WO2020233205A1 - Container service management method and device - Google Patents
- Publication number: WO2020233205A1 (PCT/CN2020/079320)
- Authority: WO, WIPO (PCT)
- Prior art keywords: vnfi, token, identification information, container, vnfm
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L65/40—Support for services or applications
- H04L63/0876—Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
- H04L67/025—Protocols based on web technology, e.g. hypertext transfer protocol [HTTP] for remote control or remote monitoring of applications
- H04L67/146—Markers for unambiguous identification of a particular session, e.g. session cookie or URL-encoding
- H04L67/51—Discovery or management thereof, e.g. service location protocol [SLP] or web services
Definitions
- This application relates to communication technology, and in particular to a container service management method and device.
- Network function virtualization (NFV) is a technology that uses universal hardware and network virtualization to construct a communication network system. It can be used to carry the software processing functions in the communication network, realize virtualization, flexible deployment, and flexible expansion of the communication network, and reduce the expensive equipment cost of the communication network system.
- The VNF instance (VNFI) obtained after a virtualized network function (VNF) in the NFV system is instantiated can be deployed on a virtual machine and used as a software-based network element to perform network element related functions.
- A VNFI can correspond to a network element with physical network functions in a traditional non-virtualized communication network, and is used to implement, for example, a mobile management entity (MME), a serving gateway (SGW), and a packet data network gateway (PGW).
- The container service instances in the NFV system can provide high-performance and scalable container application management services for each VNFI. These management services are packaged into portable containers (docker), while the container manager in the NFV system is used to manage the container service instances in the NFV system.
- The VNFI needs to send a token application to the container manager through the VNFM. When the container manager receives the token application from the VNFI, it generates a token corresponding to the VNFI, where the token includes the identification information (instance id) of the VNFI, the container service instance that the VNF can use, and the expiration time until which the VNF can use the container service instance. The container manager then sends the token to the VNFI through the VNFM, so that the VNFI, after receiving the token sent by the container manager, can request the corresponding container service instance to provide services according to the token within the deadline.
- The token that a VNFI requests from the container manager in the existing scheme can still be used when it is stolen by a VNFI managed by a different VNFM, resulting in low security performance of the token. Therefore, how to improve the security performance of the token used when a VNFI requests the service provided by the container service instance is a technical problem to be solved urgently in this field.
- The present application provides a container service management method and device to improve the security performance of the token used when a VNFI requests the service provided by the container service instance.
- The first aspect of the present application provides a container management method, including: if a virtual network function instance VNFI needs to use the service provided by the container service instance, the VNFI sends a token request to a container manager used to manage the container service instance; wherein the token request includes the identification information of the VNFI and the identification information of the virtual network function manager VNFM used to manage the VNFI;
- the VNFI receives the token sent by the container manager; wherein the token includes the identification information of the VNFI and the identification information of the VNFM, and the identification information of the VNFI and the identification information of the VNFM are used by the container service instance to verify the VNFI that uses the token to request the service.
- The VNFI sends a token request to the container manager when it needs to use the service provided by the container service instance, and the token generated by the container manager according to the token request includes the identification information of the VNFI and the identification information of the VNFM. Since the generated token includes the identification information of the VNFM, when the VNFI requests services from the container service instance based on the token, the container service instance will not only verify the identification information of the VNFI in the token, but also verify the identification information of the VNFM in the token.
- After the VNFI receives the token sent by the container manager, the method further includes: the VNFI sends a service request to the container service instance, and the service request includes the token, so that the container service instance verifies the VNFI according to the identification information of the VNFI and the identification information of the VNFM in the token; if the verification is successful, the VNFI uses the service provided by the container service instance.
- When the VNFI requests services from the container service instance based on the token, the container service instance will not only verify the identification information of the VNFI in the token, but also verify the identification information of the VNFM in the token. Only after both the identification information of the VNFI and the identification information of the VNFM pass the verification will the container service instance provide the service.
- Because the container service instance also verifies the identification information of the VNFM when a VNFI requests the container service, even if the token that a VNFI obtained from the container manager is stolen by another VNFI, the identification information of the VNFM in the token sent by the stealing VNFI is different from the identification information of the VNFM that actually manages that VNFI. The container service instance therefore fails to verify the token and will not provide container services to the VNFI that steals the token.
- the token further includes: identification information of the container service instance;
- the VNFI sending a service request to the container service instance according to the token includes: the VNFI sending a service request to a container service instance corresponding to the identification information of the container service instance according to the token.
- When the container manager generates a token for a VNFI, it directly carries the identification information of the container service instance in the token, which limits the range of container service instances that can provide services to the VNFI. As a result, the VNFI needs to request service from the container service instance specified by the container manager in the token. Once the token is stolen across VNFMs, other VNFIs cannot request service from the container service instance in the VNF system where the original token is located, which also enhances the security performance of the token and makes the token unusable after being stolen across VNFMs.
- The VNFI sending a token request to the container manager includes: when the VNFM instantiates the VNFI, the VNFI sends the token request to the container manager; or, after the VNFM instantiates the VNFI, the VNFI sends the token request to the container manager.
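
The issue-and-verify exchange described in the first aspect, as an added Python example that is not part of the patent text. The patent does not specify a token format or how the token is protected; the HMAC-signed JSON token, the shared key, the identifier strings, and the premise that the container service instance learns the caller's real VNFI and VNFM identifiers from an authenticated channel are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import json
import time

# Assumption: the container manager and the container service instances share
# this key. Constructed demo value; the patent does not define token protection.
SIGNING_KEY = b"constructed-demo-key-not-for-production"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode("ascii")


def _mac(body: bytes) -> bytes:
    return hmac.new(SIGNING_KEY, body, hashlib.sha256).digest()


def issue_token(vnfi_id, vnfm_id, service_instance_id, ttl_s, now=None):
    """Container manager: bind VNFI id, VNFM id, service instance id and expiry."""
    now = time.time() if now is None else now
    claims = {
        "vnfi_id": vnfi_id,
        "vnfm_id": vnfm_id,
        "service_instance_id": service_instance_id,
        "expires_at": now + ttl_s,
    }
    body = json.dumps(claims, sort_keys=True).encode("utf-8")
    return _b64(body) + "." + _b64(_mac(body))


def verify_service_request(token, caller_vnfi_id, caller_vnfm_id,
                           my_instance_id, now=None):
    """Container service instance: return (accepted, reason).

    caller_vnfi_id / caller_vnfm_id are the requester's real identifiers,
    assumed here to come from an authenticated channel, not from the token.
    """
    now = time.time() if now is None else now
    try:
        body_b64, tag_b64 = token.split(".")
        body = base64.urlsafe_b64decode(body_b64)
        tag = base64.urlsafe_b64decode(tag_b64)
    except ValueError:  # wrong number of parts or invalid base64
        return False, "malformed token"
    if not hmac.compare_digest(tag, _mac(body)):
        return False, "bad signature"
    claims = json.loads(body)
    if now >= claims["expires_at"]:
        return False, "token expired"
    # Token is only valid at the container service instance named in it.
    if claims["service_instance_id"] != my_instance_id:
        return False, "wrong container service instance"
    if claims["vnfi_id"] != caller_vnfi_id:
        return False, "VNFI mismatch"
    # The check the patent adds: a token replayed by a VNFI that is managed by
    # a different VNFM fails even if the VNFI identifier matches.
    if claims["vnfm_id"] != caller_vnfm_id:
        return False, "VNFM mismatch"
    return True, "ok"


def demo():
    """Run the scenarios with constructed identifiers and a fixed clock."""
    token = issue_token("vnfi-131", "vnfm-17", "cs-141", ttl_s=300, now=1000.0)

    # Forged variant: rewrite the VNFM claim but keep the original MAC.
    body_b64, tag_b64 = token.split(".")
    claims = json.loads(base64.urlsafe_b64decode(body_b64))
    claims["vnfm_id"] = "vnfm-27"
    forged = _b64(json.dumps(claims, sort_keys=True).encode("utf-8")) + "." + tag_b64

    check = verify_service_request
    return {
        "legitimate": check(token, "vnfi-131", "vnfm-17", "cs-141", now=1100.0),
        "stolen_same_vnfi_id_other_vnfm":
            check(token, "vnfi-131", "vnfm-27", "cs-141", now=1100.0),
        "stolen_other_vnfi": check(token, "vnfi-231", "vnfm-27", "cs-141", now=1100.0),
        "other_service_instance":
            check(token, "vnfi-131", "vnfm-17", "cs-999", now=1100.0),
        "expired": check(token, "vnfi-131", "vnfm-17", "cs-141", now=1300.0),
        "claims_rewritten": check(forged, "vnfi-131", "vnfm-27", "cs-141", now=1100.0),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The second scenario is the one the background section describes: with only the VNFI identifier in the token, a requester under another VNFM that presents the same instance id would be accepted.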
- the second aspect of the present application provides a container service management method, including:
- the container manager receives the token request sent by the virtual network function instance VNFI; wherein the VNFI needs to use the service provided by the container service instance managed by the container manager, and the token request includes the identification information of the VNFI and the identification information of the virtual network function manager VNFM used to manage the VNFI;
- the container manager generates a token according to the token request; wherein the token includes the identification information of the VNFI and the identification information of the VNFM, and the identification information of the VNFI and the identification information of the VNFM are used by the container service instance to verify the VNFI that uses the token to request service;
- the container manager sends the token to the VNFI.
- the token further includes: identification information of the container service instance; wherein the identification information of the container service instance is used by the VNFI to request the service from the container service instance corresponding to the identification information of the container service instance.
- The third aspect of the present application provides a container service management method, including: if a virtual network function instance VNFI managed by a virtual network function manager VNFM needs to use the service provided by the container service instance, the VNFM sends a token request to the container manager used to manage the container service instance; wherein the token request includes the identification information of the VNFI and the identification information of the virtual network function manager VNFM used to manage the VNFI;
- the VNFM receives the token sent by the container manager, and sends the token to the VNFI; wherein the token includes the identification information of the VNFI and the identification information of the VNFM, and the identification information of the VNFI and the identification information of the VNFM are used by the container service instance to verify the VNFI that uses the token to request the service.
- the token further includes: identification information of the container service instance;
- the identification information of the container service instance is used for the VNFI to request a service from the container service instance corresponding to the identification information of the container service instance.
- the VNFM sending a token request to the container manager includes: when the VNFM instantiates the VNFI, the VNFM sends the token request to the container manager; or, after the VNFM instantiates the VNFI, the VNFM sends the token request to the container manager.
- A fourth aspect of the present application provides a container service management method, including: a container manager receives a token request sent by a virtual network function manager VNFM; wherein the virtual network function instance VNFI managed by the VNFM needs to use the services provided by the container service instance managed by the container manager, and the token request includes the identification information of the VNFI and the identification information of the virtual network function manager VNFM used to manage the VNFI;
- the container manager generates a token according to the token request; wherein the token includes the identification information of the VNFI and the identification information of the VNFM, and the identification information of the VNFI and the identification information of the VNFM are used by the container service instance to verify the VNFI that uses the token to request service;
- the container manager sends the token to the VNFM, so that the VNFM sends the token to the VNFI.
- the token further includes: the identification information of the container service instance; wherein the identification information of the container service instance is used by the VNFI to request the service from the container service instance corresponding to the identification information of the container service instance.
- a fifth aspect of the present application provides a container service management device, including:
- the sending module is used to send a token request to the container manager for managing the container service instance if the virtual network function instance VNFI needs to use the service provided by the container service instance; wherein the token request includes the identification information of the VNFI and the identification information of the virtual network function manager VNFM used to manage the VNFI;
- the receiving module is configured to receive the token sent by the container manager; wherein the token includes the identification information of the VNFI and the identification information of the VNFM, and the identification information of the VNFI and the identification information of the VNFM are used by the container service instance to verify the VNFI that uses the token to request the service.
- the device further includes: a processing module;
- the sending module is further configured to send a service request to the container service instance, and the service request includes the token, so that the container service instance verifies the VNFI according to the identification information of the VNFI and the identification information of the VNFM in the token;
- the processing module is configured to use the service provided by the container service instance if the verification is successful.
- the token further includes: identification information of the container service instance;
- the sending module is specifically configured to send a service request to the container service instance corresponding to the identification information of the container service instance according to the token.
- the sending module is specifically configured to send the token request to the container manager when the VNFM instantiates the VNFI; or, to send the token request to the container manager after the VNFM instantiates the VNFI.
- a sixth aspect of the present application provides a container service management device, including:
- the receiving module is configured to receive a token request sent by a virtual network function instance VNFI; wherein the VNFI needs to use the service provided by the container service instance managed by the container manager, and the token request includes the identification information of the VNFI and the identification information of the virtual network function manager VNFM used to manage the VNFI;
- the processing module is configured to generate a token according to the token request; wherein the token includes the identification information of the VNFI and the identification information of the VNFM, and the identification information of the VNFI and the identification information of the VNFM are used by the container service instance to verify the VNFI that uses the token to request service;
- the sending module is used to send the token to the VNFI.
- the token further includes: identification information of the container service instance; wherein the identification information of the container service instance is used by the VNFI to request the service from the container service instance corresponding to the identification information of the container service instance.
- a seventh aspect of the present application provides a container service management device, including:
- the sending module is configured to send a token request to the container manager for managing the container service instance if the virtual network function instance VNFI managed by the virtual network function manager VNFM needs to use the service provided by the container service instance; wherein the token request includes the identification information of the VNFI and the identification information of the virtual network function manager VNFM used to manage the VNFI;
- the receiving module is configured to receive the token sent by the container manager, and send the token to the VNFI through the sending module; wherein the token includes the identification information of the VNFI and the identification information of the VNFM, and the identification information of the VNFI and the identification information of the VNFM are used by the container service instance to verify the VNFI that uses the token to request the service.
- the token further includes: identification information of the container service instance;
- the identification information of the container service instance is used for the VNFI to request a service from the container service instance corresponding to the identification information of the container service instance.
- the sending module is specifically configured to send the token request to the container manager when the VNFM instantiates the VNFI; or, to send the token request to the container manager after the VNFM instantiates the VNFI.
- An eighth aspect of the present application provides a container management service device, including:
- the receiving module is configured to receive a token request sent by the virtual network function manager VNFM; wherein the virtual network function instance VNFI managed by the VNFM needs to use the service provided by the container service instance managed by the container manager, and the token request includes the identification information of the VNFI and the identification information of the virtual network function manager VNFM used to manage the VNFI;
- the processing module is configured to generate a token according to the token request; wherein the token includes the identification information of the VNFI and the identification information of the VNFM, and the identification information of the VNFI and the identification information of the VNFM are used by the container service instance to verify the VNFI that uses the token to request service;
- the sending module is configured to send the token to the VNFM, so that the VNFM sends the token to the VNFI.
- the token further includes: identification information of the container service instance; wherein the identification information of the container service instance is used by the VNFI to request the service from the container service instance corresponding to the identification information of the container service instance.
- a ninth aspect of the present application provides a VNFI, including: a processor and a communication interface;
- the processor is configured to send a token request to the communication interface; wherein the token request includes the identification information of the VNFI and the identification information of the virtual network function manager VNFM used to manage the VNFI;
- the communication interface is used to send the token request to a container manager for managing the container service instance;
- the communication interface is also used to receive the token sent by the container manager and send the token to the processor; wherein the token includes the identification information of the VNFI and the identification information of the VNFM, and the identification information of the VNFI and the identification information of the VNFM are used by the container service instance to verify the VNFI that uses the token to request the service.
- the processor is further configured to send a service request to the communication interface, and the service request includes the token, so that the container service instance verifies the VNFI according to the identification information of the VNFI and the identification information of the VNFM in the token;
- the communication interface is also used to send the service request to the container service instance;
- the processor is further configured to use the service provided by the container service instance.
- the token further includes: identification information of the container service instance;
- the communication interface is specifically configured to send the service request to the container service instance corresponding to the identification information of the container service instance.
- the processor is specifically configured to send the token request to the communication interface when the VNFM instantiates the VNFI; or, the processor is specifically configured to send the token request to the communication interface after the VNFM instantiates the VNFI.
- a tenth aspect of the present application provides a container manager, including: a communication interface and a processor;
- the communication interface is used to receive a token request sent by a virtual network function instance VNFI, and send the token request to the processor; wherein the VNFI needs to use the service provided by a container service instance managed by the container manager, and the token request includes the identification information of the VNFI and the identification information of the virtual network function manager VNFM used to manage the VNFI;
- the processor is configured to generate a token according to the token request, and send the token to the communication interface; wherein the token includes the identification information of the VNFI and the identification information of the VNFM, and the identification information of the VNFI and the identification information of the VNFM are used by the container service instance to verify the VNFI that uses the token to request services;
- the communication interface is also used to send the token to the VNFI.
- the token further includes: identification information of the container service instance; wherein the identification information of the container service instance is used by the VNFI to request the service from the container service instance corresponding to the identification information of the container service instance.
- the eleventh aspect of the present application provides a VNFM, including: a communication interface and a processor;
- the processor is configured to send a token request to the communication interface; wherein the token request includes the identification information of the VNFI and the identification information of the virtual network function manager VNFM used to manage the VNFI;
- the communication interface is used to send the token request to a container manager for managing the container service instance;
- the communication interface is also used to receive the token sent by the container manager and send the token to the VNFI; wherein the token includes the identification information of the VNFI and the identification information of the VNFM, and the identification information of the VNFI and the identification information of the VNFM are used by the container service instance to verify the VNFI that uses the token to request services.
- the token further includes: identification information of the container service instance;
- the identification information of the container service instance is used for the VNFI to request a service from the container service instance corresponding to the identification information of the container service instance.
- a twelfth aspect of the present application provides a container manager, including: a communication interface and a processor;
- the communication interface is used to receive a token request sent by a virtual network function manager VNFM, and send the token request to the processor; wherein the virtual network function instance VNFI managed by the VNFM needs to use the services provided by the container service instance managed by the container manager, and the token request includes the identification information of the VNFI and the identification information of the virtual network function manager VNFM used to manage the VNFI;
- the processor is configured to generate a token according to the token request, and send the token to the communication interface; wherein the token includes the identification information of the VNFI and the identification information of the VNFM, and the identification information of the VNFI and the identification information of the VNFM are used by the container service instance to verify the VNFI using the token to request services; the communication interface is also used for sending the token to the VNFM so that the VNFM sends the token to the VNFI.
- the token further includes: identification information of the container service instance; wherein the identification information of the container service instance is used by the VNFI to request service from the container service instance corresponding to the identification information of the container service instance.
- the embodiments of the present application also provide a computer-readable storage medium, including instructions, which when run on a computer, cause the computer to execute the first, second, third or fourth aspects of the present application.
- an embodiment of the present application provides an NFV system, the system includes the device described in the fifth aspect and the device described in the sixth aspect; or, the system includes the device described in the seventh aspect.
- Figure 1 is a schematic structural diagram of an embodiment of an NFV system
- FIG. 2 is a schematic flowchart of an embodiment of a container service management method provided by this application.
- FIG. 3 is a schematic flowchart of an embodiment of a container service management method provided by this application.
- FIG. 4 is a schematic flowchart of an embodiment of a container service management method provided by this application.
- FIG. 5 is a schematic flowchart of an embodiment of a container service management method provided by this application.
- Figure 6 is a schematic structural diagram of another embodiment of an NFV system
- FIG. 7 is a schematic structural diagram of a container service management device provided by this application.
- FIG. 8 is a schematic structural diagram of a device for executing a container management method provided by this application.
- the container service management method and device provided by each embodiment of the present application can be applied to a network function virtualization (NFV) system.
- FIG. 1 is a schematic diagram of the structure of the NFV system.
- the NFV system is a technology that uses universal hardware and network virtualization to build a communication network system.
- The NFV system includes: operation support system/business support system (OSS/BSS) 11, element management system (EMS), virtualized network function instance (VNFI), container service instance, network function virtualization infrastructure (virtual machine, VM), network function virtualization orchestrator (NFVO) 16, virtualized network function management (VNFM) 17, container manager 18, and virtualized infrastructure manager (VIM) 19.
- VNFM17 is used to manage the VNFI and perform various management functions, such as initialization, update, query, and/or termination of the VNFI.
- The VNFM 17 instantiates a virtualized network function (VNF) to obtain the VNFI.
- One VNFM can manage at least one VNFI.
- the VNFM 17 in FIG. 1 can manage VNFI131, VNFI132, and VNFI133.
- The VNFI obtained when the VNFM17 instantiates the VNF can be deployed on a virtual machine (VM) and, as a software-based network element, performs the related functions of a network element.
- VNFI131 is deployed on VM151, VNFI132 is deployed on VM152, and VNFI133 is deployed on VM153.
- OSS/BSS11 provides integrated network management and business operation functions for telecom service operators, including network management (such as fault monitoring, network information collection, etc.), billing management, and customer service management.
- NFVO16 is used to manage the life cycle of VNFI, orchestrate management resources to implement VNFI services according to the service request of OSS/BSS11, and to monitor VNFI, network function virtualization infrastructure resources and operating status information in real time.
- Each VNFI corresponds to a physical network function (physical network function, PNF for short) in a traditional non-virtualized network, such as a virtualized evolved packet core (EPC) node.
- EPC nodes include: mobile management entity (mobile management entity, MME), serving gateway (serving gateway, SGW), packet data network gateway (packet data network gateway, PGW), etc.
- EMS can be used to manage one or more VNFIs. For each managed VNF13, it can implement the fault management, configuration management, billing management, performance management, and security management (Fault Management, Configuration Management, Accounting Management, Performance Management, Security Management; FCAPS) functions of VNF13.
- EMS121 is used to manage VNFI131
- EMS122 is used to manage VNFI132
- EMS123 is used to manage VNFI133.
- VIM 19 can be used to control and manage the network function virtualization infrastructure corresponding to VNFI.
- The network function virtualization infrastructure can include a hardware resource layer composed of computing hardware, storage hardware, and network hardware; a virtualization layer; and virtual computing (such as virtual machines), virtual storage, and virtual networks.
- the network function virtualization infrastructure is implemented through a virtual machine (virtual machine, VM).
- the NFV system mainly includes the following related interfaces:
- Ve-Vnfm: between the VNFM and the EMS, and between the VNFM and the VNFI; used for VNF life cycle management and the exchange of configuration information.
- Or-Vnfm: between the NFVO and the VNFM; used for VNF life cycle management to request resources, send configuration information, and collect status information.
- Vi-Vnfm: between the VNFM and the VIM; used for resource allocation requests, virtualized resource configuration, and status information exchange.
- Or-Vi: between the NFVO and the VIM; used for resource reservation, allocation requests, virtualized resource configuration, and status information exchange.
- Nf-Vi: between the VIM and the VM; used for specific resource allocation, virtual resource status information exchange, and hardware resource configuration.
- Vn-Nf: between the VM and the VNF; used by the VM to provide the actual execution environment to the VNF.
- Os-Ma: used for VNFI life cycle management, NS life cycle management, strategy management, etc.
- Cm-Vnfm: between the VNFM and the container manager; used for the management of container service calls and queries.
- Nf-K8S: between the container service instance and the container manager; used for the management of container service creation, deletion, and update.
- Vi-K8S: between the container manager and the VIM; used to request and call container resources.
- the container service instance 14 can provide VNFI with services such as load balancing in the form of a virtualized container.
- When a VNFI uses the service provided by the container service instance 14, it needs to request, from the container manager 18 that manages the container service instance 14, that the container service instance 14 provide the service to the VNFI.
- A service authorization mechanism based on OAuth 2.0 is usually adopted.
- For example, when VNFI131 needs to use the service provided by the container service instance, VNFI131 sends a token request to the container manager 18 through VNFM17 to obtain a token for the container service from the container manager 18. When the container manager 18 receives the VNFI's service application, it authorizes the container service that VNFI131 can use, generates a token corresponding to the VNFI131 requesting the service, and returns it through VNFM17 to the VNFI131 that sent the service application. The token includes the identification information (instance ID) of VNFI131, the container service instance that the VNF can use, and the expiration time for the VNF to use the container service instance.
- The token is used by the container service instance to verify the VNFI, ensuring that the container service instance provides services only to the VNFI (VNFI131) corresponding to the token.
- VNFI 13 sends a service request to the corresponding container service instance 141 according to the received token, and carries the token in the service request.
- When the container service instance 141 receives the service request sent by VNFI131, it verifies the token in the service request, and after the token passes verification, the container service instance 141 provides the container service to VNFI131.
- The supplier of an NFV system sets up multiple VNFMs to manage their respective VNFIs according to business requirements; moreover, the VNFMs set up by the suppliers of different NFV systems are necessarily different, and the VNFMs set up by different suppliers manage their respective VNFIs.
- All VNFMs assign instance IDs to the VNFIs they manage according to the same rules and sequence, so VNFIs managed by different VNFMs may have the same instance ID.
- For example, VNFM1 in a certain NFV system assigns the instance IDs A1, B2, and C3 to the VNFIs it manages, while VNFM2 in another NFV system also assigns the instance IDs A1, B2, and C3 to the VNFIs it manages.
- Suppose the token requested from the container manager by VNFI11, which is managed by VNFM1, is stolen by VNFI21, which is managed by a different VNFM2. If the instance ID assigned by VNFM1 to VNFI11 is the same as the instance ID assigned by VNFM2 to VNFI21, VNFI21 can directly use the token that the container manager issued to VNFI11 to request service from the container service instance, and the container service instance will still provide the container service to the VNFI21 that stole the token after the token passes verification, which in turn makes the security performance of the token low.
- this application proposes a container service management method and device to improve the security performance of the token used when the VNFI requests services provided by the container service instance in the NFV system.
- Fig. 2 is a schematic flow chart of an embodiment of a container service management method provided by this application.
- The embodiment shown in Fig. 2 can be applied to the NFV system shown in Fig. 1, and objects in the NFV system execute the corresponding method.
- the container service management method provided in this embodiment includes:
- the VNFI sends a token request to the container manager to request the token used when the VNFI requests services from the container service instance; wherein the token request includes identification information of the VNFI and identification information of the VNFM used to manage the VNFI.
- When the VNFI determines that it needs to use the container service provided by the container service instance, it sends a token request to the container manager that manages the container service instance, so that the container manager can authorize the VNFI to use the container service provided by the container service instance and generate a token.
- The token request is used to request, from the container manager, the token used when the VNFI requests a service from the container service instance.
- the container manager receives the token request sent by VNFI in S101.
- the token request described in this embodiment includes: identification information of the VNFI and identification information of the VNFM used to manage the VNFI.
- The identification information of the VNFI may be the instance ID that the VNFM used to manage the VNFI assigns to the VNFI when the VNF is instantiated as the VNFI.
- The instance ID allocated by the VNFM to the VNFI may be a string of characters such as "vnf-AMF-123", or may be a string of random numbers, such as "0x4257369973". This application does not limit the specific representation of the instance ID assigned by the VNFM to the VNFI.
- the identification information of the VNFM may be the VNFM ID used to identify the VNFM in the NFV system.
- The VNFM ID may be a string of characters such as "vnfm-EPC-123", or may be a string of random numbers, such as "0x4257369973". This application does not limit the specific representation of the VNFM ID in the NFV system.
- The token request specifically includes: "VNFI identification information, VNFM identification information, the requested service name (Expected service name), and the requested token Expiration".
- For example, if a VNFI needs to use the load balancing service provided by the target container service instance, the VNFI needs to obtain authorization to use the container service instance from the container manager that manages the target container service instance. The VNFI can then send a token request to the container manager, asking the container manager to authorize the VNFI to use the load balancing service provided by the target container service instance and to provide a token to the VNFI. At the same time, the token request sent by the VNFI to the container manager also needs to carry the deadline of the requested token.
- Before the deadline, the target container service instance can provide the load balancing service to the VNFI; after the deadline, if the VNFI continues to use the token to send service requests to the target container service instance, the target container service instance will no longer provide the load balancing service to the VNFI.
- The token request sent by the VNFI to the container manager in this embodiment may include: "VNFI instance ID (vnf-AMF-123), VNFM ID (vnfm-EPC-123), the name of the load balancing service requested by the VNFI (load balance), and the deadline (2020-01-01)".
- a token request is sent to the container manager through S101.
- the VNFM specifically instantiates the VNF to obtain the VNFI.
- the implementation manner and principle of VNFM instantiating VNF can refer to the prior art, which is not limited in this embodiment.
- After receiving the token request sent by the VNFI through S101, the container manager authorizes the VNFI to use the service provided by the container service instance according to the token request, and generates a token corresponding to the VNFI; the token includes the VNFI identification information and the VNFM identification information.
- The token generated by the container manager in this embodiment includes: VNFI identification information and VNFM identification information.
- The identification information of the VNFI may be the instance ID that the VNFM used to manage the VNFI assigns to the VNFI when the VNF is instantiated as the VNFI, and the identification information of the VNFM may be the VNFM ID used to identify the VNFM in the NFV system.
- the identification information of the VNFI and the identification information of the VNFM included in the token are used by the container service instance to verify the VNFI that uses the token to request services.
- the container manager may specifically determine the identification information of the VNFI and the identification information of the VNFM through the token request received in S101.
- Generating the token in S102 specifically includes: the container manager generates a claim (declaration) part according to the token request and then signs it to obtain the token.
- The container manager can sign with the symmetric key it shares with the container service instance, in which case the container service instance can later verify the token with that symmetric key; or the container manager can sign with its own private key, in which case the container service instance can later verify the token with the public key of the container manager.
- The claim in the token generated by the container manager in this embodiment includes:
- 1. ID of service management: the ID of the container service instance manager. That is, the identification information of the container manager, used to identify the container manager that generated the token.
- 2. VNF Instance ID of the service consumer and VNFM ID of the service consumer: the identification information of the VNFI requesting the container service and the identification information of the VNFM used to manage the VNFI. That is, the Instance ID of the VNFI and the VNFM ID of the VNFM.
- 3. Service name of the producers: the service name of the container service instance that can provide container services.
- Because the container service instance requested by the VNFI is usually in a resource pool scenario such as load balancing, the VNFI can request container services from multiple container service instances through one token. The token generated by the container manager therefore usually carries only the service name that the container service instance can provide, and the VNFI itself determines which one or more container service instances to request service from.
- 4. Expiration time: the deadline of the token. Before the deadline, when the VNFI uses the token to send a service request to the container service instance, the container service instance provides the container service to the VNFI; after the deadline, the token has expired, and when the VNFI uses the token to send a service request to the container service instance, the container service instance does not provide container services to the VNFI.
- the container manager sends the token generated in S102 to the VNFI, so that the VNFI can request the container service from the container service instance according to the token received by the VNFI.
- After the container manager authorizes the VNFI according to the token request in S102 and generates the token for the VNFI, the container manager sends the generated token to the VNFI, so that after obtaining the token from the container manager, the VNFI can request the container service from the corresponding container service instance.
- FIG. 6 is a schematic structural diagram of another embodiment of the NFV system.
- the NFV system shown in Figure 6 is based on the NFV system shown in Figure 1.
- A Ve-Cm interface is also included between the VNFI and the container manager, for the VNFI to request authorization of a container service instance from the container manager. The VNFI can then send the token request to the container manager through the Ve-Cm interface, and receive the token sent by the container manager through the Ve-Cm interface.
- When the VNFI needs to use the service provided by the container service instance, it sends the container manager a token request carrying the identification information of the VNFI and the identification information of the VNFM.
- the token generated according to the token request also includes the identification information of the VNFI and the identification information of the VNFM.
- VNFI can request service from the container service instance based on the received token.
- Since the token generated in this embodiment includes the identification information of the VNFM, when the VNFI requests services from the container service instance based on the token, the container service instance verifies not only the identification information of the VNFI in the token but also the identification information of the VNFM in the token. Only after both the identification information of the VNFI and the identification information of the VNFM pass verification does the container service instance provide the service to the VNFI.
- Because the container service instance also verifies the VNFM identification information when a VNFI requests the container service, when a VNFI applies to the container manager for a token and that token is stolen by another VNFI, the identification information of the VNFM in the token sent by the VNFI that stole it differs from the actual VNFM identification information of that VNFI.
- The container service instance then fails to verify the token and does not provide container services to the VNFI that stole the token.
- the VNFI uses the token to request a service from the container service instance.
- FIG. 3 is a schematic flow chart of an embodiment of a container service management method provided by this application, where this embodiment can be applied to the VNF system shown in FIG. 1, where the VNFI requests services from the container service instance.
- the container service management method provided by this embodiment after S103 shown in FIG. 1, further includes:
- S104 The VNFI sends a service request to the container service instance; the service request carries the token requested in S103.
- VNFI can request service from the container service instance corresponding to the token.
- the VNFI sends a service request to the container service instance that can provide the requested service according to the service name of the container service instance that can provide the container service included in the token, so as to request the container service instance to provide the service to the VNFI.
- the service request sent by the VNFI to the container service instance carries the token applied by the first device to the container manager in the embodiment shown in FIG. 2.
- After the container service instance receives the service request sent by the VNFI, it can verify the token according to the public key of the container manager to determine whether the token was generated by the container manager. Moreover, in this embodiment, the container service instance further checks whether the identification information of the VNFI that sends the service request and the identification information of the VNFM that manages that VNFI are consistent with the identification information of the VNFI and the identification information of the VNFM included in the token in the service request.
- The identification information of the VNFI that sends the service request to the container service instance is recorded as A, and the identification information of the VNFM used to manage the VNFI is recorded as B; the identification information of the VNFI included in the token is recorded as C, and the identification information of the VNFM recorded in the token is recorded as D.
- The container service instance judges whether A and C are consistent and whether B and D are consistent. Only when A and C are consistent and B and D are consistent does the container service instance execute the subsequent S203, that is, provide services to the VNFI.
- The VNFI requests the container manager to authorize the service provided by the container service instance, so that the container manager generates, for the VNFI, a token containing the identification information of the VNFI and the identification information of the VNFM. Therefore, after the VNFI obtains the token generated and sent by the container manager, it can carry the token when requesting services from the container service instance. At this time, the container service instance can successfully verify the identification information of the VNFI and the identification information of the VNFM against the identification information of the VNFI and the identification information of the VNFM in the token. Therefore, in S106, the container service instance provides services to the VNFI, and correspondingly, the VNFI uses the service provided by the container service instance.
- FIG. 4 is a schematic flowchart of an embodiment of the container service management method provided by this application.
- After the VNFI shown in FIG. 3 applies for a token from the container manager, if the token is stolen by the VNFI shown in FIG. 4, the VNFI with the stolen token can send a service request carrying the stolen token to the container service instance through S201.
- After receiving the service request through S201, the container service instance also verifies the token, checking whether the VNFI identification information and VNFM identification information included in the token are consistent with the identification information of the VNFI that sent the service request and the identification information of its VNFM.
- If they are not consistent, the container service instance fails to verify the token and does not provide services to the VNFI with the stolen token, that is, step S203 in the figure is not performed. If the VNFI identification information of the VNFI with the stolen token is the same as the VNFI identification information of the original VNFI, then, since the two VNFIs are managed by two different VNFMs, the identification information of the VNFM of the VNFI with the stolen token differs from the identification information of the VNFM of the original VNFI. The container service instance fails to verify the token, and likewise does not provide services to the VNFI that stole the token.
- After the VNFI obtains the token provided by the container manager, it can request service from the corresponding container service instance according to the token; the corresponding container service instance then needs to verify the token to determine whether it can provide services to the VNFI. Since the token includes the identification information of the VNFI and the identification information of the VNFM, when the container service instance verifies the token, it needs to verify both the identification information of the VNFI and the identification information of the VNFM. Only after both are verified to be consistent does the container service instance determine that it can provide services to the VNFI.
- Verification of the token is strengthened through the identification information of the VNFI and the identification information of the VNFM carried in the token, so that after the token is stolen by a VNFI across VNFMs, even if the identification information of the VNFI is the same, the container service instance fails the verification because the identification information of the VNFM is different, which improves the security performance of the token used when the VNFI requests the service provided by the container service instance.
- this application also provides another specific implementation manner of claim in the token generated by the container manager.
- the claim in the token generated by the container manager includes:
- 1. ID of service management: the ID of the container service instance manager.
- 2. VNF Instance ID of the service consumer and VNFM ID of the service consumer: the identification information of the VNFI and the identification information of the VNFM that request the container service.
- 3. Service ID of the producers: the identification information of the container service instance that can provide the container service.
- the identification information of the container service instance is set by the container manager, and it can be a string of characters assigned by the container manager when managing the container service instance, such as "LB-CONTAINER-service", or it can be a string of random numbers such as "0x254830203", this application does not limit the specific representation of the identification information of the container service instance.
- For the specific descriptions of 1, 2, and 4 included in the claim, and the specific method of generating the token by the container management server, refer to the embodiment shown in FIG. 2; they are not repeated here.
- The claim of this embodiment includes the identification information of the container service instance that can provide the container service. That is, when the container manager authorizes the VNFI for the container service instance, it further determines the identification information of the specific container service instance that the VNFI can use, so that the VNFI can only request services from the specific container service instance named by the identification information included in the token.
- the token provided in this example can be applied to the embodiment shown in FIG. 3, and the VNFI needs to request service from the corresponding container service instance according to the identification information of the container service instance in the token.
- When the container service instance verifies whether to provide services to the VNFI, it also needs to verify the identification information of the container service instance included in the token.
- After obtaining the token carried in the service request sent by the VNFI, the container service instance verifies the identification information of the container service instance included in the token. If the container service instance determines that the token includes its own identification information, it determines to provide services to the VNFI; if the container service instance determines that the token does not include its identification information, the VNFI has not applied for the service from the correct container service instance, and the container service instance does not provide services to the VNFI.
- When the container manager generates the token for a VNFI, it directly carries in the token the identification information of the container service instance that can provide the VNFI with the requested service, which limits the scope of the container service instances.
- The VNFI needs to request service from the container service instance specified by the container manager in the token, and once the token is stolen across VNFMs, other VNFIs cannot request service from the container service instance in the VNF system where the original token is located. This also enhances the security performance of the token and makes the token unusable after being stolen across VNFMs.
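- The checks from the two embodiments above (comparing the requester's VNFI and VNFM identification with the token, and binding the token to one container service instance through the Service ID claim), as an added example that is not code from the application. The claim field names, the identifiers `cm-1`, `vnfm-EPC-456` and `LB-CONTAINER-other`, and the demo key are constructed; HMAC-SHA256 stands in for the symmetric-key signing option, and the caller's VNFI and VNFM IDs are assumed to come from an authenticated channel, which the page does not specify.

```python
import base64
import hashlib
import hmac
import json
from datetime import date

# Constructed demo key standing in for the symmetric key shared between the
# container manager and the container service instance.
SHARED_KEY = b"constructed-demo-key"


def b64e(data):
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def b64d(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign(body):
    return b64e(hmac.new(SHARED_KEY, body.encode(), hashlib.sha256).digest())


def issue_token(manager_id, vnfi_id, vnfm_id, service_name, exp, service_id=None):
    """Container manager: build the claim from the token request and sign it."""
    claim = {"manager_id": manager_id, "vnfi_id": vnfi_id, "vnfm_id": vnfm_id,
             "service_name": service_name, "exp": exp}
    if service_id is not None:  # claim variant that names one service instance
        claim["service_id"] = service_id
    body = b64e(json.dumps(claim, sort_keys=True).encode())
    return body + "." + sign(body)


def verify_token(token, caller_vnfi_id, caller_vnfm_id, today,
                 my_service_id=None, check_vnfm=True):
    """Container service instance: return (accepted, reason).

    caller_vnfi_id / caller_vnfm_id are A and B in the text and must come from
    an authenticated channel (assumption), never from the request body alone.
    """
    try:
        body, sig = token.split(".")
        if not hmac.compare_digest(sig, sign(body)):
            return False, "bad signature"
        claim = json.loads(b64d(body))
        expiry = date.fromisoformat(claim["exp"])
    except (ValueError, TypeError, KeyError, AttributeError):
        return False, "malformed token"
    if today > expiry:
        return False, "expired"
    if claim["vnfi_id"] != caller_vnfi_id:                   # A versus C
        return False, "VNFI ID mismatch"
    if check_vnfm and claim["vnfm_id"] != caller_vnfm_id:    # B versus D
        return False, "VNFM ID mismatch"
    if "service_id" in claim and claim["service_id"] != my_service_id:
        return False, "service instance mismatch"
    return True, "ok"


def demo():
    today = date(2019, 12, 1)
    lb = "LB-CONTAINER-service"
    token = issue_token("cm-1", "vnf-AMF-123", "vnfm-EPC-123",
                        "load balance", "2020-01-01", service_id=lb)
    # Forge a copy whose VNFM ID is rewritten but whose signature is reused.
    body, sig = token.split(".")
    claim = json.loads(b64d(body))
    claim["vnfm_id"] = "vnfm-EPC-456"
    forged = b64e(json.dumps(claim, sort_keys=True).encode()) + "." + sig
    return {
        # Legitimate owner of the token.
        "owner": verify_token(token, "vnf-AMF-123", "vnfm-EPC-123", today, lb),
        # Same instance ID under a different VNFM presents the stolen token.
        "cross_vnfm": verify_token(token, "vnf-AMF-123", "vnfm-EPC-456", today, lb),
        # The same request when only the VNFI ID is checked (the prior scheme).
        "vnfi_only": verify_token(token, "vnf-AMF-123", "vnfm-EPC-456", today,
                                  lb, check_vnfm=False),
        # Owner presents the token to an instance it was not issued for.
        "other_instance": verify_token(token, "vnf-AMF-123", "vnfm-EPC-123",
                                       today, "LB-CONTAINER-other"),
        "expired": verify_token(token, "vnf-AMF-123", "vnfm-EPC-123",
                                date(2020, 1, 2), lb),
        "forged": verify_token(forged, "vnf-AMF-123", "vnfm-EPC-456", today, lb),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(case, result)
```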
- VNFI sends a token request to the container manager and directly receives the token sent by the container manager.
- the VNFM that manages the VNFI can also send a token request to the container manager instead of the VNFI, and forward the received token to the VNFI, so that the VNFI can request service from the container service instance .
- FIG. 4 is a schematic flowchart of an embodiment of a container service management method provided by this application.
- the method provided in this embodiment includes:
- The VNFM sends a token request to the container manager that manages the container service instance.
- The token request is used to request, from the container manager, the token used when the VNFI requests a service from the container service instance.
- the container manager receives the token request sent by the VNFM in S301.
- the token request described in this embodiment includes: identification information of the VNFI and identification information of the VNFM used to manage the VNFI.
- The token request specifically includes: "VNFI identification information, VNFM identification information, the requested service name (Expected service name), and the requested token Expiration".
- the VNFM sends a token request to the container manager through S301.
- the VNFM specifically instantiates the VNF to obtain the VNFI.
- the implementation manner and principle of VNFM instantiating VNF can refer to the prior art, which is not limited in this embodiment.
- VNFM replaces VNFI to send a token request to the container server.
- For the VNFI identification information and VNFM identification information included in the token request, refer to the description in the embodiment in FIG. 2; they are not repeated here.
- Since the VNFM allocates identification information to the VNFI when instantiating the VNFI, such as the instance ID of the VNFI, the VNFM can determine the identification information allocated to the VNFI before sending the token request to the container manager. In S301, the VNFM combines this with its own identification information and carries the identification information of the VNFI and the identification information of the VNFM together in the token request sent to the container manager.
- the VNFM plays the role of applying for a token from the container manager instead of the VNFI, and forwarding the token generated by the container manager to the VNFI.
- After receiving the token request sent by the VNFM through S301, the container manager authorizes the VNFI to use the service provided by the container service instance according to the token request, and generates a token corresponding to the VNFI; the token includes the VNFI identification information and the VNFM identification information.
- For the identification information of the VNFI and the identification information of the VNFM included in the token in this embodiment, reference may be made to the description in the embodiment of FIG. 2, which is not repeated here.
- the container manager sends the token to the VNFM through S303.
- When the VNFM receives the token sent by the container manager, the VNFM further sends it to the VNFI through S304. Accordingly, after the VNFI receives the token sent by the VNFM in S305, it can request service from the container service instance based on the token.
- For the specific process by which the VNFI requests service from the container service instance, refer to S104-S106 in the embodiment shown in FIG. 3, which is not repeated here.
- the container service management method provided in this embodiment can be applied to the NFV system as shown in Figure 1.
- The VNFM instantiates the VNF through the Ve-Vnfm interface to obtain the VNFI.
- The VNFM sends a token request to the container manager through the Cm-Vnfm interface; the VNFM also receives the token sent by the container manager through the Cm-Vnfm interface, and sends the token to the VNFI through the Ve-Vnfm interface.
- VNFI, VNFM, and container manager may include a hardware structure and/or a software module, and the above functions are implemented in the form of a hardware structure, a software module, or a hardware structure plus a software module. Whether one of the above-mentioned functions is executed in a hardware structure, a software module, or a hardware structure plus a software module depends on the specific application and design constraint conditions of the technical solution.
- FIG. 7 is a schematic structural diagram of a container service management apparatus provided by this application.
- the apparatus shown in FIG. 7 includes: a receiving module 701, a processing module 702, and a sending module 703.
- The sending module 703 is used to send a token request to the container manager of the container service instance if the virtual network function instance VNFI needs to use the service provided by the container service instance; the token request includes the identification information of the VNFI and the identification information of the virtual network function manager VNFM used to manage the VNFI.
- The receiving module 701 is used to receive the token sent by the container manager; the token includes the identification information of the VNFI and the identification information of the VNFM.
- The identification information of the VNFI and the identification information of the VNFM are used by the container service instance to verify the VNFI that requests service using the token.
- The sending module is also used to send a service request to the container service instance; the service request includes the token, so that the container service instance verifies the VNFI according to the identification information of the VNFI and the identification information of the VNFM in the token. The processing module is used to use the service provided by the container service instance if the verification is successful.
- the token also includes: identification information of the container service instance; the sending module is specifically configured to send a service request to the container service instance corresponding to the identification information of the container service instance according to the token.
- the sending module 703 is specifically configured to send a token request to the container manager when the VNFM instantiates the VNFI; or, after the VNFM instantiates the VNFI, send a token request to the container manager.
- the container service management apparatus provided in this embodiment can specifically implement the container service management method in the embodiment shown in FIG. 2-3, and the implementation method and principle are the same, and will not be repeated.
- the receiving module 701 is configured to receive a token request sent by the virtual network function instance VNFI; wherein the VNFI needs to use the service provided by the container service instance managed by the container manager, and the token request includes the identification information of the VNFI and the identification information of the virtual network function manager VNFM used to manage the VNFI; the processing module 702 is used to generate the token according to the token request; wherein the token includes the identification information of the VNFI and the identification information of the VNFM.
- the identification information of the VNFI and the identification information of the VNFM are used for the container service instance to verify the VNFI using the token to request the service; the sending module 703 is used for sending the token to the VNFI.
- the token also includes: the identification information of the container service instance; where the identification information of the container service instance is used for VNFI to request service from the container service instance corresponding to the identification information of the container service instance.
- the container service management apparatus provided in this embodiment can specifically implement the container service management method in the embodiment shown in FIG. 2-3, and the implementation method and principle are the same, and will not be repeated.
- the sending module 703 is used to send a token request to the container manager used to manage the container service instance if the virtual network function instance VNFI managed by the virtual network function manager VNFM needs to use the service provided by the container service instance; wherein the token request includes the identification information of the VNFI and the identification information of the virtual network function manager VNFM used to manage the VNFI; the receiving module 701 is used to receive the token sent by the container manager, and the token is sent to the VNFI through the sending module; the token includes the identification information of the VNFI and the identification information of the VNFM, and the identification information of the VNFI and the identification information of the VNFM are used for the container service instance to verify the VNFI that uses the token to request the service.
- the token also includes: the identification information of the container service instance; the identification information of the container service instance is used for VNFI to request service from the container service instance corresponding to the identification information of the container service instance.
- the sending module is specifically configured to send a token request to the container manager when the VNFM instantiates the VNFI; or, after the VNFM instantiates the VNFI, send a token request to the container manager.
- the container service management apparatus provided in this embodiment can specifically implement the container service management method in the embodiment shown in FIG. 5, and its implementation manner and principle are the same, and will not be repeated.
- the receiving module 701 is used to receive a token request sent by the virtual network function manager VNFM; wherein the virtual network function instance VNFI managed by the VNFM needs to use the service provided by the container service instance managed by the container manager, and the token request includes the identification information of the VNFI and the identification information of the virtual network function manager VNFM used to manage the VNFI; the processing module 702 is used to generate the token according to the token request; wherein the token includes the identification information of the VNFI and the identification information of the VNFM, and the identification information of the VNFI and the identification information of the VNFM are used for the container service instance to verify the VNFI that uses the token to request the service; the sending module 703 is used for sending the token to the VNFM so that the VNFM sends the token to the VNFI.
- the token also includes: the identification information of the container service instance; where the identification information of the container service instance is used for VNFI to request service from the container service instance corresponding to the identification information of the container service instance.
- the container service management apparatus provided in this embodiment can specifically implement the container service management method in the embodiment shown in FIG. 5, and its implementation manner and principle are the same, and will not be repeated.
- the division of modules in the foregoing embodiments of the present application is illustrative, and is only a logical function division. In actual implementation, there may be other division methods.
- the functional modules in the various embodiments of the present application may be integrated in one processor, or may exist alone physically, or two or more modules may be integrated into one module.
- the above-mentioned integrated modules can be implemented in the form of hardware or software functional modules.
- FIG. 8 is a schematic structural diagram of a device for executing the container management method provided by this application.
- the device shown in FIG. 8 includes a communication interface 1010, a processor 1020, and a memory 1030.
- the communication interface 1010 may be a transceiver, a circuit, a bus, or other forms of interfaces for communicating with other devices through a transmission medium; the communication interface 1010, the processor 1020 and the memory 1030 are coupled. The coupling in the embodiment of the present application is an indirect coupling or communication connection between devices, units or modules, which can be electrical, mechanical or other forms, and is used for information exchange between devices, units or modules.
- the embodiment of the present application does not limit the specific connection medium between the communication interface 1010, the processor 1020, and the memory 1030.
- the communication interface 1010, the memory 1030, and the processor 1020 are connected by a bus 1040.
- the bus is represented by a thick line in FIG. 8.
- the connection mode between other components is only for schematic illustration and is not limited.
- the bus can be divided into address bus, data bus, control bus, etc. For ease of presentation, only one thick line is used in FIG. 8 to represent, but it does not mean that there is only one bus or one type of bus.
- the memory 1030 stores code.
- when the processor 1020 calls and executes the instruction, if the VNFI needs to use the service provided by the container service instance, the processor 1020 sends a token request to the communication interface; wherein the token request includes the identification information of the VNFI and the identification information of the virtual network function manager VNFM used to manage the VNFI; the communication interface 1010 receives the token request sent by the processor 1020 and sends the token request to the container manager for managing the container service instance; the communication interface 1010 is also used to receive the token sent by the container manager and send the token to the processor 1020; wherein the token includes the identification information of the VNFI and the identification information of the VNFM, and the identification information of the VNFI and the identification information of the VNFM are used by the container service instance to verify the VNFI that uses the token to request the service.
- when the processor 1020 calls and executes the instruction, the processor 1020 is further configured to send a service request to the communication interface 1010, and the service request includes the token, so that the container service instance can verify the VNFI based on the identification information of the VNFI and the identification information of the VNFM in the token;
- the communication interface 1010 is also used to receive the service request sent by the processor 1020 and send the service request to the container service instance; if the verification is successful, the processor 1020 is also used to use the service provided by the container service instance.
- the token also includes: identification information of the container service instance; the communication interface 1010 is specifically used to send the service request to the container service instance corresponding to the identification information of the container service instance.
- the processor 1020 is specifically configured to send a token request to the communication interface when the VNFM instantiates the VNFI; or the processor 1020 is specifically configured to, after the VNFM instantiates the VNFI, send the token request to the communication interface.
- the communication interface 1010 is used to receive the token request sent by the virtual network function instance VNFI, and send the token request to the processor 1020; wherein the VNFI needs to use the service provided by the container service instance managed by the container manager, and the token request includes the identification information of the VNFI and the identification information of the virtual network function manager VNFM used to manage the VNFI; the memory 1030 stores code.
- when the processor 1020 calls and executes the instruction, the processor 1020 is used to generate a token according to the token request, and send the token to the communication interface 1010; wherein the token includes the identification information of the VNFI and the identification information of the VNFM, and the identification information of the VNFI and the identification information of the VNFM are used for the container service instance to verify the VNFI that uses the token to request the service; the communication interface 1010 is also used to send the token to the VNFI.
- the token also includes: the identification information of the container service instance; where the identification information of the container service instance is used for VNFI to request service from the container service instance corresponding to the identification information of the container service instance.
- code is stored in the memory 1030.
- when the processor 1020 calls and executes the instruction, if the virtual network function instance VNFI managed by the VNFM needs to use the service provided by the container service instance, the processor 1020 is used to send a token request to the communication interface 1010; wherein the token request includes the identification information of the VNFI and the identification information of the virtual network function manager VNFM used to manage the VNFI;
- the communication interface 1010 is used to send a token request to the container manager for managing the container service instance; the communication interface 1010 is also used to receive the token sent by the container manager and send the token to the VNFI; wherein the token includes the identification information of the VNFI and the identification information of the VNFM, and the identification information of the VNFI and the identification information of the VNFM are used for the container service instance to verify the VNFI that uses the token to request the service.
- the token also includes: the identification information of the container service instance; the identification information of the container service instance is used for VNFI to request service from the container service instance corresponding to the identification information of the container service instance.
- the communication interface 1010 is used to receive a token request sent by the virtual network function manager VNFM, and send the token request to the processor 1020; wherein the virtual network function instance VNFI managed by the VNFM needs to use the service provided by the container service instance managed by the container manager, and the token request includes the identification information of the VNFI and the identification information of the virtual network function manager VNFM used to manage the VNFI; the memory 1030 stores code; when the processor 1020 calls and executes the instruction, the processor 1020 is used to generate a token according to the token request, and send the token to the communication interface 1010; wherein the token includes the identification information of the VNFI and the identification information of the VNFM, and the identification information of the VNFI and the identification information of the VNFM are used by the container service instance to verify the VNFI that uses the token to request the service; the communication interface 1010 is also used to send the token to the VNFM so that the VNFM can send the token to the VNFI.
- the token also includes: the identification information of the container service instance; where the identification information of the container service instance is used for VNFI to request service from the container service instance corresponding to the identification information of the container service instance.
- the processor may be a general-purpose processor, a digital signal processor, an application specific integrated circuit, a field programmable gate array or other programmable logic device, a discrete gate or transistor logic device, or a discrete hardware component, and may implement or perform the methods, steps, and logic block diagrams disclosed in the embodiments of the present application.
- the general-purpose processor may be a microprocessor or any conventional processor. The steps of the method disclosed in the embodiments of the present application may be directly embodied as being executed and completed by a hardware processor, or executed and completed by a combination of hardware and software modules in the processor.
- the memory may be a non-volatile memory, such as a hard disk drive (HDD) or a solid-state drive (SSD), or a volatile memory, for example random-access memory (RAM).
- the memory is any other medium that can be used to carry or store desired program codes in the form of instructions or data structures and that can be accessed by a computer, but is not limited thereto.
- the memory in the embodiments of the present application may also be a circuit or any other device capable of realizing a storage function, for storing program instructions and/or data.
- the methods provided in the embodiments of the present application may be implemented in whole or in part by software, hardware, firmware, or any combination thereof.
- When implemented by software, it can be implemented in the form of a computer program product in whole or in part.
- the computer program product includes one or more computer instructions.
- the computer may be a general-purpose computer, a dedicated computer, a computer network, network equipment, user equipment, or other programmable devices.
- the computer instructions may be stored in a computer-readable storage medium or transmitted from one computer-readable storage medium to another computer-readable storage medium. For example, the computer instructions may be transmitted from a website, computer, server, or data center.
- the computer-readable storage medium may be any available medium that can be accessed by a computer or a data storage device such as a server or data center integrated with one or more available media.
- the usable medium may be a magnetic medium (for example, a floppy disk, a hard disk, and a magnetic tape), an optical medium (for example, a digital video disc (digital video disc, DVD for short)), or a semiconductor medium (for example, SSD).
Abstract
Provided are a container service management method and device. The method comprises: when a VNFI needs to use a service provided by a container service instance, sending, to a container manager, a token request carrying identification information of the VNFI and identification information of a VNFM. Moreover, a token generated by the container manager according to the token request also comprises the identification information of the VNFI and the identification information of the VNFM. Accordingly, it is ensured that a token generated by a container manager for a certain VNFI cannot be used if the token is stolen by a VNFI managed by a different VNFM, thereby improving the security performance of a token used when a VNFI in an NFV system requests a service provided by a container service instance.
Description
This application claims priority to Chinese patent application No. 201910429966X, entitled "Container Service Management Method and Apparatus", filed with the Chinese Patent Office on May 22, 2019, the entire content of which is incorporated into this application by reference.
This application relates to communication technology, and in particular to a container service management method and device.
Network function virtualization (NFV) is a technology that uses general-purpose hardware and network virtualization to build communication network systems. It can carry the software processing functions of a communication network, enabling virtualization, flexible deployment and flexible capacity expansion of the communication network, and reducing the high equipment cost of communication network systems. In an NFV system, a VNF instance (VNFI), obtained by instantiating a virtualized network function (VNF), can be deployed on a virtual machine and perform network-element functions as a software network element. For example, a VNFI can correspond to a network element with a physical network function in a traditional non-virtualized communication network, and implement functions such as a mobile management entity (MME), a serving gateway (SGW) and a packet data network gateway (PGW). The virtual network function manager (VNFM) in the NFV system is used to manage VNFIs. At the same time, the container service instances in the NFV system can provide high-performance, scalable container application management services for each VNFI. These management services are packaged into portable containers (docker), and the container manager in the NFV system is used to manage the container service instances in the NFV system.
In the prior art, when a VNFI needs to use the service provided by a container service instance, the VNFI sends a token application to the container manager through the VNFM. After receiving the VNFI's token application, the container manager generates a token corresponding to the VNFI, where the token includes the identification information (instance id) of the VNFI, the container service instances that the VNF can use, and the expiration time until which the VNF can use the container service instances. The container manager then sends the token to the VNFI through the VNFM, so that the VNFI, after receiving the token sent by the container manager, can use the token to request service from the corresponding container service instance before the expiration time.
However, a token that an existing VNFI requests from the container manager can still be used when it is stolen by a VNFI managed by a different VNFM, so the security of the token is low. Therefore, how to improve the security of the token used when a VNFI requests the service provided by a container service instance is a technical problem to be solved urgently in this field.
Summary of the invention
This application provides a container service management method and device to improve the security of the token used when a VNFI requests the service provided by a container service instance.
A first aspect of this application provides a container management method, including: if a virtual network function instance VNFI needs to use the service provided by a container service instance, the VNFI sends a token request to the container manager used to manage the container service instance; wherein the token request includes the identification information of the VNFI and the identification information of the virtual network function manager VNFM used to manage the VNFI;
the VNFI receives the token sent by the container manager; wherein the token includes the identification information of the VNFI and the identification information of the VNFM, and the identification information of the VNFI and the identification information of the VNFM are used by the container service instance to verify the VNFI that uses the token to request the service.
In summary, in this embodiment, when the VNFI needs to use the service provided by the container service instance, it sends a token request to the container manager, and the token that the container manager generates according to the token request includes the identification information of the VNFI and the identification information of the VNFM. Because the generated token includes the identification information of the VNFM, when the VNFI requests service from the container service instance with the token, the container service instance verifies not only the identification information of the VNFI in the token but also the identification information of the VNFM in the token. This ensures that a token generated by the container manager for a certain VNFI cannot be used after being stolen by a VNFI managed by a different VNFM, which improves the security of the token used when a VNFI in the NFV system requests the service provided by a container service instance.
In an embodiment of the first aspect of this application, after the VNFI receives the token sent by the container manager, the method further includes: the VNFI sends a service request to the container service instance, the service request including the token, so that the container service instance verifies the VNFI according to the identification information of the VNFI and the identification information of the VNFM in the token; if the verification is successful, the VNFI uses the service provided by the container service instance.
In summary, in this embodiment, when the VNFI requests service from the container service instance with the token, the container service instance verifies not only the identification information of the VNFI in the token but also the identification information of the VNFM in the token, and provides service to the VNFI only after both the identification information of the VNFI and the identification information of the VNFM pass verification. For two different VNFIs managed by two VNFMs, even if they have the same VNFI identification information, the identification information of the two VNFMs is different, and the container service instance also verifies the identification information of the VNFM when a VNFI requests the container service. Therefore, after one VNFI has applied to the container manager for a token, even if the token is stolen by another VNFI, the identification information of the VNFM in the token sent by the stealing VNFI differs from the identification information of that VNFI's actual VNFM, so the token fails verification at the container service instance, and the container service instance does not provide the container service to the VNFI that stole the token. As a result, even if the token is stolen by another VNFI across VNFMs, the VNFI that stole the token cannot use the service provided by the container service instance with that token. This ensures that a token generated by the container manager for a certain VNFI cannot be used after being stolen by a VNFI managed by a different VNFM, which improves the security of the token used when a VNFI in the NFV system requests the service provided by a container service instance.
In an embodiment of the first aspect of this application, the token further includes: identification information of the container service instance;
the VNFI sending a service request to the container service instance according to the token includes: the VNFI sends, according to the token, a service request to the container service instance corresponding to the identification information of the container service instance.
In summary, in this embodiment, when the container manager generates the token for the VNFI, it directly carries in the token the identification information of the container service instance that the VNFI may request with that token, which limits the range of container service instances that can be provided to the VNFI. The VNFI therefore has to request service from the container service instance specified by the container manager in the token, and once the token is stolen across VNFMs, other VNFIs cannot request service from the container service instances in the VNF system where the original token is located. This also enhances the security of the token, making it unusable after being stolen across VNFMs.
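The binding described in the preceding paragraphs (VNFI id, VNFM id and container service instance id carried in the token and checked by the container service instance) can be sketched as follows; this is an added example, not part of the patent text. The token encoding (HMAC-SHA256 over JSON with a key shared by the container manager and the container service instance), all function names, and the premise that the container service instance learns the requester's real VNFI and VNFM identifiers from an authenticated channel are assumptions; `check_vnfm=False` models the prior-art check for comparison.

```python
import base64
import hashlib
import hmac
import json
import time

# Assumption: key shared by the container manager and container service instances.
# Constructed demo value; the patent does not say how the token is protected.
SIGNING_KEY = b"constructed-demo-key"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode("ascii")


def issue_token(vnfi_id, vnfm_id, service_id, ttl_s=300, now=None):
    """Container manager: build a token bound to VNFI, VNFM and service instance."""
    now = time.time() if now is None else now
    claims = {
        "vnfi_id": vnfi_id,
        "vnfm_id": vnfm_id,        # the field added on top of the prior-art token
        "service_id": service_id,  # container service instance the token is valid for
        "exp": int(now) + ttl_s,   # expiration time
    }
    body = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(SIGNING_KEY, body, hashlib.sha256).digest()
    return _b64(body) + "." + _b64(tag)


def verify_token(token, caller_vnfi_id, caller_vnfm_id, this_service_id,
                 now=None, check_vnfm=True):
    """Container service instance: return (ok, reason) for a service request.

    caller_vnfi_id / caller_vnfm_id are the requester's real identities, assumed
    to come from an authenticated channel and not from the token itself.
    check_vnfm=False models the prior-art check (VNFI id only).
    """
    now = time.time() if now is None else now
    try:
        body_b64, tag_b64 = token.split(".")
        body = base64.urlsafe_b64decode(body_b64)
        tag = base64.urlsafe_b64decode(tag_b64)
    except ValueError:  # wrong number of parts or invalid base64
        return False, "malformed"
    expected = hmac.new(SIGNING_KEY, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return False, "bad signature"
    claims = json.loads(body)
    if now >= claims["exp"]:
        return False, "expired"
    if claims["service_id"] != this_service_id:
        return False, "wrong container service instance"
    if claims["vnfi_id"] != caller_vnfi_id:
        return False, "VNFI mismatch"
    if check_vnfm and claims["vnfm_id"] != caller_vnfm_id:
        return False, "VNFM mismatch"
    return True, "ok"


def stolen_token_scenario(now=1_000):
    """Two VNFMs each manage a VNFI with the same id; the one under vnfm-B
    presents a token that was issued to the one under vnfm-A."""
    token = issue_token("vnfi-1", "vnfm-A", "cs-1", ttl_s=60, now=now)
    return {
        "owner": verify_token(token, "vnfi-1", "vnfm-A", "cs-1", now=now + 10),
        "thief_prior_art": verify_token(token, "vnfi-1", "vnfm-B", "cs-1",
                                        now=now + 10, check_vnfm=False),
        "thief_with_vnfm_check": verify_token(token, "vnfi-1", "vnfm-B", "cs-1",
                                              now=now + 10),
        "other_service_instance": verify_token(token, "vnfi-1", "vnfm-A", "cs-2",
                                               now=now + 10),
    }


if __name__ == "__main__":
    for who, result in stolen_token_scenario().items():
        print(f"{who:24s} {result}")
```

The VNFM check only adds protection if the caller's VNFM identity is established independently of the token; a service instance that reads both identities from the request body gains nothing from the extra field.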
In an embodiment of the first aspect of this application, the VNFI sending a token request to the container manager includes: when the VNFM instantiates the VNFI, the VNFI sends the token request to the container manager;
or, after the VNFM instantiates the VNFI, the VNFI sends the token request to the container manager.
A second aspect of this application provides a container service management method, including:
the container manager receives a token request sent by a virtual network function instance VNFI; wherein the VNFI needs to use the service provided by a container service instance managed by the container manager, and the token request includes the identification information of the VNFI and the identification information of the virtual network function manager VNFM used to manage the VNFI;
the container manager generates a token according to the token request; wherein the token includes the identification information of the VNFI and the identification information of the VNFM, and the identification information of the VNFI and the identification information of the VNFM are used by the container service instance to verify the VNFI that uses the token to request the service;
the container manager sends the token to the VNFI.
In an embodiment of the second aspect of this application, the token further includes: identification information of the container service instance; wherein the identification information of the container service instance is used by the VNFI to request service from the container service instance corresponding to the identification information of the container service instance.
A third aspect of the present application provides a container service management method, including: if a virtual network function instance (VNFI) managed by a virtual network function manager (VNFM) needs to use a service provided by a container service instance, the VNFM sends a token request to the container manager used to manage the container service instance; wherein the token request includes identification information of the VNFI and identification information of the virtual network function manager (VNFM) used to manage the VNFI;
the VNFM receives the token sent by the container manager and sends the token to the VNFI; wherein the token includes the identification information of the VNFI and the identification information of the VNFM, and the identification information of the VNFI and the identification information of the VNFM are used by the container service instance to verify a VNFI that uses the token to request the service.
In an embodiment of the third aspect of the present application, the token further includes: identification information of the container service instance;
the identification information of the container service instance is used by the VNFI to request the service from the container service instance corresponding to that identification information.
In an embodiment of the third aspect of the present application, the VNFM sending a token request to the container manager includes: when the VNFM instantiates the VNFI, the VNFM sends the token request to the container manager;
or, after the VNFM instantiates the VNFI, the VNFM sends the token request to the container manager.
A fourth aspect of the present application provides a container service management method, including: a container manager receives a token request sent by a virtual network function manager (VNFM); wherein a virtual network function instance (VNFI) managed by the VNFM needs to use a service provided by a container service instance managed by the container manager, and the token request includes identification information of the VNFI and identification information of the virtual network function manager (VNFM) used to manage the VNFI;
the container manager generates a token according to the token request; wherein the token includes the identification information of the VNFI and the identification information of the VNFM, and the identification information of the VNFI and the identification information of the VNFM are used by the container service instance to verify a VNFI that uses the token to request the service;
the container manager sends the token to the VNFM, so that the VNFM sends the token to the VNFI.
In an embodiment of the fourth aspect of the present application, the token further includes: identification information of the container service instance; wherein the identification information of the container service instance is used by the VNFI to request the service from the container service instance corresponding to that identification information.
A fifth aspect of the present application provides a container service management device, including:
a sending module, configured to send, if a virtual network function instance (VNFI) needs to use a service provided by a container service instance, a token request to the container manager used to manage the container service instance; wherein the token request includes identification information of the VNFI and identification information of the virtual network function manager (VNFM) used to manage the VNFI;
a receiving module, configured to receive the token sent by the container manager; wherein the token includes the identification information of the VNFI and the identification information of the VNFM, and the identification information of the VNFI and the identification information of the VNFM are used by the container service instance to verify a VNFI that uses the token to request the service.
An embodiment of the fifth aspect of the present application further includes: a processing module;
the sending module is further configured to send a service request to the container service instance, the service request including the token, so that the container service instance verifies the VNFI according to the identification information of the VNFI and the identification information of the VNFM in the token;
the processing module is configured to use the service provided by the container service instance if the verification succeeds.
In an embodiment of the fifth aspect of the present application, the token further includes: identification information of the container service instance;
the sending module is specifically configured to send, according to the token, the service request to the container service instance corresponding to the identification information of the container service instance.
In an embodiment of the fifth aspect of the present application, the sending module is specifically configured to send the token request to the container manager when the VNFM instantiates the VNFI; or to send the token request to the container manager after the VNFM instantiates the VNFI.
A sixth aspect of the present application provides a container service management device, including:
a receiving module, configured to receive a token request sent by a virtual network function instance (VNFI); wherein the VNFI needs to use a service provided by a container service instance managed by the container manager, and the token request includes identification information of the VNFI and identification information of the virtual network function manager (VNFM) used to manage the VNFI;
a processing module, configured to generate a token according to the token request; wherein the token includes the identification information of the VNFI and the identification information of the VNFM, and the identification information of the VNFI and the identification information of the VNFM are used by the container service instance to verify a VNFI that uses the token to request the service;
a sending module, configured to send the token to the VNFI.
In an embodiment of the sixth aspect of the present application, the token further includes: identification information of the container service instance; wherein the identification information of the container service instance is used by the VNFI to request the service from the container service instance corresponding to that identification information.
A seventh aspect of the present application provides a container service management device, including:
a sending module, configured to send, if a virtual network function instance (VNFI) managed by a virtual network function manager (VNFM) needs to use a service provided by a container service instance, a token request to the container manager used to manage the container service instance; wherein the token request includes identification information of the VNFI and identification information of the virtual network function manager (VNFM) used to manage the VNFI;
a receiving module, configured to receive the token sent by the container manager and to send the token to the VNFI through the sending module; wherein the token includes the identification information of the VNFI and the identification information of the VNFM, and the identification information of the VNFI and the identification information of the VNFM are used by the container service instance to verify a VNFI that uses the token to request the service.
In an embodiment of the seventh aspect of the present application, the token further includes: identification information of the container service instance;
the identification information of the container service instance is used by the VNFI to request the service from the container service instance corresponding to that identification information.
In an embodiment of the seventh aspect of the present application, the sending module is specifically configured to send the token request to the container manager when the VNFM instantiates the VNFI; or to send the token request to the container manager after the VNFM instantiates the VNFI.
An eighth aspect of the present application provides a container management service device, including:
a receiving module, configured to receive a token request sent by a virtual network function manager (VNFM); wherein a virtual network function instance (VNFI) managed by the VNFM needs to use a service provided by a container service instance managed by the container manager, and the token request includes identification information of the VNFI and identification information of the virtual network function manager (VNFM) used to manage the VNFI;
a processing module, configured to generate a token according to the token request; wherein the token includes the identification information of the VNFI and the identification information of the VNFM, and the identification information of the VNFI and the identification information of the VNFM are used by the container service instance to verify a VNFI that uses the token to request the service;
a sending module, configured to send the token to the VNFM, so that the VNFM sends the token to the VNFI.
In an embodiment of the eighth aspect of the present application, the token further includes: identification information of the container service instance; wherein the identification information of the container service instance is used by the VNFI to request the service from the container service instance corresponding to that identification information.
A ninth aspect of the present application provides a VNFI, including: a processor and a communication interface;
if the VNFI needs to use a service provided by a container service instance, the processor is configured to send a token request to the communication interface; wherein the token request includes identification information of the VNFI and identification information of the virtual network function manager (VNFM) used to manage the VNFI;
the communication interface is configured to send the token request to the container manager used to manage the container service instance;
the communication interface is further configured to receive the token sent by the container manager and to send the token to the processor; wherein the token includes the identification information of the VNFI and the identification information of the VNFM, and the identification information of the VNFI and the identification information of the VNFM are used by the container service instance to verify a VNFI that uses the token to request the service.
In an embodiment of the ninth aspect of the present application, the processor is further configured to send a service request to the communication interface, the service request including the token, so that the container service instance verifies the VNFI according to the identification information of the VNFI and the identification information of the VNFM in the token;
the communication interface is further configured to send the service request to the container service instance;
if the verification succeeds, the processor is further configured to use the service provided by the container service instance.
In an embodiment of the ninth aspect of the present application, the token further includes: identification information of the container service instance;
the communication interface is specifically configured to send the service request to the container service instance corresponding to the identification information of the container service instance.
In an embodiment of the ninth aspect of the present application, the processor is specifically configured to send the token request to the communication interface when the VNFM instantiates the VNFI; or the processor is specifically configured to send the token request to the communication interface after the VNFM instantiates the VNFI.
A tenth aspect of the present application provides a container manager, including: a communication interface and a processor;
the communication interface is configured to receive a token request sent by a virtual network function instance (VNFI) and to send the token request to the processor; wherein the VNFI needs to use a service provided by a container service instance managed by the container manager, and the token request includes identification information of the VNFI and identification information of the virtual network function manager (VNFM) used to manage the VNFI;
the processor is configured to generate a token according to the token request and to send the token to the communication interface; wherein the token includes the identification information of the VNFI and the identification information of the VNFM, and the identification information of the VNFI and the identification information of the VNFM are used by the container service instance to verify a VNFI that uses the token to request the service;
the communication interface is further configured to send the token to the VNFI.
In an embodiment of the tenth aspect of the present application, the token further includes: identification information of the container service instance; wherein the identification information of the container service instance is used by the VNFI to request the service from the container service instance corresponding to that identification information.
An eleventh aspect of the present application provides a VNFM, including: a communication interface and a processor;
if a virtual network function instance (VNFI) managed by the VNFM needs to use a service provided by a container service instance, the processor is configured to send a token request to the communication interface; wherein the token request includes identification information of the VNFI and identification information of the virtual network function manager (VNFM) used to manage the VNFI;
the communication interface is configured to send the token request to the container manager used to manage the service instance;
the communication interface is further configured to receive the token sent by the container manager and to send the token to the VNFI; wherein the token includes the identification information of the VNFI and the identification information of the VNFM, and the identification information of the VNFI and the identification information of the VNFM are used by the container service instance to verify a VNFI that uses the token to request the service.
In an embodiment of the eleventh aspect of the present application, the token further includes: identification information of the container service instance;
the identification information of the container service instance is used by the VNFI to request the service from the container service instance corresponding to that identification information.
A twelfth aspect of the present application provides a container manager, including: a communication interface and a processor;
the communication interface is configured to receive a token request sent by a virtual network function manager (VNFM) and to send the token request to the processor; wherein a virtual network function instance (VNFI) managed by the VNFM needs to use a service provided by a container service instance managed by the container manager, and the token request includes identification information of the VNFI and identification information of the virtual network function manager (VNFM) used to manage the VNFI;
the processor is configured to generate a token according to the token request and to send the token to the communication interface; wherein the token includes the identification information of the VNFI and the identification information of the VNFM, and the identification information of the VNFI and the identification information of the VNFM are used by the container service instance to verify a VNFI that uses the token to request the service; the communication interface is further configured to send the token to the VNFM, so that the VNFM sends the token to the VNFI.
In an embodiment of the twelfth aspect of the present application, the token further includes: identification information of the container service instance; wherein the identification information of the container service instance is used by the VNFI to request the service from the container service instance corresponding to that identification information.
In a thirteenth aspect, an embodiment of the present application further provides a computer-readable storage medium including instructions that, when run on a computer, cause the computer to perform the method according to any one of the first, second, third, or fourth aspects of the present application.
In a fourteenth aspect, an embodiment of the present application provides an NFV system. The system includes the device described in the fifth aspect and the device described in the sixth aspect; or the system includes the device described in the seventh aspect and the communication device described in the eighth aspect; or the system includes the VNFI described in the ninth aspect and the container manager described in the tenth aspect; or the system includes the VNFM described in the eleventh aspect and the container manager described in the twelfth aspect.
FIG. 1 is a schematic structural diagram of an embodiment of an NFV system;
FIG. 2 is a schematic flowchart of an embodiment of a container service management method provided by this application;
FIG. 3 is a schematic flowchart of an embodiment of a container service management method provided by this application;
FIG. 4 is a schematic flowchart of an embodiment of a container service management method provided by this application;
FIG. 5 is a schematic flowchart of an embodiment of a container service management method provided by this application;
FIG. 6 is a schematic structural diagram of another embodiment of an NFV system;
FIG. 7 is a schematic structural diagram of a container service management device provided by this application;
FIG. 8 is a schematic structural diagram of a device for executing a container management method provided by this application.
The container service management method and device provided by the embodiments of the present application can be applied to a network function virtualization (NFV) system. Before the present application is formally introduced, the NFV system to which the embodiments apply and the problems in the prior art are described below with reference to FIG. 1.
FIG. 1 is a schematic structural diagram of an NFV system. As shown in FIG. 1, NFV is a technology that uses general-purpose hardware and network virtualization to build a communication network system. The NFV system includes: an operation support system/business support system (OSS/BSS) 11, element management systems (EMS), virtual network function instances (virtualized network function, VNFI), container service instances, the network function virtualization infrastructure: virtual machines (VM), a network function virtualization orchestrator (NFV orchestrator, NFVO) 16, a virtual network function manager (virtualized network function management, VNFM) 17, a container manager 18, and a virtualized infrastructure manager (VIM) 19.
The VNFM 17 is used to manage VNFIs and performs management functions such as initializing, updating, querying, and/or terminating a VNFI. The VNFM 17 obtains a VNFI by instantiating a virtualized network function (VNF). One VNFM can manage at least one VNFI; for example, the VNFM 17 in FIG. 1 can manage VNFI 131, VNFI 132, and VNFI 133.
The VNFI obtained after the VNFM 17 instantiates the VNF can be deployed on a virtual machine (VM) and, as a softwarized network element, performs its functions as a network element. For example, in the example shown in FIG. 1, VNFI 131 is deployed on VM 151, VNFI 132 is deployed on VM 152, and VNFI 133 is deployed on VM 153.
The OSS/BSS 11 provides telecom service operators with integrated network management and business operation functions, including network management (for example, fault monitoring and network information collection), billing management, and customer service management.
The NFVO 16 is used to manage the lifecycle of VNFIs and to orchestrate and manage resources to implement VNFI services according to service requests from the OSS/BSS 11, and to monitor VNFIs, network function virtualization infrastructure resources, and operating status information in real time.
Each VNFI corresponds to a physical network function (PNF) in a traditional non-virtualized network, such as a virtualized evolved packet core (EPC) node. For example, virtualized EPC nodes include: a mobile management entity (MME), a serving gateway (SGW), and a packet data network gateway (PGW).
The EMS can be used to manage one or more VNFIs. For each managed VNF 13, it implements the fault management, configuration management, accounting management, performance management, and security management (FCAPS) functions of the VNF 13. For example, in the example shown in FIG. 1, EMS 121 manages VNFI 131, EMS 122 manages VNFI 132, and EMS 123 manages VNFI 133.
The VIM 19 can be used to control and manage the network function virtualization infrastructure corresponding to the VNFIs. The network function virtualization infrastructure can include a hardware resource layer composed of computing hardware, storage hardware, and network hardware; a virtualization layer; and a virtual resource layer composed of virtual computing (for example, virtual machines), virtual storage, and virtual networks. In the system example shown in FIG. 1, the network function virtualization infrastructure is implemented through virtual machines (VMs).
The NFV system mainly includes the following interfaces:
Ve-Vnfm: between the VNFM and the EMS, and between the VNFM and the VNFI; used for VNF lifecycle management and for exchanging configuration information.
Or-Vnfm: between the NFVO and the VNFM; used to request resources for VNF lifecycle management, send configuration information, and collect status information.
Vi-Vnfm: between the VNFM and the VIM; used for resource allocation requests and for exchanging virtualized resource configuration and status information.
Or-Vi: between the NFVO and the VIM; used for resource reservation and allocation requests and for exchanging virtualized resource configuration and status information.
Nf-Vi: between the VIM and the VM; used for the concrete allocation of resources, exchange of virtual resource status information, and hardware resource configuration.
Vn-Nf: between the VM and the VNF; used by the VM to provide the actual execution environment to the VNF.
Os-Ma: VNFI lifecycle management, NS lifecycle management, policy management, and so on.
Cm-Vnfm: between the VNFM and the container manager; used for management operations such as invoking and querying container services.
Nf-K8S: between the container service instance and the container manager; used for management operations such as creating, deleting, and updating container services.
Vi-K8S: between the container manager and the VIM; used for requesting and invoking container resources.
In addition, the container service instance 14 can provide services such as load balancing to a VNFI in the form of a virtualized container. When a VNFI uses the service provided by the container service instance 14, it must request, from the container manager 18 that manages the container service instance 14, that the container service instance 14 provide the service to the VNFI. Existing NFV systems usually use a service authorization mechanism based on OAuth 2.0.
For example, in the NFV system shown in FIG. 1, when VNFI 131 needs to use a service provided by a container service instance, VNFI 131 sends a token application to the container manager 18 through the VNFM 17 in order to obtain, from the container manager 18, a token that can be used when using the container service. After the container manager 18 receives the VNFI's service application, it authorizes the container services that VNFI 131 may use, generates a token corresponding to the requesting VNFI 131, and returns it through the VNFM 17 to the VNFI 131 that sent the service application. The token includes the identification information (instance id) of VNFI 131, the container service instances that the VNF can use, and the expiration time until which the VNF can use the container service instances. The token is used to verify the VNFI when it uses a container service instance, ensuring that the container service instance provides the service only to the VNFI corresponding to the token (that is, VNFI 131). VNFI 13 then sends a service request carrying the token to the corresponding container service instance 141 according to the received token. When the container service instance 141 receives the service request sent by VNFI 131, it verifies the token in the service request, and after the token passes verification, the container service instance 141 provides the container service to VNFI 131.
In the prior art, an NFV system vendor sets up multiple VNFMs according to business requirements, each managing its own VNFIs; moreover, the VNFMs set up by different NFV system vendors are necessarily different, and the VNFMs set up by different vendors each manage their own VNFIs. However, in the prior art, even though different VNFMs manage different VNFIs, all VNFMs assign instant IDs to the VNFIs they manage according to the same rules and order, so VNFIs managed by different VNFMs may end up with the same instant ID. For example, VNFM1 in one NFV system assigns the instant IDs A1, B2 and C3 to the VNFIs it manages, while VNFM2 in another NFV system also assigns the instant IDs A1, B2 and C3 to the VNFIs it manages.
As a result, in the above scenario, suppose the token that VNFI11, managed by VNFM1, requested from the container manager is stolen by VNFI21, which is managed by a different VNFM2. If the instant ID that VNFM1 assigned to VNFI11 is the same as the instant ID that VNFM2 assigned to VNFI21, the VNFI21 that stole the token can directly use the token the container manager issued to VNFI11 to request service from the container service instance. After the token passes verification, the container service instance still provides the container service to the VNFI21 that stole the token, so the security of the token is low.
Therefore, in view of the above technical problem, this application proposes a container service management method and device to improve the security of the token that a VNFI uses in an NFV system when requesting the service provided by a container service instance.
The container service management method and device provided by this application are described below with reference to the accompanying drawings.
FIG. 2 is a schematic flowchart of an embodiment of the container service management method provided by this application. The embodiment shown in FIG. 2 can be applied to the NFV system shown in FIG. 1, with the objects in the NFV system executing the corresponding steps. The container service management method provided in this embodiment includes:
S101: The VNFI sends a token request to the container manager, requesting the token that the VNFI will use when requesting service from a container service instance. The token request includes the identification information of the VNFI and the identification information of the VNFM that manages the VNFI.
Specifically, when the VNFI determines that it needs to use the container service provided by a container service instance, it sends a token request to the container manager that manages that container service instance, so that the container manager authorizes the VNFI's use of the container service provided by the container service instance and generates a token. The token request asks the container manager for the token that the VNFI will use when requesting service from the container service instance. Correspondingly, the container manager receives the token request sent by the VNFI in S101.
In particular, the token request in this embodiment includes the identification information of the VNFI and the identification information of the VNFM that manages the VNFI. The identification information of the VNFI may be the instant ID that the VNFM managing the VNFI assigns to it when instantiating the VNF as the VNFI. Optionally, the instant ID assigned by the VNFM to the VNFI may be a character string such as "vnf-AMF-123", or a string of random digits such as "0x4257369973". This application does not limit how the instant ID assigned by the VNFM to the VNFI is represented. The identification information of the VNFM may be the VNFM ID used to identify the VNFM in the NFV system. Optionally, the VNFM ID may be a character string such as "vnfm-EPC-123", or a string of random digits such as "0x4257369973". This application does not limit how the VNFM ID is represented in the NFV system.
Optionally, in a specific implementation of this embodiment, the token request specifically includes: "the identification information of the VNFI, the identification information of the VNFM, the requested service name (Expected service name), and the expiration time of the requested token (expiration)".
For example, if a VNFI needs to use the load balancing service provided by a target container service instance, the VNFI must obtain authorization to use that instance from the container manager that manages it. The VNFI can send a token request to the container manager, asking the container manager to authorize the VNFI to use the load balancing service provided by the target container service instance and to provide the VNFI with a token. The token sent by the VNFI to the container manager also needs to carry the expiration time of the requested token. Before the expiration time, when the VNFI uses the token to send a service request to the target container service instance, the target container service instance can provide the load balancing service to the VNFI; after the expiration time, if the VNFI continues to use the token to send service requests to the target container service instance, the target container service instance no longer provides the load balancing service to the VNFI.
As an example, the token sent by the VNFI to the container manager in this embodiment may include: "the instant ID of the VNFI (vnf-AMF-123), the VNFM ID of the VNFM (vnfm-EPC-123), the name of the load balancing service requested by the VNFI (load balance), and the expiration time (2020-01-01)".
Optionally, the VNFI sends the token request to the container manager in S101 during or after its instantiation. The VNFI is obtained when the VNFM instantiates the VNF. For the implementation and principle of VNFM instantiation of a VNF, refer to the prior art; this embodiment does not limit it.
S102: After receiving the token request sent by the VNFI in S101, the container manager authorizes the VNFI, according to the token request, to use the service provided by the container service instance, and generates the token corresponding to the VNFI. The token includes the identification information of the VNFI and the identification information of the VNFM.
Specifically, the token generated by the container manager in this embodiment includes the identification information of the VNFI and the identification information of the VNFM. The identification information of the VNFI may be the instant ID that the VNFM managing the VNFI assigns to it when instantiating the VNF as the VNFI, and the identification information of the VNFM may be the VNFM ID used to identify the VNFM in the NFV system. The container service instance uses the VNFI and VNFM identification information included in the token to verify the VNFI that requests service with the token.
Optionally, the container manager may determine the identification information of the VNFI and the identification information of the VNFM from the token request received in S101.
In a specific implementation, generating the token in S102 includes: the container manager generates the claim part according to the token request and then signs it to obtain the token. The container manager may sign with a symmetric key that it shares with the container service instance, in which case the container service instance later verifies the token with that symmetric key; alternatively, the container manager may sign with its private key, in which case the container service instance later verifies the token with the container manager's public key.
For example, the claim in the token generated by the container manager in this embodiment includes:
1. ID of service management: the ID of the container service instance manager, that is, the identification information of the container manager, used to identify the container manager that generated the token.
2. VNF Instance ID of the service consumer and VNFM ID of the service consumer: the identification information of the VNFI requesting the container service and the identification information of the VNFM that manages the VNFI, that is, the Instance ID of the VNFI and the VNFM ID of the VNFM.
3. Service name of the producers: the service name of the container service instances that can provide the container service. In an NFV system, the container service requested by a VNFI is usually a resource-pool scenario such as load balancing, and the VNFI can use one token to request container service from several different container service instances. The token generated by the container manager therefore usually carries only the name of the service that the container service instances can provide, and the VNFI itself decides which one or more container service instances to request service from.
4. Expiration time: the deadline. Before this deadline, when the VNFI uses the token to send a service request to a container service instance, the container service instance provides the container service to the VNFI; after this deadline the token is invalid, and when the VNFI uses the token to send a service request to a container service instance, the container service instance does not provide the container service to the VNFI.
S103: The container manager sends the token generated in S102 to the VNFI, so that the VNFI can request the container service from the container service instance according to the received token.
Subsequently, after the container manager has authorized the VNFI according to the token request and generated the VNFI's token in S102, it sends the generated token to the VNFI, so that the VNFI, having obtained the token from the container manager, can use it to request the container service from the corresponding container service instance.
Further, to implement the embodiment shown in FIG. 2, this application also provides an NFV system; FIG. 6 is a schematic structural diagram of another embodiment of the NFV system. Compared with the NFV system shown in FIG. 1, the NFV system shown in FIG. 6 additionally includes a Ve-Cm interface between the VNFI and the container manager, which the VNFI uses to ask the container manager to authorize a container service instance. The VNFI can send the token application to the container manager through the Ve-Cm interface and receive the token sent by the container manager through the Ve-Cm interface.
In summary, in the container service management method provided in this embodiment, when the VNFI needs to use the service provided by a container service instance, it sends the container manager a token request carrying the identification information of the VNFI and the identification information of the VNFM. After the container manager receives the token request sent by the VNFI, the token it generates according to the request also includes the identification information of the VNFI and the identification information of the VNFM. Finally, once the container manager has sent the generated token to the VNFI, the VNFI can request service from the container service instance according to the received token.
In particular, because the token generated in this embodiment includes the identification information of the VNFM, when the VNFI requests service from a container service instance with the token, the container service instance verifies not only the VNFI identification information in the token but also the VNFM identification information in the token. Only after both the VNFI identification information and the VNFM identification information pass verification does the container service instance provide the service to the VNFI. Thus, for two different VNFIs managed by two VNFMs, even if they have the same VNFI identification information, the identification information of the two VNFMs differs, and the container service instance also verifies the VNFM identification information when a VNFI requests the container service. Therefore, when one VNFI has applied to the container manager for a token, even if that token is stolen by another VNFI, the VNFM identification information in the token sent by the stealing VNFI differs from that VNFI's actual VNFM identification information, the token fails verification at the container service instance, and the container service instance does not provide the container service to the VNFI that stole the token.
As a result, even if the token is stolen by another VNFI across VNFMs, the VNFI that stole it cannot use the service provided by the container service instance with that token. A token generated by the container manager for a given VNFI cannot be used after being stolen by a VNFI managed by a different VNFM, which improves the security of the token that a VNFI uses in the NFV system when requesting the service provided by a container service instance.
With reference to FIG. 3, the following describes the flow in which, after obtaining a token through the embodiment shown in FIG. 2, the VNFI uses the token to request service from a container service instance.
FIG. 3 is a schematic flowchart of an embodiment of the container service management method provided by this application. This embodiment can be applied to the VNF system shown in FIG. 1, in which the VNFI requests service from a container service instance. As shown in FIG. 3, after S103 shown in FIG. 1, the container service management method provided in this embodiment further includes:
S104: The VNFI sends a service request to the container service instance; the service request carries the token requested in S103.
Specifically, after receiving the token in S103, the VNFI can request service from the container service instance corresponding to the token. According to the service name, included in the token, of the container service instances that can provide the container service, the VNFI sends a service request to a container service instance that can provide the requested service, asking it to serve the VNFI. The service request sent by the VNFI to the container service instance carries the token that the first device applied for from the container manager in the embodiment shown in FIG. 2.
S105: After the container service instance receives the service request sent by the VNFI, it can verify the token with the container manager's public key to determine whether the token was generated by the container manager. In addition, in this embodiment, the container service instance further checks whether the identification information of the VNFI that sent the service request and the identification information of the VNFM that manages that VNFI are consistent with the VNFI identification information and the VNFM identification information included in the token in the service request.
For example, denote the identification information of the VNFI that sends the service request to the container service instance in this embodiment as A, and the identification information of the VNFM that manages that VNFI as B; denote the VNFI identification information included in the token as C, and the VNFM identification information recorded in the token as D. The container service instance then checks whether A is consistent with C and whether B is consistent with D. Only when A is consistent with C and B is consistent with D does the container service instance execute the subsequent S203, that is, provide the service to the VNFI.
It can be understood that, as shown in FIG. 3, the VNFI asked the container manager to authorize its use of the service provided by the container service instance, so the container manager generated for this VNFI a token containing the VNFI's identification information and the VNFM's identification information. Therefore, once the VNFI has obtained the token generated and sent by the container manager, it can carry that token when requesting service from the container service instance. In this case the container service instance successfully verifies the VNFI's identification information and the VNFM's identification information against the VNFI and VNFM identification information in the token. Therefore, in S106 the container service instance provides the service to the VNFI, and correspondingly the VNFI uses the service provided by the container service instance.
In particular, the embodiment shown in FIG. 3 shows the VNFI that requested the token from the container manager using that token to request service from the container service instance. The embodiment shown in FIG. 4 shows the process in which a VNFI that has stolen the token requests service from the container service instance; FIG. 4 is a schematic flowchart of an embodiment of the container service management method provided by this application.
If, after the VNFI shown in FIG. 3 has applied to the container manager for a token, the token is stolen by the VNFI shown in FIG. 4, the VNFI that stole the token can send a service request carrying the stolen token to the container service instance in S201.
In this case, in S202, after receiving the service request in S201, the container service instance likewise verifies the token, checking whether the VNFI identification information and VNFM identification information included in the token are the same as the identification information of the VNFI that sent the service request and of its VNFM.
Clearly, if the VNFI identification information of the VNFI that stole the token differs from that of the original VNFI, the token fails verification at the container service instance, which does not provide service to the VNFI that stole the token; that is, step S203 in the figure is not executed. If the VNFI identification information of the VNFI that stole the token is the same as that of the original VNFI, then, because the two VNFIs were assigned their VNFI identification information by two different VNFMs, the VNFM identification information of the VNFI that stole the token differs from that of the original VNFI. The token fails verification at the container service instance, which again does not provide service to the VNFI that stole the token.
In summary, the embodiments shown in FIG. 3 and FIG. 4 show that, after a VNFI obtains the token provided by the container manager, it can request service from the corresponding container service instance with that token, and the container service instance must verify the token to determine whether it can serve the VNFI. Because the token includes both the identification information of the VNFI and the identification information of the VNFM, the container service instance must verify both when verifying the token, and only when both are found consistent does it determine that it can serve the VNFI. Carrying the VNFI and VNFM identification information in the token thus strengthens token verification: when a token is stolen by a VNFI across VNFMs, even if the VNFI identification information is the same, the token fails verification at the container service instance because the VNFM identification information differs. This improves the security of the token that a VNFI uses when requesting the service provided by a container service instance.
Further, on the basis of the foregoing embodiments, this application also provides another specific implementation of the claim in the token generated by the container manager. In it, the claim in the token generated by the container manager includes:
1. ID of service management: the ID of the container service instance manager.
2. VNF Instance ID of the service consumer and VNFM ID of the service consumer: the identification information of the VNFI requesting the container service and the identification information of the VNFM.
3. Service ID of the producers: the identification information of the container service instances that can provide the container service. The identification information of a container service instance is set by the container manager. It may be a character string assigned by the container manager when managing the container service instance, such as "LB-CONTAINER-service", or a string of random digits such as "0x254830203". This application does not limit how the identification information of a container service instance is represented.
4. Expiration time: the deadline.
Specifically, in this implementation of the claim in the token, for the description of items 1, 2 and 4 of the claim and for the method by which the container management server generates the token, refer to the embodiment shown in FIG. 2; they are not repeated here.
The difference is that the claim in this embodiment includes the identification information of the container service instances that can provide the container service. That is, when authorizing container service instances for the VNFI, the container manager further determines the identification information of the specific container service instances that the VNFI can use, restricting the VNFI to requesting service only from the specific container service instances identified in the token.
Optionally, the token provided in this example can be applied in the embodiment shown in FIG. 3. The VNFI must request service from the container service instance indicated by the container service instance identification information in the token, and the container service instance, when deciding whether to serve the VNFI, must also verify the container service instance identification information included in the token.
For example, in S105 shown in FIG. 3, after obtaining the token carried in the service request sent by the VNFI, the container service instance verifies the container service instance identification information included in the token. If the container service instance finds that the token includes its own identification information, it determines that it can serve the VNFI. If it finds that the token does not include its own identification information, the VNFI has not applied to the correct container service instance, and the container service instance does not serve the VNFI.
Therefore, in this implementation of the claim, when generating the VNFI's token, the container manager carries directly in the token the identification information of the container service instances from which the VNFI may request service with that token, limiting the range of container service instances that can serve the VNFI. The VNFI must therefore request service from the container service instances specified by the container manager in the token, and once the token is stolen across VNFMs, other VNFIs cannot request service from the container service instances in the VNF system where the original token resides. This also strengthens the security of the token, making it unusable after being stolen across VNFMs.
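The issue-and-verify flow of S102 and S105, covering the cross-VNFM theft case and the variant claim that names specific container service instances, as an added example that is not code from the patent. The claim key names, the HMAC-SHA256 token encoding, the epoch-second expiry and the `verify_request` parameters are assumptions; the caller's VNFI and VNFM identifiers (A and B) are assumed to reach the container service instance from a source it trusts independently of the token, which the page does not specify.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo key: stands in for the symmetric key the container manager
# shares with the container service instance (the page's first signing option).
SHARED_KEY = b"constructed-demo-key-not-for-production"


def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode("ascii")


def issue_token(key, manager_id, vnfi_id, vnfm_id, service_name, exp,
                service_ids=None):
    """Container manager side (S102): build the claim, then sign it."""
    claim = {
        "mgr": manager_id,         # ID of service management
        "vnfi_id": vnfi_id,        # VNF Instance ID of the service consumer
        "vnfm_id": vnfm_id,        # VNFM ID of the service consumer
        "svc_name": service_name,  # Service name of the producers
        "exp": exp,                # Expiration time (epoch seconds, assumed)
    }
    if service_ids is not None:    # variant claim: Service ID of the producers
        claim["svc_ids"] = list(service_ids)
    body = json.dumps(claim, sort_keys=True).encode("utf-8")
    sig = hmac.new(key, body, hashlib.sha256).digest()
    return _b64e(body) + "." + _b64e(sig)


def verify_request(key, token, caller_vnfi_id, caller_vnfm_id, my_service_id,
                   now, check_vnfm=True):
    """Container service instance side (S105). Returns (allowed, reason).

    caller_vnfi_id / caller_vnfm_id are A and B in the page's notation; the
    claim values are C and D. check_vnfm=False reproduces the prior-art check
    that compares the VNFI identifier alone.
    """
    try:
        body_b64, sig_b64 = token.split(".")
        body = base64.urlsafe_b64decode(body_b64)
        sig = base64.urlsafe_b64decode(sig_b64)
    except ValueError:  # wrong number of parts, or invalid base64
        return False, "malformed token"
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):  # constant-time comparison
        return False, "bad signature"
    claim = json.loads(body)  # parsed only after the signature checks out
    if now >= claim["exp"]:
        return False, "expired"
    if claim["vnfi_id"] != caller_vnfi_id:                 # A vs C
        return False, "VNFI ID mismatch"
    if check_vnfm and claim["vnfm_id"] != caller_vnfm_id:  # B vs D
        return False, "VNFM ID mismatch"
    if "svc_ids" in claim and my_service_id not in claim["svc_ids"]:
        return False, "service instance not named in token"
    return True, "ok"


def theft_scenario():
    """Constructed scenario: two VNFMs hand out the same VNFI identifier."""
    exp, now = 1577836800, 1577000000  # 2020-01-01T00:00:00Z and an earlier time
    token = issue_token(SHARED_KEY, "cm-18", "vnf-AMF-123", "vnfm-EPC-123",
                        "load balance", exp)
    owner = ("vnf-AMF-123", "vnfm-EPC-123")
    thief = ("vnf-AMF-123", "vnfm-EPC-456")  # same VNFI ID, different VNFM
    svc = "LB-CONTAINER-service"
    return {
        "owner": verify_request(SHARED_KEY, token, *owner, svc, now),
        "thief, VNFI ID only": verify_request(SHARED_KEY, token, *thief, svc,
                                              now, check_vnfm=False),
        "thief, VNFI + VNFM ID": verify_request(SHARED_KEY, token, *thief,
                                                svc, now),
    }


if __name__ == "__main__":
    for who, result in theft_scenario().items():
        print(f"{who}: {result}")
```
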
Further, the embodiments of this application shown in FIGS. 2 to 4 provide a method in which the VNFI sends the token request to the container manager and directly receives the token sent by the container manager. In another implementation of this application, the VNFM that manages the VNFI can instead send the token request to the container manager on the VNFI's behalf and forward the received token to the VNFI, so that the VNFI can request service from the container service instance.
This is described below with reference to FIG. 5, where FIG. 4 is a schematic flowchart of an embodiment of the container service management method provided by this application. The method provided in this embodiment includes:
S301: If a VNFI managed by the VNFM needs to use the service provided by a container service instance, the VNFM sends a token request to the container manager that manages that container service instance. The token request asks the container manager for the token that the VNFI will use when requesting service from the container service instance. Correspondingly, the container manager receives the token request sent by the VNFM in S301.
In particular, the token request in this embodiment includes the identification information of the VNFI and the identification information of the VNFM that manages the VNFI.
Optionally, in a specific implementation of this embodiment, the token request specifically includes: "the identification information of the VNFI, the identification information of the VNFM, the requested service name (Expected service name), and the expiration time of the requested token (expiration)".
Optionally, the VNFM sends the token request to the container manager through S301 while it is instantiating the VNFI, or after it has instantiated the VNFI. Specifically, the VNFM instantiates the VNF to obtain the VNFI. For the implementation and principle of VNF instantiation by the VNFM, refer to the prior art; this embodiment does not limit them.
Note that this embodiment emphasizes that the VNFM, in place of the VNFI, sends the token request to the container server. For the specific implementation of the VNFI identification information and the VNFM identification information included in the token request, refer to the description of the embodiment in FIG. 2; it is not repeated here.
Optionally, because the VNFM allocates identification information to the VNFI when instantiating it, for example the instant ID of the VNFI, the VNFM can determine the identification information allocated to the VNFI before it sends the token request to the container manager. In S301, the VNFM can therefore combine this with its own identification information and carry the identification information of the VNFI and the identification information of the VNFM together in the token request sent to the container manager. In this embodiment, the VNFM thus applies to the container manager for the token on behalf of the VNFI and forwards to the VNFI the token that the container manager generates for it.
S302: After receiving through S301 the token request sent by the VNFM, the container manager authorizes the VNFI, according to the token request, to use the service provided by the container service instance, and generates the token corresponding to the VNFI. The token includes the identification information of the VNFI and the identification information of the VNFM.
For the specific implementation of the VNFI identification information and the VNFM identification information included in the token in this embodiment, refer to the description of the embodiment in FIG. 2; it is not repeated here.
After generating the token, the container manager sends it to the VNFM through S303.
After the VNFM receives the token sent by the container manager, it forwards the token to the VNFI through S304. Correspondingly, after the VNFI receives in S305 the token sent by the VNFM, it can request service from the container service instance with the token. For the specific procedure by which the VNFI requests service from the container service instance, refer to the embodiment of S104-S106 shown in FIG. 3; it is not repeated here.
It can be understood that the container service management method provided in this embodiment can be applied in the NFV system shown in FIG. 1. After the VNFM instantiates the VNF through the Ve-Vnfm interface to obtain the VNFI, the VNFM sends the token request to the container manager through the Cm-Vnfm interface; the VNFM also receives the token sent by the container manager through the Cm-Vnfm interface and sends the token to the VNFI through the Ve-Vnfm interface.
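The S105 check and the VNFM-proxied flow S301 to S305 described above, as an added Python example that is not code from the patent. It assumes an HMAC-SHA256 token format, a key shared by the container manager and its container service instances, the claim field names, and that the container service instance learns the caller's VNFI and VNFM identifiers from an authenticated channel; all identifiers and the clock value are constructed.

```python
import base64
import hashlib
import hmac
import json

# Assumption: the container manager and the container service instances it
# manages share this key; the page does not say how the token is protected.
MANAGER_KEY = b"constructed-demo-key"


def b64e(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign(body: str, key: bytes) -> str:
    return b64e(hmac.new(key, body.encode(), hashlib.sha256).digest())


def issue_token(request: dict, instance_id: str, key: bytes = MANAGER_KEY) -> str:
    """Container manager (S302): build the token from the token request."""
    for field in ("vnfi_id", "vnfm_id", "expected_service_name", "expiration"):
        if not request.get(field):
            raise ValueError(f"token request is missing {field}")
    claims = {
        "vnfi_id": request["vnfi_id"],
        "vnfm_id": request["vnfm_id"],
        "service": request["expected_service_name"],
        "instance_id": instance_id,  # limits where the token can be used
        "exp": request["expiration"],
    }
    body = b64e(json.dumps(claims, sort_keys=True).encode())
    return f"{body}.{sign(body, key)}"


def verify_service_request(token, caller_vnfi, caller_vnfm, my_instance_id,
                           now, key=MANAGER_KEY):
    """Container service instance (S105): return (allowed, reason)."""
    try:
        body, sig = token.split(".")
        if not hmac.compare_digest(sig, sign(body, key)):
            return False, "bad signature"
        claims = json.loads(b64d(body))
    except (ValueError, TypeError, AttributeError):
        return False, "malformed token"
    if not isinstance(claims, dict):
        return False, "malformed token"
    exp = claims.get("exp")
    if not isinstance(exp, int) or now >= exp:
        return False, "expired"
    # The token must name this instance, otherwise the VNFI applied to the
    # wrong container service instance.
    if claims.get("instance_id") != my_instance_id:
        return False, "wrong container service instance"
    # The token must name the VNFI and VNFM that are actually calling.
    if (claims.get("vnfi_id"), claims.get("vnfm_id")) != (caller_vnfi, caller_vnfm):
        return False, "VNFI/VNFM identity mismatch"
    return True, "ok"


def run_scenarios() -> dict:
    now = 1_700_000_000  # constructed clock value (epoch seconds)
    # S301: VNFM A requests the token on behalf of the VNFI it instantiated.
    request = {"vnfi_id": "vnfi-a1", "vnfm_id": "vnfm-A",
               "expected_service_name": "db", "expiration": now + 300}
    token = issue_token(request, instance_id="csi-A-db")  # S302, S303
    # S304, S305: the VNFM forwards the token unchanged and the VNFI presents it.
    # Constructed tampering case: claims rewritten, original signature kept.
    body, sig = token.split(".")
    claims = json.loads(b64d(body))
    claims["vnfi_id"], claims["vnfm_id"] = "vnfi-b7", "vnfm-B"
    rewritten = b64e(json.dumps(claims, sort_keys=True).encode()) + "." + sig
    check = verify_service_request
    return {
        "legitimate": check(token, "vnfi-a1", "vnfm-A", "csi-A-db", now),
        "reused_by_other_vnfm": check(token, "vnfi-b7", "vnfm-B", "csi-A-db", now),
        "other_instance": check(token, "vnfi-a1", "vnfm-A", "csi-B-db", now),
        "rewritten_claims": check(rewritten, "vnfi-b7", "vnfm-B", "csi-A-db", now),
        "expired": check(token, "vnfi-a1", "vnfm-A", "csi-A-db", now + 301),
    }


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name:22} {result}")
```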
The foregoing embodiments describe the method provided by this application from the perspectives of the VNFI, the VNFM, and the container manager. To implement the functions in the method provided by the embodiments of this application, the VNFI, the VNFM, and the container manager may include a hardware structure and/or a software module, and implement those functions as a hardware structure, a software module, or a hardware structure plus a software module. Whether a given function is executed by a hardware structure, a software module, or a hardware structure plus a software module depends on the specific application and design constraints of the technical solution.
For example, FIG. 7 is a schematic structural diagram of the container service management apparatus provided by this application. The apparatus shown in FIG. 7 includes a receiving module 701, a processing module 702, and a sending module 703.
When the container service management apparatus shown in FIG. 7 is the VNFI in the embodiment shown in FIGS. 2-3, the sending module 703 is configured to send a token request to the container manager that manages the container service instance if the virtual network function instance (VNFI) needs to use the service provided by the container service instance; the token request includes the identification information of the VNFI and the identification information of the virtual network function manager (VNFM) that manages the VNFI;
the receiving module 701 is configured to receive the token sent by the container manager; the token includes the identification information of the VNFI and the identification information of the VNFM, which the container service instance uses to verify the VNFI that requests service with the token.
Optionally, the sending module is further configured to send a service request to the container service instance, the service request including the token, so that the container service instance verifies the VNFI according to the identification information of the VNFI and the identification information of the VNFM in the token; the processing module is configured to use the service provided by the container service instance if the verification succeeds.
Optionally, the token further includes the identification information of the container service instance; the sending module is specifically configured to send, according to the token, the service request to the container service instance corresponding to that identification information.
Optionally, the sending module 703 is specifically configured to send the token request to the container manager when the VNFM instantiates the VNFI, or to send the token request to the container manager after the VNFM has instantiated the VNFI.
The container service management apparatus provided in this embodiment can implement the container service management method of the embodiment shown in FIGS. 2-3; the implementation and principle are the same and are not repeated here.
When the container service management apparatus shown in FIG. 7 is the container manager in the embodiment shown in FIGS. 2-3, the receiving module 701 is configured to receive the token request sent by the virtual network function instance (VNFI); the VNFI needs to use the service provided by the container service instance managed by the container manager, and the token request includes the identification information of the VNFI and the identification information of the virtual network function manager (VNFM) that manages the VNFI. The processing module 702 is configured to generate the token according to the token request; the token includes the identification information of the VNFI and the identification information of the VNFM, which the container service instance uses to verify the VNFI that requests service with the token. The sending module 703 is configured to send the token to the VNFI.
Optionally, the token further includes the identification information of the container service instance, which the VNFI uses to request service from the container service instance corresponding to that identification information.
The container service management apparatus provided in this embodiment can implement the container service management method of the embodiment shown in FIGS. 2-3; the implementation and principle are the same and are not repeated here.
When the container service management apparatus shown in FIG. 7 is the VNFM in the embodiment shown in FIG. 5, the sending module 703 is configured to send a token request to the container manager that manages the container service instance if a virtual network function instance (VNFI) managed by the virtual network function manager (VNFM) needs to use the service provided by the container service instance; the token request includes the identification information of the VNFI and the identification information of the VNFM that manages the VNFI. The receiving module 701 is configured to receive the token sent by the container manager, and the token is sent to the VNFI through the sending module; the token includes the identification information of the VNFI and the identification information of the VNFM, which the container service instance uses to verify the VNFI that requests service with the token.
Optionally, the token further includes the identification information of the container service instance, which the VNFI uses to request service from the container service instance corresponding to that identification information.
Optionally, the sending module is specifically configured to send the token request to the container manager when the VNFM instantiates the VNFI, or to send the token request to the container manager after the VNFM has instantiated the VNFI.
The container service management apparatus provided in this embodiment can implement the container service management method of the embodiment shown in FIG. 5; the implementation and principle are the same and are not repeated here.
When the container service management apparatus shown in FIG. 7 is the container manager in the embodiment shown in FIG. 5, the receiving module 701 is configured to receive the token request sent by the virtual network function manager (VNFM); a virtual network function instance (VNFI) managed by the VNFM needs to use the service provided by the container service instance managed by the container manager, and the token request includes the identification information of the VNFI and the identification information of the VNFM that manages the VNFI. The processing module 702 is configured to generate the token according to the token request; the token includes the identification information of the VNFI and the identification information of the VNFM, which the container service instance uses to verify the VNFI that requests service with the token. The sending module 703 is configured to send the token to the VNFM, so that the VNFM sends the token to the VNFI.
Optionally, the token further includes the identification information of the container service instance, which the VNFI uses to request service from the container service instance corresponding to that identification information.
The container service management apparatus provided in this embodiment can implement the container service management method of the embodiment shown in FIG. 5; the implementation and principle are the same and are not repeated here.
The division into modules in the foregoing embodiments of this application is illustrative and is only a division by logical function; an actual implementation may divide them differently. In addition, the functional modules in the embodiments of this application may be integrated in one processor, may each exist physically on their own, or two or more modules may be integrated into one module. The integrated module can be implemented in hardware or as a software functional module.
Further, FIG. 8 is a schematic structural diagram of a device for executing the container management method provided by this application. The device shown in FIG. 8 includes a communication interface 1010, a processor 1020, and a memory 1030. The communication interface 1010 may be a transceiver, a circuit, a bus, or another form of interface, used to communicate with other devices through a transmission medium. The communication interface 1010, the processor 1020, and the memory 1030 are coupled to one another. Coupling in the embodiments of this application is an indirect coupling or communication connection between apparatuses, units, or modules; it may be electrical, mechanical, or of another form, and is used for information exchange between the apparatuses, units, or modules.
The embodiments of this application do not limit the specific connection medium between the communication interface 1010, the processor 1020, and the memory 1030. In FIG. 8, the communication interface 1010, the memory 1030, and the processor 1020 are connected by a bus 1040, which is drawn as a thick line; the connections between other components are shown only schematically and are not limiting. The bus can be divided into an address bus, a data bus, a control bus, and so on. For ease of presentation, FIG. 8 uses a single thick line, which does not mean that there is only one bus or one type of bus.
As an example, if the device shown in FIG. 8 is the VNFI shown in FIGS. 2-3, the memory 1030 stores code. When the processor 1020 calls and executes the instructions, if the VNFI needs to use the service provided by the container service instance, the processor 1020 sends the token request to the communication interface; the token request includes the identification information of the VNFI and the identification information of the virtual network function manager (VNFM) that manages the VNFI. The communication interface 1010 receives the token request sent by the processor 1020 and sends it to the container manager that manages the container service instance. The communication interface 1010 is further configured to receive the token sent by the container manager and send the token to the processor 1020; the token includes the identification information of the VNFI and the identification information of the VNFM, which the container service instance uses to verify the VNFI that requests service with the token.
Optionally, when the processor 1020 calls and executes the instructions, the processor 1020 is further configured to send a service request to the communication interface 1010, the service request including the token, so that the container service instance verifies the VNFI according to the identification information of the VNFI and the identification information of the VNFM in the token;
the communication interface 1010 is further configured to receive the service request sent by the processor 1020 and send it to the container service instance; if the verification succeeds, the processor 1020 is further configured to use the service provided by the container service instance.
Optionally, the token further includes the identification information of the container service instance; the communication interface 1010 is specifically configured to send the service request to the container service instance corresponding to that identification information.
Optionally, the processor 1020 is specifically configured to send the token request to the communication interface when the VNFM instantiates the VNFI; or the processor 1020 is specifically configured to send the token request to the communication interface after the VNFM has instantiated the VNFI.
As a further example, if the device shown in FIG. 8 is the container manager shown in FIGS. 2-3, the communication interface 1010 is configured to receive the token request sent by the virtual network function instance (VNFI) and send the token request to the processor 1020; the VNFI needs to use the service provided by the container service instance managed by the container manager, and the token request includes the identification information of the VNFI and the identification information of the virtual network function manager (VNFM) that manages the VNFI. The memory 1030 stores code. When the processor 1020 calls and executes the instructions, the processor 1020 is configured to generate the token according to the token request and send the token to the communication interface 1010; the token includes the identification information of the VNFI and the identification information of the VNFM, which the container service instance uses to verify the VNFI that requests service with the token. The communication interface 1010 is further configured to send the token to the VNFI.
Optionally, the token further includes the identification information of the container service instance, which the VNFI uses to request service from the container service instance corresponding to that identification information.
As an example, if the device shown in FIG. 8 is the VNFM shown in FIG. 5, the memory 1030 stores code. When the processor 1020 calls and executes the instructions, if a virtual network function instance (VNFI) managed by the VNFM needs to use the service provided by the container service instance, the processor 1020 is configured to send the token request to the communication interface 1010; the token request includes the identification information of the VNFI and the identification information of the virtual network function manager (VNFM) that manages the VNFI. The communication interface 1010 is configured to send the token request to the container manager that manages the service instance. The communication interface 1010 is further configured to receive the token sent by the container manager and send the token to the VNFI; the token includes the identification information of the VNFI and the identification information of the VNFM, which the container service instance uses to verify the VNFI that requests service with the token.
Optionally, the token further includes the identification information of the container service instance, which the VNFI uses to request service from the container service instance corresponding to that identification information.
As an example, if the device shown in FIG. 8 is the container manager shown in FIG. 5, the communication interface 1010 is configured to receive the token request sent by the virtual network function manager (VNFM) and send the token request to the processor 1020; a virtual network function instance (VNFI) managed by the VNFM needs to use the service provided by the container service instance managed by the container manager, and the token request includes the identification information of the VNFI and the identification information of the VNFM that manages the VNFI. The memory 1030 stores code. When the processor 1020 calls and executes the instructions, the processor 1020 is configured to generate the token according to the token request and send the token to the communication interface 1010; the token includes the identification information of the VNFI and the identification information of the VNFM, which the container service instance uses to verify the VNFI that requests service with the token. The communication interface 1010 is further configured to send the token to the VNFM, so that the VNFM sends the token to the VNFI.
Optionally, the token further includes the identification information of the container service instance, which the VNFI uses to request service from the container service instance corresponding to that identification information.
In the embodiments of this application, the processor may be a general-purpose processor, a digital signal processor, an application-specific integrated circuit, a field-programmable gate array or other programmable logic device, a discrete gate or transistor logic device, or a discrete hardware component, and can implement or execute the methods, steps, and logic block diagrams disclosed in the embodiments of this application. The general-purpose processor may be a microprocessor or any conventional processor. The steps of the method disclosed in the embodiments of this application may be executed directly by a hardware processor, or by a combination of hardware and software modules in the processor.
In the embodiments of this application, the memory may be a non-volatile memory, such as a hard disk drive (HDD) or a solid-state drive (SSD), or a volatile memory, such as random-access memory (RAM). The memory is any other medium that can be used to carry or store desired program code in the form of instructions or data structures and that can be accessed by a computer, but is not limited thereto. The memory in the embodiments of this application may also be a circuit or any other apparatus capable of providing a storage function, used to store program instructions and/or data.
The methods provided in the embodiments of this application may be implemented in whole or in part by software, hardware, firmware, or any combination thereof. When implemented in software, they may be implemented in whole or in part as a computer program product. The computer program product includes one or more computer instructions. When the computer program instructions are loaded and executed on a computer, the processes or functions described in the embodiments of the present invention are produced in whole or in part. The computer may be a general-purpose computer, a dedicated computer, a computer network, a network device, user equipment, or another programmable apparatus. The computer instructions may be stored in a computer-readable storage medium or transmitted from one computer-readable storage medium to another; for example, the computer instructions may be transmitted from one website, computer, server, or data center to another website, computer, server, or data center by wired means (for example coaxial cable, optical fiber, or digital subscriber line (DSL)) or wireless means (for example infrared, radio, or microwave). The computer-readable storage medium may be any available medium that a computer can access, or a data storage device such as a server or data center that integrates one or more available media. The available medium may be a magnetic medium (for example, a floppy disk, a hard disk, or a magnetic tape), an optical medium (for example, a digital video disc (DVD)), or a semiconductor medium (for example, an SSD).
Obviously, those skilled in the art can make various changes and variations to this application without departing from its scope. If these modifications and variations fall within the scope of the claims of this application and their technical equivalents, this application is intended to include them as well.
Claims (21)
- A container service management method, characterized in that it comprises:
  - if a virtual network function instance (VNFI) needs to use a service provided by a container service instance, the VNFI sends a token request to a container manager that manages the container service instance, wherein the token request includes identification information of the VNFI and identification information of a virtual network function manager (VNFM) that manages the VNFI;
  - the VNFI receives a token sent by the container manager, wherein the token includes the identification information of the VNFI and the identification information of the VNFM, and the identification information of the VNFI and the identification information of the VNFM are used by the container service instance to verify the VNFI that requests the service using the token.
- The method according to claim 1, wherein after the VNFI receives the token sent by the container manager, the method further comprises:
  - the VNFI sends a service request to the container service instance, wherein the service request includes the token, so that the container service instance verifies the VNFI according to the identification information of the VNFI and the identification information of the VNFM in the token;
  - if the verification succeeds, the VNFI uses the service provided by the container service instance.
- The method according to claim 2, wherein:
  - the token further includes identification information of the container service instance;
  - the VNFI sending a service request to the container service instance according to the token comprises: the VNFI sends, according to the token, the service request to the container service instance corresponding to the identification information of the container service instance.
- The method according to any one of claims 1-3, wherein the VNFI sending the token request to the container manager comprises:
  - when the VNFM instantiates the VNFI, the VNFI sends the token request to the container manager; or
  - after the VNFM instantiates the VNFI, the VNFI sends the token request to the container manager.
- A container service management method, characterized in that it comprises:
  - a container manager receives a token request sent by a virtual network function instance (VNFI), wherein the VNFI needs to use a service provided by a container service instance managed by the container manager, and the token request includes identification information of the VNFI and identification information of a virtual network function manager (VNFM) that manages the VNFI;
  - the container manager generates a token according to the token request, wherein the token includes the identification information of the VNFI and the identification information of the VNFM, and the identification information of the VNFI and the identification information of the VNFM are used by the container service instance to verify the VNFI that requests the service using the token;
  - the container manager sends the token to the VNFI.
- The method according to claim 5, wherein the token further includes identification information of the container service instance, and the identification information of the container service instance is used by the VNFI to request the service from the container service instance corresponding to the identification information of the container service instance.
- A container service management method, characterized in that it comprises:
  - if a virtual network function instance (VNFI) managed by a virtual network function manager (VNFM) needs to use a service provided by a container service instance, the VNFM sends a token request to a container manager that manages the container service instance, wherein the token request includes identification information of the VNFI and identification information of the VNFM that manages the VNFI;
  - the VNFM receives a token sent by the container manager and sends the token to the VNFI, wherein the token includes the identification information of the VNFI and the identification information of the VNFM, and the identification information of the VNFI and the identification information of the VNFM are used by the container service instance to verify the VNFI that requests the service using the token.
- The method according to claim 7, wherein:
  - the token further includes identification information of the container service instance;
  - the identification information of the container service instance is used by the VNFI to request the service from the container service instance corresponding to the identification information of the container service instance.
- The method according to claim 7 or 8, wherein the VNFM sending the token request to the container manager comprises:
  - when the VNFM instantiates the VNFI, the VNFM sends the token request to the container manager; or
  - after the VNFM instantiates the VNFI, the VNFM sends the token request to the container manager.
- A container service management method, characterized in that it comprises:
  - a container manager receives a token request sent by a virtual network function manager (VNFM), wherein a virtual network function instance (VNFI) managed by the VNFM needs to use a service provided by a container service instance managed by the container manager, and the token request includes identification information of the VNFI and identification information of the VNFM that manages the VNFI;
  - the container manager generates a token according to the token request, wherein the token includes the identification information of the VNFI and the identification information of the VNFM, and the identification information of the VNFI and the identification information of the VNFM are used by the container service instance to verify the VNFI that requests the service using the token;
  - the container manager sends the token to the VNFM, so that the VNFM sends the token to the VNFI.
- The method according to claim 10, wherein the token further includes identification information of the container service instance, and the identification information of the container service instance is used by the VNFI to request the service from the container service instance corresponding to the identification information of the container service instance.
- A virtual network function instance (VNFI), characterized by comprising a processor and a communication interface, wherein:
  - if the VNFI needs to use a service provided by a container service instance, the processor is configured to send a token request to the communication interface, wherein the token request includes identification information of the VNFI and identification information of a virtual network function manager (VNFM) that manages the VNFI;
  - the communication interface is configured to send the token request to a container manager that manages the container service instance;
  - the communication interface is further configured to receive a token sent by the container manager and send the token to the processor, wherein the token includes the identification information of the VNFI and the identification information of the VNFM, and the identification information of the VNFI and the identification information of the VNFM are used by the container service instance to verify the VNFI that requests the service using the token.
- The VNFI according to claim 12, wherein:
  - the processor is further configured to send a service request to the communication interface, wherein the service request includes the token, so that the container service instance verifies the VNFI according to the identification information of the VNFI and the identification information of the VNFM in the token;
  - the communication interface is further configured to send the service request to the container service instance;
  - if the verification succeeds, the processor is further configured to use the service provided by the container service instance.
- The VNFI according to claim 13, wherein:
  - the token further includes identification information of the container service instance pair;
  - the communication interface is specifically configured to send the service request to the container service instance corresponding to the identification information of the container service instance.
- The VNFI according to any one of claims 12-14, wherein:
  - the processor is specifically configured to send the token request to the communication interface when the VNFM instantiates the VNFI; or
  - the processor is specifically configured to send the token request to the communication interface after the VNFM instantiates the VNFI.
- A container manager, characterized by comprising a communication interface and a processor, wherein:
  - the communication interface is configured to receive a token request sent by a virtual network function instance (VNFI) and send the token request to the processor, wherein the VNFI needs to use a service provided by a container service instance managed by the container manager, and the token request includes identification information of the VNFI and identification information of a virtual network function manager (VNFM) that manages the VNFI;
  - the processor is configured to generate a token according to the token request and send the token to the communication interface, wherein the token includes the identification information of the VNFI and the identification information of the VNFM, and the identification information of the VNFI and the identification information of the VNFM are used by the container service instance to verify the VNFI that requests the service using the token;
  - the communication interface is further configured to send the token to the VNFI.
- The container manager according to claim 16, wherein the token further includes identification information of the container service instance, and the identification information of the container service instance is used by the VNFI to request the service from the container service instance corresponding to the identification information of the container service instance.
- A virtual network function manager (VNFM), characterized by comprising a communication interface and a processor, wherein:
  - if a virtual network function instance (VNFI) managed by the VNFM needs to use a service provided by a container service instance, the processor is configured to send a token request to the communication interface, wherein the token request includes identification information of the VNFI and identification information of the VNFM that manages the VNFI;
  - the communication interface is configured to send the token request to a container manager that manages the service instance;
  - the communication interface is further configured to receive a token sent by the container manager and send the token to the VNFI, wherein the token includes the identification information of the VNFI and the identification information of the VNFM, and the identification information of the VNFI and the identification information of the VNFM are used by the container service instance to verify the VNFI that requests the service using the token.
- The VNFM according to claim 18, wherein:
  - the token further includes identification information of the container service instance;
  - the identification information of the container service instance is used by the VNFI to request the service from the container service instance corresponding to the identification information of the container service instance.
- A container manager, characterized by comprising a communication interface and a processor, wherein:
  - the communication interface is configured to receive a token request sent by a virtual network function manager (VNFM) and send the token request to the processor, wherein a virtual network function instance (VNFI) managed by the VNFM needs to use a service provided by a container service instance managed by the container manager, and the token request includes identification information of the VNFI and identification information of the VNFM that manages the VNFI;
  - the processor is configured to generate a token according to the token request and send the token to the communication interface, wherein the token includes the identification information of the VNFI and the identification information of the VNFM, and the identification information of the VNFI and the identification information of the VNFM are used by the container service instance to verify the VNFI that requests the service using the token;
  - the communication interface is further configured to send the token to the VNFM, so that the VNFM sends the token to the VNFI.
- The container manager according to claim 20, wherein the token further includes identification information of the container service instance, and the identification information of the container service instance is used by the VNFI to request the service from the container service instance corresponding to the identification information of the container service instance.
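The token exchange recited in the method claims, sketched as an added example that is not part of the patent text. The claims do not say how the token is protected or checked, so the HMAC-SHA256 tag, the key shared between container manager and container service instance, the expiry field, the use of the container service instance identifier as an audience check, the caller identities handed to `verify`, and every name and identifier below are assumptions.

```python
import base64
import hashlib
import hmac
import json
import time


def b64e(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode()


def b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text.encode())


class ContainerManager:
    """Issuer side: builds a token from the ids carried in the token request."""

    def __init__(self, key: bytes):
        self._key = key  # assumption: key shared with the service instances

    def issue_token(self, vnfi_id, vnfm_id, service_id, ttl=300, now=None):
        now = time.time() if now is None else now
        claims = {"vnfi_id": vnfi_id, "vnfm_id": vnfm_id,
                  "service_id": service_id, "exp": now + ttl}
        body = json.dumps(claims, sort_keys=True).encode()
        tag = hmac.new(self._key, body, hashlib.sha256).digest()
        return b64e(body) + "." + b64e(tag)


class ContainerServiceInstance:
    """Verifier side: checks the token against the VNFI making the request."""

    def __init__(self, service_id: str, key: bytes):
        self.service_id, self._key = service_id, key

    def verify(self, token, caller_vnfi_id, caller_vnfm_id, now=None):
        # caller_* are assumed to come from an authenticated channel.
        now = time.time() if now is None else now
        try:
            body_part, tag_part = token.split(".")
            body, tag = b64d(body_part), b64d(tag_part)
        except ValueError:  # wrong number of parts or invalid base64
            return False, "malformed token"
        expected = hmac.new(self._key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return False, "bad signature"
        claims = json.loads(body)  # parsed only after the MAC check passed
        if now >= claims["exp"]:
            return False, "expired"
        if claims["service_id"] != self.service_id:
            return False, "wrong service instance"
        if claims["vnfi_id"] != caller_vnfi_id:
            return False, "VNFI mismatch"
        if claims["vnfm_id"] != caller_vnfm_id:
            return False, "VNFM mismatch"
        return True, "ok"


def demo():
    key = b"constructed-demo-key"  # constructed sample value
    manager = ContainerManager(key)
    db = ContainerServiceInstance("svc-db", key)
    cache = ContainerServiceInstance("svc-cache", key)
    token = manager.issue_token("vnfi-1", "vnfm-A", "svc-db", now=1000)
    # Rewrite the VNFI id in the body but keep the original tag.
    body_part, tag_part = token.split(".")
    claims = json.loads(b64d(body_part))
    claims["vnfi_id"] = "vnfi-2"
    forged = b64e(json.dumps(claims, sort_keys=True).encode()) + "." + tag_part
    return {
        "valid": db.verify(token, "vnfi-1", "vnfm-A", now=1100),
        "other_vnfi": db.verify(token, "vnfi-2", "vnfm-A", now=1100),
        "other_vnfm": db.verify(token, "vnfi-1", "vnfm-B", now=1100),
        "other_service": cache.verify(token, "vnfi-1", "vnfm-A", now=1100),
        "expired": db.verify(token, "vnfi-1", "vnfm-A", now=1400),
        "forged": db.verify(forged, "vnfi-2", "vnfm-A", now=1100),
    }
```

Binding both identifiers into the token means a token copied to a different VNFI, or presented under a different VNFM, is rejected even though its tag is valid.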
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201910429966.XA CN111988263B (en) | 2019-05-22 | 2019-05-22 | Container service management method, container manager, virtual network function instance and virtual network function manager |
CN201910429966.X | 2019-05-22 |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2020233205A1 (en) | 2020-11-26 |
Family
ID=73437137
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/CN2020/079320 WO2020233205A1 (en) | 2019-05-22 | 2020-03-13 | Container service management method and device |
Country Status (2)
Country | Link |
---|---|
CN (1) | CN111988263B (en) |
WO (1) | WO2020233205A1 (en) |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2018013925A1 (en) * | 2016-07-15 | 2018-01-18 | Idac Holdings, Inc. | Adaptive authorization framework for communication networks |
WO2018120042A1 (en) * | 2016-12-30 | 2018-07-05 | 华为技术有限公司 | Credential distribution method and apparatus |
CN109286494A (en) * | 2017-07-20 | 2019-01-29 | 华为技术有限公司 | A kind of the initialization authority generation method and equipment of virtual network function VNF |
CN109343935A (en) * | 2018-09-25 | 2019-02-15 | 中国联合网络通信集团有限公司 | The instantiation method and device of consumer VNF |
Family Cites Families (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US10225335B2 (en) * | 2011-02-09 | 2019-03-05 | Cisco Technology, Inc. | Apparatus, systems and methods for container based service deployment |
WO2016197069A1 (en) * | 2015-06-05 | 2016-12-08 | Nutanix, Inc. | Architecture for managing i/o and storage for a virtualization environment using executable containers and virtual machines |
WO2017166136A1 (en) * | 2016-03-30 | 2017-10-05 | 华为技术有限公司 | Vnf resource allocation method and device |
CN109428764B (en) * | 2017-09-05 | 2021-10-15 | 华为技术有限公司 | Virtual network function instantiation method |
CN109756366B (en) * | 2018-12-24 | 2022-02-11 | 上海欣方智能系统有限公司 | Intelligent network SCP cloud service implementation system based on CAAS |
-
2019
- 2019-05-22 CN CN201910429966.XA patent/CN111988263B/en active Active
-
2020
- 2020-03-13 WO PCT/CN2020/079320 patent/WO2020233205A1/en active Application Filing
Non-Patent Citations (1)
Title |
---|
LI, FEI ET AL.: "Network Functions Virtualisation (NFV); Trust; Report on Certificate Management", ETSI DRAFT; ETSI GR NFV-SEC 005, no. V1.1.1, 16 January 2019 (2019-01-16), pages 1 - 38, XP014338106 * |
Also Published As
Publication number | Publication date |
---|---|
CN111988263B (en) | 2021-07-16 |
CN111988263A (en) | 2020-11-24 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
121 | Ep: the epo has been informed by wipo that ep was designated in this application |
Ref document number: 20809541 Country of ref document: EP Kind code of ref document: A1 |
|
NENP | Non-entry into the national phase |
Ref country code: DE |
|
122 | Ep: pct application non-entry in european phase |
Ref document number: 20809541 Country of ref document: EP Kind code of ref document: A1 |