Specific embodiment
Fig. 1 is a flow chart of a method for controlling security of communication between containers provided by an embodiment of the present invention; Fig. 2 shows a network structure to which the method for controlling security of communication between containers provided by the embodiment is applicable. The embodiment of the present invention addresses the problem that, after Docker container 2 migrates from Docker server 2 to another Docker server, Docker container 1 can no longer communicate with Docker container 2, which reduces the reliability of communication between Docker containers and therefore cannot guarantee secure communication between Docker containers. To that end it provides a method for controlling security of communication between containers, the steps of which are as follows:
Step S101, a first virtual container gateway receives an access request sent by a source Docker container, the access request including a first subnet address of a target Docker container;
As shown in Fig. 2, Docker container 21, Docker container 22 and Docker engine 31 are located on Docker server 11, and Docker engine 32 is located on Docker server 12. Docker container 22 can migrate from Docker server 11 to Docker server 12. Container gateway 40 can communicate with Docker engine 31 and Docker engine 32 respectively, and composer 30 can communicate with Docker server 11 and Docker server 12 respectively.
In the present embodiment, container gateway 40 may include multiple virtual container gateways, and the number of virtual container gateways in container gateway 40 is determined by the number of subnets to which the containers connected to container gateway 40 belong. For example, the subnet address of Docker container 21 is 192.168.0.X and the subnet address of Docker container 22 is 192.168.1.X. When 192.168.0.X and 192.168.1.X belong to different subnets, container gateway 40 may include two virtual container gateways, namely a first virtual container gateway and a second virtual container gateway; it is assumed that the first virtual container gateway corresponds to Docker container 21 and the second virtual container gateway corresponds to Docker container 22.
In the present embodiment, Docker container 21 is the source Docker container and Docker container 22 is the target Docker container; the first subnet address of the target Docker container is the subnet address of Docker container 22, i.e. 192.168.1.X. Docker container 21 accesses Docker container 22 in order to communicate with it. Specifically, Docker container 21 stores in advance the IP address and port number of the first virtual container gateway, and Docker container 21 sends an access request to the first virtual container gateway; the access request includes the subnet address of Docker container 22, i.e. 192.168.1.X.
Step S102, the first virtual container gateway obtains address information of a second virtual container gateway corresponding to the first virtual container gateway, the second virtual container gateway corresponding to the target Docker container;
Specifically, the first virtual container gateway queries an ACL rule to obtain the address information of the second virtual container gateway corresponding to the first virtual container gateway; the ACL rule includes a correspondence between the address information of the first virtual container gateway and the address information of the second virtual container gateway.
In the present embodiment, an access control list (ACL) rule allowing the first virtual container gateway and the second virtual container gateway to communicate can be set in advance in composer 30; for example, the ACL rule permits communication between the first virtual container gateway and the second virtual container gateway. In addition, the ACL rule may also include the correspondence between the address information of the first virtual container gateway and the address information of the second virtual container gateway, indicating that communication is permitted between the address information of the first virtual container gateway and the address information of the second virtual container gateway.
Step S103, the first virtual container gateway sends the access request to the second virtual container gateway according to the address information of the second virtual container gateway, so that the second virtual container gateway forwards the access request to the target Docker container.
After the first virtual container gateway obtains the address information of the second virtual container gateway, it sends the access request to the second virtual container gateway. The second virtual container gateway checks that the destination address in the access request is the subnet address of Docker container 22, i.e. 192.168.1.X, and then sends the access request to Docker container 22.
In addition, in the present embodiment the communication mode between the first virtual container gateway and the source Docker container may be a tunnel mode, and the communication mode between the second virtual container gateway and the target Docker container may also be a tunnel mode.
In the embodiment of the present invention, secure communication is carried out between virtual container gateways. Even if the source Docker container and the target Docker container are migrated from one Docker server to another, so that the virtual container gateways corresponding to the source Docker container and the target Docker container change after the migration, secure communication between the Docker containers can still be achieved through the secure communication between the virtual container gateways, which ensures the reliability of communication between Docker containers.
Fig. 3 is a flow chart of a method for controlling security of communication between containers provided by another embodiment of the present invention. As shown in Fig. 3, on the basis of the embodiment shown in Fig. 1, the specific steps of the method for controlling security of communication between containers provided by this embodiment are as follows:
Step S301, the first virtual container gateway allocates a second subnet address to the source Docker container;
In the present embodiment, Docker container 21 and Docker container 22 are in the same subnet; the first virtual container gateway can allocate a second subnet address, such as 192.168.0.1, to Docker container 21, and can also allocate a first subnet address, such as 192.168.0.2, to Docker container 22.
Step S302, the first virtual container gateway stores the second subnet address of the source Docker container;
The first virtual container gateway stores the second subnet address 192.168.0.1 of Docker container 21 and the first subnet address 192.168.0.2 of Docker container 22.
Step S303, the first virtual container gateway receives an access request sent by the source Docker container, the access request including the first subnet address of the target Docker container;
When the source Docker container, i.e. Docker container 21, needs to communicate with the target Docker container, i.e. Docker container 22, it sends an access request to the first virtual container gateway in tunnel mode; the access request includes the first subnet address of the target Docker container, i.e. 192.168.0.2, and the second subnet address of the source Docker container, i.e. 192.168.0.1.
Step S304, the first virtual container gateway determines, according to the first subnet address of the target Docker container, whether the target Docker container and the source Docker container are in the same subnet;
After the first virtual container gateway receives the access request, it obtains from the access request the first subnet address of the target Docker container, i.e. 192.168.0.2, and the second subnet address of the source Docker container, i.e. 192.168.0.1, and determines whether the first subnet address of the target Docker container and the second subnet address of the source Docker container are in the same subnet.
Step S305, if the target Docker container and the source Docker container are in the same subnet, the access request is sent to the target Docker container.
Since 192.168.0.2 and 192.168.0.1 are in the same subnet, the first virtual container gateway does not need to query the second virtual container gateway corresponding to the first virtual container gateway, and sends the access request directly to the target Docker container.
In the present embodiment, after the first virtual container gateway receives the access request sent by the source Docker container, it obtains the first subnet address of the target Docker container and determines, according to the first subnet address of the target Docker container and the second subnet address of the source Docker container, whether the target Docker container and the source Docker container are in the same subnet. If they are, the access request is sent directly to the target Docker container without querying the second virtual container gateway corresponding to the first virtual container gateway, which improves the forwarding efficiency of the access request.
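The following Python model is an added example and not code from the patent; it serves both the Fig. 1 procedure (Steps S101 to S103: ACL lookup at the first virtual container gateway and forwarding to the second) and the Fig. 3 procedure (Steps S301 to S305: address allocation and the same-subnet shortcut). The request format, the "ip:port" address information strings, the composer's registry of gateways, the container names and the choice to decide "same subnet" by the gateway's own /24 are all assumptions of this example. It also shows two failure modes a defender cares about: a request with no ACL correspondence is denied rather than forwarded, and a stale ACL rule after migration leaves the target unreachable until composer 30 re-points it.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class AccessRequest:
    src_addr: str  # second subnet address of the source container (Step S303)
    dst_addr: str  # first subnet address of the target container


class Composer:
    """Model of composer 30: holds the ACL rule that pairs the address information
    of two virtual container gateways. The registry (address information -> gateway)
    is an assumption of this example so a forwarded request can be delivered."""

    def __init__(self):
        self.acl = {}       # gateway address_info -> permitted peer address_info
        self.registry = {}  # gateway address_info -> VirtualContainerGateway

    def register(self, gw):
        self.registry[gw.address_info] = gw
        gw.composer = self

    def allow(self, gw_a, gw_b):
        """Set the ACL rule: gw_a's peer is gw_b and vice versa."""
        self.acl[gw_a.address_info] = gw_b.address_info
        self.acl[gw_b.address_info] = gw_a.address_info


@dataclass
class VirtualContainerGateway:
    name: str
    address_info: str              # assumed "ip:port" form of the gateway endpoint
    subnet: ipaddress.IPv4Network  # the subnet this gateway serves (assumption)
    containers: dict = field(default_factory=dict)  # subnet address -> container name
    log: list = field(default_factory=list)
    composer: Composer = None

    def allocate(self, container):
        """Steps S301/S302: allocate a free subnet address to a container and store it."""
        used = {ipaddress.ip_address(a) for a in self.containers}
        for host in self.subnet.hosts():
            if host not in used:
                self.containers[str(host)] = container
                return str(host)
        raise RuntimeError("subnet exhausted")

    def handle(self, req):
        """First-gateway side: Steps S304/S305, then S102/S103 when the subnets differ."""
        if ipaddress.ip_address(req.dst_addr) in self.subnet:
            return self.deliver(req)  # same subnet: direct delivery, no ACL lookup
        peer = self.composer.registry.get(self.composer.acl.get(self.address_info))
        if peer is None:
            # Default deny: without an ACL correspondence the request is not forwarded.
            self.log.append(f"DENY {req.src_addr}->{req.dst_addr}: no ACL rule")
            return "denied"
        self.log.append(f"FORWARD {req.dst_addr} to {peer.name} at {peer.address_info}")
        return peer.deliver(req)

    def deliver(self, req):
        """Second-gateway side: check the destination is a container it serves."""
        target = self.containers.get(req.dst_addr)
        if target is None:
            self.log.append(f"DROP {req.dst_addr}: not served by {self.name}")
            return "unreachable"
        return f"delivered to {target}"


def scenario():
    """Constructed walk-through; returns the outcome of each access request."""
    composer = Composer()
    gw1 = VirtualContainerGateway("gw1", "10.0.0.1:4789", ipaddress.ip_network("192.168.0.0/24"))
    gw2 = VirtualContainerGateway("gw2", "10.0.0.2:4789", ipaddress.ip_network("192.168.1.0/24"))
    composer.register(gw1)
    composer.register(gw2)
    c21 = gw1.allocate("container21")  # 192.168.0.1
    c23 = gw1.allocate("container23")  # 192.168.0.2, same subnet as container21 (Fig. 3 case)
    c22 = gw2.allocate("container22")  # 192.168.1.1, other subnet (Fig. 1 case)
    results = {"addresses": (c21, c23, c22)}
    results["same_subnet"] = gw1.handle(AccessRequest(c21, c23))
    results["no_acl"] = gw1.handle(AccessRequest(c21, c22))  # no ACL rule set yet
    composer.allow(gw1, gw2)
    results["via_acl"] = gw1.handle(AccessRequest(c21, c22))
    # Migration: container22 moves behind a new gateway gw3; until the composer
    # re-points the ACL rule, gw1 still forwards to gw2, which no longer serves it.
    gw3 = VirtualContainerGateway("gw3", "10.0.0.3:4789", ipaddress.ip_network("192.168.1.0/24"))
    composer.register(gw3)
    gw2.containers.pop(c22)
    gw3.containers[c22] = "container22"  # keeps its subnet address after migration (assumption)
    results["stale_acl"] = gw1.handle(AccessRequest(c21, c22))
    composer.allow(gw1, gw3)
    results["after_migration"] = gw1.handle(AccessRequest(c21, c22))
    return results
```

Running `scenario()` yields direct delivery for the same-subnet request, a denial while no ACL rule exists, delivery via gw2 once composer 30 pairs gw1 with gw2, an unreachable result while the rule still points at gw2 after the migration, and delivery again once the rule is re-pointed at gw3. The `log` lists on each gateway are where a monitoring hook would pick up the DENY and DROP events.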
Fig. 4 is a structural diagram of a security control apparatus for communication between containers provided by an embodiment of the present invention. The security control apparatus for communication between containers provided by the embodiment can execute the processing flow provided by the embodiment of the method for controlling security of communication between containers. As shown in Fig. 4, the security control apparatus 40 for communication between containers includes a receiving module 41, an obtaining module 42 and a sending module 43. The receiving module 41 is configured to receive an access request sent by a source Docker container, the access request including a first subnet address of a target Docker container; the obtaining module 42 is configured to obtain the address information of a second virtual container gateway corresponding to the first virtual container gateway, the second virtual container gateway corresponding to the target Docker container; the sending module 43 is configured to send the access request to the second virtual container gateway according to the address information of the second virtual container gateway, so that the second virtual container gateway forwards the access request to the target Docker container.
The security control apparatus for communication between containers provided by the embodiment of the present invention may specifically be used to execute the method embodiment provided above with reference to Fig. 1; its specific functions are not described again here.
In the embodiment of the present invention, secure communication is carried out between virtual container gateways. Even if the source Docker container and the target Docker container are migrated from one Docker server to another, so that the virtual container gateways corresponding to the source Docker container and the target Docker container change after the migration, secure communication between the Docker containers can still be achieved through the secure communication between the virtual container gateways, which ensures the reliability of communication between Docker containers.
Fig. 5 is a structural diagram of a security control apparatus for communication between containers provided by another embodiment of the present invention. As shown in Fig. 5, on the basis of the embodiment shown in Fig. 4, the obtaining module 42 includes a query unit 421 and an acquiring unit 422. The query unit 421 is configured to query the ACL rule; the acquiring unit 422 is configured to obtain the address information of the second virtual container gateway corresponding to the first virtual container gateway, the ACL rule including the correspondence between the address information of the first virtual container gateway and the address information of the second virtual container gateway.
The security control apparatus 40 for communication between containers further includes an allocation module 44 and a storage module 45. The allocation module 44 is configured to allocate a second subnet address to the source Docker container, and the storage module 45 is configured to store the second subnet address of the source Docker container.
Further, the access request also includes the second subnet address of the source Docker container. The security control apparatus 40 for communication between containers further includes a determining module 46, configured to determine, according to the first subnet address of the target Docker container, whether the target Docker container and the source Docker container are in the same subnet.
The sending module 43 is further configured to send the access request to the target Docker container when the target Docker container and the source Docker container are in the same subnet.
The security control apparatus for communication between containers provided by the embodiment of the present invention may specifically be used to execute the method embodiment provided above with reference to Fig. 3; its specific functions are not described again here.
In the present embodiment, after the first virtual container gateway receives the access request sent by the source Docker container, it obtains the first subnet address of the target Docker container and determines, according to the first subnet address of the target Docker container and the second subnet address of the source Docker container, whether the target Docker container and the source Docker container are in the same subnet. If they are, the access request is sent directly to the target Docker container without querying the second virtual container gateway corresponding to the first virtual container gateway, which improves the forwarding efficiency of the access request.
In conclusion the embodiment of the present invention passes through the beam communication between virtual container gateway, instant source Docker containerIt is migrated with target Docker container, from a Docker server migration to another Docker server, is movedThe corresponding virtual container gateway of opisthogenesis Docker container and target Docker container of shifting is changed, but passes through voidBeam communication between quasi- container gateway, still may be implemented the beam communication between Docker container, ensure that Docker holdsThe reliability communicated between device;After first virtual container gateway receives the access request of source Docker container transmission, mesh is obtainedThe first subnet address for marking Docker container, according to the of the first subnet address of target Docker container and source Docker containerTwo subnet address determine target Docker container and source Docker container whether in the same subnet, if asking accessIt asks and is transmitted directly to target Docker container, do not need inquiry the second virtual container net corresponding with the first virtual container gatewayIt closes, improves the forward efficiency of access request.
In the several embodiments provided by the present invention, it should be understood that the disclosed apparatus and method may be implemented in other ways. For example, the apparatus embodiments described above are merely illustrative: the division into units is only a logical functional division, and other divisions are possible in actual implementation; for instance, multiple units or components may be combined or integrated into another system, or some features may be ignored or not executed. Furthermore, the mutual coupling, direct coupling or communication connection shown or discussed may be an indirect coupling or communication connection through some interfaces, apparatuses or units, and may be electrical, mechanical or in other forms.
The units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units; they may be located in one place or distributed over multiple network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, the functional units in the embodiments of the present invention may be integrated into one processing unit, or each unit may exist physically alone, or two or more units may be integrated into one unit. The above integrated unit may be implemented in the form of hardware, or in the form of hardware plus a software functional unit.
The above integrated unit implemented in the form of a software functional unit may be stored in a computer-readable storage medium. The software functional unit is stored in a storage medium and includes instructions for causing a computer device (which may be a personal computer, a server, a network device or the like) or a processor to execute some of the steps of the method of each embodiment of the present invention. The storage medium includes various media that can store program code, such as a USB flash disk, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk or an optical disk.
Those skilled in the art will clearly understand that, for convenience and brevity of description, the division into the functional modules above is used only as an example; in practical applications, the functions above may be allocated to different functional modules as needed, that is, the internal structure of the apparatus may be divided into different functional modules to complete all or part of the functions described above. For the specific working process of the apparatus described above, reference may be made to the corresponding process in the foregoing method embodiment, which is not repeated here.
Finally, it should be noted that the above embodiments are only used to illustrate the technical solutions of the present invention, not to limit them. Although the present invention has been described in detail with reference to the foregoing embodiments, those skilled in the art should understand that they may still modify the technical solutions described in the foregoing embodiments or replace some or all of the technical features with equivalents, and that such modifications or replacements do not cause the essence of the corresponding technical solutions to depart from the scope of the technical solutions of the embodiments of the present invention.