JP5970954B2 - Computer, data conversion apparatus, communication method and program - Google Patents

Description

  The present invention relates to a computer, a data conversion device, a communication method, and a program, and more particularly to a computer that provides a virtual machine, a data conversion device arranged between the computers, a communication method and a program between the computers.

  Conventionally, when a single computer network is shared by a plurality of users and organizations, a network virtualization technology such as a virtual LAN (VLAN, LAN is “Local Area Network”) has been used. For example, by using a VLAN, a single Ethernet network (hereinafter, Ethernet (registered trademark)) can be used as a plurality of virtual Ethernets (virtual Ethernet). Each virtual Ethernet is identified and managed / operated by a VLAN ID.

  On the other hand, in recent years, server resource virtualization (server virtualization) has been introduced due to improvement in server performance and reliability. By using server virtualization technology, services that were previously running on individual physical servers are run on virtual machines, and this virtual machine is accommodated on a single physical server. The number of servers can be reduced. As a result, it is possible to reduce the introduction cost and operation cost of the server.

  By using the network virtualization technology and the server virtualization technology together, for example, server resources and network resources installed at a specific base such as a data center can be shared by a plurality of users / organizations.

  The virtualization environment for realizing server virtualization is roughly divided into a management area for managing physical resources and virtual machines of servers, and a user area for introducing user virtual machines. For example, in the case of XenServer (registered trademark) of Citrix, the management area is composed of Xen HyperVisor and an authorized virtual machine called Dom0.

  When a virtual machine uses an I / O resource such as a network interface provided in a physical server, it is common to use a management area. In the management area, a packet switching function realized by software called a virtual switch (Virtual Switch, vSwitch) is provided, and the virtual machine communicates with an external network by vSwitch. However, there is a problem in that high I / O performance cannot be obtained in a virtual machine due to the influence of overhead via the management area, such as software processing for vSwitch. Here, the network interface adopts various realization forms such as a card type such as a LAN (Local Area Network) card and a form mounted on a PC (Personal Computer) or server motherboard as a semiconductor chip.

  In order to solve such performance problems, I / O such as IOMMU (Input / Output Memory Management Unit) or SR-IOV (Single Root I / O Virtualization) is focused on CPU, chipset, and network interface. Introduction of O virtualization technology is progressing. By using such an I / O virtualization technology, the virtual machine can directly access the I / O resource without going through the management area, and high performance can be obtained. Such I / O virtualization technology includes technology that uses one I / O interface as a plurality of virtual I / O interfaces, and memory address conversion for each I / O interface to directly access a virtual machine. The SR-IOV is included in the former and the IOMMU is included in the latter.

  A network interface that supports the I / O virtualization technology can provide a different virtual interface for each virtual machine. In SR-IOV, a Virtual Function is defined as a virtual interface assigned to each virtual machine, and a Physical Function is defined as a physical interface that controls the virtual interface.

  Packets that arrive at a network interface that supports I / O virtualization technology are based on packet identification information such as MAC (Media Access Control) address, VLAN ID, and IP (Internet Protocol) address included in the packet header. , Delivered to the appropriate virtual interface. As described above, in order to determine the delivery destination of the packet according to the information of the packet header, a packet switch function is provided in the controller chip of the network interface that supports the I / O virtualization technology. The function of this packet switch is composed of a port associated with each virtual interface and logic for determining which port the packet is output to. This determination logic is generally composed of a table using a memory such as a TCAM (Ternary Content Addressable Memory) and logic referring to the table. In this table, information in which a specific field information of the packet header is associated with an output destination port is registered (hereinafter, a table provided in the controller chip of the network interface is referred to as a “filter table”). Which field information can be registered depends on the implementation of the controller chip.

  When the I / O virtualization technology is used, high I / O performance can be provided to the virtual machine. However, if I / O virtualization technology is applied to an environment in which server resources and network resources are virtualized to improve network performance, the packet will not be appropriate due to differences in information that can be registered in the filter table. May not be delivered to the virtual machine.

  For example, let us consider a case where a network interface A attached to a server A selects a packet delivery destination virtual interface using information of a destination MAC address (Destination MAC address, Dst MAC address). At this time, if virtual machines A1 and A2 having the same MAC address are accommodated on the server A, but the VLAN IDs are accommodated, all packets addressed to this MAC address are all virtual regardless of the VLAN ID. It will be delivered to either machine A1 or A2.

  In addition, in the case of a system in which communication is classified by information in a specific field of a packet header so that the network is represented by OpenFlow, and the communication is managed and controlled in units of flows with each classified packet group as a flow, a specific It is also conceivable that only packets belonging to the flow are directly delivered to the virtual machine using the I / O virtualization technology.

  For example, when only a packet addressed to port 80 of a certain virtual machine B1 (IP = 192.168.1.1) is to be directly delivered from the network interface to the virtual machine B1, a controller chip of the network interface However, it is necessary that the virtual interface can be selected by the information of the IP address and the port number. However, since what kind of information the network interface allocates the virtual interface depends on the implementation of the network chip, it may happen that only the corresponding packet group cannot be directly transferred to the virtual machine.

  Thus, depending on the combination of network interfaces, there is a possibility that the benefits of speeding up the I / O performance by the I / O virtualization technology may not be received. The present invention solves this problem by converting packet header information so that it can be handled by a filter table. Hereinafter, the case where the management area is bypassed by the I / O virtualization technology is referred to as direct access, and the case where it is not is referred to as indirect access.

  Japanese Patent Application Laid-Open No. 2004-228561 describes a method for properly using a plurality of network interfaces. Of the header information of the packet transmitted by the transmission side application operating on the transmission side server, the information indicating the transmission source is converted into an address allocated for each network interface and transmitted. The server on the packet receiving side returns the received packet to the original address and passes the packet to the application. By exchanging information indicating how the address is returned between the servers, the server on the receiving side can return the address.

  Further, Patent Document 2 discloses a method and system for enabling a plurality of virtual machines (virtual machines, VMs) to individually set and access physical resources. According to the publication, this system is an interface system that receives physical device setting control from each of a plurality of VMs of a computer system via a corresponding instance of a device driver indicating a controllable function of a physical device in the VM. And maintaining connection information and setting parameters specific to each VM for each of the plurality of VMs, and reconfiguring the physical device for each of the plurality of VMs based on the connection information and setting parameters specific to the corresponding VM. And a control system. It is described that the interface system and the control system of this system are realized substantially outside a virtual machine monitor (VMM) that provides the VM.

  Further, Patent Document 3 includes a conversion policy table that stores a conversion entry indicating a correspondence relationship between pre-conversion packet identification information and post-conversion packet identification information, and operates a transfer table of a switch to operate a plurality of virtual networks. A management computer that realizes sharing of appliances between computers is disclosed. Specifically, the management computer rewrites the pre-conversion packet identification information including the virtual network identifier into post-conversion packet identification information that does not overlap between different virtual networks set on the appliance side.

JP 2009-515430 A JP 2012-9029 A JP2011-21502A

  The following analysis is given by the present invention. The techniques disclosed in Patent Documents 1 to 3 described above have the following problems.

  That is, in a server virtualization environment, a plurality of independent virtual machines exist on one physical server, and each virtual machine has identification information such as an assigned MAC address and IP address. When using the I / O virtualization technology, each virtual machine directly accesses the network interface and sends out a packet. For this reason, even if virtual machines that communicate with each other exchange information related to the conversion of identification information such as the MAC address and IP address, the information after the conversion is the physical information for each pair of virtual machines that communicate. The server may be used by another virtual machine, and the packet may not reach the appropriate virtual machine. In addition, enabling each virtual machine to know the identification information of other virtual machines is a security technique in an environment where different users share a single server resource and network resource using virtualization technology. Undesirable from the point of view.

  In this regard, Patent Document 2 discloses a configuration that allows a plurality of virtual machines (virtual machines) to individually set and access physical resources. However, the virtual expansion system (VA system) of the same document is disclosed. The integrated control engine only maintains device-specific parameters on its own device side, and there is no guarantee that conversion is performed so that direct communication can be performed in the virtual machine of the communication partner.

  Similarly, Patent Document 3 discloses a method of rewriting a header so that it does not overlap between virtual networks, but there is no guarantee that conversion is possible so that the virtual machine of the communication partner can perform direct access. There is a point.

  In the present invention, in computers that communicate with each other, there is a difference in identification information that can be registered in the filter table of the network interface, and when direct access is used, there is a possibility that a packet may reach a virtual machine different from the original communication partner. Even if it exists, it aims at providing the computer, data converter, communication method, and program which can deliver a packet to the virtual machine of the right transmission destination using direct access.

  According to the first aspect of the present invention, there is provided a filter table in which a matching condition to be matched with received data and a virtual interface corresponding to an output destination virtual machine are associated, and the reception is performed with reference to the filter table. A computer connected to a second computer having a network interface having a switching function for transferring the data to the virtual machine on the own device side, via the network interface and the network interface on the own device side, When receiving a first virtual machine communicating with a second virtual machine operating on the second computer side and an access request from the first virtual machine, the first computer is informed of the first virtual machine. The data identifier of the data output from the virtual machine is transmitted, and the filter table of the second computer is updated. And requesting the return of the updated filter table match condition, and using the match condition returned from the second computer, a data identifier conversion rule is set in the conversion unit of the first virtual machine After converting a data identifier of data to be transmitted to the second virtual machine to a data identifier set as a match condition in the filter table of the second computer based on the virtual machine management unit and the conversion rule A computer is provided that includes a conversion unit that transmits to the second computer. After setting the conversion rule, the conversion unit of the computer transmits data output from the first virtual machine to the second computer without going through the virtual machine management unit.

  According to the second aspect of the present invention, a filter table in which a matching condition for matching with received data and a virtual interface corresponding to an output destination virtual machine are associated is provided, and received by referring to the filter table. A network interface having a switching function for transferring the received data to the virtual machine on the own device side, and a virtual machine that communicates with the other virtual machine via the network interface, When receiving a request from the virtual machine of one of the computers, the filter table is configured to transfer the data from the virtual machine of the one computer to the virtual machine of the communication destination. Requesting an update, and sending data from the virtual machine of the one computer to the updated file -A data conversion device is provided that includes a conversion management manager that creates a conversion rule for a data identifier that is converted so as to match the table match condition, and a conversion unit that converts the data identifier with reference to the conversion rule. .

