notification to the cluster manager so that the cluster manager can know the problem in time and take corresponding measures.
In short, when a tenant virtual cryptographic host remains unscheduled, the virtual cryptographic host scheduler applies the processing methods of continuing to attempt scheduling, triggering the priority preemption mechanism and sending an alarm notification to help resolve the problem. The cluster administrator can determine the cause of the problem by consulting the log, event objects, alarm notifications and other information, and take corresponding measures.
Step S62: in the scoring stage, the virtual cryptographic host scheduler may select a most appropriate working node from all schedulable nodes for the virtual cryptographic host. The scoring range is 0-10 points, and the node with the highest score is the best node bound by the virtual cryptographic host.
Step S621: the key indicator (CPU, memory, VF I/O) scores on each working node are calculated. The formula is as follows:
cpuFraction = cpu((capacity - sum(requested)) * 10 / capacity)
memoryFraction = memory((capacity - sum(requested)) * 10 / capacity)
vfioFraction = vfio((capacity - sum(requested)) * 10 / capacity)
The terms in the formulas are explained as follows:
cpuFraction: CPU idle score, representing the share of CPU resources on the working node that is free.
memoryFraction: memory idle score, representing the share of memory on the working node that is free.
vfioFraction: VF I/O idle score, representing the share of VF I/O resources on the working node that is free.
cpu(): converts the CPU idle resource percentage of the working node into an integer CPU idle score.
memory(): converts the memory idle resource percentage of the working node into an integer memory idle score.
vfio(): converts the VF I/O idle resource percentage of the working node into an integer VF I/O idle score.
capacity: the total capacity of each key indicator on the working node.
requested: the amount of each key indicator already requested on the working node.
sum(): the sum of all resources requested by the virtual cryptographic hosts on the working node.
The smaller the amount of requested resources on a worker node, the higher the score for each key indicator, and therefore it should be scheduled to that worker node preferentially.
Step S622: scoring all schedulable nodes. The formula is as follows:
score = 10 - variance(cpuFraction, memoryFraction, vfioFraction) * 10
The terms in the formula are explained as follows:
score: the scheduling score of the working node calculated according to the scoring rule.
variance(): the "distance" between the key indicator (CPU, memory, VF I/O) scores of the working node.
cpuFraction: CPU idle score, representing the share of CPU resources on the working node that is free.
memoryFraction: memory idle score, representing the share of memory on the working node that is free.
vfioFraction: VF I/O idle score, representing the share of VF I/O resources on the working node that is free.
Finally, the virtual cryptographic host scheduler will schedule the virtual cryptographic host to the highest scoring working node, i.e., the virtual cryptographic host scheduler selects the node with the most balanced resource allocation in the working node list. If there are a plurality of working nodes with highest scores, the scheduler randomly selects one of the working nodes as a target node.
The scoring rule is helpful to ensure that resources on the working nodes are fully utilized, and the situation that the number of virtual cryptographic host operation examples on some working nodes is excessive and other working nodes are idle is avoided, so that the uniform distribution of the cryptographic resources is realized.
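The two-stage selection of step S6 (filtering by resources, port conflict with priority and label selector in S61; balanced-allocation scoring in S62) is illustrated below with a constructed three-node cluster. This is an added example, not code from the patent; `VirtualCryptoHost`, `WorkerNode`, `passes_filter`, `balanced_score`, `schedule` and `build_sample_cluster` are hypothetical names. Two assumptions are made: the fractions are rescaled from the page's 0..10 range to [0, 1] before the variance is taken, so that `score = 10 - variance * 10` actually stays within the stated 0-10 range; and eviction of a lower-priority host after a port conflict is not modelled, the node is simply kept as a candidate.

```python
# Added example (not the patent's own code): filter and score scheduling for a virtual cryptographic host.
import random
from dataclasses import dataclass, field
from statistics import pvariance
from typing import Dict, List, Optional


@dataclass
class VirtualCryptoHost:
    name: str
    requests: Dict[str, float]         # e.g. {"cpu": 500, "memory": 512, "vfio": 1}
    port: int
    priority: int
    labels: Dict[str, str] = field(default_factory=dict)


@dataclass
class WorkerNode:
    name: str
    capacity: Dict[str, float]
    labels: Dict[str, str]
    running: List[VirtualCryptoHost] = field(default_factory=list)

    def requested(self, key: str) -> float:
        return sum(h.requests.get(key, 0) for h in self.running)

    def free(self, key: str) -> float:
        return self.capacity[key] - self.requested(key)


KEYS = ("cpu", "memory", "vfio")   # the three key indicators


def passes_filter(host: VirtualCryptoHost, node: WorkerNode) -> bool:
    # 1)+2) resource requirements, counting hosts already placed on the node
    if any(host.requests.get(k, 0) > node.free(k) for k in KEYS):
        return False
    # 4) label selector: every label of the host must be present on the node
    if any(node.labels.get(k) != v for k, v in host.labels.items()):
        return False
    # 3) configuration check: port conflict is tolerated only if the candidate outranks the holder
    conflicts = [h for h in node.running if h.port == host.port]
    return all(host.priority > h.priority for h in conflicts)


def fraction(node: WorkerNode, key: str) -> float:
    """Idle share of one key indicator on the page's 0..10 scale."""
    return (node.capacity[key] - node.requested(key)) * 10 / node.capacity[key]


def balanced_score(node: WorkerNode) -> float:
    """score = 10 - variance(fractions) * 10, with fractions rescaled to [0, 1] (assumption)."""
    fr = [fraction(node, k) / 10 for k in KEYS]
    return 10 - pvariance(fr) * 10


def schedule(host: VirtualCryptoHost, nodes: List[WorkerNode], rng=random) -> Optional[WorkerNode]:
    feasible = [n for n in nodes if passes_filter(host, n)]
    if not feasible:
        return None                      # scheduling fails: retry, preempt, or alert
    best = max(balanced_score(n) for n in feasible)
    winners = [n for n in feasible if balanced_score(n) == best]
    return rng.choice(winners)           # ties are broken at random, as described


def build_sample_cluster():
    """Constructed sample: worker-a is evenly used, worker-b is memory-heavy, worker-c is in another zone."""
    cap = {"cpu": 4000, "memory": 8000, "vfio": 8}
    a = WorkerNode("worker-a", dict(cap), {"zone": "a"},
                   [VirtualCryptoHost("t1-vch", {"cpu": 2000, "memory": 4000, "vfio": 4}, 9000, 1)])
    b = WorkerNode("worker-b", dict(cap), {"zone": "a"},
                   [VirtualCryptoHost("t2-vch", {"cpu": 1000, "memory": 6000, "vfio": 4}, 9001, 1)])
    c = WorkerNode("worker-c", {"cpu": 1000, "memory": 1000, "vfio": 1}, {"zone": "b"})
    host = VirtualCryptoHost("t3-vch", {"cpu": 500, "memory": 512, "vfio": 1}, 8443, 5, {"zone": "a"})
    return host, [a, b, c]
```

In the sample, worker-a has all three fractions at 5 (score 10), worker-b has fractions 7.5, 2.5 and 5 (score about 9.58), and worker-c is removed by the label selector, so the host lands on worker-a; the same host with port 9000 and a lower priority than the host already holding that port on worker-a is placed on worker-b instead.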
Step S7: and generating a virtual password host operation instance. The node management component allocates password resources for the virtual password host scheduled to the current node, generates a virtual password host running instance, monitors the running state of the instance in real time, and detects and repairs faults; and stopping a certain number of instance copies according to the volume shrinkage message sent by the virtual cryptographic host controller, and releasing and recovering the cryptographic resources occupied by the low-load instance copies.
The node management component operates on each working node, receives the first type of configuration templates of the virtual password host provided for the node management component by the virtual password host controller, allocates password resources for the first type of configuration templates, generates virtual password host operation examples, and ensures that the virtual password hosts described in the configuration templates are in an operation state and have good operation conditions.
In addition, the node management component is responsible for receiving the volume shrinking instruction sent to the virtual cryptographic host controller after the expansion and contraction quantity is calculated according to the observation index, executing the volume shrinking operation, randomly terminating a certain quantity of instance copies, and releasing and recovering the cryptographic resources occupied by the instance copies.
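The cloud cryptographic resource pool of step S2 (VFs created by each working node and reported to the management node as a resource configuration map) and the node-side allocation and scale-in of step S7 share one bookkeeping structure. The following added example, not code from the patent, shows that structure and the isolation invariant it must keep: a VF is bound to at most one running instance, and an instance's VFs never belong to two tenants. The class `CryptoResourcePool`, its methods, and the PCI addresses and tenant names used in the sample are hypothetical; creation of the VFs themselves (writing to the PF's `sriov_numvfs` in sysfs and binding drivers) is done by the kernel and is out of scope here.

```python
# Added example (not the patent's own code): resource pool bookkeeping for SR-IOV VFs.
import random
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class VFDevice:
    bdf: str                         # PCI address of the VF (constructed sample values below)
    node: str                        # working node that owns the physical card
    tenant: Optional[str] = None
    instance: Optional[str] = None   # virtual cryptographic host running instance using the VF


class CryptoResourcePool:
    """Cloud cryptographic resource pool held by the management node."""

    def __init__(self):
        self.vfs: Dict[str, VFDevice] = {}

    def register_node(self, node: str, vf_bdfs: List[str]) -> None:
        """Resource configuration map synchronized from a working node at initialization."""
        for bdf in vf_bdfs:
            self.vfs[bdf] = VFDevice(bdf=bdf, node=node)

    def allocate(self, node: str, tenant: str, instance: str) -> Optional[str]:
        """Bind a free VF on the node to a new running instance; None if the node has no free VF."""
        for vf in self.vfs.values():
            if vf.node == node and vf.instance is None:
                vf.tenant, vf.instance = tenant, instance
                return vf.bdf
        return None

    def release(self, instance: str) -> int:
        """Recover every VF held by a terminated instance; returns the number recovered."""
        freed = 0
        for vf in self.vfs.values():
            if vf.instance == instance:
                vf.tenant = vf.instance = None
                freed += 1
        return freed

    def instances_of(self, tenant: str) -> List[str]:
        return sorted({vf.instance for vf in self.vfs.values() if vf.tenant == tenant and vf.instance})

    def scale_in(self, tenant: str, count: int, rng=random) -> List[str]:
        """Scale-in message from the controller: terminate `count` instance copies chosen at random."""
        victims = rng.sample(self.instances_of(tenant), min(count, len(self.instances_of(tenant))))
        for inst in victims:
            self.release(inst)
        return victims

    def free_on(self, node: str) -> int:
        return sum(1 for vf in self.vfs.values() if vf.node == node and vf.instance is None)

    def check_isolation(self) -> bool:
        """Invariant: every bound VF has a tenant, and no instance spans two tenants."""
        owner: Dict[str, str] = {}
        for vf in self.vfs.values():
            if vf.instance is None:
                continue
            if vf.tenant is None or owner.setdefault(vf.instance, vf.tenant) != vf.tenant:
                return False
        return True
```

Returning `None` rather than reusing a VF when a node is exhausted is the point of the example: the scheduler's resource filter should have prevented the request, and the node must refuse rather than silently share a VF between tenants.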
Step S8: the cryptographic service in the virtual cryptographic host running instance is disclosed as a web service. The network service component defines a set of logical collections of virtual cryptographic host running instances in each tenant namespace and a method of how to expose those instances as network services, ultimately yielding a set of service endpoints accessible to the tenant business system and providing load balancing capabilities.
In order to reduce the operation and maintenance difficulty of the physical password equipment cluster in the cloud environment and simplify the cluster management process, the invention provides an operation and maintenance management mechanism of the virtual password host operation example based on the configuration template, which is mentioned in the step S4. Meanwhile, in order to better realize automatic dynamic scheduling and uniform distribution of password resources, a virtual password host is defined as a relatively temporary entity, the expansion and contraction proportion of the number of the virtual password hosts is calculated in real time by a virtual password host controller according to current indexes and expected indexes, and the newly created virtual password hosts are scheduled to proper working nodes to operate by the virtual password host scheduler, so that dynamic scheduling and uniform distribution of password resources are realized, and the utilization efficiency of the password resources is improved. Each virtual cryptographic host running instance is assigned an IP address belonging to itself in the cluster, but because it is designed as a relatively temporary instance, it is destroyed or replaced by the node management component at any time, and thus it is unable to provide a stable and reliable cryptographic service to the outside.
Network service components have emerged to address this problem. The network service component provides a fixed IP address for each tenant to be accessed externally, and the virtual password host is accessed through the network service component, so that the tenant business system can still access the password service through the fixed IP address of the network service component when the IP address of the virtual password host changes.
The virtual cryptographic host running instances created by the cluster for a tenant all carry the same label configuration item with the same label value. The network service component matches a set of virtual cryptographic host running instances by a label selector and aggregates them into a logical collection behind a single fixed access entry. The label selector is based on the label configured in the tenant's virtual cryptographic host template; the network service component selects the virtual cryptographic hosts matching that label and creates the corresponding logical collection, thereby routing ingress traffic to the matching running instances. The logical collection contains references to all virtual cryptographic hosts matched by the component's label selector, organized by a unique protocol, port number and service name, and finally yields a set of cryptographic service endpoints accessible to the tenant's business system. The network service component monitors the virtual cryptographic host running instances in the tenant namespace in real time, adds instances newly generated by scheduling to the endpoint set, and removes old instances terminated by scale-in or by abnormal exit from the endpoint set.
The network service component generates specific routing access rules for virtual cryptographic host instance processes in the cryptographic service endpoint set by using an iptables tool to realize a flow forwarding function, wherein the routing access rules allow network session to be established between cryptographic service requests outside the cluster and the virtual cryptographic host instance processes in the cluster, and the tenant cryptographic service requests are processed.
The method solves the problems of password resource waste, unstable password service performance and the like caused by unbalanced password resource allocation and incapability of real-time adjustment according to the actual request flow of a service system in a cloud environment, and the dynamic scheduling of the password resources in the whole cluster can be automatically completed without manual intervention, thereby reducing the operation and maintenance difficulty of a physical password device cluster in the cloud environment, simplifying the cluster management process and improving the use efficiency of the password resources in the cluster.
The foregoing has shown and described the basic principles, principal features and advantages of the invention. It will be understood by those skilled in the art that the present invention is not limited to the embodiments described above, and that the above embodiments and descriptions are merely illustrative of the principles of the present invention, and various changes and modifications may be made therein without departing from the spirit and scope of the invention, which is defined by the appended claims. The scope of the invention is defined by the appended claims and equivalents thereof.

Claims (10)

1. A multi-tenant isolated password resource automatic scheduling system in a cloud environment, comprising a tenant authentication gateway, tenant namespaces, a virtual cryptographic host controller, a virtual cryptographic host scheduler, a node management component and a network service component, characterized in that:
the tenant authentication gateway serves as the cluster resource access entrance and performs identity authentication, resource authentication and admission control for tenants; a cloud tenant or business system must pass the tenant authentication gateway, which first checks the validity of its identity and then authenticates the resources it requests; each tenant can only access the password resources within its own namespace, and finer-grained access control rules can be set according to business needs, including but not limited to whitelist restrictions, blacklist interception, request type restrictions and request data size limits;
the tenant namespaces are resource views isolated per tenant; each tenant is allocated a unique namespace, and the security isolation of multi-tenant resources is realised with the Linux Namespace and CGroups control group kernel mechanisms and SR-IOV technology, comprising a network namespace that isolates tenant network resources, a process namespace that isolates tenant process resources, a user namespace that limits user access rights, and a password resource namespace that restricts the tenant to viewing and operating only the password resources allocated to it;
The virtual password host is a relatively temporary entity, is created based on a virtual password host configuration template and exists in the range of the tenant namespaces, and the life cycle comprises creation, scheduling, initialization, readiness, termination and resource recovery;
the virtual password host controller creates virtual password hosts at the lower limit of the instance number range according to the virtual password host template configured by the tenant, ensuring the minimum availability of the tenant's password resources; by defining observable indexes, including average CPU utilization, average memory utilization and average VF I/O read/write rate, and calculating the number of running instances of the virtual cryptographic host in real time from the current and expected index values, it dynamically adjusts the required scale of the tenant's virtual cryptographic hosts;
the virtual password host computer scheduler uses a scheduling algorithm to schedule the virtual password host computer to a proper node for operation, so that the uniform distribution of password resources is realized, and the utilization efficiency of the password resources is improved;
the node management component is responsible for distributing password resources for the virtual password host machine scheduled to the current node, generating a virtual password host machine operation instance, monitoring the operation state of the instance in real time, and carrying out fault detection and repair; terminating a certain number of instance copies according to the volume shrinkage message sent by the virtual cryptographic host controller, releasing and recovering the cryptographic resources occupied by the low-load instance copies, realizing uniform distribution of the cryptographic resources and improving the utilization efficiency of the cryptographic resources;
The network service component defines a set of logical collections of virtual cryptographic host running instances in each tenant namespace and a method of how to disclose these instances as network services, ultimately yielding a set of service endpoints accessible to the tenant business system, handling tenant cryptographic business requests, and providing load balancing capabilities.
2. A method for automatic scheduling of multi-tenant isolated password resources in a cloud environment, based on the multi-tenant isolated password resource automatic scheduling system in a cloud environment of claim 1, characterized by comprising the following steps:
step S1: deploying a password resource cluster: a cluster manager deploys a password resource automatic scheduling system through an automatic deployment tool to construct a complete password resource cluster;
step S2: constructing a cloud password resource pool: before the cluster works normally, a cluster manager initializes the cluster to generate a cluster key system and constructs a cloud password resource pool;
step S3: creating a tenant namespace: tenant namespaces are views of resources isolated by tenant, each tenant being assigned a unique namespace; each namespace is comprised of a network namespace, a process namespace, a user namespace, and a cryptographic resource namespace; the cluster manager is responsible for creating tenant namespaces, including opening tenant access accounts, authorizing accessible resources, resource quota and setting admission control rules;
Step S4: configuring a virtual password host template: the virtual password host template is configured by the tenant according to the actual requirement of the own business system, and the template configuration items can comprise: virtual cryptographic hostname, belonging namespace, mirror type and version, service port number, resource request and limit, priority, number of instances range;
step S5: creating a virtual cryptographic host: the virtual password host controller creates a virtual password host with the lower limit value of the number range of the instances according to the virtual password host template configured by the tenant, ensures the minimum availability of the tenant password resources, calculates the number of running instances of the virtual password host in real time according to the current index and the expected index, and realizes the dynamic adjustment of the required scale of the tenant virtual password host;
step S6: scheduling a virtual cryptographic host: the virtual cryptographic host scheduler selects an optimal node for each newly created virtual cryptographic host it discovers; the scheduler first filters out all schedulable nodes in the cluster that satisfy the configuration of the virtual password host, then scores those nodes, and selects the node with the highest score as the target node on which the host runs;
step S7: generating a virtual cryptographic host running instance: the node management component allocates password resources for the virtual password host scheduled to the current node, generates a virtual password host running instance, monitors the running state of the instance in real time, and detects and repairs faults; terminating a certain number of instance copies according to the volume shrinkage message sent by the virtual cryptographic host controller, and releasing and recovering the cryptographic resources occupied by the low-load instance copies;
Step S8: exposing the cryptographic service in the virtual cryptographic host running instances as a network service: the network service component defines a logical set of virtual cryptographic host running instances in each tenant namespace and the way these instances are exposed as network services, finally yielding a set of service endpoints accessible to the tenant business system and providing load balancing capabilities.
3. The method for automating multi-tenant isolated cryptographic resources in a cloud environment of claim 2, wherein the method comprises the steps of: the step S1 specifically includes:
step S11: planning the scale of the cryptographic resource cluster as needed, using a one-master, multi-worker topology in which the cluster comprises one management node and two working nodes;
step S12: deploying the cluster runtime environment by executing the following operations on all nodes: configuring the node network, installing the container runtime (containerd), installing and running the SR-IOV network device plug-in, synchronizing time, and configuring kernel forwarding and bridge filtering; deploying the tenant authentication gateway, the virtual password host controller, the virtual password host scheduler and the network service component on the master node; deploying the node management component, the node network agent and the virtual password host image on each working node; finally, connecting each working node to the management node so that working nodes and management node are managed uniformly;
Step S13: deploying a cluster management Web tool, checking the running state of the cluster, and verifying whether the cluster is built successfully.
4. The method for automating multi-tenant isolated cryptographic resources in a cloud environment of claim 2, wherein the method comprises the steps of: the step S2 specifically includes:
after the password resource cluster is successfully deployed, a cluster key system is not generated and is in an initial state; initializing a cluster through a cluster management Web tool to generate a cluster key system, and constructing a cloud password resource pool to enable the cluster to be in a ready state;
step S21: generating the cluster key system: the management node calls the random number generator WNG-8 of the PCI-E cipher card to generate a root key and protects it with a three-two (two-of-three) threshold mechanism; the cluster manager then holds a USB KEY device and calls the random number generator WNG-8 of the PCI-E cipher card on each node to generate a device key, which is protected by the root key and stored on that node; the tenant key and key encryption key are generated by the management node with the random number generator WNG-8 of the PCI-E cipher card when the tenant is created, are protected by the root key and stored on the management node, and are decrypted with the root key when used; the session key is negotiated from the tenant key when a cryptographic operation is executed and is protected by the key encryption key; it is never stored statically and is destroyed immediately after use;
Step S22: constructing a cloud password resource pool: each working node is responsible for loading a PCI-E password card device kernel module and binding a driver to the PF, then creating a required VF, binding all the VFs with a correct driver, and creating a resource configuration map; each working node synchronizes the resource allocation mapping of the working node to the management node, and the management node performs dynamic allocation and management to form a cloud password resource pool;
step S23: starting the cluster and restoring the cluster key system: the cluster manager inserts the USB KEY device into each node in turn, reads the group of key components held on the USB KEY device, decrypts them with the decryption private key, combines them with the group of key components stored on that node under the three-two threshold mechanism to synthesize the root key, starts each node of the cluster, and thereby restores the cluster key system.
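The two-of-three threshold protection of the root key in steps S21 and S23 can be modelled with Shamir secret sharing. The following Python code is an added illustration, not code from the patent or its applicant; it assumes Shamir sharing over the prime field GF(2^521 - 1) as the threshold mechanism, uses the Python CSPRNG in place of the WNG-8 random number generator, and leaves the private-key decryption of the USB KEY component out of the model. Any two of the three components (for example the one stored on a node and the one read from the USB KEY) recover the root key; one alone does not.

```python
import secrets
from typing import Dict, List, Tuple

# Field for the threshold scheme: the Mersenne prime 2^521 - 1, large enough to
# hold a 256-bit root key as a single field element. (Assumed choice of field.)
PRIME = (1 << 521) - 1
ROOT_KEY_BYTES = 32
Share = Tuple[int, int]  # (x, y) = one key component


def generate_root_key() -> bytes:
    """Stand-in for the cipher card's random number generator (assumption: any CSPRNG)."""
    return secrets.token_bytes(ROOT_KEY_BYTES)


def split_root_key(root_key: bytes, n: int = 3, k: int = 2) -> List[Share]:
    """Split the root key into n components so that any k of them reconstruct it.

    Shamir secret sharing: a random polynomial of degree k-1 whose constant term
    is the key is evaluated at x = 1..n. With (n, k) = (3, 2) this is the
    "three-two" threshold protection named in step S21.
    """
    secret = int.from_bytes(root_key, "big")
    if secret >= PRIME:
        raise ValueError("root key too large for the field")
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(k - 1)]
    shares = []
    for x in range(1, n + 1):
        y = 0
        for c in reversed(coeffs):          # Horner evaluation modulo PRIME
            y = (y * x + c) % PRIME
        shares.append((x, y))
    return shares


def _distinct(components: List[Share]) -> Dict[int, int]:
    distinct: Dict[int, int] = {}
    for x, y in components:
        distinct.setdefault(x, y)
    return distinct


def components_sufficient(components: List[Share], k: int = 2) -> bool:
    """True when at least k distinct components are present (duplicates do not count)."""
    return len(_distinct(components)) >= k


def recover_root_key(components: List[Share], k: int = 2) -> bytes:
    """Lagrange interpolation at x = 0 from at least k distinct components (step S23)."""
    if not components_sufficient(components, k):
        raise ValueError("insufficient key components to synthesise the root key")
    points = list(_distinct(components).items())[:k]
    secret = 0
    for i, (xi, yi) in enumerate(points):
        num, den = 1, 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = (num * (-xj)) % PRIME
                den = (den * (xi - xj)) % PRIME
        secret = (secret + yi * num * pow(den, -1, PRIME)) % PRIME
    return secret.to_bytes(ROOT_KEY_BYTES, "big")


def restore_on_node(node_component: Share, usb_key_component: Share) -> bytes:
    """Step S23 as seen from one node: combine the component kept on the node with
    the component read from the administrator's USB KEY. (The page first decrypts
    the USB component with a private key; that step is not modelled here.)"""
    return recover_root_key([node_component, usb_key_component])


if __name__ == "__main__":
    rk = generate_root_key()
    node_share, usb_share, escrow_share = split_root_key(rk)
    print(restore_on_node(node_share, usb_share) == rk)   # True
    print(components_sufficient([node_share]))           # False
```

Because the secret is the constant term of a degree-1 polynomial, one component reveals nothing about the key on its own, which is why a stolen USB KEY or a single compromised node does not expose the root key under this scheme.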
5. The method for automating multi-tenant isolated cryptographic resources in a cloud environment of claim 2, wherein the method comprises the steps of: the step S3 specifically includes:
step S31: the tenant namespace component creates a network namespace by invoking a containerd using a netns mechanism of the Linux kernel;
step S32: the tenant namespace component creates a process namespace by invoking a containerd using a namespace mechanism of the Linux kernel;
Step S33: the tenant namespace component creates a user namespace by invoking containerd using the user_namespace mechanism of the Linux kernel;
step S34: the tenant namespace component creates a cryptographic resource namespace based on SR-IOV technology.
6. The method for automating multi-tenant isolated cryptographic resources in a cloud environment of claim 2, wherein the method comprises the steps of: the step S4 specifically includes:
in order to meet the self-diversified cryptographic operation requirements of each tenant, the tenant can configure a virtual cryptographic host template according to the actual situation of the self-service system; the template configuration items may include: virtual cryptographic hostname, belonging namespace, mirror type and version, service port number, label, resource request and restriction, priority, number of instances range;
step S41: setting a first type of configuration item; the first type of configuration items are used for standardizing that the virtual password host has the same setting and behavior on all nodes, and comprise a virtual password host name, a name space, a mirror image type and version, a service port number and a label;
step S42: setting a second type of configuration item which is specially set for realizing uniform distribution and dynamic scheduling of password resources, wherein the range of the number of instances is a limiting range set for a virtual password host controller to balance the number of virtual password hosts according to the observation indexes; the resource request, the limit and the priority are specification parameters which are set by the virtual cryptographic host scheduler and are special for each virtual cryptographic host, wherein the specification parameters are used for the virtual cryptographic host scheduler to select the optimal working node for creating an operation instance according to the current cluster cryptographic resource distribution condition.
7. The method for automating multi-tenant isolated cryptographic resources in a cloud environment of claim 2, wherein the method comprises the steps of: the step S5 specifically includes:
the virtual password host controller determines the behavior of the controller by defining some observable indexes including average CPU utilization rate, average memory utilization rate and VF average I/O read-write rate, and strives to change the current state into a desired state, so as to dynamically adjust the required scale of the tenant virtual password host;
step S51: configuring observation indexes including CPU utilization rate, average memory utilization rate and VF average I/O read-write rate;
step S52: calculating the expansion and contraction ratio of the number of virtual password hosts separately for each observation index according to the formula: expected number of instances = ⌈current number of instances × (observed index current value / observed index expected value)⌉, i.e. the product rounded up;
step S53: calculating the expansion and contraction quantity according to each observation index, and taking the maximum value as an expansion and contraction index (M);
step S54: obtaining the number (N) of running virtual password host instances in the namespace of the current tenant and applying the expansion and contraction logic: if the expansion and contraction index M is larger than N, the expansion operation creates (M-N) new virtual password hosts to meet the demand, sends an expansion message to the virtual password host scheduler, and executes step S6; if M is smaller than N, the contraction operation reduces the number of virtual password hosts by (N-M), sends a contraction message to the target working node, and executes step S7.
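The calculation in steps S52 to S54, as an added worked example in Python (not the patent's own code). It assumes the three observation indexes are given as current/expected pairs on the same scale, and it clamps M to the instance number range from the template (step S42) so the controller never goes below the guaranteed minimum or above the tenant's quota; all index values below are constructed.

```python
import math
from dataclasses import dataclass
from fractions import Fraction
from typing import Dict, Tuple


@dataclass
class ObservedIndex:
    """One observation index from step S51: its current (averaged) and expected value."""
    current: float
    expected: float


def desired_instances(current_instances: int, index: ObservedIndex) -> int:
    """Step S52: expected instances = ceil(current instances x (current value / expected value)).

    Exact rational arithmetic is used so that a float product such as
    2.0000000000000004 is not rounded up to 3 by mistake.
    """
    if index.expected <= 0:
        raise ValueError("expected value of an observation index must be positive")
    ratio = Fraction(index.current) / Fraction(index.expected)
    return math.ceil(current_instances * ratio)


def scaling_index(current_instances: int, indexes: Dict[str, ObservedIndex]) -> int:
    """Step S53: the expansion and contraction index M is the largest per-index count."""
    if not indexes:
        raise ValueError("at least one observation index is required")
    return max(desired_instances(current_instances, idx) for idx in indexes.values())


def scaling_decision(running: int, indexes: Dict[str, ObservedIndex],
                     min_instances: int, max_instances: int) -> Tuple[str, int]:
    """Step S54: compare M with the running count N and decide the action.

    M is clamped to the template's number-of-instances range (claim 6, step S42).
    Returns ("scale_out", M-N), ("scale_in", N-M) or ("none", 0).
    """
    m = scaling_index(running, indexes)
    m = max(min_instances, min(max_instances, m))
    if m > running:
        return ("scale_out", m - running)   # expansion message -> scheduler (step S6)
    if m < running:
        return ("scale_in", running - m)    # contraction message -> node management (step S7)
    return ("none", 0)


if __name__ == "__main__":
    # Constructed sample: 3 running instances, CPU over target, memory and VF I/O under it.
    sample = {
        "cpu": ObservedIndex(current=75, expected=50),
        "mem": ObservedIndex(current=40, expected=50),
        "vf_io": ObservedIndex(current=20, expected=40),
    }
    print(scaling_decision(3, sample, min_instances=1, max_instances=10))  # ('scale_out', 2)
```

Note the edge case the clamp handles: with N = 0 (for example after every instance terminated abnormally) the formula yields M = 0 for every index, and only the template's lower limit brings the tenant back to its guaranteed minimum.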
8. The method for automating multi-tenant isolated cryptographic resources in a cloud environment of claim 2, wherein the method comprises the steps of: the step S6 specifically includes:
the virtual cryptographic host scheduler mainly comprises two steps when making scheduling selection for a virtual cryptographic host: filtering and scoring;
step S61: filtering; executing a filtering rule to select all working nodes meeting the scheduling requirement of the virtual password host to obtain a working node list, wherein all schedulable nodes are contained in the working node list; typically, this target list of worker nodes contains more than one worker node; if the list is empty, the current cluster does not have a working node which meets the operation of the virtual password host, and the scheduling fails; if the virtual crypto host of the tenant fails to dispatch, the following processing logic will be performed:
1) Continuously attempting to schedule; the virtual crypto host scheduler will continually try to schedule it onto available working nodes; during the trial, the virtual crypto host scheduler may not be able to successfully schedule temporarily, but may continuously monitor the available working nodes and crypto resource usage and gradually find the appropriate working nodes over time;
2) Triggering a priority preemption mechanism; if the persistent attempt to schedule is still unsuccessful, the virtual cryptographic host scheduler will attempt to remove the low priority virtual cryptographic host running instance from the working node in other tenants to free up resources for the high priority virtual cryptographic host that cannot be scheduled;
3) Sending an alarm notification: if the virtual password host cannot be scheduled all the time and the problem cannot be solved by triggering the priority preemption mechanism, the system sends an alarm notification to the cluster manager so that the cluster manager can know the problem in time and take corresponding measures;
step S62: scoring; the virtual cipher host computer scheduler performs scoring according to scoring rules from all schedulable nodes, wherein the scoring range is 0-10 points, the node with the highest score is the best node bound by the virtual cipher host computer finally, and if a plurality of working nodes with the highest scores exist, the scheduler randomly selects one of the working nodes as a target node.
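Steps S61 and S62 as an added Python example (not code from the patent). The filtering rule checks the CPU and SR-IOV VF requests of the host and a node label selector; the 0-10 scoring rule rewards the node with the most capacity left after placement, which spreads cryptographic resources evenly. Both concrete rules are assumptions, since the patent names neither; the preemption helper lists the lower-priority instances of other tenants that item 2 of step S61 would consider. All node and host values are constructed.

```python
import random
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class WorkerNode:
    name: str
    cap_cpu: float      # cores on the node
    free_cpu: float
    cap_vf: int         # SR-IOV virtual functions of the cipher card on this node
    free_vf: int
    labels: Dict[str, str] = field(default_factory=dict)


@dataclass
class VirtualCryptoHost:
    """The second-type template items (step S42): requests and priority."""
    name: str
    namespace: str
    priority: int
    req_cpu: float
    req_vf: int
    node_selector: Dict[str, str] = field(default_factory=dict)


@dataclass
class RunningInstance:
    name: str
    namespace: str
    priority: int
    node: str
    used_vf: int


def filter_nodes(host: VirtualCryptoHost, nodes: List[WorkerNode]) -> List[WorkerNode]:
    """Step S61: keep every node that can satisfy the host's resource request and labels."""
    fits = []
    for n in nodes:
        if n.free_cpu < host.req_cpu or n.free_vf < host.req_vf:
            continue
        if any(n.labels.get(k) != v for k, v in host.node_selector.items()):
            continue
        fits.append(n)
    return fits


def score_node(host: VirtualCryptoHost, node: WorkerNode) -> int:
    """Step S62: score 0-10. Assumed rule: the higher the fraction of CPU and VF
    capacity still free after placement, the higher the score."""
    cpu_left = (node.free_cpu - host.req_cpu) / node.cap_cpu
    vf_left = (node.free_vf - host.req_vf) / node.cap_vf
    return max(0, min(10, int(round(10 * (cpu_left + vf_left) / 2))))


def schedule(host: VirtualCryptoHost, nodes: List[WorkerNode],
             rng: Optional[random.Random] = None) -> Optional[WorkerNode]:
    """Filter, score, pick the best; random tie-break among equally scored nodes.
    Returns None when no node can run the host (scheduling failure)."""
    candidates = filter_nodes(host, nodes)
    if not candidates:
        return None
    scored = [(score_node(host, n), n) for n in candidates]
    best = max(s for s, _ in scored)
    chooser = rng if rng is not None else random
    return chooser.choice([n for s, n in scored if s == best])


def preemption_candidates(host: VirtualCryptoHost, node: WorkerNode,
                          running: List[RunningInstance]) -> List[RunningInstance]:
    """Step S61 item 2: lower-priority instances of other tenants on this node whose
    resources could be released for a host that cannot otherwise be scheduled."""
    victims = [r for r in running
               if r.node == node.name and r.namespace != host.namespace
               and r.priority < host.priority]
    return sorted(victims, key=lambda r: r.priority)


if __name__ == "__main__":
    nodes = [WorkerNode("w1", 8, 8, 8, 8, {"zone": "y"}),
             WorkerNode("w2", 8, 8, 8, 2, {"zone": "y"})]
    host = VirtualCryptoHost("vch-a", "tenant-a", priority=5, req_cpu=2, req_vf=1,
                             node_selector={"zone": "y"})
    chosen = schedule(host, nodes)
    print(chosen.name if chosen else "unschedulable")   # w1
```

The scheduler only reads cluster state; releasing a preempted instance and the alarm notification of step S61 item 3 belong to the node management component and the cluster manager respectively, which is why this block stops at listing the candidates.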
9. The method for automating multi-tenant isolated cryptographic resources in a cloud environment of claim 2, wherein the method comprises the steps of: the step S7 specifically includes:
step S71: the node management component receives a first type of configuration template of the virtual password host provided by the virtual password host controller, allocates password resources for the first type of configuration template, generates a virtual password host operation instance, and ensures that the virtual password host described in the configuration templates is in an operation state and has good operation condition;
Step S72: the node management component receives the volume shrinking instruction sent by the virtual password host controller after calculating the expansion and contraction quantity according to the observation index, performs volume shrinking operation, randomly terminates a certain quantity of instance copies, and releases and recovers password resources occupied by the instance copies.
10. The method for automating multi-tenant isolated cryptographic resources in a cloud environment of claim 2, wherein the method comprises the steps of: the step S8 specifically includes:
step S81: matching a group of virtual password host operation examples based on the label selection operators, and aggregating the virtual password host operation examples into a group of logic sets of unified fixed access portals;
step S82: monitoring the virtual password host running instances in the tenant namespace in real time, adding instances newly generated by scheduling to the endpoint set, and removing old instances that are scaled in or terminated abnormally from the endpoint set;
step S83: and generating specific routing access rules for virtual cryptographic host instance processes in the cryptographic service endpoint set by using an iptables tool to realize a flow forwarding function, wherein the routing access rules allow network session to be established between cryptographic service requests outside the cluster and virtual cryptographic host instance processes in the cluster, and the tenant cryptographic service requests are processed.
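The endpoint set and iptables forwarding of the network service component, as described in the description above and in steps S81 to S83, as an added Python model (not the patent's code). It assumes a kube-proxy-style layout: a per-service chain reached from PREROUTING for the fixed IP, and DNAT rules with the statistic match so that requests are spread across endpoints. The rules are only rendered as iptables-save lines, not applied to a host, and every address, label and name is constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class RunningInstance:
    """A virtual cryptographic host running instance as the node component reports it."""
    name: str
    namespace: str
    ip: str           # the instance's own (temporary) cluster IP
    port: int
    labels: Dict[str, str] = field(default_factory=dict)


class NetworkService:
    """Fixed access portal for one tenant: a label selector, a live endpoint set and
    the iptables forwarding rules derived from it (steps S81 to S83)."""

    def __init__(self, namespace: str, service_name: str, fixed_ip: str,
                 port: int, protocol: str, selector: Dict[str, str]):
        self.namespace = namespace
        self.service_name = service_name
        self.fixed_ip = fixed_ip
        self.port = port
        self.protocol = protocol
        self.selector = dict(selector)
        self.endpoints: Dict[str, RunningInstance] = {}

    def matches(self, inst: RunningInstance) -> bool:
        """Step S81: same tenant namespace and every selector label present with the
        same value. The namespace check keeps another tenant's instance out even if
        it carries identical labels."""
        return (inst.namespace == self.namespace
                and all(inst.labels.get(k) == v for k, v in self.selector.items()))

    def on_instance_ready(self, inst: RunningInstance) -> bool:
        """Step S82: a newly scheduled instance joins the endpoint set if it matches."""
        if not self.matches(inst):
            return False
        self.endpoints[inst.name] = inst
        return True

    def on_instance_gone(self, name: str) -> bool:
        """Step S82: scaled-in or abnormally terminated instances leave the endpoint set."""
        return self.endpoints.pop(name, None) is not None

    def endpoint_addresses(self) -> List[str]:
        return sorted(f"{e.ip}:{e.port}" for e in self.endpoints.values())

    def iptables_rules(self) -> List[str]:
        """Step S83: DNAT rules (iptables-save syntax, nat table) forwarding traffic for
        the fixed IP to the current endpoints. Each endpoint gets 1/remaining probability,
        so the overall split is uniform. Chain names are kept under iptables' 28-char limit."""
        chain = f"VCH-{self.namespace}-{self.service_name}".upper()[:28]
        rules = [f"-A PREROUTING -d {self.fixed_ip}/32 -p {self.protocol} "
                 f"-m {self.protocol} --dport {self.port} -j {chain}"]
        eps = sorted(self.endpoints.values(), key=lambda e: (e.ip, e.port))
        for i, ep in enumerate(eps):
            remaining = len(eps) - i
            prob = ("" if remaining == 1
                    else f" -m statistic --mode random --probability {1 / remaining:.5f}")
            rules.append(f"-A {chain}{prob} -j DNAT --to-destination {ep.ip}:{ep.port}")
        return rules


if __name__ == "__main__":
    svc = NetworkService("tenant-a", "crypto-svc", "10.96.0.10", 8443, "tcp",
                         {"app": "vch", "tenant": "a"})
    svc.on_instance_ready(RunningInstance("vch-1", "tenant-a", "10.244.1.5", 8443,
                                          {"app": "vch", "tenant": "a"}))
    svc.on_instance_ready(RunningInstance("vch-2", "tenant-a", "10.244.2.7", 8443,
                                          {"app": "vch", "tenant": "a"}))
    print("\n".join(svc.iptables_rules()))
```

When an endpoint is removed the whole rule set is regenerated rather than patched, which mirrors how the endpoint set is the single source of truth: a rule that still pointed at a destroyed instance's IP would silently send tenant requests to whatever the cluster assigns that address next.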
CN202311606215.3A 2023-11-29 2023-11-29 Multi-tenant isolated password resource automatic scheduling system and method in cloud environment Active CN117319212B (en)

Publications (2)

Publication Number Publication Date
CN117319212A CN117319212A (en) 2023-12-29
CN117319212B true CN117319212B (en) 2024-02-02

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant