CN118860673A - Resource allocation method, device, electronic device, storage medium and program product - Google Patents

Resource allocation method, device, electronic device, storage medium and program product

Publication number
CN118860673A
Authority
CN
China
Prior art keywords
node
target
logical distance
computing
requesting
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN202411346159.9A
Other languages
Chinese (zh)
Other versions
CN118860673B (en)
Inventor
麻付强
苏志远
张东
党荣泉
徐峥
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Inspur Jinan data Technology Co ltd
Original Assignee
Inspur Jinan data Technology Co ltd
Application filed by Inspur Jinan data Technology Co ltd
Priority to CN202411346159.9A
Publication of CN118860673A
Application granted
Publication of CN118860673B
Legal status: Active


Abstract

The invention discloses a resource allocation method, a device, an electronic device, a storage medium and a program product, applied in the technical field of distributed clusters, which address the difficulty of achieving efficient confidential computing resource allocation in a distributed confidential computing cluster. The method is applied to any node in the distributed confidential computing cluster and comprises the following steps: determining the requesting node corresponding to a computing request; acquiring all logical distance groups of the current node, and determining the target logical distance group closest to the requesting node, wherein each logical distance group corresponding to the current node comprises no more than a preset number of allocatable nodes, the distance between each allocatable node and the current node does not exceed the distance range specified by the corresponding logical distance group, and the current node pre-stores node information of all the allocatable nodes; if the requesting node hits the target logical distance group, allocating the computing request to the requesting node; otherwise, determining a target node according to the target logical distance group and allocating the computing request to the target node.

Description

Translated from Chinese
Resource allocation method, device, electronic device, storage medium and program product

Technical Field

The present invention relates to the field of distributed cluster technology, and in particular to a resource allocation method, and also to a resource allocation device, an electronic device, a non-volatile storage medium and a computer program product.

Background Art

With the rapid development of distributed computing technology, resource scheduling, as the core technology of distributed computing, has received more and more attention. The goal of resource scheduling is to select a suitable computing solution for the current computing task, ensure that it runs efficiently, and make effective use of limited distributed cluster resources. As users and enterprises impose increasingly stringent requirements on data confidentiality, distributed clusters need to be able to protect data at runtime. Confidential computing technology has emerged to meet this need.

Confidential computing is a secure computing mode used to protect the confidentiality and integrity of data and code during computation. Based on trusted hardware, it uses a trusted execution environment (TEE) so that the code and data inside the environment cannot be monitored or tampered with during computation by other software (including privileged software) running on the same device. A distributed confidential computing cluster includes many confidential computing nodes. A confidential computing node processes data in use inside a trusted execution environment, which ensures the security of the data while it is in use. In addition, before data is transmitted between nodes or used, a remote attestation operation must be performed on the confidential computing node to prove that the node and the responding program are indeed running in a trusted execution environment, so that a secure transmission channel can be established. However, the trusted channels established among distributed cluster nodes carry a large amount of communication and have a complex structure, so the process of constructing remote attestation between any two nodes is also relatively complicated and difficult to apply in practice.

Therefore, how to build an efficient distributed confidential computing resource allocation method for a distributed confidential computing cluster system is an urgent problem for those skilled in the art.

Summary of the Invention

An object of the present invention is to provide a resource allocation method that achieves efficient distributed confidential computing resource allocation in a distributed confidential computing cluster system; another object of the present invention is to provide a resource allocation device, an electronic device, a non-volatile storage medium and a computer program product, all of which have the above beneficial effects.

In a first aspect, the present invention provides a resource allocation method, applied to any node in a distributed confidential computing cluster, the method comprising:

when a computing request is received, determining the requesting node corresponding to the computing request;

acquiring all logical distance groups of the current node, and determining, among all the logical distance groups, the target logical distance group closest to the requesting node; each logical distance group corresponding to the current node includes no more than a preset number of allocatable nodes, and the distance between each allocatable node and the current node does not exceed the distance range specified by the corresponding logical distance group; the current node pre-stores the node information of all the allocatable nodes;

if the requesting node hits the target logical distance group, allocating the computing request to the requesting node;

if the requesting node does not hit the target logical distance group, determining a target node according to the target logical distance group, and allocating the computing request to the target node.

Wherein, if the requesting node hits the target logical distance group, allocating the computing request to the requesting node includes:

if the requesting node hits the target logical distance group, obtaining the network status of the requesting node;

if the network status of the requesting node is offline, selecting a target allocatable node in the target logical distance group, and allocating the computing request to the target allocatable node;

if the network status of the requesting node is online, allocating the computing request to the requesting node.

Wherein, if the network status of the requesting node is online, allocating the computing request to the requesting node includes:

if the network status of the requesting node is online, obtaining the available resources of the requesting node;

if the available resources of the requesting node do not reach a preset threshold, selecting a target allocatable node in the target logical distance group, and allocating the computing request to the target allocatable node;

if the available resources of the requesting node reach the preset threshold, allocating the computing request to the requesting node.

Wherein, selecting a target allocatable node in the target logical distance group and allocating the computing request to the target allocatable node includes:

in the target logical distance group, selecting an allocatable node whose network status is online and whose available resources reach the preset threshold as the target allocatable node;

allocating the computing request to the target allocatable node.

Wherein, the resource allocation method further includes:

if the network status of the requesting node is offline, deleting the requesting node from the target logical distance group.

Wherein, the resource allocation method further includes:

determining all logical distance groups of the target allocatable node, and determining, among all those logical distance groups, the closest node corresponding to the target allocatable node;

if the closest node hits the target logical distance group, adding the closest node to the target logical distance group.

Wherein, if the requesting node does not hit the target logical distance group, determining a target node according to the target logical distance group and allocating the computing request to the target node includes:

if the requesting node does not hit the target logical distance group, determining whether the number of allocatable nodes in the target logical distance group has reached the preset number;

if the preset number has not been reached, adding the requesting node to the target logical distance group as the target node, and allocating the computing request to the target node;

if the preset number has been reached, selecting the target node within the target logical distance group, and allocating the computing request to the target node.

Wherein, adding the requesting node to the target logical distance group as the target node and allocating the computing request to the target node includes:

if the network status of the requesting node is online and its available resources reach the preset threshold, adding the requesting node to the target logical distance group as the target node, and allocating the computing request to the target node;

if the network status of the requesting node is offline, or its available resources do not reach the preset threshold, selecting the target node within the target logical distance group, and allocating the computing request to the target node.

Wherein, after selecting the target node within the target logical distance group and allocating the computing request to the target node when the network status of the requesting node is offline or its available resources do not reach the preset threshold, the method further includes:

determining all logical distance groups of the target node, and determining, among all those logical distance groups, the closest node corresponding to the target node;

if the closest node hits the target logical distance group, adding the closest node to the target logical distance group.

Wherein, selecting the target node within the target logical distance group and allocating the computing request to the target node includes:

in the target logical distance group, selecting an allocatable node whose network status is online and whose available resources reach the preset threshold as the target node;

allocating the computing request to the target node.

Wherein, for each node in the distributed confidential computing cluster, all logical distance groups corresponding to the node are obtained from the logical topology network corresponding to the node, and the logical topology network is obtained by constructing a binary tree according to the distances between the node and the other nodes in the distributed confidential computing cluster;

in the logical topology network corresponding to the current node, no more than the preset number of nodes in each subtree are combined into one logical distance group corresponding to the current node.

Wherein, the node information includes a remote attestation; if the requesting node hits the target logical distance group, allocating the computing request to the requesting node includes:

if the requesting node hits the target logical distance group, negotiating a session key with the requesting node according to the remote attestation;

encrypting the computing request using the session key to obtain an encrypted computing request;

allocating the encrypted computing request to the requesting node.

Wherein, the node information further includes a node ID, a node IP and a node location; allocating the encrypted computing request to the requesting node includes:

allocating the encrypted computing request to the requesting node according to the node ID, the node IP and the node location.

Wherein, the node ID includes encoded information of the node location and hash information of the node IP.

Wherein, the resource allocation method further includes:

initiating a remote attestation challenge to the requesting node and sending a random number to the requesting node, so that the requesting node responds to the remote attestation challenge by generating a remote attestation of the requesting node that contains the random number;

obtaining the remote attestation of the requesting node and verifying it, and saving the remote attestation of the requesting node when the verification passes.
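The challenge step above ties each attestation to a fresh random number, which is what stops a previously captured attestation from being replayed. The following added example (not code from the patent) shows the verifier-side checks; the HMAC key stands in for a hardware-rooted attestation signature, and the measurement value, node name and function names are constructed assumptions.

```python
import hashlib
import hmac
import secrets

# Assumption: an HMAC key stands in for the TEE's hardware attestation key.
HW_KEY = secrets.token_bytes(32)
# Constructed sample: the code measurement the verifier expects to see.
EXPECTED_MEASUREMENT = hashlib.sha256(b"constructed-enclave-image").digest()


def make_quote(measurement: bytes, nonce: bytes, key: bytes = HW_KEY) -> bytes:
    """Requesting-node side: bind measurement and nonce under the attestation key."""
    body = measurement + nonce
    return body + hmac.new(key, body, hashlib.sha256).digest()


class Verifier:
    """Challenging-node side: issue nonces, verify quotes, store accepted ones."""

    def __init__(self, key: bytes, expected: bytes):
        self.key = key
        self.expected = expected
        self.pending = {}    # node_id -> outstanding nonce
        self.attested = {}   # node_id -> accepted quote (the saved attestation)

    def challenge(self, node_id: str) -> bytes:
        nonce = secrets.token_bytes(16)
        self.pending[node_id] = nonce
        return nonce

    def verify(self, node_id: str, quote: bytes) -> bool:
        nonce = self.pending.pop(node_id, None)   # each nonce is single use
        if nonce is None or len(quote) != 32 + 16 + 32:
            return False
        body, tag = quote[:-32], quote[-32:]
        good_tag = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, good_tag):
            return False                          # not produced under the key
        if not hmac.compare_digest(body[:32], self.expected):
            return False                          # unexpected code measurement
        if not hmac.compare_digest(body[32:], nonce):
            return False                          # stale quote: nonce mismatch
        self.attested[node_id] = quote
        return True


def demo_attestation():
    v = Verifier(HW_KEY, EXPECTED_MEASUREMENT)
    q1 = make_quote(EXPECTED_MEASUREMENT, v.challenge("B"))
    fresh = v.verify("B", q1)                     # answers the current challenge
    v.challenge("B")
    replay = v.verify("B", q1)                    # old quote, new nonce
    n3 = v.challenge("B")
    wrong = v.verify("B", make_quote(hashlib.sha256(b"other").digest(), n3))
    unsolicited = v.verify("B", q1)               # no challenge outstanding
    return (fresh, replay, wrong, unsolicited), v.attested
```
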

Wherein, the resource allocation method further includes:

obtaining the locally available resources in real time;

if the locally available resources are lower than the preset threshold, determining the nearest node among all logical distance groups of the current node;

migrating the node load of the current node to the nearest node.

In a second aspect, the present invention further discloses a resource allocation device, applied to any node in a distributed confidential computing cluster, the device comprising:

a determination module, configured to determine, when a computing request is received, the requesting node corresponding to the computing request;

an acquisition module, configured to acquire all logical distance groups of the current node, and determine, among all the logical distance groups, the target logical distance group closest to the requesting node; each logical distance group corresponding to the current node includes no more than a preset number of allocatable nodes, and the distance between each allocatable node and the current node does not exceed the distance range specified by the corresponding logical distance group; the current node pre-stores the node information of all the allocatable nodes;

a first allocation module, configured to allocate the computing request to the requesting node if the requesting node hits the target logical distance group;

a second allocation module, configured to determine a target node according to the target logical distance group and allocate the computing request to the target node if the requesting node does not hit the target logical distance group.

In a third aspect, the present invention further discloses an electronic device, comprising:

a memory, configured to store a computer program;

a processor, configured to implement the steps of any one of the resource allocation methods described above when executing the computer program.

In a fourth aspect, the present invention further discloses a non-volatile storage medium on which a computer program is stored, wherein the computer program, when executed by a processor, implements the steps of any one of the resource allocation methods described above.

In a fifth aspect, the present invention further discloses a computer program product, including a computer program/instructions which, when executed by a processor, implement the steps of any one of the resource allocation methods described above.

The present invention provides a resource allocation method, applied to any node in a distributed confidential computing cluster, the method comprising: when a computing request is received, determining the requesting node corresponding to the computing request; acquiring all logical distance groups of the current node, and determining, among all the logical distance groups, the target logical distance group closest to the requesting node; each logical distance group corresponding to the current node includes no more than a preset number of allocatable nodes, and the distance between each allocatable node and the current node does not exceed the distance range specified by the corresponding logical distance group; the current node pre-stores the node information of all the allocatable nodes; if the requesting node hits the target logical distance group, allocating the computing request to the requesting node; if the requesting node does not hit the target logical distance group, determining a target node according to the target logical distance group, and allocating the computing request to the target node.

With the technical solution provided by the present invention, multiple logical distance groups are created in advance for each node in the distributed confidential computing cluster, and each logical distance group contains no more than a preset number of allocatable nodes within a specified distance range of the current node; that is, different logical distance groups correspond to different distance ranges. Thus, when a computing request for a requesting node is received, the target logical distance group closest to the requesting node can be determined among all logical distance groups of the current node, and the computing request can be allocated to the appropriate node for processing according to whether the requesting node hits the target logical distance group. Each node in the distributed confidential computing cluster therefore needs to store the node information of only a small number of other nodes rather than of all other nodes, which not only effectively reduces the storage pressure on each node but also greatly reduces the number of remote attestation operations between nodes, achieving efficient distributed confidential computing resource allocation.

The resource allocation device, electronic device, non-volatile storage medium and computer program product provided by the present invention have the same technical effects, which are not repeated here.

Brief Description of the Drawings

In order to explain the technical solutions in the prior art and in the embodiments of the present invention more clearly, the drawings needed to describe the prior art and the embodiments of the present invention are briefly introduced below. The drawings described below relate to only some of the embodiments of the present invention. Those of ordinary skill in the art can obtain other drawings from the provided drawings without creative effort, and such other drawings also fall within the protection scope of the present invention.

FIG. 1 is a schematic flow chart of a resource allocation method provided by an embodiment of the present invention;

FIG. 2 is a node distribution diagram of a distributed confidential computing cluster provided by an embodiment of the present invention;

FIG. 3 is a schematic diagram of a node ID structure provided by an embodiment of the present invention;

FIG. 4 is a schematic diagram of a distance-based logical topology network structure provided by an embodiment of the present invention;

FIG. 5 is a schematic diagram of subtree division within a logical topology network provided by an embodiment of the present invention;

FIG. 6 is a schematic diagram of a logical distance group list provided by an embodiment of the present invention;

FIG. 7 is a schematic diagram of a first resource allocation scenario provided by an embodiment of the present invention;

FIG. 8 is a schematic diagram of a second resource allocation scenario provided by an embodiment of the present invention;

FIG. 9 is a schematic diagram of a third resource allocation scenario provided by an embodiment of the present invention;

FIG. 10 is a schematic diagram of a fourth resource allocation scenario provided by an embodiment of the present invention;

FIG. 11 is a schematic diagram of a fifth resource allocation scenario provided by an embodiment of the present invention;

FIG. 12 is a schematic diagram of a sixth resource allocation scenario provided by an embodiment of the present invention;

FIG. 13 is a schematic diagram of a seventh resource allocation scenario provided by an embodiment of the present invention;

FIG. 14 is a schematic diagram of an eighth resource allocation scenario provided by an embodiment of the present invention;

FIG. 15 is a schematic structural diagram of a resource allocation device provided by an embodiment of the present invention;

FIG. 16 is a schematic structural diagram of an electronic device provided by an embodiment of the present invention.

Detailed Description

The core of the present invention is to provide a resource allocation method that achieves efficient distributed confidential computing resource allocation in a distributed confidential computing cluster system; another core of the present invention is to provide a resource allocation device, an electronic device, a non-volatile storage medium and a computer program product, all of which have the above beneficial effects.

In order to describe the technical solutions in the embodiments of the present invention more clearly and completely, they are introduced below with reference to the drawings of the embodiments. The described embodiments are only some of the embodiments of the present invention, not all of them. All other embodiments obtained by those of ordinary skill in the art on the basis of the embodiments of the present invention without creative effort fall within the protection scope of the present invention.

An embodiment of the present invention provides a resource allocation method.

It should be noted that the resource allocation method provided in the embodiment of the present invention can be applied to any node in a distributed confidential computing cluster, and that every node in the distributed confidential computing cluster is a confidential computing node.

On this basis, please refer to FIG. 1, which is a schematic flow chart of a resource allocation method provided in an embodiment of the present invention. The resource allocation method may include the following steps S101 to S104.

S101: When a computing request is received, determine the requesting node corresponding to the computing request.

This step determines the requesting node, which is the node on which the computing request asks to be processed and which can be specified directly in the computing request. For example, a user sends a computing request through a client to a node A in the distributed confidential computing cluster, requesting that a confidential computing workload be run on node B. Here, node A is the node that receives the computing request, that is, the current node referred to below, and node B is the requesting node.

S102: Acquire all logical distance groups of the current node, and determine, among all the logical distance groups, the target logical distance group closest to the requesting node; each logical distance group corresponding to the current node includes no more than a preset number of allocatable nodes, and the distance between each allocatable node and the current node does not exceed the distance range specified by the corresponding logical distance group; the current node pre-stores the node information of all allocatable nodes.

This step determines the nearest logical distance group, which is the logical distance group closest to the requesting node among all logical distance groups of the current node, that is, the target logical distance group. Specifically, multiple logical distance groups are created in advance for each node in the distributed confidential computing cluster, and each logical distance group contains no more than a preset number of allocatable nodes within a specified distance range of the current node; that is, different logical distance groups correspond to different distance ranges. On this basis, each node in the distributed confidential computing cluster stores locally only the node information of its own allocatable nodes and does not need to store the node information of the other nodes in the cluster. As a result, in subsequent resource allocation the current node only needs to allocate resources among its allocatable nodes and does not need to consider any other nodes, which effectively reduces the load on the node. The node information may include, but is not limited to, the node ID, node IP, node coordinates and remote attestation of the corresponding node. The value of the preset number does not affect the implementation of the technical solution; it can be set by the technician according to actual needs, and the present invention does not limit it.

In one embodiment of the present invention, for each node in the distributed confidential computing cluster, all logical distance groups of the node are obtained from the logical topology network corresponding to the node, and the logical topology network is obtained by constructing a binary tree according to the distances between the node and the other nodes in the distributed confidential computing cluster;

In the logical topology network corresponding to the current node, no more than the preset number of nodes in each subtree are combined into one logical distance group of the current node.

This embodiment provides a method for constructing the logical distance groups. Specifically, a corresponding binary tree can be constructed for each node in the distributed confidential computing cluster. For example, a node ID can be constructed from the node location and the node IP, and the binary tree can then be built from the node IDs to generate a distance-based logical topology network in which every node is a leaf node. In this logical topology network, selecting no more than the preset number of nodes in each subtree yields one corresponding logical distance group, so the number of subtrees in the logical topology network is the number of logical distance groups.

S103: If the requesting node hits the target logical distance group, allocate the computing request to the requesting node.

This step handles the allocation of the computing request when the requesting node hits the target logical distance group. Specifically, a hit means that the current node already stores the node information of the requesting node and that the requesting node is relatively close to the current node. The computing request can therefore be allocated directly to the requesting node according to its node information, and the requesting node performs the subsequent processing of the computing request.

In one embodiment of the present invention, allocating the computing request to the requesting node if the requesting node hits the target logical distance group may include:

If the requesting node hits the target logical distance group, obtaining the network status of the requesting node;

If the network status of the requesting node is offline, selecting a target allocatable node within the target logical distance group and allocating the computing request to the target allocatable node;

If the network status of the requesting node is online, allocating the computing request to the requesting node.

Allocating the computing request to the requesting node if its network status is online may include: if the network status of the requesting node is online, obtaining the available resources of the requesting node; if the available resources of the requesting node do not reach a preset threshold, selecting a target allocatable node within the target logical distance group and allocating the computing request to the target allocatable node; if the available resources of the requesting node reach the preset threshold, allocating the computing request to the requesting node.

Selecting a target allocatable node within the target logical distance group and allocating the computing request to it may include: within the target logical distance group, selecting an allocatable node whose network status is online and whose available resources reach the preset threshold as the target allocatable node; and allocating the computing request to the target allocatable node.

To ensure that the computing request is processed normally, priority can be given to making sure that the node receiving the computing request is online and has sufficient available resources. Therefore, when the requesting node hits the target logical distance group, its network status and current available resources can both be obtained, and the computing request is allocated to the requesting node only if its network status is online and its current available resources reach the preset threshold. Otherwise, an allocatable node within the target logical distance group whose network status is online and whose current available resources reach the preset threshold can be selected as the target allocatable node for the computing request. The value of the preset threshold does not affect the implementation of this technical solution and can be set by the technician according to the actual situation; the present invention does not limit it.

Furthermore, the resource allocation method may also include: if the network status of the requesting node is offline, deleting the requesting node from the target logical distance group. That is, a requesting node that hits the target logical distance group but is offline can be deleted from the target logical distance group to avoid unnecessary resource occupation.

In a possible implementation, the resource allocation method may further include: determining all logical distance groups of the target allocatable node, and determining, among all those logical distance groups, the nearest node corresponding to the target allocatable node; if the nearest node hits the target logical distance group, adding the nearest node to the target logical distance group.

In this embodiment, when the number of allocatable nodes in the target logical distance group is below the preset number, or when an offline requesting node has been deleted from the target logical distance group, a new cluster node can be found and added to the target logical distance group as an allocatable node. This keeps the number of allocatable nodes in the target logical distance group sufficient to serve subsequent computing requests. Specifically, when the network status of the requesting node is offline or its current available resources are below the preset threshold, then once the target allocatable node has been determined, a new allocatable node (the nearest node mentioned above) can be found on the basis of that target allocatable node and added to the target logical distance group. The nearest node is selected from all logical distance groups of the target allocatable node and is the cluster node in those groups that is closest to the target allocatable node.

S104: If the requesting node does not hit the target logical distance group, determine a target node according to the target logical distance group and allocate the computing request to the target node.

This step handles the allocation of the computing request when the requesting node does not hit the target logical distance group. Specifically, a miss means that the current node does not store the node information of the requesting node and that the distance between the requesting node and the current node is unknown. A target node can therefore be determined according to the target logical distance group, and the target node performs the subsequent processing of the computing request. The target node is preferably a node within the target logical distance group.

In one embodiment of the present invention, determining the target node according to the target logical distance group and allocating the computing request to it if the requesting node does not hit the target logical distance group may include:

If the requesting node does not hit the target logical distance group, determining whether the number of allocatable nodes in the target logical distance group has reached the preset number;

If the preset number has not been reached, adding the requesting node to the target logical distance group as the target node, and allocating the computing request to the target node;

If the preset number has been reached, selecting a target node within the target logical distance group and allocating the computing request to the target node.

This embodiment provides a method for determining the target node according to the target logical distance group in order to allocate the computing request. When the requesting node does not hit the target logical distance group and the number of allocatable nodes in that group is below the preset number, the requesting node can be added directly to the target logical distance group and used as the target node to process the computing request, which avoids unnecessary waste of resources. When the number of allocatable nodes in the target logical distance group reaches the preset threshold, an allocatable node in the target logical distance group can be selected directly as the target node to process the computing request.

Adding the requesting node to the target logical distance group as the target node and allocating the computing request to it may include: if the network status of the requesting node is online and its available resources reach the preset threshold, adding the requesting node to the target logical distance group as the target node and allocating the computing request to the target node; if the network status of the requesting node is offline, or its available resources do not reach the preset threshold, selecting a target node within the target logical distance group and allocating the computing request to the target node.

Selecting a target node within the target logical distance group and allocating the computing request to it may include: within the target logical distance group, selecting an allocatable node whose network status is online and whose available resources reach the preset threshold as the target node; and allocating the computing request to the target node.

That is, whether the requesting node itself is used as the target node or a target node is selected within the target logical distance group, the target node must be online and its current available resources must meet the preset threshold, so that the computing request is processed normally.

Furthermore, if the network status of the requesting node is offline, or its available resources do not reach the preset threshold, then after a target node has been selected within the target logical distance group and the computing request has been allocated to it, the method may also include: determining all logical distance groups of the target node, and determining, among all those logical distance groups, the nearest node corresponding to the target node; if the nearest node hits the target logical distance group, adding the nearest node to the target logical distance group.

Similarly, when the number of allocatable nodes in the target logical distance group is below the preset number, a new cluster node can be found and added to the target logical distance group as an allocatable node, which keeps the number of allocatable nodes in the group sufficient to serve subsequent computing requests. Specifically, when the network status of the requesting node is offline or its current available resources are below the preset threshold, then once a target node has been selected within the target logical distance group, a new allocatable node (the nearest node mentioned above) can be found on the basis of that target node and added to the target logical distance group. The nearest node is selected from all logical distance groups of the target node and is the cluster node in those groups that is closest to the target node.

It can be seen that, in the resource allocation method provided by this embodiment of the present invention, multiple logical distance groups are created in advance for each node in the distributed confidential computing cluster, and each logical distance group contains no more than a preset number of allocatable nodes within a specified distance range of the current node, so that different logical distance groups correspond to different distance ranges. When a computing request for a requesting node is received, the target logical distance group closest to the requesting node is determined among all logical distance groups of the current node, and the computing request is allocated to the appropriate node according to whether the requesting node hits the target logical distance group. Each node in the distributed confidential computing cluster therefore needs to store the node information of only a small number of other nodes rather than of all other nodes, which both reduces the storage pressure on each node and greatly reduces the number of remote attestation operations between nodes, achieving efficient allocation of distributed confidential computing resources.
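The hit and miss branches of S103 and S104, as an added Python example that is not code from the patent. It assumes integer node IDs, the XOR distance that the page's later embodiment defines for choosing the group, and a hypothetical `probe` callback that returns a node's live `(online, free_resources)` status; all names are illustrative.

```python
from typing import Callable, Dict, List, Optional, Tuple

Status = Tuple[bool, int]   # (online, free resource units); the unit is hypothetical


def group_index(own_id: int, other_id: int) -> int:
    """Index i of the distance group whose range [2^i, 2^(i+1)) holds own XOR other."""
    if own_id == other_id:
        raise ValueError("the current node has no distance group for itself")
    return (own_id ^ other_id).bit_length() - 1


class Allocator:
    def __init__(self, own_id: int, k: int, threshold: int,
                 probe: Callable[[int], Status]):
        self.own_id = own_id
        self.k = k                    # preset number of nodes per group
        self.threshold = threshold    # preset available-resource threshold
        self.probe = probe            # hypothetical live status lookup
        self.groups: Dict[int, List[int]] = {}

    def usable(self, node_id: int) -> bool:
        online, free = self.probe(node_id)
        return online and free >= self.threshold

    def pick_in_group(self, group: List[int],
                      skip: Optional[int] = None) -> Optional[int]:
        """First group member that is online and has enough resources."""
        return next((n for n in group if n != skip and self.usable(n)), None)

    def allocate(self, req_id: int) -> Tuple[Optional[int], str]:
        """Return (node that receives the request, branch taken)."""
        group = self.groups.setdefault(group_index(self.own_id, req_id), [])
        if req_id in group:                              # S103: hit
            online, free = self.probe(req_id)
            if not online:
                group.remove(req_id)                     # drop the offline node
                return self.pick_in_group(group), "hit-offline"
            if free < self.threshold:
                return self.pick_in_group(group, skip=req_id), "hit-low-resources"
            return req_id, "hit"
        # S104: miss
        if len(group) < self.k and self.usable(req_id):
            group.append(req_id)                         # requester joins the group
            return req_id, "miss-joined"
        return self.pick_in_group(group), "miss-group-pick"


def demo() -> List[Tuple[Optional[int], str]]:
    # Constructed status table: node ID -> (online, free resources).
    status = {1: (False, 0), 8: (True, 10), 9: (False, 10),
              10: (True, 1), 11: (True, 8), 12: (True, 9)}
    alloc = Allocator(own_id=0, k=3, threshold=4, probe=lambda n: status[n])
    alloc.groups[3] = [8, 9, 10]        # IDs 8..15 are at XOR distance [2^3, 2^4) from 0
    return [alloc.allocate(n) for n in (8, 9, 10, 11, 12, 1)]


if __name__ == "__main__":
    for target, branch in demo():
        print(branch, "->", target)
```

A `None` target means the group holds no online node with enough resources, a case the page leaves to the implementer.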

On the basis of the above embodiments:

In one embodiment of the present invention, the node information includes a remote attestation; allocating the computing request to the requesting node if the requesting node hits the target logical distance group may include:

If the requesting node hits the target logical distance group, negotiating a session key with the requesting node according to the remote attestation;

Encrypting the computing request with the session key to obtain an encrypted computing request;

Allocating the encrypted computing request to the requesting node.

As described above, every node in the distributed confidential computing cluster is a confidential computing node in which a confidential computing environment is deployed. On this basis, nodes in the cluster must verify each other's remote attestation when they exchange data, in order to protect the security and integrity of the information. The node information stored by the current node can therefore include the remote attestation of each allocatable node, and likewise each allocatable node stores the remote attestation of the current node. Note that this process presupposes that two-way remote attestation verification between the current node and the allocatable node has succeeded. When allocating the computing request to the requesting node, the current node can first negotiate a session key with the requesting node on the basis of their mutual remote attestations, and then use that session key to encrypt the computing request and allocate it to the requesting node. The same process of session key negotiation and encrypted allocation can be followed when the computing request is allocated to a target allocatable node or a target node.

Furthermore, the node information may also include the node ID, node IP and node location; allocating the encrypted computing request to the requesting node may then include: allocating the encrypted computing request to the requesting node according to the node ID, node IP and node location. To facilitate the allocation of computing requests, the node information stored on the current node can thus further include the node ID, node IP, node location and so on of each allocatable node, and the encrypted allocation of the computing request can be carried out with reference to this node information.

The node ID may include encoded information about the node location and hash information about the node IP. To ensure the uniqueness of cluster nodes, this embodiment provides a method for setting the node ID: first, the horizontal and vertical coordinates of the node location are alternately encoded to obtain the first 40 bits of the node ID; then, a 256-bit hash value is calculated for the node IP, and the first 40 bits of the hash value are taken as the last 40 bits of the node ID; finally, the first 40 bits and the last 40 bits are concatenated to obtain the node ID.

In one embodiment of the present invention, the resource allocation method may further include:

Initiating a remote attestation challenge to the requesting node and sending a random number to the requesting node, so that the requesting node responds to the remote attestation challenge by generating a requesting-node remote attestation that contains the random number;

Obtaining the requesting-node remote attestation and verifying it, and saving the requesting-node remote attestation when the verification passes.

This embodiment provides a method by which the current node verifies the remote attestation of the requesting node. Because remote attestation must be verified in both directions, the requesting node can verify the remote attestation of the current node by following the same process.

In one embodiment of the present invention, the resource allocation method may further include:

Obtaining the locally available resources in real time;

If the locally available resources are lower than the preset threshold, determining the nearest node among all logical distance groups of the current node;

Migrating the node load of the current node to the nearest node.

Resource allocation in a distributed confidential computing cluster falls into two cases. The first is allocating a received computing request to a suitable cluster node for processing, which corresponds to the embodiments above. The second is the case where the load on a node in the cluster is too high and must be transferred, which corresponds to this embodiment. Each node in the distributed confidential computing cluster can monitor its locally available resources in real time and, when it determines that they are lower than the preset threshold, migrate its own node load to the cluster node closest to the current node (the nearest node mentioned above), which avoids excessive pressure on the node.

An embodiment of the present invention provides another resource allocation method.

Specifically, a distributed confidential computing cluster may be spread across different machine rooms and be made up of small clusters in different geographical areas, so that different confidential computing nodes may be located in different cities. Within a small geographical area, the confidential computing nodes are distributed in clusters. Figure 2 is a node distribution diagram of a distributed confidential computing cluster provided by an embodiment of the present invention: the confidential computing nodes can be divided into different clusters according to their physical locations, and the confidential computing nodes within one cluster are close to each other in both physical distance and communication distance. Physically, all nodes in the confidential computing cluster could be fully connected, but each confidential computing node would then need to store the information of every node in the cluster, including each node's IP, remote attestation information and so on. In addition, if the cluster network were fully connected, each confidential computing node would need to perform pairwise two-way remote attestation with every other node and store the remote attestation information, which would place very heavy communication and storage pressure on the nodes.

For this reason, the present invention builds a distance-based logical topology network on top of the actual distributed confidential computing network topology, and this logical topology network is constructed as a binary tree. In the distance-based logical topology network, each confidential computing node and each user is assigned a unique ID, and all IDs share the same value space. Figure 3 is a schematic diagram of the node ID structure provided by an embodiment of the present invention. The ID of each confidential computing node and user is calculated from location information and IP information and consists of 80 bits: the first 40 bits are obtained by alternately encoding the horizontal and vertical coordinates of the node location, and the last 40 bits are the first 40 bits of the 256-bit hash value of the node IP. Concatenating the first 40 bits and the last 40 bits gives the final ID, which ensures that each confidential computing node and user has a unique ID.

Each confidential computing node is a leaf node of the distance-based logical topology network. Figure 4 is a schematic diagram of the distance-based logical topology network structure provided by an embodiment of the present invention: a leaf node drawn as a solid black circle indicates that the confidential computing node exists and can communicate over the network normally, and a leaf node drawn as a hollow circle indicates that no confidential computing node exists at that position. Figure 5 is a schematic diagram of the subtree division within the logical topology network provided by an embodiment of the present invention. According to the distance-based logical topology network, each confidential computing node can divide the other confidential computing nodes in the network into 80 subtrees (taking 80 as an example), and can represent the information of k (the preset number) confidential computing nodes in each subtree (shown by the dotted circles in Figure 5) as one corresponding logical distance group. The confidential computing node and each of its logical distance groups share a common prefix.

Taking confidential computing node 0 as an example, the largest subtree consists of the half of the binary tree that does not contain confidential computing node 0; the next subtree consists of the half of the remaining distance-based logical topology network that does not contain confidential computing node 0. Under this division, the nodes in each subtree can be regarded as one logical distance group (Distance i, i∈[0,80)). The longer the common prefix of the first 40 bits of two confidential computing node IDs, the closer the physical locations of the two nodes, which then lie in the same local area. The distance between two IDs can be measured as the XOR distance: given two nodes x and y, their logical distance is distance(x, y) = x ⊕ y.

Resources can therefore be allocated to a suitable confidential computing node on the basis of the logical distance. To allocate the resources requested by a user to a suitable node, a confidential computing node needs to store the ID information, IP information and remote attestation information of other nodes, which can be expressed, for example, as confidential computing node information = <ID, location, IP, remote attestation>. To reduce the storage pressure that other nodes' information places on a confidential computing node, each confidential computing node stores the information of only k confidential computing nodes in each subtree, and this information for k nodes is represented as one logical distance group. Specifically, for the i-th logical distance group, i∈[0,80), the confidential computing node stores the information of k confidential computing nodes whose distance lies in the range [2^i, 2^(i+1)). Assuming the preset number k is 4, the logical distance group list shown in Figure 6 is obtained; Figure 6 is a schematic diagram of a logical distance group list provided by an embodiment of the present invention.

Since only one confidential computing node exists in the distance range [2^0, 2^1), the Distance0 array contains only one node; since only two confidential computing nodes exist in the distance range [2^1, 2^2), the Distance1 array contains only two nodes; since only two confidential computing nodes exist in the distance range [2^2, 2^3), the Distance2 array contains only two nodes; and although multiple confidential computing nodes exist in the distance range [2^79, 2^80), each logical distance group contains at most four nodes, so the Distance79 array contains only four nodes. The order of the triples stored in each logical distance group (Distance i, i∈[0,80)) is determined by the usage of node resources: the node whose resources were used most recently is placed at the tail of the logical distance group, where the left side of Figure 6 is the head and the right side is the tail. Confidential computing node 0 then performs remote attestation with these nodes, so that both sides prove to each other that they and their program code are running in a trusted execution environment, and stores the remote attestation information in the triple list.
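The ID layout, XOR distance and capped distance groups described above, as an added Python example that is not code from the patent. It assumes 20 bits per coordinate (so the interleaved part is 40 bits), SHA-256 as the 256-bit hash, and the hypothetical names `node_id`, `group_index` and `DistanceGroups`.

```python
import hashlib
from typing import Dict, List

COORD_BITS = 20   # assumption: 20 bits per coordinate, giving 40 interleaved bits
HASH_BITS = 40    # from the page: first 40 bits of the 256-bit hash of the IP


def interleave(x: int, y: int, bits: int = COORD_BITS) -> int:
    """Alternate the bits of x and y, most significant first, x before y."""
    out = 0
    for i in range(bits - 1, -1, -1):
        out = (out << 2) | (((x >> i) & 1) << 1) | ((y >> i) & 1)
    return out


def node_id(x: int, y: int, ip: str) -> int:
    """80-bit ID: interleaved coordinates in the high 40 bits, IP hash in the low 40."""
    limit = 1 << COORD_BITS
    if not (0 <= x < limit and 0 <= y < limit):
        raise ValueError("coordinate does not fit in COORD_BITS")
    digest = hashlib.sha256(ip.encode()).digest()      # assumption: SHA-256
    ip_part = int.from_bytes(digest[:HASH_BITS // 8], "big")
    return (interleave(x, y) << HASH_BITS) | ip_part


def distance(a: int, b: int) -> int:
    """Logical distance from the page: distance(x, y) = x XOR y."""
    return a ^ b


def group_index(a: int, b: int) -> int:
    """Index i such that 2^i <= distance(a, b) < 2^(i+1)."""
    d = distance(a, b)
    if d == 0:
        raise ValueError("identical IDs have no distance group")
    return d.bit_length() - 1


class DistanceGroups:
    """Per-node table: at most k entries per group, most recently used at the tail."""

    def __init__(self, own_id: int, k: int = 4):
        self.own_id = own_id
        self.k = k
        self.groups: Dict[int, List[int]] = {}

    def record_use(self, other_id: int) -> bool:
        """Move a known node to the tail, or add it if the group has room."""
        group = self.groups.setdefault(group_index(self.own_id, other_id), [])
        if other_id in group:
            group.remove(other_id)
            group.append(other_id)
            return True
        if len(group) < self.k:
            group.append(other_id)
            return True
        return False      # group already holds k nodes; the newcomer is not stored


def demo() -> Dict[int, List[int]]:
    # Constructed neighbours of node 0, mirroring the list described for Figure 6.
    table = DistanceGroups(own_id=0, k=4)
    far = [(1 << 79) + j for j in range(5)]      # five nodes in [2^79, 2^80)
    for other in [1, 2, 3, 4, 5] + far:
        table.record_use(other)
    return table.groups


if __name__ == "__main__":
    for index, members in sorted(demo().items()):
        print(f"Distance{index}: {len(members)} node(s)")
```

Because the coordinates occupy the high 40 bits, two nodes whose locations differ only in the lowest coordinate bit fall in group 40, while nodes at the same location with different IPs fall below group 40.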

Distributed confidential computing resource scheduling covers two situations. In the first, a user sends a confidential computing resource request, which is allocated to a suitable node; in the second, the load of a confidential computing node in the confidential computing cluster is too high and must be allocated to other nodes. In both situations, two confidential computing nodes in the distributed confidential computing cluster need to store each other's remote attestation information and thereby verify that the other is running in a trusted execution environment, so that the confidential computing workload can be migrated into the other node's environment. The process of mutual remote attestation between two confidential computing nodes is as follows. Suppose two confidential computing nodes A and B need to perform remote attestation. First, node A initiates a remote attestation challenge to node B and sends a random number to node B. Node B generates a remote attestation report in its trusted execution environment; this report contains the random number sent by node A, which is used to prevent replay attacks. Node B then sends the generated remote attestation report to node A, and node A verifies the reference value and the certificate chain in node B's remote attestation report to determine that node B and its program code are running in a trusted execution environment, after which node A can store the remote attestation information. Node B verifies node A in the same way. The two nodes can then establish a secure communication channel based on the remote attestation information, so that the security of data in transit is guaranteed while the confidential computing workload is migrated.
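The challenge-response flow described above, as an added example that is not part of the patent text: node A issues a single-use nonce and rejects replayed, stale or mismatched reports. An HMAC under a constructed key stands in for the TEE's hardware-rooted signature and certificate chain; the names `Verifier`, `make_report`, `REFERENCE_MEASUREMENT` and the 30-second nonce lifetime are assumptions.

```python
"""Simulated nonce-bound attestation between node A (verifier) and node B (attester)."""
import hashlib
import hmac
import json
import secrets
import time

# Constructed values. A real TEE signs the report with a hardware-rooted key and
# the verifier validates the vendor certificate chain; an HMAC key stands in here.
TEE_SIGNING_KEY = b"constructed-demo-key"
REFERENCE_MEASUREMENT = hashlib.sha256(b"constructed-enclave-image").hexdigest()
NONCE_TTL_SECONDS = 30  # assumed lifetime of an outstanding challenge


def _sign(body):
    payload = json.dumps(body, sort_keys=True).encode()
    return hmac.new(TEE_SIGNING_KEY, payload, hashlib.sha256).hexdigest()


def make_report(node_id, measurement, nonce):
    """Node B: embed the challenger's nonce in the report, then sign the report."""
    body = {"node_id": node_id, "measurement": measurement, "nonce": nonce}
    return {"body": body, "sig": _sign(body)}


class Verifier:
    """Node A: issues challenges and accepts each nonce at most once."""

    def __init__(self, now=time.monotonic):
        self._now = now
        self._pending = {}  # peer id -> (nonce, issue time)
        self.attested = {}  # peer id -> accepted report (the stored attestation)

    def challenge(self, peer_id):
        nonce = secrets.token_hex(16)
        self._pending[peer_id] = (nonce, self._now())
        return nonce

    def verify(self, peer_id, report):
        body = report["body"]
        if not hmac.compare_digest(_sign(body), report["sig"]):
            return "bad-signature"
        if body.get("node_id") != peer_id:
            return "wrong-node"
        pending = self._pending.get(peer_id)
        if pending is None:
            return "no-outstanding-challenge"   # unsolicited or replayed report
        nonce, issued = pending
        if not hmac.compare_digest(nonce, str(body.get("nonce", ""))):
            return "nonce-mismatch"             # old report against a new challenge
        del self._pending[peer_id]              # consume: never accept it twice
        if self._now() - issued > NONCE_TTL_SECONDS:
            return "nonce-expired"
        if body.get("measurement") != REFERENCE_MEASUREMENT:
            return "measurement-mismatch"       # code differs from the reference value
        self.attested[peer_id] = report
        return "ok"


if __name__ == "__main__":
    a = Verifier()
    report = make_report("B", REFERENCE_MEASUREMENT, a.challenge("B"))
    print(a.verify("B", report))   # fresh report
    print(a.verify("B", report))   # same report replayed
```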

In addition, nodes in a distributed confidential computing cluster may join or leave the network at any time, so the confidential computing nodes in the cluster can dynamically update their logical distance groups.

The two situations of distributed confidential computing resource scheduling are implemented as follows:

Case 1: A user sends a confidential computing resource request, which is allocated to a suitable node:

The user sends a computing request to confidential computing node A in the distributed confidential computing cluster, requesting that the confidential computing workload run on confidential computing node B. First, confidential computing node A obtains all of its logical distance groups and determines, by lookup, the target logical distance group closest to confidential computing node B.

1. If confidential computing node B is in the target logical distance group, a command querying whether it is online is sent to it. If confidential computing node B is online, a command querying its remaining computing resources is sent. If the remaining computing resources of confidential computing node B are greater than the threshold, confidential computing node B is moved to the tail of the target logical distance group of confidential computing node A. Further, a negotiated key is computed from the remote attestation information that confidential computing node A and confidential computing node B have stored for each other, and a secure transmission channel is established; confidential computing node A then sends the user's computing request to confidential computing node B over the secure transmission channel, and the request is executed on confidential computing node B. See Figure 7, which is a schematic diagram of the first resource allocation scenario provided by an embodiment of the present invention.

2. If confidential computing node B is in the target logical distance group, a command querying whether it is online is sent to it. If confidential computing node B is online, a command querying its remaining computing resources is sent. If the remaining computing resources of confidential computing node B are less than the threshold, then, starting from the head of the queue of the target logical distance group, the online query command and the remaining-resource query command are sent to each node in turn. A node that is online and whose remaining computing resources are greater than the threshold is called confidential computing node C and is moved to the tail of the queue. At the same time, a negotiated key is computed from the remote attestation information that confidential computing node A and confidential computing node C have stored for each other, and a secure transmission channel is established; confidential computing node A then sends the user's computing request to confidential computing node C over the secure transmission channel, and the request is executed on confidential computing node C. See Figure 8, which is a schematic diagram of the second resource allocation scenario provided by an embodiment of the present invention.

3. If confidential computing node B is in the logical distance group, a command querying whether it is online is sent to it. If confidential computing node B is not online, it is first removed from the target logical distance group; then, starting from the head of the queue of the target logical distance group, the online query command and the remaining-resource query command are sent to each node in turn. A node that is online and whose remaining computing resources are greater than the threshold is called confidential computing node C and is moved to the tail of the queue. At the same time, a negotiated key is computed from the remote attestation information that confidential computing node A and confidential computing node C have stored for each other, and a secure transmission channel is established; confidential computing node A then sends the user's computing request to confidential computing node C over the secure transmission channel, and the request is executed on confidential computing node C.

Further, confidential computing node C queries its own logical distance groups, starting from the smallest one, and finds the nearest online confidential computing node, which is called confidential computing node D. If confidential computing node D belongs to the target logical distance group of confidential computing node A, confidential computing node D is placed at the head of the queue of the target logical distance group, and two-way remote attestation is performed between confidential computing node A and confidential computing node D. Confidential computing node A stores the node information of confidential computing node D = <ID, location, IP, remote attestation>, while confidential computing node D stores only the remote attestation of node A; see Figure 9, which is a schematic diagram of the third resource allocation scenario provided by an embodiment of the present invention. If confidential computing node D does not belong to the target logical distance group, this operation is not performed; see Figure 10, which is a schematic diagram of the fourth resource allocation scenario provided by an embodiment of the present invention.

4. If the information of confidential computing node B is not in the target logical distance group and the number of nodes in the target logical distance group is less than k, confidential computing node B is queried to determine whether it is online and whether its remaining resources are greater than the threshold.

(1) If confidential computing node B is online and its remaining resources are greater than the threshold, confidential computing node B is placed directly at the tail of the queue of the target logical distance group. At the same time, two-way remote attestation is performed between confidential computing node A and confidential computing node B. Confidential computing node A stores the node information of confidential computing node B = <ID, location, IP, remote attestation>, while confidential computing node B stores only the remote attestation of confidential computing node A. The two nodes compute a negotiated key based on the remote attestation and establish a secure transmission channel; confidential computing node A then sends the user's computing request to confidential computing node B over the secure transmission channel, and the request is executed on confidential computing node B.

(2) If confidential computing node B is not online or its remaining resources are less than the threshold, then, starting from the head of the queue of the target logical distance group, the online query command and the remaining-resource query command are sent to each node in turn. A node that is online and whose remaining resources are greater than the threshold is called confidential computing node C and is moved to the tail of the queue of the target logical distance group. At the same time, a negotiated key is computed from the remote attestation information that confidential computing node A and confidential computing node C have stored for each other, and a secure transmission channel is established; confidential computing node A then sends the user's computing request to confidential computing node C over the secure transmission channel, and the request is executed on confidential computing node C. See Figure 11, which is a schematic diagram of the fifth resource allocation scenario provided by an embodiment of the present invention.

In addition, confidential computing node C queries its own logical distance groups, starting from the smallest one, and finds the nearest online confidential computing node D. If confidential computing node D belongs to the target logical distance group of confidential computing node A, confidential computing node D is placed at the head of the queue of the target logical distance group. Confidential computing node A stores the node information of confidential computing node D = <ID, location, IP, remote attestation>, while confidential computing node D stores only the remote attestation of confidential computing node A; see Figure 12, which is a schematic diagram of the sixth resource allocation scenario provided by an embodiment of the present invention. If confidential computing node D does not belong to the target logical distance group, this operation is not performed; see Figure 13, which is a schematic diagram of the seventh resource allocation scenario provided by an embodiment of the present invention.

5. If confidential computing node B is not in the target logical distance group and the number of nodes in the target logical distance group has reached k, confidential computing node A queries confidential computing node C at the head of the target logical distance group.

(1) If confidential computing node C is online and its remaining resources are greater than the threshold, confidential computing node C is moved to the tail of the queue of the target logical distance group. At the same time, a negotiated key is computed from the remote attestation information that confidential computing node A and confidential computing node C have stored for each other, and a secure transmission channel is established; confidential computing node A then sends the user's computing request to confidential computing node C over the secure transmission channel, and the request is executed on confidential computing node C. See Figure 14, which is a schematic diagram of the eighth resource allocation scenario provided by an embodiment of the present invention.

(2) If confidential computing node C is not online or its remaining resources are less than the threshold, the search continues toward the tail of the queue.
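Sub-cases 1 to 5 of Case 1 above, as an added example that is not code from the patent: one node's logical distance groups with the head-to-tail scan and move-to-tail reordering. Assumptions: XOR of integer node IDs as the distance metric, a 20% threshold, a constructed cluster, and failing closed when attestation of a not-yet-stored peer does not succeed; the step in which node C reports its nearest node D is left out.

```python
"""Case 1 node selection over one node's logical distance groups (constructed data)."""
from dataclasses import dataclass, field

K = 4           # preset number of nodes per logical distance group (the page's example)
THRESHOLD = 20  # constructed free-resource threshold, in percent


def group_index(a: int, b: int) -> int:
    """Index i with distance(a, b) in [2^i, 2^(i+1)); XOR distance is an assumption."""
    d = a ^ b
    if d == 0:
        raise ValueError("a node has no distance group for itself")
    return d.bit_length() - 1


@dataclass
class Scheduler:
    node_id: int
    cluster: dict   # constructed probe results: node id -> (online, free percent)
    trusted: set    # ids whose attestation report would verify (stand-in)
    groups: dict = field(default_factory=dict)  # i -> list of ids, head first

    def _probe_ok(self, nid):
        """Online query followed by the remaining-resource query."""
        online, free = self.cluster.get(nid, (False, 0))
        return online and free > THRESHOLD

    def _attest(self, nid):
        """Stand-in for two-way remote attestation with a peer not yet stored."""
        return nid in self.trusted

    def _scan_from_head(self, group):
        """Sub-cases 2, 3, 4(2) and 5: first usable stored peer, moved to the tail."""
        for nid in list(group):
            if self._probe_ok(nid):
                group.remove(nid)
                group.append(nid)
                return nid
        return None  # nothing usable in the target group (not covered by the page)

    def allocate(self, requested: int):
        group = self.groups.setdefault(group_index(self.node_id, requested), [])
        online, _ = self.cluster.get(requested, (False, 0))
        if requested in group:
            if not online:                      # sub-case 3: drop the offline entry
                group.remove(requested)
            elif self._probe_ok(requested):     # sub-case 1: hit, now most recent
                group.remove(requested)
                group.append(requested)
                return requested
            return self._scan_from_head(group)  # sub-cases 2 and 3
        # Sub-case 4(1): room in the group, peer usable, and attestation succeeds.
        # A peer that fails attestation is never stored or used (assumed fail-closed).
        if len(group) < K and self._probe_ok(requested) and self._attest(requested):
            group.append(requested)
            return requested
        return self._scan_from_head(group)      # sub-cases 4(2) and 5


def demo():
    """Constructed cluster seen from node 0; group 2 covers IDs 4 to 7."""
    cluster = {4: (True, 50), 5: (True, 10), 6: (False, 0), 7: (True, 80), 12: (True, 90)}
    a = Scheduler(0, cluster, trusted={7}, groups={2: [4, 5, 6]})
    picks = [a.allocate(5), a.allocate(6), a.allocate(7), a.allocate(12)]
    return picks, a.groups


if __name__ == "__main__":
    print(demo())
```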

Case 2: The load of a computing node A whose load exceeds the resource threshold is migrated to other nodes:

First, confidential computing node A obtains all of its logical distance groups and starts querying from the nearest confidential computing node among them. When it finds a node that is online and whose remaining computing resources are greater than the threshold, this node is called confidential computing node C, and confidential computing node C is moved to the tail of the queue of the corresponding logical distance group. At the same time, a negotiated key is computed from the remote attestation information that confidential computing node A and confidential computing node C have stored for each other, and a secure transmission channel is established; confidential computing node A then migrates the confidential computing workload to confidential computing node C over the secure transmission channel, and the workload is executed on confidential computing node C.

It can be seen that the resource allocation method provided by the embodiment of the present invention has the following advantages:

(1) Efficient allocation of computing load can be achieved during large-scale distributed confidential computing resource allocation;

(2) Each confidential computing node needs to store the information of only a small number of other nodes rather than the information of the whole network, which reduces the storage burden on each node;

(3) Confidential computing nodes dynamically joining and leaving the network can be handled effectively;

(4) Each node does not need to perform two-way remote attestation with every other node, which greatly reduces the number of remote attestation operations;

(5) Confidential computing technology protects data while it is in use, making the data usable but not visible;

(6) Confidential computing technology allows a secure data transmission channel to be established, securing data in transit.

An embodiment of the present invention provides a resource allocation device.

Please refer to Figure 15, which is a schematic structural diagram of a resource allocation device provided by the present invention. The resource allocation device is applied to any node in a distributed confidential computing cluster and may include:

a determining module 1, configured to determine, when a computing request is received, the requesting node corresponding to the computing request;

an acquisition module 2, configured to acquire all logical distance groups of the current node and to determine, among all the logical distance groups, the target logical distance group closest to the requesting node; each logical distance group corresponding to the current node includes no more than a preset number of allocatable nodes, and the distance between each allocatable node and the current node does not exceed the distance range specified by the corresponding logical distance group; the current node pre-stores the node information of all the allocatable nodes;

a first allocation module 3, configured to allocate the computing request to the requesting node if the requesting node hits the target logical distance group;

a second allocation module 4, configured to determine a target node according to the target logical distance group if the requesting node does not hit the target logical distance group, and to allocate the computing request to the target node.

It can be seen that, in the resource allocation device provided by the embodiment of the present invention, multiple corresponding logical distance groups are created in advance for each node in the distributed confidential computing cluster, and each logical distance group contains no more than a preset number of allocatable nodes within a specified distance range relative to the current node; that is, different logical distance groups correspond to different distance ranges. Therefore, when a computing request for a requesting node is received, the target logical distance group closest to the requesting node can be determined among all the logical distance groups corresponding to the current node, and the computing request is allocated to the corresponding node for processing according to whether the requesting node hits the target logical distance group. Each node in the distributed confidential computing cluster thus needs to store the node information of only a small number of other nodes rather than of all other nodes, which not only effectively reduces the storage burden on the node but also greatly reduces the remote attestation operations between nodes, achieving efficient distributed confidential computing resource allocation.

In one embodiment of the present invention, the first allocation module 3 may include:

an acquisition unit, configured to acquire the network status of the requesting node if the requesting node hits the target logical distance group;

a first allocation unit, configured to select a target allocatable node within the target logical distance group and allocate the computing request to the target allocatable node if the network status of the requesting node is offline;

a second allocation unit, configured to allocate the computing request to the requesting node if the network status of the requesting node is online.

In one embodiment of the present invention, the second allocation unit may be specifically configured to acquire the available resources of the requesting node if the network status of the requesting node is online; if the available resources of the requesting node do not reach the preset threshold, to select a target allocatable node within the target logical distance group and allocate the computing request to the target allocatable node; and if the available resources of the requesting node reach the preset threshold, to allocate the computing request to the requesting node.

In one embodiment of the present invention, the first allocation unit may be specifically configured to select, within the target logical distance group, an allocatable node whose network status is online and whose available resources reach the preset threshold as the target allocatable node, and to allocate the computing request to the target allocatable node.

In one embodiment of the present invention, the first allocation module 3 may further include a deleting unit, configured to delete the requesting node from the target logical distance group if the network status of the requesting node is offline.

In one embodiment of the present invention, the first allocation module 3 may further include an adding unit, configured to determine all logical distance groups of the target allocatable node and to determine, among all those logical distance groups, the nearest node corresponding to the target allocatable node; if the nearest node hits the target logical distance group, the nearest node is added to the target logical distance group.

In one embodiment of the present invention, the second allocation module 4 may include:

a judging unit, configured to judge whether the number of allocatable nodes in the target logical distance group has reached the preset number if the requesting node does not hit the target logical distance group;

a third allocation unit, configured to add the requesting node to the target logical distance group as the target node and allocate the computing request to the target node if the preset number has not been reached;

a fourth allocation unit, configured to select a target node within the target logical distance group and allocate the computing request to the target node if the preset number has been reached.

In one embodiment of the present invention, the third allocation unit may be specifically configured to add the requesting node to the target logical distance group as the target node and allocate the computing request to the target node if the network status of the requesting node is online and its available resources reach the preset threshold; and, if the network status of the requesting node is offline or its available resources do not reach the preset threshold, to select a target node within the target logical distance group and allocate the computing request to the target node.

In one embodiment of the present invention, the third allocation unit may further be configured, after selecting a target node within the target logical distance group and allocating the computing request to it because the network status of the requesting node is offline or its available resources do not reach the preset threshold, to determine all logical distance groups of the target node and to determine, among all those logical distance groups, the nearest node corresponding to the target node; if the nearest node hits the target logical distance group, the nearest node is added to the target logical distance group.

In one embodiment of the present invention, the fourth allocation unit may be specifically configured to select, within the target logical distance group, an allocatable node whose network status is online and whose available resources reach the preset threshold as the target node, and to allocate the computing request to the target node.

In one embodiment of the present invention, for each node in the distributed confidential computing cluster, all logical distance groups corresponding to the node are obtained from the logical topology network corresponding to the node, and the logical topology network is obtained by constructing a binary tree according to the distances between the node and the other nodes in the distributed confidential computing cluster;

in the logical topology network corresponding to the current node, no more than the preset number of nodes in each subtree are combined into one logical distance group corresponding to the current node.

In one embodiment of the present invention, the node information includes the remote attestation; the first allocation module 3 may include:

a negotiation unit, configured to negotiate a session key with the requesting node according to the remote attestation if the requesting node hits the target logical distance group;

an encryption unit, configured to encrypt the computing request with the session key to obtain an encrypted computing request;

an allocation unit, configured to allocate the encrypted computing request to the requesting node.

In one embodiment of the present invention, the node information further includes the node ID, the node IP and the node location; the allocation unit may be specifically configured to allocate the encrypted computing request to the requesting node according to the node ID, the node IP and the node location.

In one embodiment of the present invention, the node ID includes encoded information of the node location and hash information of the node IP.

In one embodiment of the present invention, the resource allocation device may further include a remote attestation module, configured to initiate a remote attestation challenge to the requesting node and send a random number to the requesting node, so that the requesting node responds to the remote attestation challenge by generating a remote attestation of the requesting node that contains the random number; and to obtain and verify the remote attestation of the requesting node, and save it when the verification passes.

In one embodiment of the present invention, the resource allocation device may further include a migration module, configured to acquire the locally available resources in real time; if the locally available resources are lower than the preset threshold, to determine the nearest node among all logical distance groups of the current node; and to migrate the node load of the current node to the nearest node.

For an introduction to the device provided by the embodiment of the present invention, please refer to the method embodiment above; it is not repeated here.

An embodiment of the present invention provides an electronic device.

Please refer to Figure 16, which is a schematic structural diagram of an electronic device provided by the present invention. The electronic device may include:

a memory 11, configured to store a computer program;

a processor 10, configured to implement the steps of any one of the resource allocation methods described above when executing the computer program.

Figure 16 is a schematic diagram of the composition of the electronic device, which may include a processor 10, a memory 11, a communication interface 12 and a communication bus 13. The processor 10, the memory 11 and the communication interface 12 all communicate with each other through the communication bus 13.

In the embodiment of the present invention, the processor 10 may be a central processing unit (CPU), an application-specific integrated circuit, a digital signal processor, a field-programmable gate array or another programmable logic device.

The processor 10 may call the program stored in the memory 11; specifically, the processor 10 may perform the operations in the embodiments of the resource allocation method.

The memory 11 is used to store one or more programs. A program may include program code, and the program code includes computer operation instructions. In the embodiment of the present invention, the memory 11 stores at least a program for implementing the following functions:

when a computing request is received, determining the requesting node corresponding to the computing request;

acquiring all logical distance groups of the current node, and determining, among all the logical distance groups, the target logical distance group closest to the requesting node; each logical distance group corresponding to the current node includes no more than a preset number of allocatable nodes, and the distance between each allocatable node and the current node does not exceed the distance range specified by the corresponding logical distance group; the current node pre-stores the node information of all the allocatable nodes;

if the requesting node hits the target logical distance group, allocating the computing request to the requesting node;

if the requesting node does not hit the target logical distance group, determining a target node according to the target logical distance group, and allocating the computing request to the target node.

In a possible implementation, the memory 11 may include a program storage area and a data storage area. The program storage area may store an operating system and the application required for at least one function; the data storage area may store data created during use.

In addition, the memory 11 may include a high-speed random access memory, and may also include a non-volatile memory, such as at least one disk storage device or other volatile solid-state storage device.

The communication interface 12 may be an interface of a communication module, used to connect to other devices or systems.

It should be noted that the structure shown in FIG. 16 does not limit the electronic device in the embodiment of the present invention. In actual applications, the electronic device may include more or fewer components than those shown in FIG. 16, or may combine certain components.

An embodiment of the present invention provides a non-volatile storage medium.

The non-volatile storage medium provided in the embodiment of the present invention stores a computer program. When the computer program is executed by a processor, the steps of any one of the above resource allocation methods can be implemented.

The non-volatile storage medium may be any available medium on which a computer can store data, or a data storage device such as a server or data center that integrates one or more available media. For example, it may be a magnetic medium (such as a floppy disk, hard disk or magnetic tape), an optical medium (such as a DVD), a semiconductor medium (such as a solid-state drive), or any other medium that can store computer program code.

For an introduction to the non-volatile storage medium provided in the embodiment of the present invention, refer to the above method embodiments; it is not repeated here.

An embodiment of the present invention provides a computer program product.

The computer program product provided by the embodiment of the present invention includes a computer program/instructions. When the computer program/instructions are executed by a processor, the steps of any one of the above resource allocation methods can be implemented.

Specifically, the above embodiments may be implemented in whole or in part by software, hardware, firmware or any combination thereof. When implemented in software, they may be implemented in whole or in part in the form of a computer program product.

The computer program product may include one or more computer programs/instructions. When the computer programs/instructions are loaded and executed on a computer, the processes or functions described in the embodiments of the present invention are produced in whole or in part. The computer may be a general-purpose computer, a special-purpose computer, a computer network or another programmable device. The computer instructions may be stored in a non-volatile storage medium, or transmitted from one non-volatile storage medium to another. For example, the computer instructions may be transmitted from one website, computer, server or data center to another website, computer, server or data center by wired means (e.g., coaxial cable, optical fiber, digital subscriber line) or wireless means (e.g., infrared, radio, microwave).

For an introduction to the computer program product provided by the embodiment of the present invention, refer to the above method embodiments; it is not repeated here.

The embodiments in this specification are described in a progressive manner. Each embodiment focuses on its differences from the other embodiments, and the same or similar parts of the embodiments can be cross-referenced. Because the device disclosed in the embodiments corresponds to the method disclosed in the embodiments, its description is relatively brief; for the relevant details, refer to the description of the method.

Those skilled in the art will further appreciate that the units and algorithm steps of the examples described in conjunction with the embodiments disclosed herein can be implemented in electronic hardware, computer software, or a combination of the two. To clearly illustrate the interchangeability of hardware and software, the composition and steps of each example have been described above in general terms according to function. Whether these functions are performed in hardware or software depends on the specific application and the design constraints of the technical solution. Those skilled in the art may use different methods to implement the described functions for each specific application, but such implementations should not be considered beyond the scope of the present invention.

The steps of the method or algorithm described in conjunction with the embodiments disclosed herein may be implemented directly in hardware, in a software module executed by a processor, or in a combination of the two. The software module may reside in random access memory (RAM), internal memory, read-only memory (ROM), electrically programmable ROM, electrically erasable programmable ROM, a register, a hard disk, a removable disk, a CD-ROM, or any other form of storage medium known in the art.

The technical solution provided by the present invention has been described in detail above. Specific examples are used herein to explain the principle and implementation of the present invention, and the description of the above embodiments is intended only to help understand the method of the present invention and its core idea. It should be pointed out that those of ordinary skill in the art can make improvements and modifications to the present invention without departing from its principle, and these improvements and modifications also fall within the scope of protection of the present invention.

Claims (20)

1. A resource allocation method, characterized in that it is applied to any node in a distributed confidential computing cluster, and the method comprises:
when a computing request is received, determining a requesting node corresponding to the computing request;
acquiring all logical distance groups of the current node, and determining, among all the logical distance groups, the target logical distance group closest to the requesting node; each logical distance group corresponding to the current node includes no more than a preset number of allocatable nodes, and the distance between each allocatable node and the current node does not exceed the distance range specified by the corresponding logical distance group; the current node pre-stores the node information of all the allocatable nodes;
if the requesting node hits the target logical distance group, allocating the computing request to the requesting node;
if the requesting node does not hit the target logical distance group, determining a target node according to the target logical distance group, and allocating the computing request to the target node.

2. The resource allocation method according to claim 1, characterized in that, if the requesting node hits the target logical distance group, allocating the computing request to the requesting node comprises:
if the requesting node hits the target logical distance group, obtaining the network status of the requesting node;
if the network status of the requesting node is offline, selecting a target allocatable node in the target logical distance group, and allocating the computing request to the target allocatable node;
if the network status of the requesting node is online, allocating the computing request to the requesting node.

3. The resource allocation method according to claim 2, characterized in that, if the network status of the requesting node is online, allocating the computing request to the requesting node comprises:
if the network status of the requesting node is online, obtaining the available resources of the requesting node;
if the available resources of the requesting node do not reach a preset threshold, selecting a target allocatable node in the target logical distance group, and allocating the computing request to the target allocatable node;
if the available resources of the requesting node reach the preset threshold, allocating the computing request to the requesting node.

4. The resource allocation method according to claim 2, characterized in that selecting a target allocatable node in the target logical distance group and allocating the computing request to the target allocatable node comprises:
in the target logical distance group, selecting an allocatable node whose network status is online and whose available resources reach a preset threshold as the target allocatable node;
allocating the computing request to the target allocatable node.

5. The resource allocation method according to claim 2, characterized in that it further comprises:
if the network status of the requesting node is offline, deleting the requesting node from the target logical distance group.

6. The resource allocation method according to claim 5, characterized in that it further comprises:
determining all logical distance groups of the target allocatable node, and determining, among all those logical distance groups, the nearest node corresponding to the target allocatable node;
if the nearest node hits the target logical distance group, adding the nearest node to the target logical distance group.

7. The resource allocation method according to claim 1, characterized in that, if the requesting node does not hit the target logical distance group, determining a target node according to the target logical distance group and allocating the computing request to the target node comprises:
if the requesting node does not hit the target logical distance group, determining whether the number of allocatable nodes in the target logical distance group has reached the preset number;
if the preset number has not been reached, adding the requesting node to the target logical distance group as the target node, and allocating the computing request to the target node;
if the preset number has been reached, selecting the target node within the target logical distance group, and allocating the computing request to the target node.

8. The resource allocation method according to claim 7, characterized in that adding the requesting node to the target logical distance group as the target node and allocating the computing request to the target node comprises:
if the network status of the requesting node is online and its available resources reach a preset threshold, adding the requesting node to the target logical distance group as the target node, and allocating the computing request to the target node;
if the network status of the requesting node is offline, or its available resources do not reach the preset threshold, selecting the target node within the target logical distance group, and allocating the computing request to the target node.

9. The resource allocation method according to claim 8, characterized in that, if the network status of the requesting node is offline, or its available resources do not reach the preset threshold, after selecting the target node within the target logical distance group and allocating the computing request to the target node, the method further comprises:
determining all logical distance groups of the target node, and determining, among all those logical distance groups, the nearest node corresponding to the target node;
if the nearest node hits the target logical distance group, adding the nearest node to the target logical distance group.

10. The resource allocation method according to claim 7, characterized in that selecting the target node within the target logical distance group and allocating the computing request to the target node comprises:
in the target logical distance group, selecting an allocatable node whose network status is online and whose available resources reach a preset threshold as the target node;
allocating the computing request to the target node.

11. The resource allocation method according to claim 1, characterized in that, for each node in the distributed confidential computing cluster, all logical distance groups corresponding to the node are obtained from the logical topology network corresponding to the node, and the logical topology network is obtained by constructing a binary tree according to the distances between the node and the other nodes in the distributed confidential computing cluster;
in the logical topology network corresponding to the current node, the nodes in each subtree, not exceeding the preset number, are combined into one logical distance group corresponding to the current node.

12. The resource allocation method according to any one of claims 1 to 11, characterized in that the node information includes a remote attestation; if the requesting node hits the target logical distance group, allocating the computing request to the requesting node comprises:
if the requesting node hits the target logical distance group, negotiating a session key with the requesting node according to the remote attestation;
encrypting the computing request with the session key to obtain an encrypted computing request;
allocating the encrypted computing request to the requesting node.

13. The resource allocation method according to claim 12, characterized in that the node information further includes a node ID, a node IP and a node location; allocating the encrypted computing request to the requesting node comprises:
allocating the encrypted computing request to the requesting node according to the node ID, the node IP and the node location.

14. The resource allocation method according to claim 13, characterized in that the node ID includes encoding information of the node location and hash information of the node IP.

15. The resource allocation method according to claim 12, characterized in that it further comprises:
initiating a remote attestation challenge to the requesting node and sending a random number to the requesting node, so that the requesting node responds to the remote attestation challenge and generates a requesting-node remote attestation that contains the random number;
obtaining the requesting-node remote attestation and verifying it, and saving the requesting-node remote attestation when the verification passes.

16. The resource allocation method according to claim 1, characterized in that it further comprises:
obtaining local available resources in real time;
if the local available resources are lower than a preset threshold, determining the nearest node among all logical distance groups of the current node;
migrating the node load of the current node to the nearest node.

17. A resource allocation device, characterized in that it is applied to any node in a distributed confidential computing cluster, and the device comprises:
a determination module, configured to determine, when a computing request is received, a requesting node corresponding to the computing request;
an acquisition module, configured to acquire all logical distance groups of the current node, and to determine, among all the logical distance groups, the target logical distance group closest to the requesting node; each logical distance group corresponding to the current node includes no more than a preset number of allocatable nodes, and the distance between each allocatable node and the current node does not exceed the distance range specified by the corresponding logical distance group; the current node pre-stores the node information of all the allocatable nodes;
a first allocation module, configured to allocate the computing request to the requesting node if the requesting node hits the target logical distance group;
a second allocation module, configured to determine a target node according to the target logical distance group and allocate the computing request to the target node if the requesting node does not hit the target logical distance group.

18. An electronic device, characterized in that it comprises:
a memory, configured to store a computer program;
a processor, configured to implement the steps of the resource allocation method according to any one of claims 1 to 16 when executing the computer program.

19. A non-volatile storage medium, characterized in that a computer program is stored on the non-volatile storage medium, and when the computer program is executed by a processor, the steps of the resource allocation method according to any one of claims 1 to 16 are implemented.

20. A computer program product, comprising a computer program/instructions, characterized in that when the computer program/instructions are executed by a processor, the steps of the resource allocation method according to any one of claims 1 to 16 are implemented.
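The decision procedure of claims 1 to 5, 7, 8 and 10, which is also the program listed for memory 11 in the description, can be traced with the following added example; it is not code from the patent or its applicant. It assumes integer node IDs, XOR as the logical distance with group i covering distances in [2^i, 2^(i+1)), a closest-to-requester tie-break when a fallback node is selected, and an in-memory `cluster` table standing in for live status queries; all names are hypothetical.

```python
from dataclasses import dataclass


@dataclass
class NodeInfo:
    """Pre-stored node information plus the status fields the claims consult."""
    node_id: int
    online: bool = True
    free: int = 100  # available resource units (constructed scale)


def distance(a: int, b: int) -> int:
    # Assumption: XOR metric; the patent only says groups derive from a binary tree.
    return a ^ b


def group_index(self_id: int, other_id: int) -> int:
    """Index of the logical distance group whose range contains other_id."""
    d = distance(self_id, other_id)
    if d == 0:
        raise ValueError("requesting node is the current node; not covered by the claims")
    return d.bit_length() - 1


class Allocator:
    def __init__(self, self_id, cluster, k=2, threshold=10):
        self.self_id = self_id
        self.cluster = cluster      # node_id -> NodeInfo, stand-in for status lookups
        self.k = k                  # preset number of allocatable nodes per group
        self.threshold = threshold  # preset available-resource threshold
        self.groups = {}            # group index -> list of allocatable node ids

    def _usable(self, nid):
        node = self.cluster[nid]
        return node.online and node.free >= self.threshold

    def _pick(self, members, requester):
        # Claims 4 and 10: choose an online member with enough resources.
        ok = [m for m in members if self._usable(m)]
        return min(ok, key=lambda m: distance(m, requester)) if ok else None

    def allocate(self, requester):
        """Return (chosen node id or None, branch label) for one computing request."""
        members = self.groups.setdefault(group_index(self.self_id, requester), [])
        if requester in members:                        # hit (claim 1)
            info = self.cluster[requester]
            if not info.online:                         # claims 2 and 5
                members.remove(requester)
                return self._pick(members, requester), "hit-offline"
            if info.free < self.threshold:              # claim 3
                return self._pick(members, requester), "hit-busy"
            return requester, "hit"
        # miss: admit the requester only if the group has room (claim 7)
        # and the requester is online with enough resources (claim 8)
        if len(members) < self.k and self._usable(requester):
            members.append(requester)
            return requester, "miss-joined"
        return self._pick(members, requester), "miss-fallback"


def demo():
    cluster = {i: NodeInfo(i) for i in range(1, 8)}     # constructed sample cluster
    alloc = Allocator(self_id=0, cluster=cluster, k=2, threshold=10)
    out = [alloc.allocate(n) for n in (5, 6, 7, 5)]
    cluster[5].online = False                           # node 5 drops off the network
    out.append(alloc.allocate(5))
    cluster[6].free = 3                                 # node 6 runs short of resources
    out.append(alloc.allocate(6))
    out.append(alloc.allocate(4))
    out.append(alloc.allocate(6))
    return out, alloc.groups


if __name__ == "__main__":
    for row in demo()[0]:
        print(row)
```

A result of `None` means no member of the target group is both online and above the threshold, a case the claims leave open and a caller has to handle.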
Application number: CN202411346159.9A
Priority date: 2024-09-26
Filing date: 2024-09-26
Title: Resource allocation method, device, electronic equipment, storage medium and program product
Status: Active
Granted publication: CN118860673B (en)

Priority Applications (1)

Application Number | Priority Date | Filing Date | Title
CN202411346159.9A | 2024-09-26 | 2024-09-26 | Resource allocation method, device, electronic equipment, storage medium and program product

Publications (2)

Publication Number | Publication Date
CN118860673A (en) | 2024-10-29
CN118860673B (en) | 2025-04-25

Family ID: 93181271

Country Status (1)

Country | Link
CN (1) | CN118860673B (en)

Also Published As

Publication number | Publication date
CN118860673B (en) | 2025-04-25

Legal Events

Date | Code | Title | Description
PB01 | Publication
SE01 | Entry into force of request for substantive examination
GR01 | Patent grant