  According to a third aspect of the present invention, there is provided a filter table in which a matching condition to be matched with received data and a virtual interface corresponding to an output destination virtual machine are associated with each other with reference to the filter table. On the computer connected to the second computer having a network interface having a switching function for transferring the data to the virtual machine on the own device side, via the network interface and the network interface on the own device side, the When an access request is received from a first virtual machine that communicates with a second virtual machine operating on the second computer side, the data output from the first virtual machine to the second computer Transmitting a data identifier, updating the filter table of the second computer, and the updated filter Requesting the return of the match condition of the table, setting the data identifier conversion rule in the conversion unit of the first virtual machine using the match condition returned from the second computer, Based on the conversion rule, the data identifier of the data to be transmitted to the second virtual machine is converted to a data identifier set as a match condition in the filter table of the second computer, and then transmitted to the second computer. A communication method is provided. This method is associated with a specific machine, which is a computer including a network interface using the I / O virtualization technology and a virtual machine.

  According to a fourth aspect of the present invention, there is provided a filter table in which a matching condition for matching with received data and a virtual interface corresponding to an output destination virtual machine are associated with each other, with reference to the filter table. On the computer having a network interface having a switching function for transferring the processed data to the virtual machine on its own device side, the second computer uses the data identifier transmitted from the second computer in the filter table. Adding an entry for transferring the data transmitted from the virtual machine to the corresponding virtual machine, returning the match condition of the added filter table to the second computer, and sending the second computer to the second computer. Filter added to the data identifier of the data transmitted from the virtual machine running on the second computer A step of converting to apply the matching condition of Buru, communication method comprising is provided. This method is associated with a specific machine, which is a computer including a network interface using the I / O virtualization technology and a virtual machine.

  According to the fifth aspect of the present invention, there is provided a computer program for realizing the functions of the above-described computer or data converter. This program can be recorded on a computer-readable (non-transient) storage medium. That is, the present invention can be embodied as a computer program product.

  According to the present invention, in computers that communicate with each other, there is a difference in identification information that can be registered in the filter table of the network interface, and when direct access is used, packets may reach a virtual machine that is different from the original communication partner. Even in this case, the packet can be delivered to the correct destination virtual machine using direct access.

It is a figure which shows the structure of one Embodiment of this invention. It is a figure which shows the whole structure of the 1st Embodiment of this invention. It is a block diagram showing the detailed structure of the server of the 1st Embodiment of this invention. FIG. 10 is a sequence diagram illustrating processing for setting direct access between two servers based on a request from a virtual machine (VM A). It is the sequence diagram which showed the flow of communication between virtual machines (VM A-VM B) after the setting of direct access was made. FIG. 10 is a sequence diagram showing processing for setting direct access for communication in both directions between two servers 10 based on a request from a virtual machine (VM A). It is the sequence diagram which showed the flow of a process at the time of deleting the setting of the direct access in the virtual machine (VM B) used as the receiving side after completion | finish of communication between virtual machines (VM A-VM B). It is the flowchart which showed in detail the process (at the time of packet transmission) of the header conversion part in the virtual machine (VMA) of the server of the 1st Embodiment of this invention. It is the flowchart which showed in detail the process (at the time of packet reception) of the header conversion part in the virtual machine (VM B) of the server of the 1st Embodiment of this invention. It is the flowchart which showed in detail the process (one direction at the time of the direct access setting request reception) of the conversion management manager with which the hypervisor of the server of the 1st Embodiment of this invention is equipped. It is the flowchart which showed in detail the process of the conversion management manager with which the hypervisor of the server of the 1st Embodiment of this invention is equipped (when a direct access setting notification is received). It is the flowchart which showed in detail the process of the conversion management manager with which the hypervisor of the server of the 1st Embodiment of this invention is equipped (when a setting request of direct access is received). It is the flowchart which showed in detail the process of the conversion management manager with which the hypervisor of the server of the 1st Embodiment of this invention is provided (when a direct access setting notification is received). It is a block diagram showing the detailed structure of the server of the 2nd Embodiment of this invention. It is the sequence diagram which showed the flow of the process at the time of the new packet reception in the hypervisor in the server of the 2nd Embodiment of this invention. It is the sequence diagram which showed the flow of the acquisition process of the statistical information in the hypervisor in the server of the 2nd Embodiment of this invention. It is a block diagram showing the detailed structure of the server of the 3rd Embodiment of this invention. FIG. 10 is a sequence diagram illustrating processing for setting direct access between two servers based on a request from a virtual machine (VM A) in the third embodiment of the present invention. It is the flowchart which showed in detail the process (one direction at the time of the setting request of direct access) of the conversion management manager with which the hypervisor of the server of the 3rd Embodiment of this invention is equipped. It is the flowchart which showed in detail the process of the conversion management manager with which the hypervisor of the server of the 3rd Embodiment of this invention is equipped (at the time of the setting notification of a direct access being received). It is a block diagram showing the whole structure of the 4th Embodiment of this invention. It is a block diagram showing the detailed structure of the server and direct access controller of the 4th Embodiment of this invention. It is the sequence diagram which showed the process which sets the direct access between two servers based on the request from the virtual machine (VMA) of the server of the 4th Embodiment of this invention. It is the sequence diagram which showed the flow of a process at the time of deleting the setting of the direct access in the virtual machine (VM B) used as the receiving side after completion | finish of communication between virtual machines (VM A-VM B). It is the flowchart which showed in detail the process with respect to the inquiry regarding the identification information of the communication which can be registered into a filter table among the processes of the conversion management local manager in the hypervisor of the server of the 4th Embodiment of this invention. It is the flowchart which showed in detail the registration process of the header conversion rule among the processes of the conversion management local manager with which the hypervisor of the server of the 4th Embodiment of this invention is equipped. It is a block diagram showing the whole structure of the 5th Embodiment of this invention.

  First, an outline of an embodiment of the present invention will be described with reference to the drawings. Note that the reference numerals of the drawings attached to this summary are attached to the respective elements for convenience as an example for facilitating understanding, and are not intended to limit the present invention to the illustrated embodiment.

  In one embodiment of the present invention, as shown in FIG. 1, a virtual machine 1200 that is constructed on a computer and provides a virtual environment to a user, a virtual machine management unit 1400 that manages the virtual machine 1200, and I The network interface 1600 that supports the / O virtualization technology can be realized by a configuration in which computers 1000 including the network interface 1600 are connected.

  Specifically, the network interface 1600 includes a filter table in which a matching condition to be matched with received data and a virtual interface corresponding to an output destination virtual machine are associated. The network 1800 is referred to the filter table. A switching function of transferring data received from the second virtual machine operating on the second computer connected via the virtual machine 1200 to the virtual machine 1200 on the own apparatus side.

  In addition, the virtual machine 1200 includes a data identifier (MAC address, IP address, etc. or a combination thereof) on the application side in operation and a data identifier (MAC address, IP address, etc.) for communication with the second virtual machine. A conversion unit that converts the data identifier is referred to by referring to a conversion rule that mutually converts these combinations), and communicates with the second virtual machine via the network interface 1600.

  Further, when the virtual machine management unit 1400 receives a new access request from the virtual machine 1200, the virtual machine management unit 1400 transmits a data identifier of data output from the virtual machine 1200 on the own apparatus side to the second computer, and A request is made to update the filter table on the second computer side and to return a match condition for the updated filter table. When the match condition is returned from the second computer, the virtual machine management unit 1400 sets a data identifier conversion rule in the conversion unit of the virtual machine 1200 on the self-device side using the returned match condition.

  When the update of the filter table on the second computer side and the setting of the conversion rule for the virtual machine 1200 on the own device side are completed, direct access not via the virtual machine management unit 1400 is started between the virtual machines 1200. . As a result, high I / O performance can be provided to the virtual machine.

[First Embodiment]
Next, a first embodiment of the present invention will be described in detail with reference to the drawings. FIG. 2 is a diagram showing an overall configuration of the first embodiment of the present invention. Referring to FIG. 2, two servers (hereinafter, Server A is referred to as “Server 10A”, and Server B is referred to as “Server 10B”. If they are not particularly distinguished from each other, “Server 10”), and Server 10A are referred to. Servers 10 </ b> B are connected to each other via a network 18. Each server 10 includes a virtual machine 12 (VM A1-n, VM B1-m), a hypervisor 14 (HyperVisor A, HyperVisor B) corresponding to a virtual machine management unit that manages the virtual machine 12, and a network interface ( NIC) 16 (NIC A, NIC B).

  The virtual machine 12 is assigned resources such as a CPU (Central Processing Unit), a memory, a disk, and a network by the hypervisor 14 and executes various applications.

  The hypervisor 14 performs management such as resource allocation to the virtual machine 12 and monitoring.

  The network interface 16 is an interface between the server 10 and the network 18 and is used when the virtual machine 12 communicates via the network 18. The network interface 16 supports I / O virtualization technology.

  If the network interface does not support the I / O virtualization technology, the virtual machine 12 communicates via the hypervisor 14. On the other hand, when the network interface supports the I / O virtualization technology, the virtual interface is assigned to the virtual machine 12 based on the control of the hypervisor 14, and the virtual machine 12 communicates without going through the hypervisor 14. It can be performed. Conversely, even if the network interface 16 supports the I / O virtualization technology, if the hypervisor 14 does not assign a virtual interface to the virtual machine 12, the virtual machine 12 communicates via the hypervisor 14.

  FIG. 3 is a block diagram showing a detailed configuration of the server 10A of FIG. Referring to FIG. 3, a configuration in which modules are arranged in the virtual machine 12 and the hypervisor 14 is shown. Here, the module refers to a software program or hardware that provides some function.

  Specifically, the virtual machine 12 (VM) of the server 10A of FIG. 3 includes a header conversion unit 122 and a header conversion table 126.

