This application is a divisional application of the application filed on April 16, 2018, with application No. 201810339750.X, entitled "Data service system, method, server and computer-readable storage medium".
Specific embodiment
The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the accompanying drawings. The described embodiments are evidently some, rather than all, of the embodiments of the present invention. All other embodiments obtained by a person of ordinary skill in the art based on the embodiments of the present invention, without creative effort, shall fall within the protection scope of the present invention.
Fig. 1 is a schematic structural diagram of a data service system provided in an embodiment of the present invention. Referring to Fig. 1, the data service system includes: at least one access server, multiple hosts and multiple container clusters, a storage server, and a BaaS (Blockchain as a Service) bus.
The access server is used to provide an access service for at least one blockchain platform, and to provide users with web-based blockchain management and viewing functions.
The access server is located at the access layer of the blockchain network. As shown in Fig. 2, the access server may include a RESTful (Representational State Transfer) API (application programming interface), an SDK, and so on. Through the access server, a user can access the blockchain network platform, view the public chain on the blockchain network platform, log in to the user's personal account on the platform, and view the data in the user's own private network. The user can also manage the personal account on the blockchain network platform and configure the permissions of their own private network, for example setting the permissions so that access is allowed only for auditing and supervision.
In a possible design, the access server is also used to provide a private network configuration service based on the multiple hosts and multiple container clusters. The access server can provide an entry for creating a private network on a web page; when a user needs to define a private blockchain network, the access server can configure a private network for the user based on that entry.
On the blockchain network platform, the access server can be used to receive a blockchain network creation instruction, which indicates that a private network for the user is to be created on the blockchain network platform; the access server can carry out private network configuration based on the blockchain network creation instruction. During private network configuration, the access server can first determine a target host, obtain the address of a target private network (VPC), and allocate the target private network based on the address of the target VPC. Further, the user can select multiple containers, which form a target container cluster; the target container cluster selected by the user can be deployed on the target host, and the multiple service types the user needs can be deployed on the target container cluster. The access server determines the target container cluster, obtains a target blockchain engine and image, and runs the image through the target container cluster running on the target host, thereby deploying the blockchain engine in the target private network space. The access server then obtains a target external network domain name and stores, in association, the mapping relations between the address of the target private network, the target external network domain name and the image path.
After logging in to a personal account on the blockchain network platform, the user can trigger a blockchain network creation instruction on the platform in order to define their own private network on the blockchain platform. When the access server receives the blockchain network creation instruction, it can prompt the user on the current web page to select the host that will provide the service; based on the regions in which the candidate hosts are located and the availability zones of each region, the user can select a target host in the region and availability zone that the user uses.
It should be noted that the target host can be a CDH (Cloud Virtual Machine Dedicated Host). A virtualization system is deployed on the CDH in advance, and the user can implement the required services based on that virtualization system. In the embodiment of the present invention, multiple dedicated sub-machines can also be defined on the host, and the CPU, memory, and so on of each dedicated sub-machine can be configured. A dedicated sub-machine is a virtual machine that the user creates from the physical resources of the dedicated host through the virtualization system that has been set up; one CVM (Cloud Virtual Machine) instance can be deployed in one dedicated sub-machine, so that a cluster of cloud server instances can be deployed on the target host. Creating dedicated sub-machines on the CDH is the process of allocating the physical server's resources to multiple virtual machines.
After selecting the target host, the user can also define the private network on the blockchain network platform based on IP addresses. The user can specify a group of IP addresses in the form of a CIDR (Classless Inter-Domain Routing) block, and the access server configures a private network for the user based on the IP address group the user specifies. The access server can also configure the region attribute of the private network for the user. For example, the user can select North China (Beijing) as the region of use, and the access server takes North China (Beijing), as selected by the user, as the region attribute of the private network. Of course, the access server can also automatically match, according to the user's current location, the region in which the current location lies or a region close to it. The access server then adds the target host selected by the user to the private network.
It should be noted that a private network (Virtual Private Cloud, VPC) is provided by the blockchain network platform and can host service resources, including cloud service resources such as cloud servers, load balancing, and cloud databases. The user can customize the network segment division, IP addresses, routing policies, and so on, thereby customizing the basic information of the private network; the user can also set the access permissions of the private network so that other users cannot access it without permission, which achieves network isolation. The CIDR block is based on user-defined IP addresses and combines an IP address and a mask to divide the network as a whole. Taking 10.1.0.0/16 as an example, the part to the left of the slash is the IP of the private network selected by the user, and the part to the right of the slash is the mask of the private network. The size of the private network's address space is adjusted by setting the size of the mask. The number of IP addresses that the private network contains = 2^(32 - mask); the 10.1.0.0/16 network block contains at most 65536 IP addresses. In addition, the private network has a region attribute; for example, the region attribute of private network A is South China (Guangzhou), and a user cannot create a VPC across regions.
In a possible design, the user can also define at least one subnet in the private network. The access server creates the subnet based on the selected availability zone, which lies within the region where the private network is located. Correspondingly, adding the target host to the private network means adding dedicated sub-machines to each subnet of the private network.
In the embodiment of the present invention, the blockchain network platform can also provide CCS (Cloud Container Service), a highly scalable, high-performance container management service. After defining the target host and the private network, the user can run applications on the target container cluster quickly and efficiently through CCS.
After configuring the target host for the user, the access server can also create the target container cluster for the user based on the cloud container service provided by the blockchain network platform, and deploy the services the user needs on the target container cluster. The target container cluster includes multiple containers of identical configuration. When a container creation instruction is received, the access server creates the target container cluster through the steps of creating a cluster and creating a service. Here, a cluster is the set of cloud resources required to run the multiple containers included in the target container cluster; in the embodiment of the present invention, these can be cloud resources such as hosts and load balancers. A service can consist of the microservices of the target container cluster and the rules for accessing the target container cluster.
The process of creating the cluster can be as follows: the access server obtains the basic information of the cluster set by the user on the current web page and creates the cluster for the user based on that basic information. The access server can also display the created cluster in a cluster list for the user to view. The basic information of the cluster may include: cluster name, billing mode, region, availability zone, node network, container network, cluster description, and other information.
The access server uses the target private network as the network space in which the target container cluster runs, and the node network of the cluster can be a subnet of the private network. The container network is the network allocated to the containers in the target container cluster; the access server can use the network corresponding to a private network segment in the node network as the container network. The access server can automatically allocate an appropriately sized IP address range for Kubernetes services according to the upper limit on the number of services in the cluster selected by the user, while the container network automatically assigns each cloud host in the cluster a 24-bit network segment, which is used for the IP addresses of the Pods (instances) assigned to that host.
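The addressing rules above (CIDR block size, subnets inside the private network, a service range sized from the service limit, and one 24-bit segment per host for Pods) can be checked with a short planner. This is an added example, not part of the patent text; the function names, the sample addresses, and the choice to carve the service range from the start of the container network are assumptions.

```python
import ipaddress
from itertools import combinations


def address_count(cidr):
    """Addresses in a CIDR block: 2 ** (32 - mask), the formula from the text."""
    # IPv4Network is strict by default: 10.1.0.1/16 (host bits set) is rejected.
    net = ipaddress.IPv4Network(cidr)
    return 2 ** (32 - net.prefixlen)


def validate_subnets(vpc_cidr, subnet_cidrs):
    """Check that every subnet lies inside the VPC and that no two overlap."""
    vpc = ipaddress.IPv4Network(vpc_cidr)
    subnets = [ipaddress.IPv4Network(c) for c in subnet_cidrs]
    for subnet in subnets:
        if not subnet.subnet_of(vpc):
            raise ValueError(f"{subnet} is outside private network {vpc}")
    for a, b in combinations(subnets, 2):
        if a.overlaps(b):
            raise ValueError(f"subnets {a} and {b} overlap")
    return subnets


def plan_container_network(container_cidr, hosts, max_services):
    """Split a container network into a service range and one /24 per host.

    Assumption: the service range is the first block of the container network
    and is the smallest power-of-two block that holds max_services addresses.
    """
    container = ipaddress.IPv4Network(container_cidr)
    if not container.is_private:
        raise ValueError(f"{container} is not a private network segment")
    if max_services < 1:
        raise ValueError("max_services must be at least 1")

    bits = max(1, (max_services - 1).bit_length())
    service_prefix = 32 - bits
    if service_prefix < container.prefixlen:
        raise ValueError("service range does not fit in the container network")
    service_range = next(container.subnets(new_prefix=service_prefix))

    if container.prefixlen > 24:
        raise ValueError("container network is smaller than one /24 Pod segment")
    # Every /24 that does not collide with the service range is a Pod segment.
    free = (n for n in container.subnets(new_prefix=24)
            if not n.overlaps(service_range))

    pod_segments = {}
    for host in hosts:
        segment = next(free, None)
        if segment is None:
            raise ValueError(f"no /24 Pod segment left for host {host}")
        pod_segments[host] = segment
    return service_range, pod_segments


if __name__ == "__main__":
    # Constructed sample values, not taken from the patent.
    print(address_count("10.1.0.0/16"))
    print(validate_subnets("10.1.0.0/16", ["10.1.0.0/24", "10.1.1.0/24"]))
    services, pods = plan_container_network(
        "172.16.0.0/16", ["cvm-1", "cvm-2", "cvm-3"], max_services=1024)
    print(services, pods)
```

The planner fails closed: a subnet outside the private network, overlapping subnets, or more hosts than free 24-bit segments raise `ValueError` instead of producing a partial plan.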
The access server obtains the basic information of the service set by the user, and obtains the mount path corresponding to the target container cluster and the storage device corresponding to the target container cluster. In the embodiment of the present invention, the storage device can be mounted on the target host. The access server obtains the configuration information of the target container cluster to be created and creates the target container cluster for the user based on that configuration information. The configuration information may include the name of the target container cluster, the image, and other information.
In the embodiment of the present invention, the multiple hosts and multiple container clusters are used to provide mutually isolated private network services for multiple users, based on the private network configuration that the multiple users carry out through the access server.
The host can be a CDH host, which provides the user with exclusive physical server resources and meets the user's needs for exclusive resources, physical resource isolation, security and compliance; each user can achieve resource isolation through their exclusive CDH host. The access server can also, in conjunction with the configured IP addresses and routing policies, achieve isolation between the private networks of different users through the CDH hosts.
As shown in Fig. 2, multiple containers are provided on the blockchain network platform and are orchestrated and managed through the Kubernetes orchestration tool. In the user's private network, each container predefined in the Kubernetes orchestration tool is used to implement the function of a certain service type, so that one or more service types can be deployed on the target container cluster. During actual operation of the business, the Kubernetes orchestration tool can also provide resource scheduling, dynamic scaling, and so on for the multiple services running on the container cluster.
It should be noted that, with CCS, there is no need to install, operate, or scale cluster management infrastructure on the blockchain network platform; simple API calls are enough to start and stop Docker applications, query the complete state of the cluster, and use various cloud services. In addition, Kubernetes provides a complete set of functions for containerized applications, such as deployment and operation, resource scheduling, service discovery and dynamic scaling, which helps users quickly containerize the deployment, scaling and management of applications and thereby greatly improves business processing efficiency.
The multiple hosts and multiple container clusters of the blockchain network platform can also be used to run, through the multiple container clusters, the blockchain engines of the private network services of the multiple users. In the embodiment of the present invention, the access server can obtain a target blockchain engine and image and run the image through the target container cluster, thereby deploying the blockchain engine in the private network space. The blockchain engine is configured with the algorithms that drive the entire business process, such as a consensus algorithm; it can be deployed on the target container cluster, and the business the user needs is completed by running the target blockchain engine on the target container cluster. The user can supply a custom image or select an image from the blockchain network platform.
Further, the access server can also obtain a target external network domain name, associate the image path of the target container cluster, the private network address corresponding to the target container cluster and the target external network domain name with one another, and store the mapping relations between the image path, the address of the private network and the target external network domain name. This establishes a correspondence between the external network, the internal network and the container cluster, and the blockchain engine is run on the target containers so as to deploy the container cluster automatically. In the embodiment of the present invention, the access server starts the blockchain engine on the target container cluster, thereby deploying the blockchain engine automatically in the private network space.
In fact, as shown in Fig. 3, in terms of logical structure the data service system can deploy a BaaS interface, Hyperledger, smart contracts (Corda), and multiple Docker container clusters orchestrated and managed with Kubernetes. The multiple container clusters are mounted on multiple hosts; the user's business system can access the data service system through the BaaS interface, and the administrator of the data service system can monitor the multiple container clusters through the BaaS back end. Of course, the data service system can also provide other services based on the private network, such as big data analysis, artificial intelligence, cloud security, and automated operation and maintenance.
It should be noted that multiple users can, in the manner described above, each define their own target private network based on IP addresses, and network isolation between the private networks of multiple users is achieved through the security groups and ACLs (Access Control Lists) of the private networks. In addition, multiple blockchain engines are provided, encapsulated in different container clusters; the operating system disk of the target host uses a CBS cloud disk, and the storage services of CFS and CRS are used. Based on the user's security needs, each storage device can be deployed in a physical enclosure or as a private deployment, so that independent management, control, operation and maintenance can be supported. Also, based on the storage services of devices such as the CBS cloud disk and CFS, at least three copies of the stored data are backed up, with support for real-time data synchronization within the same city and semi-real-time synchronization to remote sites, which greatly improves the security, flexibility and practicality of the data service system.
In addition, the data service system can also provide integrated security protection spanning the network, hosts, data and business security, ensuring that the user's business runs safely. For example, it provides services such as industry-certified security compliance, network isolation, DDoS (Distributed Denial of Service) protection, vulnerability scanning, host protection, business continuity assurance, and security management and auditing, which achieves platform security and greatly improves the security of user data.
It should be noted that the prior art usually creates the blockchain network for the user on a traditional VLAN (Virtual Local Area Network) in order to provide the blockchain service. In a traditional network, however, all users on the blockchain network platform share a common pool of network resources, no network isolation is possible between one user and another, IP addresses are assigned to users uniformly by the management device, and users cannot define their own private networks. In the embodiment of the present invention, users can freely define the network segment division, IP addresses and routing policies, and the access server can automatically deploy the blockchain service for the user based on the user's requirements, which greatly improves deployment efficiency. At the same time, users can achieve multi-layer security protection through security groups, ACLs, and so on, which greatly improves the flexibility and security of the blockchain service.
In a possible design, the access server also supports migration of the target container cluster, and the user can migrate the target container cluster. The access server is further used to: when a migration instruction for the target container cluster is received, based on the address of the private network corresponding to the target container cluster, change the private network address corresponding to the target container cluster in the mapping relations to the private network address after migration, thereby achieving dynamic migration of the target container cluster within the private network.
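The mapping described above, and its update on migration, shown as an added example that is not part of the patent text: the `MappingStore` class, the treatment of the private network address as a CIDR string, the audit list and the rejection of a domain name already bound to another cluster are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class ClusterMapping:
    domain: str       # target external network domain name
    vpc_address: str  # private network address of the cluster (CIDR, assumed)
    image_path: str   # image path of the blockchain engine the cluster runs


class MappingStore:
    """Hypothetical store for the domain / private address / image path mapping."""

    def __init__(self):
        self._by_cluster = {}
        self.audit = []  # one (cluster, old_address, new_address) per migration

    def register(self, cluster, domain, vpc_address, image_path):
        # A domain name may point at one cluster only, so that another tenant
        # cannot rebind an external name that is already in use.
        for name, mapping in self._by_cluster.items():
            if mapping.domain == domain and name != cluster:
                raise ValueError(f"{domain} is already bound to {name}")
        address = str(ipaddress.ip_network(vpc_address))  # ValueError if malformed
        self._by_cluster[cluster] = ClusterMapping(domain, address, image_path)

    def migrate(self, cluster, new_vpc_address):
        """Rewrite only the private network address; domain and image stay fixed."""
        old = self._by_cluster[cluster]  # KeyError for an unknown cluster
        # Validation happens before the store is touched, so a bad address
        # leaves the existing mapping unchanged.
        address = str(ipaddress.ip_network(new_vpc_address))
        self._by_cluster[cluster] = replace(old, vpc_address=address)
        self.audit.append((cluster, old.vpc_address, address))

    def resolve(self, domain):
        """Return (private network address, image path) for an external domain."""
        for mapping in self._by_cluster.values():
            if mapping.domain == domain:
                return mapping.vpc_address, mapping.image_path
        raise KeyError(domain)


if __name__ == "__main__":
    # Constructed sample values, not taken from the patent.
    store = MappingStore()
    store.register("cluster-a", "chain-a.example.com", "10.1.0.0/16",
                   "registry.example/engines/engine-a:1.0")
    store.migrate("cluster-a", "10.9.0.0/16")
    print(store.resolve("chain-a.example.com"))
    print(store.audit)
```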
In the embodiment of the present invention, the data service system further includes a BaaS bus, which is used to provide secure data channels between servers, between hosts and servers, and between the at least one access server and the external network.
The BaaS bus is used to provide encryption and decryption of exchanged data and the issuance and maintenance of digital certificates. Through the interface of the BaaS bus, the data service system can call the encryption and decryption algorithms and key storage service provided by a hardware encryption machine, and the digital certificate issuance and maintenance functions provided by the CA (Certificate Authority) center of a designated institution. The hardware encryption machine and the CA center functions can be deployed in a physical enclosure or deployed privately for each user, with support for independent management and control, which greatly improves the security of encryption, decryption and authentication.
In a possible design, any other blockchain organization on the blockchain network platform, outside a given consortium chain, can send a join request to the consortium chain in order to share the transaction data of each member of the consortium chain. When the access server receives a join request from another member, it enables that member to join quickly through the secure channel provided by the BaaS bus. The joining member can be connected either by docking through a third-party platform or by docking within the private network. When the access server receives a join request from any other blockchain organization, if the join request was initiated through a third-party platform, the access server docks with the third-party platform through the dedicated line or IPsec VPN (secure virtual private network) provided by the BaaS bus; alternatively, if the join request was initiated by any private network in the system, the access server establishes a peer-to-peer connection with that private network through the BaaS bus. During docking, the access server calls the authentication service of the CA center through the interface to perform permission authentication on the join request of the other blockchain organization and, through the consensus algorithm, establishes a communication connection with the other blockchain organization. The other blockchain organization can first call the digital certificate of the CA center through the BaaS bus and then initiate the join request to the current consortium chain.
It should be noted that when an audit institution needs to supervise the members of a consortium chain, it can, on the premise that each member has granted authorization, supervise and audit each member directly through the access server. Of course, it can also obtain each member's authorization for the supervision information in the consortium chain in the same way that other members initiate a join request and dock, as described above, and carry out the supervision and audit of each member through the established docking.
In the embodiment of the present invention, the data service system further includes a storage server, which is used to provide a load-balanced distributed data storage function. The storage server may include CBS (Cloud Block Storage, cloud disk) and CFS (Cloud File Storage, file storage).
It should be noted that CBS can provide block-level data storage. The cloud disk can use a multi-replica distributed mechanism that automatically stores the data redundantly in multiple replicas; when any one replica fails, data migration and recovery can be carried out quickly, which avoids the risk of a single point of failure for the data and greatly improves the reliability of data storage. CBS can also store data persistently and can be mounted on any running instance in the same availability zone without shutting down or restarting the server, providing a data storage service for that instance and greatly improving the efficiency and convenience of data storage.
CFS provides shared storage: multiple CVMs can share the same storage space through the NFS (Network File System) protocol. CFS can also automatically and elastically expand the storage capacity of the file system according to the size of the files, and users can, according to the actual circumstances of their own business, use different schemes to access files across availability zones and across networks; the space can be adjusted based on the current storage situation, which improves the flexibility of storage.
In a possible design, the data service system schedules each device based on the load of each device in the system. As shown in Fig. 4, the data service system can, through the domain name resolution function of dnspod, direct an access request to the server nearest to the access request. For the external network outside the private network, the data service system can distribute a service request to the router corresponding to its service type and schedule service requests dynamically through the load-balancing function of the gateway TGW. Inside the private network, the data service system can dynamically schedule service requests among the multiple available servers according to the load of the multiple servers associated with the BaaS bus.
In addition, in the embodiment of the present invention, the storage server is also used to implement the disaster recovery and backup functions of the data service system. As shown in Fig. 4, the CDH hosts and target container clusters in the data service system are backed up in multiple replicas through CBS and CFS, for example by keeping 3 copies of the data in different machine rooms in the same city. In addition, users can also synchronize, or semi-synchronize, to remote storage through custom images, which reduces the risk of data loss.
In a possible design, the data service system can, through the target blockchain engine, publish monitoring and operation-and-maintenance (O&M) services via the interface of the BaaS bus, so that other blockchain organizations can subscribe to and use those monitoring and O&M services; it can also subscribe, via the interface of the BaaS bus, to monitoring and O&M services published by other blockchain engines. The BaaS bus can adapt the relevant monitoring and O&M interfaces to different blockchain engines. Different blockchain platforms can also use the interface of the BaaS bus to order functions such as CA, encryption and decryption, key storage, and cloud OS.
In a possible design, the data service system can support dynamic migration of the target container cluster based on IP addresses: services running on the target container cluster can be hot-migrated online, and even if the current container is damaged the service can be run by other containers, which greatly improves the redundancy of the target container cluster. Data in the data security zone can be backed up and stored in the same city or at a remote site through a DCI (Data Center Interconnect) encrypted channel. Disaster recovery across multiple sites is achieved through dnspod, and disaster recovery within the same city is achieved through external network load balancing. When authorized by the members of the consortium chain, the data service system can also export and import the data on the blockchain network platform and arrange the backed-up and disaster-recovery transaction data in order based on globally unique transaction numbers, which improves the accuracy of backup and disaster recovery.
In the embodiment of the present invention, the data service system can provide, through at least one access server, an access service, blockchain management and viewing functions, and a private network configuration service. Based on multiple hosts and multiple container clusters, users can define their own networks to obtain mutually isolated private network services, and the blockchain engines of the private network services of multiple users are run by the multiple container clusters. The data service system can thus deploy the blockchain service automatically, eliminating manual steps such as the user manually uploading chaincode, manually configuring applications, and establishing channels, which greatly improves efficiency in practice.
Fig. 5 is a flowchart of a data service method provided in an embodiment of the present invention. The method is applied in the data service system of the above embodiment. As shown in Fig. 5, the method includes:
501. At least one access server provides an access service for at least one blockchain platform, and provides users with web-based blockchain management and viewing functions;
502. The access server provides a private network configuration service based on multiple hosts and multiple container clusters;
503. The multiple hosts and multiple container clusters, based on the private network configuration carried out by multiple users through the access server, provide mutually isolated private network services for the multiple users, and run the blockchain engines of the private network services of the multiple users through the multiple container clusters;
504. The storage server provides a load-balanced distributed data storage function;
505. The blockchain-as-a-service (BaaS) bus provides secure data channels between servers, between hosts and servers, and between the at least one access server and the external network.
Optionally, the method further includes:
The access server receives a blockchain network creation instruction, which indicates that a private network for the user is to be created on the blockchain network platform;
The access server determines a target host, obtains the address of a target private network, and allocates the target private network based on the address of the target private network;
The access server determines a target container cluster, obtains a target blockchain engine and image, and runs the image through the target container cluster running on the target host, thereby deploying the blockchain engine in the target private network space;
The access server obtains a target external network domain name and stores, in association, the mapping relations between the address of the private network corresponding to the target container cluster, the target external network domain name and the image path of the target container cluster.
Optionally, the method further includes:
When a migration instruction for the target private network is received, the access server changes the address of the private network corresponding to the target container cluster in the mapping relations to the address of the private network after migration.
Optionally, the method further includes:
The BaaS bus provides encryption and decryption of exchanged data and the issuance and maintenance of digital certificates.
Optionally, the method further includes:
When a join request from any blockchain organization is received, if the join request was initiated through a third-party platform, the access server docks with the third-party platform through the dedicated line or secure virtual private network (IPsec VPN) provided by the BaaS bus;
Alternatively, when a join request from any blockchain organization is received, if the join request was initiated by any private network in the system, the access server establishes a peer-to-peer connection with that private network through the BaaS bus.
Optionally, the method further includes:
When docking with the blockchain organization, the access server calls the authentication service of the CA center through the BaaS bus to perform permission authentication on the join request of the blockchain organization and, through the consensus algorithm, establishes a communication connection with the blockchain organization, where the blockchain organization calls the digital certificate of the CA center through the BaaS bus and initiates the join request to the current consortium chain.
Optionally, the method further includes:
The data service system is also used to schedule each device based on the load of each device in the system.
Optionally, the method further includes:
The storage server is also used to implement the disaster recovery and backup functions of the data service system.
In the embodiment of the present invention, the data service system can provide, through at least one access server, an access service, blockchain management and viewing functions, and a private network configuration service. Based on multiple hosts and multiple container clusters, users can define their own networks to obtain mutually isolated private network services, and the blockchain engines of the private network services of multiple users are run by the multiple container clusters. The data service system can thus deploy the blockchain service automatically, eliminating manual steps such as the user manually uploading chaincode, manually configuring applications, and establishing channels, which greatly improves efficiency in practice.
Fig. 6 is a schematic structural diagram of a server provided in an embodiment of the present invention. The server may vary considerably depending on configuration or performance, and may include one or more processors (central processing units, CPUs) 601 and one or more memories 602, where at least one instruction is stored in the memory 602 and is loaded and executed by the processor 601 to implement the operations performed by any network device in the above data service system. Of course, the server can also have components such as a wired or wireless network interface, a keyboard and an input/output interface for input and output, and can include other components for implementing the functions of the device, which are not described here.
In an exemplary embodiment, a computer-readable storage medium is also provided, for example a memory including instructions, which can be executed by a processor in a terminal to complete the operations performed by any network device in the data service system in the following embodiments. For example, the computer-readable storage medium can be a ROM, a random access memory (RAM), a CD-ROM, a magnetic tape, a floppy disk, an optical data storage device, and so on.
Those of ordinary skill in the art will appreciate that all or some of the steps of the above embodiments can be completed by hardware, or by a program instructing the relevant hardware. The program can be stored in a computer-readable storage medium, and the storage medium mentioned above can be a read-only memory, a magnetic disk, an optical disc, or the like.
The foregoing are merely preferred embodiments of the present invention and are not intended to limit the present invention. Any modification, equivalent replacement, improvement, and so on made within the spirit and principles of the present invention shall fall within the protection scope of the present invention.