WO2017097116A1 - Inter-container communication method and apparatus - Google Patents

Info

Publication number: WO2017097116A1
Authority: WO (WIPO (PCT))
Prior art keywords: container, communication, file, host, authentication request
Application number: PCT/CN2016/107228
Other languages: French (fr), Chinese (zh)
Inventors: 修剑锋, 叶磊, 于浩
Original assignee: 华为技术有限公司 (Huawei Technologies Co., Ltd.)
Application filed by 华为技术有限公司 (Huawei Technologies Co., Ltd.)
Publication of WO2017097116A1 (patent/WO2017097116A1/en)

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F 21/52 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity; preventing unwanted data erasure; buffer overflow
    • G06F 21/53 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity; preventing unwanted data erasure; buffer overflow, by executing in a restricted environment, e.g. sandbox or secure virtual machine
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 9/00 Arrangements for program control, e.g. control units
    • G06F 9/06 Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F 9/46 Multiprogramming arrangements
    • G06F 9/54 Interprogram communication
    • G06F 9/545 Interprogram communication where tasks reside in different layers, e.g. user- and kernel-space
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 2209/00 Indexing scheme relating to G06F 9/00
    • G06F 2209/54 Indexing scheme relating to G06F 9/54
    • G06F 2209/543 Local
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 2221/03 Indexing scheme relating to G06F 21/50, monitoring users, programs or devices to maintain the integrity of platforms
    • G06F 2221/033 Test or assess software

Definitions

  • The present application relates to the field of communications and, more particularly, to a method and apparatus for communication between containers.
  • A container is an operating-system-level lightweight virtualization technology. Its underlying mechanisms, the Linux namespace and the Linux control group (cgroup), are implemented entirely in the kernel with no intermediate layer, so resource utilization is high and performance is close to that of a physical machine.
  • Linux namespaces are an operating-system-level virtualization mechanism that provides resource isolation.
  • System resources such as the UTS (Unix Timesharing System) identifiers, IPC (Inter-Process Communication) objects, the mount table (file system) and PIDs (Process IDentifiers) are no longer global; each belongs to a specific namespace, and the resources of one namespace are invisible to the others.
  • A container is similar to a virtual machine: it is a software sandbox, a security mechanism that provides an isolated environment for running programs and tightly controls the resources that programs inside the container can access.
  • The Linux namespace mechanism is a good foundation for container-based virtualization, and containers use it to achieve resource isolation: processes in different containers belong to different namespaces, are invisible to each other and do not interfere with each other.
  • The present application provides a method and apparatus for communication between containers that enable two mutually isolated containers to communicate.
  • The present application provides a method for inter-container communication, comprising: receiving an authentication request sent by a first container requesting communication with a second container, where the first container and the second container are located on the same host and both mount a shared directory of the host; generating, according to the authentication request, a communication file under the shared directory of the host, the communication file including a communication resource through which the first container communicates with the second container; and sending file information of the communication file to the first container and the second container, so that the first container and the second container locate the communication file under the shared directory of the host according to the file information and communicate through the communication file.
  • The authentication module receives an authentication request sent by the first container requesting communication with the second container, where the first container and the second container are located on the same host and both mount a shared directory of the host; it generates, according to the authentication request, a communication file including the communication resource of the first container and the second container, and sends the file information of the communication file to the first container and the second container. This enables communication between two containers that are isolated from each other.
  • Before the communication file is generated in the shared directory of the host according to the authentication request, the method further includes: determining, according to the authentication request, whether the first container and the second container are both in a preset trusted container list, where the authentication request carries the identifier of the first container and the identifier of the second container; if the first container and the second container are both in the preset trusted container list, it is determined that the first container has the right to communicate with the second container.
  • Generating the communication file in the shared directory of the host according to the authentication request includes: determining, according to the authentication request, a communication manner between the first container and the second container, and generating the communication file according to that communication manner.
  • The authentication request may include the identifier of the first container and the identifier of the second container, and may further include the communication manner used by the first container and the second container.
  • Generating the communication file according to the communication manner includes: if the first container and the second container use Unix domain socket communication, generating a socket file, the socket file describing the socket that provides the communication between the first container and the second container; and/or, if the first container and the second container use shared memory communication, generating a shared memory file, the shared memory file providing, in the host's memory, the shared memory through which the first container communicates with the second container.
  • With the method for communication between containers provided by the present application, when the first container and the second container communicate by Unix domain socket the communication is fast and secure, and when they communicate by shared memory the communication performance and quality are high.
  • The present application provides another method for communication between containers, comprising: receiving file information of a communication file sent by an authentication module of a host, where the communication file includes a communication resource for communication between a first container and a second container, the first container and the second container both mount a shared directory of the host, and the communication file is located in the shared directory of the host; the first container locating the communication file in the shared directory of the host according to the file information; and the first container communicating with the second container through the communication file.
  • Before receiving the file information of the communication file sent by the authentication module of the host, the method further includes: the first container sending to the authentication module an authentication request for requesting communication with the second container, the first container and the second container both being located on the host.
  • The authentication request carries the manner in which the first container communicates with the second container.
  • The communication manner between the first container and the second container may be set in advance by a user.
  • The communication file includes a socket file and/or a shared memory file: the socket file describes the socket that provides the communication between the first container and the second container, and the shared memory file provides, in the host's memory, the shared memory through which the first container communicates with the second container.
  • The present application provides an apparatus for inter-container communication for performing the method of the first aspect above or any of its possible implementations.
  • The apparatus comprises means for performing the method of the first aspect above or any of its possible implementations.
  • The present application provides an apparatus for inter-container communication for performing the method of the second aspect above or any of its possible implementations.
  • The apparatus comprises means for performing the method of the second aspect above or any of its possible implementations.
  • The present application provides an apparatus for inter-container communication comprising a receiver, a transmitter, a memory, a processor and a bus system.
  • The receiver, the transmitter, the memory and the processor are connected by the bus system. The memory stores instructions, and the processor executes the instructions stored in the memory to control the receiver to receive signals and the transmitter to send signals; when the processor executes the instructions stored in the memory, the execution causes the processor to perform the method of the first aspect or any of its possible implementations.
  • The present application provides an apparatus for inter-container communication comprising a receiver, a transmitter, a memory, a processor and a bus system.
  • The receiver, the transmitter, the memory and the processor are connected by the bus system. The memory stores instructions, and the processor executes the instructions stored in the memory to control the receiver to receive signals and the transmitter to send signals; when the processor executes the instructions stored in the memory, the execution causes the processor to perform the method of the second aspect or any of its possible implementations.
  • The present application provides a computer readable medium for storing a computer program, the computer program comprising instructions for performing the method of the first aspect or any of its possible implementations.
  • The present application provides a computer readable medium for storing a computer program, the computer program comprising instructions for performing the method of the second aspect or any of its possible implementations.
  • FIG. 1 is a schematic diagram of a Linux system to which an embodiment of the present invention is applied.
  • FIG. 2 is a schematic flowchart of a method for communication between containers according to an embodiment of the present invention.
  • FIG. 3 is a schematic flowchart of another method for communication between containers according to an embodiment of the present invention.
  • FIG. 4 is a schematic flowchart of another method for communication between containers according to an embodiment of the present invention.
  • FIG. 5 is a schematic block diagram of an apparatus for communication between containers according to an embodiment of the present invention.
  • FIG. 6 is a schematic block diagram of another apparatus for communication between containers according to an embodiment of the present invention.
  • FIG. 7 is a schematic block diagram of another apparatus for communication between containers according to an embodiment of the present invention.
  • FIG. 8 is a schematic block diagram of another apparatus for communication between containers according to an embodiment of the present invention.
  • FIG. 1 shows a schematic diagram of a Linux system 100 to which an embodiment of the present invention is applied.
  • The Linux system may include an authentication module and a plurality of containers.
  • All containers in the Linux system share the same kernel; the host provides each container with a virtual environment that has its own process and network space.
  • The applications inside the containers are isolated from each other and do not interfere with each other.
  • FIG. 1 exemplarily shows an authentication module 110, a container 121, and a container 122.
  • The Linux system may also include other containers in the host; the embodiment of the present invention does not limit this.
  • The authentication module 110 is configured to receive, through an authentication channel, an authentication request from the container 121 requesting communication with the container 122; to determine, according to the authentication request, whether the container 121 has the right to communicate with the container 122, that is, whether the container 121 and the container 122 are both trusted containers; if so, to generate a communication file for communication between the two containers, the communication file including the communication resources for that communication; and to send the file information of the communication file to the container 121 and the container 122 through the authentication channel, so that the two containers find the communication file in the shared directory of the host according to the file information and communicate with each other through the communication file.
  • The container 121 and the container 122 are configured to receive the file information of the communication file sent by the authentication module 110, locate the communication file in the host shared directory that each of them mounts, and communicate through the communication file.
  • The container 121 may request to communicate with the container 122, and the container 122 may likewise request to communicate with the container 121; the embodiment of the present invention does not limit this.
  • The container 121 may also request to communicate with one or more other containers in the host. The authentication module may send the file information of the communication file to all containers that have communication rights, so that one or more of those other containers can communicate with the container 121 and the container 122; the embodiment of the present invention does not limit this.
  • The container 121 and the container 122 must first mount the shared directory of the host so that they can read it. The mounting can be implemented in software, so that the container 121 and the container 122 are shielded from the details of the host's physical partitions and uniformly use the logical concept that everything is a file.
  • FIG. 2 illustrates a method 200 for inter-container communication provided by an embodiment of the present invention.
  • The method 200 for inter-container communication can be applied to the Linux system 100 shown in FIG. 1, but the embodiment of the present invention is not limited thereto.
  • The first container sends an authentication request to the authentication module of the host, the authentication request requesting communication with the second container.
  • The first container may request to establish communication with one or more containers; the embodiment of the present invention is described by taking the first container requesting to establish communication with the second container as an example, but is not limited thereto.
  • The first container and the second container are located on the same host, and both mount a shared directory of the host, so that the first container and the second container can read the shared directory of the host.
  • The authentication request may carry the identifier of the first container and the identifier of the second container.
  • The authentication module generates a communication file in the shared directory of the host according to the authentication request sent by the first container; the communication file may include a communication resource through which the first container communicates with the second container.
  • The first container and the second container may communicate in various manners, for example by Unix domain socket, by shared memory, or by both a Unix domain socket and shared memory; this is not limited in the embodiment of the present invention.
  • The communication manner between the two communicating containers may be chosen by the user. If the user requires communication performance and quality, the shared memory communication manner may be selected; if the user requires communication speed and security, the Unix domain socket communication manner may be selected; other communication manners may also be used according to actual needs, which is not limited in the embodiment of the present invention.
  • The communication manner between the first container and the second container may be carried in the authentication request of the first container, in which case the authentication module obtains the communication manner from the authentication request and generates the communication file accordingly; the communication manner may also be set in advance in the authentication module according to actual needs, which is not limited in this embodiment of the present invention.
  • The authentication module may generate a communication file in the host shared directory, and the communication file may be, for example, a socket file; the socket file describes the socket that the authentication module provides for communication between the first container and the second container.
  • The authentication module may also generate, in the host shared directory, a communication file that is a shared memory file. The shared memory file designates, in the memory of the host, the shared memory allocated for the first container to communicate with the second container. The allocated shared memory may be host memory other than the host memory occupied by the first container and the second container.
  • The authentication module may determine, according to the identifier of the first container and the identifier of the second container carried in the authentication request, whether the first container and the second container have communication authority; if the first container has authority to communicate with the second container, the communication file is generated, the communication file including the communication resource through which the first container communicates with the second container.
  • The authentication module may preset a trusted container list in which all trusted containers in the host are listed, and determine, according to the identifiers of the first container and the second container carried in the authentication request, whether the first container and the second container that need to establish communication are in the trusted container list, that is, whether both are trusted containers. If the first container and the second container are both trusted containers, they have the right to communicate with each other.
  • The authentication module may alternatively maintain a communication list in which all pairs of containers in the host that may communicate with each other are listed, and determine according to the communication list whether the first container and the second container have communication authority; the embodiment of the present invention is not limited thereto.
  • The authentication module may be configured using mandatory access control technology, for example Security-Enhanced Linux (SELinux) or AppArmor, so that access to the communication file is open only to the containers that have been granted access rights; the embodiment of the invention is not limited thereto.
  • The authentication module sends the file information of the communication file to the first container and the second container.
  • The file information of the communication file may include the file name of the communication file.
  • The authentication module may send the file information of the communication file separately to the first container and the second container, or may broadcast the file name of the communication file to all containers having communication rights; the embodiment of the invention is not limited thereto.
  • If the authentication module generates a socket file, the file name of the socket file may be sent to the first container and the second container; if the authentication module generates a shared memory file, the file information of the shared memory file is sent to the first container and the second container. The file information of the shared memory file may include its file name and, optionally, the starting address and length of the shared memory, so that the specific memory allocated by the authentication module for the container communication can be determined from the file information.
  • The first container and the second container each locate the communication file in the host shared directory they mount according to the file information of the communication file.
  • The communication file may also be a file in a subdirectory of the shared directory, in which case the file information of the communication file may further include information indicating the path of the file within the subdirectory; the embodiment of the present invention is not limited thereto.
  • The first container and the second container communicate through the communication file.
  • When a Unix domain socket is used, a kernel channel is established through the socket file, and the communication goes through that kernel channel. It does not pass through the network protocol stack and involves no packet encapsulation or decapsulation; application-layer data is simply copied from one process to another, which is fast and secure.
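The authentication step and the Unix domain socket exchange described above, as an added example in C that is not the patent's own code. The trusted-container list, the identifiers container-121 and container-122, the socket file name "<first>-<second>.sock", SOCK_SEQPACKET for packet boundaries, and the use of a parent and child process (with /tmp standing in for the host's shared directory) as the two containers are all assumptions of the example. The listener creates the socket file with mode 0660 because every container that mounts the shared directory could otherwise connect to it, and the identifier check refuses names that could escape that directory.

```c
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/time.h>
#include <sys/un.h>
#include <sys/wait.h>
#include <unistd.h>

/* Trusted-container list held by the authentication module; the identifiers are made up. */
static const char *const trusted_containers[] = { "container-121", "container-122", "container-123" };

static int is_trusted(const char *id) {
    for (size_t i = 0; i < sizeof trusted_containers / sizeof *trusted_containers; i++)
        if (strcmp(trusted_containers[i], id) == 0) return 1;
    return 0;
}

/* Authentication step: both containers named in the request must be in the trusted list; only
 * then is a socket file name under the shared directory issued (the "file information" later sent
 * to both sides).  Identifiers that could escape the shared directory are refused. */
int authorize_socket_file(const char *shared_dir, const char *first, const char *second,
                          char *out, size_t cap) {
    if (!is_trusted(first) || !is_trusted(second)) return -1;
    if (strchr(first, '/') || strchr(second, '/') || strstr(first, "..") || strstr(second, "..")) return -1;
    int n = snprintf(out, cap, "%s/%s-%s.sock", shared_dir, first, second);
    if (n < 0 || (size_t)n >= cap || (size_t)n >= sizeof(((struct sockaddr_un *)0)->sun_path)) return -1;
    return 0;
}

static int fill_addr(struct sockaddr_un *sa, const char *path) {
    memset(sa, 0, sizeof *sa);
    sa->sun_family = AF_UNIX;
    if (strlen(path) >= sizeof sa->sun_path) return -1;
    strcpy(sa->sun_path, path);
    return 0;
}

/* Second container: bind the socket file inside the shared directory.  SOCK_SEQPACKET keeps
 * message boundaries.  The umask makes the file 0660, so of the containers that mount the shared
 * directory only those running as its owner or group can connect. */
static int listen_on(const char *path) {
    struct sockaddr_un sa;
    struct timeval tv = { 5, 0 };
    int fd = socket(AF_UNIX, SOCK_SEQPACKET, 0);
    if (fd < 0 || fill_addr(&sa, path) != 0) return -1;
    setsockopt(fd, SOL_SOCKET, SO_RCVTIMEO, &tv, sizeof tv);   /* accept() gives up after 5 s */
    unlink(path);                                               /* stale file from an earlier session */
    mode_t old = umask(0117);
    int rc = bind(fd, (struct sockaddr *)&sa, sizeof sa);
    umask(old);
    if (rc != 0 || listen(fd, 1) != 0) { close(fd); return -1; }
    return fd;
}

/* First container: connect to the socket file named in the file information. */
static int connect_to(const char *path) {
    struct sockaddr_un sa;
    int fd = socket(AF_UNIX, SOCK_SEQPACKET, 0);
    if (fd < 0 || fill_addr(&sa, path) != 0) return -1;
    if (connect(fd, (struct sockaddr *)&sa, sizeof sa) != 0) { close(fd); return -1; }
    return fd;
}

/* Whole exchange: authenticate, issue the file name, then parent and child process (standing in
 * for the two containers) pass one packet and its echo through the kernel without touching the
 * network stack.  Returns 0 when the echo matches. */
int socket_demo(const char *shared_dir) {
    char path[sizeof(((struct sockaddr_un *)0)->sun_path)];
    if (authorize_socket_file(shared_dir, "container-121", "container-122", path, sizeof path) != 0) return -1;
    int lfd = listen_on(path);                    /* listen before fork, so the connect cannot race */
    if (lfd < 0) return -1;
    pid_t pid = fork();
    if (pid < 0) { close(lfd); return -1; }
    if (pid == 0) {                               /* first container */
        static const char msg[] = "hello from container-121";
        char back[64];
        int fd = connect_to(path);
        if (fd < 0 || write(fd, msg, sizeof msg) != (ssize_t)sizeof msg) _exit(1);
        ssize_t n = read(fd, back, sizeof back);
        _exit(n == (ssize_t)sizeof msg && memcmp(back, msg, sizeof msg) == 0 ? 0 : 1);
    }
    int c = accept(lfd, NULL, NULL);              /* second container */
    char buf[64];
    ssize_t n = c < 0 ? -1 : read(c, buf, sizeof buf);
    if (n > 0 && write(c, buf, (size_t)n) != n) n = -1;   /* echo the packet back */
    if (c >= 0) close(c);
    close(lfd);
    int status = 0;
    waitpid(pid, &status, 0);
    unlink(path);
    return (n > 0 && WIFEXITED(status) && WEXITSTATUS(status) == 0) ? 0 : -1;
}

int main(void) {
    return socket_demo("/tmp") == 0 ? 0 : 1;      /* /tmp stands in for the host's shared directory */
}
```

The umask only restricts by owner and group, so when the two containers run as different users the file must be group-accessible to both, or the mandatory access control policy mentioned above (SELinux or AppArmor) must label the socket file for exactly those two containers. On Linux the listener can additionally verify the connecting peer's uid and pid with getsockopt(SO_PEERCRED) before serving it.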
  • When shared memory is used, the communication goes through the shared memory allocated in the host, and data packets can be exchanged through a ring buffer (ring-buffer): one ring-buffer serves one pair of communicating containers. Assuming the second container is the receiving end and the first container is the sending end, the receiving end reads messages from the head of the ring-buffer and the sending end writes messages at the tail of the ring-buffer; the communication performance is good and the quality is high.
  • The first container and the second container may also exchange data packets through other buffers or in other manners, which is not limited in this embodiment of the present invention.
  • When the first container and the second container communicate through shared memory, a synchronization mechanism is needed to keep the sending and receiving of data messages between the two containers synchronized.
  • The first container and the second container may use a polling synchronization mechanism. If the second container is the receiving end and the first container is the sending end, the sending end only writes the message into the ring-buffer without notifying the receiving end, and the receiving end actively checks whether there is a data packet in the ring-buffer: if there is, the receiving end reads the message; otherwise it continues to poll.
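The ring-buffer over a shared memory file with a polling receiver, as described in the preceding items, as an added example in C that is not the patent's own code. The file layout (two 32-bit indices followed by a 4 KiB byte array), the length-prefixed message format, the capacity, the file name under /tmp standing in for the shared directory, and running both ends in one process with separate mappings of the same file are assumptions of the example. Because the peer can write anywhere in the mapping, the receiver checks every length header against what the sender has actually published before copying anything out.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdatomic.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/stat.h>
#include <unistd.h>

#define RING_CAP 4096u   /* payload bytes, power of two; this layout is an assumption of the example */
/* Shared memory file layout: one sender appends at tail, one receiver consumes from head.  Indices grow
 * without bound and are reduced modulo RING_CAP on access, so tail - head is the number of bytes in
 * flight.  Release/acquire atomics publish a payload to the other process before the index announcing it. */
struct ring {
    _Atomic uint32_t head;
    _Atomic uint32_t tail;
    uint8_t buf[RING_CAP];
};

static void copy_in(struct ring *r, uint32_t pos, const void *src, uint32_t n) {
    for (uint32_t i = 0; i < n; i++) r->buf[(pos + i) & (RING_CAP - 1)] = ((const uint8_t *)src)[i];
}
static void copy_out(const struct ring *r, uint32_t pos, void *dst, uint32_t n) {
    for (uint32_t i = 0; i < n; i++) ((uint8_t *)dst)[i] = r->buf[(pos + i) & (RING_CAP - 1)];
}

/* Sending end: append one length-prefixed message at the tail; -1 if empty, oversized or the ring is full. */
int ring_push(struct ring *r, const void *msg, uint32_t len) {
    if (len == 0 || len > RING_CAP - 4) return -1;
    uint32_t head = atomic_load_explicit(&r->head, memory_order_acquire);
    uint32_t tail = atomic_load_explicit(&r->tail, memory_order_relaxed);
    if (4 + len > RING_CAP - (tail - head)) return -1;          /* full: the sender retries later */
    copy_in(r, tail, &len, 4);
    copy_in(r, tail + 4, msg, len);
    atomic_store_explicit(&r->tail, tail + 4 + len, memory_order_release);
    return 0;
}

/* Receiving end: take one message from the head.  Returns its length, 0 if the ring is empty (poll
 * again), or -1 if the header disagrees with what the sender published: the peer can write the whole
 * mapping, so nothing read from it is used without a bounds check. */
int32_t ring_pop(struct ring *r, void *out, uint32_t cap) {
    uint32_t head = atomic_load_explicit(&r->head, memory_order_relaxed);
    uint32_t tail = atomic_load_explicit(&r->tail, memory_order_acquire);
    uint32_t avail = tail - head, len = 0;
    if (avail == 0) return 0;
    if (avail >= 4) copy_out(r, head, &len, 4);
    if (avail < 4 || len == 0 || len > avail - 4 || len > cap) return -1;
    copy_out(r, head + 4, out, len);
    atomic_store_explicit(&r->head, head + 4 + len, memory_order_release);
    return (int32_t)len;
}

/* Each container maps the file named in the file information it received; mode 0660 keeps other
 * containers that mount the same shared directory from opening it. */
struct ring *ring_map(const char *path) {
    int fd = open(path, O_RDWR | O_CREAT, 0660);
    if (fd < 0) return NULL;
    if (ftruncate(fd, sizeof(struct ring)) != 0) { close(fd); return NULL; }
    void *p = mmap(NULL, sizeof(struct ring), PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);
    close(fd);
    return p == MAP_FAILED ? NULL : p;
}

/* Sending and receiving end with separate mappings of the same file, as the two containers would have.
 * The sender writes bursts of five messages without notifying anyone; the receiver polls until each
 * burst is drained.  Enough traffic flows for the indices to wrap.  Returns messages received in order. */
int shm_demo(const char *path) {
    unlink(path);
    struct ring *tx = ring_map(path), *rx = ring_map(path);
    if (!tx || !rx) return -1;
    char m[16], out[32];
    int got = 0;
    for (int round = 0; round < 100 && got == round * 5; round++) {
        for (int i = 0; i < 5; i++) {
            int n = snprintf(m, sizeof m, "msg %d", round * 5 + i);
            if (ring_push(tx, m, (uint32_t)n) != 0) break;
        }
        for (int polls = 0; got < (round + 1) * 5 && polls < 100; polls++) {
            int32_t n = ring_pop(rx, out, sizeof out - 1);
            if (n == 0) continue;                                 /* nothing yet: poll again */
            if (n < 0) break;                                     /* corrupt header from the peer */
            out[n] = '\0';
            snprintf(m, sizeof m, "msg %d", got);
            if (strcmp(out, m) != 0) break;
            got++;
        }
    }
    munmap(tx, sizeof *tx);
    munmap(rx, sizeof *rx);
    unlink(path);
    return got;
}

int main(void) {
    int n = shm_demo("/tmp/wo2017097116-demo.shm");       /* /tmp stands in for the shared directory */
    printf("received %d messages in order\n", n);
    return n == 500 ? 0 : 1;
}
```

A single-producer, single-consumer ring needs no lock as long as only one process ever writes tail and only one ever writes head; the release/acquire ordering on those two fields is what makes the payload visible to the other process before the index update. Polling keeps latency low at the cost of CPU; a production receiver would back off (for example on a futex or an eventfd) when the ring stays empty for long.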
  • In the method for inter-container communication provided by the embodiment of the present invention, the authentication module receives an authentication request sent by the first container requesting communication with the second container, where the first container and the second container are located on the same host and both mount a shared directory of the host; it generates, according to the authentication request, a communication file including the communication resource of the first container and the second container, and sends the file information of the communication file to the first container and the second container. This enables communication between two containers that are isolated from each other.
  • When the first container and the second container communicate by Unix domain socket, the communication is fast and secure; when they communicate by shared memory, the communication performance and quality are high.
  • FIG. 3 illustrates a method 300 for inter-container communication provided by an embodiment of the present invention.
  • the method 300 for inter-container communication can be applied to the Linux system 100 shown in FIG. 1 and can be performed by the authentication module in FIG. 1.
  • S310 Receive an authentication request sent by the first container for requesting communication with the second container, where the first container and the second container are located on the same host, and the first container and the second container are both The shared directory of the host is mounted.
  • the authentication module may receive an authentication request sent by the first container for requesting communication with a second container on the same host, where the first container and the second container both mount the host Shared directory.
  • the authentication request may include an identifier of the first container and an identifier of the second container.
  • S320 Generate, according to the authentication request, a communication file in a shared directory of the host, where the communication file includes a communication resource that the first container communicates with the second container.
  • the authentication module may determine, according to the authentication request sent by the first container, a communication manner between the first container and the second container, and determine the first container and the first according to a specific communication manner.
  • the second container generates a communication file that includes communication resources for communication such that the first container and the second container can communicate based on communication resources in the communication file.
  • the authentication module may generate a communication file in the host shared directory, and the communication file For example, it may be a socket file, and the socket file describes a socket for the authentication module to perform communication distribution between the first container and the second container.
  • the authentication module may generate a communication file in the host shared directory, and the communication file may be, for example, a shared memory.
  • the shared memory file can be determined in the memory of the host as shared memory allocated by the first container to communicate with the second container.
  • the allocated shared memory may be a host memory other than the host memory occupied by the first container and the second container.
  • the authentication module may determine, according to the authentication request, the communication authority of the first container and the second container, and the communication permission between the containers is only open to the container that is granted the permission.
  • the authentication module may determine, according to the authentication request, the first container and the second container Whether the device is in the default trusted container list, if yes, it indicates that the first container and the second container are both trusted lists and have communication authority.
  • the authentication module determines whether there may be a malicious container, and the two containers cannot be granted the right to communicate. Therefore, The communication file is not generated for the first container and the second container.
  • the authentication request may request to communicate with one or more second containers, the authentication module needs to authenticate all the containers in the request, when all the containers in the authentication request are trusted containers
  • the communication file for communication may be generated for the first container and the one or more of the second containers, which is not limited by the embodiment of the present invention.
  • The file information of the communication file, that is, information indicating the communication resource, may be sent to the first container and the second container, so that the first container and the second container determine the communication resource according to this indication information and communicate according to the communication resource.
  • The authentication module may broadcast the file information of the communication file to the first container and the second container, or may send it separately to the first container and to the second container, which is not limited by the embodiment of the present invention.
  • The file information of the communication file may be the file name of the file, and may also be resource information included in the file.
  • If the authentication module generates a socket file, the file name of the socket file may be sent to the first container and the second container; if the authentication module generates a shared memory file, the file information of the shared memory file is sent to the first container and the second container. The file information of the shared memory file may include a file name and, optionally, the starting address and length of the shared memory, so that the specific memory allocated by the authentication module for the container communication can be determined from the file information.
  • The communication file may also be a file in a subdirectory of the shared directory, in which case the file information of the communication file may further include information indicating the path of the file within that subdirectory, but the embodiment of the present invention is not limited thereto.
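As an added example that is not part of the patent text, the authentication flow of the paragraphs above in Python: the module checks every container named in the request against the preset trusted list, generates either a socket file or a shared memory file under the shared directory, returns the file information (name, subdirectory relative to the shared directory, and the length for shared memory) for every recipient, and in socket mode relays one message between the two endpoints. The request layout, the file names, the `ipc` subdirectory and the temporary directory standing in for the host's shared directory are assumptions.

```python
import os
import socket
import tempfile
from dataclasses import dataclass


@dataclass
class AuthRequest:           # constructed request layout (assumption)
    first: str               # identifier of the requesting (first) container
    seconds: tuple           # identifiers of one or more second containers
    mode: str = "socket"     # "socket" (Unix domain socket) or "shm" (shared memory)
    shm_length: int = 4096   # length of the shared memory region for "shm"


@dataclass
class FileInfo:              # what the containers receive: enough to locate the file
    name: str
    subdir: str              # path of the file relative to the shared directory
    length: int = 0          # shared memory length; 0 for a socket file


class AuthModule:
    def __init__(self, shared_dir, trusted):
        self.shared_dir = shared_dir
        self.trusted = frozenset(trusted)   # preset trusted container list
        self.listeners = {}                 # socket file name -> listening socket

    def has_permission(self, req):
        """Every container named in the request must be on the trusted list."""
        return req.first in self.trusted and all(c in self.trusted for c in req.seconds)

    def handle(self, req):
        """Returns (file_info, recipients); file_info is None when permission is
        denied, in which case no communication file is generated at all."""
        if not self.has_permission(req):
            return None, ()
        subdir = "ipc"                      # assumed subdirectory of the shared directory
        os.makedirs(os.path.join(self.shared_dir, subdir), exist_ok=True)
        name = "-".join((req.first,) + tuple(req.seconds))
        name += ".sock" if req.mode == "socket" else ".shm"
        path = os.path.join(self.shared_dir, subdir, name)
        if req.mode == "socket":
            srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
            srv.bind(path)                  # bind() creates the socket file on disk
            srv.listen(len(req.seconds) + 1)
            self.listeners[name] = srv
            info = FileInfo(name, subdir)
        elif req.mode == "shm":
            with open(path, "wb") as f:
                f.truncate(req.shm_length)  # zero-filled region of the requested length
            info = FileInfo(name, subdir, req.shm_length)
        else:
            raise ValueError(f"unknown communication mode {req.mode!r}")
        # the same file information goes to the first container and every second container
        return info, (req.first,) + tuple(req.seconds)

    def distribute(self, name):
        """Socket mode: accept both endpoints and copy one message from the first
        connection to the second (the module's communication-distribution role)."""
        srv = self.listeners[name]
        sender_conn, _ = srv.accept()       # AF_UNIX accepts in connection order
        receiver_conn, _ = srv.accept()
        receiver_conn.sendall(sender_conn.recv(64))
        sender_conn.close()
        receiver_conn.close()


def container_connect(mount_point, info):
    """A container resolves the socket file under its own mount of the shared directory."""
    cli = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    cli.connect(os.path.join(mount_point, info.subdir, info.name))
    return cli


def demo():
    # constructed stand-in for the host shared directory; each container would see it
    # at its own mount point, which is why FileInfo carries only a relative path
    host_shared = tempfile.mkdtemp(prefix="host-shared-")
    auth = AuthModule(host_shared, trusted={"c1", "c2", "c3"})
    # a request naming a container outside the trusted list is refused outright
    denied, _ = auth.handle(AuthRequest("c1", ("c2", "c9")))
    # socket mode: c1 asks to talk to c2, both trusted
    info, recipients = auth.handle(AuthRequest("c1", ("c2",)))
    c1 = container_connect(host_shared, info)
    c1.sendall(b"ping")
    c2 = container_connect(host_shared, info)
    auth.distribute(info.name)
    forwarded = c2.recv(64)
    c1.close()
    c2.close()
    # shared memory mode: one request may name several second containers
    shm_info, shm_recipients = auth.handle(
        AuthRequest("c1", ("c2", "c3"), mode="shm", shm_length=1024))
    shm_size = os.path.getsize(os.path.join(host_shared, shm_info.subdir, shm_info.name))
    return {"denied": denied, "recipients": recipients, "forwarded": forwarded,
            "shm_recipients": shm_recipients, "shm_size": shm_size}
```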
  • When the communication goes through the socket file, a kernel channel is established through the socket it provides, and the socket file is read during communication to access the kernel channel. The data does not need to pass through the network protocol stack or be packed and unpacked; application-layer data is simply copied from one process to another, which is fast and secure.
  • When the first container communicates with the second container in the shared memory communication manner, the communication is performed through shared memory allocated in the host, and data packets may be exchanged through a ring-buffer. That is, one ring-buffer provides a service entry for a pair of mutually communicating containers. Assuming that the second container is the receiving end and the first container is the transmitting end, during communication the receiving end reads messages from the head of the ring-buffer and the transmitting end writes messages at the tail of the ring-buffer; the communication performance is good and the quality is high.
  • the first container and the second container may also exchange data packets by using other buffers or other manners, which is not limited in this embodiment of the present invention.
  • When the first container and the second container communicate in the shared memory communication manner, a synchronization mechanism is needed to keep the sending and receiving of data messages between the two containers synchronized during communication.
  • The first container and the second container may adopt a polling synchronization mechanism. If the second container is the receiving end of the communication and the first container is the transmitting end, the transmitting end only writes the message into the ring-buffer without notifying the receiving end, and the receiving end actively queries whether there is a data packet in the ring-buffer. If there is a data packet, the receiving end reads the message; otherwise, the receiving end continues to query.
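As an added example that is not part of the patent, the ring-buffer with polling synchronization described above in Python, backed by a memory-mapped shared memory file: the transmitting end appends at the tail without notifying anyone, and the receiving end polls the head until something arrives. The header layout (head and tail indices), the length-prefix framing, the capacity and the temporary directory are assumptions.

```python
import mmap
import os
import struct
import tempfile
import time

U32 = struct.Struct("<I")                # head/tail indices and the per-message length prefix
HEAD_OFF, TAIL_OFF, DATA_OFF = 0, 4, 8   # assumed layout of the shared memory file


class RingBuffer:
    """Single-producer, single-consumer ring over a memory-mapped file. The transmitting
    end only ever writes TAIL and the receiving end only ever writes HEAD."""

    def __init__(self, path, capacity=0):
        create = capacity > 0
        size = DATA_OFF + capacity if create else os.path.getsize(path)
        fd = os.open(path, os.O_RDWR | (os.O_CREAT if create else 0), 0o600)
        if create:
            os.ftruncate(fd, size)       # zero-filled, so head == tail == 0 (empty)
        self.mm = mmap.mmap(fd, size)    # shared mapping: both ends see the same bytes
        os.close(fd)
        self.cap = size - DATA_OFF

    def _idx(self, off):
        return U32.unpack_from(self.mm, off)[0]

    def _set_idx(self, off, value):
        U32.pack_into(self.mm, off, value)

    def _put(self, pos, data):
        """Copy data into the ring starting at pos, wrapping at the end of the region."""
        first = min(len(data), self.cap - pos)
        self.mm[DATA_OFF + pos:DATA_OFF + pos + first] = data[:first]
        if first < len(data):
            self.mm[DATA_OFF:DATA_OFF + len(data) - first] = data[first:]
        return (pos + len(data)) % self.cap

    def _take(self, pos, n):
        first = min(n, self.cap - pos)
        out = self.mm[DATA_OFF + pos:DATA_OFF + pos + first]
        if first < n:
            out += self.mm[DATA_OFF:DATA_OFF + n - first]
        return out, (pos + n) % self.cap

    def send(self, msg):
        """Transmitting end: append a length-prefixed message at the tail.
        Returns False (nothing written) when the ring lacks room."""
        head, tail = self._idx(HEAD_OFF), self._idx(TAIL_OFF)
        frame = U32.pack(len(msg)) + msg
        if (tail - head) % self.cap + len(frame) >= self.cap:   # keep one byte free
            return False
        tail = self._put(tail, frame)
        self._set_idx(TAIL_OFF, tail)    # publish only after the payload is in place
        return True

    def poll(self):
        """Receiving end: one query of the ring; the message at the head, or None
        when head == tail (nothing to read)."""
        head, tail = self._idx(HEAD_OFF), self._idx(TAIL_OFF)
        if head == tail:
            return None
        prefix, pos = self._take(head, U32.size)
        msg, head = self._take(pos, U32.unpack(prefix)[0])
        self._set_idx(HEAD_OFF, head)    # release the slot only after the copy-out
        return msg


def recv_polling(rb, timeout=1.0, interval=0.001):
    """Polling synchronization: keep querying until a message appears or time runs out."""
    deadline = time.monotonic() + timeout
    while True:
        msg = rb.poll()
        if msg is not None or time.monotonic() >= deadline:
            return msg
        time.sleep(interval)


def demo():
    shared_dir = tempfile.mkdtemp(prefix="host-shared-")   # constructed stand-in for the mount
    path = os.path.join(shared_dir, "c1-c2.shm")            # the shared memory file
    sender = RingBuffer(path, capacity=64)     # first container: transmitting end
    receiver = RingBuffer(path)                # second container: opens the same file
    assert sender.send(b"hello") and sender.send(b"ring-buffer")
    first = recv_polling(receiver)
    second = recv_polling(receiver)
    empty = recv_polling(receiver, timeout=0.01)   # nothing queued: polling gives up
    # 20 round trips of 7-byte frames through a 64-byte ring exercise the wrap-around
    wrapped = []
    for i in range(20):
        sender.send(f"m{i:02d}".encode())
        wrapped.append(recv_polling(receiver))
    too_big = sender.send(b"x" * 60)           # 64-byte frame never fits a 64-byte ring
    return first, second, empty, wrapped, too_big
```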
  • In the inter-container communication method of the embodiment, the authentication module receives an authentication request sent by the first container requesting communication with the second container, where the first container and the second container are located in the same host and both mount a shared directory of the host; it generates, according to the authentication request, a communication file including the communication resource of the first container and the second container, and sends the file information of the communication file to the first container and the second container, thereby enabling communication between two containers that are isolated from each other.
  • When the first container and the second container communicate in the Unix domain socket mode, the communication speed is fast and the security is good; when they communicate in the shared memory mode, the communication performance is good and the quality is high.
  • FIG. 4 illustrates a method 400 for inter-container communication provided by an embodiment of the present invention.
  • the method 400 for inter-container communication can be applied to the Linux system 100 shown in FIG. 1.
  • S410: Receive file information of a communication file sent by the authentication module of the host, where the communication file includes the communication resource through which the first container communicates with the second container, the first container and the second container both mount the shared directory of the host, and the communication file is located under the shared directory of the host.
  • a plurality of mutually isolated containers may be included in the same host, and the multiple containers are mutually transparent due to the Linux Namespace mechanism.
  • the plurality of containers can mount the shared directory of the host, so that each container and the host can communicate with each other and read the files in the shared directory.
  • The plurality of containers in the host may receive file information, sent by the authentication module, of a communication file indicating the communication resource, where the communication file is located in the shared directory of the host mounted by the plurality of containers. Each container may determine, according to the file information, the communication resource allocated by the authentication module for communication between the containers, and the containers may establish communication with each other according to that resource.
  • A first one of the plurality of containers may send an authentication request to the authentication module to request communication with the second container.
  • The authentication request may include the identifier of the first container and the identifier of the second container, so that the authentication module authenticates the first container and the second container according to the authentication request.
  • the second container may be one or more, which is not limited by the embodiment of the present invention.
  • the first container determines the communication file according to the information of the communication file.
  • both the first container and the second container may determine the communication file according to the information of the communication file, and the communication file includes a communication resource that the first container communicates with the second container.
  • The file information of the communication file may be the file name of the communication file, or identifier information or attribute information of the communication file, etc.: any information by which the first container and the second container can determine the communication file. The embodiment of the present invention does not limit it.
  • If the authentication module generates a socket file, the file name of the socket file may be sent to the first container and the second container; if the authentication module generates a shared memory file, the file information of the shared memory file is sent to the first container and the second container. The file information of the shared memory file may include a file name and, optionally, the starting address and length of the shared memory, so that the specific memory allocated by the authentication module for the container communication can be determined from the file information.
  • The communication file may also be a file in a subdirectory of the shared directory, in which case the file information of the communication file may further include information indicating the path of the file within that subdirectory, but the embodiment of the present invention is not limited thereto.
  • the first container communicates with the second container according to the communication file.
  • the first container and the second container can communicate in accordance with the communication file, the communication file including communication resources for communication.
  • When the communication goes through the socket file, a kernel channel is established through the socket it provides, and the socket file is read during communication to access the kernel channel. The data does not need to pass through the network protocol stack or be packed and unpacked; application-layer data is simply copied from one process to another, which is fast and highly secure.
  • When the first container communicates with the second container in the shared memory communication manner, the communication is performed through shared memory allocated in the host, and data packets may be exchanged through a ring-buffer. That is, one ring-buffer provides a service entry for a pair of mutually communicating containers. Assuming that the second container is the receiving end and the first container is the transmitting end, during communication the receiving end reads messages from the head of the ring-buffer and the transmitting end writes messages at the tail of the ring-buffer; the communication performance is good and the quality is high.
  • the first container and the second container may also exchange data packets by using other buffers or other manners, which is not limited in this embodiment of the present invention.
  • In the inter-container communication method of the embodiment, file information of a communication file sent by the authentication module is received, where the communication file includes the communication resource of the first container and the second container located in the same host, and both containers mount a shared directory of the host; the first container determines the communication file according to the file information and communicates with the second container through the communication file, so that two containers isolated from each other are able to communicate.
  • When the first container and the second container communicate in the Unix domain socket mode, the communication speed is fast and the security is good; when they communicate in the shared memory mode, the communication performance is good and the quality is high.
  • FIG. 5 shows an apparatus 500 for communication between containers according to an embodiment of the present invention.
  • the apparatus 500 includes:
  • the receiving unit 510 is configured to receive an authentication request sent by the first container for requesting communication with the second container, where the first container and the second container are located on the same host, and the first container and the second container both mount the shared directory of the host;
  • the generating unit 520 is configured to generate, according to the authentication request received by the receiving unit 510, a communication file in a shared directory of the host, where the communication file includes a communication resource that the first container communicates with the second container;
  • the sending unit 530 is configured to send, to the first container and the second container, file information of the communication file generated by the generating unit 520, so that the first container and the second container determine the communication file under the shared directory of the host according to the file information of the communication file, and communicate according to the communication file.
  • Optionally, the apparatus 500 further includes a determining unit configured to determine, according to the authentication request and before the communication file is generated in the shared directory of the host, whether the first container and the second container are in the preset trusted container list, where the authentication request carries the identifier of the first container and the identifier of the second container; if the first container and the second container are both in the preset trusted container list, it is determined that the first container has the right to communicate with the second container.
  • the generating unit 520 is specifically configured to: according to the authentication request, determine a communication manner between the first container and the second container; and generate the communication file according to the communication manner.
  • If it is determined that the first container and the second container use the Unix domain socket communication manner, the generating unit 520 generates a socket file, which is used to provide a socket for communication between the first container and the second container; and/or, if it is determined that the first container and the second container use the shared memory communication manner, the generating unit 520 generates a shared memory file, which is used to provide, in the memory of the host, shared memory for the first container to communicate with the second container.
  • the apparatus 500 herein is embodied in the form of a functional unit.
  • The term "unit" herein may refer to an application specific integrated circuit (ASIC), an electronic circuit, a processor for executing one or more software or firmware programs (e.g., a shared processor, a dedicated processor, or a group of processors, etc.) and memory, merged logic, and/or other suitable components that support the described functionality.
  • device 500 may be specifically configured as the authentication module in the foregoing embodiment, and the device 500 may be used to perform various processes and/or steps corresponding to the authentication module in the foregoing method embodiment. To avoid repetition, details are not described herein again.
  • FIG. 6 shows an apparatus 600 for inter-container communication provided by an embodiment of the present invention.
  • the apparatus 600 includes:
  • the receiving unit 610 is configured to receive file information of the communication file sent by the authentication module of the host, where the communication file includes the communication resource through which the first container communicates with the second container, the first container and the second container both mount a shared directory of the host, and the communication file is located in the shared directory of the host;
  • a determining unit 620 configured to determine, by the first container, the communication file in a shared directory of the host according to the file information of the communication file received by the receiving unit 610;
  • the communication unit 630 is configured to communicate with the second container according to the communication file determined by the determining unit 620.
  • Optionally, the apparatus 600 further includes a sending unit configured to send an authentication request to the authentication module before the file information of the communication file sent by the authentication module of the host is received, where the authentication request requests communication with the second container, and the first container and the second container are both located in the host.
  • the authentication request carries a manner in which the first container communicates with the second container.
  • The communication file includes a socket file and/or a shared memory file, where the socket file is used to provide a socket for the first container to communicate with the second container, and the shared memory file is used to provide, in the memory of the host, shared memory for the first container to communicate with the second container.
  • the apparatus 600 herein is embodied in the form of a functional unit.
  • The term "unit" herein may refer to an application specific integrated circuit (ASIC), an electronic circuit, a processor for executing one or more software or firmware programs (e.g., a shared processor, a dedicated processor, or a group of processors, etc.) and memory, merged logic, and/or other suitable components that support the described functionality.
  • The device 600 may be specifically the container in the above embodiment, and may be used to perform the processes and/or steps corresponding to the container in the foregoing method embodiment; to avoid repetition, they are not described again here.
  • FIG. 7 illustrates an apparatus 700 for inter-container communication provided by an embodiment of the present invention.
  • the apparatus 700 includes a receiver 710, a processor 720, a transmitter 730, a memory 740, and a bus system 750.
  • The receiver 710, the processor 720, the transmitter 730, and the memory 740 are connected by the bus system 750; the memory 740 stores instructions, and the processor 720 executes the instructions stored in the memory 740.
  • the receiver 710 is configured to receive an authentication request sent by the first container for requesting communication with the second container, where the first container and the second container are located on the same host, and the first container and the second container both mount the shared directory of the host;
  • the processor 720 is configured to generate, according to the authentication request received by the receiver 710, a communication file in a shared directory of the host, where the communication file includes a communication resource that the first container communicates with the second container;
  • the transmitter 730 is configured to send, to the first container and the second container, file information of the communication file generated by the processor 720, so that the first container and the second container determine the communication file under the shared directory of the host according to the file information of the communication file, and communicate according to the communication file.
  • the processor 720 is specifically configured to: according to the authentication request, determine a communication manner between the first container and the second container; and generate the communication file according to the communication manner.
  • If the processor 720 determines that the first container and the second container use the Unix domain socket communication manner, the processor 720 generates a socket file, which describes a socket for communication between the first container and the second container; and/or, if it is determined that the first container and the second container use the shared memory communication manner, the processor 720 generates a shared memory file, which is used to provide, in the memory of the host, shared memory for the first container to communicate with the second container.
  • Optionally, the processor 720 is further configured to determine, according to the authentication request and before generating the communication file in the shared directory of the host, whether the first container and the second container are in the preset trusted container list, where the authentication request carries the identifier of the first container and the identifier of the second container; if the first container and the second container are both in the preset trusted container list, it is determined that the first container has the right to communicate with the second container.
  • the device 700 may be specifically the terminal device in the foregoing embodiment, and may be used to perform various steps and/or processes corresponding to the terminal device in the foregoing method embodiments.
  • the memory 740 can include read only memory and random access memory and provide instructions and data to the processor. A portion of the memory may also include a non-volatile random access memory.
  • the memory can also store information of the device type.
  • the processor 720 can be configured to execute instructions stored in a memory, and when the processor executes the instructions, the processor can perform various steps corresponding to the terminal device in the above method embodiments.
  • FIG. 8 shows an apparatus 800 for inter-container communication provided by an embodiment of the present invention.
  • The apparatus 800 includes a receiver 810, a processor 820, a transmitter 830, a memory 840, and a bus system 850.
  • The receiver 810, the processor 820, the transmitter 830, and the memory 840 are connected by the bus system 850; the memory 840 stores instructions, and the processor 820 executes the instructions stored in the memory 840 to control the receiver 810 to receive a signal and the transmitter 830 to transmit a signal.
  • the receiver 810 is configured to receive file information of a communication file sent by an authentication module of the host, where the communication file includes the communication resource through which the first container communicates with the second container, the first container and the second container both mount the shared directory of the host, and the communication file is located in the shared directory of the host;
  • the processor 820 is configured to determine, for the first container, the communication file in the shared directory of the host according to the file information of the communication file received by the receiver 810, and to communicate with the second container according to the communication file so determined.
  • Optionally, the transmitter 830 is configured to send an authentication request to the authentication module before the file information of the communication file sent by the authentication module of the host is received, where the authentication request requests communication with the second container, and the first container and the second container are both located in the host.
  • the authentication request carries a manner in which the first container communicates with the second container.
  • The communication file includes a socket file and/or a shared memory file, where the socket file describes a socket for communication between the first container and the second container, and the shared memory file is used to allocate, in the memory of the host, shared memory for the first container to communicate with the second container.
  • the device 800 may be specifically the network device in the foregoing embodiment, and may be used to perform various steps and/or processes corresponding to the network device in the foregoing method embodiments.
  • the memory 840 can include read only memory and random access memory and provide instructions and data to the processor. A portion of the memory may also include a non-volatile random access memory.
  • the memory can also store information of the device type.
  • the processor 820 can be configured to execute instructions stored in a memory, and when the processor executes instructions stored in the memory, the processor is operative to perform various steps and/or processes of the method embodiments described above.
  • The processor may be a central processing unit (CPU), or another general purpose processor, a digital signal processor (DSP), an application specific integrated circuit (ASIC), a field programmable gate array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, a discrete hardware component, or the like.
  • the general purpose processor may be a microprocessor or the processor or any conventional processor or the like.
  • Each step of the above method may be completed by an integrated logic circuit of hardware in the processor or by instructions in the form of software.
  • The steps of the method disclosed in the embodiments of the present invention may be performed directly by a hardware processor, or by a combination of hardware and software modules in the processor.
  • the software module can be located in a conventional storage medium such as random access memory, flash memory, read only memory, programmable read only memory or electrically erasable programmable memory, registers, and the like.
  • the storage medium is located in a memory, and the processor executes instructions in the memory, in combination with hardware to perform the steps of the above method. To avoid repetition, it will not be described in detail here.
  • the disclosed systems, devices, and methods may be implemented in other manners.
  • the device embodiments described above are merely illustrative.
  • the division of the unit is only a logical function division.
  • There may be another division manner in actual implementation; for example, multiple units or components may be combined or integrated into another system, or some features may be ignored or not executed.
  • the mutual coupling or direct coupling or communication connection shown or discussed may be an indirect coupling or communication connection through some interface, device or unit, or an electrical, mechanical or other form of connection.
  • the units described as separate components may or may not be physically separated, and the components displayed as units may or may not be physical units, that is, may be located in one place, or may be distributed to multiple network units. Some or all of the units may be selected according to actual needs to achieve the objectives of the embodiments of the present invention.
  • each functional unit in each embodiment of the present application may be integrated into one processing unit, or each unit may exist physically separately, or two or more units may be integrated into one unit.
  • the above integrated unit can be implemented in the form of hardware or in the form of a software functional unit.
  • the integrated unit if implemented in the form of a software functional unit and sold or used as a standalone product, may be stored in a computer readable storage medium.
  • The technical solution of the present application, in essence, or the part contributing to the prior art, or all or part of the technical solution, may be embodied in the form of a software product stored in a storage medium.
  • The software product includes a number of instructions that cause a computer device (which may be a personal computer, a server, a network device, or the like) to perform all or part of the steps of the methods described in the various embodiments of the present application.
  • the foregoing storage medium includes: a USB flash drive, a mobile hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a disk or a CD.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Computer Hardware Design (AREA)
  • Information Retrieval, Db Structures And Fs Structures Therefor (AREA)
  • Storage Device Security (AREA)

Abstract

Embodiments of the present invention provide an inter-container communication method and apparatus. The method comprises: receiving an authentication request sent by a first container for requesting communication with a second container, the first container and the second container being located on an identical host, and both the first container and the second container mounting a shared directory of the host; generating a communication file under the shared directory of the host according to the authentication request, the communication file comprising a communication resource for communication between the first container and the second container; and sending file information of the communication file to the first container and the second container, in order that the first container and the second container determine the communication file under the shared directory of the host according to the file information of the communication file and communicate according to the communication file. Two containers isolated from each other can communicate.

Description

Method and apparatus for inter-container communication
This application claims priority to Chinese Patent Application No. 201510919506.7, filed with the Chinese Patent Office on December 11, 2015 and entitled "Method and apparatus for inter-container communication", the entire contents of which are incorporated herein by reference.
Technical field
This application relates to the field of communications and, more particularly, to a method and apparatus for inter-container communication.
Background
A container is a lightweight, operating-system-level virtualization technology. The technologies it relies on underneath, Linux namespaces (Namespace) and Linux control groups (Control Group, CGroup), are entirely kernel features with no intermediate-layer overhead, so resource utilization is very high and performance is close to that of a physical machine.
Linux Namespace is an operating-system-level virtualization technology that provides a resource isolation scheme. System resources such as the Unix Timesharing System (UTS), Inter-Process Communication (IPC), the file system (MOUNT) and Process IDentifiers (PID) are no longer global; instead they belong to a specific namespace, and the resources inside each namespace are not visible to other namespaces.
A container is similar to a virtual machine: it is a software sandbox, a security mechanism that mainly provides an isolated environment for running programs and strictly controls the resources that programs in the container can access. The Linux Namespaces mechanism provides a good foundation for container-based virtualization technology; containers use this feature to achieve resource isolation, and processes in different containers belong to different Namespaces, so they are isolated from one another and do not interfere with one another.
Summary of the invention
This application provides a method and apparatus for inter-container communication that enables two mutually isolated containers to communicate with each other.
In a first aspect, this application provides a method for inter-container communication, the method comprising: receiving an authentication request sent by a first container for requesting communication with a second container, wherein the first container and the second container are located on the same host, and both the first container and the second container have mounted a shared directory of the host; generating, according to the authentication request, a communication file under the shared directory of the host, the communication file including a communication resource for communication between the first container and the second container; and sending file information of the communication file to the first container and the second container, so that the first container and the second container determine the communication file under the shared directory of the host according to the file information of the communication file and communicate according to the communication file.
In the method for inter-container communication provided by this application, an authentication module receives an authentication request sent by the first container for requesting communication with the second container, where the first container and the second container are located on the same host and both have mounted the shared directory of the host; the authentication module generates, according to the authentication request, a communication file that includes the communication resource of the first container and the second container, and sends the file information of the communication file to the first container and the second container, so that two mutually isolated containers can communicate.
With reference to the first aspect, in a first possible implementation of the first aspect, before the communication file is generated under the shared directory of the host according to the authentication request, the method further includes: determining, according to the authentication request, whether the first container and the second container are in a preset trusted container list, where the authentication request carries the identifier of the first container and the identifier of the second container; and if both the first container and the second container are in the preset trusted container list, determining that the first container and the second container have permission to communicate.
With reference to the first aspect or the first possible implementation of the first aspect, in a second possible implementation of the first aspect, generating the communication file under the shared directory of the host according to the authentication request includes: determining, according to the authentication request, the communication mode between the first container and the second container; and generating the communication file according to the communication mode.
Optionally, the authentication request may include the identifier of the first container and the identifier of the second container, and may further include the communication mode used by the first container and the second container.
With reference to the second possible implementation of the first aspect, in a third possible implementation of the first aspect, generating the communication file according to the communication mode includes: if it is determined that the first container and the second container communicate by Unix domain socket, generating a socket file, where the socket file describes the socket provided for communication between the first container and the second container; and/or if it is determined that the first container and the second container communicate by shared memory, generating a shared memory file, where the shared memory file provides, in the memory of the host, shared memory for communication between the first container and the second container.
In the method for inter-container communication provided by this application, when the first container and the second container communicate by Unix domain socket, communication is fast and secure; when the first container and the second container communicate by shared memory, communication has good performance and high quality.
In a second aspect, this application provides another method for inter-container communication, including: receiving file information of a communication file sent by an authentication module of a host, where the communication file includes a communication resource for communication between a first container and a second container, both the first container and the second container have mounted a shared directory of the host, and the communication file is located under the shared directory of the host; determining, by the first container, the communication file under the shared directory of the host according to the file information of the communication file; and communicating, by the first container, with the second container according to the communication file.
With reference to the second aspect, in a first possible implementation of the second aspect, before receiving the file information of the communication file sent by the authentication module of the host, the method further includes: sending, by the first container, an authentication request to the authentication module, where the authentication request is used to request communication with the second container, and both the first container and the second container are located on the host.
With reference to the first possible implementation of the second aspect, in a second possible implementation of the second aspect, the authentication request carries the communication mode between the first container and the second container.
Optionally, the communication mode between the first container and the second container may be set in advance by a user.
With reference to the second aspect or the first or second possible implementation of the second aspect, in a third possible implementation of the second aspect, the communication file includes a socket file and/or a shared memory file, where the socket file describes the socket provided for communication between the first container and the second container, and the shared memory file provides, in the memory of the host, shared memory for communication between the first container and the second container.
In a third aspect, this application provides an apparatus for inter-container communication, configured to perform the method in the first aspect or any possible implementation of the first aspect. Specifically, the apparatus includes units for performing the method in the first aspect or any possible implementation of the first aspect.
In a fourth aspect, this application provides an apparatus for inter-container communication, configured to perform the method in the second aspect or any possible implementation of the second aspect. Specifically, the apparatus includes units for performing the method in the second aspect or any possible implementation of the second aspect.
In a fifth aspect, this application provides an apparatus for inter-container communication, the apparatus including a receiver, a transmitter, a memory, a processor and a bus system. The receiver, the transmitter, the memory and the processor are connected by the bus system; the memory is configured to store instructions, and the processor is configured to execute the instructions stored in the memory so as to control the receiver to receive signals and control the transmitter to send signals; and when the processor executes the instructions stored in the memory, the execution causes the processor to perform the method in the first aspect or any possible implementation of the first aspect.
In a sixth aspect, this application provides an apparatus for inter-container communication, the apparatus including a receiver, a transmitter, a memory, a processor and a bus system. The receiver, the transmitter, the memory and the processor are connected by the bus system; the memory is configured to store instructions, and the processor is configured to execute the instructions stored in the memory so as to control the receiver to receive signals and control the transmitter to send signals; and when the processor executes the instructions stored in the memory, the execution causes the processor to perform the method in the second aspect or any possible implementation of the second aspect.
In a seventh aspect, this application provides a computer-readable medium for storing a computer program, the computer program including instructions for performing the method in the first aspect or any possible implementation of the first aspect.
In an eighth aspect, this application provides a computer-readable medium for storing a computer program, the computer program including instructions for performing the method in the second aspect or any possible implementation of the second aspect.
Brief description of the drawings
FIG. 1 is a schematic diagram of a Linux system to which an embodiment of the present invention is applied.
FIG. 2 is a schematic flowchart of a method for inter-container communication according to an embodiment of the present invention.
FIG. 3 is a schematic flowchart of another method for inter-container communication according to an embodiment of the present invention.
FIG. 4 is a schematic flowchart of another method for inter-container communication according to an embodiment of the present invention.
FIG. 5 is a schematic block diagram of an apparatus for inter-container communication according to an embodiment of the present invention.
FIG. 6 is a schematic block diagram of another apparatus for inter-container communication according to an embodiment of the present invention.
FIG. 7 is a schematic block diagram of another apparatus for inter-container communication according to an embodiment of the present invention.
FIG. 8 is a schematic block diagram of another apparatus for inter-container communication according to an embodiment of the present invention.
Detailed description
Embodiments of this application are described below with reference to the accompanying drawings.
FIG. 1 is a schematic diagram of a Linux system 100 to which an embodiment of the present invention is applied. The Linux system may include an authentication module and a plurality of containers. Optionally, because of the Namespace isolation mechanism of the Linux operating system, all containers in the Linux system share the same kernel, and the host of the Linux system provides each container with a virtual environment that has its own processes and network space; the applications inside the individual containers of the Linux system are isolated from one another and do not interfere with one another.
FIG. 1 shows, by way of example, an authentication module 110, a container 121 and a container 122. Optionally, the Linux system may include other containers on the host, which is not limited in this embodiment of the present invention.
The authentication module 110 is configured to receive, through an authentication channel, an authentication request from the container 121, the authentication request being used to request communication with the container 122; to determine, according to the authentication request, whether the container 121 has permission to communicate with the container 122, that is, to determine whether the container 121 and the container 122 are trusted containers; if both the container 121 and the container 122 are trusted containers, to generate a communication file for communication between the two containers, the communication file including the communication resource for communication between the two containers; and to send the file information of the communication file to the container 121 and the container 122 respectively through the authentication channel, so that the two containers can find the communication file in the shared directory of the host according to the file information of the communication file and carry out inter-container communication through the communication file.
The container 121 and the container 122 are configured to receive the file information of the communication file sent by the authentication module 110, determine the communication file in the host shared directory that each has mounted, and communicate according to the communication file.
Optionally, the container 121 may request communication with the container 122, and the container 122 may likewise request communication with the container 121, which is not limited in this embodiment of the present invention.
Optionally, the container 121 may also request communication with one or more other containers on the host, and the authentication module may send the file information of the communication file to all containers that have communication permission, so that the one or more other containers can also communicate with the container 121 and the container 122; this is not limited in this embodiment of the present invention.
It should be understood that before the container 121 sends the authentication request for communication with the container 122 to the host authentication module, the container 121 and the container 122 should first mount the shared directory of the host, so that the container 121 and the container 122 can read the shared directory of the host. The mounting process may be implemented in software, which hides the details of the host's physical partitions from the container 121 and the container 122 and presents a uniform logical view in which everything is a file.
FIG. 2 shows a method 200 for inter-container communication provided by an embodiment of the present invention. The method 200 may be applied to the host system 100 shown in FIG. 1, but this embodiment of the present invention is not limited thereto.
S210: A first container sends an authentication request to the authentication module of the host, the authentication request being used to request communication with a second container.
It should be understood that the first container may request to establish communication with one or more containers; this embodiment of the present invention describes the communication process only by taking as an example the first container requesting to establish communication with the second container, but is not limited thereto. The first container and the second container are located on the same host, and both have mounted the shared directory of the host, so that the first container and the second container can read the host's memory.
Optionally, the authentication request may carry the identifier of the first container and the identifier of the second container.
S220: The authentication module generates a communication file under the shared directory of the host according to the authentication request sent by the first container; the communication file may include the communication resource for communication between the first container and the second container.
Optionally, the first container and the second container may communicate in a variety of ways: for example, through a Unix domain socket, through shared memory, or through both a Unix domain socket and shared memory, which is not limited in this embodiment of the present invention.
It should be understood that the specific communication mode used by the two communicating containers may be decided by the user: if the user requires performance and quality of communication, the shared memory mode may be chosen; if the user requires speed and security of communication, the Unix domain socket mode may be chosen; or another communication mode may be used according to actual needs, which is not limited in this embodiment of the present invention.
Optionally, the communication mode between the first container and the second container may be carried in the authentication request of the first container, in which case the authentication module obtains the communication mode from the request and generates the communication file according to the authentication request; alternatively, according to actual needs, the communication mode to be used may be set in advance directly in the authentication module, which is not limited in this embodiment of the present invention.
As an optional embodiment, if it is determined that the first container and the second container communicate by Unix domain socket, the authentication module may generate a communication file under the host shared directory; the communication file may be, for example, a socket file, which describes the socket allocated by the authentication module for communication between the first container and the second container.
As another optional embodiment, if it is determined that the first container and the second container communicate by shared memory, the authentication module may generate a communication file under the host shared directory; the communication file may be, for example, a shared memory file, which identifies in the host's memory the shared memory allocated for communication between the first container and the second container. Optionally, the allocated shared memory may be host memory other than the host memory occupied by the first container and the second container.
Optionally, before S220, the authentication module may determine, according to the identifier of the first container and the identifier of the second container carried in the authentication request, whether the first container and the second container have communication permission; if the first container and the second container have communication permission, it generates the communication file, which includes the communication resource for communication between the first container and the second container.
As an optional embodiment, the authentication module may preset a trusted container list that lists all trusted containers on the host, and determine, according to the identifier of the first container and the identifier of the second container received by the authentication module, whether the first container and the second container that need to establish communication are in the trusted container list, that is, whether both the first container and the second container are trusted containers; if both the first container and the second container are trusted containers, the first container and the second container have permission to communicate with each other. As another optional embodiment, the authentication module may instead establish a communication list that lists all containers on the host that are allowed to communicate with each other, and determine according to the communication list whether the first container and the second container have communication permission; but this embodiment of the present invention is not limited thereto.
Optionally, the authentication module may be configured using mandatory access control technology, for example Security-Enhanced Linux (SELinux) or AppArmor, so that access to the communication file is open only to containers that have communication permission; but this embodiment of the present invention is not limited thereto.
S230: The authentication module sends the file information of the communication file to the first container and the second container.
Optionally, the file information of the communication file may include the file name of the communication file.
Optionally, the authentication module may send the file information of the communication file to the first container and the second container separately, or may broadcast the file name of the communication file to all containers that have communication permission, which is not limited in this embodiment of the present invention.
As an optional embodiment, if the authentication module generates a socket file, it may send the file name of the socket file to the first container and the second container; if the authentication module generates a shared memory file, it may send the file information of the shared memory file to the first container and the second container. The file information of the shared memory file may include the file name and, optionally, the start address and length of the shared memory identified by the shared memory file, so that the specific memory allocated by the authentication module for container communication can be determined from the file information of the shared memory file.
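The host-side steps S210 to S230 as an added Python example (not the patent's or Huawei's code): a minimal authentication module that checks both container identifiers against a preset trusted container list, creates the communication file under the shared directory, and returns the file information the containers use to locate it. The request layout, the file naming, the fixed shared memory length and the choice to let the receiving container bind the reserved socket path are assumptions.

```python
# Added example, not the patent's own code: a minimal authentication module
# for the host side of the procedure (S210 to S230). Names, the request
# layout and the fixed shared memory length are assumptions.
import os
from dataclasses import dataclass
from typing import FrozenSet, Optional

SHM_LENGTH = 4096  # constructed: bytes of host memory reserved per channel


@dataclass(frozen=True)
class AuthRequest:
    """Authentication request sent by the first container (assumed layout)."""
    first_id: str   # identifier of the requesting (first) container
    second_id: str  # identifier of the peer (second) container
    mode: str       # "unix_socket" or "shared_memory"


@dataclass(frozen=True)
class FileInfo:
    """File information returned to both containers."""
    name: str                     # file name under the shared directory
    mode: str
    start: Optional[int] = None   # shared memory only: offset of the region
    length: Optional[int] = None  # shared memory only: size of the region


class AuthError(PermissionError):
    """Raised when a container pair is not allowed to communicate."""


class AuthModule:
    def __init__(self, shared_dir: str, trusted: FrozenSet[str]):
        self.shared_dir = shared_dir
        self.trusted = frozenset(trusted)  # preset trusted container list

    def has_permission(self, req: AuthRequest) -> bool:
        # Both identifiers must appear in the preset trusted container list.
        return req.first_id in self.trusted and req.second_id in self.trusted

    def handle(self, req: AuthRequest) -> FileInfo:
        if not self.has_permission(req):
            raise AuthError(f"{req.first_id} -> {req.second_id}: not trusted")
        if req.mode not in ("unix_socket", "shared_memory"):
            raise ValueError(f"unknown communication mode {req.mode!r}")
        # The identifiers come from the request and end up in a file name, so
        # only a plain alphanumeric token is accepted (no separators, no '..').
        for cid in (req.first_id, req.second_id):
            if not cid.isalnum():
                raise ValueError(f"bad container identifier {cid!r}")
        suffix = "sock" if req.mode == "unix_socket" else "shm"
        name = f"{req.first_id}-{req.second_id}.{suffix}"
        path = os.path.join(self.shared_dir, name)
        if req.mode == "shared_memory":
            # Create the shared memory file with a fixed size. O_EXCL refuses
            # to reuse a file that already exists under the shared directory;
            # mode 0o660 keeps it away from other users (MAC labelling, as in
            # the SELinux/AppArmor embodiment, is outside this example).
            fd = os.open(path, os.O_CREAT | os.O_EXCL | os.O_RDWR, 0o660)
            try:
                os.ftruncate(fd, SHM_LENGTH)
            finally:
                os.close(fd)
            return FileInfo(name, req.mode, start=0, length=SHM_LENGTH)
        # Unix domain socket mode: a socket file only comes into existence
        # when a socket is bound to the path, so the module reserves the name
        # and the receiving container binds it (assumption; the patent leaves
        # the binding side open).
        if os.path.lexists(path):
            raise FileExistsError(path)
        return FileInfo(name, req.mode)
```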
S240: The first container and the second container each determine the communication file under the host shared directory that they have mounted, according to the file information of the communication file.
Optionally, the communication file may also be a file in a subdirectory of the shared directory, in which case the file information of the communication file may further include information indicating the path of the file within the subdirectory of the shared directory; but this embodiment of the present invention is not limited thereto.
S250: The first container and the second container communicate according to the communication file.
As an optional embodiment, when the first container and the second container communicate by Unix domain socket, a kernel channel is established through the socket file, and reading the socket file during communication means reading the kernel channel. No network protocol stack, packing or unpacking is involved; application-layer data is simply copied from one process to another, which is fast and highly secure.
As another optional embodiment, when the first container and the second container communicate by shared memory, they communicate through a block of shared memory allocated on the host, and the communication data packets may be exchanged by means of a ring buffer (ring-buffer): one ring-buffer provides the service entry for a pair of communicating containers. Assuming that the second container is the receiving end of the communication and the first container is the sending end, then while the first container communicates with the second container, the receiving end may read packets from the head of the ring-buffer and the sending end may send packets at the tail of the ring-buffer; communication performance is good and quality is high. Optionally, the first container and the second container may also exchange data packets through other buffers or in other ways, which is not limited in this embodiment of the present invention.
It should be understood that when the first container and the second container communicate by shared memory, a synchronization mechanism is needed in addition to the data exchange, to keep the sending and receiving of data packets by the first container and the second container synchronized during communication.
As an optional embodiment, the first container and the second container may use a polling synchronization mechanism. Assuming that the second container is the receiving end of the communication and the first container is the sending end, then while the first container communicates with the second container, the sending end simply sends packets into the ring-buffer without notifying the receiving end, and the receiving end actively checks whether there are data packets in the ring-buffer; if there are, the receiving end may read them, otherwise it continues to check.
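The shared memory ring-buffer with polling synchronization described above, as an added Python example (not the patent's own code): the sending end appends length-prefixed packets at the tail without notifying the receiving end, and the receiving end polls the head. The layout (a 4-byte head index written only by the receiver, a 4-byte tail index written only by the sender, then the data area), the 2-byte length prefix and the file size are assumptions; it is single-producer, single-consumer and, like the embodiment, does not address cross-process memory ordering.

```python
# Added example, not the patent's own code: a single-producer, single-consumer
# ring buffer inside the shared memory file, with polling synchronization.
# Layout (assumption): [head:u32][tail:u32][data area]. The receiver writes
# only head and the sender writes only tail, so neither clobbers the other.
import mmap
import os
import struct
import tempfile
from typing import List, Optional

INDEX = struct.Struct("<I")  # one 4-byte ring index
PLEN = struct.Struct("<H")   # 2-byte length prefix of each packet
HEAD_OFF, TAIL_OFF, DATA_OFF = 0, 4, 8


class RingBuffer:
    """One ring buffer per communicating container pair, mapped from the
    shared memory file using the start address and length in the file info."""

    def __init__(self, path: str, start: int, length: int):
        self.fd = os.open(path, os.O_RDWR)
        self.mm = mmap.mmap(self.fd, length, offset=start)
        self.cap = length - DATA_OFF  # bytes available for packets

    def close(self) -> None:
        self.mm.close()
        os.close(self.fd)

    def _index(self, off: int) -> int:
        return INDEX.unpack_from(self.mm, off)[0]

    def _put(self, pos: int, data: bytes) -> None:
        # Write bytes at logical position pos, wrapping inside the data area.
        for i, b in enumerate(data):
            self.mm[DATA_OFF + (pos + i) % self.cap] = b

    def _get(self, pos: int, n: int) -> bytes:
        return bytes(self.mm[DATA_OFF + (pos + i) % self.cap] for i in range(n))

    def send(self, packet: bytes) -> bool:
        """Sending end: append at the tail and never notify; False if no room."""
        head, tail = self._index(HEAD_OFF), self._index(TAIL_OFF)
        need = PLEN.size + len(packet)
        # One byte always stays unused so a full ring differs from an empty one.
        free = self.cap - 1 - (tail - head) % self.cap
        if len(packet) > 0xFFFF or need > free:
            return False
        self._put(tail, PLEN.pack(len(packet)) + packet)
        INDEX.pack_into(self.mm, TAIL_OFF, (tail + need) % self.cap)
        return True

    def poll(self) -> Optional[bytes]:
        """Receiving end: one check of the ring; the next packet, or None."""
        head, tail = self._index(HEAD_OFF), self._index(TAIL_OFF)
        if head == tail:
            return None
        (n,) = PLEN.unpack(self._get(head, PLEN.size))
        data = self._get(head + PLEN.size, n)
        INDEX.pack_into(self.mm, HEAD_OFF, (head + PLEN.size + n) % self.cap)
        return data


def exchange(packets: List[bytes], length: int = 4096) -> List[bytes]:
    """Constructed run: both ends map the same shared memory file. The sender
    fills the ring until it is full, then the receiver polls until empty."""
    fd, path = tempfile.mkstemp(suffix=".shm")
    os.ftruncate(fd, length)  # stands in for the module's shared memory file
    os.close(fd)
    sender, receiver = RingBuffer(path, 0, length), RingBuffer(path, 0, length)
    try:
        for p in packets:
            if not sender.send(p):
                break  # ring full: the sender would retry later
        received = []
        got = receiver.poll()
        while got is not None:  # keep polling while packets are present
            received.append(got)
            got = receiver.poll()
        return received
    finally:
        sender.close()
        receiver.close()
        os.unlink(path)


if __name__ == "__main__":
    print(exchange([b"hello", b"world"]))
```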
本发明实施例的容器间通信的方法,通过鉴权模块接收第一容器发送的用于请求第二容器通信的鉴权请求,该第一容器与该第二容器位于同一个主机中,并且该第一容器与该第二容器均挂载了该主机的共享目录,根据该鉴权请求生成包括该第一容器与该第二容器通信资源的通信文件,并向该第一容器与该第二容器发送该通信文件的文件信息,能够使相互隔离的两个容器之间进行通信。The method for communicating between containers according to the embodiment of the present invention, the authentication module receives an authentication request sent by the first container for requesting communication of the second container, where the first container and the second container are located in the same host, and The first container and the second container both mount a shared directory of the host, and generate a communication file including the first container and the second container communication resource according to the authentication request, and send the communication file to the first container and the second container The container sends the file information of the communication file to enable communication between the two containers that are isolated from each other.
本发明实施例的容器间通信的方法,该第一容器与该第二容器采用Unix域套接字方式进行通信,通信的速度快,安全性好;该第一容器与该第二容 器采用共享内存方式进行通信,通信的性能好,质量高。In the method for communication between containers according to the embodiment of the present invention, the first container and the second container communicate by using a Unix domain socket mode, and the communication speed is fast and the security is good; the first container and the second container are The device uses shared memory to communicate, and the communication performance is good and the quality is high.
FIG. 3 shows an inter-container communication method 300 provided by an embodiment of the present invention. The method 300 can be applied to the Linux system 100 shown in FIG. 1 and can be performed by the authentication module in FIG. 1.
S310: Receive an authentication request sent by a first container for requesting communication with a second container, where the first container and the second container are located on the same host and both have mounted the host's shared directory.
Specifically, the authentication module may receive an authentication request sent by the first container requesting communication with a second container on the same host, where both the first container and the second container have already mounted the host's shared directory.
Optionally, the authentication request may include the identifier of the first container and the identifier of the second container.
S320: Generate, according to the authentication request, a communication file in the host's shared directory, where the communication file includes the communication resources for communication between the first container and the second container.
Specifically, the authentication module may determine, according to the authentication request sent by the first container, the communication mode between the first container and the second container, and generate a communication file for the first container and the second container according to that mode. The communication file includes the communication resources used for communication, so that the first container and the second container can communicate based on the resources in the communication file.
Specifically, as an optional embodiment, if it is determined that the first container and the second container use Unix domain socket communication, the authentication module may generate a communication file in the host's shared directory; the communication file may be, for example, a socket file, which describes the socket that the authentication module has allocated for communication between the first container and the second container.
As another optional embodiment, if it is determined that the first container and the second container use shared memory communication, the authentication module may generate a communication file in the host's shared directory; the communication file may be, for example, a shared memory file, which determines, in the host's memory, the shared memory allocated for communication between the first container and the second container. Optionally, the allocated shared memory may be host memory other than the host memory occupied by the first container and the second container.
Specifically, before S310, the authentication module may determine the communication permission of the first container and the second container according to the authentication request; communication permission between containers is granted only to containers that have been authorized.
Optionally, the authentication module may determine, according to the authentication request, whether the first container and the second container are in a preset trusted container list; if they are, both the first container and the second container are trusted and have permission to communicate.
Optionally, if at least one of the first container and the second container is not in the trusted container list preset by the authentication module, there may be a malicious container, and the two containers cannot be granted permission to communicate; therefore no communication file is generated for the first container and the second container.
Optionally, the authentication request may request communication with one or more second containers. The authentication module needs to authenticate all containers in the request; only when all containers in the authentication request are trusted containers may a communication file be generated for communication between the first container and the one or more second containers. This is not limited in the embodiment of the present invention.
S330: Send the file information of the communication file to the first container and the second container, so that the first container and the second container can locate the communication file in the host's shared directory according to the file information and communicate through the communication file.
Specifically, after generating the communication file, the authentication module may send the file information of the communication file to the first container and the second container, that is, send information indicating the communication resources to the first container and the second container, so that the first container and the second container can determine the communication resources from this indication and communicate according to those resources.
Optionally, the authentication module may broadcast the communication information of the communication file to the first container and the second container, or send it to the first container and the second container separately; this is not limited in the embodiment of the present invention.
Optionally, the file information of the file may be the file name of the file, or the resource information included in the file.
As an optional embodiment, if the authentication module generates a socket file, it may send the file name of the socket file to the first container and the second container; if the authentication module generates a shared memory file, it may send the file information of the shared memory file to the first container and the second container. The file information of the shared memory file may include the file name and, optionally, the start address and length of the shared memory determined by the shared memory file, so that the specific memory allocated by the authentication module for container communication can be determined from the file information of the shared memory file.
Optionally, the communication file may also be a file in a subdirectory of the shared directory, and the file information of the communication file may further include information indicating the path of that file under the subdirectory of the shared directory; the embodiment of the present invention is not limited to this.
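Steps S310 to S330 as a small host-side model, added here as an example and not code from the patent or its applicant. The trusted-container list, the file names, the file-information dictionary and the temporary shared directory are constructed for this illustration; for socket mode it is assumed that the module only creates the socket entry to reserve the name and that the receiving container re-binds it.

```python
import os
import socket
import stat
import tempfile


class AuthenticationModule:
    """Constructed model of the host-side authentication module of method 300.

    shared_dir: the host directory that every container has mounted.
    trusted:    the preset trusted-container list (container identifiers).
    """

    def __init__(self, shared_dir, trusted):
        self.shared_dir = shared_dir
        self.trusted = set(trusted)
        self._seq = 0

    def is_authorized(self, first_id, second_ids):
        # Permission check: every container named in the request, the
        # requester included, must be on the preset trusted list. A single
        # unknown container denies the whole request (it may be malicious).
        return all(c in self.trusted for c in [first_id] + list(second_ids))

    def handle_request(self, first_id, second_ids, mode, shm_length=4096):
        """S310-S330 for one request. Returns the file information that is sent
        to the containers, or None when no communication file is generated."""
        if not self.is_authorized(first_id, second_ids):
            return None
        self._seq += 1
        if mode == "unix_socket":
            # Socket file in the shared directory; S330 sends only its name.
            # Assumption: the module binds once to create the entry, and the
            # receiving container later unlinks and re-binds that path.
            name = "comm-%d.sock" % self._seq
            s = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
            s.bind(os.path.join(self.shared_dir, name))
            s.close()
            return {"mode": mode, "name": name}
        if mode == "shared_memory":
            # Shared-memory file sized to the region allocated for this pair.
            name = "comm-%d.shm" % self._seq
            with open(os.path.join(self.shared_dir, name), "wb") as f:
                f.truncate(shm_length)
            # File information carries the name plus the start offset and the
            # length, so both containers map exactly the allocated memory.
            return {"mode": mode, "name": name, "start": 0, "length": shm_length}
        raise ValueError("unknown communication mode: %r" % mode)


def comm_file_size(module, info):
    """Size of the communication file named in info, as a container sees it."""
    return os.path.getsize(os.path.join(module.shared_dir, info["name"]))


def comm_file_is_socket(module, info):
    """True when the named communication file is a socket inode."""
    st = os.stat(os.path.join(module.shared_dir, info["name"]))
    return stat.S_ISSOCK(st.st_mode)


def demo():
    """Run the cases from the text against a temporary shared directory."""
    shared_dir = tempfile.mkdtemp(prefix="host-shared-")
    module = AuthenticationModule(shared_dir, trusted=["c1", "c2"])
    # c3 is not trusted, so the request naming it yields no file at all.
    denied = module.handle_request("c1", ["c2", "c3"], "shared_memory")
    shm = module.handle_request("c1", ["c2"], "shared_memory", shm_length=8192)
    sock = module.handle_request("c1", ["c2"], "unix_socket")
    return {
        "denied": denied,
        "shm": shm,
        "shm_size": comm_file_size(module, shm),
        "sock": sock,
        "sock_is_socket": comm_file_is_socket(module, sock),
    }


if __name__ == "__main__":
    print(demo())
```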
As an optional embodiment, when the first container and the second container communicate by Unix domain socket, a kernel channel is established through the socket file, and reading the socket file during communication means reading from that kernel channel. No network protocol stack, packing or unpacking is involved; application-layer data is simply copied from one process to another, which is fast and secure.
As another optional embodiment, when the first container and the second container communicate by shared memory, they communicate through a block of shared memory allocated in the host, and data packets may be exchanged by way of a ring-buffer, that is, one ring-buffer provides the service entry for a pair of communicating containers. Assuming the second container is the receiving end and the first container is the sending end, when the first container communicates with the second container the receiving end reads packets from the head of the ring-buffer while the sending end writes packets at the tail of the ring-buffer; communication performance and quality are high. Optionally, the first container and the second container may also exchange data packets through other buffers or in other ways; this is not limited in the embodiment of the present invention.
It should be understood that when the first container and the second container communicate using shared memory, a synchronization mechanism is needed in addition to the data exchange, so that the sending and receiving of data packets by the first container and the second container stay synchronized during communication.
As an optional embodiment, the first container and the second container may use a polling synchronization mechanism. Assuming the second container is the receiving end and the first container is the sending end, when the first container communicates with the second container the sending end simply writes packets into the ring-buffer without notifying the receiving end; the receiving end actively checks whether there are data packets in the ring-buffer, reads them if there are, and otherwise keeps polling.
In the inter-container communication method of the embodiment of the present invention, the authentication module receives an authentication request sent by the first container for requesting communication with the second container, where the first container and the second container are located on the same host and both have mounted the host's shared directory; the authentication module generates, according to the authentication request, a communication file including the communication resources for the first container and the second container, and sends the file information of the communication file to the first container and the second container, so that two containers isolated from each other can communicate.
In the inter-container communication method of the embodiment of the present invention, when the first container and the second container communicate by Unix domain socket, communication is fast and secure; when the first container and the second container communicate by shared memory, communication performance and quality are high.
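The ring-buffer exchange with polling synchronization described above, as an added example that is not part of the patent: two endpoints map the same shared-memory file, the sender appends length-prefixed packets at the tail without notifying anyone, and the receiver polls the head. The region layout (head and tail offsets followed by the data area), the message format and the temporary file are constructed for this illustration; the two endpoints run as threads in one process standing in for two containers.

```python
import mmap
import os
import struct
import tempfile
import threading
import time

U32 = struct.Struct("<I")  # head offset, tail offset, and per-message length prefix


class SharedRing:
    """Constructed single-producer/single-consumer ring inside a shared-memory file.

    Region [start, start+length) is laid out as [head u32][tail u32][data...].
    head is the receiver's read offset and tail the sender's write offset,
    both relative to the data area; each side maps the same file and owns
    exactly one of the two offsets.
    """

    def __init__(self, path, start, length, create=False):
        flags = os.O_RDWR | (os.O_CREAT if create else 0)
        fd = os.open(path, flags, 0o600)
        if create:
            os.ftruncate(fd, start + length)
        self.mm = mmap.mmap(fd, start + length)
        os.close(fd)  # the mapping keeps its own reference to the file
        self.start = start
        self.base = start + 2 * U32.size
        self.cap = length - 2 * U32.size
        if create:
            U32.pack_into(self.mm, start, 0)
            U32.pack_into(self.mm, start + U32.size, 0)

    def _head(self):
        return U32.unpack_from(self.mm, self.start)[0]

    def _tail(self):
        return U32.unpack_from(self.mm, self.start + U32.size)[0]

    def _copy_in(self, off, data):
        # Write at a data-area offset, wrapping at the end of the area.
        off %= self.cap
        n = min(len(data), self.cap - off)
        self.mm[self.base + off:self.base + off + n] = data[:n]
        if n < len(data):
            self.mm[self.base:self.base + len(data) - n] = data[n:]

    def _copy_out(self, off, n):
        off %= self.cap
        first = min(n, self.cap - off)
        out = self.mm[self.base + off:self.base + off + first]
        if first < n:
            out += self.mm[self.base:self.base + n - first]
        return out

    def send(self, msg):
        """Sender: append one packet at the tail; no notification is sent.
        Returns False when the ring has no room, so the caller retries."""
        head, tail = self._head(), self._tail()
        used = (tail - head) % self.cap
        need = U32.size + len(msg)
        if need > self.cap - 1 - used:  # keep one byte free so full != empty
            return False
        self._copy_in(tail, U32.pack(len(msg)) + msg)
        # Publish the new tail only after the payload is in place. Between real
        # processes in C this needs a release barrier; here the GIL orders it.
        U32.pack_into(self.mm, self.start + U32.size, (tail + need) % self.cap)
        return True

    def poll(self):
        """Receiver: inspect the ring once; return a packet or None if empty."""
        head, tail = self._head(), self._tail()
        if head == tail:
            return None
        n = U32.unpack(self._copy_out(head, U32.size))[0]
        msg = self._copy_out(head + U32.size, n)
        U32.pack_into(self.mm, self.start, (head + U32.size + n) % self.cap)
        return bytes(msg)


def run_exchange(n_messages=200, length=64):
    """Sender and receiver map the same file; the receiver only ever polls."""
    path = os.path.join(tempfile.mkdtemp(prefix="host-shared-"), "comm-1.shm")
    sender = SharedRing(path, start=0, length=length, create=True)
    receiver = SharedRing(path, start=0, length=length)
    messages = [b"msg-%d" % i for i in range(n_messages)]

    def produce():
        for m in messages:
            while not sender.send(m):
                time.sleep(0)  # ring full: wait for the receiver to drain it

    t = threading.Thread(target=produce)
    t.start()
    received = []
    while len(received) < n_messages:
        m = receiver.poll()
        if m is None:
            time.sleep(0)  # nothing yet: keep polling, nobody will wake us
            continue
        received.append(m)
    t.join()
    return received


if __name__ == "__main__":
    print(len(run_exchange()), "packets received in order")
```

A 64-byte region leaves a 56-byte data area, so the 200 packets wrap around the ring many times and exercise the split copies.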
FIG. 4 shows an inter-container communication method 400 provided by an embodiment of the present invention. The method 400 can be applied to the Linux system 100 shown in FIG. 1.
S410: Receive file information of a communication file sent by the host's authentication module, where the communication file includes the communication resources for communication between the first container and the second container, both the first container and the second container have mounted the host's shared directory, and the communication file is located in the host's shared directory.
It should be understood that a host may contain multiple mutually isolated containers, which are invisible to and independent of one another because of the Linux Namespace mechanism. The multiple containers can mount the host's shared directory, so that each container and the host can communicate with each other and read the files in the shared directory.
Specifically, the multiple containers in the host may receive the file information sent by the authentication module indicating the communication file for the communication resources, where the communication file is located in the host's shared directory mounted by the containers. From the file information, the containers can determine the communication resources the authentication module allocated for communication between them, and establish communication with one another based on those resources.
As an optional embodiment, before S410, a first container among the multiple containers may send to the authentication module an authentication request for requesting communication with a second container.
Optionally, the authentication request may include the identifier of the first container and the identifier of the second container, so that the authentication module can authenticate the communication between the first container and the second container according to the authentication request.
Optionally, there may be one or more second containers; this is not limited in the embodiment of the present invention.
S420: The first container determines the communication file according to the information of the communication file.
Specifically, both the first container and the second container can determine the communication file according to the information of the communication file, where the communication file includes the communication resources for communication between the first container and the second container.
Optionally, the resource information of the communication file may be the file name of the communication file, or the identification information or attribute information of the communication file, or any other information that the first container and the second container can use to determine the communication file; this is not limited in the embodiment of the present invention.
As an optional embodiment, if the authentication module generates a socket file, it may send the file name of the socket file to the first container and the second container; if the authentication module generates a shared memory file, it may send the file information of the shared memory file to the first container and the second container. The file information of the shared memory file may include the file name and, optionally, the start address and length of the shared memory determined by the shared memory file, so that the specific memory allocated by the authentication module for container communication can be determined from the file information of the shared memory file.
Optionally, the communication file may also be a file in a subdirectory of the shared directory, and the file information of the communication file may further include information indicating the path of that file under the subdirectory of the shared directory; the embodiment of the present invention is not limited to this.
S430: The first container communicates with the second container according to the communication file.
Specifically, the first container and the second container can communicate according to the communication file, which includes the communication resources used for communication.
As an optional embodiment, when the first container and the second container communicate by Unix domain socket, a kernel channel is established through the socket provided by the socket file, and reading the socket file during communication means reading from that kernel channel. No network protocol stack, packing or unpacking is involved; application-layer data is simply copied from one process to another, which is fast and secure.
As another optional embodiment, when the first container and the second container communicate by shared memory, they communicate through a block of shared memory allocated in the host, and data packets may be exchanged by way of a ring-buffer, that is, one ring-buffer provides the service entry for a pair of communicating containers. Assuming the second container is the receiving end and the first container is the sending end, when the first container communicates with the second container the receiving end reads packets from the head of the ring-buffer while the sending end writes packets at the tail of the ring-buffer; communication performance and quality are high. Optionally, the first container and the second container may also exchange data packets through other buffers or in other ways; this is not limited in the embodiment of the present invention.
In the inter-container communication method of the embodiment of the present invention, the first container receives the file information of a communication file sent by the authentication module, where the communication file includes the communication resources for the first container and the second container located on the same host, and both the first container and the second container have mounted the host's shared directory; the first container determines the communication file according to its file information and communicates with the second container through the communication file, so that two containers isolated from each other can communicate.
In the inter-container communication method of the embodiment of the present invention, when the first container and the second container communicate by Unix domain socket, communication is fast and secure; when the first container and the second container communicate by shared memory, communication performance and quality are high.
It should be understood that the sequence numbers of the above processes do not imply an order of execution; the execution order of the processes should be determined by their functions and internal logic, and should not constitute any limitation on the implementation of the embodiments of the present invention.
The inter-container communication method according to the embodiments of the present invention has been described in detail above with reference to FIG. 1 to FIG. 4. The inter-container communication apparatus according to the embodiments of the present invention is described in detail below with reference to FIG. 5 to FIG. 8.
FIG. 5 shows an inter-container communication apparatus 500 provided by an embodiment of the present invention. The apparatus 500 includes:
a receiving unit 510, configured to receive an authentication request sent by a first container for requesting communication with a second container, where the first container and the second container are located on the same host and both have mounted the host's shared directory;
a generating unit 520, configured to generate, according to the authentication request received by the receiving unit 510, a communication file in the host's shared directory, where the communication file includes the communication resources for communication between the first container and the second container;
a sending unit 530, configured to send the file information of the communication file generated by the generating unit 520 to the first container and the second container, so that the first container and the second container can locate the communication file in the host's shared directory according to the file information and communicate through the communication file.
Optionally, the apparatus 500 further includes a determining unit, configured to determine, according to the authentication request and before the communication file is generated in the host's shared directory according to the authentication request, whether the first container and the second container are in a preset trusted container list, where the authentication request carries the identifier of the first container and the identifier of the second container; if both the first container and the second container are in the preset trusted container list, it is determined that the first container and the second container have permission to communicate.
Optionally, the generating unit 520 is specifically configured to: determine the communication mode between the first container and the second container according to the authentication request; and generate the communication file according to the communication mode.
Optionally, if it is determined that the first container and the second container use Unix domain socket communication, the generating unit 520 generates a socket file, which provides the socket for communication between the first container and the second container; and/or, if it is determined that the first container and the second container use shared memory communication, the generating unit 520 generates a shared memory file, which provides the shared memory in the host's memory for communication between the first container and the second container.
It should be understood that the apparatus 500 here is embodied in the form of functional units. The term "unit" here may refer to an Application Specific Integrated Circuit (ASIC), an electronic circuit, a processor (for example a shared processor, a dedicated processor or a group processor) and memory for executing one or more software or firmware programs, merged logic circuits, and/or other suitable components that support the described functions. In an optional example, those skilled in the art can understand that the apparatus 500 may specifically be the authentication module in the above embodiments, and the apparatus 500 may be used to perform the processes and/or steps corresponding to the authentication module in the above method embodiments; to avoid repetition, details are not described here again.
FIG. 6 shows an inter-container communication apparatus 600 provided by an embodiment of the present invention. The apparatus 600 includes:
a receiving unit 610, configured to receive file information of a communication file sent by the host's authentication module, where the communication file includes the communication resources for communication between a first container and a second container, both the first container and the second container have mounted the host's shared directory, and the communication file is located in the host's shared directory;
a determining unit 620, configured for the first container to determine the communication file in the host's shared directory according to the file information of the communication file received by the receiving unit 610;
a communication unit 630, configured for the first container to communicate with the second container according to the communication file determined by the determining unit 620.
Optionally, the apparatus 600 further includes a sending unit, configured for the first container to send an authentication request to the authentication module before the file information of the communication file sent by the host's authentication module is received, where the authentication request is for requesting communication with the second container, and the first container and the second container are both located in the host.
Optionally, the authentication request carries the communication mode between the first container and the second container.
Optionally, the communication file includes a socket file and/or a shared memory file, where the socket file provides the socket for communication between the first container and the second container, and the shared memory file provides the shared memory in the host's memory for communication between the first container and the second container.
It should be understood that the apparatus 600 here is embodied in the form of functional units. The term "unit" here may refer to an Application Specific Integrated Circuit (ASIC), an electronic circuit, a processor (for example a shared processor, a dedicated processor or a group processor) and memory for executing one or more software or firmware programs, merged logic circuits, and/or other suitable components that support the described functions. In an optional example, those skilled in the art can understand that the apparatus 600 may specifically be a container in the above embodiments, and the apparatus 600 may be used to perform the processes and/or steps corresponding to the container in the above method embodiments; to avoid repetition, details are not described here again.
FIG. 7 shows an inter-container communication apparatus 700 provided by an embodiment of the present invention. The apparatus 700 includes a receiver 710, a processor 720, a transmitter 730, a memory 740 and a bus system 750. The receiver 710, the processor 720, the transmitter 730 and the memory 740 are connected through the bus system 750; the memory 740 is configured to store instructions, and the processor 720 is configured to execute the instructions stored in the memory 740, so as to control the receiver 710 to receive signals and control the transmitter 730 to send instructions.
The receiver 710 is configured to receive an authentication request sent by a first container for requesting communication with a second container, where the first container and the second container are located on the same host and both have mounted the host's shared directory;
the processor 720 is configured to generate, according to the authentication request received by the receiver 710, a communication file in the host's shared directory, where the communication file includes the communication resources for communication between the first container and the second container;
the transmitter 730 is configured to send the file information of the communication file generated by the processor 720 to the first container and the second container, so that the first container and the second container can locate the communication file in the host's shared directory according to the file information and communicate through the communication file.
Optionally, the processor 720 is specifically configured to: determine the communication mode between the first container and the second container according to the authentication request; and generate the communication file according to the communication mode.
Optionally, if it is determined that the first container and the second container use Unix domain socket communication, the processor 720 generates a socket file, which describes the socket for communication between the first container and the second container; and/or, if it is determined that the first container and the second container use shared memory communication, the processor 720 generates a shared memory file, which provides the shared memory in the host's memory for communication between the first container and the second container.
Optionally, the processor 720 is further configured to determine, according to the authentication request and before generating the communication file in the host's shared directory according to the authentication request, whether the first container and the second container are in a preset trusted container list, where the authentication request carries the identifier of the first container and the identifier of the second container; if both the first container and the second container are in the preset trusted container list, it is determined that the first container and the second container have permission to communicate.
应理解,装置700可以具体为上述实施例中的终端设备,并且可以用于执行上述方法实施例中与终端设备对应的各个步骤和/或流程。可选地,该存储器740可以包括只读存储器和随机存取存储器,并向处理器提供指令和数据。存储器的一部分还可以包括非易失性随机存取存储器。例如,存储器还可以存储设备类型的信息。该处理器720可以用于执行存储器中存储的指令,并且该处理器执行该指令时,该处理器可以执行上述方法实施例中与终端设备对应的各个步骤。It should be understood that the device 700 may be specifically the terminal device in the foregoing embodiment, and may be used to perform various steps and/or processes corresponding to the terminal device in the foregoing method embodiments. Alternatively, the memory 740 can include read only memory and random access memory and provide instructions and data to the processor. A portion of the memory may also include a non-volatile random access memory. For example, the memory can also store information of the device type. The processor 720 can be configured to execute instructions stored in a memory, and when the processor executes the instructions, the processor can perform various steps corresponding to the terminal device in the above method embodiments.
FIG. 8 shows an apparatus 800 for inter-container communication provided by an embodiment of the present invention. The apparatus 800 includes a receiver 810, a processor 820, a transmitter 830, a memory 840 and a bus system 850. The receiver 810, the processor 820, the transmitter 830 and the memory 840 are connected by the bus system 850; the memory 840 is configured to store instructions, and the processor 820 is configured to execute the instructions stored in the memory 840 so as to control the receiver 810 to receive signals and control the transmitter 830 to send signals.
The receiver 810 is configured to receive file information of a communication file sent by an authentication module of a host, where the communication file includes the communication resource used by a first container to communicate with a second container, both the first container and the second container have mounted a shared directory of the host, and the communication file is located in the shared directory of the host;
the processor 820 is configured so that the first container determines the communication file in the shared directory of the host according to the file information of the communication file received by the receiver 810, and communicates with the second container according to the communication file determined by the processor.
Optionally, the transmitter 830 is configured so that, before the file information of the communication file sent by the authentication module of the host is received, the first container sends an authentication request to the authentication module, where the authentication request is used to request communication with the second container, and both the first container and the second container are located in the host.
Optionally, the authentication request carries the communication mode between the first container and the second container.
Optionally, the communication file includes a socket file and/or a shared memory file, where the socket file is used to describe the socket through which the first container communicates with the second container, and the shared memory file is used to allocate, in the memory of the host, shared memory for the communication between the first container and the second container.
It should be understood that the apparatus 800 may specifically be the network device in the foregoing embodiments and may be used to perform the steps and/or processes corresponding to the network device in the foregoing method embodiments. Optionally, the memory 840 may include a read-only memory and a random access memory and provide instructions and data to the processor. A part of the memory may further include a non-volatile random access memory. For example, the memory may further store information about the device type. The processor 820 may be used to execute the instructions stored in the memory, and when the processor executes the instructions stored in the memory, the processor is configured to perform the steps and/or processes of the foregoing method embodiments.
It should be understood that, in the embodiments of the present invention, the processor may be a central processing unit (CPU), or may be another general-purpose processor, a digital signal processor (DSP), an application specific integrated circuit (ASIC), a field programmable gate array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, a discrete hardware component, or the like. The general-purpose processor may be a microprocessor, or the processor may be any conventional processor or the like.
In the implementation process, the steps of the foregoing method may be completed by an integrated logic circuit of the hardware in the processor or by instructions in the form of software. The steps of the method disclosed in the embodiments of the present invention may be directly embodied as being executed by a hardware processor, or executed by a combination of hardware and software modules in the processor. The software module may be located in a storage medium mature in the art, such as a random access memory, a flash memory, a read-only memory, a programmable read-only memory, an electrically erasable programmable memory or a register. The storage medium is located in the memory; the processor reads the instructions in the memory and completes the steps of the foregoing method in combination with its hardware. To avoid repetition, details are not described here again.
A person of ordinary skill in the art may be aware that the method steps and units described in connection with the embodiments disclosed herein can be implemented by electronic hardware, computer software or a combination of the two. To clearly illustrate the interchangeability of hardware and software, the steps and composition of each embodiment have been generally described above in terms of function. Whether these functions are performed by hardware or software depends on the particular application and design constraints of the technical solution. A person of ordinary skill in the art may use different methods to implement the described functions for each particular application, but such implementation should not be considered to be beyond the scope of the present application.
A person skilled in the art can clearly understand that, for convenience and brevity of description, for the specific working processes of the systems, apparatuses and units described above, reference may be made to the corresponding processes in the foregoing method embodiments, and details are not described here again.
In the several embodiments provided in the present application, it should be understood that the disclosed systems, apparatuses and methods may be implemented in other manners. For example, the apparatus embodiments described above are merely illustrative; for example, the division into units is merely a division by logical function, and there may be other divisions in actual implementation, for example, multiple units or components may be combined or integrated into another system, or some features may be ignored or not performed. In addition, the mutual couplings, direct couplings or communication connections shown or discussed may be indirect couplings or communication connections through some interfaces, apparatuses or units, and may be electrical, mechanical or in other forms.
The units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units; that is, they may be located in one place or distributed over multiple network units. Some or all of the units may be selected according to actual needs to achieve the objectives of the solutions of the embodiments of the present invention.
In addition, the functional units in the embodiments of the present application may be integrated into one processing unit, or each unit may exist physically alone, or two or more units may be integrated into one unit. The integrated unit may be implemented in the form of hardware or in the form of a software functional unit.
When the integrated unit is implemented in the form of a software functional unit and sold or used as an independent product, it may be stored in a computer-readable storage medium. Based on such an understanding, the technical solution of the present application essentially, or the part contributing to the prior art, or all or part of the technical solution, may be embodied in the form of a software product. The computer software product is stored in a storage medium and includes several instructions for causing a computer device (which may be a personal computer, a server, a network device or the like) to perform all or part of the steps of the methods described in the embodiments of the present application. The foregoing storage medium includes any medium that can store program code, such as a USB flash drive, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk or an optical disc.
The foregoing is merely specific embodiments of the present application, but the protection scope of the present application is not limited thereto. Any person skilled in the art can readily conceive of various equivalent modifications or replacements within the technical scope disclosed in the present application, and such modifications or replacements shall fall within the protection scope of the present application. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.

Claims (24)

  1. A method for inter-container communication, characterized by comprising:
    receiving an authentication request sent by a first container to request communication with a second container, wherein the first container and the second container are located on the same host, and both the first container and the second container have mounted a shared directory of the host;
    generating, according to the authentication request, a communication file in the shared directory of the host, wherein the communication file includes the communication resource used by the first container to communicate with the second container;
    sending file information of the communication file to the first container and the second container, so that the first container and the second container determine the communication file in the shared directory of the host according to the file information of the communication file and communicate according to the communication file.
  2. The method according to claim 1, characterized in that, before the generating, according to the authentication request, a communication file in the shared directory of the host, the method further comprises:
    determining, according to the authentication request, whether the first container and the second container are in a preset trusted container list, wherein the authentication request carries an identifier of the first container and an identifier of the second container;
    if both the first container and the second container are in the preset trusted container list, determining that the first container and the second container have permission to communicate.
  3. The method according to claim 1 or 2, characterized in that the generating, according to the authentication request, a communication file in the shared directory of the host comprises:
    determining, according to the authentication request, a communication mode between the first container and the second container;
    generating the communication file according to the communication mode.
  4. The method according to claim 3, characterized in that the generating the communication file according to the communication mode comprises:
    if it is determined that the first container and the second container communicate by Unix domain socket, generating a socket file, wherein the socket file is used to provide a socket for the communication between the first container and the second container; and/or
    if it is determined that the first container and the second container communicate by shared memory, generating a shared memory file, wherein the shared memory file is used to provide, in the memory of the host, shared memory for the communication between the first container and the second container.
  5. A method for inter-container communication, characterized by comprising:
    receiving file information of a communication file sent by an authentication module of a host, wherein the communication file includes the communication resource used by a first container to communicate with a second container, both the first container and the second container have mounted a shared directory of the host, and the communication file is located in the shared directory of the host;
    determining, by the first container, the communication file in the shared directory of the host according to the file information of the communication file;
    communicating, by the first container, with the second container according to the communication file.
  6. The method according to claim 5, characterized in that, before the receiving file information of a communication file sent by an authentication module of a host, the method further comprises:
    sending, by the first container, an authentication request to the authentication module, wherein the authentication request is used to request communication with the second container, and both the first container and the second container are located in the host.
  7. The method according to claim 6, characterized in that the authentication request carries a communication mode between the first container and the second container.
  8. The method according to any one of claims 5 to 7, characterized in that the communication file comprises a socket file and/or a shared memory file, wherein the socket file is used to provide a socket for the communication between the first container and the second container, and the shared memory file is used to provide, in the memory of the host, shared memory for the communication between the first container and the second container.
  9. An apparatus for inter-container communication, characterized by comprising:
    a receiving unit, configured to receive an authentication request sent by a first container to request communication with a second container, wherein the first container and the second container are located on the same host, and both the first container and the second container have mounted a shared directory of the host;
    a generating unit, configured to generate, according to the authentication request received by the receiving unit, a communication file in the shared directory of the host, wherein the communication file includes the communication resource used by the first container to communicate with the second container;
    a sending unit, configured to send file information of the communication file generated by the generating unit to the first container and the second container, so that the first container and the second container determine the communication file in the shared directory of the host according to the file information of the communication file and communicate according to the communication file.
  10. The apparatus according to claim 9, characterized in that the apparatus further comprises a determining unit,
    wherein the determining unit is configured to, before the generating, according to the authentication request, a communication file in the shared directory of the host, determine according to the authentication request whether the first container and the second container are in a preset trusted container list, wherein the authentication request carries an identifier of the first container and an identifier of the second container;
    if both the first container and the second container are in the preset trusted container list, determine that the first container and the second container have permission to communicate.
  11. The apparatus according to claim 9 or 10, characterized in that the generating unit is specifically configured to:
    determine, according to the authentication request, a communication mode between the first container and the second container;
    generate the communication file according to the communication mode.
  12. The apparatus according to claim 11, characterized in that the generating unit is specifically configured to:
    if it is determined that the first container and the second container communicate by Unix domain socket, generate a socket file, wherein the socket file is used to provide a socket for the communication between the first container and the second container; and/or
    if it is determined that the first container and the second container communicate by shared memory, generate a shared memory file, wherein the shared memory file is used to provide, in the memory of the host, shared memory for the communication between the first container and the second container.
  13. An apparatus for inter-container communication, characterized by comprising:
    a receiving unit, configured to receive file information of a communication file sent by an authentication module of a host, wherein the communication file includes the communication resource used by a first container to communicate with a second container, both the first container and the second container have mounted a shared directory of the host, and the communication file is located in the shared directory of the host;
    a determining unit, configured so that the first container determines the communication file in the shared directory of the host according to the file information of the communication file received by the receiving unit;
    a communication unit, configured so that the first container communicates with the second container according to the communication file determined by the determining unit.
  14. The apparatus according to claim 13, characterized in that the apparatus further comprises a sending unit,
    wherein the sending unit is configured so that, before the file information of the communication file sent by the authentication module of the host is received, the first container sends an authentication request to the authentication module, wherein the authentication request is used to request communication with the second container, and both the first container and the second container are located in the host.
  15. The apparatus according to claim 14, characterized in that the authentication request carries a communication mode between the first container and the second container.
  16. The apparatus according to any one of claims 13 to 15, characterized in that the communication file comprises a socket file and/or a shared memory file, wherein the socket file is used to provide a socket for the communication between the first container and the second container, and the shared memory file is used to provide, in the memory of the host, shared memory for the communication between the first container and the second container.
  17. An apparatus for inter-container communication, characterized by comprising a receiver, a transmitter, a processor and a memory, wherein the memory is configured to store instructions and the processor is configured to invoke the instructions to perform the following processing:
    receiving, through the receiver, an authentication request sent by a first container to request communication with a second container, wherein the first container and the second container are located on the same host, and both the first container and the second container have mounted a shared directory of the host;
    generating, according to the authentication request received by the receiver, a communication file in the shared directory of the host, wherein the communication file includes the communication resource used by the first container to communicate with the second container;
    sending, through the transmitter, file information of the communication file generated by the processor to the first container and the second container, so that the first container and the second container determine the communication file in the shared directory of the host according to the file information of the communication file and communicate according to the communication file.
  18. The apparatus according to claim 17, characterized in that the processor is further configured to:
    before the generating, according to the authentication request, a communication file in the shared directory of the host, determine according to the authentication request whether the first container and the second container are in a preset trusted container list, wherein the authentication request carries an identifier of the first container and an identifier of the second container;
    if both the first container and the second container are in the preset trusted container list, determine that the first container and the second container have permission to communicate.
  19. The apparatus according to claim 17 or 18, characterized in that the processor is specifically configured to:
    determine, according to the authentication request, a communication mode between the first container and the second container;
    generate the communication file according to the communication mode.
  20. The apparatus according to claim 19, characterized in that the processor is specifically configured to:
    if it is determined that the first container and the second container communicate by Unix domain socket, generate a socket file, wherein the socket file is used to provide a socket for the communication between the first container and the second container; and/or
    if it is determined that the first container and the second container communicate by shared memory, generate a shared memory file, wherein the shared memory file is used to provide, in the memory of the host, shared memory for the communication between the first container and the second container.
  21. An apparatus for communication between containers, comprising a receiver, a transmitter, a processor and a memory, wherein the memory is configured to store instructions and the processor is configured to invoke the instructions to perform the following processing:
    receiving, through the receiver, file information of a communication file sent by an authentication module of a host, where the communication file comprises a communication resource for a first container to communicate with a second container, the first container and the second container both mount a shared directory of the host, and the communication file is located under the shared directory of the host;
    determining, according to the file information of the communication file received by the receiver, the communication file under the shared directory of the host; and
    communicating with the second container through the receiver and/or the transmitter according to the communication file determined by the processor.
  22. The apparatus according to claim 21, wherein the transmitter is specifically configured to:
    before the file information of the communication file sent by the authentication module of the host is received, send an authentication request to the authentication module, where the authentication request is used to request communication with the second container, and the first container and the second container are both located in the host.
  23. The apparatus according to claim 22, wherein the authentication request carries a communication manner between the first container and the second container.
  24. The apparatus according to any one of claims 21 to 23, wherein the communication file comprises a socket file and/or a shared memory file, the socket file being used to provide a socket for the communication between the first container and the second container, and the shared memory file being used to provide, in the memory of the host, shared memory for the communication between the first container and the second container.
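The broker-and-shared-directory flow of claims 21 to 24, as an added Python simulation that is not part of the patent or of any Huawei implementation: the host-side authentication module checks the requested communication manner against an allow-list and returns only a file name, and the container resolves that name strictly under the shared directory before using the socket file. The function names, the policy table, the container names c1 and c2 and the file naming are assumptions.

```python
import os
import socket
import tempfile
import threading

def authenticate(policy, request):
    """Host-side authentication module (assumed shape): policy maps (source, destination)
    to the permitted communication manners and the request carries the wanted manner."""
    key = (request["src"], request["dst"])
    if request["method"] not in policy.get(key, set()):  # claim 23: manner is checked
        return {"ok": False}
    suffix = "sock" if request["method"] == "socket" else "shm"
    # Only a file name is returned; the container must locate it under the shared directory
    return {"ok": True, "file": f"{key[0]}-{key[1]}.{suffix}"}

def resolve_in_shared_dir(shared_dir, name):
    """Container side: resolve the communication file; None if it escapes the shared directory."""
    shared = os.path.realpath(shared_dir)
    path = os.path.realpath(os.path.join(shared, name))
    return path if os.path.dirname(path) == shared else None

def demo(payload=b"hello from c1"):
    """c1 asks to talk to c2 over a socket; c2 listens on the granted socket file; c1 sends one
    message. Returns (granted, file name, bytes received by c2). Constructed sample data."""
    shared_dir = tempfile.mkdtemp()  # stands in for the host's shared directory
    policy = {("c1", "c2"): {"socket"}}  # assumed allow-list held by the authentication module
    grant = authenticate(policy, {"src": "c1", "dst": "c2", "method": "socket"})
    path = resolve_in_shared_dir(shared_dir, grant["file"])
    server = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)  # c2 side
    server.bind(path)
    server.listen(1)
    received = []
    def peer():  # c2: accept one connection on the socket file and read the message
        conn, _ = server.accept()
        received.append(conn.recv(1024))
        conn.close()
    t = threading.Thread(target=peer)
    t.start()
    client = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)  # c1 side
    client.connect(path)
    client.sendall(payload)
    client.close()
    t.join()
    server.close()
    os.unlink(path)
    os.rmdir(shared_dir)
    return grant["ok"], grant["file"], received[0]
```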
PCT/CN2016/107228 2015-12-11 2016-11-25 Inter-container communication method and apparatus WO2017097116A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201510919506.7A CN105550576B (en) 2015-12-11 2015-12-11 The method and apparatus communicated between container
CN201510919506.7 2015-12-11

Publications (1)

Publication Number Publication Date
WO2017097116A1 true WO2017097116A1 (en) 2017-06-15

Family

ID=55829763

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2016/107228 WO2017097116A1 (en) 2015-12-11 2016-11-25 Inter-container communication method and apparatus

Country Status (2)

Country Link
CN (1) CN105550576B (en)
WO (1) WO2017097116A1 (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US11188345B2 (en) 2019-06-17 2021-11-30 International Business Machines Corporation High performance networking across docker containers
CN115242898A (en) * 2022-06-06 2022-10-25 浪潮通信技术有限公司 Method and device for communication between protocol stack and physical layer process

Families Citing this family (16)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105550576B (en) * 2015-12-11 2018-09-11 华为技术服务有限公司 The method and apparatus communicated between container
WO2017202272A1 (en) * 2016-05-26 2017-11-30 Huawei Technologies Co., Ltd. System and method of software defined switches between light weight virtual machines using host kernel resources
CN107783854B (en) * 2016-08-29 2021-08-20 华为技术有限公司 Method and device for processing progress
CN108205623B (en) * 2016-12-16 2020-04-03 杭州华为数字技术有限公司 Method and apparatus for sharing a directory
CN108322307B (en) * 2017-01-16 2021-02-09 中标软件有限公司 Inter-container communication system and method based on kernel memory sharing
CN107329792B (en) * 2017-07-04 2020-05-22 北京奇艺世纪科技有限公司 Docker container starting method and device
CN109324908B (en) 2017-07-31 2021-09-07 华为技术有限公司 Container isolation method and device for Netlik resources
CN107544918B (en) * 2017-08-17 2021-01-15 海光信息技术股份有限公司 Memory page sharing method
CN108228313B (en) * 2017-11-30 2021-11-30 中国联合网络通信集团有限公司 Method and device for discovering downstream container
CN108875385B (en) * 2018-05-07 2021-09-17 麒麟合盛网络技术股份有限公司 Method and device for communication between applications
CN108880898B (en) * 2018-06-29 2020-09-08 新华三技术有限公司 Main and standby container system switching method and device
CN109361606B (en) * 2018-09-28 2021-05-25 新华三技术有限公司 Message processing system and network equipment
CN109359450B (en) * 2018-10-29 2021-03-05 北京猎户星空科技有限公司 Security access method, device, equipment and storage medium of Linux system
CN110308987B (en) * 2019-05-17 2023-08-01 深圳致星科技有限公司 Method for updating connection parameters of distributed training tasks on container cloud
CN110572288A (en) * 2019-11-04 2019-12-13 河南戎磐网络科技有限公司 Data exchange method based on trusted container
CN113468517A (en) * 2021-09-02 2021-10-01 北京交研智慧科技有限公司 Data sharing method, system and storage medium based on block chain

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101073239A (en) * 2004-10-29 2007-11-14 法国电信公司 Method and system for communication between a secure information storage device and at least one third party, corresponding entity, device and third party
US7707416B2 (en) * 2002-02-01 2010-04-27 Novell, Inc. Authentication cache and authentication on demand in a distributed network environment
CN104391694A (en) * 2014-11-05 2015-03-04 工业和信息化部电子科学技术情报研究所 Intelligent mobile terminal software public service support platform system
CN105550576A (en) * 2015-12-11 2016-05-04 华为技术服务有限公司 Communication method and device between containers

Family Cites Families (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7496613B2 (en) * 2006-01-09 2009-02-24 International Business Machines Corporation Sharing files among different virtual machine images
CN101819564B (en) * 2009-02-26 2013-04-17 国际商业机器公司 Method and device for assisting communication between virtual machines
CN101667144B (en) * 2009-09-29 2013-02-13 北京航空航天大学 Virtual machine communication method based on shared memory
CN101977195B (en) * 2010-10-29 2013-07-31 西安交通大学 Method for realizing virtual machine inter-domain communication protocol based on shared memory mechanism
US8819090B2 (en) * 2012-04-23 2014-08-26 Citrix Systems, Inc. Trusted file indirection
CN103491193B (en) * 2013-09-30 2018-06-05 华为技术有限公司 A kind of method and apparatus of file-sharing

Also Published As

Publication number Publication date
CN105550576A (en) 2016-05-04
CN105550576B (en) 2018-09-11

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 16872308

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 16872308

Country of ref document: EP

Kind code of ref document: A1