CN115189948A - Method and system for realizing container network plug-in CaaS platform - Google Patents
- Publication number: CN115189948A (application CN202210813616.5A)
- Authority: CN (China)
- Prior art keywords: container, macvlan, interface, subinterface, arp
- Legal status: Granted
Classifications
- H04L63/0236: Filtering by address, protocol, port number or service, e.g. IP-address or URL (under H04L63/00 network security; H04L63/02 separating internal from external traffic, e.g. firewalls; H04L63/0227 filtering policies)
- H04L61/103: Mapping addresses of different types across network layers, e.g. resolution of network layer into physical layer addresses or address resolution protocol [ARP] (under H04L61/00 addressing or naming; H04L61/09 mapping addresses; H04L61/10 mapping addresses of different types)
- H04L63/0272: Virtual private networks (under H04L63/00 network security; H04L63/02 separating internal from external traffic, e.g. firewalls)
Abstract
The invention discloses a method and a system for realizing a container network plug-in in a CaaS platform. The system comprises: a plurality of containers, each container comprising a corresponding container network card; a plurality of virtual routing forwarding (vrf) routing domains, each connected to one container network card in a one-to-one correspondence; and a macvlan parent interface connected to the plurality of vrf routing domains. Every vrf routing domain includes: a virtual network device (veth) interface connected to the corresponding container network card, the veth interface being configured with a virtual IP address; and a macvlan subinterface connected to the veth interface and configured with the same IP address and mac address as the container network card. The technical scheme of the invention solves the problem that the prior art cannot realize traffic isolation between containers and the K8s service function at the same time.
Description
Technical Field
The invention relates to the technical field of CaaS (Container as a Service), in particular to a method and a system for realizing a container network plug-in in a CaaS platform.
Background
CaaS (Container as a Service) takes the container as its basic resource, performs container-based abstract management and application deployment, and is a common deployment mechanism for cloud-native applications and microservices. In addition, CaaS can improve portability between application environments, whether in a hybrid environment or a multi-cloud environment.
As shown in Fig. 1, the structure of a conventional CaaS platform includes: a container 101, a node network card 102, a kubelet 103, a kube-proxy 104, and a node 110. The node 110 is a virtual machine that hosts containers, and all nodes are Kubernetes nodes; the actual services run in the container 101; the node network card 102 is the data path between the container 101 and the outside of the node 110; the kubelet 103 is the module K8s uses to manage the node, and kube-proxy 104 is the network proxy component that maintains the network rules on the node. To realize network communication between a container in the CaaS platform and the outside, a container network interface (CNI) plug-in is required. The CNI workflow is as follows: 1. a user issues a container creation instruction; 2. the kubelet 103 receives the instruction and calls the container runtime interface (CRI) to create a Pause container; 3. the CRI calls the CNI and passes the container-related parameters to the relevant CNI module; 4. after receiving the container creation instruction, the CNI sets the container IP on the node network card, configures container network connectivity, adds network devices such as routes, and finally returns the creation result.
In addition, the container network plug-in CNI can be implemented by various schemes, such as MacVlan and Linux Bridge. The MacVlan architecture is shown in Fig. 2: the MacVlan scheme creates two MacVlan subinterfaces 203, MacVlan1 and MacVlan2, directly on the network card eth0 202 of the node 210, and data passes directly from the container 201 to the switching device outside the network card. The Linux Bridge scheme is shown in Fig. 3: in a node 310, the Linux Bridge module 301 provided by Linux is used as the forwarding plane of the container 303, and the layer-3 iptables rules of the iptables module 302 are invoked during layer-2 forwarding through bridge-nf (bridge netfilter), so that the K8s service rules are realized.
However, in the MacVlan scheme the container data leaves the node directly without passing through the node's protocol stack, so the container cannot interact with iptables to realize the K8s service function; the Linux Bridge scheme can realize the K8s service functions through bridge-nf, but the traffic inside the bridge is forwarded directly between ports, so traffic isolation between containers cannot be realized. In summary, there is a need for a container network plug-in that provides inter-container traffic isolation.
Disclosure of Invention
The invention provides a method and a system for realizing a container network plug-in a CaaS platform, and aims to solve the problem that the prior art cannot realize flow isolation between containers.
To achieve the above object, according to a first aspect of the present invention, the present invention provides a system for implementing a container network plug-in a CaaS platform, including:
a plurality of containers, each container including a corresponding container network card;
a plurality of virtual routing forwarding vrf routing domains which are respectively connected with the container network cards in a one-to-one correspondence manner;
and, a macvlan parent interface connected to the plurality of vrf routing domains;
wherein, every vrf routing domain includes:
a virtual network device (veth) interface connected to the corresponding container network card, wherein the veth interface is configured with a virtual IP address;
and the macvlan subinterface is connected with the veth interface and is configured with the same IP address and mac address as the container network card.
Preferably, in the system for implementing the container network plug-in, the veth interface is configured with a mac address and an arp proxy, and is configured to respond to arp requests sent by all containers using the mac address of the veth interface.
Preferably, in the system for implementing a container network plug-in, the vrf routing domain further includes:
the service conversion module is connected between the container network card and the veth interface;
and an iptables module connected to the service conversion module;
the service conversion module is configured to forward the data traffic flowing in from the container or the veth interface to the kernel protocol stack, so as to realize the K8s service function by interacting with the iptables module.
Preferably, the system for implementing the container network plug-in further includes:
the arp request filtering module is arranged between the vrf routing domain and the macvlan parent interface; wherein,
an arptables submodule is arranged in the arp request filtering module, and contains arp request filtering rules.
Preferably, the system for implementing the container network plug-in further includes: a node management network card connected to each container.
According to a second aspect of the present invention, the present invention further provides an implementation method of a container network plug-in a CaaS platform, which is used in the implementation system of the container network plug-in any of the above technical solutions, where the implementation method of the container network plug-in includes:
a veth interface of a vrf routing domain acquires an arp request packet sent by a corresponding container;
the veth interface replies an arp request packet by using a mac address of the veth interface, and obtains and feeds back an arp reply packet to the container;
the veth interface acquires the IP message generated by the container according to the arp reply packet, and forwards the IP message to the macvlan subinterface of the vrf routing domain;
and the macvlan subinterface sends the IP message according to the real mac address corresponding to the IP message.
Preferably, before the step of obtaining the arp packet sent by the container through the veth interface, the method for implementing the container network plug-in further includes:
the macvlan subinterface acquires an arp request packet sent by an external client, and generates and feeds back a corresponding arp reply packet according to the mac address of the macvlan subinterface;
and the macvlan subinterface acquires the IP data packet sent by the external client according to the arp reply packet, and forwards the IP data packet to the container.
Preferably, in the method for implementing a container network plug-in, the step of sending the IP packet by the macvlan sub-interface according to the real mac address corresponding to the IP packet includes:
the macvlan subinterface sends an arp request packet according to the IP address corresponding to the IP message to obtain a real mac address;
and the macvlan subinterface sends the IP message to the client corresponding to the real mac address.
Preferably, in the method for implementing the container network plug-in, the step of acquiring, by the macvlan subinterface, the arp request packet sent by the external client, and generating and feeding back the corresponding arp reply packet according to the mac address of the macvlan subinterface includes:
the macvlan subinterface uses the IP address and mac address of the container, and configures the IP address and mac address of the macvlan subinterface;
the macvlan subinterface acquires an arp request packet sent by an external client according to the IP address of the macvlan subinterface;
the macvlan subinterface generates an arp reply packet corresponding to the arp request packet, the arp reply packet including the mac address of the macvlan subinterface.
Preferably, the method for implementing the container network plug-in further includes:
the service conversion module sends the data flow flowing in from the container or the veth interface to a kernel protocol stack;
the kernel protocol stack realizes the K8s service function through the interaction of data flow and the iptable module.
Preferably, before the step of generating and feeding back the corresponding arp reply packet according to the mac address of the macvlan sub-interface, the method for implementing the container network plug-in further includes:
filtering the obtained arp request packet by using an arp filtering module according to the arp request filtering rule to obtain an arp request packet allowed by the arp request filtering rule;
the arp filter module sends the arp request packet allowed by the arp request filter rule to the macvlan subinterface.
In summary, in the implementation scheme of the container network plug-in for the CaaS platform provided by the technical solution of the present invention, a plurality of containers are provided, each including a corresponding container network card, so that each container has a unique corresponding IP; a plurality of virtual routing forwarding (vrf) routing domains are connected to the containers in a one-to-one correspondence, so that each vrf routing domain can send the data of its container directly to the outside through the macvlan parent interface and forward outside data to its container, thereby implementing traffic isolation between the containers. Each vrf routing domain comprises a virtual network device (veth) interface connected to the container network card; the veth interface is configured with a virtual IP address and is connected to a macvlan subinterface, which is configured with the same IP address and mac address as the container network card. Thus the veth interface of the vrf routing domain obtains the arp request packet sent by the corresponding container and replies to it with its own mac address, feeding the arp reply packet back to the container; the veth interface therefore isolates the container from external nodes and from other containers, protecting the data inside the container.
In addition, the veth interface acquires the IP packet that the container generates according to the arp reply packet and forwards it to the macvlan subinterface of the vrf routing domain, and the macvlan subinterface sends the IP packet according to the real mac address corresponding to it, so that the information exchange between the container and an external node or an external container is isolated and the data security of the container is protected. In summary, the above approach solves the problem that the prior art cannot achieve traffic isolation between containers.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, it is obvious that the drawings in the following description are only some embodiments of the present invention, and for those skilled in the art, other drawings can be obtained according to the structures shown in the drawings without creative efforts.
Fig. 1 is a schematic structural diagram of a CaaS platform provided in the prior art;
Fig. 2 is a schematic structural diagram of a MacVlan architecture provided in the prior art;
Fig. 3 is a schematic structural diagram of a Linux Bridge architecture provided in the prior art;
Fig. 4 is a schematic structural diagram of an implementation system of a container network plug-in in a CaaS platform according to an embodiment of the present disclosure;
Fig. 5 is a schematic diagram of a vrf routing domain according to the embodiment shown in Fig. 4;
Fig. 6 is a schematic structural diagram of a service conversion module according to the embodiment shown in Fig. 4;
Fig. 7 is a block diagram of an arp request filtering module according to the embodiment shown in Fig. 4;
Fig. 8 is a schematic flowchart of a method for implementing a container network plug-in in a CaaS platform according to an embodiment of the present invention;
Fig. 9 is a schematic flowchart of a method for forwarding an IP packet according to the embodiment shown in Fig. 8;
Fig. 10 is a schematic flowchart of a method for implementing a container network plug-in in a CaaS platform according to a second embodiment of the present invention;
Fig. 11 is a flowchart of a method for proxy-answering an arp request packet according to the embodiment shown in Fig. 10;
Fig. 12 is a schematic flowchart of a method for implementing a container network plug-in in a CaaS platform according to a third embodiment of the present invention;
Fig. 13 is a flowchart of a method for implementing a container network plug-in in a CaaS platform according to a third embodiment of the present invention.
The implementation, functional features and advantages of the objects of the present invention will be further explained with reference to the accompanying drawings.
Detailed Description
It should be understood that the specific embodiments described herein are merely illustrative of the invention and are not intended to limit the invention.
The embodiment of the invention mainly solves the technical problems that:
Implementation of the container network plug-in: in the Linux Bridge scheme, the K8s service functions can be realized through bridge-nf, but the traffic inside the bridge is forwarded directly between ports, so traffic isolation between containers cannot be realized.
To solve the above problem, the following embodiments of the present application provide an implementation scheme of a container network plug-in in a CaaS platform, in which the container network plug-in is connected between a container and a macvlan interface through a vrf routing domain, so that the traffic between the container and other containers is isolated and the security of the container's I/O data is protected.
To achieve the above object, referring to fig. 4, fig. 4 is a system for implementing a container network plug-in a CaaS platform according to a first aspect of the present invention, which is provided by an embodiment of the present invention and includes:
A plurality of containers 401, each comprising a corresponding container network card 4011. The network card has a unique IP address, so that each container can be connected to the outside through its container network card.
A plurality of virtual routing forwarding (vrf) routing domains 402, connected to the container network cards in a one-to-one correspondence. Because each vrf routing domain is connected to exactly one container network card, data flowing into or out of a container must be forwarded through its vrf routing domain; the container is thereby isolated from devices outside the node and from other containers in the node, which protects the container's data. The vrf routing domain uses Linux native components, does not depend on external components, and can realize a container network connectivity scheme for the container platform. In addition, vrf is a Linux native module: traffic forwarded between the network card and the external interface through the vrf passes through the whole kernel protocol stack, so the service function can be realized.
A macvlan parent interface 4023 connected to the plurality of vrf routing domains 402. The macvlan parent interface 4023 receives external data and passes it to the vrf routing domain 402, which discriminates the data and feeds it back to the container 401; conversely, the vrf routing domain sends the container's data to external devices through the macvlan parent interface 4023, so that the container 401 is hidden and its data is protected.
Wherein each vrf routing domain 402 comprises:
A virtual network device (veth) interface 4021 connected to the container network card 4011, wherein the veth interface 4021 is configured with a virtual IP address.
A macvlan subinterface 4022 connected to the veth interface 4021, wherein the macvlan subinterface 4022 is configured with the same IP address and mac address as the container network card 4011.
The macvlan interface corresponding to the container 401 is configured with the same IP address and mac address as the container 401, and the macvlan interface is also configured with proxy_arp. When an external host requests the mac address of the container 401, the macvlan interface answers the arp packet instead of the container; because it carries the same addresses as the container 401, the macvlan interface of the vrf routing domain 402 achieves the same effect as if the container 401 itself had answered the external arp packet.
The veth interface 4021 and the macvlan interface are placed in the same vrf routing domain, and each vrf contains the following routing rules: 1. traffic that the container 401 sends to its own subnet is forwarded by normal layer-2 forwarding; 2. the container's default outgoing traffic is forwarded to the subnet gateway; 3. incoming traffic from external devices is forwarded to the container 401.
In summary, in the implementation scheme of the container 401 network plug-in of the CaaS platform provided in the above embodiment of the present invention, a plurality of containers 401 are arranged in the node 410, each container 401 including a corresponding container network card 4011, so that each container 401 has a unique corresponding IP; a plurality of virtual routing forwarding (vrf) routing domains 402 are connected to the containers 401 in a one-to-one correspondence, so that each vrf routing domain 402 can send the data of its container 401 directly to the outside through the macvlan parent interface 4023 and forward external data to its container 401, thereby achieving traffic isolation between the containers 401. Each vrf routing domain 402 includes a virtual network device (veth) interface 4021 connected to the container network card 4011; a virtual IP address is configured on the veth interface 4021, the veth interface 4021 is connected to a macvlan subinterface 4022, and the same IP address and mac address as those of the container network card 4011 are configured on the macvlan subinterface 4022. Thus the veth interface 4021 of the vrf routing domain 402 obtains the arp request packet sent by the corresponding container 401 and replies to it with its own mac address, feeding the arp reply packet back to the container 401; in this way the veth interface 4021 isolates the container 401 from external nodes and from other containers 401, protecting the data inside the container 401.
In addition, the veth interface 4021 acquires the IP packet that the container 401 generates according to the arp reply packet and forwards it to the macvlan subinterface 4022 of the vrf routing domain 402; the macvlan subinterface 4022 sends the IP packet according to the real mac address corresponding to it, so that the information exchange between the container 401 and an external node or external container is isolated and the data security of the container 401 is protected. In summary, the above approach solves the problem that the prior art cannot achieve traffic isolation between containers 401.
As a preferred embodiment, as shown in Fig. 5, in the implementation system of the container 401 network plug-in provided in this embodiment of the present application, the veth interface 4021 is configured with a mac address and an arp proxy, and is configured to answer the arp requests sent by all containers 401 with the mac address of the veth interface 4021.
In the technical scheme provided by this embodiment, the veth interface 4021 is configured with a virtual IP address that serves only as the next-hop address for route forwarding and is never exposed, and the veth interface 4021 is configured with proxy_arp so that every arp request sent out of the container 401 is answered with the mac address of the veth interface 4021. Specifically, the veth interface 4021 of the vrf routing domain 402 acquires an arp request packet sent by the corresponding container 401; the veth interface 4021 replies to the arp request packet with its own mac address and feeds the arp reply packet back to the container 401; the veth interface 4021 acquires the IP packet that the container 401 generates according to the arp reply packet and forwards it to the macvlan subinterface 4022 of the vrf routing domain 402; and the macvlan subinterface 4022 sends the IP packet according to the real mac address corresponding to the IP packet.
In addition, as a preferred embodiment, as shown in fig. 6, in the implementation system of the container 401 network plug-in, the vrf routing domain 402 further includes:
a service conversion module 501 connected between the container network card 4011 and the veth interface 4021;
and an iptables module 4024 connected to the service conversion module 501;
the service conversion module is configured to forward the data traffic flowing in from the container 401 or the veth interface 4021 to the kernel protocol stack 502, so as to interact with the iptables module 4024 and implement the K8s service function (i.e., the service function).
One of the most important functions of the container 401 network is to implement K8s services, such as ClusterIP and NodePort. In this embodiment the service conversion module 501 is provided, and it can be the kube-proxy module, because the K8s service rules are managed by kube-proxy. By default kube-proxy is implemented with the iptables module 4024, so the service function of the container 401 network is realized by making the traffic pass correctly through the iptables path. The vrf routing domain 402 is a Linux native module; traffic forwarded between the veth 4021 and the container network card 4011 through the vrf routing domain 402 passes through the whole kernel protocol stack, so the service function can be realized.
In addition, as a preferred embodiment, as shown in fig. 7, the system for implementing the network plug-in of the container 401 provided in the above embodiment of the present application further includes:
the arp request filtering module 601 is arranged between the vrf routing domain 402 and the macvlan parent interface 4023; wherein,
an arptables submodule is built into the arp request filtering module 601 and contains the arp request filtering rules.
In the technical scheme provided by this embodiment, the arp request filtering module 601 is provided, the arptables submodule is built into the arp request filtering module 601, the arp request filtering rules are built into the arptables submodule, and the filtering rules, namely drop rules, express the user's arp filtering requirements. In the routing domain shown in Fig. 4, the macvlan interface has proxy_arp enabled, so it would answer every external arp request, which would cause traffic anomalies on other nodes; the present application therefore includes an arp request filtering module that filters incoming arp requests and prevents incorrect arp responses. The arp request filtering module is implemented with arptables, a default drop rule (i.e., the arp request filtering rule) is added by default, and each container 401 can set its own drop rules.
In addition, as a preferred embodiment, as shown in Fig. 4, the system for implementing the network plug-in of the container 401 provided in this embodiment further includes, in addition to the above modules, a node management network card 4025 connected to each container 401. Through the node management network card 4025 the node can be managed, and the node management network card 4025 can provide a uniform IP address for all the containers 401, forming a local area network inside the node.
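The routing domain described above (one VRF per container, a veth whose host end carries a hidden next-hop IP and proxy_arp, a macvlan subinterface cloned with the container's IP and MAC, the three routing rules listed for the vrf, and the arptables drop rule of the filtering module) can be assembled from Linux native tools. The following shell script is an added example, not code from the patent or its applicant: it emits (or, with DRY_RUN=0 as root, executes) the iproute2, sysctl and arptables commands for one container. The interface names, the VRF table number, the 169.254.1.1 next-hop address, a network namespace named after the container, the use of `ip route replace` to override the local route the kernel adds for the macvlan IP, and the arptables-legacy option syntax are all assumptions of this example, not specifics from the patent.

```shell
#!/bin/sh
# Added example (not the patent's own code): emits the commands that build one
# per-container VRF routing domain. Names, table numbers and the 169.254.1.1
# next-hop address are assumptions; run as root with DRY_RUN=0 to apply them.
set -eu

# run: print the command when DRY_RUN=1 (default), execute it otherwise.
run() {
  if [ "${DRY_RUN:-1}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# subnet_of ADDR PLEN: network address of ADDR/PLEN (e.g. 10.10.3.77 24 -> 10.10.3.0).
subnet_of() {
  addr=$1 plen=$2
  oldifs=$IFS; IFS=.; set -- $addr; IFS=$oldifs
  n=$(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
  mask=$(( (4294967295 << (32 - plen)) & 4294967295 ))
  n=$(( n & mask ))
  printf '%d.%d.%d.%d' $(( (n >> 24) & 255 )) $(( (n >> 16) & 255 )) $(( (n >> 8) & 255 )) $(( n & 255 ))
}

# setup_container_vrf NAME IP PREFIX MAC GATEWAY PARENT_IF TABLE
#   vrf-NAME        the VRF (one routing domain per container)
#   NAME-h / NAME-c veth pair: host end in the VRF, container end moved into netns NAME
#   mvl-NAME        macvlan subinterface of PARENT_IF carrying the container's IP and MAC
setup_container_vrf() {
  name=$1 ip=$2 prefix=$3 mac=$4 gw=$5 parent=$6 table=$7
  vrf="vrf-$name" vh="$name-h" vc="$name-c" mvl="mvl-$name"
  subnet=$(subnet_of "$ip" "$prefix")

  # 1. VRF device with its own routing table
  run ip link add "$vrf" type vrf table "$table"
  run ip link set "$vrf" up

  # 2. veth pair; the host end is the container's only next hop and answers all its ARP
  run ip link add "$vh" type veth peer name "$vc"
  run ip link set "$vh" master "$vrf" up
  run ip addr add 169.254.1.1/32 dev "$vh"            # virtual next-hop IP, never exposed
  run sysctl -w "net.ipv4.conf.$vh.proxy_arp=1"      # reply to every container ARP with vh's MAC
  run sysctl -w "net.ipv4.conf.$vh.forwarding=1"
  run ip link set "$vc" netns "$name"
  run ip netns exec "$name" ip link set "$vc" address "$mac" name eth0 up
  run ip netns exec "$name" ip addr add "$ip/$prefix" dev eth0
  run ip netns exec "$name" ip route add default via 169.254.1.1 dev eth0 onlink

  # 3. macvlan subinterface with the container's IP and MAC, so the node answers for it outside
  run ip link add "$mvl" link "$parent" address "$mac" type macvlan
  run ip link set "$mvl" master "$vrf" up
  run ip addr add "$ip/$prefix" dev "$mvl"
  run sysctl -w "net.ipv4.conf.$mvl.proxy_arp=1"
  run sysctl -w "net.ipv4.conf.$mvl.forwarding=1"

  # 4. The three VRF routing rules: same subnet at layer 2 via the macvlan, everything
  #    else via the gateway, and traffic for the container IP handed to the veth
  #    (assumption: "replace" overrides the local route the kernel added for the macvlan IP)
  run ip route replace "$subnet/$prefix" dev "$mvl" table "$table"
  run ip route replace default via "$gw" dev "$mvl" table "$table"
  run ip route replace "$ip/32" dev "$vh" table "$table"

  # 5. ARP request filter: the proxy_arp macvlan may answer only for this container's IP
  run arptables -A INPUT -i "$mvl" --opcode Request --destination-ip ! "$ip" -j DROP
}

# Usage: DRY_RUN=1 ./vrf-cni.sh c0 10.10.3.77 24 02:42:0a:0a:03:4d 10.10.3.1 eth0 100
if [ $# -ge 7 ]; then setup_container_vrf "$@"; fi
```

With the default DRY_RUN=1 the script only prints the plan, so it can be reviewed before anything is applied as root. The same-subnet route, the default route and the /32 route towards the veth correspond to the three routing rules listed for the vrf; the final arptables rule drops ARP requests arriving on the macvlan subinterface for any target other than the container's own IP, which is the filtering the description adds so that the proxy_arp macvlan does not answer on behalf of other hosts.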
Fig. 8 is a schematic flow diagram of an implementation method of a container network plug-in in a CaaS platform according to an embodiment of the present invention, used in the implementation system of the container network plug-in of any embodiment of the present invention. As shown in Fig. 8, the method for implementing the container network plug-in includes:
S110: the veth interface of the vrf routing domain acquires an arp request packet sent by the corresponding container.
S120: the veth interface replies to the arp request packet with its own mac address, and obtains and feeds back an arp reply packet to the container. Because the veth interface answers the arp request with its own mac address, it can inspect the data of the arp request packet and answer the container in place of the real peer, thereby isolating the container from external devices and other containers.
S130: the veth interface acquires the IP message that the container generates according to the arp reply packet, and forwards the IP message to the macvlan subinterface of the vrf routing domain.
S140: and the macvlan subinterface sends the IP message according to the real mac address corresponding to the IP message.
As a preferred embodiment, as shown in fig. 9, in the implementation method of the container network plug-in provided in the embodiment of the present application, the step S140: the macvlan sub-interface sends the IP packet according to the real mac address corresponding to the IP packet, including:
S141: the macvlan subinterface sends an arp request packet according to the IP address corresponding to the IP message to obtain the real mac address.
S142: and the macvlan subinterface sends the IP message to the client corresponding to the real mac address.
The macvlan subinterface sends the IP message according to the real mac address corresponding to the IP message, so that the macvlan subinterface can verify the mac address sent by the container, and the IP and mac address corresponding to the macvlan interface and the container are used for sending the IP message to an external client.
In summary, in the method for implementing a container network plug-in of a CaaS platform provided in the above embodiments of the present invention, a plurality of containers are provided, and each container includes a corresponding container network card, so that each container has a unique corresponding IP; a plurality of virtual routing forwarding vrf routing domains are connected to the containers in a one-to-one correspondence, so that each vrf routing domain can directly send the data of its container to the outside through a macvlan parent interface and forward outside data to its container, thereby implementing traffic isolation between the containers. Each vrf routing domain comprises a veth interface of the virtual network equipment correspondingly connected with the container network card, the veth interface is configured with a virtual IP address, the veth interface is connected with a macvlan subinterface, and the macvlan subinterface is configured with the same IP address and mac address as the container network card. Thus, the veth interface of the vrf routing domain obtains the arp request packet sent by the corresponding container; the veth interface replies to the arp request packet by using its own mac address, and obtains and feeds back an arp reply packet to the container; therefore, the veth interface can isolate the container from external nodes and from other containers, thereby protecting the data in the container.
In addition, the veth interface acquires the IP message generated by the container according to the arp reply packet, and forwards the IP message to the macvlan subinterface of the vrf routing domain; and the macvlan subinterface sends the IP message according to the real mac address corresponding to the IP message, so that the information interaction between the container and an external node or an external container can be isolated, and the data security of the container is protected. In summary, the above approach solves the problem that the prior art cannot realize traffic isolation between containers.
In addition, as a preferred embodiment, as shown in fig. 10, in the implementation method of the container network plug-in provided in the embodiment of the present application, before step S110, in which the veth interface obtains the arp request packet sent by the corresponding container, the method further includes:
S210: the macvlan subinterface acquires an arp request packet sent by an external client, and generates and feeds back a corresponding arp reply packet according to its own mac address;
S220: the macvlan subinterface acquires the IP data packet sent by the external client according to the arp reply packet, and forwards the IP data packet to the container.
According to the technical scheme provided by the embodiment of the application, when an external client requests access to the container, the arp request first reaches the eth0.1 port of the macvlan subinterface; the eth0.1 port answers on behalf of the container with its own mac address, generating and feeding back the corresponding arp reply packet. After the IP data packet sent by the external client arrives at the macvlan subinterface eth0.1, the traffic is forwarded to the container according to the routing rules in the vrf routing domain. In this way, the vrf routing domain can act for the container in replying to the arp request of the external client and in receiving the IP data packet of the external client, so that the IP data packet can be checked and processed in order to isolate the container from the external client, thereby protecting the container data.
In addition, as a preferred embodiment, as shown in fig. 11, in the implementation method of the container network plug-in provided in the embodiment of the present application, step S210, in which the macvlan subinterface acquires an arp request packet sent by an external client and generates and feeds back a corresponding arp reply packet according to its own mac address, comprises:
S211: the macvlan subinterface uses the IP address and mac address of the container to configure its own IP address and mac address;
S212: the macvlan subinterface acquires an arp request packet sent by the external client according to its own IP address;
S213: the macvlan subinterface generates an arp reply packet corresponding to the arp request packet, wherein the arp reply packet comprises the mac address of the macvlan subinterface.
In the technical solution provided in the embodiment of the present application, the macvlan subinterface uses the IP address and mac address of the container to configure its own IP address and mac address, so that the macvlan subinterface and the container have the same IP address and mac address. The macvlan subinterface can thus be disguised as the container and intercept the arp request packets and IP data packets of an external client, thereby implementing verification of external incoming data and protection of the container data.
As a preferred embodiment, as shown in fig. 12, the method for implementing the container network plug-in further includes:
S310: the service conversion module sends the data traffic flowing in from the container or the veth interface to the kernel protocol stack.
S320: the kernel protocol stack realizes the K8s service function through the interaction of the data flow with the iptable module.
In the technical solution provided in the embodiment of the present application, one of the most important functions of the container network is to implement the K8s service functions, including service types such as ClusterIP and NodePort. The service conversion module provided in the embodiment of the application can be a kube-proxy module, through which the K8s service rules are managed. The kube-proxy module is implemented with the iptable module by default, so the service function of the container network is realized by letting the traffic correctly pass through the iptables path. The vrf routing domain is a native linux module; traffic forwarded between the veth interface and the container network card through the vrf routing domain passes through the whole kernel protocol stack, so the service function is realized.
In addition, because the macvlan interface has proxy-arp set, it would respond to all external arp requests, which causes traffic anomalies on other nodes. In order to solve this problem, as a preferred embodiment, as shown in fig. 13, the method for implementing the container network plug-in further includes, before the step in S210 of generating and feeding back the corresponding arp reply packet according to the mac address of the macvlan subinterface:
S410: the arp filtering module filters the obtained arp request packet according to the arp request filtering rule, to obtain the arp request packet allowed by the arp request filtering rule.
S420: the arp filtering module sends the arp request packet allowed by the arp request filtering rule to the macvlan subinterface.
According to the technical scheme provided by the embodiment of the application, the arp request packet is filtered by the arp request filtering module according to the arp request filtering rule, so that only the arp request packet allowed by the rule is obtained. Incoming traffic can thus be filtered to prevent false arp replies. The arp request filtering module is realized with arptables; a default arp request filtering rule is added by default, and each container can set its own drop rule.
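The two "answer on behalf" points (the veth interface towards the container in S110-S120, the macvlan subinterface towards external clients in S210-S213) and the arp request filter of S410-S420, as an added Python model; this is not code from the patent or from any real CNI plug-in. Only the ARP layer is modelled, the rule shape (a per-container set of refused sender IPs on top of the default "own IP only" rule) and all addresses are assumptions constructed for the example.

```python
"""Model of the ARP answering points in steps S110-S120 and S210-S213 and of
the arp request filter of S410-S420.  Added example, not code from the patent;
only the ARP layer is modelled and every address is constructed."""
import struct
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Optional

ARP_REQUEST, ARP_REPLY = 1, 2
# Ethernet/IPv4 ARP body (RFC 826): htype, ptype, hlen, plen, op, sha, spa, tha, tpa
_ARP_FMT = "!HHBBH6s4s6s4s"


@dataclass(frozen=True)
class ArpPacket:
    op: int
    sender_mac: bytes
    sender_ip: IPv4Address
    target_mac: bytes
    target_ip: IPv4Address

    def pack(self) -> bytes:
        return struct.pack(_ARP_FMT, 1, 0x0800, 6, 4, self.op,
                           self.sender_mac, self.sender_ip.packed,
                           self.target_mac, self.target_ip.packed)

    @classmethod
    def unpack(cls, raw: bytes) -> "ArpPacket":
        htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack(
            _ARP_FMT, raw[:28])
        if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
            raise ValueError("not an Ethernet/IPv4 ARP packet")
        return cls(op, sha, IPv4Address(spa), tha, IPv4Address(tpa))


def mac(text: str) -> bytes:
    return bytes.fromhex(text.replace(":", ""))


def arp_request(sender_mac: bytes, sender_ip: str, target_ip: str) -> bytes:
    return ArpPacket(ARP_REQUEST, sender_mac, IPv4Address(sender_ip),
                     b"\x00" * 6, IPv4Address(target_ip)).pack()


def veth_proxy_reply(raw_request: bytes, veth_mac: bytes) -> bytes:
    """S110-S120: the veth end inside the vrf routing domain answers every
    request from its container with its own mac (proxy arp), whatever the
    target IP.  The container only ever learns the veth mac, so even traffic
    for another container on the same node has to enter the vrf."""
    req = ArpPacket.unpack(raw_request)
    if req.op != ARP_REQUEST:
        raise ValueError("veth proxies arp requests only")
    return ArpPacket(ARP_REPLY, veth_mac, req.target_ip,
                     req.sender_mac, req.sender_ip).pack()


@dataclass
class ArpRequestFilter:
    """S410-S420: an arptables-like rule set applied to requests from the
    external network before the macvlan subinterface may answer.  Default
    rule: only requests for this container's own IP pass; each container
    may add its own drop rules (modelled as a set of refused sender IPs)."""
    container_ip: IPv4Address
    dropped_senders: frozenset = frozenset()

    def allows(self, req: ArpPacket) -> bool:
        return (req.op == ARP_REQUEST
                and req.target_ip == self.container_ip
                and req.sender_ip not in self.dropped_senders)


def macvlan_reply(raw_request: bytes, sub_mac: bytes,
                  flt: ArpRequestFilter) -> Optional[bytes]:
    """S210-S213: the macvlan subinterface carries the container's IP and
    mac and answers external requests on its behalf; a request the filter
    rejects gets no reply at all, which is what prevents false arp replies."""
    req = ArpPacket.unpack(raw_request)
    if not flt.allows(req):
        return None
    return ArpPacket(ARP_REPLY, sub_mac, flt.container_ip,
                     req.sender_mac, req.sender_ip).pack()


def demo() -> dict:
    # Constructed addresses: container c1, the veth end facing it, and two
    # hosts on the external network (one of them refused by c1's drop rule).
    c1_mac, c1_ip = mac("02:00:00:00:00:11"), "10.0.0.11"
    veth_mac = mac("02:00:00:00:ff:01")
    ext_mac, ext_ip, refused_ip = mac("02:00:00:00:00:aa"), "10.0.0.200", "10.0.0.66"
    # c1 asks for another container (10.0.0.12) and learns the veth mac instead.
    learned = ArpPacket.unpack(
        veth_proxy_reply(arp_request(c1_mac, c1_ip, "10.0.0.12"), veth_mac))
    # An external client asks for c1: the subinterface answers with c1's mac.
    flt = ArpRequestFilter(IPv4Address(c1_ip), frozenset({IPv4Address(refused_ip)}))
    answered = macvlan_reply(arp_request(ext_mac, ext_ip, c1_ip), c1_mac, flt)
    # A refused sender, or a request for some other IP, gets nothing back.
    dropped = macvlan_reply(arp_request(ext_mac, refused_ip, c1_ip), c1_mac, flt)
    other = macvlan_reply(arp_request(ext_mac, ext_ip, "10.0.0.12"), c1_mac, flt)
    return {"container_learns": learned.sender_mac, "external_reply": answered,
            "refused_sender": dropped, "other_target": other}


if __name__ == "__main__":
    out = demo()
    print("c1 resolves 10.0.0.12 to", out["container_learns"].hex(":"))
    print("reply to external client:", ArpPacket.unpack(out["external_reply"]))
```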
As will be appreciated by one skilled in the art, embodiments of the present invention may be provided as a method, system, or computer program product. Accordingly, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present invention may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present invention is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the invention. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
It should be noted that in the claims, any reference signs placed between parentheses shall not be construed as limiting the claim. The word "comprising" does not exclude the presence of elements or steps not listed in a claim. The word "a" or "an" preceding an element does not exclude the presence of a plurality of such elements. The invention may be implemented by means of hardware comprising several distinct elements, and by means of a suitably programmed computer. In the unit claims enumerating several means, several of these means may be embodied by one and the same item of hardware. The usage of the words first, second, third, etc. does not indicate any ordering. These words may be interpreted as names.
While preferred embodiments of the present invention have been described, additional variations and modifications in those embodiments may occur to those skilled in the art once they learn of the basic inventive concepts. Therefore, it is intended that the appended claims be interpreted as including preferred embodiments and all such alterations and modifications as fall within the scope of the invention.
It will be apparent to those skilled in the art that various changes and modifications may be made in the present invention without departing from the spirit and scope of the invention. Thus, if such modifications and variations of the present invention fall within the scope of the claims of the present invention and their equivalents, the present invention is also intended to include such modifications and variations.
Claims (11)
1. A system for realizing a container network plug-in a CaaS platform is characterized by comprising:
a plurality of containers, each container including a corresponding container network card;
a plurality of virtual routing forwarding vrf routing domains which are respectively connected with each container network card in a one-to-one correspondence manner;
and a macvlan parent interface connected to the plurality of vrf routing domains;
wherein each of the vrf routing domains comprises:
a veth interface of the virtual network equipment correspondingly connected with the container network card, wherein the veth interface is configured with a virtual IP address;
and the macvlan subinterface is connected with the veth interface, and is configured with the same IP address and mac address as the container network card.
2. The system of claim 1, wherein the veth interface is configured with a mac address and an arp proxy, and configured to use the mac address of the veth interface to answer arp requests issued by all containers.
3. The system for implementing a container network plug-in of claim 1, wherein the vrf routing domain further comprises:
the service conversion module is connected between the container network card and the veth interface;
and an iptable module connected with the service conversion module;
the service conversion module is configured to forward data traffic flowing in through the container or the veth interface to a kernel protocol stack, so as to interact with the iptable module to implement a K8s service function.
4. The system for implementing a container network plug-in according to claim 1, further comprising:
the arp request filtering module is arranged between the vrf routing domain and the macvlan parent interface; wherein,
the arp request filtering module is internally provided with an arptables submodule, and the arptables submodule contains the arp request filtering rules.
5. The system for implementing a container network plug-in according to claim 1, further comprising: and the node management network card is connected with each container.
6. An implementation method of a container network plug-in a CaaS platform, which is used in the implementation system of the container network plug-in of any one of claims 1 to 5, and the implementation method of the container network plug-in includes:
a veth interface of a vrf routing domain acquires an arp request packet sent by a corresponding container;
the veth interface replies the arp request packet by using a mac address of the veth interface to obtain and feed back an arp reply packet to the container;
the veth interface acquires the IP message generated by the container according to the arp reply packet, and forwards the IP message to the macvlan subinterface of the vrf routing domain;
and the macvlan subinterface sends the IP message according to the real mac address corresponding to the IP message.
7. The method for implementing a container network plug-in according to claim 6, wherein before the step of obtaining, by the veth interface, an arp request packet sent by a corresponding container, the method further comprises:
the macvlan subinterface acquires an arp request packet sent by an external client, and generates and feeds back a corresponding arp reply packet according to the mac address of the macvlan subinterface;
and the macvlan subinterface acquires the IP data packet sent by the external client according to the arp reply packet, and forwards the IP data packet to the container.
8. The method for implementing a container network plug-in according to claim 6 or 7, wherein the step of sending the IP packet by the macvlan subinterface according to the real mac address corresponding to the IP packet includes:
the macvlan subinterface sends an arp request packet according to the IP address corresponding to the IP message to obtain the real mac address;
and the macvlan subinterface sends the IP message to the client corresponding to the real mac address.
9. The method for implementing a container network plug-in according to claim 7, wherein the step of the macvlan subinterface acquiring an arp request packet sent by the external client, and generating and feeding back a corresponding arp reply packet according to a mac address of the macvlan subinterface itself includes:
the macvlan subinterface uses the IP address and the mac address of the container to configure the IP address and the mac address of the macvlan subinterface;
the macvlan subinterface acquires an arp request packet sent by the external client according to the IP address of the macvlan subinterface;
and the macvlan subinterface generates an arp reply packet corresponding to the arp request packet, wherein the arp reply packet comprises the mac address of the macvlan subinterface.
10. The method for implementing a container network plug-in according to claim 6, further comprising:
the service conversion module sends the data traffic flowing in the container or the veth interface to a kernel protocol stack;
and the kernel protocol stack interacts with the iptable module through the data flow to realize the K8s service function.
11. The method for implementing a container network plug-in according to claim 7, wherein before the step of generating and feeding back the corresponding arp reply packet according to the mac address of the macvlan subinterface itself, the method further comprises:
filtering the obtained arp request packet by using an arp filtering module according to an arp request filtering rule to obtain an arp request packet allowed by the arp request filtering rule;
and the arp filtering module sends the arp request packet allowed by the arp request filtering rule to the macvlan subinterface.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202210813616.5A CN115189948B (en) | 2022-07-11 | 2022-07-11 | Method and system for realizing container network plug-in CaaS platform |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202210813616.5A CN115189948B (en) | 2022-07-11 | 2022-07-11 | Method and system for realizing container network plug-in CaaS platform |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN115189948A true CN115189948A (en) | 2022-10-14 |
| CN115189948B CN115189948B (en) | 2023-05-12 |
Family
ID=83517528
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202210813616.5A Active CN115189948B (en) | 2022-07-11 | 2022-07-11 | Method and system for realizing container network plug-in CaaS platform |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN115189948B (en) |
Cited By (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN116016448A (en) * | 2022-11-30 | 2023-04-25 | 上海浦东发展银行股份有限公司 | Service network access method, device, equipment and storage medium |
| CN116132542A (en) * | 2023-01-13 | 2023-05-16 | 国信证券股份有限公司 | Container network management method, container network plug-in and related equipment |
| CN119814868A (en) * | 2025-01-16 | 2025-04-11 | 中电云计算技术有限公司 | A container cross-network communication method and device based on VRF |
Also Published As
| Publication number | Publication date |
|---|---|
| CN115189948B (en) | 2023-05-12 |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| | PB01 | Publication | |
| | SE01 | Entry into force of request for substantive examination | |
| | GR01 | Patent grant | |
| | CP03 | Change of name, title or address | Address after: 8b, building 1, No. 48, Zhichun Road, Haidian District, Beijing 100086; Patentee after: Beijing Zhiling Haina Technology Co.,Ltd.; Country or region after: China. Address before: 8b, building 1, No. 48, Zhichun Road, Haidian District, Beijing 100086; Patentee before: Beijing zhilinghaina Technology Co.,Ltd.; Country or region before: China |