  In the virtual machine 12, one or more application programs (Applications, hereinafter simply referred to as “applications”) 124 are running. The header conversion unit 122 is a module that converts a packet header when the virtual machine 12 transmits a packet using the I / O virtualization technology. At the time of packet header conversion, the header conversion unit 122 refers to the header conversion table 126 and acquires information necessary for packet header conversion.

  Information for converting the packet header is registered in the header conversion table 126. The header conversion unit 122 refers to the header conversion table 126 based on the packet header before conversion, and acquires information on how to convert the packet header. In the header conversion table 126, at least the information of the packet header before conversion having the same granularity as the combination of information included in the packet header necessary for identifying the direct access target communication is associated with this information. Also, packet header conversion rules are registered. For example, as a direct access target communication, there is only a communication with a VLAN ID of 2048, a source IP address of 192.168.1.1, a destination IP address of 192.168.1.2, and a destination port number of 80. Suppose you want to have direct access via communication between virtual machines. At this time, when determining whether or not to perform direct access based on the combination of the destination MAC address and the VLAN ID, which are the matching conditions of the filter table of the network interface, the header conversion table 126 includes the VLAN ID, the source IP address, and the destination. An IP address and a destination port number are registered as information before conversion, and a combination of a destination MAC address and VLAN ID that can identify this communication is registered in the header conversion table 126 of the transmission source virtual machine as a conversion rule.

  The header conversion table 126 also holds information for returning the header of the packet received from the network. The header of the packet that has undergone direct access is converted, and the header conversion table 126 is referred to based on the information of the converted packet header, information for returning the header is obtained, and processing for returning to the original header is performed. Done.

  The header conversion unit 122 refers to the header conversion table 126 as described above when converting the packet header. Such a header conversion unit 122 and header conversion table 126 may be provided in a device driver of an OS (Operating System) installed in the virtual machine 12.

  When the virtual machine 12 wants to newly communicate using direct access, the virtual machine 12 issues a direct access setting request to the hypervisor 14 in order to acquire a header conversion rule. The setting request can be transmitted using a communication function between virtual machines or between a virtual machine and a management area.

  The hypervisor 14 includes a header management table (Header Management Table) 144 and a conversion management manager (Translation Management Manager) 146 in order to provide a direct access function.

  The hypervisor 14 further includes a virtual switch 142 and has a function of relaying communication related to the virtual machine 12 when the I / O virtualization technology is not used.

  The conversion management manager 146 manages information related to direct access in its own server, and sets up direct access with the conversion management manager 146 in the remote server (for example, the server 10B connected via the network 18 in FIG. 2). Negotiate to do. By this negotiation, information that can be registered in the filter table supported by the network interface 16 of the communication partner server 10 and how to convert the packet header are determined.

  The header management table 144 manages communication related to the virtual machine 12 running on its own server. The conversion management manager 146 is used to determine the converted packet header so that the existing communication and the new direct access communication can be identified when setting the direct access.

  The network interface 16 supports I / O virtualization technology, and includes a network interface controller 162 that controls the network interface 16 and a filter table in which the output destination of a packet that reaches the network interface 16 is registered ( Physical connection between a filter table 164, a physical interface (PI) 166 that is an interface to the hypervisor 14, a virtual interface (virtual interface, VI) 167 that is an interface to the virtual machine 12, and the network 18. The physical port 168 (Physical Port) that becomes the mouth of Eteiru.

  The physical interface 166 is used for transmission / reception of packets with the hypervisor 14, and reads from the hypervisor 14 an interface for setting the operation of the network interface 16 from the hypervisor 14 and the status of the network interface 16. Used as an interface for

  The network interface 16 transmits and receives packets under the control of the hypervisor 14.

  When a packet arrives from the network 18 to the physical port 168, the network interface controller 162 accesses the filter table 164 based on the header information of the packet, and the packet is sent to either the physical interface 166 or the virtual interface 167. To output.

  In the filter table 164, an entry that associates an output destination of a packet and the like is registered in association with information (match condition) for determining the output destination of the packet. As a packet output destination, it is possible to set an entry that specifies dropping without outputting to any interface. When a packet not registered in the filter table 164 arrives, the packet is transferred to the hypervisor 14 via the physical interface 166. The processing for this packet is determined by the hypervisor 14. In some cases, the hypervisor 14 registers information of this packet and an entry determined as an output destination in the filter table 164.

  When the packet arrives from either the physical interface 166 or the virtual interface 167, the network interface controller 162 sends the packet through the physical port 168.

  2 and 3 can also be realized by a computer program that causes the computer constituting the server 10 to execute the above-described processes using the hardware thereof.

  Next, the operation of this embodiment will be described in detail with reference to the drawings. First, the overall operation of this embodiment will be described with reference to the sequences of FIGS.

  FIG. 4 is a sequence diagram showing processing for setting direct access between two servers 10 (referred to as server 10A and server 10B, respectively) based on a request from the virtual machine 12. Hereinafter, each element constituting the server 10 will be described with reference numerals A and B. In the sequence diagram of FIG. 4, the virtual machine 12A is the communication start side (transmission side), the virtual machine 12B is the communication reception side, and only direct communication from the virtual machine 12A to the virtual machine 12B is used. And

  First, the header conversion unit 122A in the virtual machine 12A refers to the header conversion table 126A and checks whether the communication is set for direct access (not shown in FIG. 4). If direct access is not set, the header conversion unit 122A issues a direct access setting request to the conversion management manager 146A (S120a in FIG. 4). This request includes information for identifying communication included in the packet header. As an example of the timing at which this request is issued, in the case of communication using TCP / IP, it may be issued when a SYN packet is transmitted in a TCP 3-way handshake.

  Next, the conversion management manager 146A notifies the communication identification information included in the request to the conversion management manager 146B of the server 10B (S142a in FIG. 4).

  Next, the conversion management manager 146B that has received the direct access notification uses the notified communication identification information, the communication identification information that can be registered in the filter table 164B, and the information in the header management table 144B. The packet header conversion rule B indicating how the packet header is to be converted is determined (S140b in FIG. 4). The packet header conversion rule B is a rule indicating how the packet header is converted when the virtual machine 12A transmits a packet using direct access.

  Here, a method of using the information registered in the header management table 144B will be described. When determining the packet header conversion rule B, the same packet header field that can be registered in the filter table 164B of the network interface 16B among the converted packet header fields is the communication related to the server 10B. The header management table 144B is referred to as to whether or not it is used. This ensures that there is no other communication identical to the packet header after packet header conversion. Therefore, the determined packet header conversion rule B is registered in the header management table 144B.

  In this conversion, it is desirable not to change information for uniquely identifying each virtual machine in the network 18. For example, when the network 18 is Ethernet and the same network is shared by a plurality of users, each virtual machine can be identified by a MAC address and a VLAN ID. When converting these pieces of information, it is necessary to confirm that there is no virtual machine 10 whose MAC address and VLAN ID after the conversion match using ARP (Address Resolution Protocol) or the like when determining the packet header conversion rule. There is.

  Next, the conversion management manager 146B registers the packet header conversion rule B determined in 140b of FIG. 3 in the header conversion table 126B of the communication partner virtual machine 12B (S144b of FIG. 4).

  Next, the conversion management manager 146B adds an entry to the filter table 164B based on the packet header conversion rule B and sets direct access (S146b in FIG. 4). Since there is no dependency on the processing in S144b in FIG. 3 and the processing in S146b in FIG. 3, the processing procedure may be switched.

  Next, the conversion management manager 146B notifies the packet management conversion rule B to the conversion management manager 146A (S142b in FIG. 4).

  Next, the conversion management manager 146A registers the packet header conversion rule B notified in step S142b of FIG. 4 in the header conversion table 126A of the virtual machine 12A that has issued the direct access request (S144a of FIG. 4).

  Note that when information that uniquely identifies the virtual machine 12 is converted under the environment of the same user, it is necessary to set the network device so that the packet reaches the communication partner using the converted packet header. For example, when the network is Ethernet and the destination MAC address is converted and the packet is transmitted, the ARP packet is transmitted before the packet is transmitted, and the MAC is transmitted to the network switch existing between the virtual machines 12 that perform communication. You need to learn the address. This learning trigger may be executed before the conversion management manager 146A sets the direct access, or may be executed when the application 124A throws a packet. In the latter case, the MAC address of the packet to be transmitted to the ARP table of the virtual machine A is not registered because the header conversion unit 122 converts the packet header before the protocol stack of the virtual machine A performs ARP resolution. The network device is configured by executing ARP resolution before the protocol stack transmits a packet.

  After the direct access setting is completed, the conversion management manager 146A notifies the virtual machine 12A that issued the direct access setting request that the direct access setting is completed (S147a in FIG. 4).

  With the above operation, the direct access setting is performed for communication from the virtual machine 12A to the virtual machine 12B in consideration of information that can be registered in the filter table 164B of the network interface card 16B. The virtual machine 12A converts the packet based on the packet header conversion rule B, and sends the packet.

  FIG. 5 is a sequence diagram illustrating a communication flow between the virtual machine 12A and the virtual machine 12B after the direct access setting is performed. Similar to FIG. 4, each server 10 and its components are described with reference numerals A and B.

  First, an application 124 (referred to as application 124A) running on the virtual machine 12A issues a packet transmission request by using a communication library such as a socket library (S1240a in FIG. 5). This transmission request includes identification information for identifying communication such as a MAC address and an IP address.

  Next, the header conversion unit 122A searches the header conversion table 126A for an entry corresponding to the identification information, and acquires packet header conversion information (S1220a in FIG. 5).

  Next, the header conversion unit 122A converts the packet header and sends the packet to the network 18 through the protocol stack and the network interface card 16A (S1222a in FIG. 5). The packet header conversion is such that the network interface card 16B of the server 10B rewrites the packet sent from the virtual machine 12A with reference to the filter table 164B to an appropriate virtual machine.

  Next, the network interface card 16B searches for an entry having a matching condition that matches the header information of the packet received from the filter table 164B, and transfers the packet to an appropriate virtual interface (S160b in FIG. 5).

  Next, the header conversion unit 122B searches the header conversion table 126B for an entry having a matching condition that matches the header information of the received packet, and acquires packet header conversion information (S1220b in FIG. 5).

