
CN115189948B - Method and system for realizing container network plug-in CaaS platform - Google Patents


Info

Publication number: CN115189948B
Authority: CN (China)
Prior art keywords: interface, container, macvlan, sub, veth
Legal status: Active
Application number: CN202210813616.5A
Other languages: Chinese (zh)
Other versions: CN115189948A
Inventors: 吴长亮, 徐文豪, 王弘毅, 张凯
Current Assignee: Beijing Zhiling Haina Technology Co ltd
Original Assignee: SmartX Inc

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L 63/0227 Filtering policies
    • H04L 63/0236 Filtering by address, protocol, port number or service, e.g. IP-address or URL
    • H04L 63/0272 Virtual private networks
    • H04L 61/00 Network arrangements, protocols or services for addressing or naming
    • H04L 61/09 Mapping addresses
    • H04L 61/10 Mapping addresses of different types
    • H04L 61/103 Mapping addresses of different types across network layers, e.g. resolution of network layer into physical layer addresses or address resolution protocol [ARP]


Abstract

The invention discloses a method and a system for realizing a container network plug-in in a CaaS platform. The system for realizing the container network plug-in in the CaaS platform comprises: a plurality of containers, each of which comprises a corresponding container network card; a plurality of virtual routing forwarding (vrf) routing domains, connected to the container network cards in a one-to-one correspondence; and a macvlan parent interface connected to the plurality of vrf routing domains. Each vrf routing domain comprises: a virtual network device (veth) interface connected to the corresponding container network card, wherein the veth interface is configured with a virtual IP address; and a macvlan sub-interface connected to the veth interface, configured with the same IP address and mac address as the container network card. The technical scheme of the invention can solve the problem that, in the prior art, traffic isolation between containers and the K8s service function cannot be realized at the same time.

Description

Method and system for realizing container network plug-in CaaS platform
Technical Field
The invention relates to the technical field of CaaS, in particular to a method and a system for realizing a container network plug-in a CaaS platform.
Background
CaaS (Container as a Service): the basic resource of CaaS is the container; abstract management and application deployment are performed on the basis of containers, and CaaS is a common deployment mechanism for cloud-native applications and microservices. In addition, CaaS can also improve the portability of applications between environments, whether hybrid or multi-cloud.
As shown in fig. 1, the structure of the conventional CaaS platform includes: container 101, node network card 102, kubelet 103, kube-proxy 104, and node 110. The node 110 is a virtual machine bearing containers, and all nodes are Kubernetes nodes; the actual service runs in the container 101; the node network card 102 is the data path between the node 110 (and the container 101) and the outside. kubelet 103 is the module used by K8s to manage nodes, and kube-proxy 104 is the network proxy component that maintains network rules on the node. In order to realize network communication between the container and the outside in the CaaS platform, a container network plug-in (CNI) is required. The workflow of the CNI is as follows: 1. a user initiates a container creation instruction; 2. kubelet 103 receives the create-container instruction and invokes the container runtime plug-in (CRI) to create the Pause container; 3. the CRI calls the CNI and passes the container-related parameters to the relevant module of the CNI; 4. after receiving the create-container instruction, the CNI sets the container IP on the node network card, configures the connectivity of the container network, adds network devices such as routes, and finally returns the creation result.
In addition, the container network plug-in CNI has several implementation schemes, such as Macvlan and Linux Bridge. The Macvlan architecture is shown in FIG. 2: the Macvlan scheme creates two Macvlan sub-interfaces 203, MacVlan1 and MacVlan2, directly on the network card eth0 202 of node 210, and data passes directly from container 201 to the switching devices outside the network card. As shown in FIG. 3, in the Linux Bridge scheme, in node 310 the Linux Bridge module 301 is used as the forwarding plane of container 303, and the three-layer iptables rules of the iptables module 302 are called during two-layer forwarding through the bridge-nftables upcall, so that the K8s service rules are realized.
However, in the Macvlan scheme, container data is sent directly out of the node without passing through the node's protocol stack, so the container cannot interact with iptables to realize the K8s service function; the Linux Bridge scheme can realize the related functions of the K8s service through bridge-nftables, but traffic inside the bridge can be forwarded directly between ports, so traffic isolation between containers cannot be realized. In view of the foregoing, there is a need for a container network plug-in that enables inter-container traffic isolation.
Disclosure of Invention
The invention provides a method and a system for realizing a container network plug-in a CaaS platform, and aims to solve the problem that the flow isolation between containers cannot be realized in the prior art.
To achieve the above object, according to a first aspect of the present invention, there is provided a system for implementing a container network plug-in a CaaS platform, including:
the system comprises a plurality of containers, wherein each container comprises a corresponding container network card;
a plurality of virtual routing forwarding vrf routing domains respectively connected with each container network card in a one-to-one correspondence manner;
and, a macvlan parent interface connected to a plurality of vrf routing domains;
wherein each vrf routing domain comprises:
the virtual network equipment veth interface is correspondingly connected with the container network card, wherein the veth interface is configured with a virtual IP address;
the macvlan sub-interface connected to the veth interface is configured with the same IP address and mac address as the container network card.
Preferably, in the implementation system of the container network plug-in, the veth interface is configured with a mac address and an arp proxy, and the mac address of the veth interface is used to answer the arp requests sent by all the containers.
Preferably, in the implementation system of the container network plug-in, the vrf routing domain further includes:
the service conversion module is connected between the container network card and the veth interface;
the iptable module is connected with the service conversion module;
the service conversion module is used for forwarding the data flow flowing in the container or the veth interface to the kernel protocol stack so as to realize the K8s service function in an interactive way with the iptable module.
Preferably, the implementation system of the container network plug-in further includes:
an arp request filtering module arranged between the vrf routing domain and the macvlan parent interface; wherein
the arp request filtering module is internally provided with an arptables submodule which contains an arp request filtering rule.
Preferably, the implementation system of the container network plug-in further includes: a node management network card connected to each container.
According to a second aspect of the present invention, the present invention further provides a method for implementing a container network plug-in a CaaS platform, which is used for the system for implementing a container network plug-in according to any one of the foregoing technical solutions, where the method for implementing a container network plug-in includes:
the veth interface of the vrf routing domain acquires an arp request packet sent by a corresponding container;
the veth interface replies an arp request packet by using the mac address of the veth interface, and obtains and feeds back an arp response packet to the container;
the veth interface obtains an IP message generated by the container according to the arp reply packet, and forwards the IP message to a macvlan sub-interface of the vrf routing domain;
and the macvlan sub-interface sends the IP message according to the real mac address corresponding to the IP message.
Preferably, the implementation method of the container network plug-in further includes, before the step of acquiring the arp packet sent by the container by the veth interface:
the macvlan sub-interface acquires an arp request packet sent by an external client, and generates and feeds back a corresponding arp reply packet according to the mac address of the macvlan sub-interface itself;
the macvlan sub-interface acquires the IP data packet sent by the external client according to the arp reply packet, and forwards the IP data packet to the container.
Preferably, in the implementation method of the container network plug-in, the step of sending the IP packet by the macvlan sub-interface according to the real mac address corresponding to the IP packet includes:
the macvlan sub-interface sends an arp request packet for the IP address corresponding to the IP message to obtain the real mac address;
and the macvlan sub-interface is used for sending the IP message to the client corresponding to the real mac address.
Preferably, in the implementation method of the container network plug-in, the step in which the macvlan sub-interface obtains an arp request packet sent by an external client, and generates and feeds back a corresponding arp reply packet according to the mac address of the macvlan sub-interface itself, includes:
the macvlan sub-interface uses the IP address and mac address of the container to configure its own IP address and mac address;
the macvlan sub-interface acquires an arp request packet sent by an external client according to the IP address of the macvlan sub-interface;
the macvlan sub-interface generates an arp reply packet corresponding to the arp request packet, the arp reply packet including a mac address of the macvlan sub-interface.
Preferably, the implementation method of the container network plug-in further includes:
the service conversion module sends the data flow flowing in by the container or the veth interface to the kernel protocol stack;
the kernel protocol stack interacts with the iptable module through data flow to realize the K8s service function.
Preferably, the implementation method of the container network plug-in further includes, before the step of generating and feeding back the corresponding arp reply packet according to the mac address of the macvlan sub-interface itself:
filtering the obtained arp request packet according to an arp request filtering rule by using an arp filtering module to obtain an arp request packet allowed by the arp request filtering rule;
the arp filter module sends an arp request packet allowed by an arp request filter rule to the macvlan sub-interface.
In summary, according to the implementation scheme of the container network plug-in of the CaaS platform provided by the above technical scheme of the present invention, a plurality of containers are set, each container including a corresponding container network card, so that each container has a unique corresponding IP, and a plurality of virtual routing forwarding vrf routing domains are connected to the containers in a one-to-one correspondence, so that the vrf routing domains can send the data of the corresponding container directly to the outside through the macvlan parent interface and forward external data to the corresponding container, thereby implementing traffic isolation between the containers. Each vrf routing domain comprises a virtual network device (veth) interface connected to the corresponding container network card, wherein the veth interface is configured with a virtual IP address and is connected to a macvlan sub-interface, which is configured with the same IP address and mac address as the container network card. The veth interface of the vrf routing domain obtains an arp request packet sent by the corresponding container; the veth interface can reply to the arp request packet using its own mac address, and obtain and feed back an arp reply packet to the container; the veth interface can thus isolate the container from other nodes or other containers outside, thereby protecting the security of the data inside the container.
In addition, the veth interface acquires an IP message generated by the container according to the arp reply packet, and forwards the IP message to a macvlan sub-interface of the vrf routing domain; and the macvlan sub-interface transmits the IP message according to the real mac address corresponding to the IP message, so that information interaction between the container and an external node or an external container can be isolated, and the data security of the container is protected. In conclusion, the problem that the flow isolation between containers cannot be realized in the prior art can be solved through the mode.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings that are required in the embodiments or the description of the prior art will be briefly described, and it is obvious that the drawings in the following description are only some embodiments of the present invention, and other drawings may be obtained according to the structures shown in these drawings without inventive effort for a person skilled in the art.
Fig. 1 is a schematic structural diagram of a CaaS platform provided in the prior art;
FIG. 2 is a schematic diagram of a Macvlan architecture as provided in the prior art;
FIG. 3 is a schematic diagram of a Linux Bridge architecture provided in the prior art;
fig. 4 is a schematic structural diagram of an implementation system of a container network plug-in a CaaS platform according to an embodiment of the present application;
FIG. 5 is a schematic diagram of a vrf routing domain provided by the embodiment of FIG. 4;
FIG. 6 is a schematic diagram of a service conversion module according to the embodiment shown in FIG. 4;
FIG. 7 is a schematic diagram of an arp request filtering module according to the embodiment shown in FIG. 4;
fig. 8 is a flow chart of a method for implementing a container network plug-in a first CaaS platform according to an embodiment of the present invention;
fig. 9 is a flow chart of a forwarding method of an IP packet according to the embodiment shown in fig. 8;
fig. 10 is a flow chart of a method for implementing a container network plug-in a second CaaS platform according to the embodiment of the present invention;
FIG. 11 is a flow chart of a proxy response method for an arp request packet according to the embodiment shown in FIG. 10;
fig. 12 is a flow chart of a method for implementing a container network plug-in a third CaaS platform according to an embodiment of the present invention;
fig. 13 is a flow chart of a method for implementing a container network plug-in a third CaaS platform according to an embodiment of the present invention.
The achievement of the objects, functional features and advantages of the present invention will be further described with reference to the accompanying drawings, in conjunction with the embodiments.
Detailed Description
It should be understood that the specific embodiments described herein are for purposes of illustration only and are not intended to limit the scope of the invention.
The technical problems mainly solved by the embodiment of the invention are as follows:
the implementation scheme of the container network plug-in is as follows: in the Linux Bridge scheme, the related functions of the K8s service can be realized through bridge-nftables, but traffic inside the bridge can be forwarded directly between ports, so traffic isolation between containers cannot be realized.
In order to solve the above problem, the following embodiments of the present application provide an implementation scheme of a container network plug-in a CaaS platform, which is connected between a container and a macvlan interface through a vrf routing domain, so that traffic between the container and other containers can be isolated, and the security of IO data of the container is protected.
In order to achieve the above objective, referring to fig. 4, fig. 4 is a schematic diagram of an implementation system of a container network plug-in a CaaS platform according to a first aspect of the present invention, where the implementation system includes:
A plurality of containers, each of which includes a corresponding container network card. Each container network card is provided with a unique IP address, so that each container can be connected to the outside through its container network card.
A plurality of virtual routing forwarding (vrf) routing domains, connected to the container network cards in a one-to-one correspondence. Each vrf routing domain is connected to exactly one container network card, so that all data flowing into or out of a container must be forwarded through its vrf routing domain; the container is thereby isolated from devices outside the node and from other containers in the node, which protects the data security of the container. The vrf routing domain uses a native Linux component and does not depend on external components, so a container network connectivity scheme for a container platform can be realized. In addition, because vrf is a native Linux module, traffic forwarded between the network card and the external interface through the vrf passes through the whole kernel protocol stack, so that the service function can be realized.
And a macvlan parent interface 4023 connected to the plurality of vrf routing domains 402. The Macvlan parent interface 4023 can receive external data and send the external data to the vrf routing domain 402, the external data is screened by the vrf routing domain 402 and fed back to the container 401, and the vrf routing domain 402 can send the data to external devices through the Macvlan parent interface 4023, so that the container 401 is hidden, and data protection of the container 401 is achieved.
Wherein each vrf routing domain 402 comprises:
the virtual network device veth interface 4021 correspondingly connected to the container network card 4011, wherein the veth interface 4021 is configured with a virtual IP address.
The macvlan sub-interface 4022 connected to the veth interface 4021, and the macvlan sub-interface 4022 is configured with the same IP address and mac address as the container network card 4011.
The macvlan sub-interface corresponding to the container 401 is configured with the same IP address and mac address as the container 401; the macvlan sub-interface also configures proxy_arp, so that when the mac address of the container 401 is requested from outside, the macvlan sub-interface replies with an arp packet. Because it is configured with the same addresses as the container 401, the macvlan sub-interface of the vrf routing domain 402 achieves the same effect as if the container 401 had itself replied to the external arp request.
The veth interface 4021 and the macvlan sub-interface 4022 join the same vrf routing domain, and each vrf contains the following routing rules: 1. packet traffic sent by the container 401 to the same subnet is forwarded as ordinary two-layer forwarding; 2. the default (remaining) packet traffic sent by the container 401 is forwarded to the subnet gateway; 3. packet traffic received from external devices is forwarded to the container 401.
In summary, in the implementation scheme of the container 401 network plug-in of the CaaS platform provided by the foregoing embodiment of the present invention, a plurality of containers 401 are set in the node 410, each container 401 including a corresponding container network card 4011, so that each container 401 has a unique corresponding IP, and a plurality of virtual routing forwarding vrf routing domains 402 are connected to the containers 401 in a one-to-one correspondence, so that the vrf routing domains 402 can send the data of the corresponding container 401 directly to the outside through the macvlan parent interface 4023 and forward external data to the corresponding container 401, thereby implementing traffic isolation between the containers 401. Each vrf routing domain 402 includes a virtual network device veth interface 4021 connected to the corresponding container network card 4011; the veth interface 4021 is configured with a virtual IP address and is connected to a macvlan sub-interface 4022, and the macvlan sub-interface is configured with the same IP address and mac address as the container network card 4011. The veth interface 4021 of the vrf routing domain 402 thus obtains the arp request packet sent by the corresponding container 401; the veth interface 4021 can reply to the arp request packet using its own mac address, and obtain and feed back an arp reply packet to the container 401; the veth interface 4021 can isolate the container 401 from other external nodes or other containers 401, thereby protecting the security of the data inside the container 401.
In addition, the veth interface 4021 obtains an IP packet generated by the container 401 according to the arp reply packet, and forwards the IP packet to the macvlan sub-interface 4022 of the vrf routing domain 402; the macvlan sub-interface 4022 sends an IP packet according to the real mac address corresponding to the IP packet, so that information interaction between the container 401 and an external node or the external container 401 can be isolated, and data security of the container 401 can be protected. In summary, the above manner can solve the problem that the flow isolation between the containers 401 cannot be achieved in the prior art.
As a preferred embodiment, as shown in fig. 5, in the implementation system of the network plug-in of the container 401 provided in the embodiment of the present application, the veth interface 4021 is configured with a mac address and an arp proxy, so that the mac address of the veth interface 4021 is used to answer the arp requests sent by all the containers 401.
In the technical scheme provided by the embodiment of the application, the veth interface 4021 configures a virtual IP address, and the IP address is used as a next hop address for route forwarding, so that the virtual IP address is not exposed to the outside; and the veth interface 4021 configures proxy_arp to replace all the issued arp within the container 401 with the mac address of the veth interface 4021. Specifically, the veth interface 4021 of the vrf routing domain 402 acquires an arp request packet sent by the corresponding container 401; then the veth interface 4021 replies to the arp request packet with its own mac address, obtains the arp reply packet, and feeds back the arp reply packet to the container 401; the veth interface 4021 obtains an IP packet generated by the container 401 according to the arp reply packet, and forwards the IP packet to the macvlan sub-interface 4022 of the vrf routing domain 402; the macvlan sub-interface 4022 transmits the IP packet according to the real mac address corresponding to the IP packet.
In addition, as a preferred embodiment, as shown in fig. 6, in the implementation system of the network plug-in of the container 401, the vrf routing domain 402 further includes:
a service conversion module 501 connected between the container network card 4011 and the veth interface 4021;
and an iptable module 4024 connected to the service conversion module 501;
the service conversion module is configured to forward the data traffic flowing in the container 401 or the veth interface 4021 to the kernel protocol stack 502, so as to implement a K8s service function (i.e., a service function) in interaction with the iptable module 4024.
One of the most important functions of the container 401 network is the K8s service function, including service types such as ClusterIP and NodePort. In the embodiment of the present application, a service conversion module 501 is provided, which can be configured as the kube-proxy module, because the service rules of K8s are managed by kube-proxy. The kube-proxy module is implemented with the iptables module 4024 by default, so the service function of the container 401 network is realized by letting traffic pass correctly through the iptables path. The vrf routing domain 402 is a native Linux module; traffic is forwarded between the veth interface 4021 and the container network card 4011 through the vrf routing domain 402 and passes through the whole kernel protocol stack, so that the service function can be realized.
In addition, as a preferred embodiment, as shown in fig. 7, the implementation system of the network plug-in of the container 401 provided in the foregoing embodiment of the present application further includes:
an arp request filtering module 601 disposed between the vrf routing domain 402 and the macvlan parent interface 4023; wherein
the arp request filtering module 601 is built with an arptables submodule, and the arptables submodule contains an arp request filtering rule.
According to the technical scheme provided by the embodiment of the application, an arp request filtering module 601 is provided, an arptables sub-module is arranged in the arp request filtering module 601, and the arp request filtering rule is arranged in the arptables sub-module; the filtering rule, namely the drop rule, is used to set the user's arp filtering requirement. In the routing domain shown in fig. 4, the macvlan sub-interface has proxy-arp set, so it would answer all external arp requests and cause traffic abnormalities on other nodes; the present application therefore includes an arp request filtering module, which filters incoming traffic and prevents erroneous arp responses. The arp request filtering module is implemented with arptables, a default drop rule (i.e. the above-mentioned arp request filtering rule) is added by default, and each container 401 can set its own drop rule.
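As an added example (not code from the patent or from SmartX), the following script builds one vrf routing domain of the kind described above with Linux-native tools: the vrf, the veth with proxy_arp and a virtual next-hop IP, the macvlan sub-interface carrying the container's MAC, the three routing rules of the vrf table, and the arptables drop rule. A network namespace stands in for the container; the interface names, the 10.0.0.0/24 subnet, table 101 and all addresses are constructed, and answering external ARP for the container IP is done with proxy_arp plus a host route rather than by assigning that IP to the sub-interface, a simplification of my own.

```shell
#!/bin/sh
# Added example (not the patent's or SmartX's code): realise one vrf routing domain
# per container with Linux-native pieces: vrf, veth, macvlan, proxy_arp, arptables.
# A network namespace stands in for the container. Interface names, the subnet,
# the table number and every address below are constructed for illustration.
set -u

PARENT=${PARENT:-eth0}         # node NIC used as the macvlan parent interface
SUBNET=${SUBNET:-10.0.0.0/24}  # container subnet (constructed)
GATEWAY=${GATEWAY:-10.0.0.1}   # subnet gateway on the external switch (constructed)
NEXTHOP_IP=169.254.1.1         # virtual IP of every veth: a next hop only, never exposed

# Execute a command, or only print it when DRY_RUN=1 (the default without root).
DRY_RUN=${DRY_RUN:-$([ "$(id -u)" -eq 0 ] && echo 0 || echo 1)}
run() { if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

# Sanity checks on the per-container parameters the CNI caller hands in.
valid_ipv4() { printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'; }
valid_mac()  { printf '%s' "$1" | grep -Eq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'; }

# domain_create NAME TABLE CONTAINER_IP CONTAINER_MAC
domain_create() {
    name=$1 table=$2 cip=$3 cmac=$4
    valid_ipv4 "$cip" || { echo "bad container IP: $cip" >&2; return 1; }
    valid_mac "$cmac" || { echo "bad container MAC: $cmac" >&2; return 1; }
    vrf=vrf-$name veth=veth-$name mv=mv-$name ns=ns-$name

    run sysctl -q -w net.ipv4.ip_forward=1

    # 1. The vrf routing domain: a routing table of its own, so this container's
    #    traffic never shares a forwarding plane with another container.
    run ip link add "$vrf" type vrf table "$table"
    run ip link set "$vrf" up

    # 2. veth pair: the host end joins the vrf, the peer becomes the container NIC.
    run ip netns add "$ns"
    run ip link add "$veth" type veth peer name eth0 netns "$ns"
    run ip link set "$veth" master "$vrf" up
    run ip addr add "$NEXTHOP_IP/32" dev "$veth"
    # proxy_arp: the veth answers every ARP request the container sends with
    # its own MAC, so the container never learns a real external MAC address.
    run sysctl -q -w "net.ipv4.conf.$veth.proxy_arp=1"
    # Container side: its MAC, its IP, and a gateway on the same subnet.
    run ip netns exec "$ns" ip link set eth0 address "$cmac"
    run ip netns exec "$ns" ip addr add "$cip/${SUBNET#*/}" dev eth0
    run ip netns exec "$ns" ip link set eth0 up
    run ip netns exec "$ns" ip route add default via "$GATEWAY"

    # 3. macvlan sub-interface on the parent NIC, carrying the container's MAC.
    #    'private' mode stops sub-interfaces exchanging frames inside the node.
    run ip link add "$mv" link "$PARENT" address "$cmac" type macvlan mode private
    run ip link set "$mv" master "$vrf" up
    # proxy_arp plus the host route in step 4 make the sub-interface answer
    # external ARP requests for the container IP with the container's MAC
    # (this example's stand-in for configuring the container IP on it directly).
    run sysctl -q -w "net.ipv4.conf.$mv.proxy_arp=1"

    # 4. The three routing rules of the vrf table.
    run ip route add "$SUBNET" dev "$mv" table "$table"               # same subnet
    run ip route add default via "$GATEWAY" dev "$mv" table "$table"  # rest via gateway
    run ip route add "$cip/32" dev "$veth" table "$table"             # inbound: to container

    # 5. arptables drop rule: only requests for this container's IP reach the
    #    sub-interface, so it cannot answer for other nodes' addresses.
    run arptables -A INPUT -i "$mv" --opcode Request ! --destination-ip "$cip" -j DROP
}

# Tear the domain down (deleting the netns also removes the veth pair).
domain_delete() {
    name=$1 cip=$2
    run arptables -D INPUT -i "mv-$name" --opcode Request ! --destination-ip "$cip" -j DROP
    run ip link del "mv-$name"
    run ip netns del "ns-$name"
    run ip link del "vrf-$name"
}

# Usage: DRY_RUN=1 ./vrf-domain.sh c1 101 10.0.0.11 02:42:0a:00:00:0b
if [ $# -eq 4 ]; then domain_create "$@"; fi
```

Run with DRY_RUN=1 first to review the exact ip, sysctl and arptables commands before applying them on a node.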
In addition, as a preferred embodiment, as shown in fig. 4, the implementation system of the network plug-in of the container 401 provided in the embodiment of the present application further includes, in addition to the above modules: a node management network card 4025 connected to each container 401. Through the node management network card 4025 the nodes can be managed, and a unified IP address can be provided for all the containers 401, forming a local area network inside the node.
Fig. 8 is a schematic flow chart of an implementation method of a container network plug-in a CaaS platform according to an embodiment of the present invention, which is used in the implementation system of the container network plug-in any one of the foregoing embodiments. As shown in fig. 8, the implementation method of the container network plug-in includes:
S110: the veth interface of the vrf routing domain obtains the arp request packet sent by the corresponding container.
S120: the veth interface replies to the arp request packet using its own mac address, and obtains and feeds back an arp reply packet to the container. Because the veth interface answers the arp request with its own mac address in place of the real target, the veth interface can check the data of the arp request packet, and the container only ever learns the veth interface's mac address, which isolates the container from external devices and other containers.
S130: the veth interface obtains the IP message generated by the container according to the arp reply packet, and forwards the IP message to the macvlan sub-interface of the vrf routing domain.
S140: and the macvlan sub-interface sends the IP message according to the real mac address corresponding to the IP message.
As a preferred embodiment, as shown in fig. 9, in the implementation method of the container network plug-in provided in the embodiment of the present application, the step S140 is: the macvlan sub-interface sends the IP message according to the real mac address corresponding to the IP message, and the method comprises the following steps:
S141: the macvlan sub-interface sends an arp request packet for the IP address corresponding to the IP message to obtain the real mac address.
S142: and the macvlan sub-interface is used for sending the IP message to the client corresponding to the real mac address.
The mac vlan sub-interface transmits the IP message according to the real mac address corresponding to the IP message, so that the mac vlan sub-interface can verify the mac address transmitted by the container, and transmit the IP message to an external client by using the IP and mac addresses corresponding to the mac vlan interface and the container, because the IP address and mac address of the mac vlan interface are the same as those of the external client, the external client can be deceived, the data isolation between the container and the external client is ensured, and the data security of the container is ensured.
In summary, in the implementation method of the container network plug-in of the CaaS platform provided by the foregoing embodiment of the present invention, a plurality of containers are provided, each with its own container network card, so that each container has a unique IP address; a plurality of virtual routing forwarding (vrf) routing domains are connected to the containers in one-to-one correspondence, so that each vrf routing domain sends the data of its own container to the outside through the macvlan parent interface and forwards external data back to that container, which realises traffic isolation between the containers. Each vrf routing domain comprises a virtual network device (veth) interface connected to the container network card and configured with a virtual IP address, and a macvlan sub-interface connected to the veth interface and configured with the same IP address and mac address as the container network card. The veth interface of the vrf routing domain obtains the arp request packet sent by its container and replies to it with its own mac address, feeding the arp reply packet back to the container; in this way the veth interface isolates the container from other nodes and from other containers, protecting the data inside the container. The veth interface then obtains the IP message that the container generates on the basis of that arp reply and forwards it to the macvlan sub-interface of the vrf routing domain, and the macvlan sub-interface sends the IP message using the real mac address it resolves for the destination, so that all information exchanged between the container and an external node or container passes through the vrf routing domain and the data security of the container is protected.
In conclusion, the above approach solves the problem that traffic isolation between containers cannot be realised in the prior art.
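The isolation property claimed above is observable from inside a container: if the veth interface answers every arp request, the container's neighbour table contains exactly one mac address. The POSIX shell check below is an added example, not code from the patent or from SmartX; it parses the output of `ip -4 neigh show dev eth0` and fails when any resolved neighbour carries a mac address other than the veth's. The veth mac address and the two neighbour dumps are constructed sample data.

```sh
#!/bin/sh
# Added example: verify from inside a container that every resolved neighbour
# maps to the veth's mac address, i.e. that no arp reply reached the container
# from anywhere but the veth. Input is the output of `ip -4 neigh show dev eth0`.

# check_neigh_pinned EXPECTED_MAC < neighbour-dump
# returns 0 when every resolved entry carries EXPECTED_MAC, 1 otherwise
# (offending entries are reported on stderr)
check_neigh_pinned() {
  expected=$(printf '%s' "$1" | tr 'A-F' 'a-f')
  bad=0
  while read -r line; do
    [ -n "$line" ] || continue
    # take the token after "lladdr"; unresolved (FAILED/INCOMPLETE) entries have none
    mac=$(printf '%s\n' "$line" | awk '{for (i = 1; i < NF; i++) if ($i == "lladdr") print tolower($(i + 1))}')
    [ -n "$mac" ] || continue
    if [ "$mac" != "$expected" ]; then
      printf 'neighbour %s resolves to %s, expected %s\n' "${line%% *}" "$mac" "$expected" >&2
      bad=1
    fi
  done
  return "$bad"
}

# constructed dumps (assumed addresses): the second contains an entry learnt from a
# foreign mac, which is what an arp reply that bypassed the veth, or an arp spoof
# from another container, looks like in the neighbour table
VETH_MAC='7a:11:22:33:44:01'
GOOD_DUMP='10.0.0.1 lladdr 7a:11:22:33:44:01 REACHABLE
10.0.0.12 lladdr 7a:11:22:33:44:01 STALE
10.0.0.14  FAILED'
BAD_DUMP='10.0.0.1 lladdr 7a:11:22:33:44:01 REACHABLE
10.0.0.13 lladdr 02:42:0a:00:00:0d REACHABLE'

# on a live container: ip -4 neigh show dev eth0 | check_neigh_pinned "$VETH_MAC"
```

Run it from a container (or via `ip netns exec`) after generating some traffic, so the neighbour table is populated; a non-zero exit means some reply reached the container without going through the veth and the isolation described in S120 does not hold for that entry.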
In addition, as a preferred embodiment, as shown in fig. 10, the implementation method of the container network plug-in provided in the embodiment of the present application further includes, before step S110 in which the veth interface obtains the arp request packet sent by the corresponding container:
S210: the macvlan sub-interface obtains an arp request packet sent by an external client, and generates and feeds back a corresponding arp reply packet using its own mac address;
S220: the macvlan sub-interface obtains the IP data packet that the external client sends on the basis of the arp reply packet, and forwards the IP data packet to the container.
According to the technical scheme provided by the embodiment of the application, when an external client requests access to a container, it first sends an arp request, which arrives at the macvlan sub-interface eth0.1; eth0.1 answers with its own mac address, generating and feeding back the corresponding arp reply packet. When the IP packet sent by the external client arrives at the macvlan sub-interface eth0.1, the traffic is forwarded to the container according to the routing rules inside the vrf routing domain. In this way the vrf routing domain answers the external client's arp request on behalf of the container and receives the external client's IP data packets, so that they can be checked and processed before they reach the container; the container is thereby isolated from the external client and its data is protected.
In addition, as a preferred embodiment, as shown in fig. 11, in the implementation method of the container network plug-in provided in the embodiment of the present application, step S210, in which the macvlan sub-interface obtains an arp request packet sent by an external client and generates and feeds back a corresponding arp reply packet using its own mac address, comprises the following steps:
S211: the macvlan sub-interface configures its own IP address and mac address with the IP address and mac address of the container;
S212: the macvlan sub-interface obtains the arp request packet that the external client sends for the IP address of the macvlan sub-interface;
S213: the macvlan sub-interface generates an arp reply packet corresponding to the arp request packet, the arp reply packet containing the mac address of the macvlan sub-interface.
In the technical scheme provided by the embodiment of the application, the macvlan sub-interface configures its own IP address and mac address with those of the container, so that it has the same IP address and mac address as the container. The macvlan sub-interface can therefore pose as the container and intercept the arp request packets and IP data packets of the external client, which allows the data flowing in from outside to be verified and the data of the container to be protected.
As a preferred embodiment, as shown in fig. 12, the implementation method of the container network plug-in further includes:
S310: the service conversion module sends the data traffic flowing in from the container or from the veth interface to the kernel protocol stack.
S320: the kernel protocol stack passes the data traffic through the iptable module to implement the K8s service function.
In the technical scheme provided by the embodiment of the application, one of the most important functions of a container network is the K8s service function, including ClusterIP, NodePort and the other K8s service types. In the embodiment of the application a service conversion module is provided; it can be the kube-proxy module, because the kube-proxy module manages the K8s service rules. By default kube-proxy implements services with the iptable module, so the container network implements services by making the traffic traverse the iptables path correctly: rules installed in the host's netfilter hooks only see traffic that passes through the host kernel protocol stack, and traffic sent directly from a macvlan interface placed inside the container would bypass them. The vrf routing domain is a native linux kernel feature, and because traffic is forwarded between the veth interface and the container network card through the vrf routing domain it traverses the whole kernel protocol stack, so the service function can be implemented.
In addition, because proxy-arp is enabled on the macvlan interface, the interface would answer every external arp request, which causes traffic anomalies for other nodes. To solve this problem, as a preferred embodiment, as shown in fig. 13, the implementation method of the container network plug-in further includes, before the part of step S210 in which the corresponding arp reply packet is generated and fed back using the mac address of the macvlan sub-interface:
S410: the arp filtering module filters the obtained arp request packets according to an arp request filtering rule, retaining only the arp request packets that the rule allows.
S420: the arp filtering module passes the arp request packets allowed by the arp request filtering rule to the macvlan sub-interface.
According to the technical scheme provided by the embodiment of the application, the arp request filtering module filters the arp request packets with the arp request filtering rule and retains only the arp request packets that the rule allows. Incoming arp traffic is thus filtered before it reaches the macvlan sub-interface, so that no false arp reply is sent for an IP address that does not belong to the container. The arp request filtering module is implemented with arptables: a default arp request filtering rule is added, and a drop rule can be set for each container.
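As an added example (not code from the patent or from SmartX), the following POSIX shell script builds the per-container topology described in steps S110 to S142, S210 to S213 and S410 to S420 with iproute2, sysctl and arptables: a vrf routing domain, a veth interface with a virtual IP address and proxy_arp, a macvlan sub-interface carrying the container's IP and mac address, and the arptables rules that restrict which arp requests the sub-interface answers. All interface names, addresses, the routing table number, the macvlan mode and the exact rule set are assumptions; the patent does not specify them. With DRY_RUN set the script only prints the commands; without it, it must run as root on a node where the container's network namespace already exists.

```sh
#!/bin/sh
# Added example: build one container's vrf/veth/macvlan topology.
# Interface names, addresses, table number and rules are assumptions.
# DRY_RUN=1 prints the commands instead of running them (real runs need root).

run() {
  if [ -n "$DRY_RUN" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# setup_container_net NAME NETNS PARENT INDEX CONTAINER_IP CONTAINER_MAC VETH_IP TABLE
setup_container_net() {
  name=$1 netns=$2 parent=$3 idx=$4 cip=$5 cmac=$6 vip=$7 table=$8
  vrf="vrf-$name" veth="veth-$name" sub="$parent.$idx"

  # vrf routing domain: one per container, with its own routing table
  run ip link add "$vrf" type vrf table "$table"
  run ip link set "$vrf" up

  # veth pair: host end enslaved to the vrf, container end as eth0 in the container netns
  run ip link add "$veth" type veth peer name eth0 netns "$netns"
  run ip link set "$veth" master "$vrf" up
  run ip addr add "$vip/32" dev "$veth"
  # proxy_arp makes the veth answer every arp request from the container with its own mac (S120);
  # the kernel only proxies when forwarding is on and the target is routed out of another interface
  run sysctl -w net.ipv4.ip_forward=1
  run sysctl -w "net.ipv4.conf.$veth.proxy_arp=1"

  # macvlan sub-interface in the vrf, carrying the container's IP and mac towards the
  # physical network (S211); private mode keeps sub-interfaces on one parent from talking directly
  run ip link add link "$parent" name "$sub" type macvlan mode private
  run ip link set "$sub" address "$cmac"
  run ip link set "$sub" master "$vrf" up
  run ip addr add "$cip/32" dev "$sub"

  # vrf routes: inbound traffic for the container goes over the veth (S220); everything
  # else leaves over the sub-interface, which arps for each destination itself (S141)
  run ip route add "$cip/32" dev "$veth" table "$table"
  run ip route add default dev "$sub" table "$table"

  # container side: an onlink default route makes the container arp for every
  # destination, and the veth's proxy_arp answers each request (S110 to S130)
  run ip netns exec "$netns" ip link set eth0 address "$cmac"
  run ip netns exec "$netns" ip addr add "$cip/32" dev eth0
  run ip netns exec "$netns" ip link set eth0 up
  run ip netns exec "$netns" ip route add default dev eth0

  # arptables (S410/S420): only arp requests for the container's own IP reach the
  # sub-interface, so it never replies for addresses that belong to other nodes
  run arptables -A INPUT -i "$sub" --opcode 1 -d "$cip" -j ACCEPT
  run arptables -A INPUT -i "$sub" --opcode 1 -j DROP
}

# constructed invocation with assumed names and addresses
if [ -n "$DRY_RUN" ]; then
  setup_container_net c1 ns-c1 eth0 1 10.0.0.11 02:42:0a:00:00:0b 169.254.1.1 101
fi
```

Run `DRY_RUN=1 sh setup.sh` to review the command plan before applying it. Teardown is a single `ip link del` of the vrf, the veth and the sub-interface plus removal of the two arptables rules. On hosts where the legacy arptables binary is absent, the arptables-nft front end or an nftables table of the arp family expresses the same accept/drop pair.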
It will be appreciated by those skilled in the art that embodiments of the present invention may be provided as a method, system, or computer program product. Accordingly, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present invention may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present invention is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems) and computer program products according to embodiments of the invention. It will be understood that each flow and/or block of the flowchart illustrations and/or block diagrams, and combinations of flows and/or blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
It should be noted that in the claims, any reference signs placed between parentheses shall not be construed as limiting the claim. The word "comprising" does not exclude the presence of elements or steps not listed in a claim. The word "a" or "an" preceding an element does not exclude the presence of a plurality of such elements. The invention may be implemented by means of hardware comprising several distinct elements, and by means of a suitably programmed computer. In the unit claims enumerating several means, several of these means may be embodied by one and the same item of hardware. The use of the words first, second, third, etc. does not denote any order. These words may be interpreted as names.
While preferred embodiments of the present invention have been described, additional variations and modifications in those embodiments may occur to those skilled in the art once they learn of the basic inventive concepts. It is therefore intended that the following claims be interpreted as including the preferred embodiments and all such alterations and modifications as fall within the scope of the invention.
It will be apparent to those skilled in the art that various modifications and variations can be made to the present invention without departing from the spirit or scope of the invention. Thus, it is intended that the present invention also include such modifications and alterations insofar as they come within the scope of the appended claims or the equivalents thereof.

Claims (10)

1. The implementation system of the container network plug-in the CaaS platform is characterized by comprising:
a plurality of containers, each container comprising a unique container network card;
a plurality of virtual routing forwarding vrf routing domains respectively connected with each container network card in a one-to-one correspondence manner;
and, a macvlan parent interface connected to the plurality of vrf routing domains;
wherein each of the vrf routing domains comprises:
a virtual network device veth interface correspondingly connected with the container network card, wherein the veth interface is configured with a virtual IP address;
the macvlan sub-interface is connected with the veth interface and is configured with the same IP address and mac address as the container network card;
the vrf routing domain further comprises:
the service conversion module is connected between the container network card and the veth interface;
the iptable module is connected with the service conversion module;
the service conversion module is configured to forward the data traffic flowing in the container or the veth interface to a kernel protocol stack, so as to interact with the iptable module to implement a service function.
2. The system of claim 1, wherein the veth interface is configured with a mac address and an arp proxy for using the mac address of the veth interface to answer the arp requests from all containers.
3. The system for implementing a container network plug-in of claim 1, further comprising:
an arp request filtering module disposed between the vrf routing domain and the macvlan parent interface; wherein,,
the arp request filtering module is internally provided with an arptables submodule, and the arptables submodule comprises an arp request filtering rule.
4. The system for implementing a container network plug-in of claim 1, further comprising: a node management network card connected to each container.
5. A method for implementing a container network plug-in a CaaS platform, which is used for the system for implementing a container network plug-in as claimed in any one of claims 1 to 4, and the method for implementing a container network plug-in includes:
the veth interface of the vrf routing domain acquires an arp request packet sent by a corresponding container;
the veth interface replies the arp request packet by using the mac address of the veth interface, and obtains and feeds back an arp response packet to the container;
the veth interface acquires an IP message generated by the container according to the arp reply packet, and forwards the IP message to a macvlan sub-interface of the vrf routing domain;
and the macvlan sub-interface sends the IP message according to the real mac address corresponding to the IP message.
6. The method of claim 5, wherein before the step of the veth interface obtaining an arp request packet sent by a corresponding container, the method further comprises:
the macvlan sub-interface acquires an arp request packet sent by an external client, and generates and feeds back a corresponding arp reply packet according to the mac address of the macvlan sub-interface;
and the macvlan sub-interface acquires an IP data packet sent by the external client according to the arp reply packet, and forwards the IP data packet to the container.
7. The implementation method of the container network plug-in according to claim 5 or 6, wherein the step of sending the IP message by the macvlan sub-interface according to the real mac address corresponding to the IP message includes:
the macvlan sub-interface sends an arp request packet according to the IP address corresponding to the IP message to obtain the real mac address;
and the macvlan sub-interface sends the IP message to the client corresponding to the real mac address.
8. The method for implementing the container network plug-in according to claim 6, wherein the step of the macvlan sub-interface obtaining an arp request packet sent by the external client, and generating and feeding back a corresponding arp reply packet according to a mac address of the macvlan sub-interface itself includes:
the macvlan sub-interface uses the IP address and the mac address of the container to configure the IP address and the mac address of the macvlan sub-interface itself;
the macvlan sub-interface acquires an arp request packet sent by the external client according to the IP address of the macvlan sub-interface;
the macvlan sub-interface generates an arp reply packet corresponding to the arp request packet, where the arp reply packet includes a mac address of the macvlan sub-interface.
9. The method of implementing a container network plug-in of claim 5, further comprising:
the service conversion module sends the data flow flowing in by the container or the veth interface to a kernel protocol stack;
and the kernel protocol stack interacts with the iptable module through the data flow to realize a service function.
10. The method according to claim 6, wherein before the step of generating and feeding back the corresponding arp reply packet according to the mac address of the macvlan sub-interface itself, the method further comprises:
filtering the obtained arp request packet according to an arp request filtering rule by using an arp filtering module to obtain an arp request packet allowed by the arp request filtering rule;
and the arp filtering module sends an arp request packet allowed by the arp request filtering rule to the macvlan sub-interface.
CN202210813616.5A 2022-07-11 2022-07-11 Method and system for realizing container network plug-in CaaS platform Active CN115189948B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210813616.5A CN115189948B (en) 2022-07-11 2022-07-11 Method and system for realizing container network plug-in CaaS platform

Publications (2)

Publication Number Publication Date
CN115189948A CN115189948A (en) 2022-10-14
CN115189948B true CN115189948B (en) 2023-05-12

Family

ID=83517528

Country Status (1)

Country Link
CN (1) CN115189948B (en)

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116016448B (en) * 2022-11-30 2024-12-17 上海浦东发展银行股份有限公司 Service network access method, device, equipment and storage medium
CN116132542B (en) * 2023-01-13 2024-11-08 国信证券股份有限公司 Container network management method, container network plug-in and related equipment
CN119814868A (en) * 2025-01-16 2025-04-11 中电云计算技术有限公司 A container cross-network communication method and device based on VRF

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105407140A (en) * 2015-10-23 2016-03-16 上海比林电子科技有限公司 Calculation resource virtualization system of networked test system and method thereof
CN108475251A (en) * 2016-01-22 2018-08-31 环球互连及数据中心公司 Virtual Networking, Hot Swapping, Hot Scaling and Disaster Recovery for Containers
CN111885075A (en) * 2020-07-30 2020-11-03 广州华多网络科技有限公司 Container communication method, device, network equipment and storage medium
CN112637135A (en) * 2020-12-04 2021-04-09 同盾控股有限公司 Method, device and system for host network isolation based on macvlan
CN114301868A (en) * 2021-12-30 2022-04-08 上海观安信息技术股份有限公司 Method for quickly generating floating IP of virtual container and method and device for network direct connection
CN114363170A (en) * 2021-12-29 2022-04-15 中国电信股份有限公司 Container service network configuration method and related product
CN114615109A (en) * 2020-11-23 2022-06-10 北京达佳互联信息技术有限公司 Container network creating method and device, electronic equipment and storage medium

Family Cites Families (14)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103384255B (en) * 2011-12-31 2016-08-10 华为数字技术(成都)有限公司 The load-balancing method of cluster virtual machine, server and system
CN105430110A (en) * 2015-10-30 2016-03-23 浪潮(北京)电子信息产业有限公司 Container configuration method and network transmission device for a virtual network system
US11159366B1 (en) * 2018-09-28 2021-10-26 Juniper Networks, Inc. Service chaining for virtual execution elements
CN109561108B (en) * 2019-01-07 2020-09-01 中国人民解放军国防科技大学 Policy-based container network resource isolation control method
US20210112093A1 (en) * 2019-10-14 2021-04-15 AVAST Software s.r.o. Measuring address resolution protocol spoofing success
CN111049796B (en) * 2019-10-25 2022-01-07 中国通信服务股份有限公司 Method for realizing Overlay multi-tenant CNI (CNI) container network based on Open vSwitch
CN111147450B (en) * 2019-12-09 2022-07-08 江苏艾佳家居用品有限公司 Container network isolation method based on macvlan mode
CN111404753B (en) * 2020-03-23 2021-08-20 星环信息科技(上海)股份有限公司 Flat network configuration method, computer equipment and storage medium
US11481356B2 (en) * 2020-07-21 2022-10-25 EMC IP Holding Company LLC Techniques for providing client interfaces
CN112202615B (en) * 2020-09-30 2021-08-31 上海道客网络科技有限公司 A multi-CNI cooperative work system and method
CN113726632B (en) * 2021-07-31 2023-04-18 新华三信息安全技术有限公司 Message forwarding method and device
CN114172802B (en) * 2021-12-01 2024-04-26 百果园技术(新加坡)有限公司 Container network configuration method, device, computing node, master node and storage medium
CN114629744B (en) * 2022-01-25 2024-01-16 浙江大华技术股份有限公司 Data access method, system and related device based on macvlan host network
CN114338594B (en) * 2022-03-14 2022-05-17 江苏博云科技股份有限公司 ARP (Address resolution protocol) response-substituting method, device, equipment and storage medium in Kubernetes environment

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
CP03 Change of name, title or address

Address after: 8b, building 1, No. 48, Zhichun Road, Haidian District, Beijing 100086
Patentee after: Beijing Zhiling Haina Technology Co.,Ltd.
Country or region after: China
Address before: 8b, building 1, No. 48, Zhichun Road, Haidian District, Beijing 100086
Patentee before: Beijing zhilinghaina Technology Co.,Ltd.
Country or region before: China