TWI773200B - Provision and management system and method for container infrastructure service and computer readable medium - Google Patents


Info

Publication number
TWI773200B
Authority
TW
Taiwan
Prior art keywords
network
service
master
resource
management module
Prior art date
Application number
TW110109786A
Other languages
Chinese (zh)
Other versions
TW202238374A (en)
Inventor
王志哲
黃耀德
Original Assignee
中華電信股份有限公司
Priority date
Filing date
Publication date
Application filed by 中華電信股份有限公司
Priority to TW110109786A
Application granted
Publication of TWI773200B
Publication of TW202238374A

Landscapes

  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)
  • Stored Programmes (AREA)
  • Hardware Redundancy (AREA)

Abstract

The present invention is a provisioning and management system and method for container infrastructure service, which performs the following steps: providing storage space and deploying the network according to the parameters of the service nodes, so as to construct the shared environment required by a container service platform; and constructing master-slave computing nodes and firewalls, configuring in the master-slave computing nodes the parameters of the cluster stored in the shared environment, selecting the unique master computing node from the master-slave computing nodes by using a locking mechanism and a first-in-first-out algorithm, and enabling the network between the storage space and the master-slave computing nodes. The goal of accelerating the installation service is achieved by judging the dependencies between the various resources. The present invention further provides a computer-readable medium for performing the provisioning and management method for container infrastructure service.

Description

Provisioning management system, method and computer-readable medium for container service infrastructure

The present invention relates to container service infrastructure technology, and more particularly to a provisioning management system, method and computer-readable medium for container service infrastructure.

With the rise of the cloud-native concept, technologies such as containers, DevOps (the combination of Development and Operations) and microservices have emerged, making it easier to integrate and deploy new versions of service applications. Building, testing and running applications no longer carries a large additional burden, the cost of moving to the cloud falls, and the portability of containers allows application services to be scaled and extended more flexibly. This has attracted more enterprise service applications into container environments, and enterprises have begun to plan and run their traditional applications in the cloud, achieving the goal of cloud-based service applications.

However, even though the technology for integrating and deploying new versions of service applications has been developed to a considerable extent, simplifying procedures, improving provisioning efficiency, and reducing resource and maintenance and operation costs remain very important. In addition, the network security of the service platform is valued by service users. These are the goals that enterprise service providers are committed to improving through research and development.

In view of this, providing a container service infrastructure technology that allows simpler and faster construction when integrating and deploying new versions of service applications, while meeting the requirements of low cost, high efficiency and security, has become the goal pursued by those skilled in the art.

To solve the above problems of the prior art, the present invention proposes a technique and method for a new provisioning management mechanism for container service infrastructure. It provides enterprises and individuals with a simple and fast solution for building container service platform infrastructure, thereby improving resource utilization and provisioning efficiency, reducing the cost of resources and of maintenance and operation, and strengthening the network security of the entire service platform.

The present invention proposes a provisioning management system for container service infrastructure, comprising: a service template collaborative management module, used to organize and chain computing resources, storage resources, network resources, network address translation resources, firewall resources and routing resources, and to coordinate their state adjustment so that they can be used to complete provisioning of the infrastructure; a computing resource management module, connected to the service template collaborative management module, used to set the path of the storage resource, the network configuration and the virtual machine template, and to process and deploy multiple computing nodes in parallel so as to determine a unique master computing node; and a network resource management module, connected to the service template collaborative management module, used to determine and deploy the network address translation (NAT) of the master virtual address and the logically isolated network gateway address, to deploy the establishment of inbound and outbound firewall rules for the multiple computing nodes, the configuration server and the storage cluster, and to deploy the external network routing table of the logically isolated network so as to connect to the configuration server. Based on the service node parameters, storage space is provisioned and the network is deployed so as to construct the shared environment required by the container service platform, and the parameters of the storage cluster in the shared environment are configured in the multiple computing nodes, thereby completing the provisioning and management of the container service platform's infrastructure.

In one embodiment, the provisioning management system for container service infrastructure further includes a storage resource management module connected to the service template collaborative management module, used to manage and configure the storage space.

In one embodiment, the provisioning management system for container service infrastructure further includes a resource dispatch management module connected to the service template collaborative management module, used to dispatch the network resource, the storage resource and the computing resource.

In one embodiment, the network resource management module further divides the network into a management network segment and a service network segment, so that the container service platform is established on the logically isolated network of the service network segment.

The present invention further proposes a provisioning management method for container service infrastructure, comprising: provisioning storage space and deploying a network according to service node parameters, so as to construct the shared environment required by the container service platform; and constructing master-slave computing nodes and firewalls, configuring the parameters of the storage cluster in the shared environment in the master-slave computing nodes, and then, by provisioning the master-slave computing nodes in parallel, applying a locking mechanism and a first-in-first-out algorithm to the master-slave computing nodes so as to select a unique master computing node and to open the network between the storage space and the master-slave computing nodes in parallel.

In the above method, the step of constructing the shared environment required by the container service platform includes dividing the network into a management network segment and a service network segment, so that the container service platform is established on the logically isolated network of the service network segment.

In the above method, the step of constructing the master-slave computing nodes includes obtaining a pre-established virtual machine template from a database and combining the service node parameters entered by the user with the virtual machine template to generate multiple sets of service nodes that serve as the master-slave computing nodes.

In the above method, the step of constructing the firewall further includes obtaining from the database the network address of the configuration server, from which the management configuration originates, and the unique master virtual network address dispatched by the network resource, and obtaining the port number that the network address translation server generated at resource deployment time for the configuration server's service, so as to establish firewall rules that traverse the network.

In the aforementioned method, according to the dependencies of the computing nodes, different firewall rules are composed from the master-slave computing nodes, so as to establish a first firewall rule allowing the unique master computing node to connect to the configuration server and a second firewall rule allowing the master-slave computing nodes to connect to the storage space.

The present invention further provides a computer-readable medium, applied in a computing device or computer, which stores instructions for executing the above provisioning management method for container service infrastructure.

In summary, the present invention proposes a provisioning management mechanism for container service infrastructure that builds the container service platform infrastructure simply and quickly. According to the resource demand parameters entered by the user, one-click provisioning is used in combination with a container service platform infrastructure service provisioning template; provisioning resources are allocated by region, and service provisioning nodes are generated dynamically using the tree structure of the tree diagram of the provisioning management mechanism. The root node mainly abstracts the shared environment required by the container service platform and deploys the network architecture and storage space of the mechanism in a unified way, reducing the consumption required for provisioning; multiple child nodes are generated dynamically according to resource requirements to provision the master-slave computing nodes and firewalls in parallel, achieving the goal of accelerating the provisioning service.

1: Provisioning management system for container service infrastructure

11: Service template collaborative management module

12: Computing resource management module

13: Network resource management module

14: Storage resource management module

15: Resource dispatch management module

2: Provisioning process management database

501-505: Processes

601-611: Processes

S41-S42: Steps

FIG. 1 is a schematic architecture diagram of the provisioning management system for container service infrastructure of the present invention.

FIG. 2 is a tree diagram of the provisioning management mechanism for constructing container service infrastructure of the present invention.

FIG. 3 is a network architecture diagram of the provisioning management mechanism for container service infrastructure of the present invention.

FIG. 4 is a step diagram of the provisioning management method for container service infrastructure of the present invention.

FIG. 5 is a flow chart of the processes required by each module in constructing the provisioning management mechanism for container service infrastructure of the present invention.

FIG. 6 is a flow chart of a specific embodiment of the provisioning management mechanism for constructing container service infrastructure of the present invention.

The technical content of the present invention is described below by way of specific embodiments; those skilled in the art can readily understand the advantages and effects of the present invention from the content disclosed in this specification. The present invention may also be implemented or applied through other different specific embodiments.

FIG. 1 is a schematic architecture diagram of the provisioning management system for container service infrastructure of the present invention. As shown in the figure, the present invention proposes a provisioning management system 1 for container service infrastructure, which can execute the provisioning management mechanism for container service infrastructure. After a user submits, through the client interface, a resource requirement for constructing a container service infrastructure platform, the service template collaborative management module 11 receives the user requirement and begins provisioning. During provisioning of the entire service platform, in order to reduce the complexity of integrating network resources, storage resources and computing resources, and to effectively reduce operation and maintenance costs, the present invention uses the provisioning process to judge the dependencies between the various resources and thereby ensures the correctness of the provisioned container service infrastructure. The provisioning management system 1 for container service infrastructure is connected to a provisioning process management database 2 that stores the related data, and includes a service template collaborative management module 11, a computing resource management module 12 and a network resource management module 13.

The service template collaborative management module 11 is used to organize and chain computing resources, storage resources, network resources, network address translation resources, firewall resources and routing resources, and to coordinate their state adjustment so that they can be used to complete provisioning of the infrastructure.

The computing resource management module 12 is connected to the service template collaborative management module 11 and is used to set the path of the storage resource, the network configuration and the virtual machine template, and to process and deploy multiple computing nodes in parallel in order to decide on and determine the unique master computing node. In short, the computing resource management module 12 deploys computing nodes from a virtual machine (VM) template and determines the unique master computing node, sets up the cluster, the storage resource path and the network configuration, configures on all computing nodes the network address (IP) of the unique master computing node, and sets different role levels (for example Master and Worker).

The network resource management module 13 is connected to the service template collaborative management module 11 and is used to decide on and determine the deployment of the network address translation (NAT) of the master virtual address and the logically isolated network gateway address, to deploy the establishment of inbound and outbound firewall rules for the multiple computing nodes, the configuration server and the storage cluster, and to deploy the external network routing table of the logically isolated network so as to connect to the configuration server.

The network resource management module 13 further divides the network into a management network segment and a service network segment, so that the container service platform is established on the logically isolated network of the service network segment. Specifically, for information security reasons the network architecture is divided into a management network segment and a service network segment, and the container service platform is built on the logically isolated network of the service network segment; therefore, when the platform is deployed, network traversal must be constructed.

The present invention provisions storage space and deploys the network according to the service node parameters, so as to construct the shared environment required by the container service platform, and configures the parameters of the storage cluster in the shared environment in the master-slave computing nodes, so as to complete the provisioning and management of the container service platform's infrastructure.

In one embodiment, the provisioning management system 1 for container service infrastructure further includes a storage resource management module 14 connected to the service template collaborative management module 11, used to manage and configure the storage space. Specifically, the storage resource management module 14 can be used to manage and configure storage space and to record space information.

In another embodiment, the provisioning management system 1 for container service infrastructure further includes a resource dispatch management module 15 connected to the service template collaborative management module 11, used to dispatch the network resource, the storage resource and the computing resource. Specifically, the resource dispatch management module 15 can be used to dispatch network resources, storage resources and computing resources, and to handle the related resource setting issues.

In addition, the new provisioning management mechanism for container service infrastructure of the present invention involves three types of resources: network resources, storage resources and computing resources. In one embodiment, the network resources may be, for example, interface IP addresses, gateway IP addresses, virtual local area networks (VLAN), network function virtualization (NFV) network interfaces, firewalls or routing tables; the storage resources may be, for example, storage clusters; and the computing resources may be, for example, virtual devices.

In summary, the present invention designs a configuration system and method for a new provisioning management mechanism for container service infrastructure for cloud services. It provides network operators with a low-complexity, highly secure container service platform network service, satisfies the elastic configuration of the cloud environment, and addresses maintenance and operation and migration between heterogeneous cloud platforms, so as to reduce the difficulties of moving service applications to the cloud.

FIG. 2 is a tree diagram of the provisioning management mechanism for constructing container service infrastructure of the present invention, and FIG. 3 is a network architecture diagram of the provisioning management mechanism for container service infrastructure of the present invention. As shown in FIG. 2, the architecture diagram generated by the provisioning management mechanism of the service template collaborative management module 11 of FIG. 1 is a tree, used to perform two-stage combined provisioning of the infrastructure. The root node of the first stage is mainly used to provision the storage space and deploy the network, so as to construct the shared environment required by the container service platform. The child nodes of the second stage construct the master-slave computing nodes and firewalls and configure the shared environment produced in the first stage: the computing nodes are provisioned in parallel, a lock mechanism is applied to the master-slave computing nodes, a first-in-first-out algorithm selects the unique master node, and the network between the storage space and the computing nodes is opened in parallel. That is, the second stage is the deployment of the master computing node with its firewall and of the worker computing nodes with their firewalls.

For information security reasons, the provisioning management mechanism for container service infrastructure of the present invention proposes a logical isolation mechanism for security in the network architecture. As shown in FIG. 3, the network is divided into a management network segment and a service network segment, and the container service platform is established on the logically isolated network of the service network segment. In short, the provisioning server and the configuration server are placed in the management network segment, separated from the client's service network segment; the multiple computing nodes in the service network segment are located in one logically isolated network, and the storage cluster is in another logically isolated network. Because the multiple computing nodes are built on a logically isolated network, an information security problem on the client side is prevented from affecting the servers on the provisioning and configuration side. In addition, deploying the platform requires network traversal: the secure connections needed to build the management configuration with the configuration server are established by deploying and managing routing rules, firewall rules, network address translation (NAT) and port forwarding.

FIG. 4 is a step diagram of the provisioning management method for container service infrastructure of the present invention. In step S41, storage space is provisioned and the network is deployed according to the service node parameters, so as to construct the shared environment required by the container service platform. This step mainly concerns the provisioning of the storage space and the deployment of the network, by which the shared environment required by the container service platform is established.

When the shared environment required by the container service platform is constructed as above, the network is divided into a management network segment and a service network segment, so that the container service platform is established on the logically isolated network of the service network segment; that is, the computing nodes are built on a logically isolated network, so that an information security problem on the client side does not affect the servers on the provisioning and configuration side.

In step S42, master-slave computing nodes and firewalls are constructed, and the parameters of the storage cluster in the shared environment are configured in the master-slave computing nodes; by provisioning the master-slave computing nodes in parallel, a locking mechanism and a first-in-first-out algorithm are applied to the master-slave computing nodes so as to select the unique master computing node and to open the network between the storage space and the master-slave computing nodes in parallel. This step constructs the master-slave computing nodes and firewalls and carves a piece of storage space out of the shared environment for the computing nodes to mount; that is, the parameters of the storage cluster in the shared environment are configured in the computing nodes, so that the computing nodes can successfully connect to the storage space carved out of the shared environment's storage cluster, and the corresponding network connections are further generated according to the dependencies between the nodes.
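The second-stage election described for FIG. 2 and again in step S42 (parallel provisioning of the master-slave computing nodes, a lock, and a first-in-first-out rule that yields exactly one master) can be modelled as follows. This is an added example, not code from the patent or its assignee: node names, IP addresses, the `SharedEnvironment` fields and the `ProvisionResult` record are assumptions, and the storage "mount" is represented only as the configured cluster parameters.

```python
import queue
import threading
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class SharedEnvironment:
    """Stage-one (root node) output: the storage cluster parameters that every
    computing node is configured with in stage two. Field names are assumed."""
    storage_cluster_ip: str
    storage_export_path: str


@dataclass
class ClusterState:
    """State shared by all provisioning threads of one cluster."""
    lock: threading.Lock = field(default_factory=threading.Lock)
    ready_queue: "queue.Queue[Tuple[str, str]]" = field(default_factory=queue.Queue)
    master: Optional[Tuple[str, str]] = None   # (name, ip) of the unique master, set once


@dataclass
class ProvisionResult:
    node: str
    ip: str
    role: str            # "master" or "worker"
    master_ip: str       # every node is configured with the master's IP
    storage_mount: str   # storage cluster parameters taken from the shared environment


def provision_node(name: str, ip: str, env: SharedEnvironment,
                   state: ClusterState, results: Dict[str, ProvisionResult]) -> None:
    """Stage-two work for one node; each node runs this in its own thread."""
    # configure the node with the shared environment's storage cluster parameters
    storage_mount = f"{env.storage_cluster_ip}:{env.storage_export_path}"
    # announce readiness: FIFO order of arrival is the election order
    state.ready_queue.put((name, ip))
    # locking mechanism: only one node at a time inspects and updates the election state
    with state.lock:
        if state.master is None:
            # the head of the queue (the first node that became ready) becomes the
            # unique master, regardless of which thread happens to hold the lock
            state.master = state.ready_queue.get()
        master_name, master_ip = state.master
        role = "master" if master_name == name else "worker"
        results[name] = ProvisionResult(name, ip, role, master_ip, storage_mount)


def provision_cluster(nodes: List[Tuple[str, str]],
                      env: SharedEnvironment) -> Dict[str, ProvisionResult]:
    """Provision all nodes in parallel and return one result per node."""
    state = ClusterState()
    results: Dict[str, ProvisionResult] = {}
    threads = [threading.Thread(target=provision_node, args=(n, ip, env, state, results))
               for n, ip in nodes]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return results


def election_is_consistent(results: Dict[str, ProvisionResult]) -> bool:
    """True when exactly one node holds the master role and every node, the master
    included, was configured with that node's IP."""
    masters = [r for r in results.values() if r.role == "master"]
    if len(masters) != 1:
        return False
    return all(r.master_ip == masters[0].ip for r in results.values())


if __name__ == "__main__":
    # constructed sample input, not values from the patent
    env = SharedEnvironment("192.168.200.10", "/export/cluster")
    sample_nodes = [("node-1", "192.168.100.11"),
                    ("node-2", "192.168.100.12"),
                    ("node-3", "192.168.100.13")]
    for r in provision_cluster(sample_nodes, env).values():
        print(r)
    print("consistent:", election_is_consistent(provision_cluster(sample_nodes, env)))
```

The queue gives the first-in-first-out ordering and the lock makes the "is there a master yet" check and the assignment one atomic step, so two threads can never both conclude that they are first. Which node wins depends on thread scheduling, but the invariant checked by `election_is_consistent` (one master, and all nodes pointing at it) holds on every run.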

When the firewall is constructed as above, the network address of the configuration server, from which the management configuration originates, and the unique master virtual network address dispatched by the network resource are obtained from the database, and the port number that the network address translation server generated at resource deployment time for the configuration server's service is obtained, so as to establish firewall rules that traverse the network. In addition, according to the dependencies of the computing nodes, different firewall rules can be composed from the master-slave computing nodes, so as to establish the firewall rule allowing the unique master computing node to connect to the configuration server and the firewall rule allowing the master-slave computing nodes to connect to the storage space.
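The dependency-driven rule composition described here and in the FIG. 3 discussion (management and service segments logically isolated; only the unique master reaches the configuration server, on the port the NAT server produced for it; every node reaches the storage cluster) can be expressed as a small rule generator with a default-deny check across segments. This is an added example and not code from the patent: the segment prefixes, addresses, the `config-api` service name, its NAT port and the storage port are constructed sample values.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List

# Constructed sample segments (not values from the patent).
SEGMENTS = {
    "management": ip_network("10.10.0.0/24"),      # provisioning and configuration servers
    "service":    ip_network("192.168.100.0/24"),  # logically isolated computing nodes
    "storage":    ip_network("192.168.200.0/24"),  # logically isolated storage cluster
}


@dataclass
class Node:
    name: str
    ip: str
    role: str  # "master" or "worker"


@dataclass(frozen=True)
class Rule:
    """One allow rule: the absence of a matching rule means the flow is denied."""
    src: str
    dst: str
    port: int
    proto: str = "tcp"


def segment_of(addr: str) -> str:
    """Name of the segment an address belongs to; unknown addresses are rejected."""
    a = ip_address(addr)
    for name, net in SEGMENTS.items():
        if a in net:
            return name
    raise ValueError(f"{addr} is not in any known segment")


def build_rules(nodes: List[Node], config_server_ip: str, config_service: str,
                nat_ports: Dict[str, int], storage_cluster_ip: str,
                storage_port: int) -> List[Rule]:
    """Compose firewall rules from the node dependencies.

    nat_ports maps a service name to the port the NAT server assigned to it at
    deployment time (assumed lookup; the patent reads this value from its database).
    """
    masters = [n for n in nodes if n.role == "master"]
    if len(masters) != 1:
        raise ValueError("exactly one unique master computing node is required")
    master = masters[0]
    rules: List[Rule] = []
    # first rule: only the unique master may reach the configuration server,
    # and only on the NAT-assigned port of the configuration service
    rules.append(Rule(master.ip, config_server_ip, nat_ports[config_service]))
    # second rule: every master-slave node may reach the storage cluster
    for n in nodes:
        rules.append(Rule(n.ip, storage_cluster_ip, storage_port))
    return rules


def is_permitted(rules: List[Rule], src: str, dst: str, port: int,
                 proto: str = "tcp") -> bool:
    """Default deny between segments: a cross-segment flow needs an explicit rule.
    Traffic that stays inside one logically isolated segment is not filtered here."""
    if segment_of(src) == segment_of(dst):
        return True
    return Rule(src, dst, port, proto) in rules


if __name__ == "__main__":
    # constructed sample input, not values from the patent
    nodes = [Node("node-1", "192.168.100.11", "master"),
             Node("node-2", "192.168.100.12", "worker")]
    nat_ports = {"config-api": 30443}
    rules = build_rules(nodes, "10.10.0.5", "config-api", nat_ports, "192.168.200.10", 2049)
    for r in rules:
        print(r)
    print("worker -> config server:", is_permitted(rules, "192.168.100.12", "10.10.0.5", 30443))
```

Because `is_permitted` only answers "allow" for an exact rule match, a worker that tries to reach the configuration server, or the master trying a port other than the NAT-assigned one, is denied without any explicit deny rule; this is the property that keeps a compromised service-segment node from reaching the provisioning side.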

圖5為本發明之建構容器服務基礎設施供裝管理機制中各模組必要的流程圖,請一併參考圖1說明之。圖5係說明圖1之容器服務基礎設施供裝管理系統中須具備之必要資源管控流程,其包括五大步驟:建構服務範本協同管理模組必要之流程501、建構資源派發管理模組必要之流程502、建構儲存資源管理模組必要之流程503、建構網路資源管理模組必要之流程504以及建構運算資源管理模組必要之流程505。 FIG. 5 is a necessary flow chart of each module in the construction of the container service infrastructure supply management mechanism of the present invention, please refer to FIG. 1 for description. FIG. 5 illustrates the necessary resource management and control process that must be provided in the container service infrastructure supply and installation management system of FIG. 1 , which includes five steps: the necessary process 501 for constructing the service template collaborative management module, and the necessary process 502 for constructing the resource distribution management module. , the necessary flow 503 for constructing the storage resource management module, the necessary flow 504 for constructing the network resource management module, and the necessary flow 505 for constructing the computing resource management module.

建構服務範本協同管理模組必要之流程501為容器服務基礎設施供裝管理系統1之服務範本協同管理模組11可成功運行的前置作業。此外,須於資料庫設定服務節點參數、服務範本規格、服務範本,服務節點樹狀資料結構階 層、供裝應用需求介面、服務節點之流程狀態(例如申租、異動、退租)、供裝流程等驅動整體系統協同管理供裝所必須之配置。 The necessary process 501 for constructing the service template collaborative management module is a pre-operation for the service template collaborative management module 11 of the container service infrastructure provisioning management system 1 to be able to run successfully. In addition, service node parameters, service template specifications, service templates, and service node tree data structure levels must be set in the database. Layer, supply and installation application demand interface, process status of service nodes (such as lease application, change, lease cancellation), supply and installation process, etc. drive the configuration necessary for the overall system to collaboratively manage supply and installation.

建構資源派發管理模組必要之流程502為容器服務基礎設施供裝管理系統1之資源派發管理模組15可成功運行的前置作業。此外,須於資料庫設定所需監控三類資源進行查看動作,例如網路資源、儲存資源、運算資源等資源。再者,當資源監控項目設定完畢後,系統依照供裝資源狀態,於資料庫設定容器服務基礎設施供裝管理系統1所需的供裝資源狀態,包括申裝、異動及拆除。另外,容器服務基礎設施供裝管理系統1需建置多個資源選定規則,進行資源項目選定動作。 The necessary process 502 for constructing the resource distribution management module is a pre-operation for the resource distribution management module 15 of the container service infrastructure provisioning management system 1 to run successfully. In addition, three types of resources to be monitored must be set in the database for viewing actions, such as network resources, storage resources, computing resources and other resources. Furthermore, after the resource monitoring items are set, the system sets the supply resource status required by the container service infrastructure supply management system 1 in the database according to the supply resource status, including application, transaction and removal. In addition, the container service infrastructure provisioning management system 1 needs to establish a plurality of resource selection rules to perform resource item selection actions.

Process 503, constructing the prerequisites of the storage resource management module, is the preparatory work required before the storage resource management module 14 of the container service infrastructure provisioning management system 1 can run successfully. In addition, several sets of storage resource information to be monitored must be set in the database, for example storage cluster information; this is the information needed to operate the actual storage resource, including its IP address, account and password.

Process 504, constructing the prerequisites of the network resource management module, is the preparatory work required before the network resource management module 13 of the container service infrastructure provisioning management system 1 can run successfully. In addition, the network resource information to be monitored must be set in the database, for example network security device information; this is the information needed to operate the network resource, including its IP address, account and password.

Process 505, constructing the prerequisites of the computing resource management module, is the preparatory work required before the computing resource management module 12 of the container service infrastructure provisioning management system 1 can run successfully. In addition, the necessary virtual machine templates must be built in advance and the related information managed in the database.

It should be noted that the processes above have no absolute order; that is, processes 501 to 505 may be executed in any sequence.

FIG. 6 is a flow chart of one embodiment of the mechanism for constructing container service infrastructure provisioning management according to the present invention. As shown in the figure, the decision-driven resource provisioning management comprises two stages: the first stage comprises processes 601 to 606 and the second stage comprises processes 607 to 611. Please refer to FIG. 1 together with the following description.

In process 601, the service template collaboratively configures the storage, network, network address translation (NAT), firewall and routing resources. In short, the service template collaborative management module 11 receives the user's service instruction, merges the instruction parameters for the storage, network, NAT, firewall and routing resources with the parameters in the service template to form the service node parameters, assembles the parameters required by the interface from the service node parameters, and calls the provisioning application programming interface to carry out processes 602 to 606.

In process 602, the distribution of resource items is decided. In short, the resource distribution management module 15 receives the service node parameters, looks up the network and storage resources configured for monitoring in the database according to the parameter requirements, distributes the resources required for provisioning, and updates the resource states.

In process 603, the deployment of the storage resource item is decided. In short, the storage resource management module 14 receives the service node parameters, issues a storage space request to the storage cluster, and returns the storage space information, for example the mount path, the storage space configuration file and the login credentials.

In process 604, the deployment of the NAT resource item is decided. In short, the network resource management module 13 receives the service node parameters, obtains from the database the primary virtual address and the gateway address of the logically isolated network resource, randomly obtains from the physical resource layer several as yet unoccupied port numbers corresponding to the configuration server service, and completes the network address translation setting that maps the internal primary virtual address and port numbers to the gateway address and port numbers.

In process 605, the deployment of the configuration server firewall resource item is decided. The network resource management module 13 obtains from the database the source network address (IP) from which the configuration server performs management configuration and the unique primary virtual IP distributed by the network resource, obtains the port numbers generated during NAT resource deployment that correspond to the configuration server service, creates several firewall rules to traverse the network, maps the external interface to the internal interface, and reaches the internal resources through port forwarding.

In process 606, the deployment of the routing resource item is decided. The network resource management module 13 obtains from the database the external IP of the configuration server and the external IP of the storage cluster, and obtains the gateway address and gateway interface from the logically isolated network resource, in order to build the external network routing table.

This completes the physical resource layer configuration and provisioning of the first stage. The flow then returns to process 601 and, as instructed, enters the second stage.

In process 607, the service template collaboratively configures the computing and firewall resources. That is, the service template collaborative management module 11 generates several sets of service nodes that provision their resources in parallel.

In process 608, the distribution of computing resource items is decided. The resource distribution management module 15 sets in the database the network and computing resources to be monitored, obtains the resources to be provisioned according to the pre-built network resource selection rules, and updates the state settings.

In process 609, the deployment of the computing resource item is decided. The computing resource management module 12 obtains the pre-established VM template information from the database, deploys the computing nodes from the virtual machine template, determines the unique master computing node, sets the cluster, the storage resource path and the network configuration, configures the unique master computing node's IP on all computing nodes, and assigns the different master and slave role levels.

In process 610, the deployment of the computing node firewall item is decided. The network resource management module 13 depends on the computing nodes: it assembles different firewall rules for the master and slave computing nodes, establishing the firewall rule that lets only the unique master node reach the configuration server and/or the firewall rule that lets the master and slave nodes connect to the storage space.

In process 611, the configuration server's configuration management settings are applied. Through the network architecture built in processes 604, 605, 606 and 610, the configuration server host connects to the deployed storage and computing resources, completes the configuration of the container service infrastructure, and reports back to the client interface.
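
The network steps above (NAT in process 604, configuration server firewall rules in process 605, routes in process 606 and the node-dependent firewall rules in process 610) can be modelled as pure rule derivation. The following is an added example, not code from the patent or its applicant; the function and class names, the port range, the sample addresses and the service ports 6443, 22 and 2049 are all constructed assumptions. It shows the dependency that matters for least privilege: node firewall rules cannot be built before the nodes and the elected master exist, and only the master receives a rule towards the configuration server.

```python
"""Derive NAT, firewall and route entries for the two-stage provisioning flow.

Constructed model (not the patent's own code): the logically isolated tenant
network sits behind a gateway; the configuration server lives on the
management segment and reaches the cluster's primary virtual IP through
ports forwarded on that gateway. Every node may reach storage, but only
the unique master node may reach the configuration server.
"""
import ipaddress
import random
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass(frozen=True)
class NatRule:
    gateway_ip: str      # external side (process 604)
    gateway_port: int
    internal_ip: str     # primary virtual IP inside the tenant network
    internal_port: int


@dataclass(frozen=True)
class FwRule:
    src_ip: str
    dst_ip: str
    dst_port: int
    action: str = "allow"

    def __post_init__(self) -> None:
        # Reject malformed addresses/ports before they reach a real device.
        ipaddress.ip_address(self.src_ip)
        ipaddress.ip_address(self.dst_ip)
        if not 1 <= self.dst_port <= 65535:
            raise ValueError(f"bad port {self.dst_port}")


@dataclass(frozen=True)
class Route:
    destination: str     # host route, e.g. "198.51.100.20/32" (process 606)
    via: str
    interface: str


def pick_free_ports(occupied: Set[int], count: int, rng: random.Random,
                    low: int = 30000, high: int = 32767) -> List[int]:
    """Randomly choose `count` distinct ports from [low, high] not already in use."""
    free = [p for p in range(low, high + 1) if p not in occupied]
    if len(free) < count:
        raise RuntimeError("not enough free ports on the gateway")
    return rng.sample(free, count)


def build_nat(gateway_ip: str, primary_vip: str, service_ports: List[int],
              occupied: Set[int], rng: random.Random) -> List[NatRule]:
    """Process 604: map gateway:<free port> to primary_vip:<service port>."""
    external = pick_free_ports(occupied, len(service_ports), rng)
    return [NatRule(gateway_ip, ext, primary_vip, internal)
            for ext, internal in zip(external, service_ports)]


def build_config_server_rules(config_server_ip: str,
                              nat_rules: List[NatRule]) -> List[FwRule]:
    """Process 605: admit only the config server's management IP on forwarded ports."""
    return [FwRule(config_server_ip, r.gateway_ip, r.gateway_port) for r in nat_rules]


def build_routes(gateway_ip: str, gateway_iface: str,
                 external_ips: List[str]) -> List[Route]:
    """Process 606: host routes towards the config server and storage cluster."""
    return [Route(f"{ip}/32", gateway_ip, gateway_iface) for ip in external_ips]


def build_node_rules(nodes: Dict[str, str], master: str, config_server_ip: str,
                     config_port: int, storage_ip: str, storage_port: int) -> List[FwRule]:
    """Process 610: rules depend on deployed nodes; master-only access to config server."""
    if master not in nodes:
        raise ValueError(f"master {master!r} is not a deployed node")
    rules: List[FwRule] = []
    for name, ip in nodes.items():
        rules.append(FwRule(ip, storage_ip, storage_port))          # all nodes -> storage
        if name == master:
            rules.append(FwRule(ip, config_server_ip, config_port))  # master only
    return rules


if __name__ == "__main__":
    # Constructed sample values (documentation-range addresses, assumed ports).
    rng = random.Random(7)
    nat = build_nat("203.0.113.1", "10.0.1.10", [6443, 22], {30000, 30001}, rng)
    print(build_config_server_rules("192.0.2.5", nat))
    print(build_routes("10.0.1.1", "eth0", ["192.0.2.5", "198.51.100.20"]))
    print(build_node_rules({"ctl-1": "10.0.1.11", "wrk-1": "10.0.1.21"}, "ctl-1",
                           "192.0.2.5", 22, "198.51.100.20", 2049))
```

The rule set is deterministic for a fixed seed, which makes it easy to diff against what a device actually holds; in the flow the master name is only known after process 609, which is why `build_node_rules` refuses to run for a master that is not among the deployed nodes.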

This completes the physical resource layer configuration and provisioning of the second stage. If any of processes 602 to 611 fails, the flow enters manual handling, that is, the operations side processes the error information manually.

The technique of this application is described below with a concrete embodiment; please refer to FIG. 6 together with the description. After the user completes the parameter settings for subscribing to a container service platform in the virtual network the user applied for and submits the order, the system back end enters the provisioning procedure.

In process 601, on receiving the request to subscribe to the container service, the first-stage service template is created from the common resource storage cluster space, the resource decision distribution and the unified NAT, firewall and routing resources, and the storage space size and virtual network parameters are configured in the first-stage service template. In process 602, based on the resource parameters configured in the first service template, the system decides the resource region, resource service zone, virtual firewall specification, primary service virtual IP and virtual network external interface to allocate. In process 603, the required resource space is carved out of the common storage cluster resource pool already built in the independent virtual network, and the storage space information that the computing nodes will later need for mounting is recorded in the database. In process 604, a network address translation is created in the user's virtual network connecting the configuration server and the primary service IP. In process 605, several firewall ports are opened in the user's virtual network connecting the configuration server and the primary service IP. In process 606, routes to the storage cluster space and to the configuration server are created in the user's virtual network, which completes all service construction of the first service template.

In process 607, the service is provisioned on the independent-resource computing nodes and firewall: the second-stage service template is created, and the parameters carried by the order (storage space size, number of computing nodes and virtual network parameters) are configured in it. The second-stage provisioning centres on computing nodes. According to the number of master and slave computing nodes, the system generates several service templates (mainly of two kinds, control computing node templates and worker computing node templates), and the service templates are provisioned in parallel. In process 608, each generated service template separately decides the resource region, resource service zone, virtual firewall specification, virtual network external interface and other resource allocations. In process 609, because the master computing node must first be determined among the control computing nodes, the worker nodes must also wait for the master computing node to appear. Provisioning of both template kinds relies on a lock to decide the master computing node first; once the unique master computing node has appeared, all control computing nodes and worker computing nodes continue to complete their provisioning and mount the storage cluster space carved out in the first stage. In process 610, each service template opens the firewall for its own computing node, completing the network connectivity between the configuration server and the computing nodes in the user's virtual network. In process 611, the configuration server completes the construction of the entire container service.
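
Process 609 and the embodiment just described both turn on the same mechanism: control and worker node templates are provisioned in parallel, a lock serialises the master candidates, the first arrival (first in, first out) becomes the unique master, and every other node blocks until the master's IP is known before it configures the cluster and mounts the stage-one storage. The following is an added example written to illustrate that mechanism; it is not code from the patent or its applicant, and the class and function names, node names, addresses and mount path are constructed assumptions.

```python
"""Lock + FIFO master election across parallel node provisioning (process 609).

Constructed model, not the patent's own code. Each node is provisioned on its
own thread; control nodes offer themselves as master candidates, the lock
makes arrivals strictly ordered, and the head of the FIFO becomes the unique
master. Everyone then waits on that decision before finishing.
"""
import threading
from collections import deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Optional


@dataclass(frozen=True)
class NodeSpec:
    name: str
    role: str          # "control" (master candidate) or "worker"
    ip: str


@dataclass
class NodeState:
    name: str
    role: str
    ip: str
    is_master: bool = False
    master_ip: Optional[str] = None
    storage_mount: Optional[str] = None


class MasterElection:
    """Serialises master-candidate arrivals; the first queued control node wins."""

    def __init__(self) -> None:
        self._lock = threading.Lock()
        self._arrivals: Deque[NodeSpec] = deque()
        self._master: Optional[NodeSpec] = None
        self._ready = threading.Event()

    def offer(self, node: NodeSpec) -> bool:
        """A control node offers itself; returns True only for the elected master."""
        if node.role != "control":
            return False                       # workers are never candidates
        with self._lock:                       # lock: one arrival at a time
            self._arrivals.append(node)
            if self._master is None:
                self._master = self._arrivals.popleft()   # FIFO head wins
                self._ready.set()              # release every waiting node
            return self._master is node

    def wait_for_master(self, timeout: float = 5.0) -> NodeSpec:
        if not self._ready.wait(timeout):
            raise TimeoutError("no control node arrived; cannot elect a master")
        assert self._master is not None
        return self._master


def provision_node(node: NodeSpec, election: MasterElection, storage_path: str,
                   results: Dict[str, NodeState], results_lock: threading.Lock) -> None:
    state = NodeState(node.name, node.role, node.ip)
    state.is_master = election.offer(node)
    master = election.wait_for_master()        # block until the master exists
    state.master_ip = master.ip                # configure master IP on every node
    state.storage_mount = storage_path         # mount the stage-one storage space
    with results_lock:
        results[node.name] = state


def provision_cluster(nodes: List[NodeSpec], storage_path: str) -> Dict[str, NodeState]:
    """Provision all nodes in parallel; fails fast if no master candidate exists."""
    if not any(n.role == "control" for n in nodes):
        raise ValueError("at least one control node is required to elect a master")
    election = MasterElection()
    results: Dict[str, NodeState] = {}
    results_lock = threading.Lock()
    threads = [threading.Thread(target=provision_node,
                                args=(n, election, storage_path, results, results_lock))
               for n in nodes]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return results


def master_name(results: Dict[str, NodeState]) -> str:
    """Return the unique master's name; raise if the invariant is violated."""
    masters = [s.name for s in results.values() if s.is_master]
    if len(masters) != 1:
        raise RuntimeError(f"expected exactly one master, found {masters}")
    return masters[0]


# Constructed sample cluster: three control candidates, two workers.
SAMPLE_NODES = [
    NodeSpec("ctl-1", "control", "10.0.1.11"),
    NodeSpec("ctl-2", "control", "10.0.1.12"),
    NodeSpec("ctl-3", "control", "10.0.1.13"),
    NodeSpec("wrk-1", "worker", "10.0.1.21"),
    NodeSpec("wrk-2", "worker", "10.0.1.22"),
]

if __name__ == "__main__":
    states = provision_cluster(SAMPLE_NODES, "/mnt/tenant-a")
    print("master:", master_name(states))
    for s in states.values():
        print(s)
```

Which control node wins depends on thread scheduling, exactly as it would in the real flow; what stays invariant, and what an operator should verify after provisioning, is that there is exactly one master, that it is a control node, and that every node holds the same master IP and the same storage mount.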

Each module of the container service infrastructure provisioning management system of the present invention may run on a computer device or server comprising a microprocessor and memory; the algorithms, data and programs are stored in the memory or chip, and the microprocessor can load data, algorithms or programs from the memory or chip to perform data analysis, computation and similar processing, which is not described further here.

In addition, the present invention also discloses a computer-readable medium for use in a computing device or computer having a processor (for example a CPU or GPU) and/or memory. The medium stores instructions, and the computing device or computer can execute the computer-readable medium through the processor and/or memory, so that the above method and its steps are carried out when the computer-readable medium is executed.

In summary, the container service infrastructure provisioning management system, method and computer-readable medium of the present invention relate to a container service infrastructure provisioning management mechanism that uses the tree structure of the tree diagram for constructing that mechanism. It provides a two-stage infrastructure composition and completes the provisioning of the container service platform. In the first stage, the root node provisions storage space and deploys the network to build the shared environment required by the container service platform; for information security, the invention divides the network architecture into a management segment and a service segment, builds the container service platform on the logically isolated network of the service segment, and traverses the network by deploying network resources. In the second stage, several tree child nodes are generated according to the resource requirements to construct the master-slave computing nodes and firewalls and to configure the shared environment produced in the first stage; the computing nodes are provisioned in parallel, a locking mechanism is applied to the master-slave nodes, a first-in-first-out algorithm filters out the unique master node, and the network between the storage space and the computing nodes is opened in parallel. This builds the container service provisioning platform, improves provisioning speed and quality, allows the platform's computing and capacity specifications to be adjusted, provides scalability, reduces the cost and complexity of construction and management, and increases availability.

The above embodiments are illustrative only and are not intended to limit the present invention. Any person skilled in the art may modify and alter the above embodiments without departing from the spirit and scope of the present invention. Therefore, the scope of protection of the present invention is defined by the appended claims; anything that does not affect the effect and purpose of the invention shall be covered by the technical content disclosed herein.

1: Container service infrastructure provisioning management system

11: Service template collaborative management module

12: Computing resource management module

13: Network resource management module

14: Storage resource management module

15: Resource distribution management module

2: Provisioning flow management database

Claims (8)

1. A container service infrastructure provisioning management system, comprising: a service template collaborative management module for organising and chaining computing resources, storage resources, network resources, network address translation resources, firewall resources and routing resources, and coordinating the adjustment of their states so that they can be used to complete provisioning of the infrastructure; a computing resource management module, connected to the service template collaborative management module, for setting the path of the storage resource, the network configuration and the virtual machine template, and for processing and deploying a plurality of computing nodes in parallel so as to determine a unique master computing node; and a network resource management module, connected to the service template collaborative management module, for deciding the deployment of network address translation between a primary virtual address and a logically isolated network gateway address, deploying the establishment of inbound and outbound firewall rules for the plurality of computing nodes, the configuration server and the storage cluster, and deploying the external network routing table of the logically isolated network so as to connect to the configuration server; wherein storage space is provisioned and the network deployed on the basis of service node parameters, thereby constructing the shared environment required by the container service platform, and the parameters of the storage cluster in the shared environment are configured in the plurality of computing nodes, so as to complete the provisioning and management of the infrastructure of the container service platform.

2. The container service infrastructure provisioning management system of claim 1, further comprising a storage resource management module connected to the service template collaborative management module, for managing and configuring the storage space.

3. The container service infrastructure provisioning management system of claim 1, further comprising a resource distribution management module connected to the service template collaborative management module, for allocating the network resources, the storage resources and the computing resources.

4. The container service infrastructure provisioning management system of claim 1, wherein the network resource management module further divides the network into a management segment and a service segment, so that the container service platform is built on the logically isolated network of the service segment.

5. A container service infrastructure provisioning management method, comprising: provisioning storage space and deploying a network according to service node parameters, so as to construct the shared environment required by a container service platform; and constructing master-slave computing nodes and a firewall, configuring the parameters of the storage cluster in the shared environment in the master-slave computing nodes, then provisioning the master-slave computing nodes in parallel and applying a locking mechanism and a first-in-first-out algorithm to the master-slave computing nodes, so as to filter out a unique master computing node and open, in parallel, the network between the storage space and the master-slave computing nodes; wherein constructing the firewall comprises obtaining from a database the network address of the source from which the configuration server performs management configuration and the unique primary virtual network address distributed by the network resource, and obtaining the port numbers generated by the network address translation server during resource deployment that correspond to the configuration server service, so as to establish firewall rules that traverse the network, and then, according to the dependencies of the computing nodes, assembling different firewall rules from the master-slave computing nodes so as to establish a first firewall rule connecting the unique master computing node to the configuration server and a second firewall rule connecting the master-slave computing nodes to the storage space.

6. The container service infrastructure provisioning management method of claim 5, wherein the step of constructing the shared environment required by the container service platform comprises dividing the network into a management segment and a service segment, so that the container service platform is built on the logically isolated network of the service segment.

7. The container service infrastructure provisioning management method of claim 5, wherein the step of constructing the master-slave computing nodes comprises obtaining a pre-established virtual machine template from the database and combining the service node parameters with the virtual machine template to generate a plurality of sets of service nodes serving as the master-slave computing nodes.

8. A computer-readable medium for use in a computing device or computer, storing instructions for executing the container service infrastructure provisioning management method of any one of claims 5 to 7.
TW110109786A 2021-03-18 2021-03-18 Provision and management system and method for container infrastructure service and computer readable medium TWI773200B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
TW110109786A TWI773200B (en) 2021-03-18 2021-03-18 Provision and management system and method for container infrastructure service and computer readable medium

Publications (2)

Publication Number Publication Date
TWI773200B true TWI773200B (en) 2022-08-01
TW202238374A TW202238374A (en) 2022-10-01

Family

ID=83806880

Family Applications (1)

Application Number Title Priority Date Filing Date
TW110109786A TWI773200B (en) 2021-03-18 2021-03-18 Provision and management system and method for container infrastructure service and computer readable medium

Country Status (1)

Country Link
TW (1) TWI773200B (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
TW201337626A (en) * 2011-10-24 2013-09-16 Ibm Non-intrusive method and apparatus for automatically dispatching security rules in cloud environment
CN111522653A (en) * 2020-02-07 2020-08-11 华中科技大学 Container-based network function virtualization platform
CN111782232A (en) * 2020-07-31 2020-10-16 平安银行股份有限公司 Cluster deployment method and device, terminal equipment and storage medium
CN112351034A (en) * 2020-11-06 2021-02-09 科大讯飞股份有限公司 Firewall setting method, device, equipment and storage medium

Also Published As

Publication number Publication date
TW202238374A (en) 2022-10-01