  Next, the header conversion unit 122B converts the packet header of the received packet and transfers the packet to the application (S1224b in FIG. 5). The packet header conversion here restores the contents rewritten in step S1222a.

  As described above, communication using direct access is executed.

  In the above description of FIGS. 4 and 5, it has been described that direct access is set for communication in the direction from the server 10 </ b> A to the server 10 </ b> B, but for bidirectional communication between the two servers 10. It is also possible to set direct access. Hereinafter, with reference to FIG. 6, processing for setting direct access for bidirectional communication between the two servers 10 will be described. Also, in the following description, the respective servers 10 and the components thereof will be described with reference numerals A and B. In FIG. 6, the same processes as those in FIG. 4 are denoted by the same reference numerals, and detailed description thereof is omitted.

  Referring to FIG. 6, upon receiving a direct access setting request from the header converter 122A, the conversion management manager 146A receives a packet header that can be registered in the filter table 164A based on communication identification information included in the direct access request. The packet header conversion rule A indicating how to convert the above field to the virtual machine 12B side is determined (S140a in FIG. 6). At the time of determination, the header management table 144A is referred to and it is ensured that the same conversion rule does not exist. Further, as described above, when converting information that can uniquely identify the virtual machine 12 under the environment of the same user, the virtual machine 12 having the same information as the converted identifier exists in the environment of the user. It is necessary to check whether or not. Therefore, the determined packet header conversion rule A is registered in the header management table 144A.

  Next, the conversion management manager 146A notifies the conversion management manager 146B of the server 10B of the communication identification information before conversion and the packet header conversion rule A (S143a in FIG. 6).

  Upon receiving the direct access notification, the conversion management manager 146B determines the packet header conversion rule B and registers it in the header management table 144B, as in step S140b of FIG. (S140b in FIG. 6).

  Next, the conversion management manager 146B registers the packet header conversion rule A and the packet header conversion rule B in the header conversion table B of the virtual machine 12B (S145b in FIG. 6).

  Next, the conversion management manager 146B adds an entry to the filter table 164B of the network interface card 16B based on the packet header conversion rule B as in step S146b of FIG. 4 (S146b of FIG. 6). Since there is no dependency on the process of S145b in FIG. 6 and the process of S146b in FIG. 6, the procedure of the process may be switched.

  Next, the conversion management manager 146B notifies the packet header conversion rule B to the conversion management manager 146A of the server 10A as in step S142b of FIG.

  Next, the conversion management manager 146A registers the packet header conversion rule A and the packet header conversion rule B notified in 142b of FIG. 6 in the header conversion table 126A of the virtual machine 12A that issued the direct access request. (S145a in FIG. 6). When it is necessary to convert information that uniquely identifies the virtual machine 12 under the environment of the same user, it is necessary to set the network device so that the packet is delivered to the communication partner using the converted packet header. . The packet header conversion rule A is registered in the header conversion table 126A at any timing up to S145a in FIG. 6 (for example, step S140a) after the packet header conversion rule A is determined in S140a in FIG. May be.

  Next, the conversion management manager 146A adds an entry to the filter table 164A based on the packet header conversion rule A, and sets direct access (S146a in FIG. 6). Since there is no dependency on the process in S145a in FIG. 6 and the process in 146a in FIG. 6, the procedure of the process may be switched.

  After the direct access setting is completed, the conversion management manager 146A notifies the virtual machine 12A that issued the direct access setting request that the direct access setting is completed (S147a in FIG. 6).

  With the above operation, the direct access setting is performed for the communication between the virtual machine 12A and the virtual machine 12B in consideration of information that can be registered in the filter table 164B of the network interface card 16B. As shown in the sequence diagram of FIG. 6, the virtual machine 12A and the virtual machine 12B perform the settings for the one-way communication as shown in the sequence diagram of FIG. The same setting can be made by executing each of them. In addition to the request from the virtual machine, the direct access setting may be set in advance according to the communication frequency, the load on the virtual machine management unit, and the like.

  Thereafter, similarly to the sequence shown in FIG. 5, the virtual machine 12A converts the packet header based on the packet header conversion rule B, and sends the packet to the virtual machine 12B. On the other hand, when receiving a packet from the virtual machine 12B, the virtual machine 12A returns a packet header based on the packet header conversion rule A, and forwards the packet to an appropriate application 124A. Similarly, the virtual machine 12B returns the packet from the virtual machine 12A based on the packet header conversion rule B and forwards the packet to the appropriate application 124B, while converting the packet header based on the packet header conversion rule A, A packet is transmitted to the virtual machine 12A.

  Next, the flow of processing when deleting the direct access setting set as described above will be described. FIG. 7 is a sequence diagram showing a flow of processing when the virtual machine 12 on the receiving side deletes the direct access setting in the communication using the direct access after the communication between the virtual machines 12 is completed. .

  First, the virtual machine 12 deletes the entry related to the communication to be deleted, which is registered in the header conversion table 126 (S126 in FIG. 7). The entry search method is the same as S1220a in FIG.

  Next, the virtual machine 12 notifies the conversion management manager 146 that communication using direct access has been completed (S128 in FIG. 7). This notification includes information for identifying the completed communication.

  Next, the conversion management manager 146 deletes the corresponding entry from the header management table 144 (step S148 in FIG. 7). The entry search method here is the same as S140a in FIG.

  Next, the conversion management manager 146 deletes the corresponding entry from the filter table 164 of the network interface card 16 (step S149 in FIG. 7).

  In this way, the direct access setting can be deleted. In the communication using direct access, the process of deleting the direct access setting in the virtual machine 12 on the transmission side may be performed by the virtual machine 12 as in step S126 of FIG.

  By deleting the direct access settings as described above, the number of entries in each table can be reduced, and the response performance of the virtual machine and the conversion management manager 146 can be maintained. Of course, depending on the communication frequency or the like, it is possible to omit setting deletion of direct access for specific communication.

  Next, operations of the virtual machine 12 and the hypervisor 14 in the above sequence diagram will be described for each of these components.

  FIG. 8 is a flowchart showing in detail the processing of the header conversion unit 122 provided in the virtual machine 12A.

  First, when a packet transmission request is made from an application (Yes in step F120a in FIG. 8), the header conversion unit 122 refers to the header conversion table 126A and already directs the communication to which the packet for which the transmission request has been made belongs. It is confirmed whether or not access is set (step F122a in FIG. 8). Whether or not it has been set can be determined by referring to the header conversion table 126A using information included in the packet header and determining whether a corresponding entry exists. In step F120a, when no packet transmission request is made from the application, the header conversion unit 122 does not particularly start processing (No in step F120a in FIG. 8).

  Next, if direct access has already been set (step F122a in FIG. 8 has been set), that is, if the corresponding entry (packet header conversion rule) exists in the header conversion table 126A, the header conversion unit 122 Then, the packet header is converted according to the packet header conversion rule and sent to the network (step F128a in FIG. 8).

  On the other hand, if direct access has not been set (step F122a in FIG. 8 is not set), the header conversion unit 122 issues a direct access setting request to the conversion management manager 146A (step F124a in FIG. 8). Thereby, the sequence shown in FIGS. 4 and 5 is started.

  When the conversion management manager 146A notifies that the direct access setting is completed by executing the sequences shown in FIGS. 4 and 5 (Yes in step F126a in FIG. 8), the header conversion unit 122 transmits the packet header. The data is converted according to the packet header conversion rule and sent to the network (step F128a in FIG. 8). When the direct access setting completion notification is not made (No in Step F126a in FIG. 8), the header conversion unit 122 stands by.

  In this way, the virtual machine 12A executes communication using direct access.

  FIG. 9 is a flowchart showing in detail the processing of the header conversion unit 122B provided in the virtual machine 12B in the sequence diagram of FIG.

  Referring to FIG. 9, when receiving the packet from the network interface card 16B (Yes in Step F120b in FIG. 9), the header conversion unit 122B refers to the header conversion table 122B, acquires the packet header conversion rule, and follows this rule. Return the packet header (step F124b in FIG. 9). Then, the header conversion unit 122B transfers the packet that has returned the packet header to the appropriate application 124B (step F126b in FIG. 9). When the packet is not received from the network interface card 16B (No in Step F120b of FIG. 9), the header conversion unit 126B does not particularly start processing.

  In this way, the virtual machine 12B receives the packet that has been received with the packet header converted for direct access, and passes it to the application.

  FIG. 10 is a flowchart showing in detail the processing of the conversion management manager 146A of the hypervisor 14A in the sequence diagram of FIG.

  Referring to FIG. 10, when a setting request for direct access is issued from the virtual machine 12A (Yes in step F140a in FIG. 10), the conversion management manager 146A sets the communication identification information included in the setting request to the communication destination. The conversion management manager 146B of the server 10B is notified (step F142a in FIG. 10). When the direct access setting request has not been issued (No in Step F140a in FIG. 10), the conversion management manager 146A does not particularly start the processing.

  A series of processing is performed on the hypervisor 14B side by the transmission of the communication identification information (see FIG. 4), and when the packet management rule is notified from the conversion management manager 146B of the communication destination server 10B (FIG. 10). (Yes in step F144a), the conversion management manager 146A registers the packet header conversion rule in the header conversion table 126A of the virtual machine that has issued the direct access setting request (step F146a in FIG. 10). On the other hand, when the packet header conversion rule is not notified (No in Step F144a in FIG. 10), the conversion management manager 146A waits.

  Next, the conversion management manager 146A issues a notification that the direct access setting is completed to the virtual machine 12A that has issued the direct access setting request (step F147a in FIG. 10).

  In this way, the direct access setting of the transmitting hypervisor 14A in the sequence diagram of FIG. 4 is completed.

  FIG. 11 is a flowchart showing in detail the processing of the conversion management manager 146B provided in the hypervisor 14B in the sequence diagram of FIG.

  Referring to FIG. 11, when there is a notification of direct access setting (Yes in step F140b in FIG. 11), the conversion management manager 146B is registered in the communication identification information included in the notification and the header management table 144B. Based on the information, a packet header conversion rule is determined and registered in the header management table 144B (step F142b in FIG. 11). On the other hand, when the notification of the direct access setting is not made from the hypervisor 14A side (No in Step F140b in FIG. 11), the conversion management manager 146B does not particularly start the process.

