CN105303102A - Secure access method for virtual machine and virtual machine system - Google Patents
- Publication number: CN105303102A (application CN201510738195.4A)
- Authority: CN (China)
- Legal status: Pending (as assumed by Google; not a legal conclusion)
Classifications
- G: PHYSICS
- G06: COMPUTING; CALCULATING OR COUNTING
- G06F: ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00: Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50: Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/52: Monitoring users, programs or devices to maintain the integrity of platforms during program execution, e.g. stack integrity; preventing unwanted data erasure; buffer overflow
- G06F21/53: Monitoring users, programs or devices to maintain the integrity of platforms during program execution by executing in a restricted environment, e.g. sandbox or secure virtual machine
Description
Technical field
The present invention relates to the technical field of cloud computing, and in particular to a secure access method for a virtual machine and a virtual machine system.
Background
Cloud computing has brought the commercial world into a new era of information technology (IT) service provision and consumption. Cloud computing strengthens collaboration, agility, scalability and availability, and lowers cost through optimized, more efficient computing. More specifically, the cloud describes the use of services, applications, information and infrastructure built from "resource pools" of computing, network, information and storage. The components of a cloud computing system can be rapidly provisioned, deployed and decommissioned, and can be scaled up or down in turn, providing an on-demand allocation and consumption model similar to utility computing.
A cloud computing system is able to automatically control and optimize the resource usage of a service because it leverages a metering capability at some level of abstraction. In cloud computing, virtualization is one of the key technologies chosen for abstracting resources.
In virtualization technology, different types of virtualization are distinguished according to the entity being virtualized. System virtualization is one widely recognized type.
The core idea of system virtualization is that virtualization software creates one or more virtual machines on a single physical machine. A virtual machine runs in an isolated environment and is a logical computer system with complete hardware functionality, comprising a guest operating system and the applications running in it. In a virtual machine system, multiple operating systems can run simultaneously on the same physical machine without affecting one another, multiplexing the physical resources.
Although virtualization technology has developed rapidly, the security technology of virtual machine systems lags far behind. Running services on virtual machines while guaranteeing system security is much more complicated than doing so on a single computer. Virtual machine systems face many security threats, such as attacks between virtual machines, resource contention and virtual machine escape. Therefore, while virtual machines bring convenience to applications and management, more attention should be paid to solving virtualization security problems and to researching virtualization security mechanisms.
At present, the virtual machine monitor (VMM), also called the hypervisor, can access all hardware devices on a server. When the server starts and invokes the hypervisor, the hypervisor loads the operating systems of all guest virtual machines and allocates to each virtual machine an appropriate amount of physical resources such as network, CPU, disk and memory. The hypervisor is responsible for coordinating access to these hardware resources and also enforces security protection between the virtual machines. In traditional virtualization technology, virtual machine escape is mostly handled by monitoring, so that a dangerous event is detected and prevented. One approach to such a monitoring mechanism is to monitor the guest virtual machine from outside its own environment, through the hypervisor layer provided by the virtual machine environment. Such a mechanism can effectively protect the security components from tampering; at the same time it has little impact on the monitored environment, is easy to implement transparently, and has advantages in system compatibility. However, this approach suffers from the semantic gap problem.
Because the architecture of cloud computing differs from that of a traditional stand-alone virtualization environment, control in cloud computing shifts from the hypervisor to the cloud control node (Controller). A traditional virtual machine monitoring mechanism, however, is designed into the hypervisor of the compute node, and it is difficult to connect it effectively with the virtual machine management and control process on the cloud control node. The security chain is broken, the security of the virtual machine over its entire life cycle cannot be guaranteed, and the mechanism cannot function well in a cloud computing scenario.
Summary of the invention
Embodiments of the present invention provide a secure access method for a virtual machine and a virtual machine system, which are used to realize security protection of virtual resources in a cloud computing virtualization platform.
To achieve the above object, embodiments of the present invention adopt the following technical solutions:
An embodiment of the present invention provides a secure access method for a virtual machine, applied to a virtual machine system, where the virtual machine system includes a compute node, a cloud computing control node and a virtual machine. The method includes: when the virtual machine is created, the cloud computing control node configures corresponding identification information for the virtual machine and for the virtual resources corresponding to the virtual machine; the compute node receives a virtual resource access request message sent by the virtual machine, where the virtual resource access request message carries the identification information of the virtual machine and the identification information of the virtual resource to be accessed; the compute node determines, according to the identification information of the virtual machine and the identification information of the virtual resource to be accessed, whether the virtual machine has permission to access the virtual resource corresponding to the identification information of the virtual resource; when it is determined that the virtual machine has permission to access the virtual resource corresponding to the identification information of the virtual resource, the compute node allows the virtual machine to access that virtual resource; and when it is determined that the virtual machine does not have permission to access the virtual resource corresponding to the identification information of the virtual resource, the compute node blocks the virtual machine from accessing that virtual resource.
Further, before the compute node receives the virtual resource access request message sent by the virtual machine, the method also includes: the cloud computing control node determines, according to the user's interest information, the compute node that will run the virtual machine; the cloud computing control node sends, to the compute node that will run the virtual machine, a message for establishing a running relationship with the virtual machine; the compute node receives the message for establishing a running relationship with the virtual machine sent by the cloud computing control node; and the compute node, according to that message, allocates running resources to the virtual machine and establishes the running relationship with the virtual machine.
Further, before the cloud computing control node determines, according to the user's interest information, the compute node that will run the virtual machine, the method also includes: the cloud computing control node determines, according to load information of the compute node on which the virtual machine is located, whether to migrate the virtual machine. The cloud computing control node determining the compute node that will run the virtual machine according to the user's interest information then includes: when the cloud computing control node decides to migrate the virtual machine, determining the compute node that will run the virtual machine according to the user's interest information.
Further, the cloud computing control node determining the compute node that will run the virtual machine according to the user's interest information includes: when the cloud computing control node decides to create a virtual machine, the cloud computing control node determines the compute node that will run the virtual machine according to the user's interest information.
Further, an embodiment of the present invention provides a virtual machine system, including a compute node, a cloud computing control node and a virtual machine, where: the cloud computing control node is configured to, when the virtual machine is created, configure corresponding identification information for the virtual machine and for the virtual resources corresponding to the virtual machine; the compute node is configured to receive a virtual resource access request message sent by the virtual machine, where the virtual resource access request message carries the identification information of the virtual machine and the identification information of the virtual resource to be accessed; the compute node is further configured to determine, according to the identification information of the virtual machine and the identification information of the virtual resource to be accessed, whether the virtual machine has permission to access the virtual resource corresponding to the identification information of the virtual resource; to allow the virtual machine to access the virtual resource corresponding to the identification information of the virtual resource when it is determined that the virtual machine has permission to access it; and to block the virtual machine from accessing the virtual resource corresponding to the identification information of the virtual resource when it is determined that the virtual machine does not have permission to access it.
Further, the cloud computing control node is also configured to determine, according to the user's interest information, the compute node that will run the virtual machine; the cloud computing control node is also configured to send, to the compute node that will run the virtual machine, a message for establishing a running relationship with the virtual machine; the compute node is also configured to receive the message for establishing a running relationship with the virtual machine sent by the cloud computing control node; and the compute node is also configured to allocate running resources to the virtual machine and establish the running relationship with the virtual machine according to that message.
Further, the cloud computing control node is also configured to determine, according to load information of the compute node on which the virtual machine is located, whether to migrate the virtual machine; and the cloud computing control node is specifically configured to, when it decides to migrate the virtual machine, determine the compute node that will run the virtual machine according to the user's interest information.
Further, the cloud computing control node is specifically configured to, when it decides to create a virtual machine, determine the compute node that will run the virtual machine according to the user's interest information.
Embodiments of the present invention provide a secure access method for a virtual machine and a virtual machine system. The virtual machine system includes a compute node, a cloud computing control node and a virtual machine, and the method includes: when the virtual machine is created, the cloud computing control node configures corresponding identification information for the virtual machine and for the virtual resources corresponding to the virtual machine; the compute node receives a virtual resource access request message sent by the virtual machine, where the virtual resource access request message carries the identification information of the virtual machine and the identification information of the virtual resource to be accessed; the compute node determines, according to the identification information of the virtual machine and the identification information of the virtual resource to be accessed, whether the virtual machine has permission to access the virtual resource corresponding to the identification information of the virtual resource; when it is determined that the virtual machine has that permission, the compute node allows the virtual machine to access that virtual resource; and when it is determined that the virtual machine does not have that permission, the compute node blocks the virtual machine from accessing that virtual resource.
In this way, once the cloud computing control node has configured corresponding identification information for the virtual machine and for its virtual resources at creation time, the compute node can, whenever the virtual machine needs to access a virtual resource, determine from the identification information of the virtual machine and of the requested virtual resource whether the virtual machine is authorized, and allow the access only when it is. This lowers the probability that a malicious user accesses the virtual resources of other users, realizes protection of the virtual resources, and thereby realizes security protection of virtual resources in the cloud computing virtualization platform.
Brief description of the drawings
In order to explain the technical solutions of the embodiments of the present invention more clearly, the drawings needed in the description of the embodiments or of the prior art are briefly introduced below. Obviously, the drawings described below are only some embodiments of the present invention; a person of ordinary skill in the art can obtain other drawings from them without creative effort.
FIG. 1 is a schematic flowchart of a secure access method for a virtual machine provided by an embodiment of the present invention;
FIG. 2 is a schematic flowchart of another secure access method for a virtual machine provided by an embodiment of the present invention;
FIG. 3 is a schematic flowchart of another secure access method for a virtual machine provided by an embodiment of the present invention;
FIG. 4 is a schematic structural diagram of a virtual machine system provided by an embodiment of the present invention.
Detailed description
The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the drawings of the embodiments. Obviously, the described embodiments are only some of the embodiments of the present invention, not all of them. All other embodiments obtained by a person of ordinary skill in the art from the embodiments of the present invention without creative effort fall within the protection scope of the present invention.
An embodiment of the present invention provides a secure access method for a virtual machine, applied to a virtual machine system that includes a compute node, a cloud computing control node and a virtual machine. As shown in FIG. 1, the method includes:
Step 101: when the virtual machine is created, the cloud computing control node configures corresponding identification information for the virtual machine and for the virtual resources corresponding to the virtual machine.
Specifically, in order to protect the virtual resources, the cloud computing control node needs, when the virtual machine is created, to configure corresponding identification information for the virtual machine and for the virtual resources the virtual machine is able to access.
Further, different virtual machines have different identification information.
Further, when the virtual machine is created, the cloud computing control node can determine the virtual resources corresponding to the virtual machine from the resources the virtual machine requires and from its configuration information, and can then configure corresponding identification information for the virtual machine and for the virtual resources it is able to access.
Further, the cloud computing control node configures the same identification information for the virtual machine and for the virtual resources the virtual machine is able to access.
Step 102: the compute node receives the virtual resource access request message sent by the virtual machine.
The virtual resource access request message carries the identification information of the virtual machine and the identification information of the virtual resource to be accessed.
Specifically, when the virtual machine needs to access a virtual resource, it sends a virtual resource access request message to the compute node. This message carries the virtual machine's own identification information, that is, the identification information of the virtual machine, together with the identification information of the resource it needs to access.
Further, the virtual resource access request message may instead omit the identification information of the virtual resource to be accessed; in that case it needs to carry other information that identifies the virtual resource to be accessed, so that the compute node can determine the identification information of the virtual resource from that other information.
Step 103: the compute node determines, according to the identification information of the virtual machine and the identification information of the virtual resource to be accessed, whether the virtual machine has permission to access the virtual resource corresponding to the identification information of the virtual resource.
Specifically, after receiving the virtual resource access request message, the compute node parses out the identification information of the virtual resource and the identification information of the virtual machine carried in it, compares the two, and determines from the comparison result whether the virtual machine has permission to access the virtual resource it is requesting.
Further, if in step 101 the cloud computing control node configured the same identification information for the virtual machine and for the virtual resources it is able to access, the compute node can compare the parsed identification information of the virtual machine with that of the virtual resource and check whether they are consistent. If they are consistent, the virtual machine is determined to have permission to access the virtual resource corresponding to the identification information of the virtual resource; if they are not consistent, the virtual machine is determined not to have that permission.
It should be noted that the step executed next depends on the determination result of step 103. When the compute node determines that the virtual machine has permission to access the virtual resource corresponding to the identification information of the virtual resource, step 104a is executed. When the compute node determines that the virtual machine does not have that permission, step 104b is executed.
Step 104a: when it is determined that the virtual machine has permission to access the virtual resource corresponding to the identification information of the virtual resource, the compute node allows the virtual machine to access that virtual resource.
Specifically, when the compute node determines that the virtual machine has permission to access the virtual resource corresponding to the identification information of the virtual resource, the virtual machine is legitimate and is not a virtual machine controlled by a malicious user, so the compute node can allow the virtual machine to access that virtual resource and obtain the information it needs.
Step 104b: when it is determined that the virtual machine does not have permission to access the virtual resource corresponding to the identification information of the virtual resource, the compute node blocks the virtual machine from accessing that virtual resource.
Specifically, when the compute node determines that the virtual machine does not have permission to access the virtual resource corresponding to the identification information of the virtual resource, the virtual machine is illegitimate and may be a virtual machine controlled by a malicious user, so the compute node blocks the virtual machine from accessing that virtual resource. That is, the compute node does not respond to the virtual resource access request message the virtual machine sent.
In this way, once the cloud computing control node has configured corresponding identification information for the virtual machine and for its virtual resources at creation time, the compute node can, whenever the virtual machine needs to access a virtual resource, determine from the identification information of the virtual machine and of the requested virtual resource whether the virtual machine is authorized, and allow the access only when it is. This lowers the probability that a malicious user accesses the virtual resources of other users, realizes protection of the virtual resources, and thereby realizes security protection of virtual resources in the cloud computing virtualization platform.
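The following Python model of steps 101 to 104 is an added example and is not code from the patent or from any product implementing it. It shows the control node issuing one identification tag per virtual machine and stamping the same tag onto every virtual resource that machine may use, and the compute node comparing the two tags on each request, resolving the resource tag itself when the request carries only a resource name (the variant described under step 102), and answering a failed comparison with no response at all (step 104b). One check goes beyond the description and is marked as an assumption: the compute node also verifies that the tag a guest claims in its message matches the tag recorded for that guest when it was placed, so a guest cannot simply write another machine's tag into its request. All class, field and message names are assumptions of this example.

```python
"""Added model of the identification-tag access check (steps 101 to 104)."""
import secrets
from dataclasses import dataclass, field


@dataclass
class VirtualResource:
    name: str   # constructed name such as "disk-1"; any attachable virtual resource
    tag: str    # identification information assigned when the owning VM is created


@dataclass
class VMRecord:
    vm_name: str
    tag: str
    resources: dict = field(default_factory=dict)  # resource name -> VirtualResource


class CloudControlNode:
    """Step 101: issue identification information when a VM is created."""

    def __init__(self):
        self.vms = {}

    def create_vm(self, vm_name, resource_names):
        # One fresh random tag per VM (so different VMs never share one); the same
        # tag is written onto every virtual resource the VM is entitled to use.
        tag = secrets.token_hex(8)
        record = VMRecord(vm_name, tag)
        for name in resource_names:
            record.resources[name] = VirtualResource(name, tag)
        self.vms[vm_name] = record
        return record


class ComputeNode:
    """Steps 102 to 104: receive a request, compare tags, allow or block."""

    def __init__(self):
        self.hosted = {}     # vm_name -> tag recorded when the VM was placed here
        self.resources = {}  # resource name -> VirtualResource
        self.blocked = []    # audit trail: (sender, message, reason) for blocked requests

    def establish_relationship(self, record):
        # The control node hands the compute node the VM's tag and resources when
        # it assigns the VM to this node (the message of step 106).
        self.hosted[record.vm_name] = record.tag
        self.resources.update(record.resources)

    def _block(self, sender_vm, message, reason):
        # Step 104b: record the event locally and send no response to the guest.
        self.blocked.append((sender_vm, message, reason))
        return None

    def handle_request(self, sender_vm, message):
        """Return the VirtualResource on success, None when the request is blocked.

        `message` carries "vm_tag" and "resource" (a name the compute node resolves
        to a tag itself) and may also carry an explicit "resource_tag".
        """
        vm_tag = message.get("vm_tag")
        # Assumption beyond the description: the hypervisor knows which guest sent
        # the message, so the claimed tag must match the tag recorded at placement.
        recorded = self.hosted.get(sender_vm)
        if recorded is None or recorded != vm_tag:
            return self._block(sender_vm, message, "vm tag does not match host record")
        res = self.resources.get(message.get("resource"))
        if res is None:
            return self._block(sender_vm, message, "unknown resource")
        # If the request names a resource tag explicitly it must agree with the
        # tag the control node assigned; otherwise the node resolves it itself.
        if message.get("resource_tag", res.tag) != res.tag:
            return self._block(sender_vm, message, "resource tag does not match")
        # Step 103: equal tags mean the VM is entitled to the resource.
        if not secrets.compare_digest(vm_tag, res.tag):
            return self._block(sender_vm, message, "tag mismatch")
        return res  # step 104a: access allowed


def run_scenario():
    """Constructed scenario: two VMs on one compute node, five requests."""
    control, node = CloudControlNode(), ComputeNode()
    vm1 = control.create_vm("vm1", ["disk-1", "net-1"])
    vm2 = control.create_vm("vm2", ["disk-2"])
    node.establish_relationship(vm1)
    node.establish_relationship(vm2)
    results = {
        "own_resource": node.handle_request("vm1", {"vm_tag": vm1.tag, "resource": "disk-1"}),
        "other_vm_resource": node.handle_request("vm1", {"vm_tag": vm1.tag, "resource": "disk-2"}),
        "claimed_other_tag": node.handle_request("vm1", {"vm_tag": vm2.tag, "resource": "disk-2"}),
        "unknown_resource": node.handle_request("vm1", {"vm_tag": vm1.tag, "resource": "disk-9"}),
        "explicit_tag": node.handle_request(
            "vm2", {"vm_tag": vm2.tag, "resource": "disk-2", "resource_tag": vm2.tag}),
    }
    return {k: (v.name if v else None) for k, v in results.items()}, node.blocked


if __name__ == "__main__":
    outcome, blocked = run_scenario()
    print(outcome)
    for sender, _, reason in blocked:
        print(f"blocked request from {sender}: {reason}")
```

The blocked list is the compute node's own record of denied requests; since the description has the node stay silent toward the guest, that local record is the only place a defender would see repeated cross-tenant attempts, which is why the example keeps it.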
进一步的,在步骤101之前,如图2所示,还包括:Further, before step 101, as shown in Figure 2, it also includes:
步骤105、云计算控制节点根据用户的利益信息,确定运行虚拟机的计算节点。Step 105, the cloud computing control node determines the computing node running the virtual machine according to the benefit information of the user.
Specifically, when the virtual machine is created, the user sends the user's interest information to the cloud computing control node. The user's interest information is information, supplied by the user, about other users who may have an interest relationship with the user. The cloud computing control node can then use the obtained interest information to determine the computing node on which the virtual machine will run, so that this computing node is not running a virtual machine of any user who has an interest relationship with this user. That is, based on the user's interest information, the cloud computing control node selects, from among all computing nodes, a computing node that is not running any virtual machine of a user with whom this user has an interest relationship, and takes that computing node as the running computing node of the virtual machine.
It should be noted that if at least two computing nodes are selected that are not running a virtual machine of a user who has an interest relationship with this user, then any one of those computing nodes may be chosen as the running computing node of the virtual machine. Alternatively, the computing node that runs the virtual machine may be chosen from those at least two computing nodes according to other rules, for example according to the load of the computing nodes, taking the computing node with the smaller load as the one that runs the virtual machine. Other rules may of course also be used; the present invention does not limit this.
By way of example, the virtual machine system has four computing nodes, a, b, c and d. The cloud computing control node needs to determine the computing node for virtual machine 1. It may first obtain the stored interest information of the user corresponding to virtual machine 1, that is, the interest information of the user who created virtual machine 1. From this interest information the cloud computing control node determines that, among the four computing nodes a, b, c and d, nodes a and b are each running a virtual machine of a user who has an interest relationship with the user of virtual machine 1, while nodes c and d are not running any such virtual machine. The cloud computing control node may then take computing node c, which has the smaller load, as the computing node of virtual machine 1.
Step 106: the cloud computing control node sends a message for establishing a running relationship with the virtual machine to the computing node that will run the virtual machine. The computing node receives this message from the cloud computing control node.
Specifically, after the cloud computing control node has determined the computing node that will run the virtual machine, it sends that computing node a message for establishing a running relationship with the virtual machine, so that the computing node can establish the running relationship. The computing node receives this message.
Continuing the example above, after the cloud computing control node determines that computing node c is the running computing node of virtual machine 1, it sends computing node c a message for establishing a running relationship with virtual machine 1, and computing node c receives this message.
Step 107: according to the message for establishing a running relationship with the virtual machine, the computing node allocates running resources to the virtual machine and establishes the running relationship with it.
Specifically, after receiving the message for establishing a running relationship with the virtual machine, the computing node can parse the message to learn which virtual machine it is to establish a running relationship with, allocate the corresponding running resources to that virtual machine, and then establish the running relationship with it.
In the example above, after receiving the message for establishing a running relationship with virtual machine 1, computing node c can parse it, learn that the running relationship is to be established with virtual machine 1, allocate the running resources that virtual machine 1 needs, and then establish the running relationship with virtual machine 1.
Further, step 105 is executed by the cloud computing control node only when a virtual machine is created or migrated. When a virtual machine is created, the user needs a virtual machine and can trigger the cloud computing control node to create it. When the user triggers the cloud computing control node to create the virtual machine, the user's interest information can be sent to the cloud computing control node.
In this case, the cloud computing control node determining the computing node that runs the virtual machine according to the user's interest information includes: when the cloud computing control node determines that a virtual machine is to be created, it determines the computing node that runs the virtual machine according to the user's interest information.
That is to say, when the user needs to create a virtual machine, a trigger message for creating the virtual machine is sent to the cloud computing control node, together with the user's interest information. After receiving the trigger message, the cloud computing control node can obtain the user's interest information, and when creating the virtual machine it must determine the computing node that will run it.
When a virtual machine is migrated, the method further includes, before step 105 and as shown in FIG. 3:
Step 108: the cloud computing control node determines, according to the load information of the computing node on which the virtual machine is located, whether to migrate the virtual machine.
Specifically, the cloud computing control node can obtain various information about each computing node in real time, such as load and resource utilization, and from this information can determine whether any computing node needs to have a virtual machine migrated away.
In the example above, the cloud computing control node can obtain such information about the four computing nodes a, b, c and d. If it finds that computing node a is heavily loaded while computing node c is lightly loaded with low resource utilization, the cloud computing control node can determine that computing node a needs to migrate a virtual machine, that is, a virtual machine on computing node a is determined to be the virtual machine to migrate.
In this case, step 105, in which the cloud computing control node determines the computing node that runs the virtual machine according to the user's interest information, includes: when the cloud computing control node determines that the virtual machine is to be migrated, it determines the computing node that runs the virtual machine according to the user's interest information.
That is to say, when the cloud computing control node determines that the virtual machine is to be migrated, it determines for that virtual machine the computing node that will run it, and it can do so according to the user's interest information.
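The placement rule of steps 105 to 108, worked through in Python as an added example (not code from the patent): interest information keeps related users' virtual machines on different computing nodes, load breaks ties, and a hot node triggers migration. The class and function names, the load figures, the `exclude` parameter, the symmetric treatment of the relationship and the migration thresholds are all assumptions made for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class ComputeNode:
    """One computing node; `load` is a constructed 0.0-1.0 utilisation figure."""
    name: str
    load: float
    vms: Dict[str, str] = field(default_factory=dict)  # vm_id -> owning user


class CloudControlNode:
    """Keeps the users' interest information and performs steps 105-108."""

    def __init__(self, nodes: List[ComputeNode]) -> None:
        self.nodes: Dict[str, ComputeNode] = {n.name: n for n in nodes}
        # user -> other users the user declared an interest relationship with
        self.interests: Dict[str, Set[str]] = {}

    def register_interest(self, user: str, others: Set[str]) -> None:
        """Stored when the interest information arrives with the create trigger."""
        self.interests.setdefault(user, set()).update(others)

    def conflicts(self, user: str, other: str) -> bool:
        """Assumption: the relationship is symmetric, a declaration by either side counts."""
        return (other in self.interests.get(user, set())
                or user in self.interests.get(other, set()))

    def select_compute_node(self, user: str, exclude: Optional[str] = None) -> Optional[str]:
        """Step 105: only nodes running no VM of a related user are candidates;
        among several, the lightest-loaded wins (the patent's example tie-break).
        `exclude` (an assumption) lets a migration skip the source node."""
        candidates = [
            n for n in self.nodes.values()
            if n.name != exclude
            and not any(self.conflicts(user, owner) for owner in n.vms.values())
        ]
        if not candidates:
            return None  # no safe node: refuse rather than co-locate related users
        return min(candidates, key=lambda n: n.load).name

    def place_vm(self, vm_id: str, user: str) -> Optional[str]:
        """Steps 106-107: the chosen node records the running relationship."""
        target = self.select_compute_node(user)
        if target is not None:
            self.nodes[target].vms[vm_id] = user
        return target

    def should_migrate_from(self, node_name: str, high: float = 0.8, low: float = 0.3) -> bool:
        """Step 108: heavily loaded source plus some lightly loaded node elsewhere.
        The thresholds are constructed for the example, not taken from the patent."""
        src = self.nodes[node_name]
        return src.load >= high and any(
            n.load <= low for n in self.nodes.values() if n.name != node_name)

    def migrate_vm(self, vm_id: str) -> Optional[str]:
        """Move vm_id off its node, re-running the step 105 selection for the target."""
        for node in self.nodes.values():
            if vm_id in node.vms:
                user = node.vms[vm_id]
                target = self.select_compute_node(user, exclude=node.name)
                if target is None:
                    return None  # leave the VM in place rather than violate the rule
                del node.vms[vm_id]
                self.nodes[target].vms[vm_id] = user
                return target
        return None


def demo() -> Tuple[Optional[str], bool, Optional[str]]:
    """Reproduces the patent's four-node example with constructed loads and users."""
    ctrl = CloudControlNode([
        ComputeNode("a", 0.9, {"vm-r1": "rival1"}),
        ComputeNode("b", 0.5, {"vm-r2": "rival2"}),
        ComputeNode("c", 0.2),
        ComputeNode("d", 0.4),
    ])
    ctrl.register_interest("alice", {"rival1", "rival2"})
    placed = ctrl.place_vm("vm1", "alice")      # a, b excluded; c lighter than d -> "c"
    migrate_a = ctrl.should_migrate_from("a")   # a is hot and c is cold -> True
    moved = ctrl.migrate_vm("vm-r1")            # c now hosts alice's VM -> "d"
    return placed, migrate_a, moved


if __name__ == "__main__":
    print(demo())
```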
An embodiment of the present invention provides a secure access method for a virtual machine. The virtual machine system includes a computing node, a cloud computing control node and a virtual machine, and the method includes: when the virtual machine is created, the cloud computing control node configures corresponding identification information for the virtual machine and for the virtual resources corresponding to the virtual machine; the computing node receives a virtual resource access request message sent by the virtual machine, the message carrying the identification information of the virtual machine and the identification information of the virtual resource to be accessed; according to the identification information of the virtual machine and the identification information of the virtual resource to be accessed, the computing node determines whether the virtual machine has permission to access the virtual resource corresponding to that identification information; when it determines that the virtual machine has this permission, the computing node allows the virtual machine to access the virtual resource; when it determines that the virtual machine does not have this permission, the computing node prevents the virtual machine from accessing the virtual resource. In this way, once the cloud computing control node has configured the corresponding identification information for the virtual machine and its virtual resources at creation time, the computing node can, whenever the virtual machine needs to access a virtual resource, use the identification information of the virtual machine and of the requested virtual resource to determine whether the virtual machine is authorized, and allow the access only when it is. This lowers the probability of a malicious user accessing the virtual resources of other users, protects the virtual resources, and thereby achieves security protection of virtual resources in a cloud computing virtualization platform.
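The access check summarised above, as an added Python example that is not the patent's own code: the control node issues identification information at creation, and the computing node parses each request message and allows access only when the virtual machine identity is known, holds a running relationship with this node, and owns the requested resource. The shared registry, the JSON message shape, the random identifiers and all names are assumptions for illustration.

```python
import json
import logging
import secrets
from dataclasses import dataclass, field
from typing import Dict, Set, Tuple

log = logging.getLogger("vm-access")


@dataclass
class VmIdentity:
    """Identification information configured by the control node at VM creation."""
    vm_id: str
    node: str                                          # node holding the running relationship
    resources: Set[str] = field(default_factory=set)   # resource ids assigned to this VM


class CloudControlNode:
    """Issues identifiers for a VM and each of its virtual resources.
    Unguessable identifiers (secrets.token_hex) stop a tenant from fabricating
    another VM's identification information in a request."""

    def __init__(self) -> None:
        self.registry: Dict[str, VmIdentity] = {}

    def create_vm(self, node: str, resource_kinds: Tuple[str, ...]) -> VmIdentity:
        vm_id = "vm-" + secrets.token_hex(8)
        ident = VmIdentity(vm_id, node,
                           {f"{kind}-{secrets.token_hex(8)}" for kind in resource_kinds})
        self.registry[vm_id] = ident
        return ident


class ComputeNode:
    """Enforces the permission check on every virtual resource access request."""

    def __init__(self, name: str, registry: Dict[str, VmIdentity]) -> None:
        self.name = name
        self.registry = registry  # assumption: the control node shares its registry

    def handle_request(self, raw: str) -> Tuple[bool, str]:
        """Parse the request message and return (allowed, reason). Every denial is
        logged so that attempts to reach other tenants' resources are visible."""
        try:
            msg = json.loads(raw)
            vm_id, res_id = msg["vm_id"], msg["resource_id"]
        except (ValueError, KeyError, TypeError):
            return self._deny("?", "?", "malformed request")
        ident = self.registry.get(vm_id)
        if ident is None:
            return self._deny(vm_id, res_id, "unknown virtual machine identity")
        if ident.node != self.name:
            return self._deny(vm_id, res_id, "no running relationship with this node")
        if res_id not in ident.resources:
            return self._deny(vm_id, res_id, "resource not assigned to this VM")
        return True, "allowed"

    def _deny(self, vm_id: str, res_id: str, reason: str) -> Tuple[bool, str]:
        log.warning("denied vm=%s resource=%s: %s", vm_id, res_id, reason)
        return False, reason


def demo() -> Tuple[bool, bool, bool, bool]:
    """Constructed scenario: vm1 runs on node c, vm2 on node d."""
    ctrl = CloudControlNode()
    node_c = ComputeNode("c", ctrl.registry)
    vm1 = ctrl.create_vm("c", ("disk", "nic"))
    vm2 = ctrl.create_vm("d", ("disk",))
    own = next(iter(vm1.resources))
    foreign = next(iter(vm2.resources))

    def req(vm_id: str, res_id: str) -> str:
        return json.dumps({"vm_id": vm_id, "resource_id": res_id})

    return (
        node_c.handle_request(req(vm1.vm_id, own))[0],      # True: own resource
        node_c.handle_request(req(vm1.vm_id, foreign))[0],  # False: another VM's resource
        node_c.handle_request(req(vm2.vm_id, foreign))[0],  # False: vm2 does not run on c
        node_c.handle_request("not json")[0],               # False: malformed message
    )


if __name__ == "__main__":
    print(demo())
```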
An embodiment of the present invention provides a virtual machine system, as shown in FIG. 4, including a computing node 401, a cloud computing control node 402 and a virtual machine 403.
The cloud computing control node 402 is configured to configure corresponding identification information for the virtual machine 403 and for the virtual resources corresponding to the virtual machine 403 when the virtual machine 403 is created.
The computing node 401 is configured to receive a virtual resource access request message sent by the virtual machine 403.
The virtual resource access request message carries the identification information of the virtual machine and the identification information of the virtual resource to be accessed.
The computing node 401 is further configured to determine, according to the identification information of the virtual machine 403 and the identification information of the virtual resource to be accessed, whether the virtual machine 403 has permission to access the virtual resource corresponding to that identification information. When it determines that the virtual machine 403 has this permission, it allows the virtual machine 403 to access the virtual resource; when it determines that the virtual machine 403 does not have this permission, it prevents the virtual machine 403 from accessing the virtual resource.
Further, the cloud computing control node 402 is also configured to determine the computing node that runs the virtual machine according to the user's interest information.
The cloud computing control node 402 is further configured to send a message for establishing a running relationship with the virtual machine 403 to the computing node that runs the virtual machine 403.
The computing node 401 is further configured to receive the message for establishing a running relationship with the virtual machine 403 sent by the cloud computing control node 402.
The computing node 401 is further configured to allocate running resources to the virtual machine 403 and establish a running relationship with the virtual machine 403 according to that message.
Further, the cloud computing control node 402 is also configured to determine whether to migrate the virtual machine 403 according to the load information of the computing node on which the virtual machine 403 is located.
The cloud computing control node 402 is specifically configured, when it determines that the virtual machine 403 is to be migrated, to determine the computing node 401 that runs the virtual machine 403 according to the user's interest information.
Alternatively, the cloud computing control node 402 is specifically configured, when it determines that a virtual machine is to be created, to determine the computing node that runs the virtual machine 403 according to the user's interest information.
An embodiment of the present invention provides a virtual machine system. The virtual machine system includes a computing node, a cloud computing control node and a virtual machine, and the method includes: when the virtual machine is created, the cloud computing control node configures corresponding identification information for the virtual machine and for the virtual resources corresponding to the virtual machine; the computing node receives a virtual resource access request message sent by the virtual machine, the message carrying the identification information of the virtual machine and the identification information of the virtual resource to be accessed; according to the identification information of the virtual machine and the identification information of the virtual resource to be accessed, the computing node determines whether the virtual machine has permission to access the virtual resource corresponding to that identification information; when it determines that the virtual machine has this permission, the computing node allows the virtual machine to access the virtual resource; when it determines that the virtual machine does not have this permission, the computing node prevents the virtual machine from accessing the virtual resource. In this way, once the cloud computing control node has configured the corresponding identification information for the virtual machine and its virtual resources at creation time, the computing node can, whenever the virtual machine needs to access a virtual resource, use the identification information of the virtual machine and of the requested virtual resource to determine whether the virtual machine is authorized, and allow the access only when it is. This lowers the probability of a malicious user accessing the virtual resources of other users, protects the virtual resources, and thereby achieves security protection of virtual resources in a cloud computing virtualization platform.
Finally, it should be noted that the above embodiments are only intended to illustrate the technical solutions of the present invention, not to limit them. Although the present invention has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art should understand that the technical solutions described in the foregoing embodiments may still be modified, or some of their technical features replaced by equivalents, and that such modifications or replacements do not cause the essence of the corresponding technical solutions to depart from the spirit and scope of the technical solutions of the embodiments of the present invention.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201510738195.4A CN105303102A (en) | 2015-11-03 | 2015-11-03 | Secure access method for virtual machine and virtual machine system |
Publications (1)
Publication Number | Publication Date |
---|---|
CN105303102A true CN105303102A (en) | 2016-02-03 |
Family ID: 55200359
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | | |
PB01 | Publication | | |
C10 | Entry into substantive examination | | |
SE01 | Entry into force of request for substantive examination | | |
WD01 | Invention patent application deemed withdrawn after publication | Application publication date: 20160203 | |