CN117294649A - Container communication method, device, equipment and medium - Google Patents
- Publication number: CN117294649A (application CN202311270789.8A)
- Authority: CN (China)
- Prior art keywords: container, data packet, target, management node, access
- Legal status: Pending (a status assumed by Google Patents, not a legal conclusion)
Links
- 230000006854 communication Effects 0.000 title claims description 80
- 238000004891 communication Methods 0.000 title claims description 77
- 238000000034 method Methods 0.000 title claims description 55
- 238000012545 processing Methods 0.000 claims description 27
- 238000012795 verification Methods 0.000 claims description 23
- 230000004044 response Effects 0.000 claims description 16
- 238000004590 computer program Methods 0.000 claims description 13
- 238000010586 diagram Methods 0.000 description 21
- 238000002955 isolation Methods 0.000 description 13
- 230000008569 process Effects 0.000 description 9
- 230000005540 biological transmission Effects 0.000 description 4
- 230000006870 function Effects 0.000 description 4
- 238000012986 modification Methods 0.000 description 3
- 230000004048 modification Effects 0.000 description 3
- 101100491335 Caenorhabditis elegans mat-2 gene Proteins 0.000 description 2
- 238000001914 filtration Methods 0.000 description 2
- 230000002093 peripheral effect Effects 0.000 description 2
- 102100033121 Transcription factor 21 Human genes 0.000 description 1
- 238000003491 array Methods 0.000 description 1
- 238000012217 deletion Methods 0.000 description 1
- 230000037430 deletion Effects 0.000 description 1
- 238000005516 engineering process Methods 0.000 description 1
- 238000000802 evaporation-induced self-assembly Methods 0.000 description 1
- 230000003993 interaction Effects 0.000 description 1
- 238000004519 manufacturing process Methods 0.000 description 1
- 238000012544 monitoring process Methods 0.000 description 1
- 230000003287 optical effect Effects 0.000 description 1
- 238000012502 risk assessment Methods 0.000 description 1
- 101150109289 tcf21 gene Proteins 0.000 description 1
Classifications
- H04L45/76: Routing in software-defined topologies, e.g. routing between virtual machines (under H04L45/00, routing or path finding of packets in data switching networks)
- H04L45/34: Source routing
- H04L67/146: Markers for unambiguous identification of a particular session, e.g. session cookie or URL-encoding (under H04L67/14, session management)
- H04L67/63: Routing a service request depending on the request content or context (under H04L67/60, scheduling or organising the servicing of application requests)
- Y02D30/70: Reducing energy consumption in wireless communication networks (under Y02D30/00, reducing energy consumption in communication networks)
Abstract
In the embodiments of this application, a worker node does not delete the network inside each container. Instead, the access connection relation between two containers that have communicated is stored in a management node, so that when those containers communicate again the access path can be obtained from the stored relation and the data packet sent to the target container along that path. Because the historical access connection relation is kept at the management node when containers access each other, a second access does not need to be authenticated again, which makes access both safer and more efficient.
Description
Technical Field
The present disclosure relates to the field of communications technology, and in particular to a container communication method, apparatus, device and medium.
Background
In a cluster network, to implement data exchange between two containers on different worker nodes or on the same worker node, the related art may have the worker node on which a container runs delete the container's routing information and network information, so that the containers exchange data through a communication channel the worker node creates itself.
However, this way of communicating between containers tears down each container's own network and rebuilds a network in its place, which consumes more resources and makes communication between containers slower.
Disclosure of Invention
This application provides a container communication method, apparatus, device and medium to address the high resource consumption and long latency of container communication in the related art.
In a first aspect, an embodiment of this application provides a container communication method applied to a worker node, the method comprising:
identifying that a local container has a data packet to send to a target container;
sending to a management node an acquisition request for the access connection relation between the container and the target container and, if the management node returns the access connection relation, determining that data packets have previously been exchanged between the container and the target container, the access connection relation carrying an access path from the container to the target container; and
sending the data packet to the target container along the access path carried in the access connection relation.
In a second aspect, embodiments of this application further provide a container communication apparatus applied to a worker node, the apparatus comprising:
a processing module for identifying that a local container has a data packet to send to a target container; sending to a management node an acquisition request for the access connection relation between the container and the target container and, if the management node returns the access connection relation, determining that data packets have previously been exchanged between the container and the target container, the access connection relation carrying an access path from the container to the target container; and
a communication module for sending the data packet to the target container along the access path carried in the access connection relation.
In a third aspect, embodiments of this application provide an electronic device comprising a processor configured to implement the steps of any of the container communication methods described above when executing a computer program stored in a memory.
In a fourth aspect, embodiments of this application provide a computer-readable storage medium storing a computer program which, when executed by a processor, implements the steps of any of the container communication methods described above.
In the embodiments of this application, the worker node identifies that a local container has a data packet to send to a target container; it sends the management node an acquisition request for the access connection relation between the container and the target container and, if the management node returns that relation, determines that data packets have previously been exchanged between the two containers, the relation carrying an access path from the container to the target container; and it sends the data packet to the target container along that path. The worker node does not delete the network inside each container; instead, the access connection relation between the two communicating containers is stored in the management node, so that on later communication between the containers the access path can be obtained from the relation and the data packet sent to the target container along it.
Drawings
To illustrate the technical solutions of this application more clearly, the drawings needed to describe the embodiments are briefly introduced below. The drawings described here show only some embodiments of this application; a person skilled in the art could derive other drawings from them without inventive effort.
Fig. 1 is a schematic diagram of a container communication process according to an embodiment of this application;
Fig. 2 is a schematic diagram of a cluster network according to an embodiment of this application;
Fig. 3 is a schematic structural diagram of a micro-isolation client according to an embodiment of this application;
Fig. 4 is a workflow diagram of the micro-isolation client when no access connection relation exists, according to an embodiment of this application;
Fig. 5 is a schematic diagram of a data packet after repackaging according to an embodiment of this application;
Fig. 6 is a schematic diagram of lifecycle management according to an embodiment of this application;
Fig. 7 is a flow chart of a container data exchange according to an embodiment of this application;
Fig. 8 is a schematic structural diagram of a container communication apparatus according to an embodiment of this application;
Fig. 9 is a schematic structural diagram of an electronic device according to an embodiment of this application.
Detailed Description
For the purposes of making the objects, technical solutions and advantages of the present application more apparent, the present application will be described in further detail below with reference to the accompanying drawings, wherein it is apparent that the described embodiments are only some, but not all, of the embodiments of the present application. All other embodiments, which can be made by one of ordinary skill in the art without undue burden from the present disclosure, are within the scope of the present disclosure.
To reduce resource consumption and improve communication reliability, the embodiments of this application provide a container communication method, apparatus, device and medium.
In the embodiments of this application, the worker node identifies that a local container has a data packet to send to a target container; it sends the management node an acquisition request for the access connection relation between the container and the target container and, if the management node returns that relation, determines that data packets have previously been exchanged between the two containers, the relation carrying an access path from the container to the target container; and it sends the data packet to the target container along that path.
Example 1:
Fig. 1 is a schematic diagram of a container communication process according to an embodiment of this application. The process includes:
S101: identifying that a local container has a data packet to send to a target container; sending to a management node an acquisition request for the access connection relation between the container and the target container; and, if the management node returns the access connection relation, determining that data packets have previously been exchanged between the container and the target container, the access connection relation carrying an access path from the container to the target container.
The container communication method provided by the embodiments of this application is applied to a worker node, which may be a PC, a server, another electronic device, and so on.
The method may be deployed in a cluster network comprising a management node and several worker nodes. Each worker node contains a micro-isolation client and at least one deployment unit (pod), and each pod contains at least two containers: a service container and a pause container.
Fig. 2 is a schematic diagram of a cluster network provided in an embodiment of this application. As shown in Fig. 2, the cluster network comprises two worker nodes and a management node. Each worker node contains a micro-isolation client and three pods, pod1, pod2 and pod3, each of which contains two containers, docker1 and docker2. The management node contains a comprehensive security risk analysis module, a container network identifier library and a trusted container access connection relation library.
In the embodiments of this application, the micro-isolation client in the worker node consists of a container network identifier generator, a container trust verification module, a container network identifier manager, a dynamic management module, a data packet filter and a communication module. Through the micro-isolation client the worker node repackages and filters the traffic of trusted containers, avoiding security problems caused by forged or tampered data packets, and isolates, deletes or otherwise handles untrusted containers. The modules are described as follows:
the container trust verification module verifies whether a newly added local container is trusted;
the container network identifier generator generates the container network identifier of each container in the cluster network, each container network identifier being unique;
the container network identifier manager manages the container network identifiers of the worker node on which it runs;
the data packet filter filters data packets;
the dynamic management module (also called the dynamic adjustment module on this page) monitors the starting and exiting of containers;
the communication module handles communication between the micro-isolation client and the management node.
Fig. 3 is a schematic structural diagram of a micro-isolation client according to an embodiment of this application. As shown in Fig. 3, the worker node contains the micro-isolation client, pod2, pod3 and a network card; the micro-isolation client contains the container network identifier generator, container trust verification module, container network identifier manager, dynamic management module, data packet filter and communication module.
On this basis, when a container needs to communicate with a target container, that is, when the worker node identifies that the container has a data packet to send to the target container, the worker node may send the management node an acquisition request for the access connection relation between the container and the target container. The target container may be on the same worker node as the container or on a different one; this is not limited here. The access connection relation carries the access path from the container to the target container, along which the container can send the data packet.
Specifically, if the worker node identifies that a local container has a data packet to send to a target container, it sends the management node an acquisition request for the access connection relation between the two. On receiving the request, the management node searches its local trusted container access connection relation library. If the relation is found, the container and the target container have communicated before and that earlier exchange was trusted, so the management node returns the relation to the worker node and the container can transmit data along it without a second verification, which improves transmission efficiency.
Because the historical access connection relation is saved when containers access each other, a second access needs no second security authentication, making access safer and more efficient.
To simplify management by the management node, the container network identifier generator of the worker node's micro-isolation client may assign a container network identifier to each local container and store each container's identifier both in the container network identifier manager and in the container network identifier library of the management node; every container receives a different identifier.
When the worker node sends the acquisition request, it may therefore read the container's network identifier from the container network identifier manager and send the management node that identifier together with a communication request naming the target container, so that the management node can determine the access connection relation from the identifier and the communication request.
On receiving an acquisition request carrying a container network identifier and a communication request, the management node reads the target communication address of the target container from the communication request and looks up the corresponding target container network identifier in its local container network identifier library. It then searches the local trusted container access connection relation library for the relation between the target container network identifier and the container network identifier. If the relation is found, data packets have been exchanged between the container and the target container before, and the management node returns the relation to the worker node.
S102: and sending the data packet to the target container according to the access path carried in the access connection relation.
In the embodiments of this application, the network card of the worker node may send the data packet to the target container along the access path carried in the access connection relation.
In the embodiment of the application, the working node does not delete the network inside each container, but stores the access connection relation of the two communicated containers in the management node, so that the access path can be acquired based on the access connection relation when the subsequent communication between the containers is performed, and the data packet is sent to the target container according to the access path.
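The control-plane exchange of S101 and S102 can be modelled as follows. This is an added illustration written for this page, not the patent's own code: the class and field names, the addresses, identifiers and the hop list used as an access path are assumptions, and purging relations when an identifier is deleted is an added precaution the page does not describe.

```python
"""Control-plane model of S101/S102: acquisition request, relation lookup, send.

Added illustration for this page; not the patent's code. Names, addresses,
identifiers and the hop list used as an access path are assumptions.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class ManagementNode:
    # container network identifier library: communication address -> identifier
    id_library: dict = field(default_factory=dict)
    # trusted container access connection relation library:
    # (source identifier, target identifier) -> access path (list of hops)
    relations: dict = field(default_factory=dict)

    def handle_acquire_request(self, src_cnid: int, target_address: str) -> Optional[dict]:
        """Resolve the target's identifier from its address, then look the pair up.
        None is the 'no access connection relation' response that makes the
        worker node fall back to the tagged first-contact exchange (Example 2)."""
        dst_cnid = self.id_library.get(target_address)
        if dst_cnid is None:
            return None
        path = self.relations.get((src_cnid, dst_cnid))
        if path is None:
            return None
        return {"source": src_cnid, "target": dst_cnid, "path": list(path)}

    def record_relation(self, src_cnid: int, dst_cnid: int, path) -> None:
        """Store the relation once a first exchange has passed verification."""
        self.relations[(src_cnid, dst_cnid)] = list(path)

    def remove_identifier(self, address: str) -> None:
        """Handle a worker node's delete instruction (Example 3). Dropping the
        relations that name the identifier is an assumption of this example:
        it keeps stale trust out of the library once the container is gone."""
        cnid = self.id_library.pop(address, None)
        if cnid is not None:
            self.relations = {k: v for k, v in self.relations.items() if cnid not in k}


@dataclass
class WorkerNode:
    mgmt: ManagementNode
    id_manager: dict = field(default_factory=dict)  # local container -> identifier
    log: list = field(default_factory=list)          # (container, target, path or None)

    def send(self, container: str, target_address: str) -> bool:
        """S101: ask the management node for the relation. S102: if it exists,
        send along the cached path. Returns True when the cached path was used
        and False when the relation must first be established (Example 2)."""
        relation = self.mgmt.handle_acquire_request(self.id_manager[container], target_address)
        path = None if relation is None else relation["path"]
        self.log.append((container, target_address, path))
        return path is not None


def demo() -> tuple:
    """Constructed scenario: first contact, cached second contact, target removed."""
    mgmt = ManagementNode()
    mgmt.id_library.update({"10.244.1.5": 0x11111111, "10.244.2.7": 0x22222222})
    node1 = WorkerNode(mgmt, {"pod1/docker1": 0x11111111})
    first = node1.send("pod1/docker1", "10.244.2.7")        # no relation yet
    mgmt.record_relation(0x11111111, 0x22222222,
                         ["node1:pod1/docker1", "vxlan", "node2:pod1/docker1"])
    second = node1.send("pod1/docker1", "10.244.2.7")       # relation found, no re-auth
    mgmt.remove_identifier("10.244.2.7")                    # target container exited
    third = node1.send("pod1/docker1", "10.244.2.7")        # identifier gone: no relation
    return first, second, third


if __name__ == "__main__":
    print(demo())
```

The point a practitioner should take from the model is that the relation library is the trust anchor for every repeat access: once a pair is recorded, no further authentication happens, so the entries must be removed as soon as either container exits, which is why `remove_identifier` also drops the relations in this example.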
Example 2:
To reduce resource consumption and improve communication reliability, on the basis of the above embodiments the method further includes:
if a response from the management node indicates that no access connection relation exists, writing the container network identifier into a preset position of the data packet; and
determining a path from the container to the target container from the stored routing table and the target communication address of the target container carried in the data packet, and transmitting the data packet to the target container along that path, so that the target container can verify the data packet by the container network identifier it carries.
In the embodiments of this application, if the worker node receives a response from the management node indicating that no access connection relation exists, the container establishes an access connection relation with the target container.
Specifically, if the worker node determines that the response indicates the container and the target container have not communicated before, it writes the container network identifier into a preset position of the data packet, determines a path from the container to the target container from the stored routing table and the target communication address carried in the data packet, and transmits the data packet along that path, so that the target container can verify the packet by the container network identifier it carries.
Writing the container network identifier into the preset position of the data packet may be done inside the container, and the data packet filter of the worker node can then check the packet written by the container against the container network identifier, which improves the security of the data packet.
Specifically, when containers access each other and the worker node determines that no access connection relation exists, the micro-isolation client of the worker node binds the data packet to be sent by the container in overlay network mode on the basis of the Linux Traffic Control (TC) framework, so that the packet is forwarded securely. The steps are: the container network identifier manager of the micro-isolation client sends the container's network identifier to the data packet filter and to the container; the container network identifier generator is copied into the container, and the copy binds the container's network identifier to the data packet by attaching the identifier to the SKB; the packet reaches the overlay network and is encapsulated in VXLAN and host UDP; the packet reaches the data packet filter, which checks it against the container network identifier it received to determine which container the packet came from, avoiding security problems caused by forged or tampered packets.
Linux provides a rich set of tools for managing and manipulating packet transmission. The most widely used is the Traffic Control (TC) framework, part of the Linux kernel since the 2.2.x series, which provides network flow control and isolation for processes, process groups and virtual machines and consists of three kinds of component: queueing disciplines (qdiscs), classes and filters. The kernel's packet control information structure is the socket buffer (struct sk_buff, abbreviated SKB), which holds all information related to controlling a packet.
Fig. 4 is a workflow diagram of the micro-isolation client when no access connection relation exists, provided in an embodiment of this application. As shown in Fig. 4, the flow includes:
(1) The container network identifier manager sends the container's network identifier to the data packet filter and to the container.
(2) The container network identifier generator is copied into the container, and the copy binds the container's network identifier to the data packet by attaching the identifier to the SKB.
(3) The packet reaches the overlay network and is encapsulated in VXLAN and host UDP.
(4) The encapsulated packet is sent to the data packet filter.
(5) The data packet filter checks the packet against the container network identifier it received.
(6) If the packet passes the check, the data packet filter sends it to the network card, which delivers it to the target container.
To keep the stored information constant and independent after the packet crosses network namespaces, the worker node in the embodiments of this application marks the container network identifier as a member variable of the SKB.
Fig. 5 is a schematic diagram of a data packet after repackaging according to an embodiment of this application. As shown in Fig. 5, the packet (an sk_buff) consists of a head, data, tail and end. The head comprises the head room, the host IP header, the host UDP header, the VXLAN header, the container IP header and the container TCP header; the data comprises the container network identifier and the actual data; the tail comprises the tail room.
Example 3:
To reduce resource consumption and improve communication reliability, in the embodiments of this application the container network identifier is generated as follows:
if it is identified that a container has been created, obtain the container's ID, label and image path; and
perform trust verification of the container on the basis of its image path; if verification passes, process the container ID, label and image path with a hash algorithm to obtain an identifier of preset length, and use that identifier as the container network identifier.
In the embodiments of this application, the dynamic management module in the worker node's micro-isolation client mainly monitors the starting and exiting of containers. When a trusted container is added, the dynamic management module invokes the container network identifier generator for it, so that the generator obtains the container's ID, label and image path, performs trust verification on the basis of the image path and, if verification passes, hashes the container ID, label and image path into an identifier of preset length, which becomes the container network identifier.
Since TC component identifiers (handles) are 32 bits wide, the container network identifier uses the same format for better compatibility with TC, so the preset length is typically 32 bits.
It should be noted that, in the embodiments of this application, when a container is identified as created, the container trust verification module in the worker node's micro-isolation client first performs trust verification on the newly added container before its container network identifier is generated; only if verification passes does identifier generation proceed. The trust verification module may verify the container by its image path, among other means, which is not elaborated here.
To simplify container management, on the basis of the above embodiments the method further includes:
sending the container network identifier to the management node so that the management node stores it.
In the embodiments of this application, after the container network identifier generator generates a container's network identifier, the dynamic management module hands the identifier to the container network identifier manager for management.
To simplify container management, on the basis of the above embodiments the method further includes:
if it is identified that a container has been deleted, deleting the stored container network identifier and sending the management node a delete instruction for that identifier.
In the embodiments of this application, the dynamic management module also monitors containers for exit; when a container exits, it notifies the container network identifier manager to delete that container's network identifier and notifies the container network identifier library of the management node to delete it as well.
Fig. 6 is a schematic diagram of lifecycle management provided in an embodiment of this application. As shown in Fig. 6, the dynamic management module monitors the containers. If it detects that a container has been deleted, the micro-isolation client deletes the deleted container's network identifier from the container network identifier manager, and the dynamic management module notifies the container network identifier library of the management node to delete it. If it detects a newly added container, it invokes the container trust verification module to verify the new container; if verification passes, it invokes the container network identifier generator to generate the new container's network identifier and submits it to the container network identifier manager and to the container network identifier library of the management node.
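The identifier lifecycle of Example 3 and Fig. 6 (trust verification, hashing to a 32-bit identifier, registration with the identifier manager and the management node's library, removal on exit) as an added illustration. This is not the patent's code: the page does not name the hash algorithm or say how the image path is verified, so SHA-256, a digest-pinned allowlist of image references and the retry on identifier collision are assumptions of this example.

```python
"""Container network identifier lifecycle (Example 3, Fig. 6).

Added illustration for this page; not the patent's code. The page does not
name the hash or say how the image path is verified: SHA-256, the
digest-pinned allowlist and the retry on identifier collision are assumptions.
"""
import hashlib
import struct
from dataclasses import dataclass, field
from typing import Optional

IDENT_BITS = 32   # preset length, matching the 32-bit TC handle (page, Example 3)

# Constructed allowlist of trusted image paths, pinned by digest rather than by
# tag so that a re-pushed tag cannot pass as a previously verified image.
TRUSTED_IMAGES = {
    "registry.example.internal/web@sha256:" + "a" * 64,
    "registry.example.internal/db@sha256:" + "b" * 64,
}


def verify_trusted(image_path: str) -> bool:
    """Container trust verification by image path (the allowlist is an assumption)."""
    return image_path in TRUSTED_IMAGES


def generate_cnid(container_id: str, label: str, image_path: str, salt: int = 0) -> int:
    """Hash ID, label and image path; keep IDENT_BITS. `salt` is raised on collision."""
    h = hashlib.sha256()
    for part in (container_id, label, image_path, str(salt)):
        h.update(part.encode())
        h.update(b"\x00")                      # separator: "ab"+"c" must differ from "a"+"bc"
    (value,) = struct.unpack(">I", h.digest()[:4])
    return value & ((1 << IDENT_BITS) - 1)


@dataclass
class MicroIsolationClient:
    """Dynamic management module driving the identifier generator and manager."""
    mgmt_library: dict                                  # management node's identifier library
    id_manager: dict = field(default_factory=dict)      # local container ID -> identifier

    def on_container_start(self, container_id: str, label: str, image_path: str) -> Optional[int]:
        """Fig. 6, new container: verify, generate, register locally and at the management node."""
        if not verify_trusted(image_path):
            return None                                 # untrusted: isolated, no identifier issued
        salt = 0
        cnid = generate_cnid(container_id, label, image_path, salt)
        while cnid in self.mgmt_library.values():       # identifiers must be unique cluster-wide
            salt += 1
            cnid = generate_cnid(container_id, label, image_path, salt)
        self.id_manager[container_id] = cnid
        self.mgmt_library[container_id] = cnid          # submitted to the management node
        return cnid

    def on_container_exit(self, container_id: str) -> None:
        """Fig. 6, deleted container: drop the identifier locally and send the delete instruction."""
        self.id_manager.pop(container_id, None)
        self.mgmt_library.pop(container_id, None)
```

With only 32 bits kept from the digest, two live containers can hash to the same value once the cluster holds tens of thousands of them, so the generator checks the management node's library and re-hashes with a salt rather than trusting the truncated hash to be unique on its own.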
Example 4:
In order to reduce resource consumption and improve communication reliability, on the basis of the above embodiments, in an embodiment of the present application the method further includes:
receiving, from the management node, a first other container network identifier of another container that requests communication with the container;
receiving another data packet sent by the other container, and parsing a second other container network identifier from that data packet;
and if the first other container network identifier is consistent with the second other container network identifier, processing the other data packet.
In this embodiment, the container may also act as the receiving party for data packets sent by other containers.
Specifically, the working node receives from the management node the first other container network identifier of the other container that requests to communicate with the container; the working node receives the other data packet sent by the other container and parses the second other container network identifier from it; and if the first and second other container network identifiers are consistent, the working node processes the other data packet.
In this embodiment, while receiving the first other container network identifier from the management node, the working node may also receive an unpacking rule sent by the management node; the working node stores both the first other container network identifier and the unpacking rule. After receiving the other data packet, the working node parses it according to the unpacking rule.
Example 5:
In order to reduce resource consumption and improve communication reliability, on the basis of the above embodiments, in an embodiment of the present application the method further includes:
determining a second access path according to the communication address of the other container and the stored routing table;
and sending response information to the other container through the second access path, and sending the access path to the management node so that the management node stores the access path, the container and the other container in correspondence.
In this embodiment, after the container receives the other data packet sent by the other container and determines that it is safe, the container sends a response to the other container, so that the two containers can communicate.
Specifically, the container determines the second access path according to the communication address of the other container and the stored routing table; the container sends response information to the other container through the second access path, and sends the access path to the management node, which stores the access path, the container and the other container in correspondence.
Fig. 7 is a flow chart of container data exchange provided in an embodiment of the present application. As shown in Fig. 7, the container acting as data sender requests from the management node the access connection relationship with the communicating container (the data receiver). If the management node determines that no access connection relationship exists, it sends response information stating that the relationship does not exist to the data sender and sends an unpacking rule to the data receiver. After receiving that response, the data sender obtains its own container network identifier from the node's container network identifier manager, attaches the identifier to the data packet, and sends the repackaged data packet to the data receiver. The data receiver checks the data packet; if the check passes, the data receiver submits the access connection relationship to the management node, after which the data receiver and data sender exchange data packets through that access connection relationship. If the management node determines that the access connection relationship already exists, it sends the relationship to the data sender, which sends the data packet according to it.
The patent proposes a container communication method: first, a newly added container is subjected to credibility verification, then a container network identifier is generated for the container and submitted to the container network identifier library of the management node. When containers access each other, if an access connection relationship already exists between the two communicating containers, data is transmitted over the data link corresponding to that relationship; if no access connection relationship exists, the data sender first obtains its own container network identifier before sending the data packet, binds the identifier to the data packet, and sends them together. After receiving the data packet, the data receiver verifies it using the container network identifier carried in the packet; once the packet passes verification, the data receiver submits the access connection relationship to the trusted container access connection relationship library of the management node, thereby realizing trusted container communication.
In the embodiment of the application, when containers access each other, the historical access connection relationship is stored in the management node, and a subsequent access does not need to be authenticated again, which makes access both safer and more efficient. Security authentication is performed at the level of the container data packet: the container network identifier of the container is bound to the data packets that container sends, which enables filtering and secure forwarding of data packets and avoids some of the security problems caused by forged and tampered data packets.
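The flow summarised above (trust-checked identifier generation, first-contact tagging and verification, caching of the access connection relationship, and withdrawal on deletion) as an added, runnable model; this is example code, not the patent's implementation. The hash algorithm, the 32-character identifier length, the trust check as a set of trusted image paths, the header field used as the "preset position", and all container names, IDs and addresses are assumptions.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

ID_LENGTH = 32  # the "preset length" of a container network identifier (hex chars); assumed


class TrustCheckFailed(Exception):
    """Raised when a container's image path fails credibility verification."""


def generate_network_id(container_id: str, label: str, image_path: str,
                        trusted_images: Set[str]) -> str:
    """Credibility check on the image path, then hash (ID, label, image path) to ID_LENGTH.
    The patent fixes neither the check nor the hash; SHA-256 and the separator are assumed."""
    if image_path not in trusted_images:
        raise TrustCheckFailed(image_path)
    material = "\x1f".join((container_id, label, image_path)).encode()
    return hashlib.sha256(material).hexdigest()[:ID_LENGTH]


@dataclass
class Packet:
    src: str                      # sending container
    dst: str                      # target container
    payload: bytes
    net_id: Optional[str] = None  # the "preset position" for the identifier: a header field here


class ManagementNode:
    """Container network identifier library plus trusted access connection relationship library."""

    def __init__(self) -> None:
        self.id_library: Dict[str, str] = {}               # container -> network identifier
        self.node_of: Dict[str, "WorkingNode"] = {}        # container -> hosting working node
        self.connections: Dict[Tuple[str, str], str] = {}  # (src, dst) -> access path

    def register(self, name: str, net_id: str, node: "WorkingNode") -> None:
        self.id_library[name] = net_id
        self.node_of[name] = node

    def deregister(self, name: str) -> None:
        """Deletion instruction: drop the identifier and every relationship or expectation naming it."""
        self.id_library.pop(name, None)
        self.node_of.pop(name, None)
        self.connections = {k: v for k, v in self.connections.items() if name not in k}
        for node in self.node_of.values():
            node.expected_peer = {k: v for k, v in node.expected_peer.items() if name not in k}

    def request_connection(self, src: str, dst: str) -> Optional[str]:
        """Sender's acquisition request. On a miss, tell the receiver which identifier to expect."""
        path = self.connections.get((src, dst))
        if path is None:
            self.node_of[dst].expected_peer[(src, dst)] = self.id_library[src]
        return path


class WorkingNode:
    def __init__(self, mgmt: ManagementNode, routing_table: Dict[str, str]) -> None:
        self.mgmt = mgmt
        self.routes = routing_table                          # peer container -> access path
        self.local_ids: Dict[str, str] = {}                  # the node's identifier manager
        self.expected_peer: Dict[Tuple[str, str], str] = {}  # "first other container network identifier"

    def add_container(self, name, container_id, label, image_path, trusted_images) -> str:
        net_id = generate_network_id(container_id, label, image_path, trusted_images)
        self.local_ids[name] = net_id
        self.mgmt.register(name, net_id, self)
        return net_id

    def delete_container(self, name: str) -> None:
        self.local_ids.pop(name, None)
        self.mgmt.deregister(name)

    def send(self, src: str, dst: str, payload: bytes) -> Packet:
        """Data sender: an existing relationship is reused untagged; first contact is tagged."""
        if self.mgmt.request_connection(src, dst) is not None:
            return Packet(src, dst, payload)
        return Packet(src, dst, payload, net_id=self.local_ids[src])

    def receive(self, pkt: Packet) -> bool:
        """Data receiver: accept an established relationship, otherwise verify the identifier."""
        if self.mgmt.connections.get((pkt.src, pkt.dst)) is not None:
            return True
        expected = self.expected_peer.get((pkt.src, pkt.dst))
        if expected is None or pkt.net_id is None:
            return False  # nobody announced this peer, or the packet carries no identifier
        # The identifier is a hash of container attributes rather than a shared secret, so the
        # check's strength rests on the management node being the only source of expectations.
        if not hmac.compare_digest(expected, pkt.net_id):
            return False  # forged or tampered identifier: drop
        self.mgmt.connections[(pkt.src, pkt.dst)] = self.routes[pkt.src]  # the second access path
        return True


def demo() -> Dict[str, bool]:
    """Constructed scenario: two working nodes, one container each, first contact then reuse."""
    trusted = {"registry.example/web:1.0", "registry.example/db:2.1"}
    mgmt = ManagementNode()
    node_a = WorkingNode(mgmt, {"db": "10.0.2.5 via veth1"})
    node_b = WorkingNode(mgmt, {"web": "10.0.1.7 via veth0"})
    web_id = node_a.add_container("web", "c1", "frontend", "registry.example/web:1.0", trusted)
    node_b.add_container("db", "c2", "backend", "registry.example/db:2.1", trusted)
    out = {}
    first = node_a.send("web", "db", b"SELECT 1")            # no relationship yet: tagged
    out["first_tagged"] = first.net_id == web_id
    forged = Packet("web", "db", b"DROP", net_id="0" * ID_LENGTH)
    out["forged_rejected"] = not node_b.receive(forged)
    out["first_accepted"] = node_b.receive(first)             # relationship now stored on mgmt
    second = node_a.send("web", "db", b"SELECT 2")           # relationship exists: no re-auth
    out["reuse_untagged"] = second.net_id is None and node_b.receive(second)
    node_a.delete_container("web")                           # lifecycle: identifier withdrawn
    replay = Packet("web", "db", b"SELECT 3", net_id=web_id)
    out["stale_rejected"] = not node_b.receive(replay)
    return out
```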
Example 6:
On the basis of the foregoing embodiments, Fig. 8 is a schematic structural diagram of a container communication device according to an embodiment of the present application, where the device includes:
a processing module 801, configured to identify that any local container has a data packet to be sent to a target container; send to a management node an acquisition request for the access connection relationship between the container and the target container; and, if the access connection relationship sent by the management node is received, determine that a data packet has previously been sent between the container and the target container, where the access connection relationship carries the access path from the container to the target container;
and a communication module 802, configured to send the data packet to the target container according to the access path carried in the access connection relationship.
In a possible implementation, the processing module 801 is further configured to write the container network identifier to a preset position in the data packet if response information stating that no access connection relationship exists is received from the management node;
the communication module 802 is further configured to determine a path from the container to the target container according to the stored routing table and the target communication address of the target container carried in the data packet, and to send the data packet to the target container over that path, so that the target container verifies the data packet according to the container network identifier carried in it.
In a possible implementation, the processing module 801 is specifically configured to obtain the container ID, container label and container image path of the container if the container is identified as having been created; to perform credibility verification on the container according to the container image path; and, if the verification passes, to process the container ID, container label and container image path with a hash algorithm to obtain an identifier of a preset length, and to determine that identifier as the container network identifier.
In a possible implementation, the processing module 801 is further configured to send the container network identifier to the management node, so that the management node stores it.
In a possible implementation, the processing module 801 is further configured to delete the stored container network identifier if the container is identified as having been deleted, and to send a deletion instruction for that container network identifier to the management node.
In a possible implementation, the communication module 802 is further configured to receive, from the management node, a first other container network identifier of another container that requests to communicate with the container, and to receive another data packet sent by the other container;
the processing module 801 is further configured to parse a second other container network identifier from the other data packet, and to process the other data packet if the first other container network identifier is consistent with the second other container network identifier.
In a possible implementation, the processing module 801 is further configured to determine a second access path according to the communication address of the other container and the stored routing table;
the communication module 802 is further configured to send response information to the other container through the second access path, and to send the access path to the management node, so that the management node stores the access path, the container and the other container in correspondence.
Example 7:
On the basis of the foregoing embodiments, an embodiment of the present application further provides an electronic device. Fig. 9 is a schematic structural diagram of the electronic device provided in the embodiment of the present application; as shown in Fig. 9, it includes a processor 91, a communication interface 92, a memory 93 and a communication bus 94, where the processor 91, the communication interface 92 and the memory 93 communicate with one another through the communication bus 94;
the memory 93 stores a computer program which, when executed by the processor 91, causes the processor 91 to perform the steps of:
identifying that any local container has a data packet to be sent to a target container;
sending to a management node an acquisition request for the access connection relationship between the container and the target container, and, if the access connection relationship sent by the management node is received, determining that a data packet has previously been sent between the container and the target container, where the access connection relationship carries the access path from the container to the target container;
and sending the data packet to the target container according to the access path carried in the access connection relation.
In one possible implementation, the processor is further configured to:
if response information stating that no access connection relationship exists is received from the management node, writing the container network identifier to a preset position in the data packet;
and determining a path from the container to the target container according to the stored routing table and the target communication address of the target container carried in the data packet, and transmitting the data packet to the target container over that path, so that the target container verifies the data packet according to the container network identifier carried in it.
In one possible implementation, the processor is further configured to:
if the container is identified as having been created, obtaining the container ID, container label and container image path of the container;
and performing credibility verification on the container according to the container image path; if the verification passes, processing the container ID, container label and container image path with a hash algorithm to obtain an identifier of a preset length, and determining that identifier as the container network identifier.
In one possible implementation, the processor is further configured to:
and sending the container network identification to the management node so that the management node stores the container network identification.
In one possible implementation, the processor is further configured to:
and if the container is identified to be deleted, deleting the stored container network identifier, and sending a deleting instruction for deleting the container network identifier to the management node.
In one possible implementation, the processor is further configured to:
receiving, from the management node, a first other container network identifier of another container that requests communication with the container;
receiving another data packet sent by the other container, and parsing a second other container network identifier from that data packet;
and if the first other container network identifier is consistent with the second other container network identifier, processing the other data packet.
In one possible implementation, the processor is further configured to:
determining a second access path according to the communication address of the other container and the stored routing table;
and sending response information to the other container through the second access path, and sending the access path to the management node so that the management node stores the access path, the container and the other container in correspondence.
Since the principle by which the electronic device solves the problem is similar to that of the container communication method, the implementation of the electronic device may refer to the method embodiments, and the repetition is omitted.
The communication bus of the electronic device mentioned above may be a Peripheral Component Interconnect (PCI) bus or an Extended Industry Standard Architecture (EISA) bus, among others. The communication bus may be divided into an address bus, a data bus, a control bus and so on. For ease of illustration the figures show only one bold line, but this does not mean there is only one bus or only one type of bus. The communication interface 92 is used for communication between the electronic device and other devices. The memory may include random access memory (RAM) or non-volatile memory (NVM), such as at least one disk memory. Optionally, the memory may also be at least one storage device located remotely from the processor.
The processor may be a general-purpose processor, including a central processing unit, a network processor (NP) and the like; it may also be a digital signal processor (DSP), an application-specific integrated circuit, a field-programmable gate array or other programmable logic device, a discrete gate or transistor logic device, a discrete hardware component, and so on.
Example 8:
On the basis of the above embodiments, the embodiments of the present invention further provide a computer-readable storage medium storing a computer program executable by a processor which, when executed on the processor, causes the processor to perform the steps of:
identifying that any local container has a data packet to be sent to a target container;
sending to a management node an acquisition request for the access connection relationship between the container and the target container, and, if the access connection relationship sent by the management node is received, determining that a data packet has previously been sent between the container and the target container, where the access connection relationship carries the access path from the container to the target container;
and sending the data packet to the target container according to the access path carried in the access connection relationship.
In one possible embodiment, the method further comprises:
if response information stating that no access connection relationship exists is received from the management node, writing the container network identifier to a preset position in the data packet;
and determining a path from the container to the target container according to the stored routing table and the target communication address of the target container carried in the data packet, and transmitting the data packet to the target container over that path, so that the target container verifies the data packet according to the container network identifier carried in it.
In one possible implementation manner, the generating process of the container network identifier includes:
if the container is identified as having been created, obtaining the container ID, container label and container image path of the container;
and performing credibility verification on the container according to the container image path; if the verification passes, processing the container ID, container label and container image path with a hash algorithm to obtain an identifier of a preset length, and determining that identifier as the container network identifier.
In one possible embodiment, the method further comprises:
and sending the container network identification to the management node so that the management node stores the container network identification.
In one possible embodiment, the method further comprises:
and if the container is identified as having been deleted, deleting the stored container network identifier and sending a deletion instruction for that container network identifier to the management node.
In one possible embodiment, the method further comprises:
receiving, from the management node, a first other container network identifier of another container that requests communication with the container;
receiving another data packet sent by the other container, and parsing a second other container network identifier from that data packet;
and if the first other container network identifier is consistent with the second other container network identifier, processing the other data packet.
In one possible embodiment, the method further comprises:
determining a second access path according to the communication address of the other container and the stored routing table;
and sending response information to the other container through the second access path, and sending the access path to the management node so that the management node stores the access path, the container and the other container in correspondence.
Since the principle by which the computer-readable storage medium solves the problem is similar to that of the container communication method, the implementation of the computer-readable storage medium may refer to the method embodiments, and the repetition is omitted.
It will be appreciated by those skilled in the art that embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems) and computer program products according to the application. It will be understood that each flow and/or block of the flowchart illustrations and/or block diagrams, and combinations of flows and/or blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
It will be apparent to those skilled in the art that various modifications and variations can be made in the present application without departing from the spirit or scope of the application. Thus, if such modifications and variations of the present application fall within the scope of the claims and the equivalents thereof, the present application is intended to cover such modifications and variations.
Claims (10)
1. A method of container communication, for application to a working node, the method comprising:
identifying that any local container has a data packet to be sent to a target container;
sending to a management node an acquisition request for the access connection relationship between the container and the target container, and, if the access connection relationship sent by the management node is received, determining that a data packet has previously been sent between the container and the target container, wherein the access connection relationship carries the access path from the container to the target container;
and sending the data packet to the target container according to the access path carried in the access connection relation.
2. The method according to claim 1, wherein the method further comprises:
if response information stating that no access connection relationship exists is received from the management node, writing the container network identifier to a preset position in the data packet;
and determining a path from the container to the target container according to the stored routing table and the target communication address of the target container carried in the data packet, and transmitting the data packet to the target container over that path, so that the target container verifies the data packet according to the container network identifier carried in it.
3. The method of claim 1, wherein the generating of the container network identification comprises:
if the container is identified as having been created, obtaining the container ID, container label and container image path of the container;
and performing credibility verification on the container according to the container image path; if the verification passes, processing the container ID, container label and container image path with a hash algorithm to obtain an identifier of a preset length, and determining that identifier as the container network identifier.
4. A method according to claim 3, characterized in that the method further comprises:
and sending the container network identification to the management node so that the management node stores the container network identification.
5. The method according to claim 4, wherein the method further comprises:
and if the container is identified as having been deleted, deleting the stored container network identifier and sending a deletion instruction for that container network identifier to the management node.
6. The method according to claim 1, wherein the method further comprises:
receiving, from the management node, a first other container network identifier of another container that requests communication with the container;
receiving another data packet sent by the other container, and parsing a second other container network identifier from that data packet;
and if the first other container network identifier is consistent with the second other container network identifier, processing the other data packet.
7. The method of claim 6, wherein the method further comprises:
determining a second access path according to the communication address of the other container and the stored routing table;
and sending response information to the other container through the second access path, and sending the access path to the management node so that the management node stores the access path, the container and the other container in correspondence.
8. A container communication device for application to a working node, the device comprising:
a processing module, configured to identify that any local container has a data packet to be sent to a target container; send to a management node an acquisition request for the access connection relationship between the container and the target container; and, if the access connection relationship sent by the management node is received, determine that a data packet has previously been sent between the container and the target container, wherein the access connection relationship carries the access path from the container to the target container;
and a communication module, configured to send the data packet to the target container according to the access path carried in the access connection relationship.
9. An electronic device comprising a processor for implementing the steps of the container communication method according to any of claims 1-7 when executing a computer program stored in a memory.
10. A computer-readable storage medium, characterized in that it stores a computer program which, when executed by a processor, implements the steps of the container communication method according to any of claims 1-7.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202311270789.8A CN117294649A (en) | 2023-09-27 | 2023-09-27 | Container communication method, device, equipment and medium |
Publications (1)
Publication Number | Publication Date |
---|---|
CN117294649A true CN117294649A (en) | 2023-12-26 |
Family
ID=89251508
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202311270789.8A Pending CN117294649A (en) | 2023-09-27 | 2023-09-27 | Container communication method, device, equipment and medium |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN117294649A (en) |
- 2023-09-27: CN CN202311270789.8A patent/CN117294649A/en active Pending
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |