WO2020001617A1 - Method for obtaining verification information and data center - Google Patents


Info

Publication number
WO2020001617A1
Authority
WO
WIPO (PCT)
Prior art keywords
virtual machine
data center
verification information
metadata
host
Application number
PCT/CN2019/093687
Other languages
French (fr)
Chinese (zh)
Inventor
刘亮
Original Assignee
华为技术有限公司


Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0823 Network architectures or network communication protocols for network security for authentication of entities using certificates
    • H04L63/16 Implementing security features at a particular protocol layer
    • H04L63/166 Implementing security features at a particular protocol layer at the transport layer

Abstract

A method for obtaining verification information, used by a first virtual machine of a first data center to obtain verification information from a host. The method comprises: a metadata server of the first data center receives from the host an upload request comprising the virtual machine ID of the first virtual machine and the verification information, and stores the verification information into the storage space of the first virtual machine according to the upload request; the metadata server receives a metadata acquisition request from the first virtual machine and, according to that request, sends the verification information to the first virtual machine, where the verification information is used to verify the establishment of a channel between the virtual machine and the host. Because the metadata server provides a secure access mode, the risk of leaking the verification information that arises when a virtual machine obtains it directly from the host is avoided, the security of obtaining the verification information is improved, and the security of data migration between a host outside the data center and a virtual machine in the data center is ensured.

Description

Method and data center for obtaining verification information
Technical field
The present application relates to the field of information processing technology, and in particular to a method and a data center for obtaining verification information.
Background
In recent years, cloud computing technology has become increasingly widespread, and more and more Internet and IT vendors offer cloud computing services. When an enterprise needs to migrate its business to a cloud platform, one option is to redeploy the business system on the cloud platform; another important option is to migrate the data of hosts outside the cloud to virtual machines on the cloud platform. This process requires source-side agent software to be installed on the source host and a destination-side agent to be installed on the destination virtual machine of the public cloud platform. The source-side agent reads the data on the source host and transmits it over the network to the destination-side agent, which writes the received data to the disk of the destination virtual machine. In this way the data is transferred from the source host to the destination virtual machine, completing the migration of the source host.
To keep user data secure during migration, data transmission between the source host and the destination virtual machine needs to use a Secure Sockets Layer (SSL) channel. Configuring the SSL channel requires verification information to be configured on both the source host side and the destination virtual machine side. Specifically, before each migration, verification information must be generated on the source host and sent to the destination virtual machine to complete the security verification required by the SSL channel. In the prior art, the verification information has to be configured manually, and the process of sending it from the source host to the destination virtual machine has no security guarantee, so the verification information may be leaked, creating a serious risk to data security.
Summary of the invention
In a first aspect, the present invention provides an embodiment of a method for obtaining verification information. The method is used by a first virtual machine of a first data center to obtain the verification information from a host, where the first data center does not include the host. The method includes: the metadata server of the first data center receives an upload request from the host, the upload request including the virtual machine ID of the first virtual machine and the verification information. The metadata server accesses the storage space of the first virtual machine in the metadata server according to the virtual machine ID in the upload request and stores the verification information in that storage space, where the storage space of the first virtual machine carries the virtual machine ID. The metadata server receives a metadata acquisition request from the first virtual machine, the metadata acquisition request including the virtual machine ID. The metadata server accesses the storage space of the first virtual machine in the metadata server according to the virtual machine ID in the metadata acquisition request and sends the verification information stored in that storage space to the first virtual machine; the verification information is used to verify the establishment of a channel between the virtual machine and the host.
Obtaining the verification information through the metadata server of the data center takes advantage of the secure access mode the metadata server can provide. This avoids the risk of leaking the verification information that arises when a virtual machine obtains it directly from the host, improves the security of obtaining the verification information, and thereby protects data migration between a host outside the data center and a virtual machine in the data center.
With reference to the first aspect, in a first implementation of the first aspect, the host is a physical machine or a second virtual machine in a second data center.
With reference to the first aspect or the first implementation of the first aspect, in a second implementation of the first aspect, the verification information is generated by the host according to a timestamp, and the timestamp is related to the time at which the host generates the verification information.
Generating the verification information from a timestamp lets the host generate it automatically. Compared with verification information configured manually by users or operations staff, verification information generated automatically by the host reduces the risk of leakage during the generation phase and further improves the security of the verification information, thereby protecting data migration between a host outside the data center and a virtual machine in the data center.
With reference to the first aspect or the first or second implementation of the first aspect, in a third implementation of the first aspect, the established channel is an SSL channel, and the verification information includes a certificate and a private key, which are used to verify the establishment of the SSL channel.
With reference to the first aspect or any of the first to third implementations of the first aspect, in a fourth implementation of the first aspect, the upload request further includes a verification signature, and before the metadata server accesses the storage space of the first virtual machine in the metadata server according to the virtual machine ID in the upload request, the method further includes: the metadata server successfully verifies the upload permission of the physical machine according to the verification signature.
In a second aspect, the present invention provides an embodiment of a data center. At least one metadata server and at least one first virtual machine server are deployed in the data center. The at least one metadata server is configured to: receive an upload request from a host, the upload request including the virtual machine ID of the first virtual machine and the verification information, where the data center does not include the host; access the storage space of the first virtual machine in the at least one metadata server according to the virtual machine ID in the upload request and store the verification information in that storage space, where the storage space of the first virtual machine carries the virtual machine ID. The at least one first virtual machine server, by running the first virtual machine, is configured to: initiate a metadata acquisition request to the at least one metadata server, the metadata acquisition request including the virtual machine ID. The at least one metadata server is further configured to: receive the metadata acquisition request, access the storage space of the first virtual machine in the at least one metadata server according to the virtual machine ID in the metadata acquisition request, and send the verification information stored in that storage space to the first virtual machine; the verification information is used to verify the establishment of a channel between the virtual machine and the host.
Obtaining the verification information through at least one metadata server of the data center takes advantage of the secure access mode the metadata server can provide. This avoids the risk of leaking the verification information that arises when a virtual machine obtains it directly from the host, improves the security of obtaining the verification information, and thereby protects data migration between a host outside the data center and a virtual machine in the data center.
With reference to the second aspect, in a first implementation of the second aspect, the host is a physical machine or a second virtual machine that does not belong to the data center, and the second virtual machine runs on at least one second virtual machine server.
With reference to the second aspect or the first implementation of the second aspect, in a second implementation of the second aspect, the verification information is generated by the host according to a timestamp, and the timestamp is related to the time at which the host generates the verification information.
Generating the verification information from a timestamp lets the host generate it automatically. Compared with verification information configured manually by users or operations staff, verification information generated automatically by the host reduces the risk of leakage during the generation phase and further improves the security of the verification information, thereby protecting data migration between a host outside the data center and a virtual machine in the data center.
With reference to the second aspect or the first or second implementation of the second aspect, in a third implementation of the second aspect, the established channel is an SSL channel, and the verification information includes a certificate and a private key, which are used to verify the establishment of the SSL channel.
With reference to the second aspect or any of the first to third implementations of the second aspect, in a fourth implementation of the second aspect, the upload request further includes a verification signature, and before accessing the storage space of the first virtual machine in the at least one metadata server according to the virtual machine ID in the upload request, the metadata server is further configured to successfully verify the upload permission of the physical machine according to the verification signature.
In a third aspect, the present invention provides an embodiment of a data center. The data center includes at least one computing device, each computing device including a processor and a memory. The processor of the at least one computing device is configured to run a metadata service unit and a first virtual machine. The metadata service unit is configured to: receive an upload request from a host, the upload request including the virtual machine ID of the first virtual machine and the verification information, where the data center does not include the host; access the storage space of the first virtual machine in the metadata service unit according to the virtual machine ID in the upload request and store the verification information in that storage space, where the storage space of the first virtual machine carries the virtual machine ID. The first virtual machine is configured to: initiate a metadata acquisition request to the metadata service unit, the metadata acquisition request including the virtual machine ID. The metadata service unit is further configured to: receive the metadata acquisition request, access the storage space of the first virtual machine in the metadata service unit according to the virtual machine ID in the metadata acquisition request, and send the verification information stored in that storage space to the first virtual machine; the verification information is used to verify the establishment of a channel between the virtual machine and the host.
Obtaining the verification information through the metadata service unit of the data center takes advantage of the secure access mode the metadata service unit can provide. This avoids the risk of leaking the verification information that arises when a virtual machine obtains it directly from the host, improves the security of obtaining the verification information, and thereby protects data migration between a host outside the data center and a virtual machine in the data center.
With reference to the third aspect, in a first implementation of the third aspect, the host is a physical machine or a second virtual machine in a second data center.
With reference to the third aspect or the first implementation of the third aspect, in a second implementation of the third aspect, the verification information is generated by the host according to a timestamp, and the timestamp is related to the time at which the host generates the verification information.
Generating the verification information from a timestamp lets the host generate it automatically. Compared with verification information configured manually by users or operations staff, verification information generated automatically by the host reduces the risk of leakage during the generation phase and further improves the security of the verification information, thereby protecting data migration between a host outside the data center and a virtual machine in the data center.
With reference to the third aspect or the first or second implementation of the third aspect, in a third implementation of the third aspect, the established channel is an SSL channel, and the verification information includes a certificate and a private key, which are used to verify the establishment of the SSL channel.
With reference to the third aspect or any of the first to third implementations of the third aspect, in a fourth implementation of the third aspect, the upload request further includes a verification signature, and before accessing the storage space of the first virtual machine in the metadata service unit according to the virtual machine ID in the upload request, the metadata service unit is further configured to successfully verify the upload permission of the physical machine according to the verification signature.
In a fourth aspect, the present invention provides a computer program product and a non-transitory readable storage medium, each containing computer instructions; a controller executes the computer instructions to implement the method of the first aspect.
In a fifth aspect, the present invention provides a data migration module 300. The data migration module may run on the host and is configured to provide a first virtual machine of a first data center with verification information for establishing an SSL channel. The data migration module includes a verification information upload unit, which is configured to generate an upload request including the virtual machine ID of the first virtual machine and the verification information, and to initiate the upload request to the metadata server of the first data center.
With reference to the fifth aspect, in a first implementation of the fifth aspect, the data migration module further includes a verification information generation module configured to generate the verification information according to a timestamp, the timestamp being related to the time at which the host generates the verification information.
With reference to the fifth aspect or the first implementation of the fifth aspect, in a second implementation of the fifth aspect, the host is a physical machine or a second virtual machine, the second virtual machine being a virtual machine of a second data center.
In a sixth aspect, the present invention provides a computer program product and a non-transitory readable storage medium, each containing computer instructions; a controller executes the computer instructions to implement the data migration module of the fifth aspect.
Brief description of the drawings
FIG. 1 is a schematic diagram of a system for obtaining verification information according to an embodiment of the present invention;
FIG. 2 is a schematic flowchart of a method for obtaining verification information according to an embodiment of the present invention;
FIG. 3 is a schematic diagram of a data migration module according to an embodiment of the present invention;
FIG. 4 is a schematic diagram of a data center according to an embodiment of the present invention;
FIG. 5 is a schematic diagram of a first architecture of another data center according to an embodiment of the present invention;
FIG. 6 is a schematic diagram of a second architecture of another data center according to an embodiment of the present invention.
Detailed description
A system 100 for obtaining verification information according to an embodiment of the present invention is shown in FIG. 1. The system 100 includes a data center 110 and a host 120. The data center 110 includes a metadata server 111 and at least one virtual machine; by way of example, FIG. 1 shows a virtual machine 112 (the first virtual machine). The host 120 does not belong to the data center 110 and may be a virtual machine or a physical machine; the embodiment does not limit this. To migrate the data of the host 120 into the data center 110, the data must be migrated to the virtual machine 112 in the data center 110. A source-side agent is configured on the host 120; it connects the host 120 to the network of the data center 110 so that the data can be migrated.
Once the source-side agent on the host 120 has connected the host 120 to the network of the data center 110, if the host 120 were simply to send the SSL channel verification information to the virtual machine 112 over the network of the data center 110, the openness of that network could allow a third party to intercept the verification information, a serious threat to data security. Therefore the verification information is passed from the host 120 to the virtual machine 112 through the metadata server 111.
The metadata server is located in the data center and provides metadata services to the data center's virtual machines. A virtual machine's metadata is data describing the virtual machine's data, for example descriptive information about the data and information resources on the virtual machine, and the virtual machine's configuration information. The metadata server stores metadata such as the configuration information and keys of each virtual machine in the data center. To keep the metadata of each virtual machine secure, the metadata of different virtual machines is isolated on the metadata server: the metadata server stipulates that each virtual machine in the data center can access only its own metadata. Specifically, the metadata server divides its storage space into partitions corresponding to the virtual machines of the data center; each partition is identified by the virtual machine ID of its virtual machine, and each virtual machine can access only the metadata storage space corresponding to itself, not the metadata storage spaces of other virtual machines. As shown in FIG. 1, the metadata server 111 has a storage space 113 for the virtual machine 112; the storage space 113 carries the virtual machine ID of the virtual machine 112, and that virtual machine ID can be used to locate the storage space 113.
Based on the system 100 in FIG. 1, an embodiment of the present invention provides a method for obtaining verification information, shown in FIG. 2.
s201. The host 120 initiates an upload request to the metadata server 111. The upload request includes the virtual machine ID of the virtual machine 112 and the verification information.
Optionally, the upload request may use an "add server metadata" application programming interface (API) provided by the data center 100 to upload the verification information to the metadata server 111.
Optionally, before initiating the upload request, the host 120 automatically generates the verification information. The verification information is generated by the host according to a timestamp related to the time at which the host generates it: for example, the generation time itself is used as the timestamp, or the generation time plus a fixed time constant is used as the timestamp. The host 120 may also use the host name or similar to name the verification information.
Generating the verification information from a timestamp lets the host generate it automatically. Compared with verification information configured manually by users or operations staff, verification information generated automatically by the host reduces the risk of leakage during the generation phase and further improves the security of the verification information, thereby protecting data migration between a host outside the data center and a virtual machine in the data center.
Optionally, the verification information may be a certificate or a private key used to establish the SSL channel.
Optionally, the upload request further includes a verification signature, which may be an access key or a private access key. The metadata server 111 verifies the data upload permission of the host 120 by checking the verification signature.
s202. The metadata server 111 receives the upload request from the host 120 and stores the verification information in the storage space 113 of the virtual machine 112.
Optionally, before storing the verification information in the storage space 113 of the virtual machine 112, the metadata server 111 successfully verifies the upload permission of the physical machine according to the verification signature in the upload request.
s203. The virtual machine 112 initiates a metadata acquisition request to the metadata server 111, the metadata acquisition request including its virtual machine ID.
Optionally, the virtual machine 112 listens on the metadata server: that is, it accesses the storage space 113 in the metadata server 111 periodically, issuing a metadata acquisition request to the metadata server 111 at intervals until it obtains the verification information in the storage space 113.
Optionally, if the virtual machine 112 is configured to initiate a metadata acquisition request to the metadata server 111 on restart, the virtual machine 112 can be restarted after the host 120 has completed uploading the verification information, so that the virtual machine 112 obtains the verification information from the metadata server automatically. Restarting the virtual machine 112 is generally a necessary step of data migration anyway, so in this case obtaining the verification information through the restart simplifies the process: the virtual machine 112 need not issue periodic metadata acquisition requests to the metadata server 111, which saves computing and network resources.
s204. The metadata server 111 accesses the storage space 113 according to the virtual machine ID in the metadata acquisition request and sends the verification information stored in the storage space 113 to the virtual machine 112.
Obtaining the verification information through the metadata server of the data center takes advantage of the secure access mode the metadata server can provide. This avoids the risk of leaking the verification information that arises when a virtual machine obtains it directly from the host, improves the security of obtaining the verification information, and thereby protects data migration between a host outside the data center and a virtual machine in the data center.
An embodiment of the present invention provides a data migration module 300, shown in FIG. 3. Data migration module 300 may run on host 120 and supplies virtual machine 112 with the verification information used to establish the SSL channel. Data migration module 300 includes a verification information generating unit 301 and a verification information uploading unit 302.
Verification information generating unit 301 generates the verification information automatically. Host 120 generates the verification information according to a timestamp that corresponds to the time at which host 120 generates it. Host 120 may also use the host name or similar attributes to name the verification information.
Generating the verification information from a timestamp lets host 120 produce it automatically. Compared with manual configuration by a user or operations staff, host-generated verification information lowers the risk of leakage during the generation phase, further improves the security of the verification information and thus protects data migration between a host outside the data center and a virtual machine inside it.
Verification information uploading unit 302 builds an upload request containing the virtual machine ID of virtual machine 112 and the verification information generated by unit 301, and sends the upload request to metadata server 111.
Optionally, the upload request may be made through an "add server metadata" application programming interface (API) provided by data center 100, which uploads the verification information to metadata server 111.
Optionally, verification information generating unit 301 and verification information uploading unit 302 may be implemented in source-side agent software installed on host 120.
An embodiment of the present invention also provides a data center 400, shown in FIG. 4. Data center 400 includes a metadata service unit 401 and a virtual machine 402. Metadata service unit 401 may be a software module that runs on one computing device or jointly on several computing devices. Data center 110 shown in FIG. 1 is one implementation of data center 400: metadata server 111 in data center 110 corresponds to metadata service unit 401 in data center 400, and virtual machine 112 in data center 110 corresponds to virtual machine 402 in data center 400.
Metadata service unit 401 manages the metadata storage space of data center 400; the storage space of virtual machine 402 holds the metadata of virtual machine 402.
Metadata service unit 401 receives an upload request from a host that is not part of data center 400; the upload request includes the virtual machine ID of virtual machine 402 and the verification information. Metadata service unit 401 accesses the storage space of virtual machine 402 inside metadata service unit 401 according to the virtual machine ID in the upload request and stores the verification information there; the storage space of virtual machine 402 is identified by that virtual machine ID.
Virtual machine 402 sends a metadata acquisition request to metadata service unit 401; the request contains the virtual machine ID of virtual machine 402.
Metadata service unit 401 further receives the metadata acquisition request, accesses the storage space of virtual machine 402 inside metadata service unit 401 according to the virtual machine ID in the request, and sends the verification information stored there to virtual machine 402. The verification information is used to authenticate the establishment of a channel between the virtual machine and the host.
Obtaining the verification information through the data center's metadata server reuses the secure access path the metadata server already provides. This avoids the leakage risk that would arise if the virtual machine fetched the verification information directly from the host, makes obtaining the verification information safer and thus protects data migration between a host outside the data center and a virtual machine inside it.
Optionally, the host is a physical machine or a virtual machine in another data center.
Optionally, the host generates the verification information according to a timestamp that corresponds to the time at which the host generates it.
Generating the verification information from a timestamp lets the host produce it automatically. Compared with manual configuration by a user or operations staff, host-generated verification information lowers the risk of leakage during the generation phase, further improves the security of the verification information and thus protects data migration between a host outside the data center and a virtual machine inside it.
Optionally, the verification information includes a certificate and a private key.
Optionally, the upload request also includes a verification signature. Before accessing the storage space of virtual machine 402 in the metadata server according to the virtual machine ID in the upload request, the metadata server first verifies the host's upload permission from that signature.
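The following is an added example, not code from the patent, that models both the S201–S204 method above and the corresponding units of data migration module 300 and data center 400 in one in-memory exchange: the host-side agent generates the verification information and a signed upload request, the metadata server checks the signature before writing into the storage space identified by the VM ID, and the guest VM polls with its own VM ID until the information appears. Everything beyond the patent text is an assumption: the upload request is authenticated with HMAC-SHA256 over its canonical JSON body using a shared secret access key (the patent only says the signature is based on an access key or secret access key), the access key ID, host name, VM IDs and timestamp are constructed, and the verification information is modelled as an opaque random secret named with the host name and generation timestamp, whereas a real agent would generate the certificate and private key for the SSL channel with openssl or a crypto library.

```python
"""Added example (not from the patent): in-memory model of the s201-s204 flow.
Assumed: HMAC-SHA256 over canonical JSON as the upload 'verification signature';
verification info modelled as a named random secret instead of a certificate and
private key; all identifiers and credentials below are constructed."""
import hashlib
import hmac
import json
import secrets
import time
from typing import Dict, Optional


def canonical(body: dict) -> bytes:
    """Deterministic encoding so host and server sign exactly the same bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign_request(access_key: bytes, body: dict) -> str:
    return hmac.new(access_key, canonical(body), hashlib.sha256).hexdigest()


class SourceAgent:
    """Runs on host 120: unit 301 (generate) and unit 302 (upload) of module 300."""

    def __init__(self, host_name: str, access_key_id: str, access_key: bytes):
        self.host_name = host_name
        self.access_key_id = access_key_id
        self.access_key = access_key

    def generate_verification_info(self, now: Optional[float] = None) -> dict:
        # Unit 301: the timestamp (and host name) name the material; the secret
        # itself comes from a CSPRNG, since a value derived only from time is guessable.
        ts = int(time.time() if now is None else now)
        return {"name": f"{self.host_name}-{ts}", "secret": secrets.token_hex(32)}

    def build_upload_request(self, vm_id: str, info: dict) -> dict:
        # Unit 302: VM ID + verification info, signed so the server can check
        # upload permission (the optional verification signature).
        body = {"vm_id": vm_id, "verification_info": info,
                "access_key_id": self.access_key_id}
        return {"body": body, "signature": sign_request(self.access_key, body)}


class MetadataServer:
    """Metadata server 111: one metadata storage space (113) per registered VM ID."""

    def __init__(self, access_keys: Dict[str, bytes]):
        self.access_keys = access_keys      # access key id -> secret access key
        self.spaces: Dict[str, dict] = {}   # vm_id -> storage space

    def register_vm(self, vm_id: str) -> None:
        self.spaces[vm_id] = {}

    def handle_upload(self, request: dict) -> bool:
        """s202: verify upload permission first, then store under the VM's space."""
        body = request["body"]
        key = self.access_keys.get(body.get("access_key_id", ""))
        if key is None:
            return False
        expected = sign_request(key, body)
        if not hmac.compare_digest(expected, request.get("signature", "")):
            return False
        space = self.spaces.get(body["vm_id"])
        if space is None:                   # unknown VM ID: nothing to write to
            return False
        space["verification_info"] = body["verification_info"]
        return True

    def handle_get_metadata(self, vm_id: str) -> Optional[dict]:
        """s204: look up the space by VM ID; None until something has been stored."""
        space = self.spaces.get(vm_id)
        return None if space is None else space.get("verification_info")


class GuestVM:
    """Virtual machine 112: asks the metadata server with its own VM ID (s203)."""

    def __init__(self, vm_id: str, server: MetadataServer):
        self.vm_id = vm_id
        self.server = server

    def fetch_verification_info(self, attempts: int = 3) -> Optional[dict]:
        for _ in range(attempts):           # periodic polling, or a single try after restart
            info = self.server.handle_get_metadata(self.vm_id)
            if info is not None:
                return info
        return None


def run_flow() -> dict:
    """Drive the whole exchange and report what each party observed."""
    ak_id, ak = "AKIDHOST120", secrets.token_bytes(32)      # constructed credentials
    server = MetadataServer({ak_id: ak})
    server.register_vm("vm-112")
    server.register_vm("vm-other")
    host = SourceAgent("host120", ak_id, ak)
    vm = GuestVM("vm-112", server)

    before = vm.fetch_verification_info(attempts=1)         # s203 before any upload
    info = host.generate_verification_info(now=1_530_230_400)  # s201, 2018-06-29 UTC
    forged = host.build_upload_request("vm-112", info)
    forged["signature"] = "0" * 64                          # tampered signature
    forged_ok = server.handle_upload(forged)
    genuine_ok = server.handle_upload(host.build_upload_request("vm-112", info))  # s202
    after = vm.fetch_verification_info()                    # s203 / s204
    other = GuestVM("vm-other", server).fetch_verification_info(attempts=1)
    return {"before": before, "forged_accepted": forged_ok, "genuine_accepted": genuine_ok,
            "sent": info, "received": after, "other_vm_received": other}


if __name__ == "__main__":
    print(json.dumps(run_flow(), indent=2))
```

Two points the model makes visible. The verification signature only protects the upload side: a request with a bad signature or an unknown access key ID is dropped before anything is written. On the read side the model trusts the VM ID carried in the metadata acquisition request, which is exactly what the "secure access method provided by the metadata server" must not do in a real deployment; production metadata services identify the calling instance from the hypervisor or the instance's virtual network interface rather than from a self-asserted ID, otherwise any VM in the data center could read another VM's private key by naming its ID.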
The present invention further provides a data center 500. Data center 500 includes at least one computing device 510. Each computing device 510 includes one or more processors and one or more memories, which may be connected by an internal bus or through an external interface. The one or more processors run metadata service unit 401, virtual machine 402 and the storage space of virtual machine 402 of data center 400 described above; the storage space of virtual machine 402 stores the metadata of virtual machine 402. Metadata service unit 401 may be a software module that runs on one computing device or jointly on several computing devices. By way of example, FIG. 5 shows computing device 510 with processor 511, memory 512 and bus 513, and computing device 520 with processor 521, memory 522 and bus 523; metadata service unit 401 and virtual machine 402 run on processor 511. Alternatively, metadata service unit 401 and virtual machine 402 may each run on the processors of several computing devices, or on different computing devices of data center 500; the latter arrangement is described with FIG. 6.
Data center 500 as shown in FIG. 6 includes at least one metadata server 601 and at least one virtual machine server 602. Virtual machine 402 of data center 500 runs on the at least one virtual machine server 602; that is, virtual machine 402 may run on one virtual machine server 602 or across at least two virtual machine servers of the data center. The at least one metadata server 601 runs metadata service unit 401 and the storage space of virtual machine 402, which stores the metadata of virtual machine 402. Because the metadata of the data center's virtual machines has high security requirements, deploying metadata service unit 401 and virtual machine 402 on different computing devices improves the security of metadata service unit 401 and therefore further improves the security of the verification information. The processors in data center 500 include one or more general-purpose processors, where a general-purpose processor may be any type of device able to process electronic instructions, including a central processing unit (CPU), microprocessor, microcontroller, main processor, controller, application-specific integrated circuit (ASIC) and so on. A processor executes various types of digitally stored instructions, such as software or firmware programs stored in the memory, which enables the data center to provide a wide range of services. For example, a processor can execute a program or process data to perform at least part of the methods discussed herein.
The memory in data center 500 may include volatile memory, such as random access memory (RAM), and may also include non-volatile memory, such as read-only memory (ROM), flash memory, a hard disk drive (HDD) or a solid-state drive (SSD); the memory may also combine these kinds of memory. The memory may store a service program that provides services for the data center.
In the several embodiments provided by the present invention, it should be understood that the disclosed data center, apparatus and method may be implemented in other ways. For example, the division of modules in the apparatus embodiments described above is only a division by logical function; an actual implementation may divide them differently, for example several modules or components may be combined or integrated into another system, or some features may be omitted or not executed. In addition, the couplings, direct couplings or communication connections shown or discussed may be indirect couplings or communication connections through interfaces, apparatuses or modules, and may be electrical, mechanical or of another form.
Modules described as separate components may or may not be physically separate, and components shown as modules may or may not be physical modules; they may be located in one place or distributed over several network modules. Some or all of the modules may be selected according to actual needs to achieve the purpose of the embodiment.
In addition, the functional modules in the embodiments of the present invention may be integrated into one processing module, each module may exist physically on its own, or two or more modules may be integrated into one module.

Claims (15)

  1. A method for obtaining verification information, wherein the method is used by a first virtual machine in a first data center to obtain the verification information from a host, the first data center not including the host; the method comprises:
    the metadata server of the first data center receiving an upload request from the host, the upload request including the virtual machine ID of the first virtual machine and the verification information;
    the metadata server accessing, according to the virtual machine ID in the upload request, the storage space of the first virtual machine in the metadata server and storing the verification information in the storage space of the first virtual machine, wherein the storage space of the first virtual machine has the virtual machine ID;
    the metadata server receiving a metadata acquisition request from the first virtual machine, the metadata acquisition request containing the virtual machine ID;
    the metadata server accessing, according to the virtual machine ID in the metadata acquisition request, the storage space of the first virtual machine in the metadata server and sending the verification information stored in the storage space of the first virtual machine to the first virtual machine, the verification information being used for verification when a channel is established between the virtual machine and the host.
  2. The method according to claim 1, wherein the host is a physical machine or a second virtual machine in a second data center.
  3. The method according to claim 1 or 2, wherein the verification information is generated by the host according to a timestamp, the timestamp being related to the time at which the host generates the verification information.
  4. The method according to any one of claims 1 to 3, wherein the established channel is a Secure Sockets Layer (SSL) channel, and the verification information comprises a certificate and a private key, the certificate and the private key being used for verification when the SSL channel is established.
  5. The method according to any one of claims 1 to 4, wherein the upload request further includes a verification signature, and before the metadata server accesses the storage space of the first virtual machine in the metadata server according to the virtual machine ID in the upload request, the method further comprises:
    the metadata server successfully verifying the upload permission of the physical machine according to the verification signature.
  6. A data center, wherein at least one metadata server and at least one first virtual machine server are deployed in the data center, and a first virtual machine runs on the at least one virtual machine server;
    the at least one metadata server is configured to: receive an upload request from a host, the upload request including the virtual machine ID of the first virtual machine and verification information, the data center not including the host; access, according to the virtual machine ID in the upload request, the storage space of the first virtual machine in the at least one metadata server, and store the verification information in the storage space of the first virtual machine, wherein the storage space of the first virtual machine has the virtual machine ID;
    the at least one first virtual machine server is configured, by running the first virtual machine, to: send a metadata acquisition request to the at least one metadata server, the metadata acquisition request containing the virtual machine ID;
    the at least one metadata server is further configured to: receive the metadata acquisition request, access, according to the virtual machine ID in the metadata acquisition request, the storage space of the first virtual machine in the at least one metadata server, and send the verification information stored in the storage space of the first virtual machine to the first virtual machine, the verification information being used for verification when a channel is established between the virtual machine and the host.
  7. The data center according to claim 6, wherein the host is a physical machine or a second virtual machine, the second virtual machine being a virtual machine of a second data center.
  8. The data center according to claim 6 or 7, wherein the host is a physical machine or a second virtual machine that does not belong to the data center.
  9. The data center according to any one of claims 6 to 8, wherein the established channel is a Secure Sockets Layer (SSL) channel, and the verification information comprises a certificate and a private key, the certificate and the private key being used for verification when the SSL channel is established.
  10. The data center according to any one of claims 6 to 9, wherein the upload request further includes a verification signature, and before accessing the storage space of the first virtual machine in the at least one metadata server according to the virtual machine ID in the upload request, the at least one metadata server is further configured to successfully verify the upload permission of the physical machine according to the verification signature.
  11. A data center, wherein the data center comprises at least one computing device, each computing device comprising a processor and a memory; the processor of the at least one computing device is configured to run a metadata service unit and a first virtual machine;
    the metadata service unit is configured to: receive an upload request from a computing device, the upload request including the virtual machine ID of the first virtual machine and the verification information, the data center not including that computing device; access, according to the virtual machine ID in the upload request, the storage space of the first virtual machine in the metadata service unit, and store the verification information in the storage space of the first virtual machine, wherein the storage space of the first virtual machine has the virtual machine ID;
    the first virtual machine is configured to: send a metadata acquisition request to the metadata service unit, the metadata acquisition request containing the virtual machine ID;
    the metadata service unit is further configured to: receive the metadata acquisition request, access, according to the virtual machine ID in the metadata acquisition request, the storage space of the first virtual machine in the metadata service unit, and send the verification information stored in the storage space of the first virtual machine to the first virtual machine, the verification information being used for verification when a channel is established between the virtual machine and the computing device.
  12. The data center according to claim 11, wherein the host is a physical machine or a second virtual machine of a second data center.
  13. The data center according to claim 11 or 12, wherein the host is a physical machine or a second virtual machine of a second data center, the second virtual machine being a virtual machine of the second data center.
  14. The data center according to any one of claims 11 to 13, wherein the established channel is a Secure Sockets Layer (SSL) channel, and the verification information comprises a certificate and a private key, the certificate and the private key being used for verification when the SSL channel is established.
  15. The data center according to any one of claims 11 to 14, wherein the upload request further includes a verification signature, and before accessing the storage space of the first virtual machine in the metadata service unit according to the virtual machine ID in the upload request, the metadata service unit is further configured to successfully verify the upload permission of the physical machine according to the verification signature.
PCT/CN2019/093687 2018-06-29 2019-06-28 Method for obtaining verification information and data center WO2020001617A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201810712480.2A CN109120588B (en) 2018-06-29 2018-06-29 Method for acquiring verification information and data center
CN201810712480.2 2018-06-29

Publications (1)

Publication Number Publication Date
WO2020001617A1 true WO2020001617A1 (en) 2020-01-02

Family

ID=64822537

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2019/093687 WO2020001617A1 (en) 2018-06-29 2019-06-28 Method for obtaining verification information and data center

Country Status (2)

Country Link
CN (1) CN109120588B (en)
WO (1) WO2020001617A1 (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109120588B (en) * 2018-06-29 2021-04-09 华为技术有限公司 Method for acquiring verification information and data center

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104580496A (en) * 2015-01-22 2015-04-29 深圳先进技术研究院 Virtual machine visit system and server based on temporary agent
US20160342440A1 (en) * 2010-04-20 2016-11-24 International Business Machines Corporation Secure access to a virtual machine
CN107026860A (en) * 2017-04-01 2017-08-08 成都虫洞奇迹科技有限公司 Login authentication method, apparatus and system
CN107273186A (en) * 2017-06-28 2017-10-20 深信服科技股份有限公司 Access method, physical host and the virtual machine of virtual machine server
US20170339142A1 (en) * 2016-05-19 2017-11-23 Airwatch Llc Loading and running virtual working environments in a mobile device management system
CN109120588A (en) * 2018-06-29 2019-01-01 华为技术有限公司 Obtain method and the data center of verification information

Family Cites Families (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20070174429A1 (en) * 2006-01-24 2007-07-26 Citrix Systems, Inc. Methods and servers for establishing a connection between a client system and a virtual machine hosting a requested computing environment
CN102231746B (en) * 2011-07-11 2014-03-12 华为技术有限公司 Method for validating identification information and terminal thereof
JP6307815B2 (en) * 2013-08-26 2018-04-11 富士通株式会社 Access control program, access control method, and access control apparatus
CN105991590B (en) * 2015-02-15 2019-10-18 阿里巴巴集团控股有限公司 A kind of method, system, client and server for verifying user identity
CN105224385A (en) * 2015-09-03 2016-01-06 成都中机盈科科技有限公司 A kind of virtualization system based on cloud computing and method


Also Published As

Publication number Publication date
CN109120588A (en) 2019-01-01
CN109120588B (en) 2021-04-09


Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application
    Ref document number: 19824769; Country of ref document: EP; Kind code of ref document: A1
NENP Non-entry into the national phase
    Ref country code: DE
122 Ep: pct application non-entry in european phase
    Ref document number: 19824769; Country of ref document: EP; Kind code of ref document: A1