CN105991738A - Method and system for cross safety domain resource sharing in cloud resource pool - Google Patents


Info

Publication number: CN105991738A
Authority: CN (China)
Prior art keywords: server, resource, network, security, security domain
Legal status: Granted
Application number: CN201510089965.7A
Other languages: Chinese (zh)
Other versions: CN105991738B (en)
Inventors: 何淼, 刘三苏, 梁宇
Current assignee: China Mobile Group Sichuan Co Ltd
Original assignee: China Mobile Group Sichuan Co Ltd

Events:
Application filed by China Mobile Group Sichuan Co Ltd
Priority to CN201510089965.7A
Publication of CN105991738A
Application granted
Publication of CN105991738B
Legal status: Active
Anticipated expiration

Abstract

Translated from Chinese

The invention discloses a method and system for sharing resources across security domains in a cloud resource pool. The method includes: a cloud computing resource management platform configures a resource pool and plans multiple network security domains within the same resource pool; the platform collects data from each network element, including the servers, for performance analysis to obtain the resource requirements; the platform applies a pre-configured server security policy and, according to the resource requirements, dynamically schedules the resources of that same resource pool, dynamically changing the servers' service network settings and network security settings so that servers migrate across security domains within the same resource pool, thereby achieving dynamic resource sharing of servers across security domains.

Description

Translated from Chinese

A method and system for sharing resources across security domains in a cloud resource pool

Technical field

The invention relates to sharing technology, and in particular to a method and system for sharing resources across security domains in a cloud resource pool.

Background

In the course of implementing the technical solutions of the embodiments of this application, the inventors found at least the following technical problems in the related art:

In a network environment with multiple security domains, consolidating the IT infrastructure with mature technology requires improving the flexible sharing of computing resources while the number of servers is greatly reduced, and preserving the original security domain environment as far as possible so as to meet the enterprise's network security requirements. For physical servers that have not been virtualized, the conventional approach is to add as many network cards to the server as possible to meet the access needs of multiple network security domains. Since the NIC expansion capacity of a server is rather limited, the common design methods at present are:

Solution 1. For application systems with relatively high security requirements, security is the primary consideration: an independent resource pool is planned for each security domain, and the pools are built independently. As the structure of independent security domains and resource pools shown in Figure 1 makes clear, one resource pool corresponds to one security domain, which better guarantees the security of the computing resources and the application environment.

Solution 2. For application systems with ordinary security requirements, flexible sharing of computing resources is the primary consideration: the original multiple security domains can be merged into one large security domain, and one large resource pool is planned at the same time. As the structure of the integrated security domain and resource pool shown in Figure 2 makes clear, one large resource pool corresponds to one large security domain, which better achieves flexible sharing and dynamic migration of computing resources.

Analysis of the above solutions shows the shortcoming of the existing technology: when IT infrastructure is consolidated along traditional lines, a choice must be made between security and resource utilization. The "independent security domain and resource pool" approach suits application systems with high security requirements, and the original security specifications can be maintained, but resources cannot be shared between different security domains and resource utilization is relatively low. The "integrated security domain and resource pool" approach suits application systems with ordinary security requirements, and the physical server resources within the pool can be shared to a limited extent, but all applications are deployed in one large security domain, so the security of the application systems is lower than before integration.

If an access scheme of "one resource pool corresponding to multiple security domains" were simply adopted, it would increase the workload and risk of later operation and maintenance. For example, if computing resources need to be moved from security domain 1 to security domain 2, this involves changes to machine room space (preparation and relocation), power, cabling, network configuration updates, system redeployment and so on, and simple manual adjustment of resources in a consolidated, centralized environment is undoubtedly a major risk point.

In summary, the existing cross-security-domain technology can only provide access across security domains; it cannot dynamically migrate physical server resources across security domains, so it is limited by the inability to obtain both security and resource utilization.

Summary of the invention

In view of this, the embodiments of the present invention aim to provide a method and system for sharing resources across security domains in a cloud resource pool, which at least solve the problems of the prior art.

The technical solution of the embodiments of the present invention is realized as follows:

A method for sharing resources across security domains in a cloud resource pool according to an embodiment of the present invention includes:

the cloud computing resource management platform configures a resource pool and plans multiple network security domains within the same resource pool;

the cloud computing resource management platform collects data from each network element, including the servers, for performance analysis to obtain the resource requirements;

the cloud computing resource management platform applies a pre-configured server security policy and, according to the resource requirements, dynamically schedules the resources of that same resource pool, dynamically changing the servers' service network settings and network security settings so that servers migrate across security domains within the same resource pool, thereby achieving dynamic resource sharing of servers across security domains.

In the above solution, the cloud computing resource management platform applying a pre-configured server security policy and dynamically scheduling the resources of the same resource pool according to the resource requirements, so as to dynamically change the servers' service network settings and network security settings, includes:

when scheduling according to the resource requirements, the cloud computing resource management platform makes a judgment and obtains a judgment result;

if the judgment result is that server resources meeting the resource requirements can be reclaimed, the cloud computing resource management platform reconfigures them;

if the judgment result is that server resources meeting the resource requirements cannot be reclaimed, the cloud computing resource management platform enters a reclaim-polling state until server resources meeting the resource requirements have been reclaimed, and then reallocates them.

In the above solution, the cloud computing resource management platform applying a pre-configured server security policy and dynamically scheduling the resources of the same resource pool according to the resource requirements, so as to dynamically change the servers' service network settings and network security settings, further includes:

the cloud computing resource management platform confirms, according to the resource scheduling result, the set of servers that require dynamic sharing adjustment;

the cloud computing resource management platform dynamically configures the network IP configuration and network security policy of the servers in that server set according to the security domain corresponding to the resource requirements, and invokes network elements including at least iptables to perform network security control.

In the above solution, the cloud computing resource management platform configuring the resource pool includes:

dividing the resource pool into preset fixed resources and adjustable dynamic resources;

the preset fixed resources being resources configured in advance according to the system architecture plan, which do not need to be changed;

the adjustable dynamic resources being resources that are dynamically scheduled according to the computing needs of the business, based on the actual usage of resources.

In the above solution, the method further includes:

connecting the service network and the management network of the resource pool to different switches from different network ports of the servers, so that the service network and the management network of the resource pool are physically independent of each other and completely isolated at the physical level;

the management network providing management services for the resource pool, and the service network being the network through which the servers in the resource pool provide services externally and which carries the data of each business system.

In the above solution, the adjustable dynamic resources include:

the server security policy, the service IP address and the service network VLAN;

and the method further includes:

on the server, according to the business it runs and based on the server security policy, enforcing the isolation between the management network and the service network so that they cannot access each other at the physical level;

on the switch, logically isolating the data of different security domains by means of the service network VLAN, and physically isolating the ports on the switch and the firewall, thereby achieving layer-2 network isolation.

In the above solution, dynamically scheduling the resources of the same resource pool according to the analysis result so that servers migrate across security domains within the same resource pool, achieving dynamic resource sharing of servers across security domains, includes:

obtaining the current security domain resource requests in the same resource pool, and obtaining from the analysis result the adjustable dynamic resources currently available for scheduling;

achieving resource sharing of servers across security domains by means of the adjustable dynamic resources.

In the above solution, achieving resource sharing of servers across security domains by means of the adjustable dynamic resources includes:

at least one server in a first server set initially operates in a first security domain of the service network;

when it is detected that a server in the first server set has cancelled its association with the first security domain, has been released from the first security domain and is idle, that server is determined to be an idle server, and the idle servers form a second server set;

a resource request from a second security domain, or resource requests from the second through the j-th security domains, are obtained, and the cloud computing resource management platform schedules the idle servers in the second server set to be associated correspondingly with the second security domain or with the second through the j-th security domains, so that the idle servers in the second server set operate in the second security domain or in the second through the j-th security domains, thereby achieving resource sharing of servers across security domains.

A system for sharing resources across security domains in a cloud resource pool according to an embodiment of the present invention includes:

a cloud computing resource pool management platform, configured to configure a resource pool and plan multiple network security domains within the same resource pool; collect data from each network element, including the servers, for performance analysis to obtain the resource requirements; and apply a pre-configured server security policy and, according to the resource requirements, dynamically schedule the resources of that same resource pool, dynamically changing the servers' service network settings and network security settings so that servers migrate across security domains within the same resource pool, thereby achieving dynamic resource sharing of servers across security domains;

the servers, configured to accept the dynamic scheduling of the cloud computing resource pool management platform in order to migrate across security domains within the same resource pool, thereby achieving dynamic resource sharing across security domains.

In the above solution, the cloud computing resource management platform is further configured to make a judgment when scheduling according to the resource requirements and obtain a judgment result; if the judgment result is that server resources meeting the resource requirements can be reclaimed, the cloud computing resource management platform reconfigures them; if the judgment result is that server resources meeting the resource requirements cannot be reclaimed, the cloud computing resource management platform enters a reclaim-polling state until server resources meeting the resource requirements have been reclaimed, and then reallocates them.

In the above solution, the cloud computing resource management platform is further configured to confirm, according to the resource scheduling result, the set of servers that require dynamic sharing adjustment; and to dynamically configure the network IP configuration and network security policy of the servers in that server set according to the security domain corresponding to the resource requirements, invoking network elements including at least iptables to perform network security control.

In the above solution, the cloud computing resource management platform is further configured, where at least one server in the first server set initially operates in the first security domain of the service network, to determine a server as an idle server when it is detected that the server in the first server set has cancelled its association with the first security domain, has been released from the first security domain and is idle, the idle servers forming a second server set; and to obtain a resource request from a second security domain, or resource requests from the second through the j-th security domains, and schedule the idle servers in the second server set to be associated correspondingly with the second security domain or with the second through the j-th security domains, so that the idle servers in the second server set operate in the second security domain or in the second through the j-th security domains, thereby achieving resource sharing of servers across security domains.

The method for sharing resources across security domains in a cloud resource pool according to the embodiments of the present invention includes: the cloud computing resource management platform configures a resource pool and plans multiple network security domains within the same resource pool; the cloud computing resource management platform collects data from each network element, including the servers, for performance analysis to obtain the resource requirements; the cloud computing resource management platform applies a pre-configured server security policy and, according to the resource requirements, dynamically schedules the resources of that same resource pool, dynamically changing the servers' service network settings and network security settings so that servers migrate across security domains within the same resource pool, thereby achieving dynamic resource sharing of servers across security domains.

By adopting the embodiments of the present invention, the resources of the same resource pool can be dynamically scheduled through the allocation performed by the cloud computing resource management platform, so that servers migrate across security domains within the same resource pool, achieving dynamic resource sharing of servers across security domains.

Description of the drawings

Figure 1 is a schematic diagram of the structure of existing independent security domains and resource pools;

Figure 2 is a schematic diagram of the structure of an existing integrated security domain and resource pool;

Figure 3 is a schematic flow chart of the method of an embodiment of the present invention;

Figure 4 is a schematic diagram of the architecture of a multi-security-domain shared resource pool scenario applying an embodiment of the present invention;

Figure 5 is a schematic diagram of security isolation in a layer-2 networking scenario applying an embodiment of the present invention;

Figure 6 is a schematic diagram of a resource pool logical composition scenario applying an embodiment of the present invention;

Figure 7 is a flow chart of a physical server dynamic scheduling scenario applying an embodiment of the present invention.

Detailed description

The implementation of the technical solution is described in further detail below with reference to the accompanying drawings.

A method for sharing resources across security domains in a cloud resource pool according to an embodiment of the present invention, as shown in Figure 3, includes:

Step 101: the cloud computing resource management platform configures a resource pool and plans multiple network security domains within the same resource pool;

Step 102: the cloud computing resource management platform collects data from each network element, including the servers, for performance analysis to obtain the resource requirements;

Step 103: the cloud computing resource management platform applies a pre-configured server security policy and, according to the resource requirements, dynamically schedules the resources of that same resource pool, dynamically changing the servers' service network settings and network security settings so that servers migrate across security domains within the same resource pool, thereby achieving dynamic resource sharing of servers across security domains.

In one implementation of the embodiment of the present invention, the cloud computing resource management platform applying a pre-configured server security policy and dynamically scheduling the resources of the same resource pool according to the resource requirements, so as to dynamically change the servers' service network settings and network security settings, includes: when scheduling according to the resource requirements, the cloud computing resource management platform makes a judgment and obtains a judgment result; if the judgment result is that server resources meeting the resource requirements can be reclaimed, the cloud computing resource management platform reconfigures them; if the judgment result is that server resources meeting the resource requirements cannot be reclaimed, the cloud computing resource management platform enters a reclaim-polling state until server resources meeting the resource requirements have been reclaimed, and then reallocates them.

In one implementation of the embodiment of the present invention, the cloud computing resource management platform applying a pre-configured server security policy and dynamically scheduling the resources of the same resource pool according to the resource requirements, so as to dynamically change the servers' service network settings and network security settings, further includes: the cloud computing resource management platform confirms, according to the resource scheduling result, the set of servers that require dynamic sharing adjustment; the cloud computing resource management platform dynamically configures the network IP configuration and network security policy of the servers in that server set according to the security domain corresponding to the resource requirements, and invokes network elements including at least iptables to perform network security control.

In one implementation of the embodiment of the present invention, the cloud computing resource management platform configuring the resource pool includes:

dividing the resource pool into preset fixed resources and adjustable dynamic resources;

the preset fixed resources being resources configured in advance according to the system architecture plan, which do not need to be changed;

the adjustable dynamic resources being resources that are dynamically scheduled according to the computing needs of the business, based on the actual usage of resources.

In one implementation of the embodiment of the present invention, the method further includes: connecting the service network and the management network of the resource pool to different switches from different network ports of the servers, so that the service network and the management network of the resource pool are physically independent of each other and completely isolated at the physical level.

Here, the management network provides management services for the resource pool; the service network is the network through which the servers in the resource pool provide services externally, and carries the data of each business system.

In one implementation of the embodiment of the present invention, the adjustable dynamic resources include: the server security policy, the service IP address and the service network VLAN;

and the method further includes: on the server, according to the business it runs and based on the server security policy, enforcing the isolation between the management network and the service network so that they cannot access each other at the physical level; on the switch, logically isolating the data of different security domains by means of the service network VLAN, and physically isolating the ports on the switch and the firewall, thereby achieving layer-2 network isolation.
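As an added illustration, not code from the patent or from China Mobile, the Python below renders a pre-configured server security policy for a target security domain into the host-side settings described above: the service IP address on the service-network port, the access VLAN for the switch port, and iptables rules that keep the management port reachable only from the management network and never forward traffic between the two networks, followed by a review check on the rendered rule set. The interface names, address ranges, VLAN numbers and port lists are constructed assumptions, and the commands are emitted as strings for review rather than executed.

```python
"""Render a pre-configured server security policy into host configuration for a
target security domain (constructed example; not the patent's own code)."""
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class DomainPolicy:
    name: str
    vlan: int                    # service-network VLAN isolating this domain on the switch
    service_ports: List[int]     # TCP ports the domain's applications expose on the service net
    mgmt_cidr: str = "10.255.0.0/24"   # assumed management network; only it may reach the mgmt port


@dataclass
class HostNet:
    mgmt_if: str = "eth0"        # management-network port (cabled to the management switch)
    service_if: str = "eth1"     # service-network port (cabled to a different switch)
    service_ip: str = ""
    prefix_len: int = 24


def render_host_config(host: HostNet, dom: DomainPolicy) -> Dict[str, object]:
    """Produce the per-server settings the platform pushes when a server joins `dom`:
    iproute2 commands for the service IP, the access VLAN for the switch port, and an
    iptables rule set implementing the domain's server security policy."""
    ip_cmds = [
        f"ip addr flush dev {host.service_if}",
        f"ip addr add {host.service_ip}/{host.prefix_len} dev {host.service_if}",
        f"ip link set {host.service_if} up",
    ]
    rules = [
        "iptables -F",                        # drop the previous domain's rules first
        "iptables -P INPUT DROP",
        "iptables -P FORWARD DROP",           # the host never bridges mgmt and service traffic
        "iptables -P OUTPUT ACCEPT",
        "iptables -A INPUT -i lo -j ACCEPT",
        "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
        # management port: only the management network, only the management protocol
        f"iptables -A INPUT -i {host.mgmt_if} -s {dom.mgmt_cidr} -p tcp --dport 22 -j ACCEPT",
    ]
    for port in dom.service_ports:
        rules.append(f"iptables -A INPUT -i {host.service_if} -p tcp --dport {port} -j ACCEPT")
    return {"ip": ip_cmds, "iptables": rules,
            "switch_port": {"mode": "access", "vlan": dom.vlan}}


def isolation_violations(rules: List[str], host: HostNet, mgmt_cidr: str) -> List[str]:
    """Review check on a rendered rule set: FORWARD must default to DROP, every ACCEPT
    on the management port must be restricted to the management network, and every
    ACCEPT on the service port must name a destination port."""
    bad = []
    if "iptables -P FORWARD DROP" not in rules:
        bad.append("FORWARD chain does not default to DROP")
    for r in rules:
        if "-j ACCEPT" not in r:
            continue
        if f"-i {host.mgmt_if} " in r and f"-s {mgmt_cidr}" not in r:
            bad.append(f"management port accepts from outside the management network: {r}")
        if f"-i {host.service_if} " in r and "--dport" not in r:
            bad.append(f"service port accepts every destination port: {r}")
    return bad


def demo() -> Dict[str, object]:
    """Constructed scenario: a server migrating into 'domain2' (VLAN 102, HTTPS only)."""
    host = HostNet(service_ip="10.2.0.11")
    dom = DomainPolicy("domain2", vlan=102, service_ports=[443])
    cfg = render_host_config(host, dom)
    weakened = cfg["iptables"] + ["iptables -A INPUT -i eth0 -j ACCEPT"]   # a misconfiguration
    return {"config": cfg,
            "ok_findings": isolation_violations(cfg["iptables"], host, dom.mgmt_cidr),
            "weak_findings": isolation_violations(weakened, host, dom.mgmt_cidr)}


if __name__ == "__main__":
    out = demo()
    print("\n".join(out["config"]["iptables"]))
    print("findings:", out["weak_findings"])
```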

In one implementation of the embodiment of the present invention, dynamically scheduling the resources of the same resource pool according to the analysis result so that servers migrate across security domains within the same resource pool, achieving dynamic resource sharing of servers across security domains, includes: obtaining the current security domain resource requests in the same resource pool, and obtaining from the analysis result the adjustable dynamic resources currently available for scheduling; achieving resource sharing of servers across security domains by means of the adjustable dynamic resources.

In one implementation of the embodiment of the present invention, achieving resource sharing of servers across security domains by means of the adjustable dynamic resources includes:

a1. at least one server in a first server set initially operates in a first security domain of the service network;

a2. when it is detected that a server in the first server set has cancelled its association with the first security domain, has been released from the first security domain and is idle, that server is determined to be an idle server, and the idle servers form a second server set;

a3. a resource request from a second security domain, or resource requests from the second through the j-th security domains, are obtained, and the cloud computing resource management platform schedules the idle servers in the second server set to be associated correspondingly with the second security domain or with the second through the j-th security domains, so that the idle servers in the second server set operate in the second security domain or in the second through the j-th security domains, thereby achieving resource sharing of servers across security domains.
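As an added example that is not part of the patent, the Python below models steps 101 to 103 and a1 to a3 together: a pool holding preset fixed and adjustable servers across two security domains, a demand estimate that stands in for the performance analysis of step 102 (an assumption, since the patent does not specify the analysis), and a scheduler that either reconfigures reclaimed idle servers into the requesting domain's VLAN, IP range and security policy or reports the reclaim-polling state. All server names, VLAN numbers, addresses and policy names are constructed.

```python
"""Scheduler model for steps 101-103 and a1-a3 (constructed example, not the patent's code)."""
import math
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class SecurityDomain:
    name: str
    vlan: int                 # service-network VLAN of this domain on the switch
    ip_pool: List[str]        # free service IP addresses for servers joining the domain
    policy: str               # name of the pre-configured server security policy


@dataclass
class Server:
    sid: str
    fixed: bool = False              # preset fixed resource: planned up front, never rescheduled
    domain: Optional[str] = None     # None means released from its domain (idle)
    service_ip: Optional[str] = None
    vlan: Optional[int] = None
    policy: Optional[str] = None


def servers_needed(utilizations: List[float], target: float = 0.7) -> int:
    """Step 102, modelled as an assumption: from per-server utilisation samples of
    one domain, estimate how many extra servers bring the average under `target`."""
    required = math.ceil(sum(utilizations) / target)
    return max(0, required - len(utilizations))


class ResourcePool:
    """One resource pool hosting several security domains (step 101)."""

    def __init__(self, domains: List[SecurityDomain], servers: List[Server]):
        self.domains: Dict[str, SecurityDomain] = {d.name: d for d in domains}
        self.servers: Dict[str, Server] = {s.sid: s for s in servers}

    def idle_servers(self) -> List[Server]:
        # a2: adjustable servers that have been released from their domain
        return [s for s in self.servers.values() if s.domain is None and not s.fixed]

    def release(self, sid: str) -> None:
        """Cancel a server's association with its current domain (a2)."""
        s = self.servers[sid]
        if s.fixed:
            raise ValueError(f"{sid} is a preset fixed resource and cannot be released")
        if s.domain is not None:
            self.domains[s.domain].ip_pool.append(s.service_ip)   # give the address back
        s.domain = s.service_ip = s.vlan = s.policy = None

    def schedule(self, target: str, count: int) -> dict:
        """Step 103 / a3: if enough servers can be reclaimed, re-associate them with
        `target` and return the reconfiguration plan; otherwise report 'polling'
        so the platform keeps polling until the demand can be met."""
        dom = self.domains[target]
        idle = self.idle_servers()
        available = min(len(idle), len(dom.ip_pool))
        if available < count:
            return {"status": "polling", "domain": target,
                    "needed": count - available, "reconfigured": []}
        plan = []
        for s in idle[:count]:
            s.domain, s.vlan, s.policy = dom.name, dom.vlan, dom.policy
            s.service_ip = dom.ip_pool.pop(0)
            plan.append({"server": s.sid, "service_ip": s.service_ip,
                         "vlan": s.vlan, "policy": s.policy})
        return {"status": "reconfigured", "domain": target, "needed": 0, "reconfigured": plan}


def demo() -> List[dict]:
    """Constructed scenario: three servers start in domain1 (a1); domain2 asks for two."""
    pool = ResourcePool(
        [SecurityDomain("domain1", 101, ["10.1.0.14"], "policy-domain1"),
         SecurityDomain("domain2", 102, ["10.2.0.11", "10.2.0.12"], "policy-domain2")],
        [Server("srv-01", fixed=True, domain="domain1", service_ip="10.1.0.11",
                vlan=101, policy="policy-domain1"),
         Server("srv-02", domain="domain1", service_ip="10.1.0.12", vlan=101, policy="policy-domain1"),
         Server("srv-03", domain="domain1", service_ip="10.1.0.13", vlan=101, policy="policy-domain1")])
    results = [pool.schedule("domain2", 2)]      # nothing idle yet -> polling
    pool.release("srv-02")
    results.append(pool.schedule("domain2", 2))  # one idle, still short by one -> polling
    pool.release("srv-03")
    results.append(pool.schedule("domain2", 2))  # two idle -> reconfigured into VLAN 102
    return results


if __name__ == "__main__":
    for r in demo():
        print(r["status"], r["needed"], [p["server"] for p in r["reconfigured"]])
```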

本发明实施例的一种云资源池中跨安全域资源共享的系统,该系统包括:云计算资源池管理平台和服务器,其中,云计算资源池管理平台用于配置资源池,将多个网络安全域规划在同一个资源池中;采集包括服务器在内的各个网元的数据,以进行性能分析,得到资源需求;采取预配置的服务器安全策略,根据所述资源需求进行所述同一个资源池中的资源动态调度,以动态变更服务器的业务网络设置及网络安全设置,使服务器在同一资源池内跨安全域迁移,实现服务器跨安全域的动态资源共享享;所述服务器用于接受所述云计算资源池管理平台的动态调度,以在同一资源池内跨安全域迁移,实现跨安全域的动态资源共享。A system for sharing resources across security domains in a cloud resource pool according to an embodiment of the present invention, the system includes: a cloud computing resource pool management platform and a server, wherein the cloud computing resource pool management platform is used to configure resource pools, and multiple network The security domain is planned in the same resource pool; the data of each network element including the server is collected for performance analysis to obtain resource requirements; the pre-configured server security policy is adopted, and the same resource is configured according to the resource requirements. The resources in the pool are dynamically scheduled to dynamically change the business network settings and network security settings of the server, so that the server can migrate across security domains in the same resource pool, and realize the dynamic resource sharing of servers across security domains; the server is used to accept the Dynamic scheduling of the cloud computing resource pool management platform to migrate across security domains within the same resource pool to achieve dynamic resource sharing across security domains.

In one implementation, the platform further makes a decision while scheduling against the resource demand: if server resources matching the demand can be reclaimed, the platform reconfigures them; if they cannot, the platform enters a reclaim-polling state and stays there until server resources matching the demand have been reclaimed, after which it reallocates them.

In one implementation, the platform further confirms, from the scheduling result, the set of servers that need to be dynamically shared and adjusted; according to the security domain that the demand belongs to, it dynamically configures the network IP settings and the network security policy of each server in that set, and invokes network elements, at least including iptables on the server, to enforce network security control.

In one implementation, when configuring the resource pool, the platform divides it into preset fixed resources and adjustable dynamic resources.

Preset fixed resources are those configured in advance according to the system architecture plan and not expected to change. Adjustable dynamic resources are those scheduled dynamically according to the business computing needs, based on the actual usage of resources.

In one implementation, the system further comprises a management network and a business network.

The management network provides management services for the resource pool; the cloud computing resource pool management platform sits on the management network. The business network is the network through which the servers of the resource pool provide services externally and carries the data of the individual business systems; the multiple network security domains and the resource pool sit on the business network.

The platform performs scheduling and management of the resource pool through the management network. The business network and the management network of the resource pool are attached to different switches from different network ports of each server, so the two networks are physically independent of each other and completely isolated at the physical layer.

In one implementation, the adjustable dynamic resources comprise the server security policy, the business IP address and the business network VLAN.

On the server, the platform enforces, according to the business the server runs and based on the server security policy, isolation between the management network and the business network, so that the two cannot reach each other through the server.

On the switch, the platform logically isolates the data of different security domains by means of business VLANs, and the switch ports are physically separated from the firewall ports, which achieves layer-2 network isolation.

In one implementation, the platform further obtains the current security domain resource request within the same resource pool, derives from the analysis result the adjustable dynamic resources currently available for scheduling, and uses those dynamic resources to realize server resource sharing across security domains.

In one implementation, with at least one server of a first server set initially working in a first security domain of the business network, the platform further detects when a server of that first set has its association with the first security domain cancelled and is released from that domain into an idle state; it marks that server as an idle server, and the idle servers form a second server set. On receiving a resource request from a second security domain, or from any of the second through j-th security domains, the platform associates idle servers from the second server set with the requesting domain so that they now work in it, realizing server resource sharing across security domains.
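The Python model below is an added illustration of this scheduling logic and is not code from the patent or from any China Mobile system. It models one pool of physical servers, the release of a server from its domain into the idle state, a request from another domain that is satisfied first from idle servers and then by polling servers being reclaimed, and the trunk VLAN list the switch port of each server must carry after the move. The domain names, VLAN IDs, subnets, host numbering and the polling bound are assumptions.

```python
"""Added example (not the patent's own code): a model of the scheduling
behaviour described above for one resource pool shared by several security
domains. Domain plan, VLAN IDs, subnets, host numbering and the polling
bound are assumptions made for illustration."""
from dataclasses import dataclass
from ipaddress import IPv4Network
from typing import Dict, List, Optional

# Assumed domain plan: every security domain owns one business VLAN and subnet.
DOMAIN_PLAN = {
    "domainX": {"vlan": 12, "subnet": IPv4Network("10.112.110.0/24")},
    "domainY": {"vlan": 13, "subnet": IPv4Network("10.112.111.0/24")},
}


@dataclass
class Server:
    mgmt_ip: str                        # fixed resource: management IP on eth0
    domain: Optional[str] = None        # dynamic: current security domain, None = idle
    business_ip: Optional[str] = None   # dynamic: address configured on bond0.<vlan>
    vlan: Optional[int] = None          # dynamic: business VLAN

    @property
    def idle(self) -> bool:
        return self.domain is None


class Pool:
    def __init__(self, servers: List[Server]):
        self.servers: Dict[str, Server] = {s.mgmt_ip: s for s in servers}
        self._next_host: Dict[str, int] = {}   # per-domain host-number counter

    def release(self, mgmt_ip: str) -> None:
        """Cancel a server's association with its domain: the dynamic resources
        (domain, business IP, VLAN) are recalled and only the management
        network remains, which is the idle state of step 202."""
        s = self.servers[mgmt_ip]
        s.domain = s.business_ip = s.vlan = None

    def _assign(self, s: Server, domain: str) -> None:
        """Associate an idle server with a domain: allocate its business VLAN
        and a business IP from that domain's subnet (hosts numbered from .10)."""
        plan = DOMAIN_PLAN[domain]
        n = self._next_host.get(domain, 10)
        self._next_host[domain] = n + 1
        s.domain, s.vlan = domain, plan["vlan"]
        s.business_ip = str(plan["subnet"].network_address + n)

    def request(self, domain: str, count: int, reclaim_queue: List[str],
                max_polls: int = 10) -> List[Server]:
        """Steps 202-204: satisfy the request from idle servers; if there are
        too few, poll the queue of servers other domains are releasing until
        enough are idle. The patent polls indefinitely; max_polls bounds it here."""
        chosen = [s for s in self.servers.values() if s.idle][:count]
        polls = 0
        while len(chosen) < count:
            if polls >= max_polls:
                raise RuntimeError("reclaim polling exhausted, request stays pending")
            polls += 1
            if reclaim_queue:
                self.release(reclaim_queue.pop(0))
                chosen = [s for s in self.servers.values() if s.idle][:count]
        for s in chosen:
            self._assign(s, domain)
        return chosen

    def trunk_allowed_vlans(self, mgmt_ip: str) -> List[int]:
        """Step 207: the trunk port facing a server carries only the VLAN of the
        domain it currently belongs to; an idle server's port carries none."""
        s = self.servers[mgmt_ip]
        return [] if s.idle else [s.vlan]


if __name__ == "__main__":
    pool = Pool([Server("10.95.1.4"), Server("10.95.1.7"), Server("10.95.1.9")])
    pool.request("domainX", 2, [])                      # two idle servers join domain X
    pool.request("domainY", 2, ["10.95.1.4"])           # one idle, one reclaimed from X
    for s in pool.servers.values():
        print(s.mgmt_ip, s.domain, s.business_ip, pool.trunk_allowed_vlans(s.mgmt_ip))
```

The point the model makes explicit is that a move between domains is nothing more than recalling and re-issuing the three dynamic resources, while the management address never changes; the switch-side allowed-VLAN list is derived from the same state, so the host and the trunk port cannot disagree about which domain a server is in.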

Application scenarios of the embodiments are described below.

For x86 rack-mount PC servers, the embodiment is a scheme for sharing such servers across security domains within one cloud resource pool. In short, by adjusting the network design of the equipment and the way servers are linked to switches, and by using the cloud computing resource management platform as the control tool, x86 rack-mount PC servers can float across security domains within the same resource pool, so that computing resources are shared within that pool. In other words, x86 rack-mount PC server resources migrate dynamically across security domains, which solves the problem of dynamic resource sharing of physical servers across security domains: resource utilization improves while the security requirements of the network security domains are still met, so that network security and resource utilization are achieved together.

Specifically, the scheme adopts "resource sharing among the security domains within one resource pool": one large resource pool is planned jointly for all network security domains, and the cloud computing resource pool management platform collects performance data on the pool's resources, analyses it, raises alarms and schedules the resources dynamically, so that resources are shared flexibly between security domains. At the same time, layer-2 networking inside the pool provides logical security isolation between the resources of different domains, so that the existing security boundaries of the domains remain unchanged. The main points are:

1. In a cloud resource pool made up of physical servers, cross-security-domain sharing of physical servers is achieved by flexibly scheduling and controlling the dynamic resources. The business network and the management network of the pool are physically independent: they are attached to different physical switches from different network ports of each physical host, which gives complete isolation at the physical layer. The management network serves the management of the cloud resource pool and belongs to the internal management system; the cloud computing resource pool management platform is located on it, and it carries resource pool configuration management, data collection, dynamic resource adjustment, performance data and alarms. The business network is the network through which the application servers of the pool provide services externally; it carries the data of the individual business systems.

2. The core is the cloud computing resource pool management platform, which schedules and manages the resource pool through the management network. The cloud resource pool is divided into two parts: preset fixed resources and adjustable dynamic resources. Flexible scheduling and control of the adjustable dynamic resources is what makes physical servers shareable across security domains, and is the core technique of the invention. Adjustable dynamic resources are those that need to be scheduled dynamically according to the actual usage of resources and the business computing needs; their dynamic scheduling makes cross-domain sharing convenient and flexible and raises resource utilization.

3. The dynamic resources mainly comprise the server security policy, the business IP address and the business network VLAN. Each server is given a concrete security policy according to the business it runs, so that the management network and the business network are isolated from each other and cannot reach each other. On the switch, the data of different security domains is logically isolated by VLAN, and the switch ports are physically separated from the firewall ports; this achieves genuine layer-2 network isolation together with cross-security-domain sharing of physical servers.

Figure 4 is a schematic of the architecture of a shared resource pool serving multiple security domains according to an embodiment. It mainly involves the cloud resource pool (for example x86 rack-mount PC servers), the cloud computing resource pool management platform, the management network, the business network and the individual network security domains. The business network and the management network are independent of each other; the platform is located on the management network and schedules and manages the resource pool through it, which improves the security of the platform and keeps it unaffected by the business traffic of the production network. Multiple network security domains (security domain 1 to security domain n) live in one cloud resource pool, are controlled by the platform, and have their resources scheduled dynamically. The network security domains and the cloud resource pool are located on the business network.

Figure 5 is a schematic of the security isolation in a layer-2 networking scenario according to an embodiment; it shows the logical architecture of the resource pool, which comprises the physical servers, the business network interface bonding device (BOND), the switches, the management platform and the network security domains (Secure Zones). By planning, configuring and flexibly scheduling each component of this logical architecture, the embodiment achieves resource sharing across network security domains while keeping the security domain boundaries intact. The data flows between servers in different security domains are shown as bold dashed lines in Figure 5.

Figure 6 is a schematic of the logical composition of the resource pool according to an embodiment; as shown, the pool mainly consists of:

(1) Management network switch (M-SW): interconnects the resource pool equipment with the management platform;

(2) Server management port (eth0): connects the server to the management network;

(3) Server management IP address: the address the server uses to communicate with the management network;

(4) Server security policy: the policy controlling how the server exchanges information with the management network and the business network. Its basic principles are: a. the management network and the business network do not communicate with each other; b. the server's management network is open only to the management platform, and servers are not allowed to talk to each other over the management network; c. the server's business network only provides the designated business data exchange, and system users are not permitted to log in to the server over the business network; d. the security policy is adjusted dynamically by the management platform;

(5) Server business IP address: the address used for business data exchange. It is set dynamically by the resource management platform according to the concrete business need and is configured on the virtual interface bond0.xxx, where xxx is the VLAN ID of the VLAN the business IP address belongs to.

(6) Server business network port bonding (bond0): the business network interface bonding device, bond0 by default;

(7) Server business network interfaces: the server network interfaces connected to the business switch, two interfaces by default;

(8) Business link: the interconnection link between the server's business network interfaces and the business switch; the switch-side port of this link must work in trunk mode;

(9) Business VLAN: a VLAN on the business switch (S-SW); the cloud computing resource management platform adjusts the VLANs on the switch dynamically according to the business need;

(10) Security link: the data link between the business switch and the firewall.

(11) Secure Zone: a network security domain as planned in the original production network, with a clearly defined network security boundary and security specification requirements; different security domains are interconnected through the core switching area.

The precondition for the platform to schedule and manage the resource pool through the management network is that the embodiment divides the pool in advance into two parts: preset fixed resources and adjustable dynamic resources. Flexible scheduling and control of the adjustable dynamic resources is what achieves cross-security-domain sharing of physical servers and is the core of the invention; the two parts are described below.

1) Preset fixed resources

Preset fixed resources are those that can be configured in advance according to the system architecture plan; normally this part of the configuration does not need to change, which keeps the whole cloud computing network architecture stable, reliable and secure. The fixed resources mainly comprise (1) M-SW, (2) server management port, (3) server management IP address, (6) business network interface bonding, (7) server business network interfaces, (8) business link, (10) security link and (11) Secure Zone; they are deployed as follows:

Part one: items (1), (2), (7), (8), (10) and (11) are interconnected and configured according to the pre-planned resource pool, so that the physical links between all devices of the pool are fixed; at the same time the management IP address (3) is assigned to the management port (2);

Part two: the bonding part of item (6), server business network port bonding (bond0), binds the two business network interfaces of the server; the bonding device bond0 should work in mode 4 (BONDING_OPTS="mode=4"), i.e. IEEE 802.3ad dynamic link aggregation, which requires the two switch-side ports to be configured as an LACP port-channel;

2) Adjustable dynamic resources

Adjustable dynamic resources are those that need to be scheduled dynamically according to the actual usage of resources and the business computing needs; their dynamic scheduling makes cross-security-domain sharing convenient and flexible and raises resource utilization. The dynamic resources mainly comprise:

Part one: item (4), the server security policy, which the resource management platform adjusts dynamically according to the actual business running on the server;

Part two: item (5), the server business IP address, which the cloud computing resource management platform allocates and reclaims dynamically; the business IP address is set on the virtual interface bond0.xxx (xxx being the VLAN ID of the VLAN the business IP address belongs to). The business subnet gateway is allocated and reclaimed together with it;

Part three: item (9), the business network VLAN; the platform adjusts the VLANs on the switch according to the actual situation, together with the specific VLAN traffic allowed through the port interconnecting the switch with the server.

Figure 7 is a flow chart of the dynamic scheduling of physical servers according to an embodiment. For dynamic resource sharing, the embodiment has the platform collect and analyse the information on the preset fixed resources and the adjustable dynamic resources, allocate resources, check security domain network access, and associate the scheduled resources, so that computing resources are deployed quickly and allocated dynamically across security domains to satisfy the resource requests of every security domain in the same pool. At the same time, idle resources are released and reclaimed by cancelling their dynamic resource association with the corresponding security domain, which gives the resource pool the flexibility and scalability expected in a cloud computing environment. With reference to Figure 7, the concrete flow of cross-security-domain resource sharing consists of the initial configuration process below and the resource sharing process of steps 201 to 208.

Initial configuration: a physical server awaiting allocation is in its default configuration state. Its remote out-of-band management interface and its system management interface are reachable remotely; the business network interfaces carry no IP address, and they are interconnected with the business switch through a trunk port whose link is physically up but logically down. The server's security configuration only allows the designated system user (scmcc) to log in remotely via SSH from the designated IP addresses (the management network); no other user may log in remotely, and apart from SSH the server provides no service at all. In one sentence: a physical server awaiting allocation provides only a restricted SSH service and nothing else.

Step 201: the user submits a physical server resource request to the cloud resource pool management platform. The request contains the number of resources, the resource configuration requirements, the intended use and the security domain the resources belong to, as shown in Table 1 below;

Table 1

Note that in the network port bondx.12 of Table 1, bondx is the network interface used by the business network (bond0 or bond1), and 12 is the VLAN ID of the VLAN that the service IP address belongs to.

Step 202: the platform matches the state of the idle physical servers in the pool against the user's resource request. If the pool currently has enough idle resources to satisfy the request, proceed to step 204; if it has no idle resources, proceed to step 203;

Here an idle physical server is one that can communicate with the management platform over the management network but belongs to no business network security domain. "Cross-security-domain" in this scheme means across the security domains of the business network. For example: a physical server initially works in security domain X of the business network; after a while it is released from domain X and becomes idle; when security domain Y of the business network needs an additional physical server, the management platform makes that server work in domain Y.

Step 203: the platform schedules according to the resource request. If enough physical server resources can be reclaimed, they are handed to the platform for reconfiguration; if not, the platform remains in a reclaim-polling state until enough physical servers have been reclaimed, and then hands them to the resource pool management platform for reallocation.

Step 204: from the scheduling result, the platform confirms server set A, the set of servers that need to be dynamically shared and adjusted;

Step 205: according to the requested security domain, the platform dynamically configures the network IP settings and the network security policy of the physical servers in server set A, as shown in Table 2 below;

Management IP address | Service IP address | Default gateway | Hostname
10.95.1.4             | 10.112.110.86      | 10.112.110.1    | webservice1
10.95.1.7             | 10.112.110.88      | 10.112.110.1    | webservise2

Table 2

In this step, the platform first checks whether the operating system on the server meets the requirements and, if not, calls the installation and deployment system to provision the operating system. Based on the content of the user's request, the platform then configures the operating system's management network settings, including the management IP address and gateway, followed by the business service IP address and its gateway.

The platform then uses O&M tools to push configuration files that apply the operating system security settings. These have two parts: general security settings, and separate security settings for the specific business. Security technologies such as iptables, PAM and RBAC are used here.

For the general security settings: 1) on the network side, iptables allows only the cloud computing resource management platform and the jump host to reach the server's SSH service and to ping its management IP address, and rejects all other network traffic; 2) on the operating system side, the port of the SSH remote login service is moved from the default TCP 22 to a high port above 1024, such as TCP 41022. Through PAM, only the operating system administration user (osadm) may log in remotely and all other users are refused; only osadm may switch users (su); and password strength and complexity are enforced for all users.

For the business-specific security settings: 1) on the network side, iptables opens the specific service ports on the business network, for example TCP 80, and allows the server's business IP address to be pinged from the business network; 2) on the system side, PAM allows the operating system users related to the business, such as oracle, to log in via SSH from the jump host, and business users are prevented from logging in to other systems from this server (except for servers explicitly trusted because the business requires it).

Table 3 below compares the network security of the server with management address 10.95.1.4 (a member of server set A) before and after it is configured by the cloud management platform:

Table 3

Table 3 shows that before the server is allocated its management network is available while its business network is not configured at all, i.e. the server belongs to no business network; before allocation it can therefore only communicate with the cloud management platform. After allocation the management network remains unchanged and only the business network is added. The security policy of the business network shows that it exposes only business services: non-business traffic cannot pass over the business network, and all management-related operations must be performed by logging in to the server through the management platform or the designated jump host.

The core of moving a physical server across security domains is therefore that the cloud management platform changes the server's business network settings dynamically and invokes iptables for network security control, while PAM and RBAC restrict system users to further strengthen system security.
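The Python helper below is an added example and not code from the patent or from the platform it describes. It builds, for the server 10.95.1.4 of Table 2, the two host policies that Table 3 contrasts: the unassigned (initial) policy, in which only the management network exists and SSH on the high port is reachable solely from the platform and the jump host, and the assigned policy, which keeps the same management rules and adds the business sub-interface bond0.12 exposing only the requested service ports. It also emits the login restriction as pam_access(8) lines, which is one concrete form of the PAM settings the text mentions. The platform and jump-host addresses, the interface names and the service port list are assumptions; the iptables commands are produced as text for an O&M tool to push, and nothing here touches the running host.

```python
"""Added example (not the patent's own code): generate the host-side security
policy pushed to a server in the two states Table 3 compares, and the PAM
login restriction, for the server 10.95.1.4 of Table 2. Platform and jump-host
addresses, interface names and the service port list are assumptions; the
commands are emitted as text for an O&M tool to apply, nothing runs here."""
from dataclasses import dataclass
from typing import List, Optional

PLATFORM_IP = "10.95.0.10"   # assumed address of the cloud platform on the management net
JUMP_HOST_IP = "10.95.0.20"  # assumed address of the jump host (springboard)
SSH_PORT = 41022             # high port used instead of TCP 22
MGMT_IF = "eth0"             # server management port
BOND_IF = "bond0"            # business bonding device (mode 4)


@dataclass
class Assignment:
    vlan: int                  # business VLAN, sub-interface bond0.<vlan>
    business_ip: str
    service_ports: List[int]   # e.g. [80]; nothing else is opened on the business side


def management_rules(mgmt_ip: str) -> List[str]:
    """General settings: only the platform and the jump host may reach SSH and
    ping the management IP; every other packet on eth0 falls through to DROP."""
    rules = [
        "iptables -P INPUT DROP",
        "iptables -P FORWARD DROP",
        "iptables -A INPUT -i lo -j ACCEPT",
        "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
    ]
    for src in (PLATFORM_IP, JUMP_HOST_IP):
        rules.append(f"iptables -A INPUT -i {MGMT_IF} -s {src} -d {mgmt_ip} "
                     f"-p tcp --dport {SSH_PORT} -j ACCEPT")
        rules.append(f"iptables -A INPUT -i {MGMT_IF} -s {src} -d {mgmt_ip} "
                     "-p icmp --icmp-type echo-request -j ACCEPT")
    return rules


def business_rules(a: Assignment) -> List[str]:
    """Business-specific settings on bond0.<vlan>: open only the requested
    service ports plus ICMP echo to the business IP. SSH is deliberately not
    opened on this interface, so nobody logs in over the business network."""
    ifname = f"{BOND_IF}.{a.vlan}"
    rules = [f"iptables -A INPUT -i {ifname} -d {a.business_ip} -p tcp --dport {p} -j ACCEPT"
             for p in a.service_ports]
    rules.append(f"iptables -A INPUT -i {ifname} -d {a.business_ip} "
                 "-p icmp --icmp-type echo-request -j ACCEPT")
    return rules


def ruleset(mgmt_ip: str, assignment: Optional[Assignment]) -> List[str]:
    """Unassigned server: management rules only. Assigned server: management
    rules plus the business rules. A trailing explicit DROP keeps the policy
    visible in the listing even if the chain policy is changed later."""
    rules = ["iptables -F INPUT"] + management_rules(mgmt_ip)
    if assignment is not None:
        rules += business_rules(assignment)
    rules.append("iptables -A INPUT -j DROP")
    return rules


def accepts(rules: List[str], iface: str, port: int) -> bool:
    """Check whether the generated policy accepts TCP <port> arriving on <iface>."""
    return any(f"-i {iface} " in r and f"--dport {port} " in r and r.endswith("-j ACCEPT")
               for r in rules)


def access_conf(business_users: List[str]) -> List[str]:
    """pam_access(8) lines: osadm may log in from the platform and the jump host,
    business users (e.g. oracle) only from the jump host, everyone else is refused."""
    lines = [f"+ : osadm : {PLATFORM_IP} {JUMP_HOST_IP}"]
    lines += [f"+ : {u} : {JUMP_HOST_IP}" for u in business_users]
    lines.append("- : ALL : ALL")
    return lines


if __name__ == "__main__":
    print("# unassigned (initial) state")
    print("\n".join(ruleset("10.95.1.4", None)))
    print("# assigned to VLAN 12 as webservice1 (Table 2)")
    print("\n".join(ruleset("10.95.1.4", Assignment(12, "10.112.110.86", [80]))))
    print("# /etc/security/access.conf")
    print("\n".join(access_conf(["oracle"])))
```

Two properties are worth checking on the generated output before pushing it: the assigned ruleset must begin with exactly the unassigned ruleset (the management policy is never weakened by a move), and no ACCEPT for the SSH port may mention a bond0.<vlan> interface. The example does not model the su restriction, the password-complexity rules or the outbound restriction on business users that the text also lists.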

步骤206,云资源池管理平台部署系统根据需求在服务器集合A上进行业务部署,包括操作系统用户的创建等。Step 206, the deployment system of the cloud resource pool management platform performs service deployment on the server set A according to requirements, including the creation of operating system users.

步骤207,云资源池管理平台根据业务IP地址所在VLAN,在对应的交换机上进行相应设置,限制交换机互连端口上的VLAN流量,无关VLAN的流量拒绝通信。Step 207, the cloud resource pool management platform performs corresponding settings on the corresponding switch according to the VLAN where the service IP address is located, restricts the VLAN traffic on the interconnection port of the switch, and refuses communication for traffic not related to the VLAN.

Step 208: the cloud resource pool management platform updates the resource pool information according to the resource-sharing scheduling result and delivers the scheduled resources to the requesting user.

At this point, the cross-security-domain resource sharing process ends.
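As an added illustration of the host-side part of this procedure (the dynamic service network change with iptables control described above, and the switch-side VLAN restriction of step 207), the following Python renders the commands that move a server from the idle state into a security domain and back again. It is example code, not the patent's implementation; the interface names, the chain naming and the Cisco-style switch syntax are assumptions.

```python
"""Render host and switch configuration for moving a physical server between
security domains (added example; interface names, chain names and switch
syntax are assumptions, not from the patent)."""
from dataclasses import dataclass

MGMT_IF = "eth0"   # management network: present before and after allocation (assumed name)
SVC_IF = "eth1"    # service network trunk: configured only after allocation (assumed name)

@dataclass(frozen=True)
class Allocation:
    domain: str            # security domain the server is scheduled into
    vlan: int              # service VLAN belonging to that domain
    ip_cidr: str           # service IP address assigned to the server
    service_ports: tuple   # TCP ports the service network may expose

def service_iface(alloc: Allocation) -> str:
    return f"{SVC_IF}.{alloc.vlan}"

def allocate_host(alloc: Allocation) -> list:
    """Commands that add the service network and its default-deny filter.
    Only the listed service ports are reachable through the service network;
    management stays on MGMT_IF, so SSH is never opened on the service VLAN."""
    vif, chain = service_iface(alloc), f"SVC_{alloc.vlan}"
    cmds = [
        f"ip link add link {SVC_IF} name {vif} type vlan id {alloc.vlan}",
        f"ip addr add {alloc.ip_cidr} dev {vif}",
        f"ip link set {vif} up",
        f"iptables -N {chain}",
        f"iptables -A INPUT -i {vif} -j {chain}",
        f"iptables -A {chain} -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
    ]
    cmds += [f"iptables -A {chain} -p tcp --dport {p} -j ACCEPT" for p in alloc.service_ports]
    cmds.append(f"iptables -A {chain} -j DROP")  # everything else, SSH included, is denied
    return cmds

def release_host(alloc: Allocation) -> list:
    """Commands that return the server to the idle state: the service network
    and its filter chain are removed, the management network is untouched."""
    vif, chain = service_iface(alloc), f"SVC_{alloc.vlan}"
    return [f"iptables -D INPUT -i {vif} -j {chain}", f"iptables -F {chain}",
            f"iptables -X {chain}", f"ip link del {vif}"]

def switch_trunk_config(port: str, allowed_vlans: set) -> list:
    """Step 207: prune the switch interconnect port to the VLANs of the domains
    actually using this server; traffic from all other VLANs is dropped."""
    vlans = ",".join(str(v) for v in sorted(allowed_vlans))
    return [f"interface {port}", "switchport mode trunk",
            f"switchport trunk allowed vlan {vlans}"]
```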

With the embodiment of the present invention, coordinated management of x86 rack-mounted PC servers and switches by the cloud computing resource management platform, together with enforcement of security policies on the physical server's network and operating system, achieves dynamic resource scheduling. Compared with the prior art, it genuinely allows the security domains within one resource pool to share physical server resources while the existing security-domain network architecture and security policies remain unchanged.

If the integrated modules described in the embodiments of the present invention are implemented as software function modules and sold or used as independent products, they may also be stored in a computer-readable storage medium. On this understanding, the technical solution of the embodiments of the present invention, in essence or in the part that contributes to the prior art, may be embodied in the form of a software product. That computer software product is stored in a storage medium and includes a number of instructions for causing a computer device (which may be a personal computer, a server, a network device, etc.) to execute all or part of the methods described in the various embodiments of the present invention. The aforementioned storage medium includes a USB flash drive, a removable hard disk, read-only memory (ROM), random access memory (RAM), a magnetic disk, an optical disk or any other medium that can store program code. Thus, the embodiments of the present invention are not limited to any specific combination of hardware and software.

Correspondingly, an embodiment of the present invention also provides a computer storage medium storing a computer program, the computer program being used to execute the method for sharing resources across security domains in a cloud resource pool according to an embodiment of the present invention.

The above descriptions are only preferred embodiments of the present invention and are not intended to limit its scope of protection.

Claims (12)

12. The system according to claim 10, characterised in that the cloud computing resource management platform is further used, in the case where at least one server in the first server set is initialised in the first security domain of the service network, to: when it detects that a server in the first server set has cancelled its association with the first security domain, has been released from the first security domain and is in an idle state, determine that server to be an idle server and form a second server set from the idle servers; obtain a resource application from the second security domain, or from the second to the j-th security domains; and schedule the idle servers in the second server set to be correspondingly associated with the second security domain, or with the second to the j-th security domains, so that the idle servers in the second server set work in the second security domain, or in the second to the j-th security domains, thereby realising server resource sharing across security domains.
Priority Applications (1)

Application Number: CN201510089965.7A
Priority Date: 2015-02-27
Filing Date: 2015-02-27
Title: Method and system for cross safety domain resource sharing in cloud resource pool
Status: Active, granted as CN105991738B (en)

Publications (2)

CN105991738A (en), published 2016-10-05
CN105991738B (en), published 2019-05-14

Family ID: 57038864

Country Status (1)

CN: CN105991738B (en)





Legal Events

C06: Publication
PB01: Publication
C10: Entry into substantive examination
SE01: Entry into force of request for substantive examination
GR01: Patent grant
