WO2015196774A1 - Virtual machine migration method and device - Google Patents


Info

Publication number
WO2015196774A1
Authority
WO
WIPO (PCT)
Prior art keywords
host
virtual machine
management platform
network configuration
destination host
Application number
PCT/CN2014/095477
Other languages
French (fr)
Chinese (zh)
Inventor
李金明
涂彬
王丽娜
Original Assignee
华为技术有限公司
Application filed by 华为技术有限公司
Publication of WO2015196774A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/40 Network security protocols
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00 Arrangements for program control, e.g. control units
    • G06F9/06 Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/44 Arrangements for executing specific programs
    • G06F9/445 Program loading or initiating

Definitions

  • the present invention relates to the field of computer information security technologies, and in particular, to a virtual machine migration method and device.
  • Virtualization technology, with its good isolation, easy maintenance, cost savings and support for cross-platform applications, has become a core and backbone technology in cloud computing, grid computing and high-performance computing environments.
  • One of the most important advantages of virtualization technology is the migration of virtual machines.
  • software-defined virtual network configurations and network security policies need to be migrated synchronously with virtual machine migration.
  • VMM Virtual Machine Monitor
  • VMs virtual machines
  • the representative technology in this regard is VMware's Vmotion.
  • Vmotion encapsulates virtual machine state on a shared storage device and quickly transfers the virtual machine's active memory and execution state over a high-speed network, ensuring seamless migration.
  • the embodiment of the invention provides a virtual machine migration method and device, which is used to implement synchronous migration of the network configuration corresponding to the virtual machine when the virtual machine is migrated.
  • a first aspect of the embodiments of the present invention provides a virtual machine migration method, including:
  • when the management platform receives a migration request for the virtual machine, it sends the first network configuration to the destination host according to the migration request, so that the destination host injects the first network configuration into the destination host;
  • the first network configuration is the network configuration of the virtual machine in the source host, and the migration request requests that the virtual machine be migrated from the source host to the destination host;
  • when the management platform receives the migration completion information sent by the destination host, it notifies the communication host to select the destination host as its communication target, where the communication host is a host that uses the source host as the communication target for the virtual machine.
  • the method further includes:
  • the management platform saves the second network configuration as a network configuration of the virtual machine in the destination host.
  • the method further includes:
  • the management platform sends a redundancy policy to the communication host according to the migration request, where the redundancy policy is used to enable the source host and the destination host to simultaneously receive network data of the virtual machine;
  • the management platform receives virtual network interface information that is sent by the destination host and allocated to the virtual machine
  • the management platform sends the virtual network interface information to the communication host, so that the communication host sends the network data of the virtual machine to the source host and the destination host simultaneously according to the redundancy policy and the virtual network interface information.
  • the method further includes:
  • when the management platform receives the migration request for the virtual machine, it sends the original security policy to the destination host according to the migration request, where the original security policy is the security policy of the virtual machine in the source host, so that the destination host injects the original security policy into the destination host.
  • a second aspect of the embodiments of the present invention provides a virtual machine migration method, including:
  • the destination host receives the first network configuration sent by the management platform, where the first network configuration is a network configuration of the virtual machine in the source host;
  • the destination host injects the first network configuration into the destination host
  • when the destination host detects that the virtual machine migration is completed, it sends migration completion information to the management platform, so that the management platform notifies the communication host to select the destination host as its communication target, where the communication host is a host that uses the source host as the communication target for the virtual machine.
  • the injecting, by the destination host, of the first network configuration into the destination host includes:
  • the method further includes:
  • the destination host sends the second network configuration to the management platform, so that the management platform saves the second network configuration as a network configuration of the virtual machine in the destination host.
  • the method further includes:
  • the destination host sends virtual network interface information allocated to the virtual machine to the management platform.
  • the method further includes:
  • the destination host receives the original security policy sent by the management platform, where the original security policy is a security policy of the virtual machine in the source host;
  • the destination host injects the original security policy into the destination host.
  • a third aspect of the embodiments of the present invention provides a configuration distribution method, including:
  • when the management platform detects that a virtual machine has been created in a host, it acquires the network configuration corresponding to the virtual machine;
  • the management platform sends the network configuration corresponding to the virtual machine to the host, so that the host updates its forwarding table according to the network configuration;
  • when the management platform detects that the virtual machine has been created in the host, it sends the security policy corresponding to the virtual machine to the host, so that the host executes the security policy.
  • the acquiring, by the management platform, of the network configuration corresponding to the virtual machine includes:
  • the management platform displays a list of network card information corresponding to the virtual machine, and prompts the user to set a network configuration corresponding to the virtual machine according to the network card information list;
  • the management platform receives a network configuration corresponding to the virtual machine set by a user.
  • the acquiring, by the management platform, of the network configuration corresponding to the virtual machine includes:
  • the management platform generates a network configuration corresponding to the virtual machine according to a communication state of the virtual machine.
  • a fourth aspect of the embodiments of the present invention provides a configuration distribution method, including:
  • when the host detects that a virtual machine has been created in the host, it receives the network configuration and the security policy corresponding to the virtual machine sent by the management platform, where the security policy is generated from the settings made by an administrator on each virtual network interface of the virtual machine;
  • the host updates the forwarding table according to the network configuration
  • the host executes the security policy.
  • the method further includes:
  • when the host detects that the virtual machine has been created in the host, it creates a rule chain for each virtual network interface of the virtual machine;
  • the security policy includes a filtering rule;
  • the executing of the security policy by the host specifically includes:
  • the host adds the filtering rule to the corresponding rule chain.
  • the security policy further includes a quality of service (QoS) policy;
  • the executing of the security policy by the host specifically includes:
  • the host adds the filtering rule to a corresponding rule chain and sets a classifier for the corresponding virtual network interface according to the QoS policy.
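The host-side steps of the fourth aspect (one rule chain per virtual network interface, filtering rules appended to that chain, a QoS classifier set per interface, forwarding table updated from the network configuration), as an added Python model that is not part of the patent. The configuration and policy values, the rule fields, the default-deny behaviour of an unmatched chain and the (protocol, port) classifier keying are all assumptions of this example.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class FilterRule:
    """One filtering rule of the security policy; a None field matches anything."""
    action: str                        # "accept" or "drop"
    proto: Optional[str] = None        # e.g. "tcp", "udp", "icmp"
    dst_port: Optional[int] = None
    src_net: Optional[str] = None      # CIDR such as "10.0.0.0/24"

    def matches(self, pkt: dict) -> bool:
        if self.proto is not None and pkt.get("proto") != self.proto:
            return False
        if self.dst_port is not None and pkt.get("dst_port") != self.dst_port:
            return False
        if self.src_net is not None:
            src = pkt.get("src")
            if src is None or ipaddress.ip_address(src) not in ipaddress.ip_network(self.src_net):
                return False
        return True


@dataclass
class RuleChain:
    """Per-vNIC chain: the first matching rule decides. Traffic matching no rule is
    dropped; that default-deny is an assumption of this model, not a patent statement."""
    vnic: str
    rules: List[FilterRule] = field(default_factory=list)

    def evaluate(self, pkt: dict) -> str:
        for rule in self.rules:
            if rule.matches(pkt):
                return rule.action
        return "drop"


@dataclass
class QosClassifier:
    """Maps a packet to a traffic class by (proto, dst_port); 'best_effort' otherwise."""
    classes: Dict[Tuple[str, int], str]
    rate_kbps: Dict[str, int]          # per-class rate limit the shaper would enforce

    def classify(self, pkt: dict) -> str:
        return self.classes.get((pkt.get("proto"), pkt.get("dst_port")), "best_effort")


class Host:
    """Model of the host's kernel control state for one or more VMs."""

    def __init__(self) -> None:
        self.forwarding_table: Dict[str, str] = {}   # VM MAC address -> vNIC name
        self.chains: Dict[str, RuleChain] = {}
        self.classifiers: Dict[str, QosClassifier] = {}

    def on_vm_created(self, network_config: dict, policy: dict) -> None:
        # create one rule chain per virtual network interface of the new VM
        for vnic in network_config["vnics"]:
            self.chains[vnic["name"]] = RuleChain(vnic["name"])
            # update the forwarding table according to the network configuration
            self.forwarding_table[vnic["mac"]] = vnic["name"]
        # execute the security policy: filtering rules, then the QoS classifier
        for vnic_name, rules in policy["filter_rules"].items():
            self.chains[vnic_name].rules.extend(rules)
        for vnic_name, qos in policy["qos"].items():
            self.classifiers[vnic_name] = qos

    def handle_packet(self, dst_mac: str, pkt: dict) -> Tuple[str, str]:
        """Return (verdict, traffic class) for a packet addressed to dst_mac."""
        vnic = self.forwarding_table.get(dst_mac)
        if vnic is None:
            return ("drop", "unknown_interface")
        verdict = self.chains[vnic].evaluate(pkt)
        if verdict != "accept":
            return (verdict, "none")
        clf = self.classifiers.get(vnic)
        return ("accept", clf.classify(pkt) if clf else "best_effort")


# Constructed sample: one vNIC, HTTPS open to all, SSH only from the management /24.
NETWORK_CONFIG = {"vnics": [{"name": "vnet0", "mac": "52:54:00:00:00:01"}]}
POLICY = {
    "filter_rules": {"vnet0": [
        FilterRule("accept", proto="tcp", dst_port=443),
        FilterRule("accept", proto="tcp", dst_port=22, src_net="10.0.0.0/24"),
        FilterRule("drop"),
    ]},
    "qos": {"vnet0": QosClassifier({("tcp", 443): "web"}, {"web": 10000, "best_effort": 1000})},
}


def demo_host() -> Host:
    host = Host()
    host.on_vm_created(NETWORK_CONFIG, POLICY)
    return host


if __name__ == "__main__":
    h = demo_host()
    print(h.handle_packet("52:54:00:00:00:01", {"proto": "tcp", "dst_port": 443, "src": "203.0.113.5"}))
    print(h.handle_packet("52:54:00:00:00:01", {"proto": "tcp", "dst_port": 22, "src": "203.0.113.5"}))
```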
  • a fifth aspect of the embodiments of the present invention provides a management platform, including:
  • a first configuration sending module configured to send, when a migration request for the virtual machine is received, the first network configuration to the destination host according to the migration request, so that the destination host injects the first network configuration into the destination host;
  • the first network configuration is the network configuration of the virtual machine in the source host, and the migration request requests that the virtual machine be migrated from the source host to the destination host;
  • a selection module configured to notify the communication host to select the destination host as its communication target when the migration completion information sent by the destination host is received, where the communication host is a host that uses the source host as the communication target for the virtual machine.
  • the management platform further includes:
  • a second configuration receiving module configured to receive the second network configuration sent by the destination host, where the second network configuration is a network configuration generated by the destination host according to the first network configuration and matching the destination host;
  • a configuration saving module configured to save the second network configuration as a network configuration of the virtual machine in the destination host.
  • the management platform further includes:
  • a redundancy issuing module configured to send a redundancy policy to the communication host according to the migration request, where the redundancy policy enables the source host and the destination host to simultaneously receive the network data of the virtual machine;
  • an interface information receiving module configured to receive the virtual network interface information that is sent by the destination host and allocated to the virtual machine;
  • an interface information sending module configured to send the virtual network interface information to the communication host, so that the communication host sends the network data of the virtual machine to the source host and the destination host according to the redundancy policy and the virtual network interface information.
  • the management platform further includes:
  • a first policy sending module configured to send, when the management platform migrates the virtual machine, the original security policy to the destination host according to the migration request, where the original security policy is the security policy of the virtual machine in the source host, so that the destination host injects the original security policy into the destination host.
  • a sixth aspect of the embodiments of the present invention provides a host, which is used as a destination host, and includes:
  • a first configuration receiving module configured to receive a first network configuration sent by the management platform, where the first network configuration is a network configuration of the virtual machine in the source host;
  • a configuration injection module configured to inject the first network configuration into the destination host;
  • the communication host is a host that uses the source host as a communication target of the virtual machine.
  • the configuration injection module is specifically configured to execute the first network configuration and generate a second network configuration that matches the destination host.
  • the host also includes:
  • the second configuration sending module is configured to send the second network configuration to the management platform, so that the management platform saves the second network configuration as a network configuration of the virtual machine in the destination host.
  • the host further includes:
  • an interface information sending module configured to send the virtual network interface information allocated to the virtual machine to the management platform.
  • the host further includes:
  • a first policy receiving module configured to receive an original security policy sent by the management platform, where the original security policy is a security policy of the virtual machine in a source host;
  • a security policy injection module configured to inject the original security policy into the destination host.
  • a seventh aspect of the embodiments of the present invention provides a management platform, including:
  • a configuration acquiring module configured to acquire the network configuration corresponding to the virtual machine when the management platform detects that the virtual machine has been created in the host;
  • a third configuration sending module configured to send the network configuration corresponding to the virtual machine to the host, so that the host updates its forwarding table according to the network configuration;
  • a second policy sending module configured to send the security policy corresponding to the virtual machine to the host when the management platform detects that the virtual machine has been created in the host, so that the host executes the security policy.
  • the configuration acquiring module specifically includes:
  • an information display unit configured to display the network card information list corresponding to the virtual machine and prompt the user to set the network configuration corresponding to the virtual machine according to the network card information list;
  • a receiving unit configured to receive the network configuration corresponding to the virtual machine as set by the user.
  • the configuration acquiring module is configured to automatically generate, according to a communication state of the virtual machine, the network configuration corresponding to the virtual machine.
  • An eighth aspect of the embodiments of the present invention provides a host, including:
  • a receiving module configured to: when the host detects that the virtual machine is created in the host, receive a network configuration and a security policy corresponding to the virtual machine sent by the management platform;
  • an execution module configured to update the forwarding table according to the network configuration;
  • a policy execution module configured to execute the security policy.
  • the host further includes:
  • a creating module configured to create a rule chain for each virtual network interface of the virtual machine when the host detects that the virtual machine has been created in the host;
  • the policy execution module is specifically configured to add the filtering rule to the corresponding rule chain.
  • the policy execution module is specifically configured to add the filtering rule to the corresponding rule chain and set a classifier for the corresponding virtual network interface according to the QoS policy.
  • the embodiment of the present invention has the following advantages:
  • when the management platform receives a migration request for the virtual machine, it sends the first network configuration to the destination host according to the migration request.
  • the first network configuration is the network configuration of the virtual machine in the source host, so that the destination host injects the first network configuration into the destination host.
  • when the migration is completed, the management platform notifies the communication host to select the destination host as its communication target.
  • the communication host is a host that uses the source host as the communication target for the virtual machine, so that, through the interaction between the management platform and the destination host, the network configuration of the virtual machine in the source host is synchronized during the migration to the destination host of the migration, and the corresponding network configuration is migrated synchronously when the virtual machine is migrated.
  • FIG. 1 is a schematic flowchart of a virtual machine migration method according to an embodiment of the present invention
  • FIG. 2 is another schematic flowchart of a virtual machine migration method according to an embodiment of the present invention.
  • FIG. 3 is a schematic flowchart of a configuration and distribution method according to an embodiment of the present invention.
  • FIG. 4 is another schematic flowchart of a configuration distribution method according to an embodiment of the present invention.
  • FIG. 5 is a schematic structural diagram of a management platform according to an embodiment of the present invention.
  • FIG. 6 is another schematic structural diagram of a management platform according to an embodiment of the present invention.
  • FIG. 7 is another schematic structural diagram of a management platform according to an embodiment of the present invention.
  • FIG. 8 is another schematic structural diagram of a management platform according to an embodiment of the present invention.
  • FIG. 9 is a schematic structural diagram of a host in an embodiment of the present invention.
  • FIG. 10 is a schematic diagram of another structure of a host according to an embodiment of the present invention.
  • FIG. 11 is another schematic structural diagram of a host in an embodiment of the present invention.
  • FIG. 12 is a schematic diagram of another structure of a host according to an embodiment of the present invention.
  • FIG. 13 is another schematic structural diagram of a management platform according to an embodiment of the present invention.
  • FIG. 14 is another schematic structural diagram of a management platform according to an embodiment of the present invention.
  • FIG. 15 is a schematic diagram of another structure of a host according to an embodiment of the present invention.
  • FIG. 16 is a schematic structural diagram of another host in an embodiment of the present invention.
  • FIG. 17 is a schematic structural diagram of a virtual machine migration method according to an embodiment of the present invention.
  • FIG. 18 is a schematic structural diagram of a policy management system according to an embodiment of the present invention.
  • FIG. 19 is a schematic structural diagram of a server according to an embodiment of the present invention.
  • an embodiment of a virtual machine migration method in an embodiment of the present invention includes:
  • when the management platform receives a migration request for the virtual machine, it sends the first network configuration to the destination host according to the migration request, so that the destination host injects the first network configuration into the destination host;
  • the first network configuration is the network configuration of the virtual machine in the source host, and the migration request requests that the virtual machine be migrated from the source host to the destination host.
  • when a migration event for a virtual machine is issued, the virtual machine management system starts to migrate the virtual machine.
  • the management platform may send the first network configuration to the destination host according to the migration request generated by the migration event, and the destination host injects the first network configuration into the destination host.
  • injecting the first network configuration into the destination host may mean injecting it into a kernel control module of the destination host, where the first network configuration is the network configuration of the virtual machine in the source host as saved in the database.
  • the migration request is used to request that the virtual machine be migrated from the source host to the destination host.
  • the migration request may be directly received by the management platform, or may be forwarded to the management platform after receiving the migration request by the virtual machine management system, which is not limited herein.
  • the virtual machine management system is used to migrate the virtual machine itself, and the management platform is used to manage and migrate the virtual machine configuration and policies.
  • the management platform may be located in the virtual machine management system or may be independent of the virtual machine management system. This is not a limitation.
  • the network configuration of the virtual machine can be saved in a database, or other storage manners can be used. If it is saved in a database, the network configuration of the virtual machine in the source host that is stored in the database can be synchronized to the database by the source host.
  • the migration event may be sent by the administrator, or may be issued by the management platform or other related system according to a preset trigger condition, which is not limited herein.
  • the network configuration may include a virtual network interface address, a kernel forwarding table, and a tunnel configuration.
  • when the management platform receives the migration completion information sent by the destination host, it notifies the communication host to select the destination host as its communication target.
  • the communication host is a host that uses the source host as the communication target for the virtual machine.
  • to do so, the management platform may send a selection message to the communication host, and the migration completion information may be sent by the control node of the destination host; the selection message notifies the communication host to select the destination host as the communication target for the virtual machine, the migration completion information indicates that the virtual machine migration is completed, and the communication host is a host that uses the source host as the communication target for the virtual machine.
  • when the management platform receives the migration request for the virtual machine, it sends the first network configuration to the destination host according to the migration request, where the first network configuration is the network configuration of the virtual machine in the source host, so that the destination host injects the first network configuration into the destination host.
  • the management platform then notifies the communication host to select the destination host as its communication target, where the communication host is a host that uses the source host as the communication target for the virtual machine; in this way, through the interaction between the management platform and the destination host, the network configuration of the virtual machine in the source host is synchronized to the destination host during the migration, and the virtual network configuration is migrated synchronously with the virtual machine.
  • the management platform may receive the second network configuration sent by the destination host, where the second network configuration is a network configuration generated by the destination host according to the first network configuration and matching the destination host.
  • the management platform may save the second network configuration as a network configuration of the virtual machine in the destination host.
  • the network configuration in the source host is migrated to the new host, and the new network configuration is saved after being matched with the new host, in preparation for the next migration, so that whenever the virtual machine is migrated the network configuration corresponding to the virtual machine can also be migrated synchronously, ensuring synchronization of virtual machine migration and network configuration migration.
  • the management platform may issue a redundancy policy to the communication host according to the migration request, where the redundancy policy enables the source host and the destination host to receive the same network data of the virtual machine simultaneously.
  • the migration itself may be performed by the virtual machine management system, which may send migration instruction information to the destination host and trigger the destination host to send the virtual network interface information allocated to the virtual machine to the management platform.
  • the management platform may send the virtual network interface information to the communication host, so that the communication host, according to the redundancy policy and the virtual network interface information, sends the network data of the virtual machine to the source host and the destination host simultaneously; the management platform may further synchronize the virtual network interface information into the interface database.
  • the management platform can also send a message to the communication host to cancel the redundancy policy.
  • alternatively, the message for canceling the redundancy policy may not be sent; this is not limited herein.
  • the source host and the destination host can simultaneously receive the network data of the virtual machine sent by the communication host during the virtual machine migration process, thereby avoiding the loss of network data sent by the communication host to the virtual machine during the migration.
  • once the redundancy policy is cancelled, the efficiency of system operation is improved.
  • the management platform may send the original security policy to the destination host according to the migration request, where the original security policy is a security policy of the virtual machine in the source host.
  • the destination host injects the original security policy into the destination host, and in an actual application, may be injected into the kernel control module of the destination host.
  • the management platform can also save the new security policy as the security policy of the virtual machine in the destination host, in preparation for the next migration.
  • the security policy can be a rule chain or a quality of service (QoS) policy.
  • QoS quality of service
  • the unified configuration of the network configuration and the security policy is implemented.
  • the network configuration and the security policy can be simultaneously migrated to ensure that the security level of the migrated virtual machine is not affected.
  • referring to FIG. 2, another embodiment of the virtual machine migration method in the embodiment of the present invention includes:
  • the destination host receives the first network configuration sent by the management platform.
  • when the management platform receives the migration request for the virtual machine and sends the first network configuration corresponding to the virtual machine to the destination host, the destination host receives the first network configuration sent by the management platform; in an actual application, the first network configuration may be received by a control node of the destination host, where the first network configuration is the network configuration of the virtual machine in the source host as saved in the database.
  • the virtual machine management system is migrating the virtual machine according to the migration request.
  • the destination host injects the first network configuration into the destination host.
  • after receiving the first network configuration, the destination host injects it into the destination host.
  • the control node of the destination host may inject the first network configuration into the kernel control module of the destination host.
  • when the destination host detects that the virtual machine migration is completed, it sends migration completion information to the management platform, so that the management platform notifies the communication host to select the destination host as its communication target.
  • the virtual machine management system migrates the virtual machine.
  • in an actual application, the control node in the destination host monitors the migration process; when it detects that the virtual machine migration is completed, it sends migration completion information to the management platform, so that the management platform notifies the communication host to select the destination host as its communication target, where the communication host is a host that uses the source host as the communication target for the virtual machine.
  • in this embodiment, the destination host receives the first network configuration sent by the management platform, where the first network configuration is the network configuration of the virtual machine in the source host, and injects the first network configuration into the destination host; when the destination host detects that the migration is completed, it sends migration completion information to the management platform, so that the management platform notifies the communication host to select the destination host as its communication target.
  • through this interaction between the management platform and the destination host during the migration process, the network configuration of the virtual machine in the source host is synchronized to the destination host of the virtual machine migration, so that when the virtual machine is migrated, the corresponding network configuration is migrated synchronously.
  • When the destination host injects the first network configuration into itself, it may execute the first network configuration.
  • Specifically, the kernel control module of the destination host may execute the first network configuration and generate a second network configuration that matches the destination host; the destination host may then send the second network configuration to the management platform, so that the management platform saves the second network configuration as the network configuration of the virtual machine in the destination host.
  • In this way the network configuration from the source host is injected into the destination host, matched to it, and then saved, so that the next migration is already prepared: whenever the virtual machine is migrated again, the network configuration corresponding to it can be migrated at the same time, ensuring that virtual machine migration and network configuration migration stay synchronized.
  • The destination host may further send the virtual network interface information allocated to the virtual machine to the management platform, so that the management platform sends the virtual network interface information to the communication host.
  • The communication host then sends the network data of the virtual machine to the source host and the destination host at the same time, and the management platform may also synchronize the virtual network interface information to the interface database.
  • Because the communication host sends the virtual machine's network data to both the source host and the destination host, network data sent by the communication host to the virtual machine is not lost during the migration, which preserves the integrity of the data the virtual machine receives while it migrates.
  • The destination host can also receive the original security policy sent by the management platform; in practice, the control node of the destination host receives the original security policy sent by the management platform.
  • The original security policy is the security policy of the virtual machine in the source host, and the control node of the destination host can inject it into the kernel control module of the destination host.
  • After executing the original security policy, the kernel control module of the destination host can adapt it into a new security policy that matches the destination host and send the new security policy to the management platform, so that the management platform saves the new security policy as the security policy of the virtual machine in the destination host, in preparation for the next migration.
  • The security policy can include a rule chain or a quality of service (QoS) policy.
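As an added illustration of the migration exchange described above (not code from the patent), the following Python model drives the management platform, the source and destination hosts and the communication host through the steps: the first network configuration and original security policy are pushed to the destination host, the destination derives a matching second configuration that the platform saves, a redundancy policy lets the communication host send to both hosts while the virtual machine moves, and on completion the communication host is re-targeted to the destination. All class, field and scenario names are assumptions.

```python
"""Simulation of the migration flow: management platform, source/destination
hosts and a communication host.  Added example; the class and field names are
assumptions, not identifiers from the patent."""
from dataclasses import dataclass


@dataclass(frozen=True)
class NetConfig:
    vm_id: str
    vni_ids: tuple      # virtual network interface ids of the VM
    host: str           # host this configuration was generated for
    bridge: str         # host-local attachment point (assumed field)


@dataclass
class SecurityPolicy:
    rules: tuple        # filtering rules, one chain per VNI (assumed shape)
    qos: dict           # QoS class per VNI (assumed shape)


class Host:
    """Control node and kernel control module of one host, collapsed into one class."""

    def __init__(self, name, bridge):
        self.name, self.bridge = name, bridge
        self.kernel_config = {}      # vm_id -> NetConfig injected into the kernel module
        self.kernel_policy = {}      # vm_id -> SecurityPolicy injected into the kernel module
        self.received = []           # network data delivered to local VMs

    def inject_config(self, cfg):
        """Execute the first configuration and derive one that matches this host."""
        matched = NetConfig(cfg.vm_id, cfg.vni_ids, self.name, self.bridge)
        self.kernel_config[cfg.vm_id] = matched
        return matched               # this is the "second network configuration"

    def inject_policy(self, vm_id, policy):
        self.kernel_policy[vm_id] = policy

    def deliver(self, vm_id, frame):
        """Only a host holding the VM's configuration can accept its traffic."""
        if vm_id in self.kernel_config:
            self.received.append(frame)
            return True
        return False


class CommunicationHost:
    """A host whose VMs talk to the migrating VM; it knows which host(s) to send to."""

    def __init__(self):
        self.targets = {}            # vm_id -> set of hosts to send to
        self.redundant = set()       # vm_ids currently under a redundancy policy

    def send(self, vm_id, frame):
        """Return how many hosts accepted the frame (2 while redundancy is active)."""
        return sum(h.deliver(vm_id, frame) for h in self.targets[vm_id])


class ManagementPlatform:
    def __init__(self):
        self.vm_config = {}          # database: vm_id -> NetConfig
        self.vm_policy = {}          # database: vm_id -> SecurityPolicy
        self.comm_hosts = {}         # vm_id -> CommunicationHost

    def migrate(self, vm_id, src, dst, live_frames):
        """Drive the interaction of the migration embodiment for one VM."""
        comm = self.comm_hosts[vm_id]
        first_cfg = self.vm_config[vm_id]                # config of the VM in the source host
        # 1. redundancy policy: the communication host sends to both hosts during migration
        comm.redundant.add(vm_id)
        comm.targets[vm_id] = {src, dst}
        # 2. push the first network configuration and original security policy to the destination
        second_cfg = dst.inject_config(first_cfg)
        dst.inject_policy(vm_id, self.vm_policy[vm_id])
        self.vm_config[vm_id] = second_cfg               # saved so the next migration is prepared
        # 3. frames sent while the VM moves reach both hosts, so none are lost
        delivered = [comm.send(vm_id, f) for f in live_frames]
        # 4. destination reports completion; the platform re-targets the communication host
        comm.targets[vm_id] = {dst}
        comm.redundant.discard(vm_id)
        del src.kernel_config[vm_id]
        return second_cfg, delivered


def run_scenario():
    """Constructed scenario: vm1 moves from host A to host B while two frames are in flight."""
    src, dst = Host("A", "br-A"), Host("B", "br-B")
    comm, mp = CommunicationHost(), ManagementPlatform()
    cfg = NetConfig("vm1", ("vni0", "vni1"), "A", "br-A")
    src.inject_config(cfg)
    mp.vm_config["vm1"] = cfg
    mp.vm_policy["vm1"] = SecurityPolicy(rules=("drop-inbound-23",), qos={"vni0": "gold"})
    mp.comm_hosts["vm1"] = comm
    comm.targets["vm1"] = {src}
    second, delivered = mp.migrate("vm1", src, dst, ["frame-1", "frame-2"])
    return second, delivered, comm, src, dst


if __name__ == "__main__":
    print(run_scenario()[:2])
```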
  • An embodiment of the configuration distribution method in the embodiment of the present invention includes:
  • When the management platform detects that a virtual machine is created in the host, the management platform acquires the network configuration corresponding to the virtual machine.
  • The management platform can detect whether the virtual machine has been created in the host at a certain time, and can also determine that the virtual machine has been created by receiving a virtual machine creation completion message sent by the host; this is not limited herein.
  • The management platform sends the network configuration corresponding to the virtual machine to the host, so that the host updates the forwarding table according to the network configuration.
  • After obtaining the network configuration corresponding to the virtual machine, the management platform sends it to the host where the virtual machine is located, so that the host updates the forwarding table according to the network configuration; the forwarding module in the host can also apply related policies according to the network configuration.
  • When the management platform detects that the virtual machine is created in the host, the management platform sends the security policy corresponding to the virtual machine to the host, so that the host executes the security policy.
  • That is, when the management platform detects that the virtual machine is created in the host, it can also send the security policy corresponding to the virtual machine to the host, so that the host executes it.
  • In this embodiment, when the management platform detects that the virtual machine is created in the host, it obtains the network configuration corresponding to the virtual machine and sends it to the host, and it may also send the security policy corresponding to the virtual machine to the host so that the host executes it. The management platform thus distributes network configuration and security policy in a unified way, which simplifies the operations required of the user and improves the efficiency and accuracy of network configuration and security policy distribution.
  • The management platform obtains the network configuration corresponding to the virtual machine.
  • In practice, the management platform can obtain the network configuration corresponding to the virtual machine in multiple ways.
  • The management platform may display a list of network card information corresponding to the virtual machine and prompt the user to set the network configuration corresponding to the virtual machine according to that list; after the user has configured it, the management platform receives the network configuration corresponding to the virtual machine set by the user.
  • The management platform may also generate the network configuration corresponding to the virtual machine automatically according to the communication state of the virtual machine.
  • This automated generation of network settings further reduces the operations the user needs to perform and improves the efficiency of creating the virtual machine's network configuration.
  • The management platform may also send a security policy corresponding to the virtual machine to the host, so that the host executes the security policy.
  • The security policy may include a filtering rule or a QoS policy.
  • The management platform sending the security policy corresponding to the virtual machine to the host, so that the host executes it, may include: the management platform sends the filtering rule to the host (in practice, to the control node of the host), so that the host adds the filtering rule to the corresponding rule chain, where the host generates one rule chain for each virtual network interface of the virtual machine.
  • Each virtual network interface is distinguished by the mark (composed of the virtual machine ID and the virtual network interface ID) carried by the kernel network data structure sk_buff in the kernel communication module. This mark is stored in the sk_buff, not in the data frame. Because the existing firewall and QoS mechanisms can read this mark, each virtual network interface can be identified locally without modifying the contents of the network frame.
  • The control node of the host can use NF_HOOK to hand the data frame to netfilter, and it receives the data frame processed by netfilter in the PREROUTING and POSTROUTING rule lists of ebtables.
  • The source of the frame can thus be identified and the data passed to the corresponding rule chain for processing; finally, tunnel technology can be used for packet forwarding.
  • The management platform sending the security policy corresponding to the virtual machine to the host, so that the host executes it, may further include: when the virtual machine is created in the host, the management platform sends the saved QoS policy to the host (in practice, to the control node of the host). The QoS policy is generated by the administrator for each virtual network interface of the virtual machine, so that the host (in practice, its control node) sets a classifier for the corresponding virtual network interface according to the QoS policy.
  • The QoS policy can also be saved in the management platform; the transmitting end of the virtual network interface corresponds to the ingress (input end) QoS, and the receiving end of the virtual network interface corresponds to the egress (output end) QoS.
  • When data is processed at the transmitting end, the same mark is set on the sk_buff and the data frame is handed to ingress QoS processing using the Qdisc->enqueue method, where the mark is used to find the corresponding QoS policy; after processing, the data is encapsulated into a UDP packet and sent out. At the receiving end, the kernel obtains the packet, decapsulates it, marks it for the receiving end, and hands the data frame to the Qdisc for egress QoS.
  • In this way the management platform can uniformly distribute security policies including filtering rules or QoS policies, implementing centralized distribution of network configuration and security policies, which effectively improves distribution efficiency.
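The following added Python model (not the patent's code) shows the point of the sk_buff mark described above and the QoS path that follows it: the mark, composed of the virtual machine ID and virtual network interface ID, stays in packet metadata and selects the per-interface rule chain and QoS class, and the tunnel encapsulation carries only the frame bytes, so the mark never leaves the host. The mark_of() bit split, the RuleChain shape and the tunnel header layout are assumptions.

```python
"""Model of per-virtual-network-interface marking: the tag lives in the packet
descriptor (sk_buff), never in the frame, and selects rule chain and QoS class.
Added example with a constructed frame and tunnel format; not the patent's code."""
import struct
from dataclasses import dataclass, field


@dataclass
class SkBuff:
    """Kernel-side packet descriptor: payload plus out-of-band metadata."""
    data: bytes
    mark: int = 0                     # vm_id/vni_id tag, not part of `data`


def mark_of(vm_id: int, vni_id: int) -> int:
    """Compose the tag from VM id and VNI id (16 bits each; an assumed split)."""
    return (vm_id & 0xFFFF) << 16 | (vni_id & 0xFFFF)


def split_mark(mark: int):
    return mark >> 16, mark & 0xFFFF


@dataclass
class RuleChain:
    """Filtering rules for one VNI: (predicate, verdict) pairs evaluated in order."""
    rules: list = field(default_factory=list)
    default: str = "ACCEPT"

    def verdict(self, skb):
        for pred, action in self.rules:
            if pred(skb.data):
                return action
        return self.default


TUNNEL_HDR = struct.Struct("!HI")     # constructed header: version, payload length


def encapsulate(skb):
    """Wrap only the frame bytes; the mark deliberately stays out of the packet."""
    return TUNNEL_HDR.pack(1, len(skb.data)) + skb.data


def decapsulate(packet):
    ver, length = TUNNEL_HDR.unpack_from(packet)
    body = packet[TUNNEL_HDR.size:]
    if ver != 1 or len(body) != length:
        raise ValueError("malformed tunnel packet")
    return SkBuff(body)               # arrives unmarked; the receiver re-tags it


class KernelCommModule:
    def __init__(self):
        self.chains = {}              # mark -> RuleChain, one chain per VNI
        self.qos_class = {}           # mark -> QoS class chosen by the classifier
        self.queues = {}              # class -> frames admitted to that class

    def create_vni(self, vm_id, vni_id, chain, qos):
        m = mark_of(vm_id, vni_id)
        self.chains[m], self.qos_class[m] = chain, qos

    def ingress(self, skb):
        """Transmit side: filter by the VNI's own chain, then ingress QoS, then tunnel."""
        if skb.mark not in self.chains:
            return None               # no chain for this mark: unknown VNI, drop
        if self.chains[skb.mark].verdict(skb) != "ACCEPT":
            return None
        cls = self.qos_class[skb.mark]
        self.queues.setdefault(cls, []).append(skb.data)
        return encapsulate(skb)

    def egress(self, packet, vm_id, vni_id):
        """Receive side: decapsulate, re-tag for the local VNI, hand to egress QoS."""
        skb = decapsulate(packet)
        skb.mark = mark_of(vm_id, vni_id)
        if skb.mark not in self.chains:
            return None
        cls = self.qos_class[skb.mark]
        self.queues.setdefault(cls, []).append(skb.data)
        return skb


def demo():
    """Constructed traffic: VM 7 has two VNIs; VNI 0 drops a 'TELNET' frame, VM 9 is unknown."""
    km = KernelCommModule()
    deny_telnet = (lambda d: d.startswith(b"TELNET"), "DROP")
    km.create_vni(7, 0, RuleChain([deny_telnet]), "gold")
    km.create_vni(7, 1, RuleChain([]), "silver")
    http = SkBuff(b"HTTP GET /", mark_of(7, 0))
    telnet = SkBuff(b"TELNET login", mark_of(7, 0))
    stray = SkBuff(b"HTTP GET /", mark_of(9, 0))      # VNI never created on this host
    pkt = km.ingress(http)
    return {
        "http_pkt": pkt,
        "telnet_pkt": km.ingress(telnet),
        "stray_pkt": km.ingress(stray),
        "received": km.egress(pkt, 7, 1),
        "queues": km.queues,
    }
```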
  • Referring to FIG. 4, another embodiment of the configuration distribution method in the embodiment of the present invention includes:
  • When the host detects that a virtual machine is created in the host, the host receives the network configuration and security policy corresponding to the virtual machine sent by the management platform.
  • When the host detects that the virtual machine is created in the host, the management platform sends the network configuration and security policy corresponding to the virtual machine to the host (in practice, to the control node of the host); the security policy may be generated by the administrator for each virtual network interface of the virtual machine, and the host receives the network configuration and security policy sent by the management platform.
  • The host updates the forwarding table according to the network configuration.
  • After receiving the network configuration, the host updates the forwarding table according to it.
  • In practice, the control node of the host may inject the network configuration into the kernel control module of the host, and the kernel control module updates the forwarding table according to the network configuration.
  • The host executes the security policy.
  • After receiving the security policy, the host executes it.
  • In practice, the security policy may be received by the control node in the host and then injected into the kernel control module in the host, which executes the security policy.
  • Step 403 can also be performed before step 402; this is not limited herein.
  • In this embodiment, when the virtual machine is created in the host, the host receives the network configuration and security policy sent by the management platform, updates the forwarding table according to the network configuration and executes the policy. The management platform distributes the network configuration and security policy, and the control node in the host receives and injects them, which simplifies the operations the user needs to perform and realizes centralized distribution of network configuration and security policies.
  • When the host detects that the virtual machine is created in the host, the host may create a rule chain for each virtual network interface of the virtual machine;
  • the security policy may include a filtering rule;
  • and when the host executes the security policy, it may add the filtering rule to the corresponding rule chain.
  • Each virtual network interface is distinguished by the mark (composed of the virtual machine ID and the virtual network interface ID) carried by the kernel network data structure sk_buff in the kernel communication module. This mark is stored in the sk_buff, not in the data frame. Because the existing firewall and QoS mechanisms can read this mark, each virtual network interface can be identified locally without modifying the contents of the network frame.
  • The control node of the host can use NF_HOOK to hand the data frame to netfilter, and it receives the data frame processed by netfilter in the PREROUTING and POSTROUTING rule lists of ebtables.
  • The source of the frame can thus be identified and the data passed to the corresponding rule chain for processing; finally, tunnel technology can be used for packet forwarding.
  • The filtering rule can be set by the user, or generated automatically by the management platform according to the running environment of the virtual machine or a preset rule; this is not limited herein.
  • The security policy may further include a QoS policy, where the QoS policy is generated by the administrator for each virtual network interface of the virtual machine; the host executing the security policy may then include adding the filtering rule to the corresponding rule chain and setting a classifier for the corresponding virtual network interface according to the QoS policy.
  • The QoS policy can also be saved in the management platform; the transmitting end of the virtual network interface corresponds to the ingress (input end) QoS, and the receiving end of the virtual network interface corresponds to the egress (output end) QoS.
  • When data is processed at the transmitting end, the same mark is set on the sk_buff and the data frame is handed to ingress QoS processing using the Qdisc->enqueue method.
  • The mark is used to find the corresponding QoS policy for processing.
  • After processing, the data is encapsulated into UDP packets and sent out.
  • At the receiving end, the kernel obtains the packet, decapsulates it, marks it for the receiving end, and then hands the data frame to the Qdisc for egress QoS.
  • An embodiment of the management platform 500 in the embodiment of the present invention includes:
  • the first configuration sending module 501, configured to: when a migration request for the virtual machine is received, send the first network configuration to the destination host according to the migration request, so that the destination host injects the first network configuration into the destination host, where the first network configuration is the network configuration of the virtual machine in the source host, and the migration request is used to request migrating the virtual machine from the source host to the destination host;
  • the selecting module 502, configured to notify the communication host to select the destination host as the communication target when migration completion information sent by the destination host is received, where the communication host is a host that uses the source host as the communication target of the virtual machine.
  • In this embodiment, when a migration request for the virtual machine is received, the first configuration sending module 501 sends the first network configuration to the destination host according to the migration request, where the first network configuration is the network configuration of the virtual machine in the source host, so that the destination host injects the first network configuration into the destination host.
  • When migration completion information is received from the destination host, the selecting module 502 notifies the communication host to select the destination host as the communication target. Through this interaction between the management platform and the destination host, the network configuration of the virtual machine in the source host is synchronized to the destination host of the migration, and the virtual network is migrated synchronously.
  • The management platform 600 may further include:
  • the second configuration receiving module 601, configured to receive a second network configuration sent by the destination host, where the second network configuration is a network configuration matching the destination host that the destination host generated according to the first network configuration;
  • the configuration saving module 602, configured to save the second network configuration as the network configuration of the virtual machine in the destination host.
  • In this way the network configuration in the source host is migrated to the new host, matched with the new host and then synchronized to the database by the configuration saving module 602, so that the next migration is prepared: whenever the virtual machine is migrated, its corresponding network configuration can be migrated synchronously, ensuring that virtual machine migration and network configuration migration stay in step.
  • The management platform 700 may further include:
  • the redundancy issuing module 701, configured to send a redundancy policy to the communication host according to the migration request, where the redundancy policy is configured to enable the source host and the destination host to simultaneously receive the network data of the virtual machine;
  • the interface information receiving module 702, configured to receive virtual network interface information that is sent by the destination host and allocated to the virtual machine;
  • the interface information sending module 703, configured to send the virtual network interface information to the communication host, so that the communication host simultaneously sends the network data of the virtual machine to the source host and the destination host according to the redundancy policy.
  • In this way the source host and the destination host can simultaneously receive the virtual machine's network data sent by the relevant host during the migration, avoiding loss of the network data sent by the relevant host to the virtual machine during migration.
  • The redundancy policy is then cancelled, which improves the efficiency of system operation.
  • The management platform 800 may further include:
  • the first policy sending module 801, configured to: when the virtual machine management system migrates the virtual machine, send the original security policy to the destination host according to the migration request, where the original security policy is the security policy of the virtual machine in the source host, so that the destination host injects the original security policy into the destination host.
  • In this way unified distribution of the network configuration and the security policy is implemented, and the network configuration and the security policy can be migrated at the same time, ensuring that the security level of the migrated virtual machine is not affected.
  • An embodiment of the host 900 in the embodiment of the present invention includes:
  • the first configuration receiving module 901, configured to receive a first network configuration sent by the management platform, where the first network configuration is the network configuration of the virtual machine in the source host;
  • the configuration injection module 902, configured to inject the first network configuration into the destination host;
  • the completion information sending module 903, configured to: when the destination host detects that the virtual machine migration is completed, send migration completion information to the management platform, so that the management platform notifies the communication host to select the destination host as the communication target, where the communication host is a host that uses the source host as the communication target of the virtual machine.
  • In this embodiment, the first configuration receiving module 901 receives the first network configuration sent by the management platform, where the first network configuration is the network configuration of the virtual machine in the source host, and the configuration injection module 902 injects it into the destination host.
  • When the destination host detects that the virtual machine migration is completed, the completion information sending module 903 sends migration completion information to the management platform, so that the management platform notifies the communication host to select the destination host as the communication target. Through this interaction between the management platform and the destination host during migration, the network configuration of the virtual machine in the source host is synchronized to the destination host of the migration, and the virtual machine migration is synchronized with the migration of its network configuration.
  • The configuration injection module 902 may be specifically configured to execute the first network configuration and generate a second network configuration that matches the destination host;
  • and the host 1000 then further includes a second configuration sending module 1001, configured to send the second network configuration to the management platform, so that the management platform saves the second network configuration as the network configuration of the virtual machine in the destination host.
  • In this way the network configuration in the source host is injected into the destination host, matched to it, and then synchronized to the database, which prepares for the next migration: whenever the virtual machine is migrated, its corresponding network configuration can also be migrated synchronously, ensuring that virtual machine migration and network configuration migration stay in step.
  • The host 1100 may further include:
  • the interface information distribution module 1101, configured to send the virtual network interface information allocated to the virtual machine to the management platform, so that the management platform sends the virtual network interface information to the communication host, so that the communication host simultaneously sends the network data of the virtual machine to the source host and the destination host; the management platform can also synchronize the virtual network interface information to the interface database.
  • Because the communication host sends the virtual machine's network data to both the source host and the destination host, network data sent by the related host to the virtual machine is not lost during the migration, which preserves the integrity of the data the virtual machine receives while it migrates.
  • The host 1200 may further include:
  • the first policy receiving module 1201, configured to receive the original security policy sent by the management platform, where the original security policy is the security policy of the virtual machine in the source host;
  • the security policy injection module 1202, configured to inject the original security policy into the destination host.
  • Referring to FIG. 13, another embodiment of the management platform 1300 in the embodiment of the present invention includes:
  • the configuration obtaining module 1301, configured to acquire the network configuration corresponding to the virtual machine when the management platform detects that the virtual machine is created in the host;
  • the third configuration sending module 1302, configured to send the network configuration corresponding to the virtual machine to the host, so that the host updates the forwarding table according to the network configuration;
  • the second policy sending module 1303, configured to: when the management platform detects that the virtual machine is created in the host, send the security policy corresponding to the virtual machine to the host, so that the host executes the security policy.
  • In this embodiment, the configuration obtaining module 1301 obtains the network configuration corresponding to the virtual machine, the third configuration sending module 1302 sends it to the host,
  • and the second policy sending module 1303 sends the security policy to the host. The management platform thus distributes network configuration and security policy in a unified way, simplifying the operations required of the user and improving the efficiency and accuracy of network configuration and security policy distribution.
  • The configuration obtaining module 1301 obtains the network configuration corresponding to the virtual machine; in practice, it can do so in multiple ways.
  • The configuration obtaining module 1301 may specifically include:
  • the information display unit 14011, configured to display a network card information list corresponding to the virtual machine and prompt the user to set the network configuration corresponding to the virtual machine according to that list;
  • the configuration receiving unit 14012, configured to receive the network configuration corresponding to the virtual machine set by the user.
  • The configuration obtaining module 1301 may also be configured to automatically generate the network configuration corresponding to the virtual machine according to the communication state of the virtual machine.
  • This automated generation of network settings further reduces the number of operations users need to perform, increasing the efficiency of virtual machine creation.
  • The second policy sending module 1303 may be specifically configured to: when the virtual machine is created in the host, send the filtering rule to the host, so that the host adds the filtering rule to the corresponding rule chain, where the rule chain is generated by the host for each virtual network interface of the virtual machine.
  • The second policy sending module 1303 may be further configured to: when the virtual machine is created in the host, send the saved QoS policy to the host,
  • where the QoS policy is generated by an administrator for each virtual network interface of the virtual machine, so that the host sets a classifier for the corresponding virtual network interface according to the QoS policy.
  • In this way the second policy sending module 1303 can uniformly distribute security policies including filtering rules or QoS policies, realizing centralized distribution of network configuration and security policies and more effectively improving distribution efficiency.
  • Referring to FIG. 15, another embodiment of the host 1500 in the embodiment of the present invention includes:
  • the receiving module 1501, configured to: when the host detects that the virtual machine is created in the host, receive the network configuration and security policy corresponding to the virtual machine sent by the management platform, where the security policy may be generated by an administrator for each virtual network interface of the virtual machine;
  • the configuration execution module 1502, configured to update the forwarding table according to the network configuration;
  • the policy execution module 1503, configured to execute the security policy.
  • In this embodiment, the receiving module 1501 receives the network configuration and security policy sent by the management platform, the configuration execution module 1502 updates the forwarding table according to the network configuration, and the policy execution module 1503 executes the security policy.
  • The management platform thus distributes network configuration and security policies in a unified way, which simplifies the operations the user needs to perform and improves the efficiency and accuracy of network configuration and security policy distribution.
  • The host 1600 may further include:
  • a creating module 1601, configured to create a rule chain for each virtual network interface of the virtual machine when the host detects that the virtual machine is created in the host;
  • the policy execution module 1505 is then specifically configured to add the filtering rule to the corresponding rule chain.
  • The policy execution module 1505 may also be specifically configured to add the filtering rule to the corresponding rule chain and set a classifier for the corresponding virtual network interface according to the QoS policy.
  • The modules that execute configuration and policy in the host, such as the policy execution module 1504 and the configuration execution module 1503, may be located in the kernel control module of the host, and the modules that receive and distribute configuration and policy, such as the third configuration sending module 1302, may be located in the control node of the host.
  • FIG. 17 is a structural diagram of a specific scenario of the management platform, the source host and the destination host in a virtual machine migration.
  • The control node and the kernel control module in each host connected to the management platform may together constitute a policy management system, where the set of control nodes in the hosts may be regarded as the main control program of the policy management system,
  • and the set of kernel control modules in the hosts may be regarded as the kernel communication module of the policy management system.
  • The roles of the parts of the policy management system are as follows:
  • Management platform: maintains the status information of the virtual machines and virtual network interfaces of the entire data center in its database, and saves the network configuration and network security policy information for each virtual network interface.
  • The management platform automatically updates the configuration and policy information to the main control program based on the configuration information saved in the database and the virtual machine running-state changes submitted by the main control program (including startup, shutdown and migration of the virtual machine).
  • Main control program: its communication process is synchronized with the upper-layer management platform.
  • When the main control program receives communication policy information sent by the management platform, it needs to pass it to the kernel communication module in a timely manner.
  • The main control program also needs to monitor the status of the local virtual machines and notify the management platform of virtual machine status update events in time, so that security policy can be issued according to the change of virtual machine state.
  • Kernel communication module: responsible for information interaction with the upper-layer main control program; it keeps a cache recording the existing policies and performs the local communication-policy cache filtering work.
  • The management platform and the host in the embodiment of the present invention are described above from the perspective of modular functional entities.
  • The following describes the management platform and the host in the embodiment of the present invention from the perspective of hardware processing. It can be understood that in practical applications the management platform, the source host, the destination host and the related host
  • may each be a server; FIG. 19 is a schematic structural diagram of such a server, and also serves as a schematic diagram of the management platform or the host in the embodiment of the present invention.
  • Referring to FIG. 19, another embodiment of the management platform in the embodiment of the present invention includes:
  • an input device 1901, an output device 1902, a processor 1903 and a memory 1904 (where the number of processors 1903 may be one or more; one processor 1903 is taken as an example in FIG. 19).
  • The input device 1901, the output device 1902, the processor 1903 and the memory 1904 may be connected by a bus or in another manner; the bus connection is taken as an example in FIG. 19;
  • the processor 1903 is configured to perform the following steps by calling operation instructions stored in the memory 1904:
  • where the migration request is used to request migrating the virtual machine from the source host to the destination host;
  • the processor 1903 is further configured to perform the following steps:
  • the redundancy policy is configured to enable the source host and the destination host to simultaneously receive network data of the virtual machine;
  • the processor 1903 is further configured to perform the following steps:
  • the original security policy is sent to the destination host according to the migration request, where the original security policy is the security policy of the virtual machine in the source host, so that the destination host injects the original security policy into the destination host.
  • the following describes the host for the virtual machine migration in the embodiment of the present invention from the perspective of the hardware processing.
  • the host is used as the destination host.
  • another embodiment of the host in the embodiment of the present invention includes:
  • the input device 1901, the output device 1902, the processor 1903, and the memory 1904 (wherein the number of the processors 1903 may be one or more, and one processor 1903 is taken as an example in FIG. 19).
  • the input device 1901, the output device 1902, the processor 1903, and the memory 1904 may be connected by a bus or other manner, wherein the bus connection is taken as an example in FIG. 19;
  • the processor 1903 is configured to perform the following steps by calling an operation instruction stored in the memory 1904:
  • the processor 1903 specifically performs the following steps:
  • the processor 1903 also performs the following steps:
  • the processor 1903 further performs the following steps:
  • the management platform for configuration distribution in the embodiment of the present invention is described below from the perspective of hardware processing. Referring to FIG. 19, another embodiment of the management platform in the embodiment of the present invention includes:
  • the input device 1901, the output device 1902, the processor 1903, and the memory 1904 (wherein the number of the processors 1903 may be one or more, and one processor 1903 is taken as an example in FIG. 19).
  • the input device 1901, the output device 1902, the processor 1903, and the memory 1904 may be connected by a bus or other manner, wherein the bus connection is taken as an example in FIG. 19;
  • the processor 1903 is configured to perform the following steps by calling an operation instruction stored in the memory 1904:
  • the management platform detects that the virtual machine is created in the host, the security policy corresponding to the virtual machine is sent to the host, so that the host executes the security policy;
  • the processor 1903 specifically performs the following steps:
  • Another embodiment of the host in the embodiment of the present invention includes:
  • the input device 1901, the output device 1902, the processor 1903, and the memory 1904 (wherein the number of the processors 1903 may be one or more, and one processor 1903 is taken as an example in FIG. 19).
  • the input device 1901, the output device 1902, the processor 1903, and the memory 1904 may be connected by a bus or other manner, wherein the bus connection is taken as an example in FIG. 19;
  • the processor 1903 is configured to perform the following steps by calling an operation instruction stored in the memory 1904:
  • when the host detects that the virtual machine has been created in the host, the network configuration and the security policy corresponding to the virtual machine sent by the management platform are received, where the security policy is generated from settings made by the administrator for each virtual network interface of the virtual machine;
  • the processor 1903 also performs the following operations:
  • a rule chain is created for each virtual network interface of the virtual machine
  • the processor 1903 specifically performs the following operations:
  • when the security policy further includes a QoS policy, the processor 1903 specifically performs the following operations:
  • the disclosed system, apparatus, and method may be implemented in other manners.
  • the device embodiments described above are merely illustrative.
  • the division of the unit is only a logical function division.
  • there may be another division manner; for example, multiple units or components may be combined or integrated into another system, or some features may be ignored or not executed.
  • the mutual coupling or direct coupling or communication connection shown or discussed may be an indirect coupling or communication connection through some interface, device or unit, and may be in an electrical, mechanical or other form.
  • the units described as separate components may or may not be physically separated, and the components displayed as units may or may not be physical units, that is, may be located in one place, or may be distributed to multiple network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of the embodiment.
  • each functional unit in each embodiment of the present invention may be integrated into one processing unit, or each unit may exist physically separately, or two or more units may be integrated into one unit.
  • the above integrated unit can be implemented in the form of hardware or in the form of a software functional unit.
  • when the integrated unit is implemented in the form of a software functional unit and sold or used as a standalone product, it can be stored in a computer readable storage medium.
  • the technical solution of the present invention which is essential or contributes to the prior art, or all or part of the technical solution, may be embodied in the form of a software product stored in a storage medium.
  • a number of instructions are included to cause a computer device (which may be a personal computer, server, or network device, etc.) to perform all or part of the steps of the methods described in various embodiments of the present invention.
  • the foregoing storage medium includes: a USB flash drive, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, an optical disk, and the like.

Abstract

Disclosed are a virtual machine migration method and device, which are used for realizing the synchronization migration of a network configuration corresponding to a virtual machine when the virtual machine is migrated. The method in the embodiments of the present invention comprises: when a management platform receives a migration request for a virtual machine, sending, by the management platform, a first network configuration to a destination host according to the migration request, wherein the first network configuration is a network configuration of the virtual machine in a source host, so that the destination host injects the first network configuration into the destination host; and when the migration is completed, sending, by the management platform, a selection message to a related host so as to select the destination host as a communication object of the virtual machine.

Description

Virtual machine migration method and device
This application claims priority to Chinese Patent Application No. 201410289648.5, filed with the Chinese Patent Office on June 24, 2014 and entitled "Virtual machine migration method and device", the entire contents of which are incorporated herein by reference.
Technical field
The present invention relates to the field of computer information security technologies, and in particular to a virtual machine migration method and device.
Background
In recent years, virtualization technology, with its strong isolation, easy maintenance, cost savings and support for cross-platform applications, has gradually become the core and backbone technology of application environments such as cloud computing, grid computing and high-performance computing. One of the most important advantages brought by virtualization technology is virtual machine migration. However, in a network virtualization environment, software-defined virtual network configurations and network security policies need to be migrated synchronously with the virtual machine.
At present, mainstream virtual machine monitors (VMMs) all support migration of virtual machines (VMs); a representative technology in this area is VMware's Vmotion. Vmotion encapsulates the virtual machine state on a shared storage device and rapidly transfers the virtual machine's active memory and execution state over a high-speed network, thereby ensuring seamless migration.
However, most existing migration methods only migrate the virtual machine itself and cannot effectively manage the synchronous migration of its network configuration when the virtual machine is migrated.
Summary of the invention
Embodiments of the present invention provide a virtual machine migration method and device, used to implement synchronous migration of the network configuration corresponding to a virtual machine when the virtual machine is migrated.
A first aspect of the embodiments of the present invention provides a virtual machine migration method, including:
when a management platform receives a migration request for a virtual machine, the management platform sends a first network configuration to a destination host according to the migration request, so that the destination host injects the first network configuration into the destination host, where the first network configuration is the network configuration of the virtual machine in a source host, and the migration request is used to request that the virtual machine be migrated from the source host to the destination host;
when the management platform receives migration completion information sent by the destination host, the management platform notifies a communication host to select the destination host as a communication target, where the communication host is a host that uses the source host as the communication target for the virtual machine.
With reference to the first aspect of the embodiments of the present invention, in a first implementation of the first aspect, after the management platform sends the first network configuration to the destination host according to the migration request, the method further includes:
the management platform receives a second network configuration sent by the destination host, where the second network configuration is a network configuration matching the destination host that the destination host generates according to the first network configuration;
the management platform saves the second network configuration as the network configuration of the virtual machine in the destination host.
With reference to the first aspect or the first implementation of the first aspect, in a second implementation of the first aspect, the method further includes:
the management platform issues a redundancy policy to the communication host according to the migration request, where the redundancy policy is used to enable the source host and the destination host to receive the network data of the virtual machine simultaneously;
the management platform receives virtual network interface information, sent by the destination host, that is allocated to the virtual machine;
the management platform sends the virtual network interface information to the communication host, so that the communication host sends the network data of the virtual machine to the source host and the destination host simultaneously according to the redundancy policy and the network interface information.
With reference to any one of the first aspect to the second implementation of the first aspect, in a third implementation of the first aspect, the method further includes:
when the management platform receives the migration request for the virtual machine, the management platform sends an original security policy to the destination host according to the migration request, where the original security policy is the security policy of the virtual machine in the source host, so that the destination host injects the original security policy into the destination host.
A second aspect of the embodiments of the present invention provides a virtual machine migration method, including:
a destination host receives a first network configuration sent by a management platform, where the first network configuration is the network configuration of the virtual machine in a source host;
the destination host injects the first network configuration into the destination host;
when the destination host detects that migration of the virtual machine is complete, the destination host sends migration completion information to the management platform, so that the management platform notifies a communication host to select the destination host as a communication target, where the communication host is a host that uses the source host as the communication target for the virtual machine.
With reference to the second aspect of the embodiments of the present invention, in a first implementation of the second aspect, the destination host injecting the first network configuration into the destination host specifically includes:
the destination host executes the first network configuration and generates a second network configuration matching the destination host;
and after the destination host injects the first network configuration into the destination host, the method further includes:
the destination host sends the second network configuration to the management platform, so that the management platform saves the second network configuration as the network configuration of the virtual machine in the destination host.
With reference to the first implementation of the second aspect, in a second implementation of the second aspect, the method further includes:
the destination host sends virtual network interface information allocated to the virtual machine to the management platform.
With reference to any one of the second aspect to the second implementation of the second aspect, in a third implementation of the second aspect, the method further includes:
the destination host receives an original security policy sent by the management platform, where the original security policy is the security policy of the virtual machine in the source host;
the destination host injects the original security policy into the destination host.
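The exchange of the first and second aspects, as an added example that is not code from the patent or from any Huawei implementation: an in-memory Python simulation of the management platform, the source host, the destination host and one communication host. The message names, the `NetworkConfig` fields, the VLAN-to-bridge mapping that makes the second configuration differ from the first, and all sample values are assumptions constructed for the example. The ordering matters from a defender's view: the original security policy is injected into the destination before the redundancy policy starts steering the virtual machine's traffic there, so the destination never receives that traffic unfiltered.

```python
"""Added example: simulation of the migration exchange (first and second aspects).
Not code from the patent; message names, fields and sample values are assumptions."""
from dataclasses import dataclass, field, replace
from typing import Dict, List, Set


@dataclass
class NetworkConfig:
    """Network configuration of one virtual network interface (vNIC) of a VM."""
    vnic: str
    mac: str
    vlan: int
    bridge: str  # host-local bridge name: the part that differs between hosts


@dataclass
class Host:
    name: str
    bridge_for_vlan: Dict[int, str]                    # how this host attaches each VLAN
    configs: Dict[str, NetworkConfig] = field(default_factory=dict)
    policies: Dict[str, List[str]] = field(default_factory=dict)
    targets: Dict[str, Set[str]] = field(default_factory=dict)  # vm -> hosts its data goes to
    peer_info: Dict[str, dict] = field(default_factory=dict)    # vm -> vNIC info of the destination

    # destination-host side (second aspect)
    def inject_config(self, vm: str, first: NetworkConfig) -> NetworkConfig:
        """Execute the first configuration and derive the second one matching this host."""
        second = replace(first, bridge=self.bridge_for_vlan[first.vlan])
        self.configs[vm] = second
        return second

    def inject_policy(self, vm: str, policy: List[str]) -> None:
        """Original security policy is installed before any traffic is steered here."""
        self.policies[vm] = list(policy)

    def vnic_info(self, vm: str) -> dict:
        cfg = self.configs[vm]
        return {"host": self.name, "vnic": cfg.vnic, "mac": cfg.mac}

    # communication-host side
    def apply_redundancy(self, vm: str, src: str, dst: str, dst_info: dict) -> None:
        """Redundancy policy: send the VM's data to both source and destination."""
        self.targets[vm] = {src, dst}
        self.peer_info[vm] = dst_info

    def select(self, vm: str, dst: str) -> None:
        """Selection message: only the destination host remains the communication object."""
        self.targets[vm] = {dst}

    def send_targets(self, vm: str) -> Set[str]:
        return set(self.targets.get(vm, set()))


class ManagementPlatform:
    """Keeps the per-VM record: current host, network configuration, security policy."""

    def __init__(self, hosts: List[Host]) -> None:
        self.hosts = {h.name: h for h in hosts}
        self.db: Dict[str, dict] = {}

    def register(self, vm: str, host: str, cfg: NetworkConfig, policy: List[str]) -> None:
        self.db[vm] = {"host": host, "config": cfg, "policy": list(policy)}
        self.hosts[host].configs[vm] = cfg
        self.hosts[host].policies[vm] = list(policy)

    def communication_hosts(self, vm: str, src: str) -> List[Host]:
        """Hosts that currently use the source host as the VM's communication target."""
        return [h for h in self.hosts.values() if src in h.targets.get(vm, set())]

    def migrate(self, vm: str, dst_name: str) -> dict:
        """Steps taken on the migration request (first aspect and its implementations)."""
        rec, src_name, dst = self.db[vm], self.db[vm]["host"], self.hosts[dst_name]
        # (1) first network configuration and original security policy go to the destination
        second = dst.inject_config(vm, rec["config"])
        dst.inject_policy(vm, rec["policy"])
        rec["config"] = second  # saved as the VM's configuration in the destination host
        # (2) redundancy policy plus the destination's vNIC information to the communication hosts
        info = dst.vnic_info(vm)
        peers = self.communication_hosts(vm, src_name)
        for h in peers:
            h.apply_redundancy(vm, src_name, dst_name, info)
        return {"src": src_name, "dst": dst_name, "peers": [h.name for h in peers]}

    def migration_completed(self, vm: str, dst_name: str) -> None:
        """Destination reported completion: issue the selection message, retire the source copy."""
        src_name = self.db[vm]["host"]
        for h in self.communication_hosts(vm, src_name):
            h.select(vm, dst_name)
        self.db[vm]["host"] = dst_name
        self.hosts[src_name].configs.pop(vm, None)
        self.hosts[src_name].policies.pop(vm, None)


def run_demo() -> dict:
    """Constructed scenario: vm1 moves from hostA to hostB while hostC talks to it."""
    src, dst, peer = Host("hostA", {100: "br-a-100"}), Host("hostB", {100: "br-b-100"}), Host("hostC", {100: "br-c-100"})
    mp = ManagementPlatform([src, dst, peer])
    mp.register("vm1", "hostA", NetworkConfig("vnic0", "52:54:00:00:00:01", 100, "br-a-100"),
                ["accept tcp dport 22 from 10.0.0.0/24", "drop all"])
    peer.targets["vm1"] = {"hostA"}          # hostC currently reaches vm1 through hostA
    mp.migrate("vm1", "hostB")
    during = peer.send_targets("vm1")        # both hosts while the migration is in progress
    mp.migration_completed("vm1", "hostB")
    after = peer.send_targets("vm1")         # only the destination afterwards
    return {"during": during, "after": after, "dst_bridge": dst.configs["vm1"].bridge,
            "dst_policy": dst.policies["vm1"], "record_host": mp.db["vm1"]["host"],
            "peer_sees_dst": peer.peer_info["vm1"]["host"], "src_still_has_vm": "vm1" in src.configs}


if __name__ == "__main__":
    print(run_demo())
```

`run_demo()` returns the communication host's targets during and after the migration, which is the observable effect of the redundancy policy followed by the selection message.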
A third aspect of the embodiments of the present invention provides a configuration distribution method, including:
when a management platform detects that a virtual machine has been created in a host, the management platform acquires the network configuration corresponding to the virtual machine;
the management platform sends the network configuration corresponding to the virtual machine to the host, so that the host updates its forwarding table according to the network configuration;
when the management platform detects that the virtual machine has been created in the host, the management platform sends the security policy corresponding to the virtual machine to the host, so that the host executes the security policy.
With reference to the third aspect of the embodiments of the present invention, in a first implementation of the third aspect, the management platform acquiring the network configuration corresponding to the virtual machine specifically includes:
the management platform displays a list of network card information corresponding to the virtual machine and prompts the user to set the network configuration corresponding to the virtual machine according to the network card information list;
the management platform receives the network configuration corresponding to the virtual machine set by the user.
With reference to the third aspect of the embodiments of the present invention, in a second implementation of the third aspect, the management platform acquiring the network configuration corresponding to the virtual machine specifically includes:
the management platform generates the network configuration corresponding to the virtual machine according to the communication state of the virtual machine.
A fourth aspect of the embodiments of the present invention provides a configuration distribution method, including:
when a host detects that a virtual machine has been created in the host, the host receives the network configuration and security policy corresponding to the virtual machine sent by a management platform, where the security policy is generated from settings made by an administrator for each virtual network interface of the virtual machine;
the host updates its forwarding table according to the network configuration;
the host executes the security policy.
With reference to the fourth aspect of the embodiments of the present invention, in a first implementation of the fourth aspect, the method further includes:
when the host detects that the virtual machine has been created in the host, the host creates a rule chain for each virtual network interface of the virtual machine;
the security policy includes a filtering rule;
and the host executing the security policy specifically includes:
the host adds the filtering rule to the corresponding rule chain.
With reference to the first implementation of the fourth aspect, in a second implementation of the fourth aspect, the security policy further includes a quality of service (QoS) policy;
and the host executing the security policy specifically includes:
the host adds the filtering rule to the corresponding rule chain and sets a classifier for the corresponding virtual network interface according to the QoS policy.
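The host side of the fourth aspect, as an added example that is not code from the patent: when a virtual machine is created the host builds one rule chain per virtual network interface, updates its forwarding table from the distributed network configuration, appends the distributed filtering rules to the matching chain and, where a QoS policy is present, attaches a classifier to the interface. The rule fields, the packet representation, the choice that an unmatched packet or an unknown destination MAC is dropped, and the sample policy and packets are all assumptions constructed for the example; the patent does not state a default action.

```python
"""Added example: host-side enforcement of a distributed network configuration and
security policy (fourth aspect). Not the patent's code; rule fields, packet format,
default-drop and all sample values are assumptions."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional


@dataclass
class FilterRule:
    action: str              # "accept" or "drop"
    proto: str = "any"       # "tcp", "udp", "icmp" or "any"
    src: str = "0.0.0.0/0"   # source prefix the rule applies to
    dport: Optional[int] = None

    def matches(self, pkt: dict) -> bool:
        if self.proto != "any" and pkt["proto"] != self.proto:
            return False
        if ip_address(pkt["src"]) not in ip_network(self.src):
            return False
        return self.dport is None or pkt.get("dport") == self.dport


@dataclass
class Classifier:
    """QoS classifier attached to a vNIC (fields are assumed)."""
    rate_kbps: int
    priority: int


@dataclass
class RuleChain:
    """One chain per virtual network interface; rules are evaluated in order."""
    vnic: str
    rules: List[FilterRule] = field(default_factory=list)
    classifier: Optional[Classifier] = None
    default_action: str = "drop"   # assumption: no matching rule means drop

    def evaluate(self, pkt: dict) -> str:
        for rule in self.rules:
            if rule.matches(pkt):
                return rule.action
        return self.default_action


class Host:
    def __init__(self) -> None:
        self.chains: Dict[str, RuleChain] = {}
        self.forwarding: Dict[str, str] = {}   # destination MAC -> vNIC

    def on_vm_created(self, vm: str, vnics: List[str]) -> None:
        """First implementation of the fourth aspect: a rule chain per vNIC."""
        for vnic in vnics:
            self.chains[vnic] = RuleChain(vnic)

    def update_forwarding_table(self, config: List[dict]) -> None:
        for entry in config:
            self.forwarding[entry["mac"]] = entry["vnic"]

    def execute_policy(self, policy: Dict[str, dict]) -> None:
        """policy: vnic -> {"filters": [FilterRule, ...], "qos": {...} or None}."""
        for vnic, spec in policy.items():
            chain = self.chains[vnic]  # policy for an unknown vNIC raises rather than creating one
            chain.rules.extend(spec["filters"])
            if spec.get("qos"):
                chain.classifier = Classifier(**spec["qos"])

    def process(self, pkt: dict) -> str:
        vnic = self.forwarding.get(pkt["dst_mac"])
        if vnic is None:
            return "drop"   # no forwarding entry: nothing to deliver to
        return self.chains[vnic].evaluate(pkt)


def run_demo() -> dict:
    host = Host()
    host.on_vm_created("vm1", ["vnic0", "vnic1"])
    host.update_forwarding_table([{"vnic": "vnic0", "mac": "52:54:00:00:00:01"},
                                  {"vnic": "vnic1", "mac": "52:54:00:00:00:02"}])
    host.execute_policy({   # constructed policy: management vNIC and public vNIC
        "vnic0": {"filters": [FilterRule("accept", "tcp", "10.0.0.0/24", 22),
                              FilterRule("accept", "icmp", "10.0.0.0/24")],
                  "qos": {"rate_kbps": 10000, "priority": 1}},
        "vnic1": {"filters": [FilterRule("accept", "tcp", "0.0.0.0/0", 443)], "qos": None},
    })
    packets = {   # constructed packets
        "ssh_from_mgmt": {"dst_mac": "52:54:00:00:00:01", "proto": "tcp", "src": "10.0.0.7", "dport": 22},
        "ssh_from_else": {"dst_mac": "52:54:00:00:00:01", "proto": "tcp", "src": "192.168.1.9", "dport": 22},
        "ping_from_mgmt": {"dst_mac": "52:54:00:00:00:01", "proto": "icmp", "src": "10.0.0.7"},
        "https_public": {"dst_mac": "52:54:00:00:00:02", "proto": "tcp", "src": "203.0.113.5", "dport": 443},
        "unknown_mac": {"dst_mac": "52:54:00:00:00:ff", "proto": "udp", "src": "10.0.0.7", "dport": 53},
    }
    result = {name: host.process(p) for name, p in packets.items()}
    result["vnic0_rate_kbps"] = host.chains["vnic0"].classifier.rate_kbps
    result["vnic1_has_qos"] = host.chains["vnic1"].classifier is not None
    return result


if __name__ == "__main__":
    print(run_demo())
```

Keeping one chain per interface means a policy distributed for one vNIC cannot loosen the rules of another vNIC of the same virtual machine, which is the isolation the per-interface design in the text buys.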
A fifth aspect of the embodiments of the present invention provides a management platform, including:
a first configuration sending module, configured to, when a migration request for a virtual machine is received, send a first network configuration to a destination host according to the migration request, so that the destination host injects the first network configuration into the destination host, where the first network configuration is the network configuration of the virtual machine in a source host, and the migration request is used to request that the virtual machine be migrated from the source host to the destination host;
a selection module, configured to, when migration completion information sent by the destination host is received, notify a communication host to select the destination host as a communication target, where the communication host is a host that uses the source host as the communication target for the virtual machine.
With reference to the fifth aspect of the embodiments of the present invention, in a first implementation of the fifth aspect, the management platform further includes:
a second configuration receiving module, configured to receive a second network configuration sent by the destination host, where the second network configuration is a network configuration matching the destination host that the destination host generates according to the first network configuration;
a configuration saving module, configured to save the second network configuration as the network configuration of the virtual machine in the destination host.
With reference to the fifth aspect or the first implementation of the fifth aspect, in a second implementation of the fifth aspect, the management platform further includes:
a redundancy issuing module, configured to issue a redundancy policy to the communication host according to the migration request, where the redundancy policy is used to enable the source host and the destination host to receive the network data of the virtual machine simultaneously;
an interface information receiving module, configured to receive virtual network interface information, sent by the destination host, that is allocated to the virtual machine;
an interface information sending module, configured to send the virtual network interface information to the communication host, so that the communication host sends the network data of the virtual machine to the source host and the destination host simultaneously according to the redundancy policy and the network interface information.
With reference to any one of the fifth aspect to the second implementation of the fifth aspect, in a third implementation of the fifth aspect, the management platform further includes:
a first policy sending module, configured to, when the management platform migrates the virtual machine, send an original security policy to the destination host according to the migration request, where the original security policy is the security policy of the virtual machine in the source host, so that the destination host injects the original security policy into the destination host.
A sixth aspect of the embodiments of the present invention provides a host, used as a destination host, including:
a first configuration receiving module, configured to receive a first network configuration sent by a management platform, where the first network configuration is the network configuration of the virtual machine in a source host;
a configuration injection module, configured to inject the first network configuration into the destination host;
a completion information sending module, configured to, when the destination host detects that migration of the virtual machine is complete, send migration completion information to the management platform, so that the management platform notifies a communication host to select the destination host as a communication target, where the communication host is a host that uses the source host as the communication target for the virtual machine.
With reference to the sixth aspect of the embodiments of the present invention, in a first implementation of the sixth aspect, the configuration injection module is specifically configured to execute the first network configuration and generate a second network configuration matching the destination host;
and the host further includes:
a second configuration sending module, configured to send the second network configuration to the management platform, so that the management platform saves the second network configuration as the network configuration of the virtual machine in the destination host.
With reference to the first implementation of the sixth aspect, in a second implementation of the sixth aspect, the host further includes:
an interface information allocation module, configured to send virtual network interface information allocated to the virtual machine to the management platform.
With reference to any one of the sixth aspect to the second implementation of the sixth aspect, in a third implementation of the sixth aspect, the host further includes:
a first policy receiving module, configured to receive an original security policy sent by the management platform, where the original security policy is the security policy of the virtual machine in the source host;
a security policy injection module, configured to inject the original security policy into the destination host.
A seventh aspect of the embodiments of the present invention provides a management platform, including:
a configuration acquiring module, configured to, when the management platform detects that a virtual machine has been created in a host, acquire the network configuration corresponding to the virtual machine;
a third configuration sending module, configured to send the network configuration corresponding to the virtual machine to the host, so that the host updates its forwarding table according to the network configuration;
a second policy sending module, configured to, when the management platform detects that the virtual machine has been created in the host, send the security policy corresponding to the virtual machine to the host, so that the host executes the security policy.
With reference to the seventh aspect of the embodiments of the present invention, in a first implementation of the seventh aspect, the configuration acquiring module specifically includes:
an information display unit, configured to display a list of network card information corresponding to the virtual machine and prompt the user to set the network configuration corresponding to the virtual machine according to the network card information list;
a configuration receiving unit, configured to receive the network configuration corresponding to the virtual machine set by the user.
With reference to the seventh aspect of the embodiments of the present invention, in a second implementation of the seventh aspect, the configuration acquiring module is specifically configured to automatically generate the network configuration corresponding to the virtual machine according to the communication state of the virtual machine.
本发明实施例第八方面提供了一种主机,包括:An eighth aspect of the embodiments of the present invention provides a host, including:
接收模块,用于当所述主机监测到虚拟机在主机中创建完成时,接收管理平台发送的所述虚拟机对应的网络配置与安全策略;a receiving module, configured to: when the host detects that the virtual machine is created in the host, receive a network configuration and a security policy corresponding to the virtual machine sent by the management platform;
配置执行模块,用于按照所述网络配置更新转发表;And an execution execution module, configured to update the forwarding table according to the network configuration;
策略执行模块,用于执行所述安全策略。a policy execution module, configured to execute the security policy.
结合本发明实施例的第八方面,本发明实施例第八方面的第一种实现方式中,所述主机还包括:With reference to the eighth aspect of the embodiments of the present invention, in a first implementation manner of the eighth aspect of the embodiments, the host further includes:
创建模块,用于当所述主机监测到虚拟机在所述主机中创建完成时,为所述虚拟机的每个虚拟网络接口创建一条规则链;a creating module, configured to create a rule chain for each virtual network interface of the virtual machine when the host monitors that the virtual machine is created in the host;
当所述安全策略包括过滤规则时,所述策略执行模块具体用于,将所述过滤规则加入到对应的规则链中。When the security policy includes a filtering rule, the policy execution module is specifically configured to add the filtering rule to a corresponding rule chain.
结合本发明实施例第八方面的第一种实现方式,本发明实施例第八方面的第二种实现方式中,当所述安全策略还包括QoS策略时,所述策略执行模块具体用于,将所述过滤规则加入到对应的规则链并按照所述QoS策略为对应的虚拟网络接口设置分类器。With reference to the first implementation manner of the eighth aspect of the embodiment of the present invention, in the second implementation manner of the eighth aspect of the embodiment of the present invention, when the security policy further includes a QoS policy, the policy execution module is specifically configured to: Adding the filtering rule to the corresponding rule chain and setting a classifier for the corresponding virtual network interface according to the QoS policy.
从以上技术方案可以看出,本发明实施例具有以下优点:本发明实施例中,当管理平台接收到对虚拟机的迁移请求时,该管理平台根据迁移请求发送第一网络配置到目的主机,该第一网络配置为该虚拟机在源主机中的网络配置,使得目的主机将该第一网络配置注入该目的主机,当迁移完成时,管理平台通知通信主机选择该目的主机作为通信目标,该通信主机是以源主机作为虚拟机的通信目标的主机,这样,通过管理平台与目的主机的交互配合,在迁移过程中, 将虚拟机在源主机中的网络配置同步到了虚拟机迁移的目的主机中,实现了虚拟机迁移时,其对应的网络配置的同步迁移。As can be seen from the foregoing technical solutions, the embodiment of the present invention has the following advantages: In the embodiment of the present invention, when the management platform receives the migration request for the virtual machine, the management platform sends the first network configuration to the destination host according to the migration request. The first network is configured as a network configuration of the virtual machine in the source host, so that the destination host injects the first network configuration into the destination host. When the migration is completed, the management platform notifies the communication host to select the destination host as the communication target. The communication host is the host of the source host as the communication target of the virtual machine, so that through the interaction between the management platform and the destination host, during the migration process, Synchronize the network configuration of the virtual machine in the source host to the destination host of the virtual machine migration, and realize the synchronous migration of the corresponding network configuration when the virtual machine is migrated.
Description of the drawings
FIG. 1 is a schematic flowchart of a virtual machine migration method according to an embodiment of the present invention;
FIG. 2 is another schematic flowchart of a virtual machine migration method according to an embodiment of the present invention;
FIG. 3 is a schematic flowchart of a configuration distribution method according to an embodiment of the present invention;
FIG. 4 is another schematic flowchart of a configuration distribution method according to an embodiment of the present invention;
FIG. 5 is a schematic structural diagram of a management platform according to an embodiment of the present invention;
FIG. 6 is another schematic structural diagram of a management platform according to an embodiment of the present invention;
FIG. 7 is another schematic structural diagram of a management platform according to an embodiment of the present invention;
FIG. 8 is another schematic structural diagram of a management platform according to an embodiment of the present invention;
FIG. 9 is a schematic structural diagram of a host according to an embodiment of the present invention;
FIG. 10 is another schematic structural diagram of a host according to an embodiment of the present invention;
FIG. 11 is another schematic structural diagram of a host according to an embodiment of the present invention;
FIG. 12 is another schematic structural diagram of a host according to an embodiment of the present invention;
FIG. 13 is another schematic structural diagram of a management platform according to an embodiment of the present invention;
FIG. 14 is another schematic structural diagram of a management platform according to an embodiment of the present invention;
FIG. 15 is another schematic structural diagram of a host according to an embodiment of the present invention;
FIG. 16 is another schematic structural diagram of a host according to an embodiment of the present invention;
FIG. 17 is a structural diagram of one scenario of the virtual machine migration method according to an embodiment of the present invention;
FIG. 18 is a schematic structural diagram of a policy management system according to an embodiment of the present invention;
FIG. 19 is a schematic structural diagram of a server according to an embodiment of the present invention.
Detailed description
The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the accompanying drawings. Obviously, the described embodiments are only some, not all, of the embodiments of the present invention. All other embodiments obtained by a person skilled in the art based on the embodiments of the present invention without creative effort fall within the protection scope of the present invention.
The virtual machine migration method in the embodiments of the present invention is described below from the perspective of the management platform and from the perspective of the host.
1. Operation of the management platform:
Referring to FIG. 1, an embodiment of the virtual machine migration method in the embodiments of the present invention includes:
101. When a management platform receives a migration request for a virtual machine, the management platform sends a first network configuration to a destination host according to the migration request, so that the destination host injects the first network configuration into the destination host;
where the first network configuration is the network configuration of the virtual machine in a source host, and the migration request requests that the virtual machine be migrated from the source host to the destination host.
When a migration event for a virtual machine is issued, the virtual machine management system begins migrating the virtual machine. While the virtual machine management system migrates the virtual machine, the management platform can, according to the migration request generated by the migration event, send the first network configuration to the destination host so that the destination host injects the first network configuration into itself. In practice, injecting the first network configuration into the destination host can mean injecting it into the kernel control module of the destination host. The first network configuration is the network configuration of the virtual machine in the source host as stored in a database, and the migration request requests that the virtual machine be migrated from the source host to the destination host.
It can be understood that the migration request may be received directly by the management platform, or it may be received by the virtual machine management system and then forwarded to the management platform; this is not limited here.
The virtual machine management system migrates the virtual machine itself, whereas the management platform manages and migrates the configuration and policies of the virtual machine. The management platform may be located within the virtual machine management system or be independent of it; this is not limited here.
It should be noted that the network configuration of the virtual machine may be stored in a database or in some other manner. If it is stored in a database, the stored network configuration of the virtual machine in the source host may have been synchronized to the database by the source host while the virtual machine was running on the source host. In addition, the migration event may be issued by an administrator, or by the management platform or another related system according to a preset trigger condition; this is not limited here.
The network configuration may include virtual network interface addresses, the kernel forwarding table, tunnel configuration, and the like.
102. When the management platform receives migration completion information sent by the destination host, the management platform notifies the communication hosts to select the destination host as the communication target;
where a communication host is a host that uses the source host as the communication target for the virtual machine.
When the management platform receives the migration completion information sent by the destination host, the management platform notifies the communication hosts to select the destination host as the communication target. In practice, the management platform may send a selection message to the communication hosts. The migration completion information may be sent by the control node of the destination host and indicates that the migration of the virtual machine is complete; the selection message notifies a communication host to select the destination host as the communication target for the virtual machine; and a communication host is a host that used the source host as the communication target for the virtual machine.
In this embodiment of the present invention, when the management platform receives a migration request for a virtual machine, it sends the first network configuration to the destination host according to the migration request, the first network configuration being the network configuration of the virtual machine in the source host, so that the destination host injects the first network configuration into itself. When the migration is complete, the management platform notifies the communication hosts to select the destination host as the communication target, a communication host being a host that used the source host as the communication target for the virtual machine. In this way, through the cooperation of the management platform and the destination host, the network configuration of the virtual machine in the source host is synchronized to the destination host during the migration, so that the corresponding network configuration is migrated synchronously with the virtual machine.
Optionally, after the management platform sends the first network configuration to the destination host according to the migration request, the management platform may receive a second network configuration sent by the destination host. The second network configuration is a network configuration that the destination host generates from the first network configuration and that matches the destination host; in practice, it may be generated by the kernel control module of the destination host when the destination host injects the first network configuration into itself. After receiving the second network configuration, the management platform may store it as the network configuration of the virtual machine in the destination host.
In this way, the network configuration in the source host is migrated to the new host, and the new network configuration is stored after being matched to the new host, which prepares for the next migration: whenever the virtual machine is migrated again, its corresponding network configuration can again be migrated synchronously, keeping virtual machine migration and network configuration migration in step.
Optionally, when the management platform receives the migration request for the virtual machine, the management platform may issue a redundancy policy to the communication hosts according to the migration request. The redundancy policy enables the source host and the destination host to receive the network data of the virtual machine at the same time. The redundancy policy may be implemented as follows: the virtual machine management system sends migration instruction information to the destination host, which triggers the destination host to send the virtual network interface information allocated to the virtual machine to the management platform; after receiving this virtual network interface information from the destination host, the management platform may send it to the communication hosts, so that each communication host, according to the redundancy policy and the virtual network interface information, sends the network data of the virtual machine to both the source host and the destination host. The management platform may also synchronize the virtual network interface information into an interface database.
It can be understood that after the communication hosts have selected the destination host as the communication target, the management platform may also send the communication hosts a message canceling the redundancy policy. In practice, since the destination host has already been selected as the communication target of the communication hosts, the message canceling the redundancy policy may also be omitted; this is not limited here.
In this way, by means of the redundancy policy, the source host and the destination host both receive the network data that the communication hosts send to the virtual machine during the migration. This avoids losing network data sent to the virtual machine during the migration and ensures that the data the virtual machine receives during the migration is complete. After the migration is complete, the redundancy policy is canceled, improving the efficiency of system operation.
Optionally, when the management platform receives the migration request for the virtual machine, the management platform may also send the original security policy to the destination host according to the migration request. The original security policy is the security policy of the virtual machine in the source host, and the destination host injects the original security policy into itself; in practice, into the kernel control module of the destination host.
It can be understood that after the original security policy has been sent to the destination host and adapted there into a new security policy matching the new host, the management platform may also store the new security policy as the security policy of the virtual machine in the destination host, in preparation for the next migration.
The security policy may be a rule chain or a quality of service (QoS) policy.
In this way, unified migration of the network configuration and the security policy is achieved: when the virtual machine is migrated, the network configuration and the security policy are migrated synchronously with it, ensuring that the security level of the migrated virtual machine is unaffected.
2. Operation of the host:
Referring to FIG. 2, another embodiment of the virtual machine migration method in the embodiments of the present invention includes:
201. The destination host receives the first network configuration sent by the management platform;
When the management platform receives a migration request for a virtual machine and sends the first network configuration corresponding to the virtual machine to the destination host, the destination host receives the first network configuration sent by the management platform; in practice, the control node of the destination host may receive it. The first network configuration is the network configuration of the virtual machine in the source host as stored in the database.
It can be understood that, at the same time, the virtual machine management system is migrating the virtual machine according to the migration request.
202. The destination host injects the first network configuration into the destination host;
After receiving the first network configuration, the destination host injects it into itself; in practice, the control node of the destination host may inject the first network configuration into the kernel control module of the destination host.
203. When the destination host detects that the migration of the virtual machine is complete, the destination host sends migration completion information to the management platform, so that the management platform notifies the communication hosts to select the destination host as the communication target.
After the administrator issues a migration event for the virtual machine, the virtual machine management system migrates the virtual machine. The destination host (in practice, the control node in the destination host) can monitor the migration of the virtual machine by the virtual machine management system. When the destination host detects that the migration is complete, it sends migration completion information to the management platform, so that the management platform notifies the communication hosts to select the destination host as the communication target, a communication host being a host that uses the source host as the communication target for the virtual machine.
In this embodiment of the present invention, the destination host receives the first network configuration sent by the management platform, the first network configuration being the network configuration of the virtual machine in the source host, and injects it into itself. When the destination host detects that the migration of the virtual machine is complete, it sends migration completion information to the management platform, so that the management platform notifies the communication hosts to select the destination host as the communication target. In this way, through the cooperation of the management platform and the destination host, the network configuration of the virtual machine in the source host is synchronized to the destination host during the migration, so that the corresponding network configuration is migrated synchronously with the virtual machine.
Optionally, the destination host injecting the first network configuration into itself may consist of executing the first network configuration. In practice, the kernel control module of the destination host may execute the first network configuration and generate a second network configuration that matches the destination host; the destination host may then send the second network configuration to the management platform, so that the management platform stores it as the network configuration of the virtual machine in the destination host.
In this way, the network configuration from the source host is injected into the destination host, matched to the destination host and only then stored, which prepares for the next migration: whenever the virtual machine is migrated again, its corresponding network configuration can again be migrated synchronously, keeping virtual machine migration and network configuration migration in step.
Optionally, while the virtual machine management system migrates the virtual machine, the destination host may send the virtual network interface information allocated to the virtual machine to the management platform, so that the management platform sends this virtual network interface information to the communication hosts and the communication hosts send the network data of the virtual machine to both the source host and the destination host; the management platform may also synchronize the virtual network interface information into the interface database.
Because the communication hosts send the network data of the virtual machine to both the source host and the destination host, network data sent to the virtual machine is not lost during the migration, ensuring that the data the virtual machine receives during the migration is complete.
Optionally, while the virtual machine management system migrates the virtual machine, the destination host may receive the original security policy sent by the management platform; in practice, the control node of the destination host may receive it. The original security policy is the security policy of the virtual machine in the source host, and the control node of the destination host may inject it into the kernel control module of the destination host.
It can be understood that after executing the original security policy, the kernel control module of the destination host can adapt it into a new security policy matching the destination host and send the new security policy to the management platform, so that the management platform can store it as the security policy of the virtual machine in the destination host, in preparation for the next migration.
The security policy may include a rule chain or a quality of service (QoS) policy.
In this way, when the virtual machine is migrated, unified migration of the network configuration and the security policy is achieved, ensuring that the security level of the migrated virtual machine is unaffected.
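The exchange described in steps 101, 102 and 201 to 203 above, together with the optional second network configuration and the redundancy policy, as an added worked example that is not part of the patent: a small Python simulation in which the management platform, the source host, the destination host and one communication host are plain objects. The layout of the network configuration (a VIF address, a tunnel endpoint and forwarding table entries), the layout of the security policy, the message names and the choice to treat the "select destination" notification as also canceling the redundancy policy are assumptions made for the illustration; the patent leaves those details open.

```python
"""Added example (not the patent's code): simulation of the migration protocol
between the management platform, the destination host and a communication host.
The configuration and policy layouts below are assumed for the illustration."""
from dataclasses import dataclass, replace


@dataclass
class NetConfig:
    """Network configuration of one VM as the platform stores it (assumed layout)."""
    vm_id: str
    vif_mac: str            # virtual network interface address
    tunnel_endpoint: str    # IP of the host that terminates the VM's tunnel
    forwarding: dict        # kernel forwarding table entries: MAC -> local port


@dataclass
class SecurityPolicy:
    """Original security policy: filter rules plus a QoS class (assumed layout)."""
    filter_rules: list
    qos_class: str = ""


class Host:
    """A compute host; inject() plays the role of its kernel control module."""

    def __init__(self, name, ip):
        self.name, self.ip = name, ip
        self.forwarding_table = {}
        self.tunnel_endpoint = None
        self.policies = {}        # vm_id -> SecurityPolicy installed locally
        self.received = []        # (vm_id, payload) frames delivered to this host

    def inject(self, cfg, policy):
        # Execute the first configuration, then emit the "second" configuration
        # matched to this host: same VIF address and forwarding entries, but the
        # tunnel now terminates on this host's own IP.
        self.forwarding_table.update(cfg.forwarding)
        self.tunnel_endpoint = self.ip
        self.policies[cfg.vm_id] = policy
        return replace(cfg, tunnel_endpoint=self.ip)

    def deliver(self, vm_id, payload):
        self.received.append((vm_id, payload))


class CommunicationHost:
    """A host that talks to the VM; targets[vm_id] lists where its frames go."""

    def __init__(self, name):
        self.name = name
        self.targets = {}

    def send(self, vm_id, payload):
        for host in self.targets[vm_id]:
            host.deliver(vm_id, payload)


class ManagementPlatform:
    def __init__(self, comm_hosts):
        self.net_db = {}        # vm_id -> NetConfig (the stored "first" config)
        self.policy_db = {}     # vm_id -> SecurityPolicy
        self.comm_hosts = comm_hosts
        self.in_flight = {}     # vm_id -> (src, dst) while a migration runs

    def on_vm_created(self, host, cfg, policy):
        # Configuration distribution at creation time: the host injects the
        # config and policy, and the platform stores what the host reports back.
        self.net_db[cfg.vm_id] = host.inject(cfg, policy)
        self.policy_db[cfg.vm_id] = policy
        for c in self.comm_hosts:
            c.targets[cfg.vm_id] = [host]

    def on_migration_request(self, vm_id, src, dst):
        # Step 101: push the first network configuration and the original policy
        # to the destination; the destination answers with the second
        # configuration, which replaces the stored one for the next migration.
        first = self.net_db[vm_id]
        self.net_db[vm_id] = dst.inject(first, self.policy_db[vm_id])
        # Redundancy policy: until completion, communication hosts send to both.
        for c in self.comm_hosts:
            c.targets[vm_id] = [src, dst]
        self.in_flight[vm_id] = (src, dst)

    def on_migration_complete(self, vm_id):
        # Step 102 (after step 203): select the destination as the sole
        # communication target, which also cancels the redundancy policy.
        _src, dst = self.in_flight.pop(vm_id)
        for c in self.comm_hosts:
            c.targets[vm_id] = [dst]


def simulate_migration():
    """Run one migration and return what each party observed (constructed data)."""
    src, dst = Host("host-A", "10.0.0.1"), Host("host-B", "10.0.0.2")
    comm = CommunicationHost("host-C")
    platform = ManagementPlatform([comm])
    cfg = NetConfig("vm-1", "52:54:00:00:00:01", None, {"52:54:00:00:00:01": "vnet0"})
    policy = SecurityPolicy(["accept only frames from 52:54:00:00:00:01"], "gold")
    platform.on_vm_created(src, cfg, policy)
    comm.send("vm-1", "before")                 # only the source host has the VM
    platform.on_migration_request("vm-1", src, dst)
    comm.send("vm-1", "during")                 # redundancy: both hosts receive it
    platform.on_migration_complete("vm-1")      # destination reported completion
    comm.send("vm-1", "after")                  # only the destination host now
    return {
        "src_received": [p for _, p in src.received],
        "dst_received": [p for _, p in dst.received],
        "stored_tunnel_endpoint": platform.net_db["vm-1"].tunnel_endpoint,
        "dst_qos_class": dst.policies["vm-1"].qos_class,
        "dst_forwarding": dict(dst.forwarding_table),
    }
```

The point the simulation makes visible is the ordering: the destination host must hold the injected configuration and policy before the redundancy window opens, otherwise the "during" frame would reach a host with no rule chain for the VM; and the stored configuration after completion is the destination-matched second configuration, not the original one.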
下面分别从管理平台与主机的角度对本发明实施例中配置分发方法进行描述。The configuration and distribution method in the embodiment of the present invention is described below from the perspective of the management platform and the host.
一、管理平台的操作:First, the operation of the management platform:
请参阅图3,本发明实施例中配置分发方法一个实施例包括:Referring to FIG. 3, an embodiment of the configuration distribution method in the embodiment of the present invention includes:
301、当管理平台监测到虚拟机在主机中创建完成时,管理平台获取该虚拟机对应的网络配置; 301. When the management platform detects that the virtual machine is created in the host, the management platform acquires a network configuration corresponding to the virtual machine.
可以理解的是,管理平台可以每隔一段时间主动检测虚拟机是否在主机中创建完成,也可以通过接收到主机发送的虚拟机创建完成消息来确定虚拟机创建完成,此处不做限定。It can be understood that the management platform can detect whether the virtual machine is created in the host at a certain time, and can also determine that the virtual machine is created by receiving the virtual machine creation completion message sent by the host, which is not limited herein.
302、管理平台发送该虚拟机对应的网络配置到该主机,使得该主机按照该网络配置更新转发表;302. The management platform sends a network configuration corresponding to the virtual machine to the host, so that the host updates the forwarding table according to the network configuration.
管理平台获取到该虚拟机对应的网络配置后,将该网络配置发送到虚拟机所在的主机,使得该主机按照该网络配置更新转发表,主机中的转发模块还可以按照该网络配置执行相关策略。After obtaining the network configuration corresponding to the virtual machine, the management platform sends the network configuration to the host where the virtual machine is located, so that the host updates the forwarding table according to the network configuration, and the forwarding module in the host can also perform related policies according to the network configuration. .
303、当管理平台监测到虚拟机在主机中创建完成时,所述管理平台发送所述虚拟机对应的安全策略到所述主机,使得所述主机执行所述安全策略。303. When the management platform detects that the virtual machine is created in the host, the management platform sends the security policy corresponding to the virtual machine to the host, so that the host executes the security policy.
当管理平台监测到虚拟机在主机中创建完成时,该管理平台还可以发送该虚拟机对应的安全策略到该主机,使得该主机执行该安全策略。When the management platform detects that the virtual machine is created in the host, the management platform can also send the security policy corresponding to the virtual machine to the host, so that the host executes the security policy.
本发明实施例中,当管理平台监测到虚拟机在主机中创建时,管理平台可以获取该虚拟机对应的网络配置,再将该网络配置发送给该主机,同时,管理平台还可以发送该虚拟机对应的安全策略到该主机,使得该主机执行该安全策略,这样由管理平台进行网络配置与安全策略的统一分发,简化了用户需要进行的操作,提高了网络配置与安全策略分发的效率与准确度。In the embodiment of the present invention, when the management platform detects that the virtual machine is created in the host, the management platform may obtain the network configuration corresponding to the virtual machine, and then send the network configuration to the host, and the management platform may also send the virtual The security policy corresponding to the machine is sent to the host, so that the host executes the security policy, so that the management platform performs unified distribution of the network configuration and the security policy, simplifies the operations required by the user, and improves the efficiency of network configuration and security policy distribution. Accuracy.
上面实施例中,管理平台获取该虚拟机对应的网络配置,在实际应用中,管理平台可以通过多种方式获取到该虚拟机对应的网络配置,下面以其中两种为例:In the above embodiment, the management platform obtains the network configuration corresponding to the virtual machine. In the actual application, the management platform can obtain the network configuration corresponding to the virtual machine in multiple manners.
可选的,管理平台可以显示该虚拟机对应的网卡信息列表,提示用户根据该网卡信息列表设置该虚拟机对应的网络配置,当用户设置完成后,管理平台可以接收用户设置的该虚拟机对应的网络配置。Optionally, the management platform may display a list of network card information corresponding to the virtual machine, and prompt the user to set a network configuration corresponding to the virtual machine according to the network card information list. After the user is configured, the management platform may receive the virtual machine corresponding to the user. Network configuration.
这样可以减少用户的操作,准确的将用户设置的网络配置发送到主机。This can reduce the user's operation and accurately send the network configuration set by the user to the host.
可选的,管理平台还可以根据该虚拟机的通信状态生成该虚拟机对应的网络设置。Optionally, the management platform may further generate a network setting corresponding to the virtual machine according to the communication state of the virtual machine.
这样自动化的生成网络设置,进一步减少了用户需要进行的操作,提高了虚拟机网络配置创建的效率。This automated generation of network settings further reduces the need for users to perform operations and improves the efficiency of virtual machine network configuration creation.
In the above embodiment, the management platform may also send the security policy corresponding to the virtual machine to the host so that the host executes it. In practice, the security policy may include filtering rules or QoS policies, among others.
Optionally, as another embodiment of the configuration distribution method, the management platform sending the security policy corresponding to the virtual machine to the host so that the host executes it may specifically include: the management platform sends the filtering rules to the host (in practice, to the host's control node), so that the host adds the filtering rules to the corresponding rule chain, where the rule chains are generated by the host for each virtual network interface of the virtual machine.
It should be noted that each virtual network interface can be distinguished from the others. One way to do so is, in the kernel communication module, to set the mark of the kernel network data structure sk_buff (the mark being composed of the virtual machine ID and the virtual network interface ID) and to keep this mark in the sk_buff rather than in the data frame. The mark can be recognized by the existing firewall and QoS mechanisms, so each virtual network interface can be identified locally without modifying the contents of the network frame.
Once the rule chains are set up, during data processing the host's control node can use NF_HOOK to hand data frames to netfilter; the host's control node receives, in the PREROUTING and POSTROUTING chains of ebtables, the data frames handed to netfilter, identifies the origin of each frame from the mark that was set, and passes the data to the corresponding rule chain for processing. Finally, the data can be encapsulated and forwarded through a tunnel.
Optionally, the management platform sending the security policy corresponding to the virtual machine to the host so that the host executes it may further include: when the virtual machine is created on the host, the management platform can also send the stored QoS policy to the host (in practice, to the host's control node). The QoS policy is generated from the settings the administrator made for each virtual network interface of the virtual machine, and the host (in practice, its control node) sets a classifier for the corresponding virtual network interface according to the QoS policy.
The QoS policy can also be stored in the management platform; the sending side of a virtual network interface corresponds to ingress QoS and the receiving side to egress QoS.
Once the QoS policy has been set up, data is processed as follows. On the sending side, before the kernel encapsulates the data in UDP, the same mark can be applied to the sk_buff and the data frame handed to ingress QoS with the Qdisc->enqueue method; the Qdisc finds the corresponding QoS policy from the mark and processes the frame, after which the data is encapsulated in a UDP packet and sent out. On the receiving side, after the kernel obtains the packet, decapsulates it and applies the receiving-side mark, it hands the data frame to the Qdisc for egress QoS.
In this way, after distributing the network configuration, the management platform can uniformly distribute security policies including filtering rules or QoS policies, achieving centralized distribution of network configuration and security policy and improving the efficiency of distribution.
II. Operation of the host:
Referring to FIG. 4, another embodiment of the configuration distribution method in an embodiment of the present invention includes:
401. When the host detects that a virtual machine has been created on the host, the host receives the network configuration and security policy corresponding to the virtual machine sent by the management platform;
When the host detects that the virtual machine has been created on the host, the management platform sends the network configuration and security policy corresponding to the virtual machine to the host (in practice, to the host's control node). The security policy may be generated from the settings the administrator made for each virtual network interface of the virtual machine, and the host receives the network configuration and security policy sent by the management platform.
402. The host updates the forwarding table according to the network configuration;
After receiving the network configuration, the host updates its forwarding table according to it. In practice, the host's control node receives the network configuration and injects it into the host's kernel control module, and the kernel control module updates the forwarding table according to the network configuration.
403. The host executes the security policy;
After receiving the security policy, the host executes it. In practice, the control node in the host receives the security policy and injects it into the host's kernel control module, and the kernel control module executes the security policy.
It can be understood that step 403 may also take place before step 402; this is not limited here.
In this embodiment of the present invention, when a virtual machine has been created on a host, the host receives the network configuration and security policy sent by the management platform, updates its forwarding table according to the network configuration and executes the policy. The management platform thus distributes the network configuration and security policy, and the host's control node receives and injects them, which simplifies the operations the user has to perform and achieves centralized distribution of network configuration and security policy.
Optionally, as another embodiment of the configuration distribution method, when the host detects that a virtual machine has been created on the host, the host may create a rule chain for each virtual network interface of the virtual machine;
The security policy may include filtering rules; in that case the host executing the security policy may specifically be: the host adds the filtering rules to the corresponding rule chain.
It should be noted that each virtual network interface can be distinguished from the others. One way to do so is, in the kernel communication module, to set the mark of the kernel network data structure sk_buff (the mark being composed of the virtual machine ID and the virtual network interface ID) and to keep this mark in the sk_buff rather than in the data frame. The mark can be recognized by the existing firewall and QoS mechanisms, so each virtual network interface can be identified locally without modifying the contents of the network frame.
Once the rule chains are set up, during data processing the host's control node can use NF_HOOK to hand data frames to netfilter; the host's control node receives, in the PREROUTING and POSTROUTING chains of ebtables, the data frames handed to netfilter, identifies the origin of each frame from the mark that was set, and passes the data to the corresponding rule chain for processing. Finally, the data can be encapsulated and forwarded through a tunnel.
It can be understood that the filtering rules may be set by the user or generated automatically by the management platform according to the virtual machine's running environment or preset rules; this is not limited here.
Optionally, the security policy may further include a QoS policy, generated from the settings the administrator made for each virtual network interface of the virtual machine; in that case the host executing the security policy may specifically include: adding the filtering rules to the corresponding rule chain and setting a classifier for the corresponding virtual network interface according to the QoS policy.
The QoS policy can also be stored in the management platform; the sending side of a virtual network interface corresponds to ingress QoS and the receiving side to egress QoS.
Once the QoS policy has been set up, data is processed as follows. On the sending side, before the kernel encapsulates the data in UDP, the same mark can be applied to the sk_buff and the data frame handed to ingress QoS with the Qdisc->enqueue method; the Qdisc finds the corresponding QoS policy from the mark and processes the frame, after which the data is encapsulated in a UDP packet and sent out. On the receiving side, after the kernel obtains the packet, decapsulates it and applies the receiving-side mark, it hands the data frame to the Qdisc for egress QoS.
In this way, when the security policy is distributed to the host, not only filtering rules but also QoS policies can be distributed, further safeguarding the security of the virtual machine.
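The mark-based data path described in this host embodiment and in the management platform embodiment above (an sk_buff mark made of the VM ID and vNIC ID that never touches the frame bytes, a rule chain per vNIC selected by that mark, ingress QoS before UDP encapsulation and egress QoS after decapsulation), as an added Python model; it is not code from the patent or from the applicant. The mark layout, the ethertype-match rule format, the token-bucket classifier and the tunnel UDP ports are assumptions made for illustration; in a real host these roles are played by ebtables chains and Qdiscs in the kernel.

```python
"""Data-path model of the per-vNIC filtering and QoS described in the text:
each sk_buff carries a mark (VM id, vNIC id) outside the frame bytes, the mark
selects the vNIC's rule chain and QoS classifier, and the frame is tunnelled
in UDP unchanged.  Added example, not the patent's code.  The mark layout, the
rule format, the token-bucket classifier and the tunnel ports are assumptions."""
from dataclasses import dataclass, field
import struct

VNIC_BITS = 16                  # assumed layout: mark = vm_id << 16 | vnic_id


def make_mark(vm_id, vnic_id):
    return (vm_id << VNIC_BITS) | (vnic_id & ((1 << VNIC_BITS) - 1))


@dataclass
class SkBuff:
    data: bytes                 # the Ethernet frame; never rewritten
    mark: int = 0               # metadata only, like sk_buff.mark


@dataclass
class RuleChain:
    """Per-vNIC chain; a rule is (ethertype or None for any, verdict)."""
    rules: list = field(default_factory=list)
    default: str = "DROP"

    def verdict(self, frame):
        ethertype = struct.unpack("!H", frame[12:14])[0]
        for match, verdict in self.rules:
            if match is None or match == ethertype:
                return verdict
        return self.default


@dataclass
class TokenBucket:
    """Per-vNIC classifier (assumed): `rate` bytes per tick, `burst` bytes max."""
    rate: int
    burst: int
    tokens: int = 0

    def tick(self):
        self.tokens = min(self.burst, self.tokens + self.rate)

    def enqueue(self, skb):
        """Qdisc->enqueue: accept the frame only if the vNIC still has budget."""
        if len(skb.data) > self.tokens:
            return False
        self.tokens -= len(skb.data)
        return True


class KernelControlModule:
    """One host's tables: rule chain and ingress/egress classifiers per mark,
    destination MAC -> mark for the receive side, and the tunnel UDP ports."""

    def __init__(self, sport=4789, dport=4789):
        self.chains, self.qos, self.mac_to_mark = {}, {}, {}
        self.sport, self.dport = sport, dport

    def create_vnic(self, vm_id, vnic_id, mac, rate, burst):
        """On VM creation: one chain and one classifier per direction per vNIC."""
        mark = make_mark(vm_id, vnic_id)
        self.chains[mark] = RuleChain()
        self.qos[mark] = {"ingress": TokenBucket(rate, burst, burst),
                          "egress": TokenBucket(rate, burst, burst)}
        self.mac_to_mark[mac] = mark
        return mark

    def add_filter_rule(self, mark, ethertype, verdict):
        """Filtering rule distributed by the platform, added to the vNIC's chain."""
        self.chains[mark].rules.append((ethertype, verdict))

    def transmit(self, skb):
        """Sending side: dispatch to the chain chosen by the mark, then ingress
        QoS, then UDP encapsulation.  Returns the tunnel packet or None if dropped."""
        if self.chains[skb.mark].verdict(skb.data) != "ACCEPT":
            return None
        if not self.qos[skb.mark]["ingress"].enqueue(skb):
            return None
        udp = struct.pack("!HHHH", self.sport, self.dport, 8 + len(skb.data), 0)
        return udp + skb.data

    def receive(self, packet):
        """Receiving side: decapsulate, set the receive-side mark from the
        destination MAC, then egress QoS.  Returns the SkBuff or None."""
        frame = packet[8:]
        skb = SkBuff(frame, self.mac_to_mark[frame[0:6]])
        return skb if self.qos[skb.mark]["egress"].enqueue(skb) else None


def ethernet_frame(dst, src, ethertype, payload):
    """Constructed test frame: 14-byte Ethernet header plus payload."""
    return dst + src + struct.pack("!H", ethertype) + payload
```

The point to check when modelling this is that `transmit` and `receive` leave `skb.data` byte-for-byte identical to the original frame: the vNIC identity rides only in the mark, so a chain or classifier for the wrong vNIC can never be selected by tampering with frame contents from inside the guest.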
The management platform used for virtual machine migration in an embodiment of the present invention is described below. Referring to FIG. 5, one embodiment of the management platform 500 in an embodiment of the present invention includes:
a first configuration sending module 501, configured to, when a migration request for a virtual machine is received, send a first network configuration to the destination host according to the migration request, so that the destination host injects the first network configuration into the destination host, where the first network configuration is the network configuration of the virtual machine in the source host and the migration request requests migration of the virtual machine from the source host to the destination host;
a selection module 502, configured to, when migration completion information sent by the destination host is received, notify the communication hosts to select the destination host as the communication target, where a communication host is a host that uses the source host as its communication target for the virtual machine.
In this embodiment of the present invention, when a migration request for a virtual machine is received, the first configuration sending module 501 sends the first network configuration to the destination host according to the migration request, the first network configuration being the network configuration of the virtual machine in the source host, so that the destination host injects the first network configuration into itself; when the migration is complete, the selection module 502 notifies the communication hosts to select the destination host as the communication target. Through this cooperation between the management platform and the destination host, the network configuration of the virtual machine in the source host is synchronized to the destination host during migration, so that the network configuration corresponding to the virtual machine is migrated in step with the virtual machine.
Optionally, referring to FIG. 6, in another embodiment of the management platform 600 in an embodiment of the present invention, the management platform 600 may further include:
a second configuration receiving module 601, configured to receive a second network configuration sent by the destination host, where the second network configuration is a network configuration matching the destination host that the destination host generates according to the first network configuration;
a configuration saving module 602, configured to save the second network configuration as the network configuration of the virtual machine in the destination host.
In this way, the network configuration from the source host is migrated to the new host and, after being matched to the new host, is synchronized by the configuration saving module 602 to the database in preparation for the next migration, so that whenever the virtual machine is migrated again, its corresponding network configuration can be migrated in step, ensuring that virtual machine migration and network configuration migration stay synchronized.
Optionally, referring to FIG. 7, in another embodiment of the management platform 700 in an embodiment of the present invention, the management platform 700 may further include:
a redundancy issuing module 701, configured to issue a redundancy policy to the communication hosts according to the migration request, where the redundancy policy enables the source host and the destination host to receive the virtual machine's network data simultaneously;
an interface information receiving module 702, configured to receive the virtual network interface information allocated to the virtual machine that is sent by the destination host;
an interface information sending module 703, configured to send the virtual network interface information to the communication hosts, so that the communication hosts send the virtual machine's network data to both the source host and the destination host according to the redundancy policy and the network interface information;
In this way, by means of the redundancy policy, the source host and the destination host can both receive the network data that the relevant hosts send to the virtual machine during migration, so no network data sent to the virtual machine is lost and the data the virtual machine receives during migration is complete. After the migration is complete, the redundancy policy is cancelled, which improves the operating efficiency of the system.
Optionally, referring to FIG. 8, in another embodiment of the management platform 800 in an embodiment of the present invention, the management platform 800 may further include:
a first policy sending module 801, configured to, when the virtual machine management system migrates the virtual machine, send the original security policy to the destination host according to the migration request, where the original security policy is the security policy of the virtual machine in the source host, so that the destination host injects the original security policy into the destination host.
In this way, unified migration of network configuration and security policy is achieved: when the virtual machine is migrated, the network configuration and the security policy are migrated together, ensuring that the security level of the migrated virtual machine is not affected.
The host used as the destination host for virtual machine migration in an embodiment of the present invention is described below. Referring to FIG. 9, one embodiment of the host 900 in an embodiment of the present invention includes:
a first configuration receiving module 901, configured to receive the first network configuration sent by the management platform, where the first network configuration is the network configuration of the virtual machine in the source host;
a configuration injection module 902, configured to inject the first network configuration into the destination host;
a completion information sending module 903, configured to, when the destination host detects that the migration of the virtual machine is complete, send migration completion information to the management platform, so that the management platform notifies the communication hosts to select the destination host as the communication target, where a communication host is a host that uses the source host as its communication target for the virtual machine.
In this embodiment of the present invention, the first configuration receiving module 901 receives the first network configuration sent by the management platform, the first network configuration being the network configuration of the virtual machine in the source host; the configuration injection module 902 injects the first network configuration into the destination host; and when the destination host detects that the migration of the virtual machine is complete, the completion information sending module 903 sends migration completion information to the management platform, so that the management platform notifies the communication hosts to select the destination host as the communication target. Through this cooperation between the management platform and the destination host, the network configuration of the virtual machine in the source host is synchronized to the destination host during migration, so that the network configuration corresponding to the virtual machine is migrated in step with the virtual machine.
Optionally, referring to FIG. 10, in another embodiment of the host 1000 in an embodiment of the present invention, the configuration injection module 902 is specifically configured to execute the first network configuration and generate a second network configuration matching the destination host;
the host 1000 further includes a second configuration sending module 1001, configured to send the second network configuration to the management platform, so that the management platform saves the second network configuration as the network configuration of the virtual machine in the destination host.
In this way, the network configuration from the source host is injected into the destination host, matched to the destination host and then synchronized to the database in preparation for the next migration, so that whenever the virtual machine is migrated again, its corresponding network configuration can be migrated in step, ensuring that virtual machine migration and network configuration migration stay synchronized.
Optionally, referring to FIG. 11, in another embodiment of the host 1100 in an embodiment of the present invention, the host 1100 may further include:
an interface information allocation module 1101, configured to send the virtual network interface information allocated to the virtual machine to the management platform, so that the management platform sends the virtual network interface information to the communication hosts, enabling the communication hosts to send the virtual machine's network data to both the source host and the destination host; the management platform may also synchronize the virtual network interface information into the interface database.
Because the communication hosts send the virtual machine's network data to both the source host and the destination host, no network data sent by the relevant hosts to the virtual machine is lost during migration, and the data the virtual machine receives during migration is complete.
Optionally, referring to FIG. 12, in another embodiment of the host 1200 in an embodiment of the present invention, the host 1200 may further include:
a first policy receiving module 1201, configured to receive the original security policy sent by the management platform, where the original security policy is the security policy of the virtual machine in the source host;
a security policy injection module 1202, configured to inject the original security policy into the destination host.
In this way, when the virtual machine is migrated, unified migration of network configuration and security policy is achieved, ensuring that the security level of the migrated virtual machine is not affected.
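The control-plane exchange described in the migration embodiments above (first network configuration and original security policy to the destination host, redundancy policy and vNIC information to the communication hosts, second configuration saved by the platform, communication hosts switched and redundancy cancelled on the completion message), together with the creation-time distribution of steps 401 to 403 earlier in this section, as an added Python model rather than the patent's own code. Host names, the representation of a network configuration as a table from vNIC to tunnel endpoint, and the method names are assumptions made for illustration.

```python
"""Control-plane model of the configuration distribution (steps 401-403) and
migration flows described in the text: a management platform, the hosts it
manages, and the 'communication hosts' that send a VM its network data.
Added example, not the patent's code.  Host names, the shape of a network
configuration (vNIC -> tunnel endpoint) and the method names are assumptions."""
from dataclasses import dataclass, field


@dataclass
class Host:
    """The control node receives from the platform; the kernel control module
    owns the forwarding table and the executed policies."""
    name: str
    endpoint: str                                   # assumed tunnel endpoint
    forwarding: dict = field(default_factory=dict)  # vnic -> endpoint
    policies: dict = field(default_factory=dict)    # vm -> security policy
    targets: dict = field(default_factory=dict)     # as communication host: vm -> hosts
    redundancy: set = field(default_factory=set)    # vms under the redundancy policy

    def inject_network_config(self, config):
        """Step 402: update the forwarding table from the network configuration."""
        self.forwarding.update(config)

    def execute_policy(self, vm, policy):
        """Step 403: execute the security policy (its order with 402 is not fixed)."""
        self.policies[vm] = dict(policy)

    def execute_as_destination(self, first_config):
        """Execute the source host's (first) configuration and derive the second
        configuration that matches this host: the vNICs now terminate here."""
        self.inject_network_config(first_config)
        second = {vnic: self.endpoint for vnic in first_config}
        self.inject_network_config(second)
        return second

    def sends_to(self, vm):
        """Where this communication host currently sends the VM's network data."""
        return frozenset(self.targets.get(vm, ()))


class ManagementPlatform:
    def __init__(self, hosts):
        self.hosts = {h.name: h for h in hosts}
        self.config_db = {}     # vm -> (host name, network configuration)
        self.policy_db = {}     # vm -> security policy
        self.interface_db = {}  # vm -> vNIC information reported by the host

    def on_vm_created(self, vm, host_name, policy, user_config=None, comm_state=None):
        """Distribute configuration and policy on creation.  The configuration is
        either what the user set from the NIC list (user_config) or generated from
        the VM's communication state (comm_state: the vNICs it communicates on)."""
        host = self.hosts[host_name]
        config = user_config or {vnic: host.endpoint for vnic in comm_state}
        host.inject_network_config(config)
        host.execute_policy(vm, policy)
        self.config_db[vm] = (host_name, config)
        self.policy_db[vm] = policy
        return config

    def communication_hosts(self, vm, src_name):
        return [h for h in self.hosts.values() if src_name in h.targets.get(vm, ())]

    def start_migration(self, vm, dst_name):
        """Handle the migration request: first configuration and original policy to
        the destination, redundancy policy and vNIC information to the
        communication hosts, second configuration saved for the destination."""
        src_name, first_config = self.config_db[vm]
        dst = self.hosts[dst_name]
        comm = self.communication_hosts(vm, src_name)
        dst.execute_policy(vm, self.policy_db[vm])          # original security policy
        second = dst.execute_as_destination(first_config)    # first -> second config
        self.interface_db[vm] = {"host": dst_name, "vnics": sorted(second)}
        for h in comm:                                       # redundancy policy + vNIC info
            h.redundancy.add(vm)
            h.targets[vm] = {src_name, dst_name}
        self.config_db[vm] = (dst_name, second)
        return second

    def on_migration_complete(self, vm, src_name, dst_name):
        """Migration completion information from the destination: communication
        hosts select the destination only and the redundancy policy is cancelled."""
        for h in self.communication_hosts(vm, src_name):
            h.targets[vm] = {dst_name}
            h.redundancy.discard(vm)


def scenario():
    """Constructed walk-through: vm1 on host A talks with host C, migrates to B."""
    a, b, c = Host("A", "10.0.0.1"), Host("B", "10.0.0.2"), Host("C", "10.0.0.3")
    mp = ManagementPlatform([a, b, c])
    policy = {"filter": [("0x0800", "ACCEPT")], "qos": {"rate": 100}}
    mp.on_vm_created("vm1", "A", policy, user_config={"vm1-eth0": "10.0.0.1"})
    c.targets["vm1"] = {"A"}          # constructed: C already reaches vm1 via A
    mp.start_migration("vm1", "B")
    during = c.sends_to("vm1")
    mp.on_migration_complete("vm1", "A", "B")
    return {"during": during, "after": c.sends_to("vm1"),
            "redundancy_active": "vm1" in c.redundancy,
            "dst_policy": b.policies.get("vm1"), "dst_forwarding": dict(b.forwarding),
            "saved": mp.config_db["vm1"]}
```

The two observations worth checking are the ones the text argues for: while the migration is in flight the communication host sends to both A and B (no data lost), and once the completion message arrives it sends only to B with the redundancy flag cleared, while B already holds the VM's original security policy and the platform's database now records the second configuration under B.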
The management platform used for configuration distribution in an embodiment of the present invention is described below. Referring to FIG. 13, another embodiment of the management platform 1300 in an embodiment of the present invention includes:
a configuration obtaining module 1301, configured to obtain the network configuration corresponding to a virtual machine when the management platform detects that the virtual machine has been created on a host;
a third configuration sending module 1302, configured to send the network configuration corresponding to the virtual machine to the host, so that the host updates its forwarding table according to the network configuration;
a second policy sending module 1303, configured to send the security policy corresponding to the virtual machine to the host when the management platform detects that the virtual machine has been created on the host, so that the host executes the security policy.
In this embodiment of the present invention, when the management platform detects that a virtual machine has been created on a host, the configuration obtaining module 1301 obtains the network configuration corresponding to the virtual machine, the third configuration sending module 1302 sends that network configuration to the host, and the second policy sending module 1303 sends the security policy to the host. The management platform thus performs unified distribution of network configuration and security policy, which simplifies the operations the user has to perform and improves the efficiency and accuracy of network configuration and security policy distribution.
In the above embodiment, the configuration obtaining module 1301 obtains the network configuration corresponding to the virtual machine. In practice, the configuration obtaining module 1301 can obtain it in several ways; two of them are given below as examples:
Optionally, referring to FIG. 14, in another embodiment of the management platform 1400 in an embodiment of the present invention, the configuration obtaining module 1301 may specifically include:
an information display unit 14011, configured to display a list of network card information corresponding to the virtual machine and prompt the user to set the network configuration corresponding to the virtual machine according to that list;
a configuration receiving unit 14012, configured to receive the network configuration corresponding to the virtual machine set by the user.
This reduces the user's operations and delivers the network configuration set by the user to the host accurately.
Optionally, in another embodiment of the management platform in an embodiment of the present invention, the configuration obtaining module 1301 may specifically be configured to generate the network configuration corresponding to the virtual machine automatically according to the communication state of the virtual machine.
Generating network settings automatically in this way further reduces the operations the user has to perform and improves the efficiency of virtual machine creation.
Optionally, in another embodiment of the management platform in an embodiment of the present invention, the second policy sending module 1303 may specifically be configured to send the filtering rules to the host when the virtual machine has been created on the host, so that the host adds the filtering rules to the corresponding rule chain, where the rule chains are generated by the host for each virtual network interface of the virtual machine.
Optionally, in another embodiment of the management platform in an embodiment of the present invention, the second policy sending module 1303 may further be configured to send the stored QoS policy to the host when the virtual machine is created on the host, where the QoS policy is generated from the settings the administrator made for each virtual network interface of the virtual machine, so that the host sets a classifier for the corresponding virtual network interface according to the QoS policy.
In this way, after the third configuration sending module 1302 distributes the network configuration, the second policy sending module 1303 can uniformly distribute security policies including filtering rules or QoS policies, achieving centralized distribution of network configuration and security policy and improving the efficiency of distribution.
The host used for configuration distribution in an embodiment of the present invention is described below. Referring to FIG. 15, another embodiment of the host 1500 in an embodiment of the present invention includes:
a receiving module 1501, configured to receive the network configuration and security policy corresponding to a virtual machine sent by the management platform when the host detects that the virtual machine has been created on the host, where the security policy may be generated from the settings the administrator made for each virtual network interface of the virtual machine;
a configuration execution module 1502, configured to update the forwarding table according to the network configuration;
a policy execution module 1503, configured to execute the security policy.
In this embodiment of the present invention, when a virtual machine has been created on the host, the receiving module 1501 receives the network configuration and security policy sent by the management platform, the configuration execution module 1502 updates the forwarding table according to the network configuration, and the policy execution module 1503 executes the security policy. The management platform thus performs unified distribution of network configuration and security policy, which simplifies the operations the user has to perform and improves the efficiency and accuracy of network configuration and security policy distribution.
Optionally, referring to FIG. 16, in another embodiment of the host 1600 in the embodiment of the present invention, the host 1600 may further include:
a creating module 1601, configured to create a rule chain for each virtual network interface of the virtual machine when the host detects that the virtual machine is created in the host;
when the security policy includes a filtering rule, the policy execution module 1505 is specifically configured to add the filtering rule to the corresponding rule chain.
Optionally, in another embodiment of the host in the embodiment of the present invention, when the security policy further includes a QoS policy, the policy execution module 1505 is specifically configured to add the filtering rule to the corresponding rule chain and to set a classifier for the corresponding virtual network interface according to the QoS policy.
It can be understood that, in practical applications, the modules in the host that perform configuration and policy execution, such as the policy execution module 1504 and the configuration execution module 1503, may be located in the kernel control module of the host, and the modules that receive and distribute configuration and policy, such as the third configuration sending module 1302, may be located in the control node of the host. Refer to FIG. 17, which is a structural diagram of the management platform, the source host and the destination host in a specific virtual machine migration scenario.
Referring to FIG. 18, the management platform together with the control nodes and kernel control modules of the hosts connected to it may constitute a policy management system, in which the set of control nodes in the hosts may be regarded as the main control program of the policy management system and the set of kernel control modules in the hosts may be regarded as the kernel communication module of the policy management system.
The purposes of the parts of the policy management system are as follows:
Management platform: the database of the management platform maintains the state information of the virtual machines and virtual network interfaces in the entire data center, and stores the network configuration and network security policy information for each virtual network interface. Based on the configuration information stored in the database and the virtual machine running-state changes (including virtual machine startup, shutdown and migration) reported by the main control program, the management platform automatically pushes updated configuration and policy information to the main control program.
Main control program: the main control program synchronizes communication policy with the upper-layer management platform; when it receives communication policy information from the management platform, it must pass it promptly to the kernel communication module. In addition, the main control program monitors the state of the local virtual machines and notifies the management platform of virtual machine state update events in time, so that security policies can be issued according to changes in virtual machine state.
Kernel communication module: the kernel communication module is responsible for exchanging information with the upper-layer main control program. It holds a cache recording the existing policies and performs local communication policy filtering against that cache.
The management platform and the host in the embodiment of the present invention have been described above from the perspective of unitized functional entities; below, the management platform and the host in the embodiment of the present invention are described from the perspective of hardware processing. It can be understood that, in practical applications, the management platform, the source host, the destination host, the related hosts and so on may all be servers. FIG. 19 is a schematic structural diagram of a server, which may also serve as a schematic structural diagram of the management platform or the host in the embodiment of the present invention.
The management platform for virtual machine migration in the embodiment of the present invention is described below from the perspective of hardware processing. Referring to FIG. 19, another embodiment of the management platform in the embodiment of the present invention includes:
an input device 1901, an output device 1902, a processor 1903 and a memory 1904 (there may be one or more processors 1903; FIG. 19 takes one processor 1903 as an example). In some embodiments of the present invention, the input device 1901, the output device 1902, the processor 1903 and the memory 1904 may be connected by a bus or in another manner; FIG. 19 takes a bus connection as an example.
By calling operation instructions stored in the memory 1904, the processor 1903 is configured to perform the following steps:
when a migration request for a virtual machine is received, sending a first network configuration to the destination host according to the migration request, so that the destination host injects the first network configuration into the destination host, where the first network configuration is the network configuration of the virtual machine in the source host and the migration request requests that the virtual machine be migrated from the source host to the destination host; and
when migration completion information sent by the destination host is received, notifying the communication host to select the destination host as the communication target, where the communication host is a host that uses the source host as the communication target for the virtual machine.
In some embodiments of the present invention, the processor 1903 is further configured to perform the following steps:
receiving a second network configuration sent by the destination host, where the second network configuration is a network configuration matching the destination host that the destination host generates according to the first network configuration; and
saving the second network configuration as the network configuration of the virtual machine in the destination host.
In some embodiments of the present invention, the processor 1903 is further configured to perform the following steps:
issuing a redundancy policy to the communication host according to the migration request, where the redundancy policy enables the source host and the destination host to receive the network data of the virtual machine simultaneously;
receiving the virtual network interface information allocated to the virtual machine, sent by the destination host; and
sending the virtual network interface information to the communication host, so that the communication host, according to the redundancy policy and the network interface information, sends the network data of the virtual machine to the source host and the destination host simultaneously.
In some embodiments of the present invention, the processor 1903 is further configured to perform the following step:
when the management platform receives a migration request for a virtual machine, sending the original security policy to the destination host according to the migration request, where the original security policy is the security policy of the virtual machine in the source host, so that the destination host injects the original security policy into the destination host.
The host for virtual machine migration in the embodiment of the present invention is described below from the perspective of hardware processing; this host is used as the destination host. Referring to FIG. 19, another embodiment of the host in the embodiment of the present invention includes:
an input device 1901, an output device 1902, a processor 1903 and a memory 1904 (there may be one or more processors 1903; FIG. 19 takes one processor 1903 as an example). In some embodiments of the present invention, the input device 1901, the output device 1902, the processor 1903 and the memory 1904 may be connected by a bus or in another manner; FIG. 19 takes a bus connection as an example.
By calling operation instructions stored in the memory 1904, the processor 1903 is configured to perform the following steps:
receiving a first network configuration sent by the management platform, where the first network configuration is the network configuration of the virtual machine in the source host;
injecting the first network configuration into the destination host; and
when it is detected that migration of the virtual machine is complete, sending migration completion information to the management platform, so that the management platform notifies the communication host to select the destination host as the communication target, where the communication host is a host that uses the source host as the communication target for the virtual machine.
In some embodiments of the present invention, the processor 1903 specifically performs the following step:
executing the first network configuration to generate a second network configuration that matches the destination host;
and the processor 1903 further performs the following step:
sending the second network configuration to the management platform, so that the management platform saves the second network configuration as the network configuration of the virtual machine in the destination host.
In some embodiments of the present invention, the processor 1903 further performs the following step:
sending the virtual network interface information allocated to the virtual machine to the management platform.
In some embodiments of the present invention, the processor 1903 further performs the following steps:
receiving the original security policy sent by the management platform, where the original security policy is the security policy of the virtual machine in the source host; and
injecting the original security policy into the destination host.
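The migration exchange described in the two hardware embodiments above (management platform and destination host, with a communication host that switches targets), as an added simulation that is not code from the patent. A ManagementPlatform, a destination Host and a communication Host exchange plain dict messages; the vNIC naming scheme, the message fields and the sample configuration and policy are assumptions made for the example. The destination host refuses to report completion until both the network configuration and the original security policy have been injected, so the communication hosts are never switched to a destination that lacks the VM's filtering rules.

```python
"""Added example (not the patent's code): simulated VM migration exchange."""
from dataclasses import dataclass, field


@dataclass
class Host:
    name: str
    vm_cfg: dict = field(default_factory=dict)         # vm -> network config injected here
    policies: dict = field(default_factory=dict)       # vm -> security policy injected here
    targets: dict = field(default_factory=dict)        # vm -> hosts this host sends vm data to
    target_history: list = field(default_factory=list) # every target set, in order

    def inject_network_config(self, vm, first_cfg):
        """Destination-host role: execute the first network configuration and
        generate the second configuration that matches this host."""
        # Assumed vNIC naming scheme; a real host allocates its own interface.
        second = dict(first_cfg, host=self.name, vnic=f"{self.name}-vnet-{vm}")
        self.vm_cfg[vm] = second
        return second

    def inject_security_policy(self, vm, policy):
        """Destination-host role: install the original security policy."""
        self.policies[vm] = dict(policy)

    def migration_complete(self, vm):
        """Destination-host role: report completion only once both the network
        configuration and the security policy are in place (defensive check)."""
        if vm not in self.vm_cfg or vm not in self.policies:
            raise RuntimeError(f"{self.name}: {vm} not fully injected, cannot report completion")
        return {"vm": vm, "vnic": self.vm_cfg[vm]["vnic"]}

    def set_targets(self, vm, hosts):
        """Communication-host role: redundancy policy (two targets) or final selection (one)."""
        self.targets[vm] = [h.name for h in hosts]
        self.target_history.append(list(self.targets[vm]))

    def send(self, vm, payload):
        """Communication-host role: hosts a frame for vm is delivered to."""
        return list(self.targets.get(vm, []))


class ManagementPlatform:
    def __init__(self):
        self.net_cfg = {}     # vm -> saved network configuration
        self.sec_policy = {}  # vm -> saved security policy
        self.location = {}    # vm -> host name

    def register(self, vm, host, cfg, policy):
        self.net_cfg[vm], self.sec_policy[vm] = dict(cfg), dict(policy)
        self.location[vm] = host.name

    def migrate(self, vm, src, dst, comm_hosts):
        """Config and policy to dst, redundancy to comm hosts, then switch
        comm hosts to dst once dst reports completion."""
        steps = []
        dst.inject_security_policy(vm, self.sec_policy[vm])       # original security policy
        second = dst.inject_network_config(vm, self.net_cfg[vm])  # first config -> second config
        self.net_cfg[vm] = second                                  # saved as vm's config in dst
        steps.append("config_and_policy_sent")
        for h in comm_hosts:                                       # redundancy policy + vNIC info
            h.set_targets(vm, [src, dst])
        steps.append("redundancy_issued")
        done = dst.migration_complete(vm)                          # migration completion info
        for h in comm_hosts:                                       # select dst as target
            h.set_targets(vm, [dst])
        self.location[vm] = dst.name
        steps.append("target_switched")
        return steps, done


def run_demo():
    """Constructed scenario: vm1 moves from hostA to hostB while hostC talks to it."""
    platform = ManagementPlatform()
    src, dst, comm = Host("hostA"), Host("hostB"), Host("hostC")
    platform.register("vm1", src, {"mac": "52:54:00:00:00:01", "vlan": 100},
                      {"rules": ["accept tcp dport 443", "drop all"]})
    comm.set_targets("vm1", [src])
    before = comm.send("vm1", b"frame")
    steps, done = platform.migrate("vm1", src, dst, [comm])
    after = comm.send("vm1", b"frame")
    return {"before": before, "after": after, "steps": steps,
            "history": comm.target_history, "vnic": done["vnic"],
            "saved_host": platform.net_cfg["vm1"]["host"],
            "policy_kept": dst.policies["vm1"] == platform.sec_policy["vm1"]}


def premature_completion_rejected():
    """A destination host without the security policy must not report completion."""
    dst = Host("hostB")
    dst.inject_network_config("vm1", {"mac": "52:54:00:00:00:01", "vlan": 100})
    try:
        dst.migration_complete("vm1")
    except RuntimeError:
        return True
    return False


if __name__ == "__main__":
    print(run_demo(), premature_completion_rejected())
```

The target history of the communication host shows the three phases of the exchange: source only, source and destination under the redundancy policy, then destination only after the completion notification.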
The management platform for configuration distribution in the embodiment of the present invention is described below from the perspective of hardware processing. Referring to FIG. 19, another embodiment of the management platform in the embodiment of the present invention includes:
an input device 1901, an output device 1902, a processor 1903 and a memory 1904 (there may be one or more processors 1903; FIG. 19 takes one processor 1903 as an example). In some embodiments of the present invention, the input device 1901, the output device 1902, the processor 1903 and the memory 1904 may be connected by a bus or in another manner; FIG. 19 takes a bus connection as an example.
By calling operation instructions stored in the memory 1904, the processor 1903 is configured to perform the following steps:
when the management platform detects that a virtual machine has been created in a host, obtaining the network configuration corresponding to the virtual machine;
sending the network configuration corresponding to the virtual machine to the host, so that the host updates the forwarding table according to the network configuration; and
when the management platform detects that the virtual machine has been created in the host, sending the security policy corresponding to the virtual machine to the host, so that the host executes the security policy.
In some embodiments of the present invention, the processor 1903 specifically performs the following steps:
displaying a list of network card information corresponding to the virtual machine and prompting the user to set the network configuration corresponding to the virtual machine according to the network card information list; and
receiving the network configuration corresponding to the virtual machine set by the user.
In some embodiments of the present invention, the processor 1903 specifically performs the following step:
generating the network configuration corresponding to the virtual machine according to the communication state of the virtual machine.
The host for configuration distribution in the embodiment of the present invention is described below from the perspective of hardware processing. Referring to FIG. 19, another embodiment of the host in the embodiment of the present invention includes:
an input device 1901, an output device 1902, a processor 1903 and a memory 1904 (there may be one or more processors 1903; FIG. 19 takes one processor 1903 as an example). In some embodiments of the present invention, the input device 1901, the output device 1902, the processor 1903 and the memory 1904 may be connected by a bus or in another manner; FIG. 19 takes a bus connection as an example.
By calling operation instructions stored in the memory 1904, the processor 1903 is configured to perform the following steps:
when the host detects that a virtual machine has been created in the host, receiving the network configuration and security policy corresponding to the virtual machine sent by the management platform, where the security policy is generated from settings made by an administrator for each virtual network interface of the virtual machine;
updating the forwarding table according to the network configuration; and
executing the security policy.
In some embodiments of the present invention, the processor 1903 further performs the following operation:
when the host detects that the virtual machine has been created in the host, creating a rule chain for each virtual network interface of the virtual machine;
when the security policy includes a filtering rule, the processor 1903 specifically performs the following operation:
adding the filtering rule to the corresponding rule chain.
In some embodiments of the present invention, when the security policy further includes a QoS policy, the processor 1903 specifically performs the following operation:
adding the filtering rule to the corresponding rule chain and setting a classifier for the corresponding virtual network interface according to the QoS policy.
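The host-side steps just listed (and the module embodiment of FIG. 15 and FIG. 16 above: one rule chain per virtual network interface, filtering rules appended to the chain, a QoS classifier per interface, forwarding table updated from the network configuration), as an added example that is not code from the patent. The rule and configuration formats, the field names and the sample policy are constructed for the example; the page does not specify them. A chain with no matching rule drops the frame, and a configuration that binds an already-used MAC address to a different interface, or a policy that names an interface without a chain, is rejected rather than silently applied.

```python
"""Added example (not the patent's code): host-side execution of a distributed
network configuration and security policy, one rule chain per vNIC."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class FilterRule:
    """Constructed rule format: match on protocol and destination port."""
    vnic: str
    action: str                 # "accept" or "drop"
    proto: str = "any"
    dport: Optional[int] = None

    def matches(self, pkt):
        proto_ok = self.proto == "any" or self.proto == pkt.get("proto")
        port_ok = self.dport is None or self.dport == pkt.get("dport")
        return proto_ok and port_ok


class HostAgent:
    """Receives network configuration and security policy for VMs on this host."""

    def __init__(self, name):
        self.name = name
        self.chains = {}            # vnic -> [FilterRule], one chain per vNIC
        self.forwarding_table = {}  # mac -> (vnic, vlan)
        self.classifiers = {}       # vnic -> QoS rate limit in kbit/s

    def on_vm_created(self, vm, vnics):
        """Create an empty rule chain for each vNIC of the new VM."""
        for vnic in vnics:
            self.chains[vnic] = []  # empty chain: nothing is accepted until policy arrives
        return sorted(self.chains)

    def update_forwarding_table(self, net_cfg):
        """Bind each vNIC's MAC and VLAN; refuse to rebind a MAC to another vNIC."""
        for entry in net_cfg:
            vnic, mac, vlan = entry["vnic"], entry["mac"], entry["vlan"]
            if vnic not in self.chains:
                raise ValueError(f"{self.name}: no rule chain for {vnic}")
            bound = self.forwarding_table.get(mac)
            if bound is not None and bound[0] != vnic:
                raise ValueError(f"{self.name}: {mac} already bound to {bound[0]}")
            self.forwarding_table[mac] = (vnic, vlan)
        return dict(self.forwarding_table)

    def execute_policy(self, policy):
        """Append filtering rules to their vNIC's chain and set QoS classifiers."""
        for raw in policy.get("filters", []):
            rule = FilterRule(**raw)
            if rule.vnic not in self.chains:
                raise ValueError(f"{self.name}: no rule chain for {rule.vnic}")
            self.chains[rule.vnic].append(rule)
        for vnic, qos in policy.get("qos", {}).items():
            if vnic not in self.chains:
                raise ValueError(f"{self.name}: no rule chain for {vnic}")
            self.classifiers[vnic] = qos["rate_kbps"]
        return {v: len(c) for v, c in self.chains.items()}

    def evaluate(self, vnic, pkt):
        """First matching rule in the vNIC's chain decides; no match means drop."""
        for rule in self.chains.get(vnic, []):
            if rule.matches(pkt):
                return rule.action
        return "drop"


# Constructed sample input: one VM with two vNICs, as the platform would send it.
NET_CFG = [{"vnic": "vnet0", "mac": "52:54:00:00:00:01", "vlan": 100},
           {"vnic": "vnet1", "mac": "52:54:00:00:00:02", "vlan": 200}]
POLICY = {"filters": [{"vnic": "vnet0", "action": "accept", "proto": "tcp", "dport": 443},
                      {"vnic": "vnet1", "action": "accept", "proto": "udp", "dport": 53},
                      {"vnic": "vnet1", "action": "drop", "proto": "tcp"}],
          "qos": {"vnet0": {"rate_kbps": 10000}, "vnet1": {"rate_kbps": 1000}}}


def build_agent():
    """Run the three host steps on the sample input and return the agent."""
    agent = HostAgent("hostA")
    agent.on_vm_created("vm1", ["vnet0", "vnet1"])
    agent.update_forwarding_table(NET_CFG)
    agent.execute_policy(POLICY)
    return agent


def rejects_unknown_vnic():
    """A policy for a vNIC that has no chain must be refused."""
    agent = HostAgent("hostB")
    agent.on_vm_created("vm2", ["vnet0"])
    try:
        agent.execute_policy({"filters": [{"vnic": "vnet9", "action": "accept"}]})
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    a = build_agent()
    print(a.evaluate("vnet0", {"proto": "tcp", "dport": 443}), a.classifiers)
```

The default-drop at the end of each chain is the property worth preserving in a real implementation: between VM creation and policy arrival the chain exists but admits nothing, so the window the patent closes by distributing policy at creation time does not reopen as an open interface.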
A person skilled in the art can clearly understand that, for convenience and brevity of description, the specific working processes of the systems, devices and units described above may refer to the corresponding processes in the foregoing method embodiments, and are not described here again.
In the several embodiments provided by this application, it should be understood that the disclosed systems, devices and methods may be implemented in other manners. For example, the device embodiments described above are merely illustrative; the division into units is only a division by logical function, and in actual implementation there may be another division manner. For example, multiple units or components may be combined or integrated into another system, or some features may be omitted or not executed. Furthermore, the mutual coupling, direct coupling or communication connection shown or discussed may be an indirect coupling or communication connection through some interfaces, devices or units, and may be electrical, mechanical or in other forms.
The units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units; that is, they may be located in one place or distributed over multiple network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, the functional units in the embodiments of the present invention may be integrated into one processing unit, each unit may exist physically on its own, or two or more units may be integrated into one unit. The integrated unit may be implemented in the form of hardware or in the form of a software functional unit.
If the integrated unit is implemented in the form of a software functional unit and sold or used as an independent product, it may be stored in a computer-readable storage medium. Based on such understanding, the technical solution of the present invention, in essence or in the part that contributes to the prior art, or all or part of the technical solution, may be embodied in the form of a software product stored in a storage medium and including several instructions for causing a computer device (which may be a personal computer, a server, a network device or the like) to perform all or part of the steps of the methods described in the embodiments of the present invention. The foregoing storage medium includes any medium that can store program code, such as a USB flash drive, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk or an optical disc.
The above embodiments are merely intended to illustrate the technical solutions of the present invention, not to limit them. Although the present invention has been described in detail with reference to the foregoing embodiments, a person of ordinary skill in the art should understand that the technical solutions described in the foregoing embodiments may still be modified, or some of their technical features may be replaced by equivalents, and that such modifications or replacements do not cause the essence of the corresponding technical solutions to depart from the spirit and scope of the technical solutions of the embodiments of the present invention.

Claims (28)

  1. A virtual machine migration method, comprising:
    when a management platform receives a migration request for a virtual machine, sending, by the management platform, a first network configuration to a destination host according to the migration request, so that the destination host injects the first network configuration into the destination host, where the first network configuration is the network configuration of the virtual machine in a source host and the migration request requests that the virtual machine be migrated from the source host to the destination host; and
    when the management platform receives migration completion information sent by the destination host, notifying, by the management platform, a communication host to select the destination host as a communication target, where the communication host is a host that uses the source host as the communication target for the virtual machine.
  2. The method according to claim 1, wherein after the management platform sends the first network configuration to the destination host according to the migration request, the method further comprises:
    receiving, by the management platform, a second network configuration sent by the destination host, where the second network configuration is a network configuration matching the destination host that the destination host generates according to the first network configuration; and
    saving, by the management platform, the second network configuration as the network configuration of the virtual machine in the destination host.
  3. The method according to claim 1 or 2, wherein the method further comprises:
    issuing, by the management platform, a redundancy policy to the communication host according to the migration request, where the redundancy policy enables the source host and the destination host to receive the network data of the virtual machine simultaneously;
    receiving, by the management platform, virtual network interface information allocated to the virtual machine and sent by the destination host; and
    sending, by the management platform, the virtual network interface information to the communication host, so that the communication host sends the network data of the virtual machine to the source host and the destination host simultaneously according to the redundancy policy and the network interface information.
  4. The method according to any one of claims 1 to 3, wherein the method further comprises:
    when the management platform receives the migration request for the virtual machine, sending, by the management platform, an original security policy to the destination host according to the migration request, where the original security policy is the security policy of the virtual machine in the source host, so that the destination host injects the original security policy into the destination host.
  5. A virtual machine migration method, comprising:
    receiving, by a destination host, a first network configuration sent by a management platform, where the first network configuration is the network configuration of the virtual machine in a source host;
    injecting, by the destination host, the first network configuration into the destination host; and
    when the destination host detects that migration of the virtual machine is complete, sending, by the destination host, migration completion information to the management platform, so that the management platform notifies a communication host to select the destination host as a communication target, where the communication host is a host that uses the source host as the communication target for the virtual machine.
  6. The method according to claim 5, wherein the injecting, by the destination host, the first network configuration into the destination host specifically comprises:
    executing, by the destination host, the first network configuration to generate a second network configuration that matches the destination host; and
    after the destination host injects the first network configuration into the destination host, the method further comprises:
    sending, by the destination host, the second network configuration to the management platform, so that the management platform saves the second network configuration as the network configuration of the virtual machine in the destination host.
  7. The method according to claim 6, wherein the method further comprises:
    sending, by the destination host, virtual network interface information allocated to the virtual machine to the management platform.
  8. The method according to any one of claims 5 to 7, wherein the method further comprises:
    receiving, by the destination host, an original security policy sent by the management platform, where the original security policy is the security policy of the virtual machine in the source host; and
    injecting, by the destination host, the original security policy into the destination host.
  9. A configuration distribution method, comprising:
    when a management platform detects that a virtual machine has been created in a host, obtaining, by the management platform, a network configuration corresponding to the virtual machine;
    sending, by the management platform, the network configuration corresponding to the virtual machine to the host, so that the host updates a forwarding table according to the network configuration; and
    when the management platform detects that the virtual machine has been created in the host, sending, by the management platform, a security policy corresponding to the virtual machine to the host, so that the host executes the security policy.
  10. The method according to claim 9, wherein the obtaining, by the management platform, the network configuration corresponding to the virtual machine specifically comprises:
    displaying, by the management platform, a list of network card information corresponding to the virtual machine and prompting a user to set the network configuration corresponding to the virtual machine according to the network card information list; and
    receiving, by the management platform, the network configuration corresponding to the virtual machine set by the user.
  11. The method according to claim 9, wherein the obtaining, by the management platform, the network configuration corresponding to the virtual machine specifically comprises:
    generating, by the management platform, the network configuration corresponding to the virtual machine according to a communication state of the virtual machine.
  12. A configuration distribution method, comprising:
    when a host detects that a virtual machine has been created in the host, receiving, by the host, a network configuration and a security policy corresponding to the virtual machine sent by a management platform;
    updating, by the host, a forwarding table according to the network configuration; and
    executing, by the host, the security policy.
  13. The method according to claim 12, wherein the method further comprises:
    when the host detects that the virtual machine has been created in the host, creating, by the host, a rule chain for each virtual network interface of the virtual machine;
    the security policy comprises a filtering rule; and
    the executing, by the host, the security policy specifically comprises:
    adding, by the host, the filtering rule to the corresponding rule chain.
  14. The method according to claim 13, wherein the security policy further comprises a quality of service (QoS) policy; and
    the executing, by the host, the security policy specifically comprises:
    adding, by the host, the filtering rule to the corresponding rule chain and setting a classifier for the corresponding virtual network interface according to the QoS policy.
  15. A management platform, comprising:
    a first configuration sending module, configured to, when a migration request for a virtual machine is received, send a first network configuration to a destination host according to the migration request, so that the destination host injects the first network configuration into the destination host, where the first network configuration is the network configuration of the virtual machine in a source host, and the migration request requests migration of the virtual machine from the source host to the destination host; and
    a selection module, configured to, when migration completion information sent by the destination host is received, notify a communication host to select the destination host as its communication target, where the communication host is a host that uses the source host as the communication target for the virtual machine.
  16. The management platform according to claim 15, further comprising:
    a second configuration receiving module, configured to receive a second network configuration sent by the destination host, where the second network configuration is a network configuration matching the destination host that the destination host generated from the first network configuration; and
    a configuration saving module, configured to save the second network configuration as the network configuration of the virtual machine in the destination host.
  17. The management platform according to claim 15 or 16, further comprising:
    a redundancy issuing module, configured to issue a redundancy policy to the communication host according to the migration request, where the redundancy policy enables the source host and the destination host to receive the network data of the virtual machine simultaneously;
    an interface information receiving module, configured to receive virtual network interface information, allocated to the virtual machine, that is sent by the destination host; and
    an interface information sending module, configured to send the virtual network interface information to the communication host, so that the communication host sends the network data of the virtual machine to both the source host and the destination host simultaneously according to the redundancy policy and the virtual network interface information.
  18. The management platform according to any one of claims 15 to 17, further comprising:
    a first policy sending module, configured to, when a migration request for a virtual machine is received, send an original security policy to the destination host according to the migration request, where the original security policy is the security policy of the virtual machine in the source host, so that the destination host injects the original security policy into the destination host.
  19. A host, for use as a destination host, comprising:
    a first configuration receiving module, configured to receive a first network configuration sent by a management platform, where the first network configuration is the network configuration of a virtual machine in a source host;
    a configuration injection module, configured to inject the first network configuration into the destination host; and
    a completion information sending module, configured to, when the destination host detects that migration of the virtual machine is complete, send migration completion information to the management platform, so that the management platform notifies a communication host to select the destination host as its communication target, where the communication host is a host that uses the source host as the communication target for the virtual machine.
  20. The host according to claim 19, wherein
    the configuration injection module is specifically configured to execute the first network configuration and generate a second network configuration matching the destination host; and
    the host further comprises:
    a second configuration sending module, configured to send the second network configuration to the management platform, so that the management platform saves the second network configuration as the network configuration of the virtual machine in the destination host.
  21. The host according to claim 20, further comprising:
    an interface information allocation module, configured to send virtual network interface information allocated to the virtual machine to the management platform.
  22. The host according to any one of claims 19 to 21, further comprising:
    a first policy receiving module, configured to receive an original security policy sent by the management platform, where the original security policy is the security policy of the virtual machine in the source host; and
    a security policy injection module, configured to inject the original security policy into the destination host.
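The signalling in claims 15 to 22 is easier to follow as a running model than as claim language. The following is an added example, not code from the patent or from Huawei: a constructed simulation in which the management platform pushes the source-side network configuration and security policy to the destination host, the destination host returns a host-matched second configuration (its own vNIC name differs), communication hosts forward the VM's traffic to both hosts under the redundancy policy, and only the destination host's completion message flips them to the destination alone. All class, field and host names are assumptions. The example adds one check the claims do not state but a deployment needs: the platform accepts a completion message only from the host it designated as destination, since otherwise any host that can reach the platform could redirect the VM's traffic to itself.

```python
"""Constructed simulation of the migration signalling in claims 15-22.
Names (Host, ManagementPlatform, NetworkConfig, field names) are assumptions,
not identifiers from the patent."""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class NetworkConfig:
    vm_id: str
    mac: str
    ip: str
    vlan: int
    vnic: str          # host-local tap interface name; differs per host


class Host:
    def __init__(self, name: str, platform: "ManagementPlatform"):
        self.name = name
        self.platform = platform
        platform.hosts[name] = self
        self.vm_configs: dict[str, NetworkConfig] = {}   # VMs running on this host
        self.policies: dict[str, list[str]] = {}         # vm_id -> injected policy
        self.forwarding: dict[str, set[str]] = {}        # vm_id -> hosts its traffic goes to

    # --- destination-host role (claims 19-22) ---
    def inject_config(self, first: NetworkConfig) -> NetworkConfig:
        """Execute the source-side configuration; the vNIC name is host-local,
        so the resulting second configuration is rewritten to match this host."""
        second = replace(first, vnic=f"{self.name}-tap-{first.vm_id}")
        self.vm_configs[first.vm_id] = second
        return second

    def inject_policy(self, vm_id: str, policy: list[str]) -> None:
        self.policies[vm_id] = list(policy)

    def report_migration_complete(self, vm_id: str) -> None:
        self.platform.on_migration_complete(vm_id, self.name)

    # --- communication-host role (claims 15, 17) ---
    def send_to_vm(self, vm_id: str) -> set[str]:
        """Hosts this host currently sends the VM's network data to."""
        return set(self.forwarding[vm_id])


class ManagementPlatform:
    def __init__(self):
        self.hosts: dict[str, Host] = {}
        self.location: dict[str, str] = {}            # vm_id -> host running it
        self.net_config: dict[str, NetworkConfig] = {}
        self.policy: dict[str, list[str]] = {}
        self.pending: dict[str, tuple[str, str, list[Host]]] = {}

    def migrate(self, vm_id: str, dst_name: str) -> NetworkConfig:
        src_name = self.location[vm_id]
        if dst_name == src_name:
            raise ValueError("destination must differ from source")
        if vm_id in self.pending:
            raise RuntimeError("migration already in progress")
        dst = self.hosts[dst_name]
        first = self.net_config[vm_id]
        # Claims 15/18: push source-side configuration and policy to the destination.
        second = dst.inject_config(first)
        dst.inject_policy(vm_id, self.policy[vm_id])
        # Claim 16: persist the destination-matched configuration.
        self.net_config[vm_id] = second
        # Claim 17: redundancy policy plus the new vNIC go to every communication host.
        comm = [h for h in self.hosts.values() if src_name in h.forwarding.get(vm_id, ())]
        for h in comm:
            h.forwarding[vm_id] = {src_name, dst_name}
        self.pending[vm_id] = (src_name, dst_name, comm)
        return second

    def on_migration_complete(self, vm_id: str, reporter: str) -> None:
        src_name, dst_name, comm = self.pending[vm_id]
        # Assumed hardening: only the designated destination may end the migration.
        if reporter != dst_name:
            raise PermissionError(f"{reporter} is not the destination for {vm_id}")
        del self.pending[vm_id]
        for h in comm:                       # claim 15: select the destination only
            h.forwarding[vm_id] = {dst_name}
        self.hosts[src_name].vm_configs.pop(vm_id, None)
        self.hosts[src_name].policies.pop(vm_id, None)
        self.location[vm_id] = dst_name


def run_demo() -> dict:
    """Constructed scenario: vm1 on hostA exchanges traffic with hostC; migrate to hostB."""
    mp = ManagementPlatform()
    a, b, c = Host("hostA", mp), Host("hostB", mp), Host("hostC", mp)
    cfg = NetworkConfig("vm1", "52:54:00:aa:bb:01", "10.0.0.11", 100, "hostA-tap-vm1")
    a.vm_configs["vm1"] = cfg
    a.policies["vm1"] = ["allow tcp dport 22", "drop"]
    mp.location["vm1"], mp.net_config["vm1"], mp.policy["vm1"] = "hostA", cfg, a.policies["vm1"]
    c.forwarding["vm1"] = {"hostA"}
    second = mp.migrate("vm1", "hostB")
    during = c.send_to_vm("vm1")            # both hosts while migration is in flight
    b.report_migration_complete("vm1")
    after = c.send_to_vm("vm1")             # destination only afterwards
    return {"during": during, "after": after, "second_vnic": second.vnic,
            "saved_vnic": mp.net_config["vm1"].vnic, "dst_policy": b.policies["vm1"],
            "src_has_vm": "vm1" in a.vm_configs, "location": mp.location["vm1"]}


if __name__ == "__main__":
    print(run_demo())
```

The `PermissionError` models only the authorisation decision; in a real platform the completion message itself has to be authenticated (for example over mutually authenticated TLS between platform and hosts), or the check is meaningless because the reporter name is just a field in the message.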
  23. A management platform, comprising:
    a configuration acquisition module, configured to acquire the network configuration corresponding to a virtual machine when the management platform detects that creation of the virtual machine in a host is complete;
    a third configuration sending module, configured to send the network configuration corresponding to the virtual machine to the host, so that the host updates its forwarding table according to the network configuration; and
    a second policy sending module, configured to send the security policy corresponding to the virtual machine to the host when the management platform detects that creation of the virtual machine in the host is complete, so that the host executes the security policy.
  24. The management platform according to claim 23, wherein the configuration acquisition module specifically comprises:
    an information display unit, configured to display a list of network card information corresponding to the virtual machine and prompt the user to set the network configuration corresponding to the virtual machine according to the list; and
    a configuration receiving unit, configured to receive the network configuration corresponding to the virtual machine as set by the user.
  25. The management platform according to claim 23, wherein the configuration acquisition module is specifically configured to generate the network configuration corresponding to the virtual machine according to the communication state of the virtual machine.
  26. A host, comprising:
    a receiving module, configured to, when the host detects that creation of a virtual machine in the host is complete, receive the network configuration and the security policy corresponding to the virtual machine sent by a management platform;
    a configuration execution module, configured to update the forwarding table according to the network configuration; and
    a policy execution module, configured to execute the security policy.
  27. The host according to claim 26, further comprising:
    a creation module, configured to create a rule chain for each virtual network interface of the virtual machine when the host detects that creation of the virtual machine in the host is complete;
    wherein, when the security policy comprises a filtering rule, the policy execution module is specifically configured to add the filtering rule to the corresponding rule chain.
  28. The host according to claim 27, wherein, when the security policy further comprises a QoS policy, the policy execution module is specifically configured to add the filtering rule to the corresponding rule chain and set a classifier for the corresponding virtual network interface according to the QoS policy.
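Claims 13 and 14 (and their apparatus counterparts 27 and 28) describe the host side: one rule chain per virtual network interface, the platform's filtering rules appended to that chain, and a classifier set on the interface from the QoS policy. The following is an added example, not code from the patent or from Huawei, showing how a Linux host could carry that out with iptables and tc. The policy schema (`filter` rules with `proto`, `dport`, `src`, `action`; a `qos` entry with `rate_kbit` and `dport`), the `vm-<vnic>` chain naming and the HTB class layout are all assumptions. Commands are built as argv lists and returned rather than executed, so the mapping can be inspected and tested without root; the point a practitioner should take from it is that every field of a platform-supplied policy is validated before it is turned into a command, because the policy crosses a trust boundary and a string-concatenated `iptables` invocation would let a compromised or spoofed platform message run arbitrary options on the host.

```python
"""Added example: executing a per-vNIC filtering rule chain and a QoS classifier
on a Linux host.  Policy schema, chain naming and HTB layout are assumptions."""
import ipaddress
import re

IFACE_RE = re.compile(r"^[A-Za-z0-9_.-]{1,15}$")   # kernel IFNAMSIZ is 16 incl. NUL
CHAIN_MAX = 28                                      # iptables chain name limit
PROTOCOLS = {"tcp", "udp", "icmp"}
ACTIONS = {"accept": "ACCEPT", "drop": "DROP"}


def chain_name(vnic: str) -> str:
    """Derive the per-interface chain name, rejecting anything that is not a
    plain interface name (no shell metacharacters, no extra options)."""
    if not IFACE_RE.match(vnic):
        raise ValueError(f"bad interface name {vnic!r}")
    name = f"vm-{vnic}"
    if len(name) > CHAIN_MAX:
        raise ValueError("chain name too long")
    return name


def create_rule_chain(vnic: str) -> list[list[str]]:
    """Claim 13/27: one chain per vNIC, hooked into FORWARD for bridged frames
    that enter from that interface (physdev match needs br_netfilter loaded)."""
    chain = chain_name(vnic)
    return [
        ["iptables", "-N", chain],
        ["iptables", "-I", "FORWARD", "-m", "physdev", "--physdev-in", vnic, "-j", chain],
    ]


def filter_rule_cmd(vnic: str, rule: dict) -> list[str]:
    """Translate one filtering rule into an append to the vNIC's chain.
    Every field is validated before it becomes an argv element."""
    cmd = ["iptables", "-A", chain_name(vnic)]
    proto = rule.get("proto")
    if proto is not None:
        if proto not in PROTOCOLS:
            raise ValueError(f"unsupported protocol {proto!r}")
        cmd += ["-p", proto]
    if "dport" in rule:
        port = int(rule["dport"])
        if proto not in ("tcp", "udp") or not 0 < port < 65536:
            raise ValueError("dport needs tcp/udp and a valid port")
        cmd += ["--dport", str(port)]
    if "src" in rule:
        # ip_network() raises on anything that is not an address or prefix
        cmd += ["-s", str(ipaddress.ip_network(rule["src"], strict=False))]
    cmd += ["-j", ACTIONS[rule["action"]]]   # KeyError for unknown actions
    return cmd


def qos_cmds(vnic: str, qos: dict) -> list[list[str]]:
    """Claim 14/28: HTB root qdisc, one class at the policy's rate, and a u32
    classifier steering the matched destination port into that class."""
    if not IFACE_RE.match(vnic):
        raise ValueError(f"bad interface name {vnic!r}")
    rate = int(qos["rate_kbit"])
    port = int(qos["dport"])
    if rate <= 0 or not 0 < port < 65536:
        raise ValueError("bad QoS parameters")
    return [
        ["tc", "qdisc", "add", "dev", vnic, "root", "handle", "1:", "htb", "default", "10"],
        ["tc", "class", "add", "dev", vnic, "parent", "1:", "classid", "1:10",
         "htb", "rate", f"{rate}kbit"],
        ["tc", "filter", "add", "dev", vnic, "protocol", "ip", "parent", "1:0", "prio", "1",
         "u32", "match", "ip", "dport", str(port), "0xffff", "flowid", "1:10"],
    ]


def execute_policy(vnics: list[str], policy: dict) -> list[list[str]]:
    """Host-side policy execution: create every chain first, then add the
    platform's filtering rules to each vNIC's own chain, then the classifiers."""
    cmds: list[list[str]] = []
    for vnic in vnics:
        cmds += create_rule_chain(vnic)
    for vnic in vnics:
        for rule in policy.get("filter", []):
            cmds.append(filter_rule_cmd(vnic, rule))
        if "qos" in policy:
            cmds += qos_cmds(vnic, policy["qos"])
    return cmds


if __name__ == "__main__":
    # Constructed policy for a VM with one vNIC: allow SSH from the management
    # subnet, drop everything else, cap HTTP at 2 Mbit/s.
    demo = execute_policy(["tap-vm1-0"], {
        "filter": [{"proto": "tcp", "dport": 22, "src": "10.0.0.0/24", "action": "accept"},
                   {"action": "drop"}],
        "qos": {"rate_kbit": 2000, "dport": 80},
    })
    for c in demo:
        print(" ".join(c))    # or subprocess.run(c, check=True) to apply
```

Two caveats when applying this for real: the rules are only reached if `physdev` matching is active for bridged traffic (`br_netfilter` loaded and `net.bridge.bridge-nf-call-iptables=1`), and a root qdisc on a tap device shapes the host's egress on that device, which is traffic into the VM; shaping what the VM sends requires an ingress qdisc with policing or redirection to an IFB device instead.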
PCT/CN2014/095477 2014-06-24 2014-12-30 Virtual machine migration method and device WO2015196774A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201410289648.5A CN105262604B (en) 2014-06-24 2014-06-24 Virtual machine migration method and equipment
CN201410289648.5 2014-06-24

Publications (1)

Publication Number Publication Date
WO2015196774A1 true WO2015196774A1 (en) 2015-12-30

Family

ID=54936673

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2014/095477 WO2015196774A1 (en) 2014-06-24 2014-12-30 Virtual machine migration method and device

Country Status (2)

Country Link
CN (1) CN105262604B (en)
WO (1) WO2015196774A1 (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10650157B2 (en) * 2017-04-30 2020-05-12 Microsoft Technology Licensing, Llc Securing virtual execution environments
CN108092810A (en) * 2017-12-13 2018-05-29 锐捷网络股份有限公司 A kind of virtual machine management method, VTEP equipment and management equipment

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102412978A (en) * 2010-09-21 2012-04-11 杭州华三通信技术有限公司 Method for carrying out network configuration for VM and system thereof
CN103246561A (en) * 2012-11-16 2013-08-14 佳都新太科技股份有限公司 Real-time virtual machine shifting technology based on XEN
CN103399778A (en) * 2013-07-01 2013-11-20 华为技术有限公司 Method and device for on-line integral migration of virtual machine
CN103457933A (en) * 2013-08-15 2013-12-18 中电长城网际系统应用有限公司 System and method for dynamically configuring virtual machine migration security policy
CN103607430A (en) * 2013-10-30 2014-02-26 中兴通讯股份有限公司 Network processing method and system, and network control center
CN103699429A (en) * 2013-12-31 2014-04-02 华为技术有限公司 Virtual machine migration method and virtual machine migration device

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102413041B (en) * 2011-11-08 2015-04-15 华为技术有限公司 Method, device and system for moving security policy
CN102739645B (en) * 2012-04-23 2016-03-16 杭州华三通信技术有限公司 The moving method of secure virtual machine strategy and device
CN103067356B (en) * 2012-12-12 2017-03-08 北京启明星辰信息技术股份有限公司 Ensure the system and method for business virtual machine safety

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107306230A (en) * 2016-04-18 2017-10-31 中兴通讯股份有限公司 A kind of method, device, controller and the equipment of the core network of Internet resources deployment
WO2020024978A1 (en) * 2018-07-31 2020-02-06 中兴通讯股份有限公司 Device, method, apparatus, and readable storage medium for virtual machine migration
CN114143087A (en) * 2021-11-30 2022-03-04 北京天融信网络安全技术有限公司 Virtual machine migration system and method
CN114143087B (en) * 2021-11-30 2023-09-26 北京天融信网络安全技术有限公司 Virtual machine migration system and method

Also Published As

Publication number Publication date
CN105262604A (en) 2016-01-20
CN105262604B (en) 2019-01-08

Similar Documents

Publication Publication Date Title
US11200079B2 (en) System and method for virtual machine live migration
US9325630B2 (en) Wild card flows for switches and virtual switches based on hints from hypervisors
WO2015196774A1 (en) Virtual machine migration method and device
US9104460B2 (en) Inter-cloud live migration of virtualization systems
JP6787573B2 (en) Virtual network function management equipment, systems, healing methods and programs
CN104115121B (en) The system and method that expansible signaling mechanism is provided virtual machine (vm) migration in middleware machine environment
US9432304B2 (en) System and method for supporting live migration of virtual machines based on an extended host channel adaptor (HCA) model
WO2015081766A1 (en) Sdn based virtual machine security policy migration system and method
US9749182B2 (en) Method and apparatus for configuring network policy of virtual network
EP2731010A1 (en) Method, device, and system for migrating configuration information during live migration of virtual machine
US9348646B1 (en) Reboot-initiated virtual machine instance migration
CN103441867B (en) A kind of method updating virtual machine internal Network resource allocation
US11422843B2 (en) Virtual machine migration method and apparatus having automatic user registration at a destination virtual machine
US10572291B2 (en) Virtual network management
US20160105381A1 (en) Distributed virtual switch configuration and state management
US9928107B1 (en) Fast IP migration in a hybrid network environment
WO2015117401A1 (en) Information processing method and device
JP2015514270A5 (en)
US20110032944A1 (en) Method and System for Switching in a Virtualized Platform
US9830181B2 (en) Method and system for gracefully shutdown virtual system
JP2015514271A5 (en)
US11997015B2 (en) Route updating method and user cluster
WO2018201461A1 (en) Method and device for migrating virtual machine and virtualization system
WO2016015633A1 (en) Multicast migration
CN107797844A (en) A kind of method and apparatus for creating virtual machine

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 14896019

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 14896019

Country of ref document: EP

Kind code of ref document: A1