Disclosure of Invention
The application provides a tenant isolation method, device and related equipment.
In a first aspect, the present application provides a tenant isolation method, the method comprising:
determining a target computing server allocated to a target tenant, and determining a tenant network segment allocated to the target tenant;
splitting the tenant network segment into m server network segments based on the number n of parameter network cards of the target computing servers, and allocating one server network segment to the parameter network cards of all target computing servers that connect to the same Leaf device, wherein m and n are positive integers, and m is greater than or equal to n;
For each Leaf device, respectively creating a logic virtual interface corresponding to each target tenant on each Leaf device according to each physical downlink interface for accessing each target computing server;
and on each logical virtual interface, configuring an access strategy for isolating the target tenant from other tenants based on the tenant network segment.
Optionally, the step of determining a target computing server allocated to a target tenant, and determining a tenant network segment allocated to the target tenant comprises:
Receiving target tenant information sent by a cloud, wherein the target tenant information comprises a target tenant name, target computing server information distributed for the target tenant and tenant network segment information distributed for the target tenant;
And determining a target computing server and a tenant network segment allocated to the target tenant based on the target tenant information.
Optionally, if the target tenant information does not include the tenant network segment information allocated for the target tenant, the step of determining the tenant network segment allocated for the target tenant includes:
And determining an available network segment meeting preset conditions from a preset address pool, and distributing the available network segment serving as a tenant network segment to the target tenant.
Optionally, on each logical virtual interface, the step of configuring an access policy for isolating the target tenant from other tenants based on the tenant network segment includes:
assigning a VLAN ID to each logical virtual interface, and using each logical virtual interface as the gateway interface of the corresponding server network segment;
and configuring, on each logical virtual interface, an ACL that rejects all traffic by default and an ACL that permits traffic whose source and destination both belong to the tenant network segment.
Optionally, the method further comprises:
when a tenant is detected as being offline, the computing server and the tenant network segment assigned to the tenant are recovered.
In a second aspect, the present application provides a tenant isolation device, the device comprising:
A determining unit, configured to determine a target computing server allocated to a target tenant, and determine a tenant network segment allocated to the target tenant;
The splitting unit is used for splitting the tenant network segment into m server network segments based on the number n of parameter network cards of the target computing servers, and allocating one server network segment to the parameter network cards of all target computing servers that connect to the same Leaf device, wherein m and n are positive integers, and m is greater than or equal to n;
The creating unit is used for creating, on each Leaf device, a logical virtual interface corresponding to the target tenant according to each physical downlink interface used to access each target computing server;
and the configuration unit is used for configuring, on each logical virtual interface, access policies for isolating the target tenant from other tenants on the basis of the tenant network segment.
Optionally, when determining a target computing server allocated to a target tenant and determining a tenant network segment allocated to the target tenant, the determining unit is specifically configured to:
Receiving target tenant information sent by a cloud, wherein the target tenant information comprises a target tenant name, target computing server information distributed for the target tenant and tenant network segment information distributed for the target tenant;
And determining a target computing server and a tenant network segment allocated to the target tenant based on the target tenant information.
Optionally, if the target tenant information does not include the tenant network segment information allocated to the target tenant, the determining unit is specifically configured to:
And determining an available network segment meeting preset conditions from a preset address pool, and distributing the available network segment serving as a tenant network segment to the target tenant.
Optionally, on each logical virtual interface, when the access policy for isolating the target tenant from other tenants is configured based on the tenant network segment, the configuration unit is specifically configured to:
assigning a VLAN ID to each logical virtual interface, and using each logical virtual interface as the gateway interface of the corresponding server network segment;
and configuring, on each logical virtual interface, an ACL that rejects all traffic by default and an ACL that permits traffic whose source and destination both belong to the tenant network segment.
Optionally, the apparatus further comprises:
And the recovery unit is used for recovering the computing server and the tenant network segment allocated to the tenant when the fact that one tenant is offline is detected.
In a third aspect, an embodiment of the present application provides a tenant isolation device, including:
a memory for storing program instructions;
A processor for invoking program instructions stored in said memory, performing the steps of the method according to any of the first aspects above in accordance with the obtained program instructions.
In a fourth aspect, embodiments of the present application also provide a computer-readable storage medium storing computer-executable instructions for causing a computer to perform the steps of the method according to any one of the first aspects.
In summary, the tenant isolation method provided by the embodiment of the application determines a target computing server allocated to a target tenant and a tenant network segment allocated to the target tenant; splits the tenant network segment into m server network segments based on the number n of parameter network cards of the target computing server, and allocates one server network segment to the parameter network cards of all target computing servers that connect to the same Leaf device, wherein m and n are positive integers and m is greater than or equal to n; creates, on each Leaf device, a logical virtual interface corresponding to the target tenant according to each physical downlink interface used to access each target computing server; and configures, on each logical virtual interface, an access policy for isolating the target tenant from other tenants based on the tenant network segment.
By adopting the tenant isolation method provided by the embodiment of the application, network-segment-based ACL rules are realized while meeting the requirement of multi-track networking, through the splitting and management of the tenant network segment and the server network segments. Because ACL traffic control uses the tenant network segment rather than individual network card addresses, the ACL pressure on the access devices during tenant traffic isolation is reduced, so that insufficient ACL capacity of the devices no longer limits the tenant network specification.
Detailed Description
The terminology used in the embodiments of the application is for the purpose of describing particular embodiments only and is not intended to be limiting of the application. As used in this specification and the appended claims, the singular forms "a," "an," and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise. It should also be understood that the term "and/or" as used herein refers to any or all possible combinations including one or more of the associated listed items.
It should be understood that although the terms first, second, third, etc. may be used in embodiments of the present application to describe various information, this information should not be limited to these terms. These terms are only used to distinguish one type of information from another. For example, first information may also be referred to as second information, and similarly, second information may also be referred to as first information, without departing from the scope of the application. Furthermore, depending on the context, the word "if" may be interpreted as "at the time of", "when", or "in response to a determination".
Currently, in intelligent computing center networking, there is a communication requirement between the same-numbered GPUs (Graphics Processing Unit, graphics processor) of each computing server, and networking is required to follow a multi-track communication mode. In the following, the Leaf device has 128 downlink ports (it can access the same-numbered network card, i.e. the network card attached to the same-numbered GPU, of 128 servers), and each server has 8 parameter network cards. As shown in fig. 1, one Leaf (Leaf-1) accesses the first network card of the 128 servers (the figure shows only the first network cards of 4 servers), and the first network cards of the 128 servers belong to one network segment 192.168.10.1/24 (network segment 1); one Leaf (Leaf-2) accesses the second network card of the 128 servers (the figure shows only the second network cards of 4 servers), and the second network cards of the 128 servers belong to one network segment 192.168.20.1/24 (network segment 2); and so on, the figure shows the fourth network cards of 4 servers, and the fourth network cards of the 128 servers belong to network segment 192.168.40.1 (network segment 4).
When tenant isolation is performed under this networking mode, suppose tenant 1 is allocated server 1 and server 2 (assuming 8-network-card servers: network card 1 of server 1 is accessed by Leaf-1, network card 2 by Leaf-2, ..., and network card 8 by Leaf-8; likewise network card 1 of server 2 is accessed by Leaf-1, network card 2 by Leaf-2, ..., and network card 8 by Leaf-8), and tenant 2 is allocated server 3 (network card 1 of server 3 is accessed by Leaf-1, network card 2 by Leaf-2, ..., and network card 8 by Leaf-8). If tenant 1 and tenant 2 are required to be isolated, an ACL must be configured on each Leaf device for each network card of each server, per network card IP address, denying traffic between the network cards of tenant 1's servers and the network cards of tenant 2's server. Even so, when the number of computing servers allocated to tenant 1 is large, a large number of ACLs need to be configured for each network card IP of each server, the requirements on device ACL rules are high, and the device ACL capacity becomes a limit on the single-tenant scale (number of computing servers). Moreover, the manual ACL configuration process is complicated, configuration errors easily cause service abnormality, and maintenance is complex.
The embodiment of the application provides a technology for carrying out dynamic distribution management of a network, which reduces configuration pressure, improves the support specification of network tenants and provides operation convenience for users through the cooperation of an SE controller and a cloud side.
Exemplary, referring to fig. 2, a detailed flowchart of a tenant isolation method according to an embodiment of the present application is shown, where the method includes the following steps:
step 200, determining a target computing server allocated to a target tenant, and determining a tenant network segment allocated to the target tenant.
It should be noted that, the tenant isolation method provided by the embodiment of the present application may be applied to a controller of a computing network, where the controller performs network planning based on allocation conditions of each computing server in the computing network, so as to implement isolation between tenants.
Specifically, in the embodiment of the present application, when determining the target computing server allocated to the target tenant and determining the tenant network segment allocated to the target tenant, a preferred implementation manner is as follows:
The method comprises the steps of receiving target tenant information sent by a cloud, wherein the target tenant information comprises a target tenant name, target computing server information distributed for the target tenant and tenant network segment information distributed for the target tenant, and determining the target computing server and the tenant network segment distributed for the target tenant based on the target tenant information.
That is, when the administrator creates a tenant in the cloud, the size of computing resources (i.e., the number of computing servers required) required by the tenant may be determined based on the tenant requirements, thereby selecting a target computing server allocated to the newly created tenant from the idle computing servers. For example, it is determined that server 1 and server 2 are allocated to tenant a, and server 1 and server 2 have 8 parameter network cards respectively to access the Leaf device, i.e. the total number of parameter network cards of server 1 and server 2 is 16. Next, based on the total number of parameter network cards, a network segment with the number of available IP addresses greater than or equal to the total number of parameter network cards may be allocated to the tenant a as a tenant network segment (tenant network segment a) allocated to the tenant a. The cloud end sends the information of the computing servers (the server 1 and the server 2) and the tenant network segment information allocated to the tenant to the controller, and the controller determines the computing server and the tenant network segment allocated to the tenant A based on the received tenant information.
In practical applications, the user may not specify the tenant network segment of the newly created tenant, that is, if the target tenant information does not include the tenant network segment information allocated to the target tenant, a preferred implementation manner when determining the tenant network segment allocated to the target tenant is:
And determining an available network segment meeting preset conditions from a preset address pool, and distributing the available network segment serving as a tenant network segment to the target tenant.
That is, the controller is preset with an address pool that includes a plurality of network segments. When it determines that the cloud has not allocated a network segment to the target tenant, it can determine, from the network topology information, the number of target computing servers allocated to the target tenant and the number of parameter network cards of each computing server, and from these the size of network segment the target tenant requires; it then allocates, from the address pool, a network segment whose available addresses meet the preset requirement, as the tenant network segment of the target tenant.
For example, if the number of addresses required by tenant A is p, the number of available addresses in the tenant network segment allocated to tenant A needs to be greater than or equal to p.
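The pool selection described above, written out as an added example (this is illustrative code, not the controller described in the application): the pool contents, the tenant names and the helper names are constructed for the example. It derives p from the number of target servers and the parameter network cards per server, picks the smallest free segment whose address count is at least p, and returns a segment to the pool when the tenant goes offline. As an added assumption beyond the page, the fit check also subtracts the network, broadcast and gateway addresses that each of the n later server segments will consume, so a tenant is never handed a block that turns out too small after splitting.

```python
import ipaddress

# Constructed example pool (these CIDRs are not from the application).
PRESET_ADDRESS_POOL = [
    "10.10.0.0/26",     # 64 addresses
    "10.10.1.0/25",     # 128 addresses
    "192.168.1.0/24",   # 256 addresses
]


def required_addresses(num_servers, nics_per_server):
    """p = one address per parameter network card of every target computing server."""
    return num_servers * nics_per_server


def usable_after_split(segment, n):
    """Assumption (not stated on the page): after the tenant segment is split into n
    server segments, each loses its network, broadcast and gateway address."""
    return segment.num_addresses - 3 * n


class TenantAddressPool:
    """Hands out tenant network segments from the preset pool and recovers them on tenant offline."""

    def __init__(self, segments):
        self._free = [ipaddress.ip_network(s) for s in segments]
        self._allocated = {}  # tenant name -> allocated network

    def allocate(self, tenant, num_servers, nics_per_server):
        if tenant in self._allocated:
            raise ValueError(f"{tenant} already holds {self._allocated[tenant]}")
        p = required_addresses(num_servers, nics_per_server)
        # Preset condition: enough addresses for every parameter network card.
        candidates = [s for s in self._free if usable_after_split(s, nics_per_server) >= p]
        if not candidates:
            raise LookupError(f"no free segment with >= {p} usable addresses for {tenant}")
        # Smallest fitting block first, so large blocks stay available for large tenants.
        chosen = min(candidates, key=lambda s: s.num_addresses)
        self._free.remove(chosen)
        self._allocated[tenant] = chosen
        return chosen

    def release(self, tenant):
        """Recovery step: the tenant is offline, so its segment returns to the pool."""
        segment = self._allocated.pop(tenant)
        self._free.append(segment)
        return segment

    def free_segments(self):
        return sorted(str(s) for s in self._free)


def demo():
    pool = TenantAddressPool(PRESET_ADDRESS_POOL)
    a = pool.allocate("tenant A", num_servers=2, nics_per_server=8)   # p = 16
    b = pool.allocate("tenant B", num_servers=12, nics_per_server=8)  # p = 96
    pool.release("tenant A")
    return str(a), str(b), pool.free_segments()


if __name__ == "__main__":
    print(demo())
```

Tenant A (2 servers, 16 NICs) fits the /26 (64 - 24 = 40 usable); tenant B (96 NICs) needs more than the /25 leaves after splitting (128 - 24 = 104 is enough, so it gets the /25). A tenant with 128 servers of 8 NICs would need 1024 addresses and is refused with a LookupError rather than silently receiving a /24.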
Step 210, splitting the tenant network segment into m server network segments based on the number n of parameter network cards of the target computing servers, and allocating one server network segment to the parameter network cards of all target computing servers that connect to the same Leaf device.
In the embodiment of the application, m and n are positive integers, and m is greater than or equal to n. In the following, m=n is taken as an example.
Specifically, after determining the target servers allocated to the target tenants (in the embodiment of the present application, the number of parameter network cards of the target servers accessing the Leaf is the same), the controller splits the tenant network segment into n server network segments according to the number n of parameter network cards of one target server.
Taking n = 8 as an example: the tenant 1 network segment is 192.168.1.0/24, and it is split into 8 server network segments, each with subnet mask /27 and each containing 32 IP addresses:
Server segment 1: 192.168.1.0/27 (gw: 192.168.1.30), address range 192.168.1.0-192.168.1.31;
Server segment 2: 192.168.1.32/27 (gw: 192.168.1.62), address range 192.168.1.32-192.168.1.63;
Server segment 3: 192.168.1.64/27 (gw: 192.168.1.94), address range 192.168.1.64-192.168.1.95;
Server segment 4: 192.168.1.96/27 (gw: 192.168.1.126), address range 192.168.1.96-192.168.1.127;
Server segment 5: 192.168.1.128/27 (gw: 192.168.1.158), address range 192.168.1.128-192.168.1.159;
Server segment 6: 192.168.1.160/27 (gw: 192.168.1.190), address range 192.168.1.160-192.168.1.191;
Server segment 7: 192.168.1.192/27 (gw: 192.168.1.222), address range 192.168.1.192-192.168.1.223;
Server segment 8: 192.168.1.224/27 (gw: 192.168.1.254), address range 192.168.1.224-192.168.1.255.
Next, the controller assigns server segment 1 to the first network cards of the target computing servers (server 1 and server 2 in this example), which access Leaf-1; assigns server segment 2 to the second network cards of server 1 and server 2, which access Leaf-2; and so on, up to assigning server segment 8 to the eighth network cards of server 1 and server 2, which access Leaf-8.
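The split and per-Leaf assignment of step 210, as an added example (illustrative code, not the controller of the application). It reproduces the n = 8 table above from the tenant segment 192.168.1.0/24: the gateway is taken as the last usable host of each server segment (matching the gw values listed), and server segment i is mapped to the i-th parameter network card of every target server, all of which attach to Leaf-i. The function names, the server names and the choice to hand out host addresses in order are assumptions of this example.

```python
import ipaddress


def split_tenant_segment(tenant_segment, n):
    """Split the tenant network segment into n equal server network segments (the m = n case)."""
    net = ipaddress.ip_network(tenant_segment)
    if n <= 0 or n & (n - 1):
        raise ValueError("n must be a power of two for an even split")
    # Each doubling of the segment count lengthens the prefix by one bit: /24 -> /27 for n = 8.
    new_prefix = net.prefixlen + (n.bit_length() - 1)
    if new_prefix > net.max_prefixlen - 2:
        raise ValueError("server segments would have no usable hosts")
    return list(net.subnets(new_prefix=new_prefix))


def gateway_of(server_segment):
    """Gateway address = last usable host, as in the table (192.168.1.0/27 -> 192.168.1.30)."""
    return server_segment.broadcast_address - 1


def plan_server_segments(tenant_segment, servers, n):
    """Return, per Leaf-i, the server segment, its gateway, and one address per target server's NIC i.

    The address layout (gateway first, then servers in order) is an assumption of this example.
    """
    plan = {}
    for i, seg in enumerate(split_tenant_segment(tenant_segment, n), start=1):
        gw = gateway_of(seg)
        usable = [h for h in seg.hosts() if h != gw]  # hosts() already drops network/broadcast
        if len(servers) > len(usable):
            raise ValueError(f"server segment {i} ({seg}) cannot address {len(servers)} servers")
        plan[f"Leaf-{i}"] = {
            "nic_index": i,
            "server_segment": seg,
            "gateway": gw,
            "nic_addresses": {srv: addr for srv, addr in zip(servers, usable)},
        }
    return plan


def render_table(tenant_segment, n):
    """Lines in the same shape as the table in the text, useful for eyeballing the split."""
    lines = []
    for i, seg in enumerate(split_tenant_segment(tenant_segment, n), start=1):
        lines.append(
            f"Server segment {i}: {seg} (gw: {gateway_of(seg)}), "
            f"address range {seg.network_address}-{seg.broadcast_address}"
        )
    return lines


if __name__ == "__main__":
    print("\n".join(render_table("192.168.1.0/24", 8)))
    plan = plan_server_segments("192.168.1.0/24", ["server 1", "server 2"], 8)
    for leaf, entry in plan.items():
        print(leaf, entry["server_segment"], entry["gateway"], entry["nic_addresses"])
```

With 128 servers per Leaf, as in the networking example of fig. 1, a /27 server segment (29 host addresses besides the gateway) is too small, and `plan_server_segments` raises instead of silently reusing addresses; that is the point at which the tenant segment chosen in step 200 has to be larger.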
Step 220, creating, on each Leaf device, a logical virtual interface corresponding to the target tenant according to each physical downlink interface used to access each target computing server.
The controller determines, based on the network topology, the physical downlink ports on Leaf-1 used to access server 1 and server 2 (the physical interfaces through which the same tenant, the target tenant, accesses the same Leaf), creates a logical virtual interface (e.g., a VLAN virtual interface) on Leaf-1, and joins the physical downlink ports used to access server 1 and server 2 to that VLAN virtual interface. Likewise, the controller determines the physical downlink ports on Leaf-2 through Leaf-8 used to access server 1 and server 2 (the physical interfaces through which the target tenant accesses the same Leaf), and creates a logical virtual interface on the corresponding Leaf.
For example, referring to fig. 3, a schematic diagram of logical virtual interface and server network segment allocation is provided in an embodiment of the present application, where server 1 and server 2 are computing servers allocated to tenant a, network cards 1 of server 1 and server 2 access Leaf-1, physical downstream interfaces of network cards used for accessing server 1 and server 2 on Leaf-1 form logical virtual interface 1, and server network segment 1 is allocated to logical virtual interface 1 and network cards 1 of server 1 and server 2.
Step 230, configuring, on each logical virtual interface, access policies for isolating the target tenant from other tenants based on the tenant network segment.
In the embodiment of the present application, when the access policy for isolating the target tenant from other tenants is configured on each logical virtual interface based on the tenant network segment, a preferred implementation manner is as follows:
Configuring, on each logical virtual interface, an ACL that rejects all traffic by default and an ACL that permits traffic whose source and destination both belong to the tenant network segment.
That is, after the VLAN virtual interface is created, a VLAN ID is assigned to it, and it is used as the gateway interface of the assigned server network segment, with the gateway address configured on it. The IP addresses of the network cards of the target servers accessing the virtual interface are the other available IP addresses in the server network segment, and at this time ACLs for isolating the target tenant from other tenants can be configured on the VLAN virtual interface.
For example, the following ACL rules are configured on the VLAN virtual interfaces corresponding to the target tenant on Leaf-1 through Leaf-8: (1) rule 999: deny all, which rejects all traffic by default; and (2) a permit rule with source tenant network segment 192.168.1.0/24 and destination tenant network segment 192.168.1.0/24, which allows only intra-tenant traffic. In this way, mutual access between the parameter network cards of server 1 and server 2 is realized, interaction between the parameter network cards of server 1 and server 2 and the servers of other tenants is blocked, and tenant isolation is achieved.
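The two-rule policy of step 230, as an added example (illustrative code, not configuration from the application or any vendor). It builds the permit/deny pair for a tenant segment, evaluates candidate flows against it with first-match semantics in ascending rule number, and renders a vendor-neutral pseudo-configuration for one Leaf's VLAN virtual interface. The rule numbering of the permit rule (1), the `0.0.0.0/0` encoding of "any", the `evaluate` helper and the pseudo-CLI syntax are assumptions of this example; the point it shows is that the rule count per interface stays at two however many servers the tenant has, because the match is on the tenant segment rather than on per-network-card addresses.

```python
import ipaddress
from dataclasses import dataclass

ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class AclRule:
    number: int                  # evaluation order: lowest number first
    action: str                  # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def tenant_isolation_acl(tenant_segment, permit_rule_number=1, deny_rule_number=999):
    """Permit intra-tenant traffic, deny everything else (the example's rule 999)."""
    seg = ipaddress.ip_network(tenant_segment)
    return [
        AclRule(permit_rule_number, "permit", seg, seg),
        AclRule(deny_rule_number, "deny", ANY, ANY),
    ]


def evaluate(acl, src_ip, dst_ip):
    """First-match lookup; if nothing matches, fall back to deny (defensive default)."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for rule in sorted(acl, key=lambda r: r.number):
        if s in rule.src and d in rule.dst:
            return rule.action
    return "deny"


def render_vlan_interface(leaf, vlan_id, server_segment, gateway, acl):
    """Pseudo-CLI for one Leaf's VLAN virtual interface (constructed syntax, no real vendor)."""
    seg = ipaddress.ip_network(server_segment)
    lines = [
        f"! {leaf}",
        f"interface vlan {vlan_id}",
        f"  ip address {gateway}/{seg.prefixlen}",
        f"  ip access-group tenant-acl in",
        "ip access-list tenant-acl",
    ]
    for rule in sorted(acl, key=lambda r: r.number):
        src = "any" if rule.src == ANY else str(rule.src)
        dst = "any" if rule.dst == ANY else str(rule.dst)
        lines.append(f"  rule {rule.number} {rule.action} ip {src} {dst}")
    return lines


def isolation_report(tenant_segment, flows):
    """Map each (src, dst) flow to the ACL verdict; used for verifying the policy before rollout."""
    acl = tenant_isolation_acl(tenant_segment)
    return {(s, d): evaluate(acl, s, d) for s, d in flows}


if __name__ == "__main__":
    acl = tenant_isolation_acl("192.168.1.0/24")
    print("\n".join(render_vlan_interface("Leaf-1", 101, "192.168.1.0/27", "192.168.1.30", acl)))
    # Constructed flows: server 1 NIC 1 -> server 2 NIC 2 (same tenant), and a foreign tenant address.
    print(isolation_report("192.168.1.0/24", [
        ("192.168.1.1", "192.168.1.33"),
        ("192.168.1.1", "192.168.2.5"),
        ("192.168.2.5", "192.168.1.1"),
    ]))
```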
Further, in the embodiment of the present application, when a tenant is detected as offline, the computing server and the tenant network segment allocated to that tenant are recovered.
Based on the same inventive concept as the above-described embodiments of the present application, an exemplary schematic structural diagram of a tenant isolation device provided in the embodiment of the present application is shown in fig. 4, where the device includes:
A determining unit 40, configured to determine a target computing server allocated to a target tenant, and determine a tenant network segment allocated to the target tenant;
A splitting unit 41, configured to split the tenant network segment into m server network segments based on the number n of parameter network cards of the target computing servers, and allocate a server network segment for each parameter network card of the same Leaf device to which each target computing server is connected, where m and n are positive integers, and m is greater than or equal to n;
A creating unit 42, configured to, for each Leaf device, create, on each Leaf device, a logical virtual interface corresponding to the target tenant according to each physical downlink interface used to access each target computing server;
and the configuration unit 43 is configured to configure access policies for isolating the target tenant from other tenants based on the tenant network segments on each logical virtual interface.
Optionally, when determining the target computing server allocated to the target tenant and determining the tenant network segment allocated to the target tenant, the determining unit 40 is specifically configured to:
Receiving target tenant information sent by a cloud, wherein the target tenant information comprises a target tenant name, target computing server information distributed for the target tenant and tenant network segment information distributed for the target tenant;
And determining a target computing server and a tenant network segment allocated to the target tenant based on the target tenant information.
Optionally, if the target tenant information does not include the tenant network segment information allocated to the target tenant, the determining unit 40 is specifically configured to:
And determining an available network segment meeting preset conditions from a preset address pool, and distributing the available network segment serving as a tenant network segment to the target tenant.
Optionally, on each logical virtual interface, when the access policy for isolating the target tenant from other tenants is configured based on the tenant network segment, the configuration unit 43 is specifically configured to:
assigning a VLAN ID to each logical virtual interface, and using each logical virtual interface as the gateway interface of the corresponding server network segment;
and configuring, on each logical virtual interface, an ACL that rejects all traffic by default and an ACL that permits traffic whose source and destination both belong to the tenant network segment.
Optionally, the apparatus further comprises:
And the recovery unit is used for recovering the computing server and the tenant network segment allocated to the tenant when the fact that one tenant is offline is detected.
The above units may be one or more integrated circuits configured to implement the above methods, such as one or more application specific integrated circuits (Application Specific Integrated Circuit, ASIC), one or more digital signal processors (Digital Signal Processor, DSP), one or more field programmable gate arrays (Field Programmable Gate Array, FPGA), or the like. As another example, when a unit is implemented in the form of a processing element that schedules program code, the processing element may be a general purpose processor, such as a central processing unit (Central Processing Unit, CPU) or another processor that can invoke the program code. As another example, the units may be integrated together and implemented in the form of a system-on-a-chip (SOC).
Further, at the hardware level, the tenant isolation device provided by the embodiment of the present application may be as shown in fig. 5, where the tenant isolation device includes a memory 50 and a processor 51.
The memory 50 is used for storing program instructions, and the processor 51 calls the program instructions stored in the memory 50 and executes the above-described method embodiments according to the obtained program instructions. The specific implementation and the technical effect are similar and are not repeated here.
Optionally, the present application also provides a controller comprising at least one processing element (or chip) for performing the above-described method embodiments.
Alternatively, the application also provides a program product, such as a computer-readable storage medium, having stored thereon computer-executable instructions for causing a computer to perform the above-described method embodiments.
Here, a machine-readable storage medium may be any electronic, magnetic, optical, or other physical storage device that can contain or store information, such as executable instructions, data, or the like. For example, the machine-readable storage medium may be RAM (Random Access Memory), volatile memory, non-volatile memory, flash memory, a storage drive (e.g., a hard drive), a solid state disk, any type of storage disk (e.g., optical disk, DVD, etc.), a similar storage medium, or a combination thereof.
The system, apparatus, module or unit set forth in the above embodiments may be implemented in particular by a computer chip or entity, or by a product having a certain function. A typical implementation device is a computer, which may be in the form of a personal computer, laptop computer, cellular telephone, camera phone, smart phone, personal digital assistant, media player, navigation device, email device, game console, tablet computer, wearable device, or a combination of any of these devices.
For convenience of description, the above devices are described as being functionally divided into various units, respectively. Of course, the functions of each element may be implemented in the same piece or pieces of software and/or hardware when implementing the present application.
It will be appreciated by those skilled in the art that embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, embodiments of the application may take the form of a computer program product on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, etc.) having computer-usable program code embodied therein.
The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems) and computer program products according to embodiments of the application. It will be understood that each flow and/or block of the flowchart illustrations and/or block diagrams, and combinations of flows and/or blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
Moreover, these computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
The foregoing description of the preferred embodiments of the application is not intended to be limiting, but rather to enable any modification, equivalent replacement, improvement or the like to be made within the spirit and principles of the application.