CN117632367A - Second starting method and system for targets in large-scale network attack and defense countermeasure simulation scene - Google Patents

Second starting method and system for targets in large-scale network attack and defense countermeasure simulation scene

Info

Publication number: CN117632367A
Authority: CN (China)
Prior art keywords: virtual machine, target, snapshot, memory, computing nodes
Legal status: Pending (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Application number: CN202311631548.1A
Other languages: Chinese (zh)
Inventors: 赵谦, 张五一, 朱海东, 刘雪梅, 丁泉, 李圣泉, 陈燕峰, 李战举, 江楠
Current Assignee: Guodian Nanjing Automation Co Ltd (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Original Assignee: Guodian Nanjing Automation Co Ltd


Abstract

The invention discloses a seconds-level startup method and system for targets in a large-scale network attack and defense countermeasure simulation scene. The method first creates a template virtual machine target from a target image and starts it, then freezes the template target, creates a system disk snapshot and a memory snapshot of it, and stores both in shared storage. A batch of computing nodes is selected according to node load, the template target's memory snapshot is cached from shared storage to the local disk of each selected node, and the mapping between the memory snapshot and the computing nodes is recorded. When a virtual machine target needs to be started, a computing node is selected according to node load and memory-snapshot cache state, a new system disk is created from the template target's system disk snapshot in shared storage, and the new target is restored to the running state from the locally cached memory snapshot. The method and system improve virtual machine target creation efficiency and avoid the impact of a startup storm.

Description

Second starting method and system for targets in large-scale network attack and defense countermeasure simulation scene
Technical Field
The invention relates to the technical field of network security, and in particular to a seconds-level startup method (rendered "second starting" in the title, i.e. starting a target within seconds) and system for targets in a large-scale network attack and defense countermeasure simulation scene.
Background
Attack and defense confrontation and security protection are core activities in information security: protecting computer systems, networks and data from unauthorized access, leakage, destruction or abuse. An attack and defense confrontation simulation platform is a virtual environment built specifically for rehearsing these activities. Virtual machines are the most common target type on such platforms because they are flexible and configurable, but as scene scale grows, and especially at very large scale, a scene may contain thousands of virtual machine targets, with tens or hundreds of them on one computing node at the same time. Under these conditions the targets face severe resource contention, startup storms and similar problems, and creating and starting them quickly is one of the problems that urgently needs solving.
A "startup storm" is a large number of virtual machines being started within a short time, generating a burst of storage I/O (input/output). The burst hits the hosts and the storage back end hard; when the back end's service capacity is weak, the storm can crash the storage system or cause a large number of virtual machines to fail to start. The usual ways to eliminate the startup storm and start virtual machine targets quickly are:
1. Divide and conquer: create virtual machine targets in batches, allow only a fixed number to be created and started at a time, allocate resources steadily, and build up the large-scale set of targets step by step.
2. Raise the hardware configuration: use high-performance commercial storage and upgrade the hosts' hardware so that the hardware responds faster.
For the first approach, batching the creation of virtual machine targets does soften the impact of a startup storm, but it has potential drawbacks:
1. Delay and time cost: creating targets in batches stretches the overall process, especially for large deployments, and raises the project's total time cost.
2. Management complexity: batching may need more management effort, such as periodic inspection and adjustment of each batch's startup plan.
3. Difficulty of resource allocation: each batch needs appropriate resources to avoid contention and performance degradation, which may require extra monitoring and planning.
4. Inconsistency: different batches may differ in configuration and performance, so some batches behave differently in operation.
5. Technical challenges: creating targets across many batches may need more tooling and automation to keep the whole process running smoothly.
6. Concurrency: batching lowers the concurrency of startup, but startup concurrency between batches still has to be balanced to avoid resource peaks.
For the second approach, high-performance commercial storage and stronger host hardware do markedly reduce startup storms, but they bring their own drawbacks and challenges:
1. High cost: upgrading hosts and buying high-performance commercial storage usually requires significant investment, with budget and cost-effectiveness consequences.
2. Complexity: new hardware and commercial storage may introduce more complex configuration and management, needing more expertise and resources to maintain and monitor.
3. Waste of resources: if the hosts are over-provisioned but target density is actually low, so that services sit idle for long periods, hardware is wasted and its effective utilisation drops.
Disclosure of Invention
This section is intended to outline some aspects of embodiments of the invention and to briefly introduce some preferred embodiments. Some simplifications or omissions may be made in this section, in the abstract and in the title of the application to avoid obscuring their purpose; they should not be used to limit the scope of the invention.
Therefore, the invention aims to provide a seconds-level startup method and system for targets in a large-scale network attack and defense countermeasure simulation scene, which reduce the heavy I/O (input/output) a virtual machine target generates during startup and avoid the impact of a startup storm.
To solve these technical problems, according to one aspect of the invention the following technical solution is provided:
A seconds-level startup method for targets in a large-scale network attack and defense countermeasure simulation scene comprises the following steps:
creating a template virtual machine target from the target image and starting it;
freezing the template virtual machine target, creating a system disk snapshot and a memory snapshot of it, and storing both in shared storage;
selecting a batch of computing nodes according to their load, caching the template target's memory snapshot from shared storage to the local disk of each selected node, and recording the mapping between the memory snapshot and the computing nodes;
when a virtual machine target needs to be started, selecting a computing node according to node load and memory-snapshot cache state, creating a new system disk on that node from the template target's system disk snapshot in shared storage, and restoring the new target to the running state from the cached memory snapshot.
As a preferred scheme of the method, creating the template virtual machine target from the target image and starting it comprises:
the user uploads a target image to the platform; the control service stores the image data in the storage service and records the image's metadata in a database;
the control service sends a pre-start request to the scheduling service, which returns a suitable computing node according to the load of the nodes in the cluster;
the control service sends a request to pre-start the template virtual machine target to that computing node;
on receiving the instruction, the computing service on that node creates a system disk from the target image data held by the storage service;
the computing service creates a template virtual machine target from the system disk, without any network card information.
As a preferred scheme, selecting a batch of computing nodes according to load means: sort all computing nodes in the cluster in descending order of the weighted sum of free memory, free CPU and I/O load, and take a preset number or proportion of them as the nodes that cache the template target's memory snapshot.
As a preferred scheme, when the batch of computing nodes is selected according to load, the popularity ("heat") of the target image is also considered, and the number of computing nodes is chosen as:
MIN(MAX(int(cache_ratio*node_num),
int(image_frequency/max_num)+1),node_num)
where cache_ratio is the proportion of computing nodes that cache the snapshot and node_num is the number of computing nodes in the cluster; image_frequency is the heat of the target image, incremented by 1 each time a virtual machine target is created from that image; max_num is the maximum number of virtual machine targets a single computing node is allowed to create; int denotes truncation to an integer, MIN taking the minimum and MAX taking the maximum.
As a preferred scheme, the heat of the corresponding target image is updated whenever a new virtual machine target is created, and the method then decides whether the number of computing nodes caching the template target's memory snapshot needs to grow.
As a preferred scheme, when a new virtual machine target is created, a computing node that already holds the cached memory snapshot is preferred, subject to node load.
As a preferred scheme, the template virtual machine target carries no network card information and is destroyed once its system disk snapshot and memory snapshot have been saved.
As a preferred scheme, once the template target's system disk snapshot and memory snapshot are saved, a mapping between the target image and the snapshots is established and the image's metadata is updated.
As a preferred scheme, selecting a computing node according to load and memory-snapshot cache state, and creating a new system disk from the template target's system disk snapshot, proceeds as follows:
the control service first asks the scheduling service for a suitable computing node;
the scheduling service, using the nodes' resource load and the list of nodes recorded under the image's cache_node key (the nodes holding the cached memory snapshot), preferentially returns a node that has the snapshot cached, choosing a lightly loaded one among them;
the control service sends a creation request to the computing service of that node;
the computing service reads the system disk snapshot information from the image's disk_snap record, verifies the snapshot's md5 value, and then creates a new system disk from the system disk snapshot.
Compared with the prior art, the invention has the following beneficial effects:
1. A new virtual machine target is created from the template target's system disk and memory snapshots, so the operating system and service loading and initialisation of a conventional boot are skipped and the target is ready markedly sooner.
2. The template target's state is frozen before the snapshots are taken in the pre-start stage, which keeps memory and disk data consistent, prevents loss, corruption and errors, and makes target creation more reliable.
3. A memory-snapshot caching mechanism keeps the memory snapshot locally on the computing nodes, reducing loads from shared storage, network bandwidth and storage overhead, and the time spent reading the memory snapshot when a target is created, so targets are created faster and the user experience improves.
4. Computing nodes are chosen according to their load and the memory-snapshot cache state, which balances load across nodes and improves the performance of the whole cluster.
5. A system disk snapshot is stored instead of several complete images, saving storage space and storage cost.
6. Heat management is applied to the memory-snapshot cache, so resources can be allocated according to the actual use of and demand for each target, improving creation efficiency and cutting creation time.
7. This fast creation mode reduces the risk of a startup storm and avoids the performance degradation and resource contention that can occur when a large number of targets are started at once.
Drawings
To illustrate the technical solutions of the embodiments more clearly, the following detailed description refers to the accompanying drawings and specific embodiments. The drawings show only some embodiments of the invention; a person skilled in the art could obtain other drawings from them without inventive effort. In the drawings:
fig. 1 is a schematic diagram of the seconds-level startup method for targets in a large-scale network attack and defense countermeasure simulation scene according to the invention;
fig. 2 is a timing diagram of the same method.
Detailed Description
In order that the above objects, features and advantages of the invention will be readily understood, a more particular description of the invention will be rendered by reference to the appended drawings.
Next, the invention is described in detail with reference to the drawings. For convenience of description, sectional views of device structures are not drawn to scale and are partially enlarged; the drawings are examples only and do not limit the scope of the invention. The three dimensions of length, width and depth should be included in actual fabrication.
For the purpose of making the objects, technical solutions and advantages of the present invention more apparent, embodiments of the present invention will be described in further detail below with reference to the accompanying drawings.
The invention provides a seconds-level startup method and system for targets in a large-scale network attack and defense countermeasure simulation scene, which reduce the heavy I/O (input/output) a virtual machine target generates during startup and avoid the impact of a startup storm.
As shown in fig. 1, in the seconds-level startup method of the embodiment, a template virtual machine target is first created from the target image and started; the template target is frozen, and a system disk snapshot and a memory snapshot are taken of it and stored in shared storage. A batch of computing nodes is then selected according to node load, the template target's memory snapshot is cached from shared storage to the local disk of each selected node, and the mapping between the memory snapshot and the computing nodes is recorded. When a virtual machine target needs to be started, a computing node is selected according to node load and memory-snapshot cache state; on that node a new system disk is created from the template target's system disk snapshot in shared storage, and the new target is then restored to the running state from the cached memory snapshot.
Specifically, as shown in fig. 2, the method can be divided into three stages: a pre-start stage, a memory snapshot caching stage, and a virtual machine target creation stage.
In the pre-start stage, a template virtual machine target is created from the target image, and a system disk snapshot and a memory snapshot are then taken of it. The steps are:
S101, the user uploads a target image to the platform; the control service stores the image data in the storage service and records the image's metadata in a database.
S102, the control service sends a pre-start request to the scheduling service, which returns a suitable computing node according to the load of the nodes in the cluster.
S103, the control service sends a request to pre-start the template virtual machine target to the computing node obtained in S102.
S104, on receiving the instruction, the computing service on that node creates a system disk from the target image data held by the storage service.
S105, the computing service creates a template virtual machine target from the system disk, without any network card information.
S106, the computing service monitors via the VNC protocol whether the template target is running normally; once it is, the state of the template target is frozen.
Virtualization layer command reference:
virsh suspend <uuid>
where uuid is the fixed-format random string that uniquely identifies the template virtual machine target (its libvirt domain UUID; virsh suspend also accepts the domain name or ID).
Freezing the template target's process means the hypervisor stops scheduling CPU time slices to it and it performs no I/O, while its memory stays allocated in the virtualization layer. The frozen target produces no new dirty pages, so a system disk snapshot consistent with the memory snapshot can be taken. Note that suspending does not flush the guest's page cache: the disk snapshot on its own is only crash-consistent, and it is the pair of disk snapshot and memory snapshot, restored together, that forms a consistent state.
S107, the computing service snapshots the template target's system disk and saves the snapshot to shared storage.
S108, the computing service takes a memory snapshot of the template target, saving its CPU, memory and disk state to shared storage.
Virtualization layer command reference:
virsh save <uuid> <file> --no-metadata
This command saves the CPU, memory and disk state of the template target to the specified file. uuid is the fixed-format random string that uniquely identifies the template target; file is the name of the memory snapshot file to save, itself also a uuid string;
--no-metadata is meant to indicate that the memory snapshot is saved without the template target's attribute information, so that it can be restored onto another virtual machine target. Practitioners should note that in upstream libvirt --no-metadata is an option of virsh snapshot-create, not of virsh save or virsh restore: a file written by virsh save always embeds the domain XML, and the documented way to restore it under a different definition is virsh restore --xml, whose replacement XML must pass libvirt's ABI-compatibility check against the saved one (same memory size, CPU and device layout; the documentation describes it for host-specific changes such as disk paths). A platform relying on this flag needs a virtualization layer that provides it.
S109, the template virtual machine target is destroyed.
S110, the computing service returns the system disk snapshot and memory snapshot information to the control service, which establishes the mapping between the target image and the snapshots (system disk snapshot and memory snapshot) and updates the image's metadata. The mapping has the following structure:
disk_snap: (disk_snap_uuid, md5_uuid)
a key-value pair whose key disk_snap marks a system disk snapshot; the value is a tuple in which disk_snap_uuid is the uuid of the system disk snapshot and md5_uuid is the md5 value of the snapshot data.
ram_snap: (ram_snap_uuid, md5_uuid)
a key-value pair whose key ram_snap marks a memory snapshot; the value is a tuple in which ram_snap_uuid is the uuid of the memory snapshot and md5_uuid is the md5 value of the snapshot data. The md5 value guards against truncated or corrupted copies; md5 is not collision-resistant, so a deployment that also wants the check to catch deliberate substitution of a cached snapshot should record a SHA-2 digest instead, and keep the reference value in the control service's database rather than next to the cached file.
S111, the control service deletes the target image's data content and keeps only the image's metadata.
After these steps, the template target's system disk snapshot and memory snapshot exist in shared storage, and the control service has correctly established the mapping from the target image to the snapshots.
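The image-to-snapshot record built in S110 and the digest check the computing service runs before using a snapshot (S304 for the disk snapshot from shared storage, S305 for the memory snapshot from the local cache), as an added Python example that is not the patent's code. Key names (disk_snap, ram_snap, cache_node, image_frequency) follow the text; the record additionally carries the digest algorithm name, an assumption made here so that the md5 the text specifies can be swapped for SHA-256. The snapshot contents are constructed bytes.

```python
# Added example, not the patent's code: S110 metadata record and the
# S304/S305 digest verification. The digest_algo field is an assumption
# of this example (the text fixes md5); snapshot bytes are constructed.
import hashlib
import hmac
import uuid


def digest(data, algo):
    """Hex digest of snapshot bytes; real snapshot files should be fed in chunks."""
    h = hashlib.new(algo)
    h.update(data)
    return h.hexdigest()


def build_image_metadata(disk_snapshot, ram_snapshot, algo="sha256"):
    """S110: map the target image to its two snapshots, each as (uuid, digest),
    with an empty cache_node list (no computing node holds the memory snapshot
    yet) and a heat counter of zero."""
    return {
        "disk_snap": (str(uuid.uuid4()), digest(disk_snapshot, algo)),
        "ram_snap": (str(uuid.uuid4()), digest(ram_snapshot, algo)),
        "cache_node": [],
        "image_frequency": 0,
        "digest_algo": algo,
    }


def verify_snapshot(metadata, key, data):
    """S304 (key="disk_snap", bytes read from shared storage) and S305
    (key="ram_snap", bytes read from the node-local cache): recompute the
    digest and compare it with the value the control service recorded.
    A mismatch means a truncated, corrupted or replaced copy; the snapshot
    is refused rather than used to build a target."""
    snap_uuid, expected = metadata[key]
    actual = digest(data, metadata["digest_algo"])
    if not hmac.compare_digest(actual, expected):
        raise ValueError(f"{key} {snap_uuid}: digest mismatch, refusing to use snapshot")
    return snap_uuid


# Constructed stand-ins for the qcow2 disk snapshot and the virsh save file.
DISK_SNAP = b"qcow2 system-disk snapshot bytes (constructed)"
RAM_SNAP = b"libvirt save-state bytes (constructed)"

if __name__ == "__main__":
    meta = build_image_metadata(DISK_SNAP, RAM_SNAP)
    print("disk snapshot ok:", verify_snapshot(meta, "disk_snap", DISK_SNAP))
    print("ram snapshot ok:", verify_snapshot(meta, "ram_snap", RAM_SNAP))
    try:
        verify_snapshot(meta, "ram_snap", RAM_SNAP[:-1])
    except ValueError as err:
        print("truncated cache rejected:", err)
```

The reference digests belong in the control service's database, as the text's metadata does, and not in a file beside the cached snapshot on the computing node; otherwise whoever can rewrite the cache can rewrite the digest with it, and the check in S305 proves nothing.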
In the memory snapshot caching stage, the template target's memory snapshot is cached from shared storage to the local disk of computing nodes, so that a target created later can be restored to the running state from the local copy.
The memory snapshot cache has three trigger points: 1. when a target image is uploaded, the memory snapshot is cached to computing nodes; 2. when a target image is deleted, the memory snapshot cached on the computing nodes is deleted; 3. when a new virtual machine target is created, the heat of the target image is updated and the memory snapshot may then be cached to additional computing nodes. The target image's data is deleted (it is not used after pre-start), while the image metadata holding the mapping to the memory snapshot and system disk snapshot is retained.
When the memory snapshot is to be cached, the control service sends a request to the scheduling service, which returns a list of computing nodes. The list is computed as follows:
First, all computing nodes in the cluster are scored by load and sorted; the score is:
(free_ram*ram_weight+free_cpu*cpu_weight+io*io_weight)
where free_ram is the node's free memory and ram_weight its coefficient, usually positive (the larger it is, the greater the share of the memory factor); free_cpu is the node's free CPU and cpu_weight its coefficient, usually positive (likewise); io is the node's I/O load and io_weight its coefficient, usually negative so that a heavier I/O load lowers the score (the larger its magnitude, the greater the share of the I/O factor).
Sorting yields a list containing every computing node in the cluster in score order. The list is then truncated to a preset number or proportion to obtain the nodes that will cache the memory snapshot. In this embodiment image heat is also introduced: the list is truncated according to a preset cache percentage (cache_ratio) and the heat of the target image (image_frequency), with the length of the list as the upper bound:
MIN(MAX(int(cache_ratio*node_num),
int(image_frequency/max_num)+1),node_num)
the cache_ratio is the percentage of the cache calculation node number, and a user can dynamically adjust; node_num is the number of compute nodes in the cluster; image_frequency is the heat of a target image, and each time a virtual machine target is created by using the target image, the image_frequency is increased by 1; max_num is the virtual machine target value that a single compute node is allowed to create.
After the scheduling service returns to the computing node list, the control service will take out the computing node list of the cached memory snapshot from the target mirror metadata, and the identification is as follows: cache_node: node_list; wherein the cache_node is a key, and the computing node which has cached the memory snapshot is identified; node_list is a value, is a list, and is an empty list, wherein the list stores computing nodes which have cached memory snapshots; and then, a difference set is made with a calculation node list returned by the scheduling service to obtain a calculation node list of the memory snapshot to be cached, then, a request is sent to the calculation service of each calculation node in the list to cache the memory snapshot, and after the memory snapshot is cached successfully, the value of the node list corresponding to the target mirror metadata cache_node is updated.
After the operation, part or all of the computing nodes in the cluster can cache the memory snapshot, and the target mirror metadata also correctly records the computing node list cached in the memory snapshot.
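The node weighting, the cache-node count and the difference-set step of the caching stage, together with the creation-stage rule of preferring a lightly loaded node that already holds the cache (also stated among the preferred schemes above), as an added Python example that is not the patent's code. The Node record, the four-node cluster and the default weight values are constructed for the example; the text gives the formulas but not the weights.

```python
# Added example, not the patent's code: scheduler logic of the caching and
# creation stages. Node, CLUSTER and the default weights are constructed.
from dataclasses import dataclass


@dataclass
class Node:
    name: str
    free_ram: float   # free memory on the node (e.g. GiB)
    free_cpu: float   # free vCPUs on the node
    io: float         # current I/O load; higher means busier


def weigh(node, ram_weight=1.0, cpu_weight=1.0, io_weight=-1.0):
    """free_ram*ram_weight + free_cpu*cpu_weight + io*io_weight; io_weight is
    negative so a heavy I/O load pushes the node down the list."""
    return node.free_ram * ram_weight + node.free_cpu * cpu_weight + node.io * io_weight


def rank_nodes(nodes, **weights):
    """Every cluster node, highest score first."""
    return sorted(nodes, key=lambda n: weigh(n, **weights), reverse=True)


def cache_node_count(node_num, cache_ratio, image_frequency, max_num):
    """MIN(MAX(int(cache_ratio*node_num), int(image_frequency/max_num)+1), node_num):
    at least the preset share of nodes, more for a hot image, never more than the cluster."""
    if max_num <= 0:
        raise ValueError("max_num must be positive")  # guard added here, not in the text
    return min(max(int(cache_ratio * node_num), int(image_frequency / max_num) + 1), node_num)


def nodes_to_cache(nodes, cached, cache_ratio, image_frequency, max_num, **weights):
    """Caching stage: truncate the ranked list to cache_node_count entries, then
    drop the nodes already listed under cache_node (the difference set)."""
    k = cache_node_count(len(nodes), cache_ratio, image_frequency, max_num)
    top = [n.name for n in rank_nodes(nodes, **weights)[:k]]
    already = set(cached)
    return [name for name in top if name not in already]


def pick_create_node(nodes, cached, **weights):
    """Creation stage (S302): the lightest-loaded node among those holding the
    cached memory snapshot; only if none holds it, the best node overall."""
    ranked = rank_nodes(nodes, **weights)
    with_cache = [n for n in ranked if n.name in set(cached)]
    return (with_cache or ranked)[0].name


# Constructed four-node cluster for the example.
CLUSTER = [
    Node("node-a", free_ram=128, free_cpu=32, io=10),
    Node("node-b", free_ram=64, free_cpu=16, io=5),
    Node("node-c", free_ram=256, free_cpu=64, io=200),
    Node("node-d", free_ram=32, free_cpu=8, io=1),
]

if __name__ == "__main__":
    print("ranked:", [n.name for n in rank_nodes(CLUSTER)])
    print("nodes still to cache:", nodes_to_cache(CLUSTER, ["node-a"], 0.25, 120, 50))
    print("create on:", pick_create_node(CLUSTER, ["node-b", "node-d"]))
```

With the sample cluster, node-c has the most free memory and CPU but the negative io_weight drops it below node-a; a cache_ratio of 0.25 on four nodes gives one cache node for a cold image, while a heat of 120 with max_num 50 raises that to three, so the difference set against a cache_node list of [node-a] is [node-c, node-b].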
In the virtual machine target creation stage, a computing node is selected according to node load and memory-snapshot cache state, a new system disk is created from the template target's system disk snapshot, and the new target is restored to the running state from the cached memory snapshot. The steps are:
S301, the control service first asks the scheduling service for a suitable computing node.
S302, the scheduling service, using the nodes' resource load and the list of nodes recorded under the image's cache_node key, preferentially returns a node that has the memory snapshot cached, choosing a lightly loaded one among them.
S303, the control service sends a creation request to the computing service of that node.
S304, the computing service reads the system disk snapshot information from the image's disk_snap record, verifies its md5 value, and creates a new system disk from the system disk snapshot.
S305, the computing service reads the memory snapshot information from the image's ram_snap record, locates the corresponding memory snapshot file in the local cache, and verifies its md5 value.
S306, the computing service creates a running virtual machine target directly from the newly created system disk and the memory snapshot file.
Virtualization layer command reference:
virsh define<file>
the command generates a virtual machine target according to the statement of the configuration of various virtual machine targets in the file; the file is an xml file, and contains declarations of various virtual machine target configurations and declarations of a system disk;
virsh restore<file>--xml xml_file--running--no-metadata
the command is used for directly restoring the target of the appointed virtual machine to a certain state by using the memory snapshot file; wherein file is a memory snapshot file; -xml xml_file is used to specify the specified virtual machine target information to be restored; -running indicates restoring the virtual machine target to an operational state; -no-metadata indicates that the memory snapshot is restored to the virtual machine target without carrying the attribute information of the virtual machine target, thereby facilitating the application of the memory snapshot of the template virtual machine to the virtual machine target.
S307, the computing service mounts necessary network card resources to the virtual machine targets.
S308, controlling the service to update the heat image_frequency value +1 of the target image, judging whether the memory snapshot is needed to be cached to a new computing node according to the computing node list returned by the scheduling service, and then performing memory snapshot caching.
Since the new virtual machine target is successfully created, the state of the CPU, the memory and the disk is restored by directly using the memory snapshot, so that the new virtual machine target is in a ready running state after the creation of the virtual machine target is completed without a starting process.
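The creation stage S301 to S307, as an added example in Python (not code from the patent): the node choice of S302, the checksum checks of S304/S305, the copy-on-write system disk, and the domain XML handed to virsh restore --xml, which differs from the template definition only in name, uuid and disk source because the saved memory image only restores into identical guest hardware. Commands are built as argv lists and handed to a runner, and the demo runner merely records them, so the example runs without libvirt; the qemu-img and virsh lines use only upstream options (--no-metadata is left out here: upstream virsh documents it for snapshot-create, not for restore, so it is assumed to be an addition of the described platform). Names, paths and metadata keys are assumptions constructed for the demo. One caveat the page's own description implies: every target restored this way starts with the same RAM contents as the template, so anything the template held in memory (session keys, PRNG state) is identical across targets until the guest regenerates it.

```python
"""Creation stage (S301 to S307) of a target from cached snapshots.

Added example, not code from the patent: node choice (S302), checksum checks
(S304/S305), copy-on-write system disk and the domain XML for
`virsh restore --xml`. Commands are built as argv lists and passed to a
runner; the demo runner only records them, so this runs without libvirt.
Names, paths and metadata keys are assumptions constructed for the demo."""

import hashlib
import os
import tempfile
import uuid
import xml.etree.ElementTree as ET
from typing import Callable, Dict, List


def pick_node(loads: Dict[str, float], cached_nodes: List[str]) -> str:
    """S302: nodes holding the memory snapshot first, lightest load among them;
    with no cached candidate, the lightest node (it must fetch from shared storage)."""
    cached = [n for n in loads if n in cached_nodes]
    return min(cached or list(loads), key=lambda n: (loads[n], n))


def verify_checksum(path: str, expected: str, algo: str = "md5") -> bool:
    """S304/S305: file digest vs the value kept in the metadata. md5 (the text's
    choice) catches corruption; tampering needs sha256 or a signature."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest() == expected.lower()


def target_xml(template_xml: str, name: str, disk_path: str) -> str:
    """Per-target XML: only name, uuid and system-disk source change; the
    guest-visible hardware must match the template or the RAM image will not restore."""
    root = ET.fromstring(template_xml)
    root.find("name").text = name
    root.find("uuid").text = str(uuid.uuid4())
    root.find("./devices/disk[@device='disk']/source").set("file", disk_path)
    return ET.tostring(root, encoding="unicode")


def creation_commands(disk_snap: str, ram_snap: str, new_disk: str,
                      xml_path: str) -> List[List[str]]:
    """S304 + S306: qcow2 copy-on-write overlay on the disk snapshot, then
    resume the guest from the RAM snapshot; the NIC is attached later (S307)."""
    return [
        ["qemu-img", "create", "-f", "qcow2", "-F", "qcow2", "-b", disk_snap, new_disk],
        ["virsh", "restore", ram_snap, "--xml", xml_path, "--running"],
    ]


def create_target(meta: Dict, name: str, workdir: str,
                  runner: Callable[[List[str]], None]) -> List[List[str]]:
    """Run the creation steps; refuse to proceed on a checksum mismatch."""
    if not verify_checksum(meta["disk_snap"], meta["disk_md5"]):
        raise ValueError("system disk snapshot checksum mismatch")
    if not verify_checksum(meta["ram_snap_local"], meta["ram_md5"]):
        raise ValueError("memory snapshot cache checksum mismatch")
    new_disk = os.path.join(workdir, name + ".qcow2")
    xml_path = os.path.join(workdir, name + ".xml")
    with open(xml_path, "w") as f:
        f.write(target_xml(meta["template_xml"], name, new_disk))
    cmds = creation_commands(meta["disk_snap"], meta["ram_snap_local"], new_disk, xml_path)
    for cmd in cmds:
        runner(cmd)
    return cmds


# Constructed demo data (not from the patent).
TEMPLATE_XML = """<domain type='kvm'>
  <name>tpl-web-01</name>
  <uuid>00000000-0000-0000-0000-000000000001</uuid>
  <devices>
    <disk type='file' device='disk'>
      <driver name='qemu' type='qcow2'/>
      <source file='/shared/snap/tpl-web-01.qcow2'/>
      <target dev='vda' bus='virtio'/>
    </disk>
  </devices>
</domain>"""


def run_demo() -> Dict:
    """Fake snapshot files in a temp dir; the runner only records argv lists."""
    work = tempfile.mkdtemp()
    meta: Dict = {"template_xml": TEMPLATE_XML}
    for key, data in {"disk_snap": b"constructed-disk-snapshot",
                      "ram_snap_local": b"constructed-ram-snapshot"}.items():
        meta[key] = os.path.join(work, key)
        with open(meta[key], "wb") as f:
            f.write(data)
        meta[key.split("_")[0] + "_md5"] = hashlib.md5(data).hexdigest()
    node = pick_node({"node-01": 0.2, "node-02": 0.7, "node-03": 0.5},
                     ["node-02", "node-03"])
    executed: List[List[str]] = []
    cmds = create_target(meta, "tgt-0001", work, executed.append)
    return {"node": node, "commands": cmds, "executed": len(executed)}
```

In the demo node-01 is the lightest node but holds no cached copy, so node-03 (lightest among the cached nodes) is chosen; replacing the recording runner with subprocess.run would execute the two commands on a real host, and a checksum mismatch aborts before anything is written.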
In summary, the method of the embodiment of the invention can improve the creation efficiency and data consistency of virtual machine targets and reduce resource consumption in large-scale scenarios. The main points and advantages of the scheme are as follows:
1. State freezing in the pre-start phase: in the pre-start phase the state of the template virtual machine target is frozen, which prevents new dirty memory pages from being generated, guarantees the data consistency of the system disk snapshot, and allows the CPU, memory and disk state of the template virtual machine under normal operation to be saved into a memory snapshot file, so that new virtual machine targets with identical data and state can be replicated from the system disk snapshot and the memory snapshot.
2. Creation and storage of system disk and memory snapshots: after pre-start, the data and state of the template virtual machine target are saved by creating a system disk snapshot and a memory snapshot, so that when a new virtual machine target is created later the snapshots can be used directly to recover its data and state, eliminating the boot process of the new virtual machine target.
3. Memory snapshot caching mechanism: a memory snapshot caching mechanism is introduced that caches the memory snapshot from shared storage to the local disk of the computing nodes, improving the creation efficiency of subsequent virtual machine targets, avoiding the resource load and the high network I/O of downloading the memory snapshot from shared storage when virtual machine targets are created with high concurrency, and shortening the time needed to use the memory snapshot; the triggering conditions and the strategy of memory snapshot caching can be adjusted according to the heat of the target image and the resource load of the computing nodes, so that the space/time trade-off of different scenarios can be met.
4. Optimization of the scheduling algorithm: when the scheduling service selects a computing node, it schedules according to the load of the computing nodes and the caching state of the memory snapshot; this optimized scheduling lets virtual machine targets be created more efficiently and caches the appropriate memory snapshot when needed.
5. Fast creation of virtual machine targets: using the system disk snapshot and memory snapshot of the template virtual machine target, the state of a virtual machine target is restored directly at creation time without a lengthy boot initialization process, shortening the time to readiness so that a virtual machine target goes from creation to ready in seconds.
6. Management of target image heat: the concept of target image heat is introduced, and the heat is updated according to the usage of virtual machine targets, so as to optimize the caching strategy of the memory snapshot and make better use of the cached memory snapshot when a new virtual machine target is created.
7. Near-zero network I/O overhead: the system disk of the virtual machine target is created from the system disk snapshot of the template virtual machine target, and the new system disk is linked to the snapshot by a copy-on-write mechanism, so the initial size of the system disk is negligible; and because the computing node has already cached the corresponding memory snapshot under the caching mechanism, the network I/O consumed by a new virtual machine target from creation to readiness to provide service is negligible.
Based on the same inventive concept, the second starting system for targets in a large-scale network attack and defense countermeasure simulation scenario disclosed by the embodiment of the invention comprises: a pre-start module, for creating a template virtual machine target from the target image and starting it, freezing the template virtual machine target, creating a system disk snapshot and a memory snapshot of the template virtual machine target, and storing the system disk snapshot and the memory snapshot in shared storage; a memory snapshot caching module, for selecting a batch of computing nodes according to the load of the computing nodes, caching the memory snapshot of the template virtual machine target from shared storage to the local disk of the selected computing nodes, and recording the mapping between the memory snapshot and the computing nodes; and a virtual machine target creation module, for selecting, when a virtual machine target needs to be started, a computing node according to the load of the computing nodes and the caching state of the memory snapshot, creating a new system disk from the system disk snapshot of the template virtual machine target when the new virtual machine target is created on that computing node, and restoring the new virtual machine target to the running state from the cached memory snapshot.
Although the invention has been described above with reference to embodiments, various modifications may be made and equivalents substituted for elements thereof without departing from the scope of the invention. In particular, the features of the disclosed embodiments may be combined with each other in any manner as long as there is no structural conflict; an exhaustive description of these combinations is omitted from this specification only for the sake of brevity. Therefore, the invention is not intended to be limited to the particular embodiments disclosed, but includes all embodiments falling within the scope of the appended claims.

Claims (10)

1. A second starting method for targets in a large-scale network attack and defense countermeasure simulation scenario, characterized by comprising the following steps:
creating a template virtual machine target from the target image and starting it;
freezing the template virtual machine target, creating a system disk snapshot and a memory snapshot of the template virtual machine target, and storing the system disk snapshot and the memory snapshot in shared storage;
selecting a batch of computing nodes according to the load of the computing nodes, caching the memory snapshot of the template virtual machine target from shared storage to the local disk of the selected computing nodes, and recording the mapping between the memory snapshot and the computing nodes;
when a virtual machine target needs to be started, selecting a computing node according to the load of the computing nodes and the caching state of the memory snapshot, creating a new system disk from the system disk snapshot of the template virtual machine target in shared storage when the new virtual machine target is created on that computing node, and restoring the new virtual machine target to the running state from the cached memory snapshot.
2. The second starting method for targets in a large-scale network attack and defense countermeasure simulation scenario according to claim 1, characterized in that creating a template virtual machine target from the target image and starting it comprises:
the user uploads a target image to the platform, and the control service stores the target image data in the storage service and creates metadata for the target image, which is stored in a database;
the control service initiates a pre-start request to the scheduling service, and the scheduling service returns a suitable computing node to the control service according to the load of the computing nodes in the cluster;
the control service sends a request to pre-start the template virtual machine target to the computing node obtained in the previous step;
after receiving the request, the computing service of that computing node creates a system disk from the target image data held by the storage service;
the computing service creates a template virtual machine target without network card information from that system disk.
3. The second starting method for targets in a large-scale network attack and defense countermeasure simulation scenario according to claim 1, characterized in that selecting a batch of computing nodes according to the load of the computing nodes comprises: sorting all computing nodes in the cluster in descending order of the weighted sum of their idle memory, idle CPU and I/O load, and selecting a preset number or proportion of computing nodes to cache the memory snapshot of the template virtual machine target.
4. The second starting method for targets in a large-scale network attack and defense countermeasure simulation scenario according to claim 1, characterized in that, when a batch of computing nodes is selected according to the load of the computing nodes, the number of computing nodes is chosen as:
MIN(MAX(int(cache_ratio*node_num), int(image_frequency/max_num)+1), node_num)
where cache_ratio is the proportion of computing nodes to use as caches, node_num is the number of computing nodes in the cluster, image_frequency is the heat of the target image, incremented by 1 each time a virtual machine target is created from the target image, max_num is the maximum number of virtual machine targets a single computing node is allowed to create, int denotes truncation to an integer, MIN denotes taking the minimum and MAX denotes taking the maximum.
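The selection of claims 3 and 4, as an added example in Python (not code from the patent): the node count from the MIN(MAX(...)) expression above and the descending weighted-sum ranking of claim 3. The claims do not state the weights, so the weights, the sign given to I/O load (a busy I/O path lowers a node's rank, hence a negative weight) and the normalisation of all three inputs to the range 0 to 1 are assumptions, as is the constructed cluster data.

```python
"""Choosing which computing nodes cache a template's memory snapshot.

Added example, not code from the patent. Implements the node count of claim 4,
MIN(MAX(int(cache_ratio*node_num), int(image_frequency/max_num)+1), node_num),
and the ranking of claim 3 (descending weighted sum of idle memory, idle CPU
and I/O load). Weights, the negative sign on I/O load and the 0..1
normalisation of the inputs are assumptions; the claims do not fix them.
"""

from typing import Dict, List, Tuple


def cache_node_count(cache_ratio: float, node_num: int,
                     image_frequency: int, max_num: int) -> int:
    """Claim 4: a baseline share of the cluster, raised as the image gets hotter.
    image_frequency/max_num is how many nodes this image's targets would fill
    at max_num per node; the +1 keeps at least one cached node for a cold
    image, and the outer MIN caps the result at the cluster size."""
    if node_num <= 0:
        return 0
    if max_num <= 0:
        raise ValueError("max_num must be positive")
    by_ratio = int(cache_ratio * node_num)
    by_heat = int(image_frequency / max_num) + 1
    return min(max(by_ratio, by_heat), node_num)


def rank_nodes(nodes: Dict[str, Dict[str, float]],
               weights: Tuple[float, float, float] = (1.0, 1.0, -1.0)) -> List[str]:
    """Claim 3: nodes sorted by weighted sum of (idle_mem, idle_cpu, io_load),
    largest first. Inputs are fractions in 0..1 so the three terms are
    comparable; ties are broken by node name for a stable order."""
    w_mem, w_cpu, w_io = weights

    def score(name: str) -> float:
        m = nodes[name]
        return w_mem * m["idle_mem"] + w_cpu * m["idle_cpu"] + w_io * m["io_load"]

    return sorted(nodes, key=lambda n: (-score(n), n))


def select_cache_nodes(nodes: Dict[str, Dict[str, float]], cache_ratio: float,
                       image_frequency: int, max_num: int) -> List[str]:
    """The batch of nodes that should cache the snapshot: top-k of the ranking."""
    k = cache_node_count(cache_ratio, len(nodes), image_frequency, max_num)
    return rank_nodes(nodes)[:k]


# Constructed cluster (not from the patent); values are fractions of capacity.
CLUSTER = {
    "node-01": {"idle_mem": 0.80, "idle_cpu": 0.70, "io_load": 0.10},
    "node-02": {"idle_mem": 0.30, "idle_cpu": 0.40, "io_load": 0.60},
    "node-03": {"idle_mem": 0.60, "idle_cpu": 0.90, "io_load": 0.50},
    "node-04": {"idle_mem": 0.90, "idle_cpu": 0.20, "io_load": 0.05},
    "node-05": {"idle_mem": 0.50, "idle_cpu": 0.50, "io_load": 0.30},
}
```

With cache_ratio 0.2 on this five-node cluster the ratio term alone yields one node; once 35 targets have been created from the image with max_num 10, the heat term raises the count to four, and the ranking hands back node-01, node-04, node-03 and node-05 while the I/O-bound node-02 stays out.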
5. The second starting method for targets in a large-scale network attack and defense countermeasure simulation scenario according to claim 1, characterized in that, when a new virtual machine target is created, the heat of the corresponding target image is updated, and it is determined whether the number of computing nodes caching the memory snapshot of the template virtual machine target needs to be increased.
6. The second starting method for targets in a large-scale network attack and defense countermeasure simulation scenario according to claim 1, characterized in that, when a new virtual machine target is created, computing nodes that have cached the memory snapshot are preferentially selected according to the load of the computing nodes and the caching state of the memory snapshot of the template virtual machine target.
7. The second starting method for targets in a large-scale network attack and defense countermeasure simulation scenario according to claim 1, characterized in that the template virtual machine target has no network card information, and the template virtual machine target is destroyed after its system disk snapshot and memory snapshot have been stored.
8. The second starting method for targets in a large-scale network attack and defense countermeasure simulation scenario according to claim 1, characterized in that, after the system disk snapshot and memory snapshot of the template virtual machine target have been stored, a mapping between the target image and the snapshots is established and the metadata of the target image is updated.
9. The second starting method for targets in a large-scale network attack and defense countermeasure simulation scenario according to claim 1, characterized in that selecting a computing node according to the load of the computing nodes and the caching state of the memory snapshot, and creating a new system disk from the system disk snapshot of the template virtual machine target, comprises:
the control service first sends a request to the scheduling service to obtain a suitable computing node;
the scheduling service, according to the resource load of the computing nodes and the list of computing nodes recorded under cache_node of the target image as having cached the memory snapshot, preferentially returns computing nodes that have cached the memory snapshot, selecting the lightly loaded ones among them;
the control service sends a creation request to the computing service of the corresponding computing node;
the computing service obtains the system disk snapshot information from the disk_snap field of the target image, verifies its md5 value, and then creates a new system disk from the system disk snapshot.
10. A system for implementing the second starting method for targets in a large-scale network attack and defense countermeasure simulation scenario according to any one of claims 1 to 9, comprising:
a pre-start module, for creating a template virtual machine target from the target image and starting it, freezing the template virtual machine target, creating a system disk snapshot and a memory snapshot of the template virtual machine target, and storing the system disk snapshot and the memory snapshot in shared storage;
a memory snapshot caching module, for selecting a batch of computing nodes according to the load of the computing nodes, caching the memory snapshot of the template virtual machine target from shared storage to the local disk of the selected computing nodes, and recording the mapping between the memory snapshot and the computing nodes;
a virtual machine target creation module, for selecting, when a virtual machine target needs to be started, a computing node according to the load of the computing nodes and the caching state of the memory snapshot, creating a new system disk from the system disk snapshot of the template virtual machine target in shared storage when the new virtual machine target is created on that computing node, and restoring the new virtual machine target to the running state from the cached memory snapshot.
CN202311631548.1A 2023-12-01 2023-12-01 Second starting method and system for targets in large-scale network attack and defense countermeasure simulation scene Pending CN117632367A (en)

Publication: CN117632367A, 2024-03-01
Family ID: 90015980
Country status: CN, CN117632367A (en)


Legal Events

Date Code Title Description
PB01 Publication