  Next, the conversion management manager 146B registers the packet header conversion rule determined in step F142b in FIG. 11 in the header conversion table 126B of the virtual machine 12B that is the notified direct access communication destination (step F144b in FIG. 11). ). Further, the conversion management manager 146B adds an entry to the filter table 164B of the network interface card 16B based on the conversion rule (step F146b in FIG. 11).

  Next, the conversion management manager 146B notifies the packet management rule determined in step F142b of FIG. 11 to the conversion management manager 146A of the server 10A that has notified the direct access setting (step F148b of FIG. 11).

  In this way, the direct access setting of the receiving hypervisor 14B in the sequence diagram of FIG. 4 is completed.

  FIG. 12 is a flowchart showing in detail the processing of the conversion management manager 146A of the hypervisor 14A in the sequence diagram of FIG. The same processes as those in the sequence diagram of FIG. 10 are denoted by the same reference numerals and detailed description thereof is omitted.

  When the direct access setting request is issued from the virtual machine 12A, the conversion management manager 146A determines the packet header conversion rule based on the communication identification information included in the setting request and the information in the header management table, It is registered in the header management table 144A (step F141a in FIG. 12).

  The conversion management manager 146A notifies the communication management information 146B of the communication destination server 10B of the communication identification information and the packet header conversion rule determined in step F141a in FIG. 12 (step F143a in FIG. 12).

  A series of processing is performed on the hypervisor 14B side by transmission of the communication identification information and the packet header conversion rule (see FIG. 6), and the packet header conversion rule is notified from the conversion management manager 146B of the communication destination server 10B. Then, the conversion management manager 146A notifies the header conversion table 126A of the virtual machine 12A that issued the direct access setting request to the packet header conversion rule determined in step F141a of FIG. 12 and the communication destination conversion management manager 146A. The set packet header conversion rule is set (step F145a in FIG. 12).

  Next, an entry is registered in the filter table 164A of the network interface card 16A based on the packet header conversion rule determined in step F141a of FIG. 12 (step F148a of FIG. 12).

  In this way, the direct access setting of the transmitting hypervisor 14A in the sequence diagram of FIG. 6 is completed.

  FIG. 13 is a flowchart showing in detail the processing of the conversion management manager 146B provided in the hypervisor 14B in the sequence diagram of FIG. The same processes as those in the sequence diagram of FIG. 11 are denoted by the same reference numerals and detailed description thereof is omitted.

  When the conversion management manager 146B is notified of the direct access setting and determines the packet header conversion rule based on the notification, the conversion management manager 146B sends the direct access setting notification to the header conversion table 126B of the virtual machine 12B that is the direct access communication partner. The included packet header conversion rule and the packet header conversion rule determined based on the notification are registered (step F145b in FIG. 13).

  In this way, the direct access setting of the receiving hypervisor 14B in the sequence diagram of FIG. 6 is completed.

  As described above, in the present embodiment, for communication between virtual machines 12 using direct access, for direct access, information that can be registered in advance with each other's network interface card 16 and information relating to communication that already exists. The unique packet header conversion rule is determined, and the packet header is converted based on the rule when the packet is transmitted / received. Thereby, it is possible to realize communication using direct access while absorbing the difference of the network interface card 16.

  In the above-described embodiment, the difference between the network interface cards 16 is absorbed by packet header conversion. However, instead of packet header conversion, the converted packet header is encapsulated into the original packet and received. A form of unencapsulation on the side can also be adopted. In the present invention, there is no essential difference between the packet header conversion and the encapsulation.

[Second Embodiment]
Next, a second embodiment of the present invention in which changes have been made to the direct access setting opportunity will be described in detail with reference to the drawings. FIG. 14 is a block diagram illustrating a detailed configuration of the server 10A2 according to the second embodiment of this invention. The difference from the server of the first embodiment shown in FIG. 3 is a hypervisor 14-2, a virtual switch 142-2 constituting the hypervisor 14-2, a flow table 143, and a policy table 147. . Other components similar to those in the first embodiment of the present invention are denoted by the same reference numerals, and detailed description thereof is omitted.

  The hypervisor 14-2 includes a virtual switch 142-2, a flow table 143, a header management table 144, a conversion management manager 146-2, and a policy table 147.

  In the second embodiment, it is controlled whether or not the communication related to the virtual machine 12 performs direct access at the communication granularity determined by the administrator of the virtual environment. This granularity is a granularity at which at least the communication partner virtual machine 12 can be identified. For example, a combination of a VLAN ID and an IP address or a combination of a VLAN ID and a MAC address can be considered. In some cases, direct access may be controlled with a finer granularity. In that case, the communication granularity includes the port number and protocol. Hereinafter, such a packet flow in the communication granularity unit is referred to as a “flow”.

  The virtual switch 142-2 relays communication that does not use direct access among the communication related to the virtual machine 12. The virtual switch 142-2 has a function of managing communication statistical information in units of flows. For example, as the statistical information, the number of passing bytes, the number of passing packets, the number of dropped packets, and the like are managed in units of flows, and the flow generation time, the time when the packet belonging to the flow was last transferred, and the like are managed.

  The flow table 143 stores an entry that associates at least flow identification information used as a match condition with statistical information of the flow. The statistical information is read and updated by the virtual switch 142-2.

  When receiving the packet, the virtual switch 142-2 searches the flow table 143 for an entry having a matching condition that matches the header information of the packet, and updates the statistical information of the flow to which the packet belongs. When a packet belonging to a flow not registered in the flow table 143 arrives, identification information of the flow is generated based on information on the granularity for identifying communication held by the conversion management manager 146-2 or the virtual switch 142-2. , A new entry is added to the flow table 143.

  When the conversion management manager 146-2 holds information about the granularity for identifying communication, when a packet belonging to a flow not registered in the flow table 143 arrives at the virtual switch 142-2, the virtual switch 142-2 The conversion management manager 146-2 may be inquired, an entry to be registered in the flow table may be acquired, and registered in the flow table 143.

  The policy table 147 holds flow identification information and criteria for determining whether or not to use direct access for the flow. In the present embodiment, the flow identification information and the determination criterion are collectively referred to as a “policy”. As an example of the policy, for example, for a flow whose destination IP address is 192.168.1.1, when the number of packets passing through the virtual switch 142-2 exceeds a certain number within a certain time, the direct A policy using statistical information held in the flow table 143, such as using access, can be considered.

  The conversion management manager 146-2 determines whether to use direct access for a certain flow based on the policy held in the policy table 147, and sets direct access.

  Next, the operation of this embodiment will be described in detail with reference to the sequence diagrams of FIGS. 15 and 16.

  FIG. 15 is a sequence diagram illustrating a process in which the conversion management manager 146-2 performs direct access setting when a packet belonging to a flow not registered in the flow table 143 arrives at the virtual switch 142-2. . In the present embodiment, it is assumed that the virtual switch side has information regarding the granularity for identifying communication, but even if the conversion management manager 146-2 holds this information, there is essentially no change.

  First, the virtual switch 142-2 generates flow identification information using information on the granularity for identifying the packet header and communication, and notifies the conversion management manager 146-2 (S1420-2 in FIG. 15). The information for identifying this communication is, for example, a packet header.

  Next, the conversion management manager 146-2 refers to the policy table 147 using the communication identification information and the flow identification information, and if the flow corresponds to the policy using direct access, The setting process is started (S1460-2 in FIG. 15).

  The direct access setting procedure is the same as the process after S142a in FIG. 4 or the process after S140a in FIG.

  FIG. 16 shows a process in which the conversion management manager 146-2 uses the statistical information held in the flow table 143 to set the direct access or end the direct access setting.

  First, the conversion management manager 146-2 issues a statistical information acquisition request to the virtual switch 142-2 (S1462-2 in FIG. 16). This request may be one that reads all entries held in the flow table 143 or one that reads only entries that match a specific condition.

  Next, the virtual switch 142-2 accesses the flow table 143 according to the request issued by the conversion management manager 146-2, reads the flow statistical information, and transfers it to the conversion management manager 146-2 (S1422- of FIG. 16). 2).

  Next, the conversion management manager 146-2 refers to the policy table 147 using the acquired flow statistical information, and if there is a direct access target flow, starts the direct access setting process and ends the direct access. If there is a flow to be performed, direct access termination processing is started (S1464-2 in FIG. 16).

  The direct access setting procedure is the same as the process after S142a in FIG. 4 or the process after S140a in FIG. The direct access termination procedure is the same as that shown in FIG.

  As described above, according to the present embodiment, in the communication between virtual machines 12 using direct access, setting or deletion of direct access is performed based on the administrator's policy and statistical information. For this reason, communication using direct access can be realized even if the virtual machine 10 does not explicitly indicate whether direct access is required.

[Third Embodiment]
Next, a third embodiment of the present invention in which the configuration on the network interface card side is changed will be described in detail with reference to the drawings. FIG. 17 is a block diagram illustrating a detailed configuration of the server 10A3 according to the third embodiment of this invention. The difference from the server of the first embodiment shown in FIG. 3 is that the network interface card 16-3 includes a reception filter table (Ingress Filter Table) 164-3 constituting the network interface card 16-3, and a transmission filter. A table (Egress Filter Table) 165 is provided. Other components similar to those of the first embodiment of the present invention are denoted by the same reference numerals, and detailed description thereof is omitted. Further, the reception filter table 164-3 has the same function as the filter table 164 of the first embodiment, and thus detailed description thereof is omitted.

  The network interface card 16-3 includes a network interface controller 162, a reception filter table 164-3, a transmission filter table 165, a physical interface 166, a virtual interface 167, and a physical port 168. In FIG. 17, the reception filter table 164-3 and the transmission filter table 165 are illustrated as different tables, but the reception filter table 164-3 and the transmission filter table 165 are the same in implementation. It can also be realized using a memory or the like. In this case, the network interface controller 162 refers to the same filter table for the packets in both directions of transmission and reception, and executes processing for the packets.

  The transmission filter table 165 is a table for holding rules for filtering packets transmitted from the virtual machine 12 by the network interface card 16-3. In the transmission filter table, information for identifying communication such as a packet header and processing for a packet having the information can be registered. An example of the processing here is dropping a packet whose information in the destination IP address field in the packet header has a specific value. In addition, rewriting of a packet header by the network interface controller 162, filtering using data other than the packet header, and the like can be considered. Operations such as registration and deletion of rules in the transmission filter table 165 are performed from the hypervisor 14. Since the operation method is the same as that for the reception filter table 164-3, detailed description thereof is omitted.

  When the network interface controller 162 receives a packet from the virtual machine 12 via the virtual interface 167, the network interface controller 162 refers to the transmission filter table 165 using information for identifying communication included in the packet. The network interface 162 searches the transmission filter table 165 for an entry that matches the packet, and executes the processing contents registered in the entry. As a result of the search, if there is no entry, the network interface controller 162 considers that a packet related to communication for which direct access is not set is transmitted, and drops the packet.

  Next, the operation of this embodiment will be described in detail with reference to the sequence diagram of FIG. 18 and the flowcharts of FIGS. 19 and 20. In the description of this operation, it is assumed that a packet is dropped by the network interface card 16 in communication in which no entry exists in the transmission filter table 165.

  FIG. 18 shows the flow of processing for setting direct access using the transmission filter table 165. Since the basic operation flow is the same as that in the sequence diagram of FIG. 4, the same processes as those in FIG. 4 are denoted by the same reference numerals and detailed description thereof is omitted.

  When receiving a direct access request from the virtual machine 12A, the hypervisor 14A notifies the conversion management manager 146B of the hypervisor 14B of direct access (S142a-3 in FIG. 18). This notification includes communication identification information that can be registered in the transmission filter table 165A of the network interface card 16A and communication identification information included in the request from the virtual machine 12A.

  Next, the conversion management manager 146B uses the packet header conversion rule B based on the information included in the direct access notification and the communication identification information that can be registered in the reception filter table 164-3 of the network interface card 16B. Is registered in the header management table 144B (S140b-3 in FIG. 18).

  Thereafter, processing similar to the sequence of FIG. 4 is performed, and the packet header conversion rule B is notified to the conversion management manager 146A. Based on the packet header conversion rule B, the conversion management manager 146A registers information that can be registered in the transmission filter table 165A of the network interface card 16A in the converted packet header (S146a-3 in FIG. 18). .

  In this way, direct access is set on both the server 10A and the server 10B.

  FIG. 19 is a flowchart showing in detail the processing of the conversion management manager 146A of the hypervisor 14A in the sequence diagram of FIG. The same processes as those in the flowchart of FIG. 10 are denoted by the same reference numerals, and detailed description thereof is omitted.

  When the conversion management manager 146A receives a direct access request from the virtual machine 12A, it notifies the conversion management manager 146B of the hypervisor 14B of direct access (step F142a-3 in FIG. 19). This notification includes communication identification information that can be registered in the transmission filter table 165A of the network interface card 16A and communication identification information included in the request from the virtual machine 12A.

  When the packet management rule 146B is notified from the conversion management manager 146B, the conversion management manager 146A can register the packet header after conversion in the transmission filter table 165A of the network interface card 16A based on the packet header conversion rule B. Information is registered (F148a-3 in FIG. 19).

  FIG. 20 is a flowchart showing in detail the processing of the conversion management manager 146B of the hypervisor 14B in the sequence diagram of FIG. The same processes as those in the flowchart of FIG. 11 are denoted by the same reference numerals, and detailed description thereof is omitted.

  The conversion management manager 146B uses the packet header based on the information included in the direct access notification from the conversion management manager 146A and the communication identification information that can be registered in the reception filter table 164-3 of the network interface card 16B. The conversion rule B is determined and registered in the header management table 144B (F142b-3 in FIG. 20).

  When direct access is set for two-way communication between two servers 10 as shown in FIG. 6, before the conversion management manager 146A performs the processing of S140a in FIG. 6, the conversion management manager 146A. And the conversion management manager 146B exchange information regarding communication identification information that can be registered in the transmission filter table 165 of each network interface card 16 with each other, and the information exchanged in the processing after S140a in FIG. By determining the packet header conversion rule based on the above, direct access can be made to communication in both directions. Alternatively, the processing shown in the sequence diagram of FIG. 18 can be executed for each communication direction, or direct access can be set for communication in both directions.

  As described above, in this embodiment, in the communication between the virtual machines 12 using direct access, it is possible to prevent the virtual machine from giving a wrong packet header and executing the direct access, and the packet is the original communication. It is possible to prevent reaching the virtual machine 12 that is not the other party. The reason is that the transmission filter table 165 is provided in the network interface card 16.

  In this embodiment, the communication identification information that can be registered in the transmission filter table 165 of the virtual machine 10 on the packet transmission side is the identification of the communication that can be registered in the reception filter table 164-3 of the virtual machine 10 on the packet reception side. It is desirable to be a superset of information. In the case of a superset relationship, transmission of a packet having an erroneous packet header can be prevented even with any one of information that can be registered in the reception filter on the packet reception side. On the other hand, when the relationship is not superset, it is possible to prevent transmission of a packet having an erroneous packet header within the range of communication identification information that can be registered in the transmission filter table 165, but other information is incorrect. Packets with are detected on the receiving side.

  In addition, by replacing the network interface card 16 of the second embodiment with the network interface card 16-3 of the present embodiment, filtering of the packet transmission at the time of packet transmission, which is the effect of the present embodiment, is added to the second embodiment. Functions can be added. Since the operation of the transmission filter table 165 is the same as the method described in the description of the operation of the present embodiment, detailed description thereof is omitted.

[Fourth Embodiment]
Next, a fourth embodiment of the present invention in which conversion management manager functions are consolidated outside the server 10 will be described in detail with reference to the drawings. FIG. 21 is a block diagram showing the overall configuration of the fourth embodiment of the present invention. The basic configuration is the same as that of the first embodiment shown in FIG. 2, but is different in that the direct access controller 20 is connected. Constituent elements similar to those in FIG.

  The direct access controller 20 assigns and manages packet header conversion rules for setting direct access. At least one direct access controller 20 is arranged in the virtual environment of each user including virtual network resources and virtual computing resources.

  FIG. 22 is a block diagram illustrating detailed configurations of the server 10A4 and the direct access controller 20 according to the fourth embodiment of this invention. Referring to FIG. 22, a configuration in which a direct access controller 20, a virtual machine 12 operating on a server 10-4, and a hypervisor 14-4 are connected is shown.

  Referring to FIG. 22, a direct access controller 20 including a conversion management manager 146 and a header management table 144 according to the first embodiment, a conversion management local manager 146-4, and a virtual switch 142. -4 and a flow table 143-4, a hypervisor 14-4 and a virtual machine (VM) 12 are shown. Also in FIG. 22, the same components as those in the first embodiment are denoted by the same reference numerals, and detailed description thereof is omitted.

  In the present embodiment, when setting the direct access, a request for direct access setting is issued from the virtual machine 12 or the hypervisor 14-4 to the direct access controller 20, and the direct access controller 20 The packet header conversion rule for direct access is determined, and the determined packet header conversion rule is notified to the conversion management local manager 146-4. The conversion management local manager 146-4 includes the filter table 164 and the header conversion table. It operates to set to 126.

  The direct access controller 20 includes a conversion management manager 146 and a header management table 144. The direct access controller 20 has a communication function for communicating with the server 10A4 via the network 18, a memory area for holding the header management table 144, and a calculation function for controlling direct access. Generally, the direct access controller 20 can be configured using a server.

  The conversion management manager 146 performs management of information related to direct access of each server, and negotiation and notification with the conversion management local manager 146-4 in each server for setting direct access. By this negotiation, information about information that can be registered in the filter table 164 of the network interface card 16 of the server on the packet receiving side is acquired, and a packet header conversion rule is determined. Further, the determined packet header conversion rule is notified to the conversion management local manager 146-4 provided in the server 10A4 in which both virtual machines 12 communicating using direct access are accommodated.

  The header management table 144 manages communication related to the virtual machine 12 running on the server 10A4. When the conversion management manager 146 determines a header conversion rule for direct access, the conversion management manager 146 is used to make it possible to distinguish between an existing communication and a new direct access communication.

  The hypervisor 14-4 of the server 10A4 includes a virtual switch 142-4, a flow table 143-4, and a conversion management manager 146-4.

  The virtual switch 142-4 relays communication that does not use direct access among the communication related to the virtual machine 12. The virtual switch 142-4 registers and manages the identifier of the currently active communication in the flow table 143-4. Also, every time a packet reaches the virtual switch 142-4, the virtual switch 142-4 refers to the flow table 143-4 and confirms whether or not the communication is new. In the case of new communication, the identifier of the new communication is notified to the conversion management local manager 146-4.

  The flow table 143-4 stores an identifier of a currently active communication.

  When the virtual machine 12 issues a direct access setting request, the conversion management local manager 146-4 notifies the direct access controller 20 of the communication identifier included in the request. Further, the conversion management local manager 146-4 identifies the communication that can be registered in the filter table 164 in response to an inquiry from the direct access controller 20 regarding the communication identification information that can be registered in the filter table 164 of the network interface card 16. Notify information about information. When the header conversion rule is notified from the direct access controller 20, the header conversion rule is registered in the header conversion table 126 of the corresponding virtual machine 12, and an entry is added to the filter table 164 depending on the case. Therefore, in order to identify which direct access setting request the notified header conversion rule corresponds to, an identifier associated with the direct access request is assigned to the header conversion rule.

  In addition, when the virtual switch 142-4 notifies that the new communication has occurred, the conversion management local manager 146-4 notifies the direct access controller 20 of the communication identifier. Also, the conversion management local manager 146-4 deletes the corresponding entry from the filter table 164 when the communication using the direct access ends, and the conversion management local manager 146-4 also displays the direct access controller. 20 is notified that the communication using the direct access has been completed together with the communication identifier.

  Next, the operation of this embodiment will be described in detail with reference to the sequence diagrams of FIGS. 23 and 24 and the flowcharts of FIGS. 25 and 26.

  FIG. 23 is a sequence diagram illustrating processing for setting direct access between two servers (server A and server B) based on a request from the virtual machine 12. In FIG. 23, the same processes as those in the sequence diagram of the first embodiment shown in FIG. 4 are denoted by the same reference numerals, and detailed description thereof is omitted. In the description of the operation of the present embodiment, the virtual machine 12 issues a direct access setting request to the direct access controller 20 via the conversion management local manager 146-4, but the virtual machine 12 directly issues the direct access controller 20. It is also possible to issue a direct access setting request. This does not give an essential difference to the present embodiment.

  Referring to FIG. 23, first, the virtual machine 12A transmits a direct access request to the conversion management local manager 146-4A (S120a-4 in FIG. 23). This request includes identification information for identifying communication.

  Next, the conversion management local manager 146-4A transfers the identification information of the direct access target communication to the direct access controller 20 (S142a-4 in FIG. 23).

  Next, the conversion management manager 146 provided in the direct access controller 20 sends a network interface card to the conversion management local manager 146-4B of the server 10B in which the virtual machine 12B that is a communication partner using direct access is accommodated. An inquiry is made for identification information for identifying a communication that can be registered in the filter table 164B of 16B (S200 in FIG. 23).

  Upon receiving the inquiry, the conversion management local manager 146-4B responds to the direct access controller 20 with identification information relating to information for identifying communication that can be registered in the filter table 164B (S140b-4 in FIG. 23).

  Next, the direct access controller 20 performs packet header conversion from the communication identification information received from the conversion management local manager 146-4A and the identification information that can be registered in the filter table 164B received from the conversion management local manager 146-4B. The rule is determined and registered in the header management table 144 (S202 in FIG. 23).

  Next, the direct access controller 20 notifies the packet header conversion rule to the conversion management local manager 146-4B (S204 in FIG. 23).

  Next, the conversion management local manager 146-4B registers the packet header conversion rule in the header conversion table 126B (S144b in FIG. 23). Also, the conversion management local manager 146-4B registers an entry in the filter table 164B based on the packet header conversion rule (S146b in FIG. 23). Since there is no dependency relationship between the processes of S144b in FIG. 23 and S146b in FIG. 23, the execution order may be switched. When the processing of steps S144b and S146b in FIG. 23 is completed, the conversion management local manager 146-4B notifies the direct access controller 20 that the setting of direct access has been completed (S152b-4 in FIG. 23).

  When the completion notification is received, the direct access controller 20 notifies the conversion management local manager 146-4A of the packet header conversion rule (S206 in FIG. 23).

  Upon receiving the packet header conversion rule, the conversion management local manager 146-4A registers the received packet header conversion rule in the header conversion table 126A of the virtual machine 12A that issued the direct access request (S144a- in FIG. 23). 4).

  Next, the conversion management local manager 146-4A notifies the virtual machine 12A that the direct access setting has been completed (S147a-4 in FIG. 22).

  In this way, the direct access setting using the direct access controller 20 is completed.

  FIG. 24 is a sequence diagram illustrating a process of deleting the direct access setting when communication using direct access is completed. In FIG. 24, the same processes as those in the sequence diagram of the first embodiment shown in FIG. 7 are denoted by the same reference numerals, and detailed description thereof is omitted.

  First, the virtual machine 12A deletes the corresponding entry from the header conversion table 126A (S126 in FIG. 24), and notifies the conversion management local manager 146-4A that communication using direct access has been completed. (S128 in FIG. 24). This notification includes identification information for identifying the communication targeted for direct access.

  Next, the conversion management local manager 146-4A notifies the direct access controller 20 that communication using direct access has been completed (S148a-4 in FIG. 24). This notification includes identification information for identifying the communication targeted for direct access.

  Next, the direct access controller 20 notifies the conversion management local manager 146-4B that communication using direct access has been completed (S208 in FIG. 24). This notification includes identification information for identifying the communication targeted for direct access.

  Next, the conversion management local manager 146-4B deletes the corresponding entry from the header conversion table 126 (S148b-4 in FIG. 24). Also, the conversion management local manager 146-4B deletes the corresponding entry from the filter table 164B (S149b-4 in FIG. 24). Note that since there is no dependency relationship between the processes of S148b-4 in FIG. 24 and S149b-4 in FIG. 24, the execution order may be switched.

  Next, the conversion management local manager 146-4B notifies the direct access controller 20 that the entry deletion has been completed (S150b-4 in FIG. 24). This notification includes identification information indicating which direct access is used to delete the communication entry.

  Next, the direct access controller 20 deletes the corresponding entry from the header management table 144 (S210 in FIG. 24).

  In this way, the deletion of the direct access setting is completed.

  FIG. 25 is a flowchart showing in detail a process for an inquiry related to identification information of communication that can be registered in the filter table 164B in the process of the conversion management local manager 146-4B of the hypervisor 14B in the sequence diagram of FIG. .

  When the conversion management local manager 146-4B has inquired about identification information of communication that can be registered in the filter table 164B (Yes in step F140b-4 in FIG. 25), the conversion management local manager 146-4B stores the filter table 164B in the filter table 164B. Notification information of communication that can be registered is notified (step F142b-4 in FIG. 25). When there is no inquiry regarding the identification information of communication that can be registered in the filter table 164B (No in Step F140b-4 in FIG. 25), the conversion management local manager 146-4B does not particularly start processing.

  FIG. 26 is a flowchart showing in detail a process of registering a header conversion rule among the processes of the conversion management local manager 146-4B of the hypervisor 14B in the sequence diagram of FIG.

  First, the conversion management local manager 146-4B registers the packet header conversion rule in the header conversion table 126 when the packet header conversion rule is notified from the direct access controller 20 (Yes in step F144b-4 in FIG. 26) ( Step F145b-4) in FIG. When the packet header conversion rule is not notified (No in Step F144b-4 in FIG. 25), the conversion management local manager 146-4B does not particularly start processing.

  Next, the conversion management local manager 146-4B adds an entry to the filter table 164B based on the packet header conversion rule (step F146b-4 in FIG. 26). At this time, only information that can be registered in the filter table 164B is registered among the information included in the packet header after conversion. In addition, since there is no dependence relationship in the process of step F145b-4 of FIG. 26 and step F146b-4 of FIG. 26, the order to perform may be switched.

  Next, the conversion management local manager 146-4B notifies the direct access controller 20 that the registration of the packet header conversion rule has been completed (step F150b-4 in FIG. 26). This notification includes identification information indicating which direct access the registration of the packet header conversion rule has been completed.

  Also in the present embodiment, direct access can be set for two-way communication between two servers 10 as shown in FIG. In this case, when the conversion management local manager 146-4A performs the process of S142a-4 in FIG. 6, the direct access controller 20 is notified of identification information that can be registered in the filter table 164A at the same time as the communication identification information. To do. Thereby, the direct access controller 20 can determine the header conversion rule regarding both communication directions. Alternatively, direct access can be set for communication in both directions by executing the processing shown in the sequence diagram of FIG. 23 for each communication direction.

  As another form of the direct access controller 20, communication identification information that can be registered in the filter table 164 of the network interface card 16 provided in each server, and functions supported by the network interface controller 162 are collected in advance, or direct access It is also conceivable to hold it when it is obtained at the time of setting. In this case, when setting the direct access, the direct access controller 20 sends a filter table to the hypervisor 14 of the server 10 in which the virtual machine that is the communication partner of the virtual machine 12 that has issued the direct access setting request is accommodated. It is not necessary to inquire about the identification information of communication that can be registered in 164, and the time required to complete the direct access setting can be shortened.

  As described above, in this embodiment, it is not necessary for the hypervisor 14 in each server 10 to check whether the converted packet header used for direct access is a unique value in the network. There is an effect. The reason is that a direct access controller 20 is provided in the network as an inquiry destination when direct access setting is performed, and the direct access controller 20 manages information regarding the direct access setting and information regarding the communication of the server 10. It is in the configuration.

[Fifth Embodiment]
Next, instead of placing the server-side header conversion function and header conversion rule generation function, refer to the drawing for the fifth embodiment of the present invention in which these functions are consolidated in an external data conversion device (direct access gateway). And will be described in detail.

  FIG. 27 is a block diagram showing the overall configuration of the fifth embodiment of the present invention. Referring to FIG. 27, a configuration in which the server 10 is connected to the direct access gateway 30 via the network 18-5 is shown.

  In this embodiment, the direct access gateway 30 applies the packet header conversion rule to the direct access target communication for the packet transmitted from the server connected to the network 18-5. In the example of FIG. 27, the server 10 is connected to the direct access gateway 30 via the network 18-5. However, the server 10 may be directly connected to the direct access gateway 30.

  The direct access gateway 30 includes a header conversion unit 122, a conversion management manager 146, a header management table 144, and a network interface 16-5. Since the operation of each unit and the direct access setting method are the same as those of the other embodiments of the present invention, detailed description thereof is omitted.

  In the present embodiment, setting for direct access and packet header conversion are executed by the direct access gateway 30. In this way, it is not necessary to provide the header conversion unit 122, the conversion management manager 146, and the header management table 144 in each server, and it is not necessary to change the server 10. When the server 10 having no such direct access setting function is the data transmission side and the data reception side is the server 10 having the direct access setting function as shown in other embodiments, communication by direct access is performed. Benefit from improved performance.

  Although the embodiments of the present invention have been described above, the present invention is not limited to the above-described embodiments, and further modifications, substitutions, and adjustments are possible without departing from the basic technical idea of the present invention. Can be added. For example, there are no restrictions on the number of network configurations, servers, virtual machines, etc. used in the above-described embodiments.

Finally, a preferred form of the invention is summarized.
[First embodiment]
(Refer to the computer from the first viewpoint above)
[Second form]
In the first form of computer,
When the virtual machine management unit receives an access request from the first virtual machine,
An entry for transferring data received from the second virtual machine to the first virtual machine is added to the filter table of the network interface on the own apparatus side, and at least the match condition of the entry is set in the second computer. Send to
It is preferable that the data identifier of the data output from the second virtual machine is converted to a data identifier set as a match condition in the filter table of the first computer and then transmitted to the second computer.
[Third embodiment]
In the second form of computer,
A data identifier management table for managing a data identifier for uniquely identifying a communication between a virtual machine operating on its own device side and a second virtual machine operating on the second computer;
It is preferable to determine the match condition with reference to the data identifier management table.
[Fourth form]
In the computer according to any one of the first to third forms,
Requesting a centralized controller having a data identifier management table for managing a data identifier for uniquely identifying communication between the virtual machine and the second virtual machine to generate the conversion rule;
It is preferable that the conversion rule generated by the centralized controller is set in the conversion unit of the first virtual machine, and the filter table is updated using the conversion rule.
[Fifth embodiment]
In the computer according to any one of the first to fourth forms,
The virtual machine management unit includes a virtual switch that relays between the virtual machine and the network interface,
It is preferable to accept an access request from the virtual machine via the virtual switch.
[Sixth embodiment]
In the computer according to any one of the first to fifth aspects,
The virtual machine management unit further includes a policy management function for managing a policy that is a criterion for determining whether or not to perform direct access, and refers to the policy to set direct access for data between the virtual machines. It is preferable to determine whether or not.
[Seventh form]
In the computer of the sixth form,
A communication identifier can be used as the policy.
[Eighth form]
In the computer of the sixth or seventh aspect,
The virtual machine management unit includes a statistical information management function for acquiring and managing communication statistical information, and the communication statistical information can be used as the policy.
[Ninth Embodiment]
In the computer according to any one of the second to eighth forms,
The network interface further includes a data transmission control function for determining a data transfer destination or data discarding according to a data identifier for data in a direction from the application operating on the virtual machine to the network; A storage area for storing control contents for the transmission data,
It is preferable that the virtual machine management unit further has a function of setting control contents for transmission data in the storage area based on the conversion rule.
[Tenth embodiment]
In the computer according to any one of the first to ninth aspects,
Instead of converting the data identifier, data can be encapsulated and unencapsulated by referring to the conversion rule.
[Eleventh form]
(Refer to the data conversion device (direct access gateway) from the second viewpoint)
[Twelfth and thirteenth forms]
(Refer to the communication methods according to the third and fourth viewpoints.)
[14th form]
A filter table in which matching conditions for matching with received data and a virtual interface corresponding to an output destination virtual machine are associated is provided, and the received data is referred to the virtual machine on its own device side with reference to the filter table. A program to be executed by a computer connected to a second computer having a network interface having a switching function of transferring,
When an access request is received from the first virtual machine communicating with the second virtual machine operating on the second computer side via the network interface and the network interface on the own apparatus side, the second computer Processing to send a data identifier of data output from the first virtual machine to request update of the filter table of the second computer and return of a match condition of the updated filter table; ,
A process for setting a data identifier conversion rule in the conversion unit of the first virtual machine using the match condition returned from the second computer;
Based on the conversion rule, the data identifier of data to be transmitted to the second virtual machine is converted into a data identifier set as a match condition in the filter table of the second computer, and then the second computer A program for executing the transmission process.
[15th form]
A filter table in which matching conditions for matching with received data and a virtual interface corresponding to an output destination virtual machine are associated is provided, and the received data is referred to the virtual machine on its own device side with reference to the filter table. A program to be executed by a computer having a network interface having a switching function to transfer,
A process of adding an entry for transferring the data transmitted from the second computer to a corresponding virtual machine in the filter table using the data identifier transmitted from the second computer;
Causing the second computer to execute a process of returning a match condition of the added filter table;
A program for causing the second computer to convert a data identifier of data transmitted from a virtual machine operating on the second computer so that the data identifier is applied to a matching condition of the added filter table.
[Sixteenth embodiment]
A direct access control system in which any one of the first to tenth computers is connected.
[17th form]
A filter table in which a virtual machine, a virtual machine management unit, a matching condition to be matched with received data, and a virtual interface corresponding to an output destination virtual machine are associated with each other is received with reference to the filter table Two or more computers having a network interface having a switching function for transferring data to a virtual machine on the own device side are connected via a data conversion device (direct access gateway) of the eleventh form. Direct access control system.

  Each disclosure of the above-mentioned patent document and non-patent document is incorporated herein by reference. Within the scope of the entire disclosure (including claims) of the present invention, the embodiments and examples can be changed and adjusted based on the basic technical concept. Further, various combinations or selections of various disclosed elements (including each element of each claim, each element of each embodiment or example, each element of each drawing, etc.) within the scope of the claims of the present invention. Is possible. That is, the present invention of course includes various variations and modifications that could be made by those skilled in the art according to the entire disclosure including the claims and the technical idea.

  The present invention can realize communication using direct access even if each server is equipped with a different network interface card in a server virtualization environment, and services such as IaaS (Infrastructure as a Service). Therefore, high communication performance can be provided to the user.

10, 10A-10A5 Server 12, 12A, 12B, 1200 Virtual Machine (AM)
14, 14A, 14B, 14-2, 14-4 Hypervisor 16, 16-3, 16-5 Network interface card (NIC)
18, 18-5, 1800 Network 20 Direct access controller 30 Direct access gateway 122, 122A, 122B Header converter 124, 124A, 124B Application (program)
126, 126A, 126B Header conversion tables 142, 142-2, 142-4 Virtual switches 143, 143-4 Flow tables 144, 144A Header management tables 146, 146A, 146B, 146-2 Conversion management managers 146-4, 146 4A, 146-4B Conversion management local manager 147 Policy table 162 Network interface controller 164, 164A, 164B Filter table 164-3 Reception filter table 165 Transmission filter table 166 Physical interface (PI)
167 Virtual interface (VI)
168 Physical port 1000 Computer 1400 Virtual machine management unit 1600 Network interface

Claims (10)

A filter table in which matching conditions for matching with received data and a virtual interface corresponding to an output destination virtual machine are associated is provided, and the received data is referred to the virtual machine on its own device side with reference to the filter table. A computer connected to a second computer having a network interface having a switching function to transfer,
A first virtual machine communicating with a second virtual machine operating on the second computer side via the network interface and the network interface on the own device side;
When an access request is received from the first virtual machine, a data identifier of data output from the first virtual machine is transmitted to the second computer, and the filter table of the second computer Update request and return of the updated filter table match condition, and using the match condition returned from the second computer, the conversion rule of the data identifier is set in the conversion unit of the first virtual machine. A virtual machine management unit to be set;
Based on the conversion rule, the data identifier of data to be transmitted to the second virtual machine is converted into a data identifier set as a match condition in the filter table of the second computer, and then the second computer A conversion unit for transmitting,
After the setting of the conversion rule, the conversion unit transmits data output from the first virtual machine to the second computer without going through the virtual machine management unit. The virtual machine management unit, when receiving the access request from the first virtual machine,
An entry for transferring data received from the second virtual machine to the first virtual machine is added to the filter table of the network interface on the own apparatus side, and at least the match condition of the entry is set in the second computer. Send to
On the second computer, according to claim 1 for transmitting the data identifier of the data output from the second virtual machine, convert the filter table before Symbol calculations machine set data identifier as a match condition Calculator. The virtual machine management unit
A data identifier management table for managing a data identifier for uniquely identifying a communication between a virtual machine operating on its own device side and a second virtual machine operating on the second computer;
3. The computer according to claim 2 , wherein a match condition to be transmitted to the second computer is determined with reference to the data identifier management table. Instead of the conversion unit,
The virtual machine management unit
Requesting a centralized controller having a data identifier management table for managing a data identifier for uniquely identifying communication between the virtual machine and the second virtual machine to generate the conversion rule;
The computer according to any one of claims 1 to 3, wherein a conversion rule generated by the centralized controller is set in a conversion unit of the first virtual machine, and a filter table is updated using the conversion rule. The virtual machine management unit includes a virtual switch that relays between the virtual machine and the network interface,
The computer according to any one of claims 1 to 4, wherein an access request from the virtual machine is received via the virtual switch. The virtual machine management unit further includes a policy management function for managing a policy that is a criterion for determining whether or not to perform direct access, and refers to the policy to set direct access for data between the virtual machines. computer according to claims 1 to 3, 5 any one to determine whether. The network interface further includes a data transmission control function for determining a data transfer destination or data discarding according to a data identifier for data in a direction from the application operating on the virtual machine to the network; A storage area for storing control contents for data in the direction to the network ,
The virtual machine management unit is further based on the conversion rule, the storage area, computer according to claims 1 to 3, 6 any one having the ability to set the control content for the outgoing data. The computer according to any one of claims 1 to 3, 6, and 7, wherein data is encapsulated and unencapsulated with reference to the conversion rule instead of the conversion of the data identifier. A filter table in which matching conditions for matching with received data and a virtual interface corresponding to an output destination virtual machine are associated is provided, and the received data is referred to the virtual machine on its own device side with reference to the filter table. A network interface having a switching function of transferring , and a virtual machine that communicates with other virtual machines via the network interface;
When receiving a request from the virtual machine of one of the computers, the filter table is configured to transfer the data from the virtual machine of the one computer to the virtual machine of the communication destination. A conversion management manager for requesting an update and creating a data identifier conversion rule for converting data from the virtual machine of the one computer so as to conform to the matching condition of the updated filter table;
A data conversion apparatus comprising: a conversion unit that converts the data identifier with reference to the conversion rule. A filter table in which matching conditions for matching with received data and a virtual interface corresponding to an output destination virtual machine are associated is provided, and the received data is referred to the virtual machine on its own device side with reference to the filter table. On a computer connected to a second computer with a network interface with a switching function to transfer,
When an access request is received from the first virtual machine communicating with the second virtual machine operating on the second computer side via the network interface and the network interface on the own apparatus side, the second computer Transmitting a data identifier of data output from the first virtual machine to requesting update of the filter table of the second computer and return of a match condition of the updated filter table; ,
Using the match condition returned from the second computer to set a data identifier conversion rule in the conversion unit of the first virtual machine;
Based on the conversion rule, the data identifier of data to be transmitted to the second virtual machine is converted into a data identifier set as a match condition in the filter table of the second computer, and then the second computer And a step of transmitting.

Images